Understanding wireless protection and security

Before we move onto forensic investigation of wireless security breaches, we need to understand the various facets of wireless protection and the elements of security therein.

Let's start with a bit of a walk down memory lane.

Wired equivalent privacy

In September 1999, the WEP security algorithm was created. Wired Equivalent Privacy (WEP), as the name suggests, was supposed to be as secure as a wired Ethernet network. At one point, it was the most widely used security algorithm, because it was backwards compatible and was the first choice offered in early router configuration options.

The early versions of WEP were particularly weak because the US Government restricted the export of cryptographic technology that used more than 64-bit encryption, which led manufacturers to restrict themselves to 64-bit encryption.

Once the US Government lifted the restrictions, 128-bit and 256-bit encryption were introduced; however, most WEP deployments used 128-bit encryption. While both 128-bit and 256-bit keys increased the key space and supposedly enhanced security, WEP was found to have numerous security holes and flaws. WEP networks were extremely vulnerable and easy to exploit with freely available software. In 2004, WEP was officially retired by the Wi-Fi Alliance.

Wi-Fi protected access

WEP was formally replaced by Wi-Fi Protected Access (WPA) in 2003 (a year before WEP was finally phased out) due to the increasing number of vulnerabilities and security flaws being discovered in the WEP standard.

While WEP used 64-bit and 128-bit keys, the keys used by WPA-PSK are 256-bit, a significant increase over the previous protocol.

Since WPA was born out of the need for stronger security, significant additional changes were implemented. To detect whether a man-in-the-middle (MITM) attack has compromised the integrity of the data being transmitted, message integrity checks and the Temporal Key Integrity Protocol (TKIP) were added. WEP used a fixed key; TKIP employs a per-packet key, which increased security dramatically. Further enhancements introduced the Advanced Encryption Standard (AES), in addition to or superseding TKIP. TKIP was designed to be deployed via firmware upgrades on existing WEP devices, so it retained certain elements for compatibility purposes, which led to its exploitation.
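As an added illustration, not taken from the original chapter, of why a fixed key with a short per-packet value was inadequate: WEP encrypts with RC4 keyed by a 24-bit IV prepended to the shared key, so whenever an IV repeats under the same fixed key, the same keystream is reused. The Python below implements RC4 (checkable against the standard "Key" test vector), shows that two packets sharing an IV cancel to P1 xor P2 (the classic two-time-pad failure that a per-packet key is meant to prevent), and estimates how few packets it takes before a randomly chosen 24-bit IV repeats. The shared key, IV and packet bytes are constructed sample values; WEP's CRC-based ICV is omitted because it is not needed for the point.

```python
import math
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP uses RC4 with the 24-bit IV prepended to the shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key = IV || shared key. The IV is sent in the clear;
    the shared key is fixed for the whole network (ICV omitted here)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_cancels(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """With a fixed key, a repeated IV means a repeated keystream, so
    C1 xor C2 == P1 xor P2: the cipher no longer hides the relation between packets."""
    c1 = wep_style_encrypt(shared_key, iv, p1)
    c2 = wep_style_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**iv_bits) random IVs give a ~50% chance
    of a repeat (roughly 5,100 packets for 24 bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def first_iv_collision(iv_bits: int = 24, seed: int = 1) -> int:
    """Simulate random IV selection; return the packet count at the first repeated IV."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return n
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    iv = bytes.fromhex("a1b2c3")               # constructed 24-bit IV
    print("keystream cancels:", keystream_reuse_cancels(key, iv, b"hello world!", b"goodbye, all"))
    print("birthday bound:", round(expected_packets_until_iv_repeat()))
    print("first collision in simulation:", first_iv_collision())
```

The contrast with TKIP is the point: deriving a fresh per-packet key (and a much longer sequence counter) means a repeated 24-bit value no longer yields a repeated keystream.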

While a number of attacks have been demonstrated against WPA, one of the most common ways in which WPA has been breached is via the supplementary Wi-Fi Protected Setup (WPS) feature. WPS is provided on Wi-Fi devices to make connecting to wireless access points (WAPs) easy.

WPA was officially superseded by WPA2 in 2006.

Wi-Fi Protected Access II

WPA was significantly changed into its successor, WPA2, which made the use of the more secure AES algorithm mandatory.

WPA2 still has some obscure vulnerabilities (though far fewer than WPA), which require an intruder to have insider access to the secured network in order to obtain the security keys.

That said, the biggest vulnerability of WPA2 networks remains the same as that of WPA networks, namely the Wi-Fi Protected Setup (WPS) implementation. Though it takes between 2 and 10 hours (depending upon your infrastructure) to break into a WPA/WPA2 network this way, the security risk is real and cannot be ignored. Ideally, WPS should be disabled on the device and, if possible, the firmware flashed to eliminate WPS altogether.

The various iterations of WEP, WPA, and WPA2 are shown in the following table, which sums up their current security rankings for quick reference:

Sr. No.   Description        Security rank (1 is best)
1         WPA2 + AES         1
2         WPA + AES          2
3         WPA + TKIP/AES     3
4         WEP                4
5         Open network       5

The best options to implement, from a security perspective, are WPA2 + AES, along with disabling WPS. Everything else is on a sliding scale after that, with WEP being just a single step above a completely open network.

Securing your Wi-Fi network

Wi-Fi security isn't as straightforward as that of a normal network, essentially because every device that is part of the network is also reachable from both inside and outside the network.

Thus, any compromised device can open the gate to the complete network. That is definitely not a bridge you want an outsider to cross.

Wi-Fi security is not a small affair and requires serious thought and planning on the part of the implementation team.

Let's outline some important security aspects to consider:

  • Turn on/upgrade your Wi-Fi encryption: As discussed in the earlier section, we must ensure that our network encryption is at the highest level available for our network. WPA2 + AES with WPS turned off is the preferred option as of now.
  • Change your router password: Keeping the default password that came from the manufacturer is a cardinal sin in the world of security. In fact, the Internet has lists of the default usernames and passwords of just about every router ever manufactured. Some of these can be found at the following:

    http://www.cirt.net/passwords

    http://www.routerpasswords.com

    http://www.portforward.com/default_username_password

  • Update router firmware and consider an upgrade to third-party firmware if possible: Ideally, the router should be running the latest firmware, especially if that firmware eliminates the WPS option. Alternatively, it is worth considering an upgrade to third-party firmware, such as Tomato or DD-WRT.
  • SSIDs – to hide or not to hide?: Routers are routinely shipped with default SSIDs set by the manufacturer, such as Netgear. To a determined miscreant, it makes no difference whether you hide an SSID or not; a number of tools, such as Kismet and KisMAC, can detect hidden SSIDs. Hiding the SSID only works on the principle of security by obscurity, wherein the security depends on not being found out. However, it does make sense to rename the SSID to something that does not give away the make/model or any information related to the owner, such as the company name, address, and so on. All these pieces of information can be quite useful to a person planning to target you from either inside or outside.
  • MAC filtering: This option allows only specific computers (as identified by their MAC addresses) to access your Wi-Fi network. The MAC address is a unique ID assigned to every network interface card (NIC). Unfortunately, every packet carries a header that lists the MAC address of the NIC that sent it, so the allowed addresses are visible on the air. This makes it easy for an attacker to spoof an allowed network card and gain unfettered access to the Wi-Fi network, which is why MAC filtering is not a substitute for strong encryption.
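To turn the ranking table and the hardening list above into something checkable, here is an added example (not part of the original chapter) that audits an access point configuration written in hostapd.conf syntax. It maps the settings onto the chapter's ranking (1 = WPA2 + AES down to 5 = open), flags WPS being enabled, a vendor-default SSID, and notes where a hidden SSID or a MAC allow-list is being relied on as a control. The hostapd keys used (wpa, wpa_pairwise, rsn_pairwise, wps_state, ignore_broadcast_ssid, macaddr_acl, wep_key0) are real hostapd options; the two configurations and the vendor-name list are constructed for the example, and treating "WPA2 with TKIP still allowed" as rank 3 alongside the table's "WPA + TKIP/AES" is an assumption of this script, not a row from the table.

```python
# Constructed sample configs in hostapd.conf syntax (key=value lines);
# they are not taken from any real deployment.
WEAK_CONFIG = """\
interface=wlan0
ssid=NETGEAR
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wps_state=2
ignore_broadcast_ssid=1
macaddr_acl=1
"""

HARDENED_CONFIG = """\
interface=wlan0
ssid=office-guest-2f
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
"""

# Constructed list of substrings that suggest a manufacturer-default SSID.
VENDOR_SSID_HINTS = ("netgear", "linksys", "dlink", "d-link", "tp-link", "default")


def parse_config(text: str) -> dict:
    """Minimal hostapd.conf parser: key=value lines, '#' comments and blanks ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def classify(cfg: dict) -> tuple:
    """Return (rank, label) following the chapter's table: 1 = WPA2 + AES ... 5 = open.
    hostapd semantics: wpa=1 WPA only, wpa=2 WPA2 only, wpa=3 both; wpa_pairwise
    lists WPA ciphers, rsn_pairwise lists WPA2 ciphers (falls back to wpa_pairwise)."""
    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        return 4, "WEP"
    wpa = int(cfg.get("wpa", "0"))
    if wpa == 0:
        return 5, "Open network"
    wpa_ciphers = set(cfg.get("wpa_pairwise", "").split())
    rsn_ciphers = set(cfg.get("rsn_pairwise", "").split()) or wpa_ciphers
    tkip_allowed = bool((wpa & 1 and "TKIP" in wpa_ciphers) or (wpa & 2 and "TKIP" in rsn_ciphers))
    if tkip_allowed:
        return 3, "WPA/WPA2 + TKIP/AES"   # assumption: TKIP anywhere caps the rank at 3
    if wpa & 1:
        return 2, "WPA + AES"             # mixed mode still admits WPA clients
    return 1, "WPA2 + AES"


def audit(text: str) -> dict:
    """Rank the config and list the hardening findings from the chapter's checklist."""
    cfg = parse_config(text)
    rank, label = classify(cfg)
    findings = []
    if rank > 1:
        findings.append(f"encryption is {label} (rank {rank}); move to WPA2 + AES (wpa=2, rsn_pairwise=CCMP)")
    if cfg.get("wps_state", "0") != "0":
        findings.append("WPS enabled (wps_state != 0); disable it or flash firmware without WPS")
    ssid = cfg.get("ssid", "")
    if not ssid or any(h in ssid.lower() for h in VENDOR_SSID_HINTS):
        findings.append(f"SSID '{ssid}' looks like a vendor default; rename it without make/model or owner details")
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden SSID relied on: obscurity only, scanners still recover it")
    if cfg.get("macaddr_acl", "0") == "1":
        findings.append("MAC allow-list in use: MAC addresses travel in clear headers and are spoofable; not a substitute for encryption")
    return {"rank": rank, "label": label, "findings": findings}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(text)
        print(f"{name}: rank {result['rank']} ({result['label']})")
        for f in result["findings"]:
            print("  -", f)
```

Run it against your own hostapd.conf (or a config exported from a router's admin page and rewritten in the same key=value form) to get a quick ranking and a to-do list; a clean result is rank 1 with no findings.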