Wireless Security
Technical Point-of-View
W
ireless network (Wi-Fi) is now widely established and utilized at home, offices and
everywhere in public areas such as rail
stations, streets, and etc. This newsletter
provides the technical knowledge of Wi-Fi technologies, relevant threats and countermeasures for
building a secure internal Wi-Fi network.
For the end user best practices of using Wi-Fi, please
refer to another newsletter entitled “Wireless Network, Best Practices for General User”.
Wireless Technologies
Classification of Networks
Technological advancement in wireless communications has led to the worldwide proliferation of networks. The various kinds of network technologies
developed can be classified into the following categories according to their range of coverage:
Wireless Wide Area Network (WWAN)
ments. Internal Wi-Fi within the office area can be
regarded as WLAN.
Wireless Personal Area Network (WPAN)
WPAN has the least coverage among all. It is usually
adopted for devices which perform Bluetooth or
Near Field Communication (NFC) functions. In Hong
Kong, NFC-enabled devices like Octopus Card, is
commonly used as a convenient form of electronic
payment for public transport, retail shops and other
services. In Hong Kong, most banks issue credit
cards with a small chip implant to improve the payment processing time and its security level.
Wi-Fi Type
Authentication
Encryption
Good for
WAN
Good for
WLAN
WEP
WPA
(PSK)
WPA
(PSK)
WPA
(Full)
WPA2
(Full)
none
PSK
WEP
TKIP
X
X
X
BEST
PSK
AES-CCMP
X
BEST
802.1x
TKIP
BETTER
GOOD
802.1x
AES-CCMP
BEST
GOOD
MAN (Metropolitan Area Network) covers across the
entire city and WMAN provides the Wi-Fi network
similar to MAN. WiMAX and Wireless MAN are both
examples of this kind.
Wireless Local Area Network (WLAN)
WLAN is an 802.11i wireless network that facilitates
the access of corporate environment. It is optimal
for low range access with high bandwidth require-
(Expensive)
Table 1
Summary of Wi-Fi Network Algorithm & Recommendation
WWAN offers the largest coverage. Voice and data
can be transferred between mobile phones via messaging apps, web pages and video conferencing. In
order to secure the transfer, encryption and authentication methods are adopted. Examples of WWAN
are 4G, 3G and 2G networks.
Wireless Metropolitan Area Network (WMAN)
(Expensive)
Figure 1
WWAN, WMAN, WLAN and WPAN
The following introduces the technologies and characteristics of wireless network.
WEP
Wired Equivalent Privacy (WEP)1 is a wireless security algorithm introduced as part of the 802.11
standard in September 1999. It used the recognizable key of 10 or 26 hexadecimal digits, and frequently used in router configuration.
Page 1
New Spear Phishing Attack Bypasses Two Factor
Authentication5
By clicking on the “forgot
password” link and requesting the verification
code, the attacker prompts
the email provider to send
an SMS message with the
code to the victim’s mobile
phone.
To get the code, the attacker then sends the victim a separate SMS message saying something like,
“Google has detected unusual activity on your account. Please respond with
the code sent to your mobile device to stop unauthorized activity.”
The victim replies with the
code, and the attacker
gains access to the victim’s
email account.
As Grzonkowski notes, after resetting the account
password, the attacker
could send the victim an
SMS stating, “Thank you
for verifying your Google
account. Your temporary
password is [TEMPORARY
PASSWORD.”
Figure 2 – Authentication Flow of WEP2
Illustration above shows the flow of WEP
authentication. If a non-root bridge tries
to access the client device without authorization, the WEP will automatically
reject the connection.
WEP encryption uses RC4 as a stream
cipher, this serves the purpose of “IV”
which is transmitted as plain text to
avoid any repetition. However, a 24-bit
IV is not long enough to ensure nonrepetition – there is still a 50% chance
that the same IV will appear after 5,000
packets.2
Meanwhile, tools such as Aircrack,
AirSnort, WEPCrack and DWEPutils
which can be easily obtained from the
Internet are capable of cracking WEP key
in less than a minute. Indeed, there is a
serious security weakness of RC4 adoption.
In summary, it is insecure to use WEP to
access wireless network3.
WPA & WPA2
As there are obvious
flaws in WEP, another wireless security
algorithm, Wi-Fi Protected Access (WPA),
was introduced in
2003 by Wi-Fi Alliance4. WPA was the
interim security solution while 802.11i
was then still under development. WPA
adopts a pre-shared key (PSK), known as
WPA-Personal and the Temporal Key
Integrity Protocol (TKIP) for encryption
which is different from WPA-Personal.
WPA Enterprise uses keys or certificates
generated by an authentication server.
Within a year’s time WPA had an upgraded version called WPA2. This new
version allows full 802.11i standard ratification. The major enhancement for
WPA2 is the application of Advanced Encryption Standard (AES) for encryption.
WPA2 is relatively secure – even the US
government encrypts its highly confidential documents with this wireless security protocol.
Wireless Threats
Despite the benefits brought by wireless
network technology, its derivative potential threats towards the network security should not be underestimated.
Different types of attack outlined in the
following paragraphs and tables (Hacker
methodologies and tools6) can be categorised as Active Attack and Passive Attack.
The former includes DoS, Masquerade,
Replay and Message Modification while
the latter one includes Eavesdropping
and Traffic Analysis.
Authentication Attacks
The main objective of Authentication
Attacks is to steal the user’s identification and credentials for the sake of accessing the private network and its services. A list of types, methodologies and
tools is captured in Table 2 for a quick
reference.
Type
Guessing the
shared key
PSK Crack
Logon Theft
Methodologies and Tools
WEP cracking tools
coWPAtty, genpmk, KisMAC,
wpa_crack
Ace Password Sniffer, Dsniff,
PHoss, WinSniffer
Page 2
Wi-Fi
Freeloading: Now
a Crime in U.K.7
A British man has been
fined and given a suspended prison sentence for
connecting to a stranger’s
WiFi access point without
permission, according to a
BBC story. There is no indication that he did anything improper while connected; all he did was to
park his car in front of a
stranger’s house and connect his laptop to the
stranger’s open WiFi network. He was convicted of
“dishonestly obtaining an
electronic
communications service”.
Active Directory Login
Theft
VPN Login
Theft
John the Ripper, L0phtCrack,
Cain
Ike_scan and ike_crack (IPsec), anger and THC-pptpbruter (PPTP)
Capture Tools
802.1X
ID
Theft
Guessing the Password Dictionary
802.1X
Password
802.1X LEAP Anwrap,
Asleap,
THCCracking
LEAPcracker
802.1X EAP File2air, libradiate
Downgrade
Table 2 – Authentication Attacks
Type
Methodologies and Tools
War Diving
Airmon-ng, DStumbler,
KisMAC, MacStumbler,
NetStumbler, Wellenreiter,
WiFiFoFum
Rogue Access
Any hardware and software
Points
Access Point
Ad Hoc Associ- Any wireless card or USB
ations
adapter
MAC Spoofing
MacChanger, SirMACsAlot,
SMAC, Wellenreiter, wicontrol
802.1X RADIPacket capture tool on LAN or
US Cracking
network path between AP
and RADIUS server
Table 4 – Access Control Attacks
Availability Attacks
Confidentiality Attacks
Denying wireless services access to legitimate users can result in Availability Attack.
Attacks that attempt to intercept sensitive information sent over wireless network, whether in the clear text, encrypted by 802.11 or higher layer protocols, is
called Confidentiality Attacks.
Type
AP Theft
Queensland
DoS
Methodologies and Tools
“Five finger discount”
An adapter that supports CW
Tx mode, with a low-level
utility to invoke continuous
transmit
FakeAP
802.11 Beacon
Flood
802.11 Associ- FATA-Jack, Macfld
ate / Authenticate Flood
802.11 TKIP
File2air, wnet dinject, LORMIC Exploit
CON
802.11 DeauAireplay, Airforge, MDK,
thenticate
void11, commercial WIPS
Flood
802.1X EAPQACafe, File2air, libradiate
Start Flood
802.1X EAPSame as above
Failure
802.1X EAP-of- Same as above
Death
802.1X EAp
Same as above
Length Attacks
Table 3 – Availability Attacks
Access Control Attacks
Bypass wireless access control measures
like AP MAC filter and 802.1X port access
control is the main objective of Access
Control Attack.
Type
Methodologies and Tools
Eavesdropping
WEP Key
Cracking
Evil Twin AP
AP Phishing
bsd-airtools, Ettercap, Kismet,
Wireshark, commercial analyzers
Aircrack-ng, airoway,
AirSnort, chopchop,
dwepcrack, WepAttack,
WepDecrypt, WepLab, wesside
cqureAP, D-Link G200, HermesAP, Rogue Squadron,
WifiBSD
Airpwn, Airsnart, Hotspotter,
Karma, RGlueAP
Dsniff, Ettercap-NG, sshmitm
Man in the
middle
Table 5 – Confidentiality Attacks
Integrity Attacks
By adopting Integrity Attacks, fake information or data is sent to mislead recipient for the purpose of financial theft.
Type
Methodologies and Tools
802.11
Frame
Injection
Airpwn, File2air, libradiate,
void11, WEPWedgie, wnet
dinject/reinject
Capture + Injection Tools
802.11
Replay
Data
Page 3
Wireless network
vulnerability
assessment checklist.8
1 – Discover Nearby Wireless Devices
2 – Investigate Rogue Devices
3 – Test Owned Access
Points
4 – Test Owned Stations
5 – Test Owned WLAN Infrastructure
6 – Apply Test Results
Still having no idea for
how to perform the assessment? Check with the
security consultants for
more advisory and service.
802.1X EAP Replay
Wireless Capture + Injection
Tools between station and
AP
802.1X RADIUS Ethernet Capture + Injection
replay
Tools between AP and authentication server
Table 6 – Integrity Attacks
Dip Deeper into Attacks
Here are the illustrations that explain the
three common attacks at Wi-Fi network:
Evil Twin Attacks, Wireless Sniffing
and Peer-to-Peer Connection.
Evil Twin Attacks – Hackers disguised
as legitimate user employ rogue Wi-Fi
access point (AP) to eavesdrop communications. The process is similar to that
of Phishing Scam (Figure 3). The steps to
create an Evil Twin Access Point10 easily
available from the Internet.
Figure 5 – Peer-to-Peer Connection Attack
Internal Wi-Fi Infrastructure
TJX Hacker Gets
20 Years in Prison9
Hacker Albert Gonzalez
was sentenced to 20 years
in prison in 2010 for leading a gang of cyber thieves
who stole more than 90
million credit and debit
card numbers from TJX
and other retailers.
The string of hacks began
in 2005 when Gonzalez
and accomplices conducted war-driving expeditions
along a Miami highway
and other locations in
search of poorly protected
wireless networks, and
found easy access into several retailer networks.
Peer-to-Peer Connection Attack –
When all laptops configure wireless
cards as ad-hoc mode and are connected
together to form a network, attacker can
connect to this network by adopting the
same configuration, and consequently
gain access to sensitive data (Figure 5).
Security Best Practices to Implement an Internal Wi-Fi Infrastructure
Figure 3 – Evil Twin Attack flow
Wireless Sniffing – Unlike Evil Twin,
attacker does not need to set up the
rogue AP but simply deploy a sniffer tool
to intercept data transmission via Wi-Fi
network (Figure 4). It is difficult for victim to detect such attack unless network
monitoring tool is deployed.
After learning the possible security
threats of Wi-Fi, the following security
measures are highly recommended for
the planning, implementation and operation of an internal Wi-Fi within a University environment:
Network WIPS Deployment – Deployment of Wireless Intrusion Prevention
System (WIPS)11 can monitor radio spectrum for any existing unauthorized AP
activities such as AP redirection, significant signal strength changes, AP spoofing
and soft APs. When suspected AP activities are identified, alert will be generated
and logged. Meanwhile, the high-risk
Figure 4 – Wireless Sniffing
Page 4
Hacked the public
Wi-Fi in 11
minutes by 7year-old child12
connection will be disabled immediately
and automatically.
usage, internal applications,
streaming, VoIP calls and etc.
To facilitate the deployment of WIPS,
three approaches can be considered depending on budget and scale.
Just two days after an investigation had revealed
how much personal information public Wi-Fi networks could ‘suck’ from
phones, a child showed
how easy the hotspots are
to hack.
The first approach involves the installation of the lower-end AP which performs
two roles: provide Wi-Fi connectivity
and simultaneously do periodic scan for
rogue APs. However, it is not very effective.
Previous Wi-Fi routers carried traditional QoS; however, this required strong
technical knowledge and experience to
configure the settings. Now the latest
router models provide a user-friendly
way of implementing QoS: Intelligent
QoS. It helps to prioritize the bandwidth
in four categories such as voice, video,
applications and background activities
(internal printing jobs, file downloads
and other traffic).
A seven-year-old broke
into a Wi-Fi hotspot in just
10 minutes and 54 seconds
after watching an online
video tutorial.
The ethical hacking demo
was carried out under the
supervision of an online
security expert to highlight just how vulnerable
the networks are.
Security and QoS
Unite15
Until recently, quality-ofservice and network security technologies lived in
separate worlds. But they
have something important
in common. Certain types
of attacks on network security affect application
performance -- and ensuring application performance is the main mission
of QoS.
By Joanie Wexler
The second approach which is known as
integrated WIPS, requires installing the
sensor together with the AP for rogue AP
scanning and seems to be more effective.
The final approach is called WIPS overlay, it can be implemented by the installation of sensors throughout the whole
building; scanning result will be forwarded to the centralized Wi-Fi management server for further analysis, action and log archiving purposes. This approach is the most expensive one among
the three as hardware implementation is
required, but it is also the most effective
one 13.
Access Control Attack and Confidentiality
Attack can be addressed by implementing such solution.
Wireless Bandwidth Management –
The best way for individual user with
comparatively low risk to seek higher
security protection is to use Quality of
Service (QoS)14 technique. QoS covers
the aspects of network bandwidth, latency, jitter and reliability.
One of the key functions of QoS is inserting control over demanding bandwidth
usage like BitTorrent, online games, HD
movies or else. For business sector, QoS
helps to control access right and balance
videos
Implementation of QoS together with
traditional IDS/IPS system enhances the
level of network security, prevents attack from unexpected and suspicious
behaviours which is bandwidth demanding.
Implementing wireless bandwidth management can prevent Availability Attack.
Network Segregation – Not only can
Network segregation minimise the risk
of sensitive data leakage and unauthorized access of the network, it can also
reduce the possibility of single point of
failure when the network is comprised.
For secure internal Wi-Fi planning and
implementation, the following tips are
worth considering:
Multi-level Network Controls – The more
layers of network segments are added,
the more difficult for cybercriminals to
tap into the network. If the existing network infrastructure restricts such
change, consider implementing isolation
for the newly built internal Wi-Fi or
networks that planned to be built, and
revamp the whole infrastructure by
phases if necessary.
Whitelist or Hybrid Approach – Instead of
blocking or allowing certain types of
Page 5
Wardriving
Burglars Hacked
Business Wi-Fi
Networks16
network access, define both whitelist or
blacklist respectively for acceptable or
unacceptable traffic that are already
known. Continuous audit and review of
these listing should be performed annually or by ad hoc.
Three men were indicted
last week by a federal
grand jury for hacking at
least 13 Seattle-area businesses' wireless networks
to steal sensitive information, as well as burglarizing the premises of at
least 41 businesses.
Least Privileged Access Control – Even
though service vendors request to access
the network (including Wi-Fi) for
maintenance or project-wise tasks, the
mandatory access control should be in
place and access log should be properly
configured and securely stored for review for the sake of security incident investigation.
One of the affected businesses was Concur Technologies. According to a
breach notification sent to
the New Hampshire Attorney General's Office in December 2010, a November
2010 break-in to the
premises of the business
resulted in the theft of
computer equipment containing unencrypted data
on 1,017 employees, including their names, addresses, dates of birth, and
social security numbers.
This security control can block Integrity
Attack proactively and effectively.
"Any company worth its
salt should have realized
that using WEP is about as
much use to secure you as
cotton or wool. It's not going stop anything," said
Graham Cluley, senior
technology consultant at
Sophos, in an interview.
"With PCI, for instance,
they said that companies
should stop using WEP,
years ago. You need more
sensible, hardened encryption, if you're going to
have wireless communications."
Mandatory Access Control – Mechanism like MAC Addresses Registration of
pre-approved university devices and
self-registration of MAC Address from
service vendors’ devices should be
properly updated, defined and operated.
Regular review and audit for MAC addresses access log should be performed
to avoid rogue school devices MAC connection, an issue arising from “Bring
Your Own Device (BYOD)”.
For guests’ devices, Guest Wi-Fi at DMZ
can be configured separately at another
VLAN for the purpose of Internet connection; MAC addresses control to deny
any school devices connection to this
Guest Wi-Fi has to be configured as well.
The latest Wi-Fi encryption protocol,
WPA2 with AES mentioned earlier in this
newsletter, is strong enough for network
encryption, but regular technology review and update are certainly needed.
By applying this practice, Integrity and
Access Control Attacks can be avoided.
Virtual Private Network (VPN) – Some
overseas Universities provide free VPN
connection for their staff and student to
access the Intranet externally17. VPN
service can secure data transmission and
it is not complex to configure and use.
University should consider applying this
service if there are frequent academic
activities held outside campus.
Conclusion
The landscape of IT security threat
changes rapidly. It is prudent for University management and technical staff to
keep abreast of the threats and implement controls to eventually cope with
these challenges.
When planning, building and operating
an internal Wi-Fi infrastructure, it is important to understand the risk implications and apply the security best practices as described in this newsletter. It is
also the university’s responsibility to
maintain the confidentiality, integrity
and availability of information security.
By adopting this security measure, Access Control Attack can be blocked effectively.
Network Encryption Technique –
When using Wi-Fi network, strong encryption protocol should be adopted at
all APs.
Figure 6 - Pocket Wi-Fi is a popular portable device
that provides Internet connection anywhere anytime. The university should pay attention to potential data leakage risk if it is used inside the campus.
Page 6
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
“Wired Equivalent Privacy” Wikipedia, WEB, 19 June 2015
“Configuring Authentication Types” Cisco, WEB, 19 June 2015
“Attacks on the WEP protocol – Erik Tews, Page 81” 15 December 2007, PDF, 19 June 2015
“Wi-Fi Alliance Home Page” WEB, 19 June 2015
“New Spear Phishing Attack Bypasses Two Factor Authentication” 22 June 2015, WEB, 6 July 2015
“A list of wireless network attacks” WEB, 23 June 2015
“Freedom to Tinker” 1 AUG 2005. WEB, 23 June 2015
“A wireless network vulnerability assessment checklist – TechTarget” WEB, 23 June 2015
“TJX Hacker Gets 20 Years in Prison” 25 MAR 2010. WEB, 23 June 2015
“How To Create An Evil Twin Access Point (with WPA/WPA2 Capture) – YouTube” WEB, 23 June 2015
“Wireless intrusion prevention system – Wikipedia” WEB, 24 June 2015
“Hacking Wi-Fi is child’s play! 7-year-old shows how easy it is to break into a public network in less than 11 MINUTES
– MailOnline” 21 JAN 2015 WEB, 24 June 2015
“Motorola AirDefense Services Platform” PDF, 3 July 2015
“What is QoS? – Microsoft” WEB, 24 June 2015
“Security and QoS Unite” 19 JAN 2014 WEB, 6 July 2015
“Wardriving Burglars Hacked Business Wi-Fi Networks” 23 SEPT 2011. WEB, 23 June 2015
“Accès vpnssl : Documentation” WEB, 6 July 2015
Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright
and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in
any manner, without the prior written consent of the copyright holder, is a violation of copyright law.
A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals
must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others,
whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright
holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this
document are listed below:
copyright@jucc.edu.hk
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong
Page 7