Chapter 19

Wireless LAN Security

A wireless local area network, referred to as WLAN, is a network that is able to connect two or more devices within a defined area without physical connectivity, such as cable. An example of a WLAN may exist right in your home and consist of a network access device (router) that connects to your high-speed Internet service and doubles as a routing device and a switch. This creates the WLAN to connect your home computer, iPad (tablet), or other wireless device. WLAN has exploded in popularity based on the ease of access to the Internet that it can offer. An overly simplistic WLAN can be vulnerable to many different threats as was proved with early forms of wireless security, which didn’t really provide any security at all. Figure 19.1 shows a basic diagram of a wireless LAN.

The simplest way to give a more detailed description of WLAN is to break it down into its major components. The first and most important component of a WLAN is the radio card, which is more commonly referred to as a station (STA). The STA can be either an access point (AP) or a client. The client is the receiver’s radio card, which operates on the standard 802.11 protocols, and consists of devices such as a smartphone or computer. The AP refers to the device that communicates with all of the devices on the current WLAN. The AP works as a gateway through which the client devices can achieve an Ethernet connection. This may not be the case in every WLAN setup, however. Sometimes, the AP is a stepping-stone to another AP, which is then the connection to the Ethernet.

The last two components of a WLAN device are an antenna and the ability to operate under the 802.11 protocol standards. Since all clients exist on the same set of protocols, they all compete equally for the right to gain connection to an AP. When attempting to connect to an AP, a client must either find or receive that point’s service set identifier (SSID). The client accomplishes this by scanning, which can be either active or passive. In active scanning, the client sends out a probe request to all of the available APs in the area. In passive scanning, on the other hand, the client waits to notice the beacon that all APs constantly emit.

Regulatory WLAN Security Standards

The Institute of Electrical and Electronics Engineers (IEEE) originally set the 802.11 standards in 1997. These standards represent all of the operating procedures that a device communicating over a WLAN must follow. Since their inception, these standards have been modified many times, and each time, they are given a new letter at the end (such as 802.11a). The Federal Communications Commission (FCC) is most impactful on WLAN in regulating the spectrum of bandwidth that is allotted for Wi-Fi technology. The FCC does not issue WLAN encryption minimum requirements for businesses and individuals using a WLAN. However, the FCC does strongly recommend using Wi-Fi Protected Access II (WPA2) encryption for any wireless network. It also recommends a number of other measures for individual and business networks including using a firewall, changing the password regularly, changing the default name of the network, turning off network name broadcasting, and using the media access control (MAC) address filter.

Figure 19.1 Basic wireless local area network.

The FCC defers to the IEEE in their recommendation for WPA2. The IEEE sets the industry standards for wireless security in the 802.11 protocols. These protocols are a set of specifications for the MAC and physical layers of a WLAN. The first 802.11 standard was released in 1997, and currently the IEEE is working on 802.11ad, which would set the standards for WLANs with throughput capabilities of 7 gigabits per second by utilizing a frequency of 60 GHz.

WPA2 became the industry standard in June 2004, when the IEEE ratified 802.11i-2004 (802.11i-2004, 2004). 802.11i-2004 implemented the standard for WLAN security that still exists today—WPA2. WPA2 replaced Wi-Fi Protected Access (WPA), which was implemented in 2003. WPA was implemented as a stopgap to replace Wired Equivalent Privacy (WEP) because of WEP’s glaring deficiencies, which are detailed later in this chapter. The IEEE plays a vital role in security and data, as their standards are frequently the standards adopted by regional, national, and international standards bodies. The following section describes some of the technical definitions of the different 802.11 standards.

802.11a

This standard operates at 5 GHz and provides data rates between 1.5 Mbps and 54 Mbps. 802.11a was originally common for APs in both the corporate and residential settings, but this is no longer the case; this is because of its limited range and high level of attenuation when traveling through objects. 802.11a is also more expensive than many of the other standards that the IEEE has released, because its limited range made it necessary for more equipment to be bought.

802.11b

This standard uses an unregulated 2.4 GHz band with a throughput of 11 Mbps. Since this standard uses unregulated frequencies, there is the likelihood of interference in the normal consumer’s home from appliances such as microwaves. 802.11b also offers a lower throughput than 802.11a but has a greater range, which gives it the ability to service a whole home with only one AP. This factor made 802.11b more popular than 802.11a in the residential setting.

802.11g

Created in 2003, this standard attempted to offer the best of both the 802.11a and 802.11b standards. 802.11g supports a bandwidth of 54 Mbps and utilizes the 2.4 GHz unregulated band. This made APs utilizing either the 802.11a or 802.11b standard obsolete in both the residential and industrial setting.

802.11n

Created in 2009, 802.11n has a speed of up to 600 Mbps. This standard operates in both the 2.4 GHz and 5 GHz bandwidths by using multiple input/output antennas. These two features made it so that 802.11n could provide greater range with less interference.

802.11ac

Created in 2013, 802.11ac offers a speed of 1.3 Gbps and operates on the 5 GHz bandwidth. This technology has just recently been implemented, but it is expected to be deployed in upward of 1 billion devices by 2015. It is also important to note that the 802.11ac standard also offers more channels than previous standards.

802.11af

This standard has not yet been implemented, but it is very interesting because it uses the TV white space spectrum. Its throughput is low, however, with a maximum of 35 Mbps. The added frequency bands available in the TV white space are a way to begin increasing spectrum capacity as Wi-Fi becomes more popular. In addition, the frequencies are below 1 GHz, so it can offer a large amount of range compared with other standards.

802.11i

802.11i is an amendment that defines wireless security concerning WPA2. This is especially important to understand since this is what superseded WEP. The largest difference that separates WPA2 from WPA and WEP is its use of the advanced encryption standard (AES) block cipher. This amendment is also interesting because it is one of the few that does not deal specifically with a new form of signaling for a WLAN (Doherty, 2016).

Wire Lined to Wireless Transition

Since their commercialization, both telephones and computers have been hugely successful. This success came for computers in two ways. The first was the invention of the personal computer (PC), and the second was the implementation of wireless networks. In this section, we will focus on how wireless networks came to be part of computer technology.

When wireless technologies were created, networks were actually of very little use. This is because of the lack of existent and/or legal frequencies that could be used to carry a signal for a wireless network. This all changed after the FCC opened up several bands of radio spectrum for unlicensed use. The bands included 900 MHz, 2.4 GHz, and 5.8 GHz, which were originally reserved for appliances such as microwaves.

After these bands opened and wireless networks were made commercially available, users began to prefer a slower wireless connection to the regular wired connection. This convenience did not just affect consumers; businesses also bought into the trend of wireless network access. This brought about many different trends in the business world, such as bring your own device (BYOD), which is the idea that employees can bring their own devices into the workplace. This soon became a popular method for consumer products too. The demand for a more convenient connection to information made the industry of wireless technology explode, which had a large societal and economic impact.

WNIC

The wireless network interface card (WNIC) is a card used to connect a device to a WLAN. This WNIC device can also be employed for hacking wireless networks that use the WEP wireless security protocol. Every mobile device that has Wi-Fi capability comes equipped with a WNIC, but WNICs come in a huge range of different types because both their signal strength and protocol communication language have been continually changing.

WNICs do not necessarily have to be inside your device; they can be purchased and attached to the device through a simple USB port. It is the external WNICs that have proved to be problematic for wireless network security. An external WNIC is not only a threat to information that moves over a wireless network, but it can also be used to attack and access wired resources that companies may think are protected and only accessible on site.

Corporate Background of Wireless Networks

As stated before, the simplicity of always being on the network is something that is lucrative in both a residential and industrial setting. A wireless environment in the workplace has the capacity to eliminate much of the aggravation that comes with being tied to a desk to be on a company’s network. There are also many risks to a company becoming wireless. This was especially prevalent during the early days of wireless networks when WEP was the primary form of security. When wireless was first introduced into the corporate setting, there was also no way to control how far the signal of an AP would reach. Based on this information, many computer users were able to access company networks when they were in the parking lot or even down the street from the AP. In 2004, Red M. Ltd. did a survey of companies to see what the state of their wireless security was. Within this report, they stated that the wireless industry is doing everything imaginable to protect wireless networks. The weakness comes when end users fail to secure not just their wireless networks, but also their fixed networks. Every wireless notebook represents a clear and present danger to the security of your computer network.

According to a new survey from Red M, for which the company gathered statistics for six months on 100 companies, including large multinational corporations, 80% of corporate networks are accessible from outside their buildings. Within that 80%, 66% of banks, 69% of financial services institutions, 100% of educational institutions and 79% of information technology companies were broadcasting confidential and sensitive information. And 100% of the e-mail messages on insecure corporate networks could be intercepted, read, and manipulated.

Wireless corporate networks have become more secure in recent years due to several factors:

1.  Wireless technology itself has changed and has become much more secure due to developments such as the move from WEP to WPA.

2.  Industries recognize the benefits of better protecting themselves when using wireless networks. Although there is a cost imposed by setting up wireless security, the benefits of wireless access outweigh the potential harm.

Wireless Network Security Methods

Networks can require different types and amounts of security, depending on the purpose of the specific network. There are hundreds of ways to secure a network, but networks typically follow one of three intrusion prevention concepts. The first scenario is ideal for smaller networks, such as homes or small businesses. This simple method is to configure restrictions in the APs. These restrictions may include the settings of media access control (MAC) address filtering and SSID broadcasting, potentially paired with a wireless intrusion prevention system (WIPS). Another security tactic is to have a completely open and unsecured network but total isolation. This is usually done by larger businesses or commercial hot spots. Security is achieved through an intranet portal, which then authorizes the user. This method is not as secure, as someone could easily bypass all the security if he or she were to gain an authorized user’s credentials. It is also more prone to denial-of-service attacks. Finally, some parties use full end-to-end encryption, with additional authentication on private resources. This configuration can be more difficult but can give the best results.

CIA Triangle of Confidentiality, Integrity, and Availability

Before securing a network, one must first determine what good security will look like. Confidentiality, integrity, and availability are at the core of every secure network, according to the Central Intelligence Agency (CIA). When a user connects to a wireless network, these three components are the basic expectations that the user has regarding his or her privacy. Confidentiality refers to the information being transferred, stored, and processed. In a secure network, only the designated owner will ever be able to see the information (unless other permissions are explicitly given). Integrity is the expectation that data will not be modified. Lastly, availability is the expectation that users will be able to access the data at the time they want and the speed they want. Bandwidth or downtime should not be a major issue in a secure network.

There are a few other concepts that are important to be familiar with when discussing security. One term is authorization, which is checking to make sure that the users are allowed to do what they are trying to do. For example, when someone wants to edit a file, the system will make sure that the specific user has been given edit rights to that file (or is inheriting rights from someone else who does). Authorization can apply to users, processes, or programs.

Accountability is also an important factor in security. In order for a system to be accountable, it must be able to keep track of who is doing what on the system at any given time. Similarly, non-repudiation is the idea that users should not be able to deny performing an action that they performed (because of the accountability of the system).

When users want to gain access to a restricted system, the first step in the process is identification. This is when users ask to be authenticated, and the system verifies that they are who they say they are. For better security, multifactor authentication should be used.

There are three main authentication factors: something you know (such as a password or personal identification number [PIN]), something you have (such as a security key or smart card), and something you are (biometrics). For best results, at least two different factors should be used for multifactor authentication implementation. Since authentication is so important, the next two sections will outline a few new ways to securely authenticate.

Smart Cards

We are all familiar with the magnetic stripe that occupies the back of our credit and debit cards. Although magnetic-stripe technology is effective and pervasive in the United States, it does lack the stringent security reliability that is desired when it comes to access to payment card information. The security inadequacy of magnetic-stripe technology is the reason it will become obsolete in the years to come, when it will almost certainly be replaced by smart cards. Outside the United States, there have been examples of switching to Europay, MasterCard, and Visa (EMV): smart-card technology that decreases fraud and card counterfeiting. In 1992, France introduced these cards and saw a 78% drop in card counterfeiting, accompanied by a 50% drop in total fraud losses.

Smart cards look like any other credit or debit card but are equipped with either a microcontroller or a memory chip that can connect to a smart-card reader to transmit payment information. The microcontroller chip has its own processing power, which allows it to carry out its own encryption protocols and mutual authentication features that allow it to prove its identity to the smart-card reader. The microcontroller is essentially its own computer with the ability to store much more data. A memory chip merely has the ability to store the payment information with a small level of security. They are less expensive than microcontroller chips, but they depend on the smart-card reader’s processing power and encryption to protect the data.

The cards can also be broken down into contact and contactless cards. Contactless cards communicate with the card reader via radio frequencies at a very short distance, between one to three inches. Contact cards must have direct connection to the smart-card reader via a conductive plate on the card. In addition to its obvious implications in the payment card industry, smart cards are also used in employee ID badges, driver’s licenses, passports, and portable medical records cards.

Security Tokens and Software Tokens

Security or authentication tokens are a hardware solution that can help to mitigate the risk of data breaches. A security token could be in the form of a smart card, key fob, or USB drive. Security tokens allow for two-factor authentication, in which the network recognizes the object as an authorized hardware, and then the network will also require the user to have a PIN.

A software token is software that can be installed on an authorized device such as a laptop, PC, or smartphone. While software tokens are cheaper and do not require the user to carry a physical item, they are somewhat more susceptible to attacks and data breaches. Because a security token is a physical item, the user is more likely to notice that it has been stolen or has gone missing. This is not always the case with a software token. If the software is duplicated and installed on another device, it is possible that it could happen without the authorized user being made aware of it.

Wireless Security History, Standards, and Developments

Ever since the mid-1990s, wireless technologies have been rapidly deployed. As a result, the issue of wireless security needed to be addressed. The first encryption standard, Wired Equivalent Privacy (WEP), was developed in the late 1990s and was a basic and flawed protocol. Its limitations required serious improvements for wireless networks to be considered secure. Since then, two main protocols have surfaced: Wi-Fi Protected Access (WPA) and WPA2. WPA2 is synonymous with 802.11i, which is the standard recommended for use today (Figure 19.2).

Wired Equivalent Privacy

WEP was developed in 1997 as part of the original 802.11 standard. The goal of WEP was to provide security on the same level as wired networks through the use of CRC-32 checksum and RC4. CRC-32 is an integrity tool used to detect changes in data. RC4 is a cryptography method that was exploited in 2001 by attackers listening on the network to intercept the keys used. The keys used in wireless security are referred to as preshared keys, or PSKs. PSKs are shared by both the client and the AP and are used for authentication.

Figure 19.2 Wireless security protocol comparisons.

In 2004, enough vulnerabilities were discovered that WEP was officially condemned. In 2005, the U.S. Federal Bureau of Investigation (FBI) was able to easily penetrate a WEP-secured network in fewer than 3 minutes. In 2007, after a massive hack against T.J.Maxx, it was discovered that major businesses were still using the notoriously weak and outdated WEP standard.

Wi-Fi Protected Access

WPA was created as a quick link-layer security fix after the vulnerabilities were discovered in WEP. It was not an infallible solution but rather an interim solution to be used while the more complete WPA2 was being developed.

Temporal Key Integrity Protocol (TKIP)

Encryption was implemented through the use of a preshared key technology, TKIP. TKIP is based on RC4, and each packet generates a different 128-bit key (unlike WEP technology, which had a shorter key that was static for each AP). This combats integrity attacks, since every packet has its own unique key. In addition, packets must be in the correct order to be accepted by the AP. Finally, TKIP uses an additional 64-bit message integrity check (MIC), named Michael, which is an improvement on WEP’s CRC-32 checksum method. Michael’s goal was to prevent attackers from changing packet data (Greenfield, 2003). Unfortunately, hackers were still able to find ways to alter packets. Since TKIP is based on older WEP technologies, it has since been identified as insecure and thereafter deprecated.
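The WEP section above calls CRC-32 an integrity tool, and this section says TKIP replaced it with a keyed MIC. The added example below (not from the chapter or any cited source) shows the reason: CRC-32 is linear over XOR, so a modification to unprotected data comes with a predictable checksum change, whereas a keyed MIC (HMAC-SHA1 truncated to 64 bits here, standing in for Michael) cannot be recomputed without the key. The frame body and key are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample frame body (not a real capture): a field whose value
# an integrity check is supposed to protect.
FRAME = b"ACCOUNT=1234 AMOUNT=0010"
MIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def xor_mask(data: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Build a mask that, XORed onto data, turns `old` at `offset` into `new`."""
    mask = bytearray(len(data))
    for i, (o, n) in enumerate(zip(old, new)):
        mask[offset + i] = o ^ n
    return bytes(mask)


def apply_mask(data: bytes, mask: bytes) -> bytes:
    return bytes(d ^ m for d, m in zip(data, mask))


def predicted_crc_after_flip(data: bytes, mask: bytes) -> int:
    """CRC-32 is affine over XOR: crc(d ^ m) == crc(d) ^ crc(m) ^ crc(zeros).
    The checksum of the modified data follows from the original checksum and
    the mask alone; no secret is involved, so nothing stops an adjustment."""
    zeros = bytes(len(data))
    return zlib.crc32(data) ^ zlib.crc32(mask) ^ zlib.crc32(zeros)


def crc32_detects_flip(data: bytes, mask: bytes) -> bool:
    """True only if the unkeyed checksum could not be adjusted to match."""
    modified = apply_mask(data, mask)
    return zlib.crc32(modified) != predicted_crc_after_flip(data, mask)


def keyed_mic(key: bytes, data: bytes) -> bytes:
    """Keyed MIC: HMAC-SHA1 truncated to 8 bytes (Michael's 64-bit tag size)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:8]


def keyed_mic_detects_flip(key: bytes, data: bytes, mask: bytes) -> bool:
    """A receiver holding the key rejects modified data carried with the old tag,
    and the tag for the modified data cannot be produced without the key."""
    modified = apply_mask(data, mask)
    return not hmac.compare_digest(keyed_mic(key, modified), keyed_mic(key, data))


if __name__ == "__main__":
    mask = xor_mask(FRAME, FRAME.index(b"AMOUNT=") + 7, b"0010", b"9910")
    print("CRC-32 detects the change:", crc32_detects_flip(FRAME, mask))
    print("keyed MIC detects the change:", keyed_mic_detects_flip(MIC_KEY, FRAME, mask))
```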

Extensible Authentication Protocol (EAP)

EAP is a user authentication framework first introduced in WPA security. Unlike WEP, which only authenticates using MAC addresses, EAP uses various authentication methods to verify a user’s identity. Some examples of EAP technologies include token cards, public-key encryption, and one-time passwords. When a user tries to connect to a network, the AP will confirm the user’s identity with an authentication server, such as RADIUS. RADIUS stands for remote authentication dial-in user service, and it is used by Internet service providers (ISPs) to verify usernames and passwords.

Lightweight Extensible Authentication Protocol (LEAP)

There are a few different methods of implementing EAP. LEAP is a proprietary method developed by Cisco Systems. It is based on MS-CHAP, which is a Microsoft authentication protocol that has since been deemed insecure. The LEAP method is popular but rather weak. Cisco recommends that any user who must use LEAP should be sure to have a complex password. Since LEAP works only on Cisco networking gear, it lacks compatibility with non-Cisco products.

Protected Extensible Authentication Protocol (PEAP)

PEAP is a form of encapsulation that exists within EAP. Encapsulation is the way in which communication is constructed to be sent between two units. In this case specifically, PEAP both encapsulates and encrypts a security access transmission so that it cannot be easily intercepted and decoded. PEAP was created by Microsoft, Cisco Systems, and RSA Security.

Wireless Transport Layer Security (WTLS)

WTLS was the security level for the Wireless Application Protocol (WAP) version 1.1. WTLS provided privacy, data integrity, and authentication of WAP devices. WTLS ensured that the connection between the device and the server remains secure and encrypts the transmission of data. WTLS was largely based on TLS but is adapted for mobile devices. TLS and WTLS are both initialized in the application layer (Layer 5) in the OSI Model and operate in the presentation layer (Layer 6).

WTLS mainly relied on the compression of packet size and on web-content developers creating separate WAP web pages that have less content and will work in WAP format. Today, WAP 2.0 browsers are able to support HTML formats. The improvement in the processing power of devices and in wireless/cellular network throughput capabilities has enabled more powerful mobile devices to display web pages in their original format without needing to use WAP.

With the release of WAP 2.0 in 2002, WTLS was replaced by TLS. Instead of decrypting the data from WTLS and then reencrypting it using secure sockets layer (SSL), servers are able to accept the TLS transmission directly and no longer need to go through the extra step of changing between encryption types.

Wi-Fi Protected Setup (WPS)

One major flaw in WPA was the creation of WPS. WPS enabled less experienced computer users to secure their network using WPA. To add new devices to the network, users could use an eight-digit PIN method. Unfortunately, these PINs could easily be cracked using brute-force attacks, thus making WPS extremely insecure. To avoid this vulnerability, WPS should be disabled.

WPA2

WPA2 was implemented in 2004 and was based on the newly developed 802.11i standard. The terms 802.11i and WPA2 are commonly interchangeable. WPA2 comes in two main types: personal or enterprise. Personal use involves PSKs and does not require an authentication server. Enterprise scenarios use EAP and involve the client (supplicant), AP (authenticator), and authentication server.

802.11i also defines a robust secure network (RSN), which introduces and implements security primarily through a four-way handshake and group-key handshake. The RSN ensures that the network communication and data transfer are secure through authentication and keys. If a device has been authenticated before, then it joins a robust security network association (RSNA). One downside to WPA2 is that some older hardware may not be compatible with the new protocol or might require a firmware upgrade. Testing and certification from the Wi-Fi Alliance ensure that a network is WPA2 secure and must be done in order for a device to have a Wi-Fi trademark on it. With WPA2, various keys are used to encrypt the traffic as shown in Figure 19.3.

It begins with the pairwise master key (PMK), which is derived from the master session key (MSK). Both the client and AP know the PMK, and the goal is to change this into encrypted temporal keys. The PMK initiates the four-way handshake and then produces the unicast pairwise transient key (PTK) or multicast group temporal key (GTK). The four-way handshake is a method used to establish secure connections in four steps. It enables the AP and client to prove that they know the keys without ever actually stating them.

Figure 19.3 WPA2 encryption keys used to encrypt traffic.

Figure 19.4 The PMK, the four-way handshake.

The WPA2 process begins with the AP and client choosing security methods that they both support. This includes the type of authentication method (e.g., 802.1X—also known as EAPOL [Extensible Authentication Protocol over LAN] or PSK) and the security protocols (e.g., CCMP and TKIP). The variation here depends on the usage (personal or enterprise). Next, the AP requests the client’s identity and, after successful authentication, a PMK is created. After both devices know the PMK, the four-way handshake begins (Figure 19.4).

The AP sends the first message to the client, called ANonce. This is a randomly generated authenticator (AP) number that is used only once. The client then generates a PTK (set of encryption keys) from this. Next, the client sends a SNonce (a supplicant/client number that is used only once) protected by a MIC, and then the AP sends back the MIC-protected PTK and GTK (for unicast and multicast traffic) that it has calculated. Finally, the client sends a confirmation message to the AP to confirm that it’s ready for encrypted communication. The pairwise and group transient (temporary) keys are used by the CCMP protocol to confirm integrity and confidentiality. If the GTK needs renewing, a similar group key handshake occurs.
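The key hierarchy and four-way handshake described above can be followed in code. The added example below (not from the chapter; it implements the 802.11i key derivation as published in the standard, using only Python's standard library) derives the PMK from a passphrase and SSID as WPA2-Personal does, expands it with both nonces and both MAC addresses into the PTK (KCK, KEK, TK), and uses the KCK to compute and check the MIC that protects handshake messages. MAC addresses, nonces, the SSID, the passphrase and the EAPOL-Key body are constructed sample values.

```python
import hashlib
import hmac
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    In enterprise mode the PMK is taken from the EAP master session key instead."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate the result to nbits."""
    out = b""
    for i in range(math.ceil(nbits / 160)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    384 bits for CCMP, split into KCK (handshake MIC key), KEK (wraps the GTK
    sent in message 3) and TK (the CCMP data-traffic key).  Both sides reach the
    same PTK because the min/max ordering makes the input symmetric."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the EAPOL-Key frame with its MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def verify_message(kck: bytes, frame_mic_zeroed: bytes, received_mic: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), received_mic)


# --- Constructed demo values (not from any capture) ---
AA = bytes.fromhex("001122334401")       # authenticator (AP) MAC address
SPA = bytes.fromhex("aabbccddeeff")      # supplicant (client) MAC address
ANONCE = bytes(range(32))                # stand-ins for 32-byte random nonces
SNONCE = bytes(range(32, 64))


def handshake_demo():
    """Returns (message-2 MIC verifies, tampered message-2 MIC verifies)."""
    pmk = derive_pmk("correct horse battery staple", "CorpWiFi")  # constructed
    sta_keys = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)  # client, after message 1
    ap_keys = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)   # AP, after message 2
    # Constructed EAPOL-Key body for message 2: header bytes, SNonce, zeroed MIC.
    msg2 = b"\x02\x03\x00\x5f\x02\x01\x0a" + SNONCE + bytes(16) + b"\x00\x00"
    mic = eapol_mic(sta_keys["kck"], msg2)
    ok = verify_message(ap_keys["kck"], msg2, mic)
    tampered_ok = verify_message(ap_keys["kck"], msg2.replace(SNONCE, bytes(32)), mic)
    return ok, tampered_ok


if __name__ == "__main__":
    print("message 2 accepted, tampered copy accepted:", handshake_demo())
```

The PMK function reproduces the published 802.11i test vector for passphrase "password" and SSID "IEEE"; the MIC check is what lets each side prove knowledge of the PMK without transmitting it.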

The most notable part of WPA2 security is the mandatory requirement for using the AES-CCMP algorithm. This stands for advanced encryption standard, counter mode cipher block chaining message authentication code protocol. This strong encryption protocol confirms message integrity and confidentiality. CCMP is based on AES and is an improvement on TKIP. WPA2 no longer uses TKIP but has a setting that can make it compatible with older TKIP devices. This is good for compatibility reasons but still risks making a network insecure, since TKIP is deprecated (Hoffman, 2014). WPA2 uses similar EAP authentication methods as discussed in the WPA section.

WPA2 is more secure and advanced than the earlier wireless security protocols. It eliminates worries about man-in-the-middle (MitM) attacks and packet and authentication forging. PMK caching allows the client to easily reconnect to the AP without having to reauthenticate. It also allows a user to begin making his or her next connection while still connected to the first AP. WPA2 supports all of the older WPA features but adds stronger encryption and authentication with less overhead.

Like most technologies, WPA2 is not perfect. Physical layer attacks are still an issue, and Layer 2 session hijacking is a concern as well. While attackers may not be able to read the data in packets, they can analyze the unencrypted control and management frames to gain valuable information. WPA2 is also vulnerable to DoS attacks and MAC address spoofing (Arana, 2006). The most significant vulnerability with WPA2 is called Hole196. This vulnerability allows an insider who knows the GTK to insert and send false GTK packets to unknowing users. Then, the attacker can decrypt other users’ data, find holes in their Wi-Fi, and put their entire devices in jeopardy.

Other Security Considerations

Aside from the widespread protocols, some basic techniques to secure a wireless network include modifying the default SSID configuration and MAC address filtering. To secure a wireless network, the SSID should not be broadcasted. This way, the user has to know the name in order to try to connect. The default SSID should also be changed to prevent any hackers from guessing the name. MAC address filtering involves configuring the AP to only permit certain approved devices based on their MAC addresses. This is not foolproof, however, because an attacker may be able to discover an approved MAC address and then spoof (or pretend to be) that address.

Other techniques that are not specific to wireless but can still be implemented on wireless networks are virtual private networks (VPNs), firewalls, physical security, and wireless intrusion detection and prevention systems (WIDPS). VPNs allow an organization to have its private network on a public network. This means that even though traffic is being sent over the public network, it’s acting as if it were the company’s private network, with its own security and so on. This is done through virtual connections with tunneling and encryption.

Firewalls are designed to look at all incoming and outgoing traffic and determine what traffic is safe and what is not, based on its configurations. The two main types of firewalls are host firewalls and network firewalls. Host firewalls are implemented on the edge of a single device, while network firewalls are placed on the network, monitoring traffic going across. Routers can implement firewalls, and firewalls can be used in conjunction with VPNs.

Physical security is a basic consideration that is crucial. If a wireless device is not secure, then the wireless network is not secure. First and foremost, every device should be out of reach, if not locked up. Security cameras should be placed on important devices to monitor any suspicious activity. Geographical location should also be considered, since natural disasters may be a threat to networking equipment. There are many ways to physically secure wireless network equipment, but it’s important that there’s at least some physical protection.

Finally, a WIDPS should be implemented to monitor traffic on networks and alert the administrator of any suspicious activity. There are different types of intrusion prevention and detection systems, but a WIDPS is specific to wireless. These systems are able to look at traffic and protocols to determine if the traffic is legitimate or not. If it detects unusual traffic, it can be configured to try to stop the traffic. If nothing else, it at least keeps logs of the traffic’s activity. Some jobs that the system is capable of include resetting connections, blocking certain traffic, or dropping packets.
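Two of the checks a WIDPS performs on the unencrypted management frames mentioned earlier are shown in the added example below (written for this chapter, not taken from any WIDPS product): flagging an AP that advertises a protected SSID from a BSSID not on the allow list, and flagging a burst of deauthentication frames from one transmitter. The authorized BSSID list and the frame records are constructed sample data; the window and threshold are assumed tuning values.

```python
from collections import defaultdict

# Authorized radios (BSSIDs) for each corporate SSID.  Constructed values.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed management-frame records as a sensor might log them:
# (timestamp_s, subtype, transmitter/BSSID, ssid or None, receiver)
FRAMES = [
    (0.00, "beacon", "00:11:22:33:44:01", "CorpWiFi", "ff:ff:ff:ff:ff:ff"),
    (0.10, "beacon", "00:11:22:33:44:02", "CorpWiFi", "ff:ff:ff:ff:ff:ff"),
    (0.20, "beacon", "66:77:88:99:aa:bb", "GuestNet", "ff:ff:ff:ff:ff:ff"),  # unrelated SSID
    (0.30, "probe_resp", "de:ad:be:ef:00:01", "CorpWiFi", "aa:bb:cc:dd:ee:ff"),  # unknown radio
    (5.00, "deauth", "00:11:22:33:44:02", None, "aa:bb:cc:dd:ee:01"),  # single, plausible
] + [
    # 12 broadcast deauthentication frames within 0.55 s, carrying an authorized
    # AP's address as transmitter (management frames are not authenticated, so
    # the address may be spoofed).
    (2.0 + i * 0.05, "deauth", "00:11:22:33:44:01", None, "ff:ff:ff:ff:ff:ff")
    for i in range(12)
]


def find_rogue_aps(frames, authorized):
    """A beacon or probe response advertising a protected SSID from a BSSID
    that is not on the allow list for that SSID."""
    rogues = set()
    for _, subtype, bssid, ssid, _ in frames:
        if subtype in ("beacon", "probe_resp") and ssid in authorized \
                and bssid not in authorized[ssid]:
            rogues.add((bssid, ssid))
    return sorted(rogues)


def find_deauth_floods(frames, window=1.0, threshold=10):
    """Deauth/disassoc bursts from one transmitter inside a sliding time window.
    Returns {transmitter: largest count seen within one window}."""
    stamps_by_tx = defaultdict(list)
    for ts, subtype, bssid, _, _ in frames:
        if subtype in ("deauth", "disassoc"):
            stamps_by_tx[bssid].append(ts)
    floods = {}
    for bssid, stamps in stamps_by_tx.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                floods[bssid] = max(floods.get(bssid, 0), count)
    return floods


def alerts(frames, authorized, window=1.0, threshold=10):
    """Human-readable alert lines, the kind a WIDPS would log or forward."""
    out = [f"rogue AP {bssid} advertising {ssid}"
           for bssid, ssid in find_rogue_aps(frames, authorized)]
    out += [f"deauth flood from {tx}: {n} frames within {window} s"
            for tx, n in sorted(find_deauth_floods(frames, window, threshold).items())]
    return out


if __name__ == "__main__":
    for line in alerts(FRAMES, AUTHORIZED):
        print(line)
```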

Threats of Wireless Networks

Not following the accepted wireless security protocols discussed in the previous section can make WLAN infrastructures vulnerable to attack. Because wireless networks use radio frequencies (RF) as the medium for transmitting information, there are many threats to both secured and unsecured WLANs (Waliullah, Moniruzzaman, and Raham, 2015). It is no surprise that wireless networks have become as popular as they are today, given the mobility of connected devices, their low cost, and the fact that they involve less hardware; however, with the popularity of wireless networks in corporate and personal environments comes an ever-growing challenge of network threats due to the nature of the infrastructure. The field of wireless security has grown alongside the technology itself. Even with the standard of securing WLANs through WPA2 as referenced in the previous section, attacks will remain an inherent problem in our society. This section of the chapter will touch specifically on the risks of a weak network that does not have security safeguards in place and the types of common attacks that are present today with WLANs.

When searching for networks to hack, attackers will commonly search for the networks that have not secured their 802.11 WLAN with WPA2 or the other security protocols that have been discussed previously. Their hope is to discover the exact network information in which those very security protocols are used to encrypt and protect. The common goal of an attacker is to associate with the wireless access point, which can allow for the launch of several different attacks. SSIDs, MAC addresses, default configurations, the network encryption protocol used, and weaknesses in physical security are all common categories of information that attackers will look to obtain or discover.

There are a variety of attacking methods used to obtain private network information that will allow attackers to gain access to a WLAN. Typically, these attacks can be placed into five categories: confidentiality, access control, integrity, availability, and authentication. These five categories help to split up the types of attacks, but there will be overlap between categories due to the combination of attacks, depending on what type of information is to be obtained. This section will unravel some of the biggest vulnerabilities to a wireless network and the most common types of attacks that can threaten the WLAN.

Confidentiality Attacks

The goal of a confidentiality attack is to gain access to private information that is being passed through the WLAN by using either passive attacks or active attacks. Once hackers are able to gain access to this sensitive information, the attack only worsens.

In order to intercept the sensitive data that is being sent across the wireless network, common passive attack methods are used. A passive attack is very difficult to detect because of its non-intrusive nature. The attackers utilizing passive attacks simply observe the transmitted data over a period of time without making any alteration to the data. Eavesdropping and traffic analysis are common types of passive attacks in which hackers will utilize various “sniffing” tools to intercept information from weak or unsecured networks (Chakravarty, 2014). This is a significant issue seen today with public wireless networks or hot spots, where attackers within range of the RF signal can pick up on transmissions across the unsecured networks from just outside the building.

Differing from passive attacks, active attacks are a type of attack whereby hackers will actually take the intercepted data, manipulate it in some fashion, and embed it into a network or communication stream. Two very common active attacks on a WLAN today are the MitM and the evil twin AP. Both of these attacks are usually based on the setup of a rogue AP in which an unauthorized AP is established to a network that typically shares the same SSID information and configurations as the legitimate AP of a wireless network. This has become a challenge in the corporate setting as rogue APs aren’t always set up with malicious intent.

Employees will often set up a rogue AP connected to the enterprise network because the signal from the company’s legitimate APs is weak at their desk location. The evil twin AP is simply the name given to a rogue AP set up with malicious intent. The attacker will attempt to get an STA (any device connected to the network) to associate with the rogue AP. Once this happens, the attacker may be able to obtain sensitive credentials or information from the communications between the STA and the rogue AP. Because it is difficult to distinguish an evil twin AP from a company’s legitimate AP, the end user or STA is liable to associate with the fake AP. Most companies now routinely monitor and audit any rogue AP set up on their network, because the intent behind it cannot be determined from its configuration alone.

As previously stated, if an attacker is able to successfully set up a rogue AP on a wireless network they can perform a MitM attack. This is an active attack in which hackers will actually place themselves, as a fake AP, between two communicating nodes and wait for sensitive information to be transmitted, allowing them to intercept the message. In doing so, the attacker usually goes unnoticed and the communicating devices think they are still talking to each other.
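The rogue AP and evil twin discussion above, together with the WIDPS monitoring described earlier in the chapter, comes down to a check that a wireless sensor can perform: compare what is being advertised on the air against what the network team actually deployed. The following Python is an added example written for this chapter, not code from the book; the authorised inventory, BSSIDs, SSIDs and beacon observations are all constructed, and the look-alike SSID rule (flagging case or whitespace variants of a corporate SSID) is an assumption about how an evil twin might be named.

```python
"""Added example (not from the chapter): a minimal WIDPS-style rogue AP / evil-twin
check. It compares beacons observed by a wireless sensor against a hypothetical
inventory of authorised APs and reports (a) unknown BSSIDs advertising a corporate
SSID, (b) look-alike SSIDs (case or whitespace variants), and (c) weaker security
than the inventory expects. All inventory data and beacons are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a sensor would summarise it."""
    ssid: str
    bssid: str      # transmitting AP's MAC address, lowercase
    channel: int
    security: str   # "OPEN", "WEP", "WPA2" or "WPA3", parsed from the beacon's security elements
    rssi: int       # signal strength at the sensor, dBm


# Hypothetical authorised inventory maintained by the network team.
AUTHORISED = {
    "CorpNet": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
    "CorpGuest": {"bssids": {"00:11:22:33:44:03"}, "security": "WPA2"},
}

SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2": 2, "WPA3": 3}


def normalise_ssid(ssid):
    """Collapse case and surrounding whitespace so 'corpnet ' compares equal to 'CorpNet'."""
    return ssid.strip().casefold()


def classify(beacon, inventory=AUTHORISED):
    """Return a list of (finding, ssid, bssid) tuples for one beacon; [] means nothing to report."""
    findings = []
    entry = inventory.get(beacon.ssid)
    if entry is None:
        # Not one of our SSIDs verbatim; still catch near-identical names used by evil twins.
        lookalikes = {normalise_ssid(s) for s in inventory}
        if normalise_ssid(beacon.ssid) in lookalikes:
            findings.append(("LOOKALIKE_SSID", beacon.ssid, beacon.bssid))
        return findings  # otherwise a neighbour's network: out of scope for this check
    if beacon.bssid not in entry["bssids"]:
        findings.append(("ROGUE_BSSID", beacon.ssid, beacon.bssid))
    if SECURITY_RANK[beacon.security] < SECURITY_RANK[entry["security"]]:
        findings.append(("WEAK_SECURITY", beacon.ssid, beacon.bssid))
    return findings


def audit(beacons, inventory=AUTHORISED):
    """Run classify() over a capture and return the distinct findings in first-seen order."""
    seen, findings = set(), []
    for beacon in beacons:
        for finding in classify(beacon, inventory):
            if finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings


# Constructed sensor observations: two legitimate CorpNet APs, the guest AP, an open
# evil twin reusing the CorpNet SSID, a look-alike SSID, and an unrelated neighbour.
SAMPLE_BEACONS = [
    Beacon("CorpNet", "00:11:22:33:44:01", 6, "WPA2", -50),
    Beacon("CorpNet", "00:11:22:33:44:02", 11, "WPA2", -61),
    Beacon("CorpGuest", "00:11:22:33:44:03", 1, "WPA2", -70),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN", -40),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN", -41),   # same rogue seen again
    Beacon("corpnet ", "de:ad:be:ef:00:02", 1, "WPA2", -45),
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 1, "OPEN", -80),
]

if __name__ == "__main__":
    for kind, ssid, bssid in audit(SAMPLE_BEACONS):
        print(f"{kind:15} ssid={ssid!r} bssid={bssid}")
```

The inventory comparison is the part that matters: an SSID match alone tells the sensor nothing, because the whole point of an evil twin is that it copies the SSID, so the decision has to rest on the BSSID and the advertised security being ones the organisation actually deployed. The open "CorpNet" rogue is reported twice (unknown BSSID and weaker security than expected), and the employee-installed AP described above would surface the same way, which is why the chapter says such APs need to be audited regardless of intent.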

Access Control Attacks

Access control attacks are used to gain unauthorized access to a wireless network by a series of attempts to get through the filters and firewalls of the network. As previously stated, some of the attacks will overlap between the five categories, and access control attacks show this overlap. Due to the nature of attacks requiring access into the AP, the evil twin AP setup could very well be placed into the access control category as well as confidentiality. With that being said, for the sake of this discussion, if attackers are looking to obtain confidential information once they have gained unauthorized access to the network, we will consider that a confidentiality attack.

Figure 19.5 Wardriving kit.

One of the most common types of access control attacks is wardriving. This type of attack involves the attempt to access unsecured or poorly secured networks by driving around in a vehicle sniffing out networks. Wardrivers will typically map out an area, often by utilizing a global positioning system (GPS), in order to sniff out the APs from that particular area. Following the completion of mapping the area, they can then go through the route and identify the vulnerabilities or weaknesses of each network. The vehicle will typically be equipped with a laptop that has software installed, often free software, that allows the attackers to listen for the wireless network’s broadcasts and then capture that data on their device. NetStumbler, Kismet, and Kismac are a few of the software tools available today that are used in wardriving. It is important to note that wardriving or sniffing out wireless APs is not a crime, but when the actual theft of information or unauthorized access onto a WLAN occurs, this practice becomes a criminal one. Figure 19.5 shows a typical wardriving kit that can be found in any vehicle performing this attack.

Another access control attack is MAC spoofing. In this attack, the attacker uses the sniffing tools mentioned previously to find and access the network. The goal is to capture the MAC addresses that the AP communicates with and to “spoof” them. If the attacker can successfully spoof a MAC address, they will attempt to have packets routed to their device rather than to the actual network host (Mandal and Saini, 2015). As with the other topics discussed here, this attack can be mitigated by using effective port security methods. Figure 19.6 depicts how MAC address spoofing is carried out.
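Port security stops a spoofed address at the wired edge, but on the air a sensor can also notice when two radios are transmitting under one MAC. The Python below is an added example, not code from the chapter: it applies the sequence-number heuristic (each 802.11 transmitter keeps its own 12-bit sequence counter, so a single station advances in small steps while two stations sharing a MAC produce a stream that jumps back and forth). The frames, the client addresses and the gap threshold are all constructed or assumed for the example.

```python
"""Added example (not from the chapter): spotting a spoofed client MAC from 802.11
sequence numbers. Each transmitter keeps a 12-bit sequence counter that increments by
one per frame (retransmissions reuse the number with the Retry flag set), so frames
that genuinely come from one station advance in small steps. When two radios send
with the same source MAC, the stream seen at a sensor jumps back and forth between
two counters. All frames below are constructed; the threshold is an assumption."""

SEQ_MODULO = 4096   # 802.11 sequence numbers are 12 bits wide
MAX_GAP = 64        # assumed: forward gaps larger than this are treated as anomalous


def seq_delta(previous, current):
    """Signed distance from previous to current on the 12-bit ring, in [-2048, 2047]."""
    return ((current - previous + SEQ_MODULO // 2) % SEQ_MODULO) - SEQ_MODULO // 2


def analyse(frames, max_gap=MAX_GAP):
    """Count sequence-number anomalies per source MAC.

    frames: iterable of (src_mac, seq, retry_flag). A production implementation
    would key the counter on (MAC, QoS TID), since QoS stations keep one counter
    per traffic identifier; this example assumes a single counter per MAC.
    """
    last = {}
    anomalies = {}
    for src, seq, retry in frames:
        anomalies.setdefault(src, 0)   # register the MAC even if it never misbehaves
        if src not in last:
            last[src] = seq
            continue
        if retry and seq == last[src]:
            continue                   # legitimate retransmission of the previous frame
        delta = seq_delta(last[src], seq)
        if delta <= 0 or delta > max_gap:
            anomalies[src] += 1        # went backwards, repeated, or jumped too far
        last[src] = seq
    return anomalies


def suspicious(frames, threshold=2, max_gap=MAX_GAP):
    """MACs whose anomaly count reaches the threshold, sorted for stable output."""
    return sorted(mac for mac, n in analyse(frames, max_gap).items() if n >= threshold)


# Constructed capture. A is a legitimate client whose address a second radio starts
# reusing part-way through; B is a well-behaved client that crosses the 4095 -> 0 wrap.
A = "aa:aa:aa:00:00:01"
B = "bb:bb:bb:00:00:02"
SAMPLE_FRAMES = [
    (A, 100, False), (B, 4090, False), (A, 101, False), (B, 4091, False),
    (A, 102, False), (A, 102, True),            # retransmission: same seq, Retry set
    (B, 4095, False),                           # a few frames lost: small gap, still fine
    (A, 103, False), (B, 0, False),             # B wraps around the 12-bit counter
    (A, 3000, False),                           # second radio begins sending as A
    (A, 3001, False), (A, 104, False), (B, 1, False), (A, 3002, False), (A, 105, False),
]

if __name__ == "__main__":
    for mac, count in analyse(SAMPLE_FRAMES).items():
        print(f"{mac}: {count} sequence anomalies")
    print("suspicious:", suspicious(SAMPLE_FRAMES))
```

The threshold of two anomalies keeps a single lost burst or a driver reset from raising an alert, while the interleaved stream from two radios trips it within a few frames. Treat this as a corroborating signal rather than proof: a station that roams between APs or resets its radio will also jump its counter once, so a WIDPS would combine it with other evidence such as signal strength or the sensor that heard each frame.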

The two access control attacks that have been discussed to this point can also be referred to as unauthorized access attacks. This attack is seen as sort of an umbrella to the others within the category because they technically all involve gaining unauthorized access to a WLAN prior to carrying out the attacks. The attack is as simple as the name implies. It is an attack whereby an individual gains access to a network without the proper authentication.

Figure 19.6 MAC address spoofing example.

Conclusion

Wireless technologies have exploded in popularity in the past couple of decades. Since so much of our data is now online and can be transferred wirelessly, it’s crucial that the security is impenetrable. The CIA triad outlines expectations for security: confidentiality, integrity, and availability. These things are becoming increasingly harder to achieve but increasingly important for wireless networks to protect. As of now, the best way to protect a network is through a combination of the different efforts outlined here, the most important being WPA2 implementation.

The attacks discussed and case studies presented illustrate why wireless security must be strongly and correctly implemented—a single, minor configuration error can expose an enormous vulnerability. This is why risk assessment is so important. Frequent penetration testing and constant monitoring are simple steps that an organization can take to make sure their security is up to par. No matter how secure a network is, someone will always be on the other end trying to infiltrate it. It’s up to everyone in an organization to keep a network secure; after all, a chain is no stronger than its weakest link.

QUESTIONS

1.  What are the components of a WLAN?

2.  What is the core of every secure network?

3.  What are smart cards and why are they changing?

4.  Explain the disadvantage of the WEP wireless security protocol.

5.  What is the Temporal Key Integrity Protocol process?
