Wireless Network Security - Linn–Benton Community...

Wireless Network Security

Transcript of Wireless Network Security - Linn–Benton Community...

Page 1: Wireless Network Security - Linn–Benton Community …cf.linnbenton.edu/bcs/cs/beckerd/upload/CS284Ch8.pdf•Explain the solutions for securing a wireless network 2 Introduction •Wireless

Wireless Network Security

Objectives

• Describe the different types of wireless network attacks
• List the vulnerabilities in IEEE 802.11 security
• Explain the solutions for securing a wireless network

Introduction

• Wireless data communications have revolutionized computer networking
  – Wireless data networks found virtually everywhere
• Wireless networks have been targets for attackers
  – Early wireless networking standards had vulnerabilities
  – Changes in wireless network security yielded security comparable to wired networks

Wireless Attacks

• Bluetooth
  – Wireless technology
  – Uses short-range radio frequency transmissions
  – Provides for rapid, ad-hoc device pairings
    • Example: smartphone and Bluetooth headphones
  – Personal Area Network (PAN) technology
• Two types of Bluetooth network topologies
  – Piconet
  – Scatternet

Table 8-1 Bluetooth products

Wireless Attacks (cont’d.)

• Piconet
  – Established when two Bluetooth devices come within range of each other
  – One device (master) controls all wireless traffic
  – Other device (slave) takes commands
    • Active slaves can send transmissions
    • Parked slaves are connected but not actively participating

Figure 8-1 Bluetooth piconet © Cengage Learning 2012

Wireless Attacks (cont’d.)

• Scatternet
  – Group of piconets with connections between different piconets
• Bluejacking
  – Attack that sends unsolicited messages to Bluetooth-enabled devices
    • Text messages, images, or sounds
  – Considered more annoying than harmful
    • No data is stolen

Figure 8-2 Bluetooth scatternet © Cengage Learning 2012

Wireless Attacks (cont’d.)

• Bluesnarfing
  – Unauthorized access to wireless information through a Bluetooth connection
  – Often between cell phones and laptops
  – Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without owner’s knowledge

Wireless LAN Attacks

• Institute of Electrical and Electronics Engineers (IEEE)
  – Most influential organization for computer networking and wireless communications
  – Dates back to 1884
  – Began developing network architecture standards in the 1980s
• 1997: release of IEEE 802.11
  – Standard for wireless local area networks (WLANs)
  – Higher speeds added in 1999: IEEE 802.11b

Wireless LAN Attacks (cont’d.)

• IEEE 802.11a
  – Specifies maximum rated speed of 54 Mbps using the 5 GHz spectrum
• IEEE 802.11g
  – Preserves stable and widely accepted features of 802.11b
  – Increases data transfer rates similar to 802.11a
• IEEE 802.11n
  – Ratified in 2009

Wireless LAN Attacks (cont’d.)

• Improvements in IEEE 802.11n
  – Speed
  – Coverage area
  – Interference
  – Security
• Wireless client network interface card adapter
  – Performs same functions as wired adapter
  – Antenna sends and receives signals

Wireless LAN Attacks (cont’d.)

• Access point (AP) major parts
  – Antenna and radio transmitter/receiver send and receive wireless signals
  – Bridging software to interface wireless devices to other devices
  – Wired network interface allows it to connect by cable to standard wired network
• AP functions
  – Acts as “base station” for wireless network

Figure 8-3 Access point © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• AP functions (cont’d.)
  – Acts as a bridge between wireless and wired networks
    • Can connect to wired network by a cable
• Autonomous access points
  – Separate from other network devices and access points
  – Have necessary “intelligence” for wireless authentication, encryption, and management

Wireless LAN Attacks (cont’d.)

• Wireless broadband routers
  – Single hardware device containing AP, firewall, router, and DHCP server
• Wireless networks have been vulnerable targets for attackers
  – Not restricted to a cable
• Types of wireless LAN attacks
  – Discovering the network
  – Attacks through the RF spectrum
  – Attacks involving access points

Wireless LAN Attacks (cont’d.)

• Discovering the network
  – One of first steps in attack is to discover presence of a network
• Beaconing
  – AP sends signal at regular intervals to announce its presence and provide connection information
  – Wireless device scans for beacon frames
• War driving
  – Process of passive discovery of wireless network locations

Table 8-2 War driving tools

Wireless LAN Attacks (cont’d.)

• War chalking
  – Documenting and then advertising location of wireless LANs for others to use
  – Previously done by drawing on sidewalks or walls around network area
  – Today, locations are posted on Web sites

Table 8-4 War chalking symbols © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• Attacks through the RF spectrum
  – Wireless protocol analyzer
  – Generating interference
• Wireless protocol analyzer
  – Wireless traffic captured to decode and analyze packet contents
  – Network interface card (NIC) adapter must be in correct mode

Wireless LAN Attacks (cont’d.)

• Six modes of wireless NICs
  – Master (acting as an AP)
  – Managed (client)
  – Repeater
  – Mesh
  – Ad-hoc
  – Monitor
• Interference
  – Signals from other devices can disrupt wireless transmissions

Wireless LAN Attacks (cont’d.)

• Devices that can cause interference with a WLAN
  – Microwave ovens
  – Elevator motors
  – Copy machines
  – Outdoor lighting (certain types)
  – Theft protection devices
  – Bluetooth devices

Figure 8-5 Attacker interference © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• Attacks using access points
  – Rogue access points
  – Evil twins
• Rogue access point
  – Unauthorized access point that allows attacker to bypass network security configurations
  – May be set up behind a firewall, opening the network to attacks

Figure 8-6 Rogue access point © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• Evil twin
  – AP set up by an attacker
  – Attempts to mimic an authorized AP
  – Attackers capture transmissions from users to evil twin AP

Vulnerabilities of IEEE 802.11 Security

• Original IEEE 802.11 committee recognized wireless transmissions could be vulnerable
  – Implemented several wireless security protections in the standard
  – Left others to WLAN vendor’s discretion
  – Protections were vulnerable and led to multiple attacks

MAC Address Filtering

• Method of controlling WLAN access
  – Limit a device’s access to AP
• Media Access Control (MAC) address filtering
  – Used by nearly all wireless AP vendors
  – Permits or blocks device based on MAC address
• Vulnerabilities of MAC address filtering
  – Addresses exchanged in unencrypted format
  – Attacker can see address of approved device and substitute it on his own device
  – Managing large number of addresses is challenging

Figure 8-7 MAC address filtering © Cengage Learning 2012

SSID Broadcast

• Each device must be authenticated prior to connecting to the WLAN
• Open system authentication
  – Device discovers wireless network and sends association request frame to AP
  – Frame carries Service Set Identifier (SSID)
    • User-supplied network name
    • Can be any alphanumeric string 2-32 characters long
  – AP compares SSID with actual SSID of network
    • If the two match, wireless device is authenticated

Figure 8-8 Open system authentication © Cengage Learning 2012

SSID Broadcast (cont’d.)

• Open system authentication is weak
  – Based only on match of SSIDs
  – Attacker can wait for the SSID to be broadcast by the AP
• Users can configure APs to prevent beacon frame from including the SSID
  – Provides only a weak degree of security
  – Can be discovered when transmitted in other frames
  – Older versions of Windows XP have an added vulnerability if this approach is used

Wired Equivalent Privacy (WEP)

• IEEE 802.11 security protocol
• Encrypts plaintext into ciphertext
• Secret key is shared between wireless client device and AP
  – Key used to encrypt and decrypt packets
• WEP vulnerabilities
  – WEP can only use 64-bit or 128-bit number to encrypt
    • Initialization vector (IV) is only 24 of those bits
    • Short length makes it easier to break

Figure 8-9 WEP encryption process © Cengage Learning 2012

Wired Equivalent Privacy (cont’d.)

• WEP vulnerabilities (cont’d.)
  – Violates cardinal rule of cryptography: avoid a detectable pattern
  – Attackers can see duplication when IVs start repeating
• Keystream attack (or IV attack)
  – Attacker identifies two packets derived from same IV
  – Uses XOR to discover plaintext
  – See Figures 8-10 and 8-11 for details

Figure 8-10 XOR operations © Cengage Learning 2012


Figure 8-11 Capturing packets © Cengage Learning 2012
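
The keystream (IV) attack from the preceding slides, as an added Python example that is not part of the original deck: WEP seeds RC4 with IV || secret, so two packets sent under the same IV share a keystream and their ciphertexts XOR to the XOR of their plaintexts. The secret, IV and packet contents are constructed sample values, and the CRC-32 integrity value of real WEP is left out.

```python
import math

def rc4_keystream(key, n):
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, secret, plaintext):
    """Per-packet RC4 seed is IV || secret; the 24-bit IV is sent in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def recover_with_known_plaintext(c1, c2, known_p1):
    """Same IV means same keystream, so C1 xor C2 == P1 xor P2.
    Knowing (or guessing) P1 therefore yields P2 without the secret."""
    return xor(xor(c1, c2), known_p1)

def packets_for_iv_collision(prob=0.5, iv_bits=24):
    """Birthday bound: random IVs needed before a repeat occurs with
    probability `prob`."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))

# Constructed sample values (not captured traffic)
SECRET = bytes.fromhex("0102030405")   # 40-bit secret + 24-bit IV = "64-bit" WEP
IV = bytes.fromhex("a1b2c3")
P1 = b"GET /index.html HTTP/1.1"       # predictable protocol header
P2 = b"user=alice&pin=4921&ok=1"       # the packet an eavesdropper wants

C1 = wep_encrypt(IV, SECRET, P1)
C2 = wep_encrypt(IV, SECRET, P2)       # IV reused

if __name__ == "__main__":
    print(recover_with_known_plaintext(C1, C2, P1))
    print("IVs until a repeat is likely:", packets_for_iv_collision())
```

A busy AP sends that many frames in seconds, which is why a longer secret does not help while the IV stays at 24 bits.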

Wireless Security Solutions

• Unified approach to WLAN security was needed
  – IEEE and Wi-Fi Alliance began developing security solutions
• Resulting standards used today
  – IEEE 802.11i
  – WPA and WPA2

Wi-Fi Protected Access (WPA)

• Introduced in 2003 by the Wi-Fi Alliance
• A subset of IEEE 802.11i
• Design goal: protect present and future wireless devices
• Temporal Key Integrity Protocol (TKIP) Encryption
  – Used in WPA
  – Uses longer 128-bit key than WEP
  – Dynamically generated for each new packet

Wi-Fi Protected Access (cont’d.)

• Preshared Key (PSK) Authentication
  – After AP configured, client device must have same key value entered
  – Key is shared prior to communication taking place
  – Uses a passphrase to generate encryption key
    • Must be entered on each AP and wireless device in advance
  – Not used for encryption
    • Serves as starting point for mathematically generating the encryption keys

Wi-Fi Protected Access (cont’d.)

• Vulnerabilities in WPA
  – Key management
    • Key sharing is done manually without security protection
    • Keys must be changed on a regular basis
    • Key must be disclosed to guest users
  – Passphrases
    • PSK passphrases of fewer than 20 characters subject to cracking
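
How the passphrase becomes the starting point for the encryption keys, as an added Python example (not from the original slides): WPA/WPA2-PSK derives a 256-bit master key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, using 4096 iterations. `audit_passphrase` is a hypothetical policy check that applies the 20-character guidance above; its other two rules are assumptions.

```python
import hashlib
import string

def wpa_pmk(passphrase, ssid):
    """Derive the 256-bit master key that WPA/WPA2-PSK builds on:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def audit_passphrase(passphrase, ssid, min_len=20):
    """Return policy findings; an empty list means the passphrase passes.
    min_len=20 follows the slide; the other rules are assumptions."""
    findings = []
    if len(passphrase) < min_len:
        findings.append("shorter than %d characters" % min_len)
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation + " ")
    if sum(any(ch in g for ch in passphrase) for g in groups) < 2:
        findings.append("only one character class")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex() == IEEE_VECTOR)
    # The SSID is the salt: the same passphrase on another network name
    # gives an unrelated key, so precomputed tables are per-SSID.
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "IEEF"))
    # Constructed sample passphrases
    for candidate in ("password", "CorpNet2024!",
                      "correct horse battery staple 42"):
        print(repr(candidate), audit_passphrase(candidate, "CorpNet"))
```

Because the derivation is public and deterministic, anyone who records the handshake can test guesses offline, so the passphrase length is the only work factor the defender controls.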

Wi-Fi Protected Access 2 (WPA2)

• Second generation of WPA known as WPA2
  – Introduced in 2004
  – Based on final IEEE 802.11i standard
  – Uses Advanced Encryption Standard (AES)
  – Supports both PSK and IEEE 802.1x authentication
• AES-CCMP Encryption
  – Encryption protocol standard for WPA2
  – CCM is algorithm providing data privacy
  – CBC-MAC component of CCMP provides data integrity and authentication

Wi-Fi Protected Access 2 (cont’d.)

• AES encryption and decryption
  – Should be performed in hardware because of its computationally intensive nature
• IEEE 802.1x authentication
  – Originally developed for wired networks
  – Provides greater degree of security by implementing port security
  – Blocks all traffic on a port-by-port basis until client is authenticated

Wi-Fi Protected Access 2 (cont’d.)

• Extensible Authentication Protocol (EAP)
  – Framework for transporting authentication protocols
  – Defines message format
  – Uses four types of packets
    • Request
    • Response
    • Success
    • Failure
• Lightweight EAP (LEAP)
  – Proprietary method developed by Cisco Systems

Wi-Fi Protected Access 2 (cont’d.)

• Lightweight EAP (cont’d.)
  – Requires mutual authentication used for WLAN encryption using Cisco client software
  – Can be vulnerable to specific types of attacks
    • No longer recommended by Cisco
• Protected EAP (PEAP)
  – Simplifies deployment of 802.1x by using Microsoft Windows logins and passwords
  – Creates encrypted channel between client and authentication server
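
The EAP message format and its four packet types, as an added Python parser (not part of the original slides), following the header layout of RFC 3748: Code, Identifier, a two-byte Length, then a Type byte on Request and Response packets. The sample packets are constructed, and `uses_deprecated_method` is a hypothetical helper that flags LEAP as the slides advise.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}

def parse_eap(packet):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) data]."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if length < 4 or length > len(packet):
        raise ValueError("length field inconsistent with captured bytes")
    body = packet[4:length]          # bytes past Length are link-layer padding
    msg = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):               # only Request/Response carry a Type
        if not body:
            raise ValueError("Request/Response without a Type field")
        msg["type"] = EAP_TYPES.get(body[0], "type-%d" % body[0])
        msg["data"] = body[1:]
    elif body:
        raise ValueError("Success/Failure must carry no data")
    return msg

def uses_deprecated_method(msg):
    """Hypothetical audit helper: LEAP is no longer recommended."""
    return msg.get("type") == "LEAP"

# Constructed sample packets (hex), one exchange in order
SAMPLES = [
    "0101000501",              # Request, Identity
    "0201000a01616c696365",    # Response, Identity "alice"
    "010200061920",            # Request, PEAP
    "0103000811010000",        # Request, LEAP
    "03040004",                # Success
]

if __name__ == "__main__":
    for hexpkt in SAMPLES:
        msg = parse_eap(bytes.fromhex(hexpkt))
        note = "  <-- deprecated method" if uses_deprecated_method(msg) else ""
        print(msg, note)
```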

Table 8-3 Wireless security solutions

Other Wireless Security Steps

• Antenna placement
  – Locate near center of coverage area
  – Place high on a wall to reduce signal obstructions and deter theft
• Power level controls
  – Some APs allow adjustment of the power level at which the LAN transmits
  – Reducing power allows less signal to reach outsiders

Other Wireless Security Steps (cont’d.)

• Organizations are becoming increasingly concerned about existence of rogue APs
• Rogue access point discovery tools
  – Security personnel can manually audit airwaves using wireless protocol analyzer
  – Continuously monitoring the RF airspace using a wireless probe
• Types of wireless probes
  – Wireless device probe
  – Desktop probe
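
One way to turn probe output into rogue AP and evil twin findings, as an added Python example (not from the original slides): each observed beacon is compared with an inventory of sanctioned APs. The inventory, the observations, the verdict names and the signal-strength threshold are all constructed assumptions.

```python
# Constructed inventory of sanctioned APs: BSSID -> (SSID, channel, security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("CorpGuest", 11, "WPA2-PSK"),
}

# Constructed beacon observations, as a wireless probe might report them
OBSERVED = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "channel": 1,
     "security": "WPA2-Enterprise", "rssi": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpNet", "channel": 6,
     "security": "Open", "rssi": -51},
    {"bssid": "DE:AD:BE:EF:00:10", "ssid": "CorpNet", "channel": 6,
     "security": "Open", "rssi": -40},
    {"bssid": "AA:BB:CC:00:00:07", "ssid": "linksys", "channel": 11,
     "security": "WPA2-PSK", "rssi": -45},
    {"bssid": "AA:BB:CC:00:00:99", "ssid": "CoffeeShop", "channel": 3,
     "security": "Open", "rssi": -86},
]

ON_PREMISES_RSSI = -65  # dBm; assumed threshold, tune from a site survey

def classify(beacon, inventory=AUTHORIZED):
    """Return (verdict, reason) for one observed beacon."""
    known = {k.lower(): v for k, v in inventory.items()}
    corp_ssids = {v[0] for v in known.values()}
    bssid = beacon["bssid"].lower()
    if bssid in known:
        # A BSSID is sent unencrypted and can be copied, so a match alone
        # proves nothing; the advertised settings must match as well.
        ssid, channel, security = known[bssid]
        expected = (("ssid", ssid), ("channel", channel), ("security", security))
        drift = [name for name, want in expected if beacon[name] != want]
        if drift:
            return "mismatch", "known BSSID but unexpected " + ", ".join(drift)
        return "authorized", "matches inventory"
    if beacon["ssid"] in corp_ssids:
        return "evil-twin-suspect", "corporate SSID from unknown BSSID"
    if beacon["rssi"] >= ON_PREMISES_RSSI:
        return "rogue-suspect", "unknown AP with on-premises signal strength"
    return "neighbor", "unknown AP, weak signal"

def audit(observations):
    return [(b["bssid"],) + classify(b) for b in observations]

if __name__ == "__main__":
    for bssid, verdict, reason in audit(OBSERVED):
        print("%-18s %-18s %s" % (bssid, verdict, reason))
```

A "rogue-suspect" verdict is a lead for a physical search and a switch-port check, since signal strength alone cannot show whether the device is attached to the wired network.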

Other Wireless Security Steps (cont’d.)

• Types of wireless probes (cont’d.)
  – Access point probe
  – Dedicated probe
• Wireless virtual LANs (VLANs)
  – Organizations may set up two wireless VLANs
    • One for employee access, one for guest access
  – Configured in one of two ways
    • Depending on which device separates and directs the packets to different networks

Summary

• Bluetooth is a wireless technology using short-range RF transmissions
• IEEE has developed five wireless LAN standards to date, four of which are popular today
  – (IEEE 802.11a/b/g/n)
• Attackers can identify the existence of a wireless network using war driving
• Wired Equivalent Privacy relies on a secret key shared between wireless client device and access point

Summary (cont’d.)

• Wi-Fi Protected Access (WPA) and WPA2 have become the foundations of wireless security today
• Other steps to protect a wireless network include:
  – Antenna positioning
  – Access point power level adjustment
  – Detecting rogue access points