WLAN and IP Networking Threat and Vulnerability Analysis

CHAPTER 6

THIS CHAPTER CONSIDERS the threats and vulnerabilities that are directly associated with 802.11 wireless networks, their various topologies, and devices. It also looks at wireless local area network (WLAN) vulnerabilities within the context of IP networking and how cyberthieves and hackers leverage WLANs as the “crack in the door” to the corporate networks they attack.

Wireless networks consist of radio cards that work together in a variety of configurations to form peer-to-peer WLAN infrastructures, bridges, repeaters, extenders, backhaul networks, and distribution integration services. These are used to connect to different mediums, such as Ethernet. The radio waves used in wireless networks are an unbounded medium, open to far greater interference, corruption, and eavesdropping than their wired predecessors were. This inherent feature of all wireless networks makes these networks far more vulnerable to data interception, manipulation, and theft.

Poor wireless design and the careless deployment of access points with regard to radio frequency (RF) coverage typically enlarge the attack footprint. Far too often, in-house technicians with little knowledge of RF or site-survey best practices install wireless networks. The results are what one might expect: good to excellent RF coverage indoors that meets capacity and coverage expectations, but massive areas of RF leakage outside the building. This leakage typically goes largely unnoticed by all but the wrong people. RF leakage does not just cause unnecessary interference with neighbor networks. It’s a huge security back door into the company’s network.

An understanding of this—as well as of the human behaviors of both careless or unsuspecting employees and malicious attackers—is a key aspect of the information security professional’s craft. This chapter weaves elements of relevant human behavior into its discussion of the technical vulnerabilities.

Chapter 6 Topics

This chapter covers the following concepts and topics:

  What the different types of attackers are

  What the two main types of targets are

  How a hacker might scout for a targeted attack

  How physical security applies to wireless networks

  How hackers use social engineering to access wired and wireless networks

  What wardriving is

  How rogue access points work

  What Bluetooth vulnerabilities and threats exist

  What packet analysis is

  How thieves steal information from wireless networks

  What the dangers of malicious data insertion on wireless networks are

  What a denial of service attack is

  What the security risks of peer-to-peer hacking over ad hoc networks are

  What happens when an attacker gains unauthorized control of a network

Chapter 6 Goals

When you complete this chapter, you will be able to:

  Understand how the skill level and intent of hackers and data thieves determine risk levels

  Describe social engineering and provide examples of how hackers use different methods to obtain their goals

  Describe wardriving and how it can be used to exploit poor access point (AP) configurations

  Describe the difference between rogue APs and evil twins

  Understand how evil twins work and describe how they are used

  Understand how Bluetooth connections are made and exploited

  Explain why wireless is vulnerable to packet analysis and describe how hackers exploit this vulnerability

Types of Attackers

Before going into details on specific vulnerabilities, let’s take an instructive look at the differences between types of attackers and the range of skill levels that different attackers bring to bear. In doing so, it will become clear that the vast majority of threats can be reduced if not eliminated outright.

Skilled Versus Unskilled Attackers

Typically, the more skilled an attacker, the more risk there is associated with an attack. But this is not always the case. By way of analogy, there is a difference between a skilled cat burglar and a simple thug who smashes a glass jewelry counter with a hammer. At the end of the day, however, if the bad guys get away with the jewels, it’s of little consequence which technique they used.

This point is made because many aspects of sound IT security are overlooked simply because they seem so obvious. All too often, IT security teams focus their energy and resources on preventing highly sophisticated attacks, but fail to employ simple tried-and-true procedures to prevent more primitive breaches. Remember: The charter of IT security is to reduce risk as much as possible in accordance with the needs of the business and the resources at hand. Employee training and locked doors may not be as exciting as setting up multilayered data-center defenses, but they will prevent many possible (indeed, probable) attacks.

Having said that, it’s also important to recognize that the skill level of some hackers makes the task of 100-percent security all but impossible over the long haul. Even worse is the phenomenon of nation state–backed hacker consortiums. Not only are these teams exceptionally skilled and well funded, they also have an enormous advantage in that their targets have to be right 100 percent of the time, while they need to be successful only once.

These groups are also known as advanced persistent threats (APTs). They launch multi-phased attacks to break into networks to harvest valuable information while avoiding detection. These highly complex, long-term infiltration attacks present a significant risk to financial institutions and government agencies, among others.

Insiders Versus Outsiders

An authorized insider, especially a knowledgeable one, who turns on his or her employer is a nightmare—possibly the worst-case scenario for IT security teams. Any insider can cause significant harm if for no other reason than that he or she is allowed in the building. But insiders are not the only threat. If a wireless network is not properly designed and controlled, an attacker no longer needs to get inside the building to gain access to the network. With wireless, hackers and cybercriminals can overcome one of the biggest hurdles they face: lack of physical access to the network.


FIGURE 6-1

Comparing the risks of skilled and unskilled internal and external attackers.

Figure 6-1 illustrates some general risk levels of skilled versus unskilled outsiders and insiders. It’s important to note here that you can prevent scenarios in the bottom half of the chart through basic security best practices and employee training. Again, these are not the most glamorous aspects of IT security, but they may very well be the most important and impactful. Later in this chapter, you will read about a low-level, unskilled employee who managed a significant (and embarrassing) data theft that could easily have been prevented.

This brings up one of the sayings you may hear in your career: “You can’t stop stupid.” This refrain is often spoken by IT security specialists in response to users who, through their lack of knowledge or awareness, do something that raises the vulnerability level or results in an actual security breach.

While the phrase is funny, it’s also a copout. Education on security matters is a critical responsibility of the IT security team. If employees don’t understand basic security best practices (at least from a user behavior standpoint), it’s the fault of the security team for not training them, and of company management for not mandating and supporting said training. What may seem obvious to you as a security professional may not be obvious to someone in the HR, legal, or finance department, just as you, as a security professional, are likely unaware of generally accepted accounting principles. Indeed, education may well be your best security tool.

Targets of Opportunity Versus Specific Targets

In general terms, there are two types of targets:

  Targets of opportunity—A target of opportunity is a target that has not previously been identified or considered, but that becomes available due to circumstances outside the hacker’s control. For example, if someone were to leave a smartphone or tablet at a coffee shop, that might constitute a target of opportunity for a hacker. Other targets of opportunity might include:

  An unsecured Wi-Fi network in an executive’s home

  An unsecured wiring closet

  An unsecured rogue access point (AP) installed by an employee or an employee attaching to a non-verified free Wi-Fi in a public place to avoid a pay-per-use service

A target of opportunity can even include cases in which a hacker has a specific company in mind but not a specific goal.

  Specific targets—With a specific target, the hacker has a specific goal in mind. This might be the disruption of a business, the theft of customer financial data, or even theft of information for market advantage (corporate espionage).

Like Figure 6-1, Figure 6-2 shows a two-by-two matrix—this time with the dangers associated with targets of opportunity and specific targets. As shown in this chart, you can greatly reduce the threat level in three of four sectors with employee training and the application of best practices. In the fourth sector—in which a highly skilled attacker goes after a specific target—the risk level is higher. Although that is cause for concern, most organizations that would likely be the target of such an attack (financial and retail companies, government organizations, political groups) would typically be aware of their higher risk profile and would hopefully have appropriate policies and staff in place.


FIGURE 6-2

Comparing the risks of targets of opportunity versus specific targets from skilled and unskilled attackers.

Scouting for a Targeted Attack

When planning a cyberattack, attackers will spend a great deal of time profiling the network and organization, probing for clues to the systems and devices deployed on the network. Typically, attackers look for any weak spots or back doors that will enable them to gain access. The first step in the execution of any attack is to gain a foothold.

When assessing an organization’s network, many attackers start by using wireless scanning software to detect the presence of a poorly deployed 802.11 wireless network. If the designers of the wireless network have contained the RF to within the company’s physical boundaries, then this will be difficult for the casual attacker. If, however, RF coverage has been less diligently controlled, then the opposite is true. The attackers will likely be able to detect the network from a safe distance. In fact, using a cheap and easily accessible directional antenna, an attacker could be hundreds of yards away and still penetrate the network.

NOTE

Even in cases when power settings have not been changed, the reach of RF signals can vary greatly, depending on external factors. These include seemingly trivial factors such as rearranged furniture, plant and tree trimming, or changes in season.

By gaining access to the wireless signal and the beacons emitted from the wireless network, attackers can capture and analyze packets traversing the air interface. Gaining access to the WLAN at the Physical Layer in this way will enable the attacker to capture packets to map the network and determine the device vendors and operating systems. Using a simple Layer 2 network analysis tool such as Airshark, an open-source program that can be downloaded free, the attackers can capture and eavesdrop on the client station/access point communication crossing the network.

The attackers’ goal during this phase is to gather Layer 2 network information, such as the following:

  Media access control (MAC) addresses

  Service set identifiers (SSIDs)

  Basic service set identifiers (BSSIDs)

  Device types deployed

  Authentication use and type

  Encryption use and type

  Channels in use

  Default configurations

  Neighbors (in multi-tenant buildings)

With this information in hand, the attackers can plan the actual tactics of the attack that will allow them to associate with the access point.

The attackers may also scout individual employees to see where they live and spend their free time. A common practice is to follow employees home and test the security of their home Wi-Fi networks. Attackers may also follow employees to a public location such as a coffee shop to see if they connect to a nonsecured Wi-Fi network. Some attackers may even go so far as to profile these locations and set up an evil twin (discussed later in this chapter).

Why go through all this trouble? Unless the planned attack is a denial of service (DoS) attack, the attacker needs access. In most cases, it’s pretty hard to just walk through the door of an organization and get access to an open port. The next best thing is to find an unsecured or weak wireless network or to gain access to an employee’s authorized device.

This brings us back to Figures 6-1 and 6-2. Even the most sophisticated attacks have to start somewhere, and that “somewhere” typically involves getting access to the network. Once again, using security best practices and educating employees are key to defense. While taking these steps may deter a skilled hacker for only a limited time, it’s still important to do so.

Physical Security and Wireless Networks

The best way to prevent casual eavesdropping, not to mention an attacker performing a Layer 2 packet analysis of the wireless network, is to control the radiation of the RF signal outside the premises. This assumes, however, that the internal network hasn’t been compromised due to a lack of security. It’s essential to treat basic physical security as the foundation of the company’s security strategy, and ensure that policies are in place and enforced.

This not only includes securing physical access to the building or office, but also physically securing internal systems. That means locking doors to rooms containing access switches and installing security doors (with audit logs) for data centers or network labs. In addition, security teams should conduct regular sweeps—that is, survey RF power levels to ensure that RF performance has not changed.

On a related note, you should shut down all switch ports that are not in use. This prevents users from plugging unauthorized devices into the wired network’s wall sockets. This simple measure alone can prevent attackers or malicious insiders from installing rogue access points.

Social Engineering

A significant weakness in any technical system, whether it be a server, a wired network, a firewall, a virtual private network (VPN), or some other system, is the system’s end users. These end users—even those who are trained and experienced—may fall prey to social engineering. Social engineering is the practice of teasing out information that should not be shared, in order to use it to one’s advantage.

Phishing is an example of social engineering. With phishing, scammers send an e-mail that appears to come from the receiver’s bank or some other trusted organization. This e-mail asks the recipient to click a link, which appears legitimate, but in fact directs the recipient to a site owned by the scammer. The site prompts the recipient to enter his or her user ID and password. When the recipient does so, the scammer is able to collect it.

One would think that as people become more aware of phishing, the practice would stop. But unfortunately, there will always be people who fall for it. This is what these scammers count on. And as skilled as some hackers may be, you should fear the ones who can manipulate people as much as the ones who can manipulate technology.

Social engineering takes advantage of some of the following human tendencies:

  People are generally nice and want to help other (seemingly) nice people.

  People tend to reciprocate favors.

  People are curious.

  People tend to respond to authority figures.

  People tend to be creatures of habit.

Of course, this is not an exhaustive list. But it serves to illustrate the point. It should also be noted that all these traits are generally positive. Regardless, hackers who are adept at social engineering use these traits to their advantage—and for good reason. As one famous hacker stated, “It is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.”

Some additional examples of social engineering may help illustrate how it works:

  Chat-up scam—In this scenario, a hacker calls a company in the hopes of reaching someone who is chatty. For example, the hacker might pose as a remote employee. After three or four pleasant phone calls with someone in the office, the hacker might then say he or she forgot or erased his or her Wi-Fi password. Often, thanks to the rapport the hacker has established, the in-house employee will simply supply the information. Hackers may also use these types of conversations to collect other information about the company or about employees.

FYI

One of the first major network breaches in the early 1990s—of the Los Alamos Nuclear Lab, no less—was made possible by a chat-up scam. A hacker used this type of social engineering to glean the system password. Social engineering was again used on the same lab in 2006. This technique is especially powerful when hackers use it with multiple employees. Often, each employee divulges seemingly innocent information, but when it is pieced together, it can paint a very accurate picture of what’s going on in the organization.

  Help-desk scam—In this clever scam, a technically savvy hacker calls various employees (at random or not), claiming to be with the help desk and offering to help with some vague system or computer issue. The hacker will then establish a rapport, which enables him or her to contact these employees in the future to ask them for “help with an issue”—for example, a “test” involving the Wi-Fi password. This also works in reverse—that is, the hacker, either playing dumb or sounding authoritative, calls the help desk to ask for the password to the wireless network.

  Curiosity kills scam—In this scam, the hacker drops a few USB sticks in the parking lot of a specific target (typically a company). The idea is to make it look like an employee dropped them by accident. Often, an unsuspecting (or uneducated) employee will pick them up. In an effort to identify the owner of the sticks, the employee will then plug one or more into an office computer, at which point he or she will typically see a single file. If the employee opens this file, a program will be secretly installed on the computer that gives the hacker access. (The author knows a gray-hat hacker who swears by this technique.)

  Authority scam—With this technique, the hacker, claiming to be an executive or some other authority figure, calls a lower-level employee and demands information, such as the Wi-Fi password. Fearful of getting in trouble, the employee surrenders the information. (This works best in large companies, where not everyone knows each other.)

  Habits scam—Hackers know that people are creatures of habits, and that many people create passwords based on these habits (or worse, leave the factory default passwords in place, which are easily found online). This knowledge enables hackers to guess employees’ passwords. In one classic case, hackers were able to guess people’s passwords based on the knowledge that the people were fans of Star Trek. The hackers simply tried different combinations of character names and other aspects of the show, and were very successful. Implementing password best practices has helped with this, but it still happens.

  Tailgating—Tailgating occurs when an authorized person opens a secure door (usually with a key badge), and someone follows him or her in. People who let the “tailgater” through rarely ask to see his or her badge, as it can be socially awkward. Hackers take advantage of this, using it to gain unauthorized access to buildings. One technique is to open an outer (unsecured) door for someone, who then returns the favor on the next door (the one that requires the key badge). This works particularly well on a cold, rainy day. After all, who would ask to see someone’s badge if that person just helped you get in from the cold?

Wardriving

Wardriving is the 802.11 wireless equivalent of wardialing, in which phreakers would search banks of telephone numbers looking for a modem to answer. In this way, they found computer systems that were connected to external resources by modems. Now, wardriving attackers search for wireless access points in a form of unauthorized and covert reconnaissance.

Wardriving doesn’t require special equipment, although it is typically more successful if a high-gain antenna is used. Usually, the wardriver uses a WLAN utility called a sniffer to detect access points and their SSIDs by intercepting and capturing their beacons. Examples of sniffers include Kismet and Airshark, as well as the older but still popular NetStumbler. Wardrivers may also use Global Positioning System (GPS) software and mapping applications such as Google Earth to map and correlate their discoveries.

Wardriving is a tool for finding targets of opportunity. It’s for those keen to detect unprotected wireless networks in the area. These people are looking for vulnerable networks, where users have not secured their access points (usually unknowingly). A desirable target for a wardriver will be an access point with its out-of-the-box default configuration—one that still has its default password (often “admin”). Although this configuration is the quickest and easiest way to get a new user up and running, which makes it attractive to many home users, it is inherently unsecure.

Wardrivers typically look for the following vulnerabilities:

  Default usernames and passwords

  Weak or nonexistent WLAN encryption

  Default SSIDs

  Default crypto keys for authentication and encryption

  Default Simple Network Management Protocol (SNMP) settings

  Default channels

  Enabled Dynamic Host Configuration Protocol (DHCP)

These vulnerabilities enable wardrivers to easily gain access to and control WLANs.

Wardrivers typically stick to passive attacks or eavesdropping. These types of attacks may not be malicious; they may be done simply out of curiosity. These wardrivers may also map the unprotected networks they find. Other wardrivers, however, launch active attacks on the networks they find. These attacks may take one of several forms:

  Masquerading—With masquerading, the attacker impersonates authorized users to gain their level of privileges.

  Replay—In a replay attack, the attacker uses a packet analyzer to capture network traffic between hosts. The hacker can then retransmit that traffic as though from a legitimate user. The message is correctly received, but being “random,” can cause disruptions or server errors.

  Message modification—This is where an attacker alters, deletes, adds, or reorders the contents of a message. It is an attack on the integrity of the data.

  Denial of service (DoS)—By constantly transmitting on the Layer 1 level, a client station can deny others access to the network.

Wardriving is an attack from outside the boundaries of the home or business premises. You can mitigate it by lowering the power of the access point and by moving the access point to reduce the radiation of RF outside the building. In addition, following best practices with regard to default password settings, authentication, and encryption (for example, changing the default password, setting up MAC filtering, and turning on Wi-Fi Protected Access 2 (WPA2) encryption) will help prevent most security incidents. Wardriving is typically opportunistic in nature, primarily targeting home WLANs and small businesses. If a wardriver detects a secure WLAN, he or she will likely move on, as there are likely many unsecure WLANs around.

NOTE

Particularly in a business setting (but also in homes), it is imperative that the administrator not leave access points with their default settings. In addition, administrators should defend against wardriving by implementing encryption settings, reset functions, access control lists, and shared keys.

Rogue Access Points

A more significant concern for medium and larger networks is rogue access points. A rogue access point, or rogue AP, is an unauthorized AP attached to the wired network. These can be installed by hackers (with malicious intent), but can also be installed by well-meaning employees who simply want easier access to the network. In the latter case, hackers can easily exploit these rogue APs. In addition to being unauthorized, rogue APs are unmanaged, which makes them doubly vulnerable to attack. They may be added to the network to serve as an attack vector—a deliberately and maliciously installed device that provides an attacker with a convenient back door into the network. An estimated 20 percent of corporations have had rogue APs on their networks at some time.

NOTE

Rogue access points have become more common since the commoditization of IT and the introduction of wireless-enabled devices into the workplace. To use their own mobile devices at work, users require an access point and often get impatient waiting for IT to set one up.

Rogue AP Vulnerabilities

The dangers of rogue APs are twofold in nature. First, if the rogue AP is installed by an employee who simply seeks easier access to the network, it will likely be poorly done, both in terms of power and security. This can lead to leakage of RF signals from the building, which is akin to leaving a local area network (LAN) Ethernet switch accessible from the street. Second, if a hacker installs the rogue AP, it offers easy access into the corporate network from a safe location, usually from outside the physical security perimeter.

A rogue AP creates a significantly larger attack footprint for an attacker. Potential vulnerabilities include the following:

  Scanning and mapping of the WLAN network

  Man-in-the-middle attacks

  Attacks on the wired network, such as Address Resolution Protocol (ARP) poisoning, DHCP attacks, Spanning Tree Protocol (STP) attacks, and DoS attacks

  Free and unauthorized Internet access and all the associated problems that come with that (including, but not limited to, launching phishing and DoS attacks and visiting illicit Web sites)

  Data leakage and theft due to unauthorized access

Rogue APs are a real concern. In a large network—especially one with many locations and departments—preventing the installation of rogue access points and finding ones that already exist can be very difficult. There are some automated tools for finding them—for example, security appliance plug-ins that scan for devices listed as wireless APs—but it’s very easy to hide one if that’s your intent.

One way to reduce the risk of rogue APs is to use Network Access Control (NAC) with mutual authentication, which can block unauthorized devices from connecting. Another approach is to maintain strict control over the Ethernet ports on access switches, ensuring that all unused ports are shut down by default. This would prevent a rogue AP from being inserted into a live Ethernet port, although it isn’t always practical because it takes a lot of hands-on management by IT and can cause employee frustration. Yet another way is to deploy a wireless intrusion prevention system (WIPS), which can actively hunt and block rogue APs connecting to the corporate LAN. If the rogue AP is an evil twin, however, this can be difficult.

Evil Twins

An evil twin is a rogue AP installed with sinister intent. In the case of an evil twin, an attacker poses as a genuine network service provider but actually eavesdrops on activities conducted on the network and steals information and passwords. Evil twins are the wireless equivalent of the fraudulent phishing Web sites used to lure people into divulging their personal information.

The evil twin works because it looks like a legitimate access point. But when users connect to it and use it to access Web sites and perform other tasks, the access point eavesdrops on their every move, stealing credentials, passwords, and anything else of interest. Most banking Web sites and e-mail clients use Hypertext Transfer Protocol Secure (HTTPS) and are therefore not vulnerable to this sort of attack, but a lot of information can nonetheless be gleaned through the use of an evil twin. Evil twins are especially hard to detect because they are easy to set up and can be run on a laptop, which means they can be shut down and relocated very quickly.

Typically, evil twins are configured with the same SSID as an authorized AP. In fact, an evil twin may even pass data directly through the original AP. Users fall for the trap because 802.11 management packets are easily forged and access points are not required to prove their identity. To compound matters, many laptops, smartphones, and tablets are configured to automatically connect to the access point with the strongest signal.

Client stations form associations by connecting to an access point advertising its presence through the use of beacons. The client listens for these beacons while in passive mode. Alternatively, it can actively send out probe requests when in active mode. A probe request initiates a probe response from all listening access points with a given extended service set identification (ESSID) if one has been named in the probe request. If no ESSID was specified, however, then all access points will reply with a probe response.

Access point beacons and probe responses carry all the specifications, characteristics, and functionality that an access point supports, including the basic service set identifier (BSSID), which is often the access point’s MAC address. The client will respond to the access point that has the strongest signal and the correct advertised capabilities with an authenticate request. If the access point is configured for WPA2, there may be a challenge for a shared key.

In most network configurations, however, an authentication response will simply be sent back by the access point. The client and access point then exchange an association request and a response. This forms the association between them, which will be maintained until a disassociate or deauthenticate packet is received. The problem here is that neither Wired Equivalent Privacy (WEP), which is deprecated but still in use in many home networks, nor WPA/WPA2 can prevent associating with an evil twin because encryption only comes into play after association is complete. They cannot prevent ESSID, MAC, or management packet spoofing, which occurs before the association (if formed).

To set up an evil twin, the attacker first listens for an ESSID being broadcast from the genuine access point. He or she might use an application such as Hotspotter to listen for probes being sent from other clients in the area. Alternatively, the attacker might use Airshark or NetStumbler to capture and analyze packets to identify the ESSID for the WLAN. Once the attacker knows the ESSID, he or she deploys a fake access point close to the targeted victim client stations. It’s important to emphasize that the attacker does not install a hardware access point—rather, the attacker runs a software-based access point on his or her laptop. Because most client stations will associate with any access point sharing the same ESSID, it is often not even necessary to forge the MAC address of the genuine access point.
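The Layer 2 facts listed under Scouting for a Targeted Attack (SSID, BSSID, channel, whether encryption and WPA2 are offered) are carried in every beacon, so a defender’s monitor can read them just as easily. The following is an added example, not code from the book: it decodes constructed beacon frames and flags a second BSSID advertising a corporate SSID, the evil-twin pattern described above. The AP inventory, MAC addresses and SSIDs are constructed placeholders.

```python
"""Parse constructed 802.11 beacon frames and flag evil-twin candidates.

Added example, not from the book. The AP inventory and the beacons below
are constructed for illustration; no radio is involved.
"""
import struct

# Information element IDs and the capability bit used below (802.11)
IE_SSID = 0
IE_DS_PARAMS = 3      # carries the channel number
IE_RSN = 48           # present when WPA2 (RSN) is offered
CAP_PRIVACY = 0x0010  # capability bit: encryption (WEP/WPA/WPA2) in use
# A realistic RSN body: version 1, CCMP group and pairwise cipher, PSK AKM
RSN_CCMP_PSK = bytes.fromhex("0100000fac040100000fac040100000fac020000")

# Constructed inventory: corporate SSID -> BSSIDs that are allowed to use it
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Return the Layer 2 facts an observer learns from one beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x0C) != 0x00 or (fc & 0xF0) != 0x80:   # type=management, subtype=beacon
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])                      # address 3 = BSSID
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ssid": "", "channel": None,
            "privacy": bool(cap & CAP_PRIVACY), "rsn": False}
    pos = 36                                           # tagged IEs start here
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) < ie_len:
            break                                      # truncated IE: stop, do not guess
        if ie_id == IE_SSID:
            info["ssid"] = body.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            info["channel"] = body[0]
        elif ie_id == IE_RSN:
            info["rsn"] = True
        pos += 2 + ie_len
    return info


def classify(info, authorized=AUTHORIZED):
    """Findings for one parsed beacon; an empty list means nothing looked wrong."""
    findings = []
    ssid = info["ssid"]
    if ssid not in authorized:
        return findings                                # not our SSID; out of scope here
    if info["bssid"] not in authorized[ssid]:
        findings.append("unknown BSSID advertising corporate SSID (evil twin candidate)")
    if not info["privacy"]:
        findings.append("corporate SSID offered as an open network")
    elif not info["rsn"]:
        findings.append("corporate SSID without RSN (WEP/WPA1 only)")
    return findings


def scan(frames, authorized=AUTHORIZED):
    """Parse every frame; return {bssid: findings} for beacons that raised any."""
    report = {}
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:
            continue                                   # skip non-beacons and junk
        hits = classify(info, authorized)
        if hits:
            report[info["bssid"]] = hits
    return report


def build_beacon(bssid, ssid, channel, privacy=True, rsn=True):
    """Construct a minimal beacon frame (test input only)."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([IE_DS_PARAMS, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, len(RSN_CCMP_PSK)]) + RSN_CCMP_PSK
    return header + fixed + ies


# Constructed capture: an authorized AP, an open twin on another channel, a neighbor
SAMPLE = [
    build_beacon(bytes.fromhex("001122334401"), "CorpWiFi", 6),
    build_beacon(bytes.fromhex("a1b2c3d4e5f6"), "CorpWiFi", 11, privacy=False, rsn=False),
    build_beacon(bytes.fromhex("deadbeef0001"), "CoffeeShop", 1, privacy=False, rsn=False),
]

if __name__ == "__main__":
    for bssid, hits in scan(SAMPLE).items():
        print(bssid, "->", "; ".join(hits))
```

A twin that copies the BSSID as well would pass the first check; the security check still catches it when it is run open, and a production WIPS would also compare channel and signal fingerprint.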

The evil twin is conceptually similar to an Ethernet man-in-the-middle attack (in which attackers insert themselves between two machines to eavesdrop) using ARP poisoning. In this type of attack, the attacker corrupts the victim’s Address Resolution Protocol (ARP) cache with the wrong MAC address, thereby diverting the victim’s traffic to his or her own machine. Creating an evil twin is, of course, easier to do, as there is no need to gain physical access to a switch. Everything can be done over the air.

Address Resolution Protocol

ARP is essentially a list-creating service used to see what devices are on the network. Think of it as a roll call of sorts. It’s used when one device tries to locate another. ARP essentially calls out to ask, “Where is address xxx.xxx.xxx.xxx?” Devices whose address does not match do not reply. This enables the original client to determine where the device whose address does match exists on the network. This information is kept in an ARP table, which is a local address book. The problem with ARP is that it does not verify the response. That means once a hacker is on a network, he or she can answer any ARP request, fooling the requester and “poisoning” the resulting ARP table. Traffic intended for a real target can then be sent to a false one, enabling the hacker to view, copy, or modify the data.
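Because ARP never verifies a response, the defender's option is to verify it independently. The following is an added example, not code from the chapter: a small arpwatch-style monitor that learns an IP-to-MAC table only from replies that answer a request actually seen on the wire, and flags a reply that changes a learned mapping or that nobody asked for. The packets are constructed for illustration.

```python
"""ARP poisoning monitor (added example, not code from the chapter)."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes


@dataclass(frozen=True)
class ArpPacket:
    t: float           # capture time in seconds
    opcode: int
    sender_ip: str
    sender_mac: str    # in a reply: "sender_ip is at sender_mac"
    target_ip: str     # in a request: the address being asked about


class ArpMonitor:
    def __init__(self, request_ttl=5.0):
        self.request_ttl = request_ttl  # how long a request "covers" a reply
        self.table = {}     # ip -> mac, learned from trusted replies only
        self.pending = {}   # ip asked about -> time of the last request
        self.alerts = []

    def observe(self, pkt):
        """Feed one ARP packet; return an alert tuple or None."""
        if pkt.opcode == ARP_REQUEST:
            self.pending[pkt.target_ip] = pkt.t
            return None
        if pkt.opcode != ARP_REPLY:
            return None
        mac = pkt.sender_mac.lower()
        asked_at = self.pending.get(pkt.sender_ip)
        solicited = asked_at is not None and pkt.t - asked_at <= self.request_ttl
        known = self.table.get(pkt.sender_ip)
        alert = None
        if known is not None and known != mac:
            # Someone now claims an IP we already resolved: the cache is being poisoned.
            alert = (pkt.t, "ip-mac-change", pkt.sender_ip, known, mac)
        elif not solicited:
            # A reply with no matching request; never learn from it.
            alert = (pkt.t, "unsolicited-reply", pkt.sender_ip, mac)
        elif known is None:
            self.table[pkt.sender_ip] = mac
        if alert is not None:
            self.alerts.append(alert)
        return alert


def scan(packets):
    """Run the monitor over a capture; return (alerts, learned table)."""
    mon = ArpMonitor()
    for pkt in sorted(packets, key=lambda p: p.t):
        mon.observe(pkt)
    return mon.alerts, mon.table


# Constructed capture: a client resolves its gateway; later an attacker replies
# claiming the gateway's IP, and also "answers" for an IP nobody asked about.
SAMPLE_CAPTURE = [
    ArpPacket(0.00, ARP_REQUEST, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpPacket(0.01, ARP_REPLY, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpPacket(30.0, ARP_REPLY, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
    ArpPacket(31.0, ARP_REPLY, "10.0.0.9", "de:ad:be:ef:00:01", "10.0.0.5"),
]

if __name__ == "__main__":
    alerts, table = scan(SAMPLE_CAPTURE)
    for a in alerts:
        print("ALERT", a)
    print("trusted table:", table)
```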

Evil twins are commonly used to divert traffic to phishing Web sites, where fake pages are constructed to steal login names and passwords. Evil twins are difficult to detect on a network because they are laptop-based and can quickly be shut down and relocated. However, there are ways to mitigate the risks presented by evil twins. The most effective is a basic awareness of these risks. It’s important to educate employees that not all access points can be trusted.

One of the most common indications that a user may be connected to an evil twin is if the user is unable to establish an HTTPS connection. A bank or Internet service provider’s (ISP’s) security certificate is unlikely to be out of date or out of order; chances are, if such a connection fails, it’s due to a problem with the access point. Another less obvious flag is if a location offers free Internet access. It’s true that many legitimate businesses do offer free Wi-Fi. But before you attempt to log on to an AP detected by your device while at a coffee shop, hotel, or other public place, it’s a good practice to ask an employee if that AP is in fact supported by the business. Given the choice of connecting to the Internet for free or for a fee, most people will choose the free offering. Naturally, hackers are aware of this.

In an office environment, techniques such as 802.1x Port-based Network Access Control (PNAC) can be used for robust mutual authentication. Similarly strong authentication protocols that require server certificates issued by trusted certification authorities should also be used.
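In an office, awareness can be backed by monitoring: the evil twin described above announces the organisation's ESSID from a radio the organisation never deployed, and the rarer MAC-cloning variant shows up as a known BSSID that suddenly offers no encryption or appears on a second channel. The following is an added example, not code from the chapter, and assumes a site survey has produced an allowlist of SSIDs, their BSSIDs and channels; the beacons are constructed.

```python
"""Evil twin detector for 802.11 beacons (added example, not from the chapter)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    t: float        # capture time in seconds
    ssid: str
    bssid: str
    channel: int
    privacy: bool   # True when the beacon advertises WEP or WPA/WPA2 (RSN)


# Constructed allowlist from the site survey: ssid -> {bssid: channel}
AUTHORIZED_APS = {
    "CorpNet": {"00:11:22:33:44:01": 6, "00:11:22:33:44:02": 11},
}


class EvilTwinMonitor:
    def __init__(self, authorized=AUTHORIZED_APS, window=2.0):
        self.authorized = {s: {b.lower(): c for b, c in aps.items()}
                           for s, aps in authorized.items()}
        self.window = window     # one radio cannot be on two channels this close together
        self.last_seen = {}      # bssid -> (t, channel)

    def check(self, b):
        """Classify one beacon; returns a reason string ('authorized' when clean)."""
        aps = self.authorized.get(b.ssid)
        if aps is None:
            return "foreign-ssid"          # a neighbour's network, not ours to police
        bssid = b.bssid.lower()
        if bssid not in aps:
            return "rogue-bssid"           # our SSID from a radio we never deployed
        if not b.privacy:
            return "security-downgrade"    # our BSSID, but clients would join unencrypted
        prev = self.last_seen.get(bssid)
        self.last_seen[bssid] = (b.t, b.channel)
        if prev is not None and prev[1] != b.channel and b.t - prev[0] <= self.window:
            return "bssid-on-two-channels"  # genuine AP and a clone both on air
        if b.channel != aps[bssid]:
            return "channel-mismatch"
        return "authorized"


def scan(beacons, authorized=AUTHORIZED_APS):
    """Return (t, reason, ssid, bssid) for every beacon that needs attention."""
    mon = EvilTwinMonitor(authorized)
    alerts = []
    for b in sorted(beacons, key=lambda x: x.t):
        reason = mon.check(b)
        if reason not in ("authorized", "foreign-ssid"):
            alerts.append((b.t, reason, b.ssid, b.bssid))
    return alerts


# Constructed capture: a genuine AP, a neighbour, a plain evil twin, a cloned
# BSSID on another channel, and a cloned BSSID advertising an open network.
SAMPLE_BEACONS = [
    Beacon(0.0, "CorpNet", "00:11:22:33:44:01", 6, True),
    Beacon(0.1, "CoffeeShop", "66:77:88:99:aa:bb", 1, False),
    Beacon(0.5, "CorpNet", "de:ad:be:ef:00:01", 6, False),
    Beacon(1.0, "CorpNet", "00:11:22:33:44:01", 1, True),
    Beacon(1.2, "CorpNet", "00:11:22:33:44:02", 11, False),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_BEACONS):
        print("ALERT", alert)
```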

Bluetooth Vulnerabilities and Threats

Bluetooth is a short-range RF communications protocol initially developed as a wireless replacement for the serial interface RS232, which was a popular short-range interface for computer peripherals. Bluetooth operates in the 2.4 GHz frequency spectrum. It uses Adaptive Frequency Hopping (AFH), a form of frequency-hopping spread spectrum (FHSS), to mitigate the effects of interference and frequency jamming or blocking. Bluetooth’s implementation of FHSS hops among 79 frequencies in a pseudorandom sequence, changing 1,600 times every second. By spreading the spectrum in this manner, many devices can share the same radio frequencies, because the frequencies are constantly changing and any clash will last only a fraction of a second.

Bluetooth is a low-cost, low-power radio interface used to connect personal wireless devices such as headphones, tablets, mobile music players, and smartphones. Bluetooth is heavily associated with the concept of the wireless personal area network (WPAN), as it enables wearable or mobile wireless devices to peer with each other to form ad hoc wireless networks. Bluetooth is used to connect peripherals to computers and is widely employed in business and home electronic consumer devices, which can be conveniently interconnected without the need for cables.

Bluetooth connects to up to eight devices in a piconet (a network created using a Bluetooth connection) but uses only 1 mW of signal. This low power usage conserves battery life but restricts range to around 10 m. However, because Bluetooth works in the 2.4 GHz frequency range, it does not require line of sight. That means the signal can pass between rooms.

An interesting feature of the Bluetooth protocol is how it discovers potential peers. Whenever a Bluetooth-enabled device comes near (within 10 meters or 32 feet) another Bluetooth device, they begin to communicate without any user initiation or intervention. During the communication, they check to see if they have information to share and negotiate a master/slave relationship. By forming this ad hoc piconet, the Bluetooth devices synchronize and frequency hop in unison. This automatic peering is great for plug-and-play connectivity within the home but has serious security implications in the wild.

The Bluetooth specifications allow for three levels of security:

  Authentication—This is done to verify the Bluetooth device address.

  Confidentiality—This mechanism prevents eavesdropping.

  Authorization—This ensures a device is authorized to use a service before being permitted to do so.

Bluetooth also supports four security modes, which define—or rather, initiate—security protection. Not all Bluetooth devices are capable of supporting the security features at any given level, however. The Bluetooth security modes are as follows:

  Security Mode 1—Devices that use this mode are designed and produced with no security features, making them vulnerable to attack.

  Security Mode 2—This mode determines whether authorization is required before a device can have access to certain resources.

  Security Mode 3—This mode requires that Bluetooth devices initiate security before the physical network connection can be established. In Security Mode 3, authentication and encryption are mandatory for all connections.

  Security Mode 4—This mode, introduced in Bluetooth version 2.1, is a service-level security mode that uses Secure Simple Pairing (SSP). SSP is a secure method of pairing or connecting Bluetooth devices.

Despite there being four modes, there are only two service security types:

  Trusted—A trusted device has full access to all services of another trusting device.

  Untrusted—Untrusted devices do not have an established relationship and therefore can reach only restricted services.

These distinctions enable Bluetooth devices to exchange data without asking permission.

With Bluetooth Security Modes 1 and 3, no service security trust model is applied. In contrast, with Bluetooth Security Mode 2, authentication, encryption, and authorization are required. For Security Mode 4, the Bluetooth specifications call out four separate levels of security:

  Service Level 3—This requires man-in-the-middle protection and encryption, and preferably user interaction.

  Service Level 2—This requires encryption only.

  Service Level 1—This does not require encryption; user interaction is not necessary.

  Service Level 0—This requires neither man-in-the-middle protection and encryption, nor user interaction.

Not all Bluetooth-enabled devices support these security levels. Some devices have a fixed setting, where the manufacturer of the Bluetooth device decides which level of security to apply. With some devices, such as headphones, this is understandable, since they are not exchanging data and are not deemed a security risk. However, early implementations of Bluetooth were set as Level 0 by default, purely for convenience reasons. That made them very vulnerable to attack. This led to a whole host of Bluetooth attacks, such as bluejacking, bluesnarfing, and bluebugging.

Bluejacking

Bluejacking came about through the misuse of a Bluetooth feature whereby a mobile phone could exchange a “business card” or messages with another phone in the vicinity. It soon became clear, however, that this was a fine opportunity for interruption marketing and advertising. Typically, a storekeeper in, say, a shopping mall would set up Bluetooth-enabled devices with high gain antennas to spam any Bluetooth-enabled devices passing by.

For this to work, the Bluetooth devices needed to peer before the messages could be communicated. This of course meant that the marketing was actually consent-based advertising, as the passerby (or, more specifically, the passerby’s device) had explicitly agreed to accept the message. The flaw was that the passerby didn’t know with whom his or her device was peering (that is, the “agreement” was the result of a default setting), nor did the passerby necessarily know what the message was until after the fact.

This worked initially because not everyone felt inconvenienced by these unsolicited messages. In Europe, where the first Bluetooth-enabled phones were sold, it became almost a fad, called toothing, in which young people sent flirtatious messages to each other over this wireless medium. Many were glad to receive these anonymous peering requests. Eventually, however, bluejacking came to be considered an intrusion. That’s because after the spammer’s initial message was accepted, his or her Bluetooth device ID was added to the trusted contacts. The spammer’s device was then able to send messages at any time (if within range). Initially, this was merely an annoyance. But as more and more stores adopted this form of advertising, it quickly became a real nuisance.

Bluesnarfing

Bluejacking was relatively benign. Indeed, it was even quite popular among some users. A variant that used the same basic exploitation wasn’t so friendly, however: bluesnarfing. Bluesnarfing is a technique whereby an attacker gains access to unauthorized information on a Bluetooth-enabled device such as a laptop or, more commonly, a mobile phone. In the case of a mobile phone, the attacker can then access the contacts, calendar, e-mails, and text messages. Where bluejacking was a harmless annoyance, bluesnarfing was actually data theft.

For bluesnarfing to work, the victim’s phone must have Bluetooth enabled and be in discoverable mode. In this mode, the phone advertises its Bluetooth ID and can be found by other Bluetooth devices also in the same mode. This makes mobile devices susceptible to both bluejacking and bluesnarfing. However, being in discoverable mode is not enough. The Bluetooth devices must also pair, which (per the standards) requires user intervention. In most cases, this means users must take explicit action to allow their mobile phone to pair with another unknown device. However, a bad combination of lack of awareness and greater convenience (that is, vendors shipping the phone set to security level 0 by default) allowed attackers to exploit users with bluesnarfing attacks.

Once the attacker initiates the bluesnarfing attack from his or her laptop, theft is quite simple. Bluesnarfing uses the same business-card exchange feature as bluejacking with one fundamental difference: Whereas bluejacking uses a software method called push to push out the message to the pair device, bluesnarfing uses a get request to pull in from the device. To use the get command, the attacker must know the file structure and directory names on the device. This should make things difficult, but unfortunately for users, the mobile telephone industry named these files and directories using standard nomenclature. For example, on all platforms, the phone book file was named telecom/pb.crf and the calendar file was named telecom/cal.crf. This made theft pretty easy.

In addition to their fixed file locations for the phone book, calendar, and other features, what made mobile phones so susceptible to this type of attack was the fact that they didn’t require authentication. In the early implementations of Bluetooth and its message push feature, especially on Nokia and Sony Ericsson mobile phones, convenience trumped security, and no authentication was required. In hindsight, this may seem like a major failure of security. Remember, however, that both mobile telephones and Bluetooth were new technologies, so convenience and ease of use were paramount design criteria.

Even as late as 2004, there was much debate with regard to whether Bluetooth was a secure protocol. Bluejacking and bluesnarfing had done little to dent its solid reputation. Many experts blamed misuse and a lack of user awareness for these security problems rather than security flaws inherent in Bluetooth’s protocols and the 802.15 standard. In 2004, Bluetooth version 2.0 was released. It addressed low data exchange rates, which made pairing laptops to mobile phones for Internet connectivity and data exchange a viable solution. It also made Bluetooth devices much more tempting targets for malicious attackers. Bluejacking and bluesnarfing were nothing compared to the attacks that were to follow.

Bluebugging

Bluebugging was a quantum leap in attack methodology from bluejacking and bluesnarfing. It didn’t just push or get data; it enabled an attacker to commandeer the entire handset. Bluebugging works by first gaining trusted device status, typically through the well-known business-card trick. If successful, the next stage is to establish a connection by tricking the victim’s phone into believing the attacker device to be a Bluetooth headset or some other innocent-looking peripheral. Once this is accomplished, the attacker can control just about every function of the phone via AT command codes, which are specific commands that enable various functions on the device, used by developers and service technicians. (AT stands for attention.)

With full control of the phone, attackers can listen in on conversations (hence the name bluebugging). They can also redirect calls and even make calls without the owner’s knowledge. Fortunately, the vulnerability that allowed bluebugging was addressed in later firmware upgrades, making it obsolete as an attack tool.

Is Bluetooth Vulnerable?

In 2008, the National Institute of Standards and Technology published the Guide to Bluetooth Security. It noted that Bluetooth has benefits but is susceptible to denial-of-service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation.

Like Wi-Fi, Bluetooth presents a trade-off between convenience and security. As such, it will always be vulnerable to the limitations of user education and to the risk awareness and risk aversion of the end user. Bluetooth vulnerabilities can be summarized in a few key points:

  Short PINs used during pairing—Capturing the key exchange as it happens is not easy or even likely without special equipment to force the devices to disconnect and then re-pair. Even so, choosing longer PINs (the access code that allows a connection to be made) makes it more difficult to crack the PINs quickly. This is therefore an advisable way to mitigate eavesdropping of the PIN exchange.

  Users pairing devices in public—An attacker must be able to eavesdrop on devices while they are pairing. Allowing pairing only while in the security and privacy of a home or office considerably mitigates risk. This requires manual intervention, however.

  User convenience—Bluetooth will always be vulnerable to users who decide convenience trumps security.

Disabling the Bluetooth feature when in public is the best way to mitigate the risk. A less drastic measure is to switch off discovery mode. The Bluetooth device will still operate, but its Bluetooth ID will remain hidden from other Bluetooth devices. An attacker would have to try to determine the target’s MAC address to make a connection, which, at 48 bits, is not something that can be done quickly—even with a packet analyzer.

Packet Analysis

Packet analysis is the practice of capturing and deciphering packets being transmitted across the air interface. There are several freely downloadable open-source packet analyzers. One of the most popular is a wireless knockoff of the Ethernet Wireshark called Airshark. (Airshark is not affiliated with the Wireshark tool.)

A packet analyzer works slightly differently in a wireless environment than on a wired network segment. On an Ethernet switch, for example, a probe—typically a cable plugged into the network interface card on a PC or laptop—captures only the packets on that port that are destined for that MAC address, plus all broadcasts for the entire segment. On its own, this isn’t of much use; the network card must support promiscuous mode. In this mode, the network interface card captures all traffic crossing the wire regardless of MAC address. Unfortunately, on a switched network this isn’t much of an improvement, as a switch is intelligent, sending data out only on the specific port associated with the destination MAC address.

To see all the traffic on an entire segment, a network administrator must enable port mirroring. With port mirroring, all traffic on the ports specified is replicated on the port where the mirroring function has been set up. This enables the administrator to see all traffic of interest across many ports on a single port. This feature requires both physical access to the port and administrative access to the switch configuration commands. Obviously, if a hacker has that level of access, wireless security is of little concern.

On a wireless network, all traffic is visible on the same frequencies and channels, making it easily intercepted and captured. All that is needed with Airshark is to run the software. The wireless network card, which enters promiscuous mode, will then capture all the packets it sees cross the airwaves, regardless of protocol or destination. This makes sniffing or eavesdropping on a wireless network far easier than it is on a wired segment, and it’s one of the reasons wireless networks are inherently less secure.

Wireless Networks and Information Theft

Wireless networks are susceptible to information theft because by their nature, they transmit to anyone who cares to listen. All that is necessary is an antenna and a receiver tuned to the correct frequency. A client station need only listen for an access point’s beacon before sending an authentication request and forming an association.

But that’s not the only way in which information can be stolen. An attacker can install a rogue access point or evil twin to steal user credentials. Attackers can also obtain this information via social engineering. In short, there are many ways an attacker can exploit the natural vulnerabilities of wireless communications to steal information.

For this reason, wireless networks were initially deemed insecure. Common consensus suggested that they be used only for network access at the perimeter of the network and behind the firewall. Network designers deployed wireless networks in zones built on security interfaces on the Internet perimeter firewall. This design ensured that the company’s wired network was behind a firewall and protected from the client stations on the wireless network. Designers considered this to be a secure and practical design, believing that wireless client stations should access only the Internet and the intranet, and not have access to secure areas of the network.

Times and business requirements have changed, however. What was a good design in the late 1990s no longer fit the purpose by the mid 2000s. Wireless user devices started to creep into the workplace in the form of laptops, Wi-Fi–enabled mobile phones, organizers, and BlackBerries, all of which were Internet-capable.

At the same time, there was a trend in application development toward Web service–based software. These applications resided on Web servers and used back-end databases for their dynamic content. Neither the applications nor their clients needed to install anything on a local computer, as they were accessible through a browser using HTTP. When PCs were only located in an office, this was not a big security risk. But with smartphones and tablets, which are easily lost and always connected, a great deal of corporate data could be placed at risk.

By 2010, laptops, smartphones, and tablets were common work tools in the office, and network designers had to cater for them. This meant an expansion of the wireless network into all areas of the workplace. Wi-Fi was now not only for guests; it was all pervasive, penetrating deep into the most secure areas of the network. This was not without serious repercussions with regard to data security and information theft, however. Protected corporate data “walks” outside the building every day, with almost every employee.

Information theft has become a real problem since the acceptance of mobile devices within secure networks. Authorized users now download and store information on mobile devices that leave the company premises. An authorized user downloading information onto a mobile device negates all the controls and security techniques enforced within the network. To compound this problem, the device may or may not be authorized.

The advent of Mobile IP—which is the convergence of WPANs, WLANs, and wireless wide area networks (WWANs) into one coherent administrative entity—has enabled seamless roaming within and between networks. It also, however, has led to serious security threats with regard to information theft. There are simply no border checks between these autonomous wireless networks.

As an example of this vulnerability, consider this simple scenario: An authorized user (or more likely, someone using an authorized user’s credentials), seeking to steal information, accesses it from company databases and downloads it to a local drive. The application rarely checks to determine what device it is downloading to; it simply transfers the data to the requesting device, regardless of whether it is a PC, laptop, or smartphone.

High-Profile Cases of Information Theft

Information theft is a huge threat to modern networks. Even the most secure networks—or what should be the most secure—are at risk. As an example, consider the National Security Agency (NSA), which was caught short by information theft. In 2013, a NSA contractor named Edward Snowden downloaded thousands of documents from NSA data archives and leaked them to the international media. The loss of such vast amounts of confidential information was distressing and embarrassing not only for NSA officials (after all, they are the professional eavesdroppers and data thieves), but also for foreign governments, major telecom and tier-one Internet service providers, and security software and equipment vendors around the world.

The fact that the NSA was vulnerable to such a low-tech attack, and that no alarms or flags were raised when thousands of classified documents were downloaded by a single entity, is almost beyond belief. However, the NSA was not the first (nor will it be the last) to fall prey to information theft by a low-level contractor or employee. During the Iraq war, Army Specialist Bradley Manning (now known as Chelsea Manning) downloaded hundreds of thousands of secret communications between U.S. embassies around the world. The subsequent release of these documents on the Internet, after they were uploaded via satellite to WikiLeaks, created a huge embarrassment for the U.S. government, especially the State Department. Ironically, WikiLeaks itself would eventually cry foul when the hoard of documents was discovered to be freely available for download on BitTorrent. WikiLeaks blamed its media partners for the breach and the subsequent release of the encryption key.

What you can learn from this is that a malicious insider can easily breach networks at even the most security-conscious organization. This brings us back to the issue of the skilled attacker versus the unskilled attacker. These devastating breaches are preventable through the use of policies and rights management tools, neither of which is cutting-edge technology.

After the user has downloaded the information, he or she can then circumvent all internal security measures by connecting to a mobile (cellular) network provider and uploading the data from the laptop or smartphone with no border checks whatsoever. The person can then delete the data on the local device, secure in the knowledge that the information he or she wanted is now resting happily in a Dropbox folder or some other cloud-based information storage depository. The bottom line? It’s crucial to protect the network from intruders and to keep information private and safe from theft.

Malicious Data Insertion on Wireless Networks

Information theft is an obvious threat to any network. Even with Bluetooth devices, it can be a problem. Stealing digital information is not quite the same as stealing a physical object, however. It does not restrict, curtail, or prevent the rightful owner from accessing the information. That is, the data thieves don’t remove the information; they simply copy it. Although this is a crime, the original asset is left intact.

What may be of more concern on some occasions is when attackers modify data in some way for their own gain. For example, a student might change his or her grade by modifying database fields in a school’s system. Or an attacker with a criminal record might attempt to corrupt or delete police files. Here, the intention is not to steal, but to modify information to benefit the attacker.

Wireless networks are particularly vulnerable to this type of activity, sometimes called malicious data injection. This is because these networks transmit 802.11 frames across an open-air interface. Using a packet analyzer such as Wireshark, an attacker can capture and replay these 802.11 frames. That means an attacker can intercept packets between another client station on the same segment and a network server and inject a compromised payload. This works because by default, 802.11 encrypts only the payload, leaving the MAC address and other headers in cleartext. Capturing a conversation stream using a packet analyzer is easy, and by doing so, the attacker can analyze, modify, and then replay it at his or her convenience. In effect, an attacker injects a genuine frame with a compromised payload back into the network.

If the network does not use encryption, then inserting malicious data on a wireless network is a trivial task. Using a packet analyzer, the attacker can read the contents of the payload in cleartext and modify them as desired. For example, if a student wanted to modify his or her grade, that student could eavesdrop on sessions until he or she discovered a client station conversation with a server requesting a database field update. By capturing that conversation, the attacker could analyze and tailor the request to identify the results database, his or her name, and the grades field. The attacker could then inject the reconstructed frame as part of a replayed conversation.

Without encryption, data insertion and manipulation is not just feasible, but very easy for a reasonably skilled hacker to do. To make the task a bit harder, you can encrypt the network. One option is WEP, but it’s easy to crack with the right tools. WPA2 is the better choice. Using strong encryption will prevent all but the most determined professional attacker. Without the keys, the attacker cannot decrypt the payload, analyze the conversation, or modify it.

Some attackers may be more interested in being a nuisance by modifying and injecting control messages, which have no payload and are therefore still in cleartext. This is more a denial of service attack than a data insertion, even though it uses the same methodology.

Denial of Service Attacks

Wireless networks are particularly vulnerable to denial of service (DoS) attacks because they operate on a half-duplex collision-detection medium. Only one radio client station can talk at a time, including the access point. Devices listen for traffic before transmitting, and if there is something else transmitting, they will wait. Therefore, if a faulty transmitter is constantly transmitting, no other client station will be able to communicate.

If a DoS is unintended, a packet analyzer such as Wireshark is a great tool for quickly identifying the culprit and resolving the problem. Identifying the failing transmitter is especially easy if it resides on your own network. If the failing transmitter is on a neighboring network, it might be easy to detect but not so easy to resolve. Interference can also result in an unintentional DoS. Resolving a DoS that is the result of neighboring sources of interference can be very problematic. This is because the spectrum is unlicensed. There is no one to adjudicate in disputes; everybody has equal rights to the frequency spectrum.

Unfortunately, not all DoS scenarios are accidental. Some are the result of an attacker’s deliberate handiwork. DoS attacks are the weapon of choice for the less skilled, the less imaginative, and the just plain malicious.

On wireless networks, DoS attacks can be categorized into several groups. These include the following:

  Application Layer attacks—These attacks are common on both wired and wireless networks. In Application Layer attacks, the idea is to overwhelm the application server to prevent it from handling requests. This is typically accomplished by sending thousands of requests per second, such as HTTP GET requests. For example, the Mydoom worm issued 64 requests per second. When thousands of infected systems issued them at once, they quickly overwhelmed both the server and the network capacity.

  Transport Layer attacks—The goal of a Transport Layer attack is to consume the finite number of Transmission Control Protocol (TCP) sockets available on the connecting device, be it a server or a firewall. Called a TCP SYN flood attack, this attack sends the synchronization (SYN) packet in the first part of the TCP handshake but leaves the connection open by never sending the acknowledgment (ACK) packet.

  Network Layer attacks—In a Network Layer attack, large amounts of data are sent to the wireless network. This floods the bandwidth capacity and overwhelms the target device so it is unable to respond quickly enough to reduce the deluge of traffic. An example of this type of attack is the basic Internet Control Message Protocol (ICMP) echo request flood. ICMP is a protocol used by network devices to send error messages. If performed in conjunction with other hosts, this can bring down servers and consume bandwidth, denying other hosts service. Many firewalls block ICMP packets to prevent this type of attack, and many intrusion prevention systems can dynamically change firewall rules to block ICMP packets when they detect an attack.

  Media Access Control Layer attacks—A DoS unique to wireless networks is the authenticate/associate request flood. When a client wants to join a wireless network, it sends an authenticate request followed by an associate request to the access point. In most networks, this is a trivial affair. However, if an attacker spoofs the MAC address and sends continual authenticate and associate requests, the target access point has no way of telling whether they are legitimate, so it attempts to process them anyway. This, like the Transport Layer attack, consumes all the access point’s memory and exhausts its processing capabilities, as it cannot complete the half-open processes. Another technique attackers may use is the deauthenticate/disassociate flood attack, which forces clients to disassociate and then try to reauthenticate and associate. If done in sufficient numbers, this also consumes the resources of the access point and exhausts the capacity of the network.

  Physical Layer attacks—These are attacks against the frequency spectrum used by the wireless network. An attacker can simply cause enough interference using high-gain antennas to create an unacceptable level of background noise. This affects the signal-to-noise ratio, thereby degrading communications.
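The Media Access Control Layer attacks above are what a wireless intrusion detection system looks for by counting management frames in a short window. The following is an added example, not code from the chapter: it keys the count on the target BSSID rather than the sender (an authenticate/associate flood usually comes from spoofed, ever-changing source MACs) and reports how many distinct senders took part. The thresholds and the capture are constructed.

```python
"""Management-frame flood detector (added example, not from the chapter)."""
from collections import defaultdict, deque

# Management frame subtypes from the 802.11 standard
ASSOC_REQ, DISASSOC, AUTH, DEAUTH = 0x0, 0xA, 0xB, 0xC

KIND_OF = {
    AUTH: "auth-assoc-flood", ASSOC_REQ: "auth-assoc-flood",
    DEAUTH: "deauth-disassoc-flood", DISASSOC: "deauth-disassoc-flood",
}


class MgmtFloodDetector:
    def __init__(self, window=1.0, thresholds=None):
        self.window = window                       # sliding window in seconds
        self.thresholds = thresholds or {"auth-assoc-flood": 20,
                                         "deauth-disassoc-flood": 10}
        self.recent = defaultdict(deque)           # (kind, bssid) -> deque of (t, src)
        self.alerted = set()

    def observe(self, t, subtype, src, bssid):
        """Feed one management frame; return an alert tuple or None."""
        kind = KIND_OF.get(subtype)
        if kind is None:
            return None                            # beacons, probes etc. are not counted
        key = (kind, bssid.lower())
        q = self.recent[key]
        q.append((t, src.lower()))
        while q and t - q[0][0] > self.window:
            q.popleft()                            # drop frames that left the window
        if len(q) >= self.thresholds[kind] and key not in self.alerted:
            self.alerted.add(key)                  # alert once per burst, not per frame
            senders = len({s for _, s in q})
            return (t, kind, key[1], len(q), senders)
        return None


def scan(frames, **kw):
    """Run the detector over (t, subtype, src, bssid) tuples; return the alerts."""
    det = MgmtFloodDetector(**kw)
    alerts = []
    for frame in sorted(frames):
        alert = det.observe(*frame)
        if alert is not None:
            alerts.append(alert)
    return alerts


def constructed_capture():
    """Toy capture: one normal join, then an authenticate flood from 25
    spoofed MACs in half a second, then a deauth burst below the threshold."""
    bssid = "00:11:22:33:44:01"
    frames = [(0.0, AUTH, "aa:aa:aa:aa:aa:05", bssid),
              (0.05, ASSOC_REQ, "aa:aa:aa:aa:aa:05", bssid)]
    for i in range(25):
        frames.append((10.0 + i * 0.02, AUTH, f"02:00:00:00:00:{i:02x}", bssid))
    for i in range(5):
        frames.append((20.0 + i * 0.1, DEAUTH, bssid, bssid))
    return frames


if __name__ == "__main__":
    for alert in scan(constructed_capture()):
        print("ALERT", alert)
```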

Peer-to-Peer Hacking over Ad Hoc Networks

Wireless networks configured using the 802.11 standard take two forms:

  Infrastructure networks—These require a central access point to serve as the hub of all access and communications. Client stations must communicate with each other via the access point. The same is true for communication beyond the access point via the distribution medium.

  Ad hoc networks—With ad hoc networking, peer-to-peer relationships are formed directly between client stations to form informal networks.

Ad hoc networks are typically used to connect peripherals to devices—for example, a printer to a laptop. However, they can also be used to temporarily connect laptops to create an impromptu network—for example, during a presentation or a workshop. Some users also use mobile devices to set up hotspots that let other mobile devices connect directly to the corporate network; such a hotspot is an ad hoc rogue access point. Ad hoc client stations peer with each other to form the network using the same frequencies and channels as the infrastructure network. It is therefore important that they do not clash with or cause interference to the infrastructure network, the main wireless network, by using the same channel.

Ad hoc networks have a few performance and security issues. First, they frequently cause interference and degradation of service to both the ad hoc and corporate networks. Second, they have no way of authenticating clients, so any 802.11 device configured in ad hoc mode can connect to any other ad hoc station to form a network.

This is another case of convenience trumping security. The idea was for ad hoc networks to offer a quick and simple way to interface peripherals and devices. The term ad hoc, meaning “for this,” signifies that the network is a solution to a particular problem, and is not intended to be adapted for other purposes. Therefore, the 802.11 standards deemed that authentication was not required.

Some IT departments have attempted to ban the use of ad hoc networks. However, it is a common sight to see management use ad hoc networks to peer with partners and clients in meetings to share documents and slides. As a result, the use of ad hoc networks continues, despite IT’s best efforts to eradicate them from the workplace. This is a problem of user awareness and a lack of understanding regarding the potential for unauthorized access and control. The coming wave of near field communication (NFC) applications will put further pressure on IT security teams, as many devices are expected to have this technology available in the near future (and some already do). It’s a good bet that hackers will learn to exploit this technology ahead of the general population’s understanding of the risks.

When an Attacker Gains Unauthorized Control

As you have seen with ad hoc networks, it’s possible for an attacker to gain unauthorized access to and control of an 802.11 network simply because device authentication is not robust. You can secure access points from unauthorized authentication and association by using WEP and WPA (for casual “free” access) or the more robust WPA2. WEP and WPA can be cracked with off-the-shelf tools and should never be used if WPA2 is available. However, WPA2 is not the answer for hotel or café hotspots. In these cases, device authentication and association must take place at Layer 1 and Layer 2, and user authentication must follow at the Network or Application Layer, driven by Web browser username/password challenges.

In a business environment, you generally will not wish to advertise the presence of your WLAN. One way to achieve this is to not advertise the SSID in the beacon. This practice, called network cloaking, is not terribly effective, but it will defeat most casual attacks. Not broadcasting the SSID effectively prevents casual snoopers from identifying the SSID of the network. However, it will not deter a more determined attack, because when an authorized device configured to join the network actively probes for the access point, it sends probe requests that contain the SSID. If the attacker uses a tool such as Kismet, which listens for all client station requests and access point responses, he or she will be able to correlate the request from a station with the response from an access point. When the client station joins the network, it inadvertently reveals the SSID to the attacker. In addition, the access point response contains the SSID and the BSSID, which is usually the access point’s MAC address.

In the end, network cloaking is not a good way to secure or even obfuscate a network. That’s because preventing the access point from advertising the SSID in its beacons causes every client device to probe for it. On a very busy network segment with many different networks—for example, in a condominium complex—the network may remain hidden. But even then, a determined attacker will eventually match client probes to access point responses, and that will reveal all that he or she needs. That being said, it should be stressed that network cloaking and using an encryption key such as WPA or WPA2 may not be business-class security, but they are much better than an open network.

CHAPTER SUMMARY

This chapter discussed the inherent vulnerabilities of wireless networking and how data thieves and hackers exploit these vulnerabilities. The very nature of radio-based communication makes this medium vulnerable. As such, it’s often the “way in” to networks when the goal is more than petty theft or eavesdropping.

It’s not just the vulnerabilities of wireless networks that put them at risk, however. The inherent vulnerabilities of the people who use them are also factors. These vulnerabilities include a lack of training and a lack of awareness, both of which hackers may take advantage of. After all, it’s easier to have someone give you a key than it is to pick a lock.

The good news is that many—perhaps even most—of these vulnerabilities can be mitigated if not eliminated through a combination of sound policy, best practices, and employee training and education.

KEY CONCEPTS AND TERMS

Advanced persistent threats (APTs)

ARP poisoning

AT command codes

Bluebugging

Bluejacking

Bluesnarfing

Bluetooth

Evil twin

Hypertext Transfer Protocol Secure (HTTPS)

Internet Control Message Protocol (ICMP)

Man-in-the-middle attack

Masquerading

Network cloaking

Piconet

Port mirroring

Replay attack

Secure Simple Pairing (SSP)

Social engineering

Wireless personal area network (WPAN)

CHAPTER 6 ASSESSMENT

1. Unskilled attackers are not a threat and can be disregarded.

A. True

B. False

2. An organization can greatly reduce risk by doing which of the following?

A. Educating employees

B. Deploying simple best practices

C. Adopting least-privilege policies

D. All of the above

3. Unauthorized wireless access is often a means of access for sophisticated attacks.

A. True

B. False

4. Why does social engineering tend to work?

A. People are dumb.

B. Hackers know mind-control techniques.

C. Hackers know how to take advantage of human behaviors and tendencies.

D. Security is weak.

5. Which of the following describes the act of wardriving?

A. Mounting a battering ram on your car

B. Searching for unsecured wireless networks while driving around

C. Jamming other people’s wireless networks

D. Taking over someone else’s Bluetooth connection

6. Wardrivers look for which of the following vulnerabilities?

A. The use of default administrative usernames and passwords

B. No or weak encryption

C. The use of default SSID settings

D. All of the above

7. Which of the following describes an evil twin?

A. A version of a rogue AP in which the device masquerades as a legitimate access point

B. A social engineering scam

C. A Bluetooth hack that takes over another device

D. A peer-to-peer hack

8. Most Bluetooth vulnerabilities are based on how they connect, or peer, with each other, and can be mitigated by disabling connectivity while out of the office.

A. True

B. False

9. Why is packet analysis particularly problematic on wireless networks?

A. You can “listen” to traffic without a physical connection.

B. Unlike wired networks, you don’t need port mirroring to see all the traffic.

C. Packets can be modified and reinserted without authentication.

D. It can be used to initiate a local denial of service attack.

E. All of the above

10. Wireless-based DoS attacks only happen at Layer 1.

A. True

B. False
