How Do Wireless Network Attacks Work

In order to defend a wireless network against attack, you need to understand how wireless network attacks actually work.  In this article we walk through the common ones.  While there are several known attacks against wireless networks, most can be avoided simply by using strong security protocols and configuring access points correctly.

Disassociation Attacks

This attack removes a wireless client from a wireless network by forging the frame a client sends when it wants to leave.

In a normal situation:  After a wireless client authenticates with a wireless AP, the two devices exchange association frames and the client becomes associated with the AP.   When the client wants to terminate the wireless connection, it sends a disassociation frame, which carries the client's MAC address, to the AP.  When the AP receives the disassociation frame, it tears down the association and frees the state it kept for the connection.

In an attack:  The attacker sends a disassociation frame to the AP with the source address spoofed to the victim's MAC address.  802.11 management frames carry no authentication by default, so the AP accepts the frame and shuts down the connection.  The victim is now disconnected from the AP and must go through authentication and association again to reconnect.  Repeating the frame continuously produces a denial of service, and the forced reconnections also give an attacker fresh WPA/WPA2 handshakes to capture.  Protected Management Frames (802.11w) make the AP discard unprotected disassociation and deauthentication frames and are the standard defense.
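The frame the attack forges is a plain 802.11 management frame, so it is easy both to build and to spot.  The following is an added example (not code from the original article): it decodes the 24-byte MAC header and reason code of disassociation/deauthentication frames, then flags any source address that emits more than a handful of them in one second, which is how a wireless IDS distinguishes a client politely leaving from a spoofed flood.  The MAC addresses, timestamps and the constructed capture are hypothetical; real tools also spoof the AP's address toward the client, and because the detector keys on the source address it catches that direction too.

```python
import struct
from collections import defaultdict

# IEEE 802.11 frame control: type 0 = management; subtypes 0xA and 0xC are
# disassociation and deauthentication. Both carry a 2-byte reason code.
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
MAC_HDR = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1-3, seq control


def build_frame(subtype, dst, src, bssid, reason, seq):
    """Build a minimal disassociation/deauthentication frame (constructed test
    data). MAC addresses are hex strings without separators."""
    fc = TYPE_MGMT << 2 | subtype << 4          # protocol version 0 in the low bits
    hdr = MAC_HDR.pack(fc, 0x013A, bytes.fromhex(dst), bytes.fromhex(src),
                       bytes.fromhex(bssid), seq << 4)   # fragment number 0
    return hdr + struct.pack("<H", reason)


def parse_disconnect(frame):
    """Decode the MAC header; return the fields of a disassociation or
    deauthentication frame, or None for any other frame."""
    if len(frame) < MAC_HDR.size + 2:
        return None
    fc, _duration, a1, a2, a3, seqctl = MAC_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    (reason,) = struct.unpack_from("<H", frame, MAC_HDR.size)
    return {
        "kind": "disassoc" if subtype == SUBTYPE_DISASSOC else "deauth",
        "dst": a1.hex(":"), "src": a2.hex(":"), "bssid": a3.hex(":"),
        "seq": seqctl >> 4, "reason": reason,
    }


def detect_flood(capture, window_ms=1000, threshold=5):
    """Alert when one source address sends more than `threshold` disconnect
    frames inside any `window_ms` window. `capture` is (timestamp_ms, frame)."""
    recent = defaultdict(list)
    alerts = []
    for ts, raw in capture:
        p = parse_disconnect(raw)
        if p is None:
            continue
        buf = recent[p["src"]]
        buf.append(ts)
        while ts - buf[0] > window_ms:          # drop timestamps outside the window
            buf.pop(0)
        if len(buf) > threshold:
            alerts.append({"ts": ts, "src": p["src"], "kind": p["kind"], "count": len(buf)})
            buf.clear()                           # one alert per burst
    return alerts


# Constructed capture: one genuine disassociation from the client (reason 8 =
# station is leaving the BSS), then a burst of spoofed ones carrying the
# client's address. Both MACs are hypothetical.
CLIENT, AP = "001122334455", "aabbccddeeff"
LEGIT = build_frame(SUBTYPE_DISASSOC, AP, CLIENT, AP, reason=8, seq=1)
SAMPLE_CAPTURE = [(0, LEGIT)] + [
    (10_000 + i * 10, build_frame(SUBTYPE_DISASSOC, AP, CLIENT, AP, reason=8, seq=3000 + i))
    for i in range(20)
]

if __name__ == "__main__":
    print(parse_disconnect(LEGIT))
    for alert in detect_flood(SAMPLE_CAPTURE):
        print("ALERT", alert)
```

The single legitimate frame at the start never trips the detector; the twenty spoofed frames that arrive ten milliseconds apart produce an alert every sixth frame.  In a real deployment you would feed frames from a monitor-mode interface and tune the threshold to the size of the cell.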

WPS Attacks

WPS, which stands for "Wi-Fi Protected Setup", allows a device to join a wireless network by pressing a button on the AP or entering an eight-digit personal identification number (PIN) instead of the network passphrase.

WPS PIN authentication is susceptible to brute force.  The AP verifies the PIN in two halves, acknowledging the first four digits separately from the next three (the eighth digit is a checksum), so an attacker needs at most about 11,000 attempts instead of the 100 million an eight-digit PIN should require.  Once the PIN is discovered, the AP hands over the network passphrase, for both WPA and WPA2 networks, so you should disable WPS on all devices.  This is typically possible via the AP configuration page.   The screenshot below shows the WPS setting of an administrative interface.

(Screenshot: WPS setting on a home wireless router's administrative interface.)
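Why the split verification is fatal is easiest to see in code.  The following is an added example, not code from the original article: it implements the WPS PIN check-digit algorithm (the one used in hostapd's `wps_pin_checksum`), models a registrar that reveals separately whether each half of the PIN is right, and counts how many protocol transactions an attacker needs.  The registrar, its PIN and its passphrase are hypothetical.

```python
def wps_checksum(first7):
    """Check digit of a WPS PIN: a weighted sum over the first seven digits,
    taken right to left (the algorithm from the WPS specification)."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def make_pin(first7):
    """Seven digits plus the check digit, as printed on an AP's label."""
    return f"{first7:07d}{wps_checksum(first7)}"


class SplitVerifyingRegistrar:
    """Toy model of an AP's WPS registrar. A real registrar answers message M4
    with a NACK when the first PIN half is wrong and M6 with a NACK when the
    second half is wrong; only a fully correct PIN reaches M7, which carries
    the network credentials. PIN and passphrase are hypothetical."""

    def __init__(self, pin, passphrase):
        self.pin, self.passphrase = pin, passphrase
        self.transactions = 0

    def attempt(self, pin):
        self.transactions += 1
        if pin[:4] != self.pin[:4]:
            return "NACK@M4"
        if pin[4:] != self.pin[4:]:
            return "NACK@M6"
        return "M7:" + self.passphrase          # credentials handed over


def brute_force(registrar):
    """Use the two-stage oracle: at most 10**4 + 10**3 transactions instead
    of the 10**8 an all-or-nothing check would cost. Returns (pin, passphrase)."""
    first_half = None
    for p1 in range(10_000):
        # Any second half will do here; we only care whether M4 is NACKed.
        if registrar.attempt(f"{p1:04d}0000") != "NACK@M4":
            first_half = p1
            break
    if first_half is None:
        return None
    for p2 in range(1_000):
        pin = make_pin(first_half * 1000 + p2)   # checksum fixes the 8th digit
        reply = registrar.attempt(pin)
        if reply.startswith("M7:"):
            return pin, reply[3:]
    return None


if __name__ == "__main__":
    ap = SplitVerifyingRegistrar(make_pin(1234567), "hypothetical-psk")
    pin, psk = brute_force(ap)
    print(f"PIN {pin} -> passphrase {psk!r} after {ap.transactions} transactions")
```

Against the PIN 12345670 the attack completes in 1,803 transactions; the worst case is 11,000.  Some APs lock WPS for a period after repeated failures, which slows but does not stop the attack, so disabling WPS remains the fix.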

Rogue Access Points

A rogue access point is one placed on the network without official authorization.  It bypasses the network's security controls and leaves the network vulnerable in two ways:

  • Data Exfiltration:  The rogue AP is plugged into the wired network (wiring closets with poor physical security are a common spot) and acts as a sniffer, rebroadcasting the wired traffic it captures over the air so that the attacker can collect the pilfered data from a safe distance outside the building.
  • Unauthorized Connections:  The rogue AP gives the attacker a wireless path onto the wired network, just as a sanctioned AP does for authorized users, but without the sanctioned AP's authentication and access controls.

Upon discovery, an unauthorized AP should be isolated as quickly as possible.  Unplugging its Ethernet cable stops it from capturing traffic, but it can also destroy the evidence of how the AP got there in the first place; where possible, disable its switch port instead and preserve the device for examination.

Evil Twins:  An evil twin is a rogue access point that broadcasts the same SSID as a legitimate access point in a public place.  It is designed to get unsuspecting users to connect to it so that their traffic and credentials can be captured.

Evil twins are often deployed by configuring a laptop's wireless card as an AP, either in a coffee shop or at a location near an office.  You can find them with a site survey using a wireless scanner: compare every BSSID advertising your SSID against your AP inventory, then walk toward the strongest signal, since the signal gets stronger the closer you get to the AP.

Misconfigured Access Points:  One of the primary reasons that wireless attacks succeed is that access points are misconfigured.  Two of the most common cases:

  • If an AP is not using WPA2 with AES/CCMP, it is susceptible to a range of attacks, including the IV and replay attacks described below.
  • If WPS is enabled, a WPS attack can discover the PIN by brute force, which in turn reveals the passphrase.
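The site survey described above for evil twins is also where misconfigured APs show up, so both checks belong in one pass over the scan results.  The following is an added example, not code from the original article: it takes a constructed scanner table (the kind of output a tool such as airodump-ng prints) and an authorized-AP inventory, flags unknown BSSIDs that advertise a managed SSID as evil twins, flags authorized BSSIDs on an unexpected channel, and marks anything not running WPA2-CCMP or with WPS enabled.  Findings come back strongest signal first, which is the order to walk in when locating the device.  All SSIDs, BSSIDs, channels and signal levels are hypothetical.

```python
# Constructed site-survey output and the organisation's authorised AP
# inventory. Every SSID, BSSID, channel and signal value is hypothetical.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"ssid": "Corp-WiFi", "channel": 36},
    "aa:bb:cc:00:00:02": {"ssid": "Corp-WiFi", "channel": 44},
}

SURVEY = [
    {"bssid": "aa:bb:cc:00:00:01", "ssid": "Corp-WiFi",  "channel": 36, "signal": -48, "security": "WPA2-CCMP", "wps": False},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "Corp-WiFi",  "channel": 44, "signal": -61, "security": "WPA2-CCMP", "wps": False},
    # open AP advertising the corporate SSID from an unknown BSSID: evil twin
    {"bssid": "de:ad:be:ef:00:01", "ssid": "Corp-WiFi",  "channel": 6,  "signal": -35, "security": "OPEN",      "wps": False},
    # unknown AP running TKIP with WPS on: unsanctioned and misconfigured
    {"bssid": "12:34:56:78:9a:bc", "ssid": "Corp-Guest", "channel": 1,  "signal": -70, "security": "WPA2-TKIP", "wps": True},
    # same vendor prefix as the real APs but not in inventory: still an evil twin
    {"bssid": "aa:bb:cc:00:00:09", "ssid": "Corp-WiFi",  "channel": 36, "signal": -52, "security": "WPA2-CCMP", "wps": False},
]

STRONG = "WPA2-CCMP"


def classify(survey, authorized):
    """Compare each observed BSSID against the inventory and the expected
    configuration; return findings sorted strongest signal first."""
    managed_ssids = {ap["ssid"] for ap in authorized.values()}
    findings = []
    for ap in survey:
        issues = []
        known = authorized.get(ap["bssid"])
        if known is None:
            if ap["ssid"] in managed_ssids:
                issues.append("evil twin: managed SSID from an unknown BSSID")
            else:
                issues.append("unknown AP: not in inventory")
        elif known["channel"] != ap["channel"]:
            issues.append(f"authorised BSSID on unexpected channel {ap['channel']}")
        if ap["security"] != STRONG:
            issues.append(f"weak security: {ap['security']}")
        if ap["wps"]:
            issues.append("WPS enabled: PIN brute force exposes the passphrase")
        if issues:
            findings.append({"bssid": ap["bssid"], "ssid": ap["ssid"],
                             "signal": ap["signal"], "issues": issues})
    findings.sort(key=lambda f: f["signal"], reverse=True)   # closest device first
    return findings


if __name__ == "__main__":
    for f in classify(SURVEY, AUTHORIZED):
        print(f"{f['bssid']}  {f['ssid']:<10} {f['signal']} dBm  " + "; ".join(f["issues"]))
```

Matching on BSSID rather than SSID is the point: an evil twin copies the name, and a careful one copies the vendor prefix too, so only an inventory of the exact addresses you deployed tells the two apart.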

Wi-Fi Jamming Attacks

Jamming is a denial-of-service attack on a Wi-Fi network: the attacker transmits another radio signal on the frequency used by the wireless network, which interferes with legitimate transmissions, degrades performance and prevents users from connecting to the network.

Depending on the environment, you can mitigate the attack by:

  • Increasing the AP's transmit power, within regulatory limits, so that it drowns out the interfering signal.
  • Switching to a different wireless channel.  This works on home networks, but is less effective in work environments, because the attacker can switch channels too.

Initialization Vector Attacks

In cryptography, an initialization vector (IV) is a per-message input to a cryptographic primitive, meant to ensure that encrypting the same data twice under the same key produces different output.  WEP combines a 24-bit IV with the pre-shared key to form the RC4 key that encrypts data in transit, and sends the IV in the clear with every frame; a wireless IV attack uses those visible IVs to recover the pre-shared key.

The 24-bit IV space holds only about 16.7 million values, so on a busy network IVs are reused within hours, and two frames encrypted under the same IV share the same RC4 keystream: XORing their ciphertexts cancels the keystream and exposes the XOR of their plaintexts.  Worse, because the IV is prepended to the static key, each captured frame leaks statistical information about the key (the FMS and later PTW attacks).  Packet injection, replaying captured ARP requests so that the AP responds with a stream of freshly encrypted frames, collects the tens of thousands of IVs these attacks need in minutes instead of hours, which is why a WEP key can now be cracked in a very short time.
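The keystream-reuse half of the problem can be shown in a few dozen lines.  The following is an added example, not code from the original article: a pure-Python RC4, a WEP-style encryptor that seeds RC4 with IV || key (the integrity check value is omitted), a scan of a constructed capture for repeated IVs, and the known-plaintext recovery that a repeated IV allows.  The WEP key, IVs and packet contents are hypothetical; the "known" plaintext stands in for the predictable LLC/SNAP and ARP header bytes that real frames begin with.  The birthday-bound helper generalises the point to any IV width.

```python
import math


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation). WEP seeds it with IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || key) output.
    The CRC-32 ICV that real WEP appends is left out for brevity."""
    assert len(iv) == 3
    return iv + rc4(iv + key, plaintext)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def find_iv_reuse(capture):
    """Group captured frames by IV; any IV seen twice shares an RC4 keystream."""
    by_iv = {}
    for frame in capture:
        by_iv.setdefault(frame[:3], []).append(frame)
    return {iv: frames for iv, frames in by_iv.items() if len(frames) > 1}


def recover_plaintext(known_ct, known_pt, target_ct):
    """Same IV: keystream = C1 xor P1, so P2 = C2 xor keystream. Recovery is
    limited to the length of the known plaintext."""
    assert known_ct[:3] == target_ct[:3], "frames must share an IV"
    keystream = xor(known_ct[3:], known_pt)
    return xor(target_ct[3:], keystream)


def exploit_reuse(capture, known_pt):
    """For each reused IV, treat the first frame as the one with known plaintext
    (an assumption for this example) and recover the prefix of the second."""
    return {iv: recover_plaintext(pair[0], known_pt, pair[1])
            for iv, pair in find_iv_reuse(capture).items()}


def birthday_bound(bits):
    """Frames after which a random IV of this width has repeated with ~50%
    probability: sqrt(2 ln 2 * 2**bits). For WEP's 24 bits, about 4,800."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


# Constructed capture: a hypothetical 40-bit WEP key and three frames, two of
# which reuse IV 0x010203. KNOWN_PT mimics the fixed LLC/SNAP + ARP prefix.
WEP_KEY = bytes.fromhex("0badc0ffee")
IV_A = bytes.fromhex("010203")
IV_B = bytes.fromhex("0a0b0c")
KNOWN_PT = bytes.fromhex("aaaa030000000806") + b"\x00\x01\x08\x00\x06\x04\x00\x01"
SECRET_PT = b"GET /login?user=alice&pw=hunter2"
CAPTURE = [
    wep_encrypt(WEP_KEY, IV_A, KNOWN_PT),
    wep_encrypt(WEP_KEY, IV_B, b"unrelated traffic on another IV"),
    wep_encrypt(WEP_KEY, IV_A, SECRET_PT),
]

if __name__ == "__main__":
    for iv, recovered in exploit_reuse(CAPTURE, KNOWN_PT).items():
        print(f"IV {iv.hex()} reused; recovered prefix: {recovered!r}")
    print(f"50% chance of a repeated 24-bit IV after ~{birthday_bound(24):.0f} random frames")
```

Note that the attacker never learns the key here; the keystream alone decrypts the second frame as far as the known plaintext reaches.  The FMS/PTW key-recovery attacks mentioned above go further and are what cracking tools actually run, but they depend on the same property this example relies on: the IV is visible and the key behind it never changes.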

Near Field Communication Attacks

Near field communication (NFC) allows mobile devices to communicate with one another when they are within a few centimeters of each other.  An NFC attack uses an NFC reader to capture data from another NFC device:

  • Eavesdropping attack:  An attacker's NFC reader intercepts the data transferred between two other devices.
  • Malware attack:  A more advanced attack that uses Trojan malware to initiate a payment and an NFC reader to capture the payment data, which is then used in a live payment transaction.

Bluetooth Attacks

Bluetooth is a short-range wireless system used in personal area networks (PANs) to connect devices such as smartphones, headsets, and computers.

When first configured, a Bluetooth device is placed in discoverable mode, broadcasting its address so that other devices can see it and connect to it.  In early versions of Bluetooth, pairing in discoverable mode did not require the user to confirm it.  Current versions require the user to confirm the pairing, and the request otherwise fails.  Bluetooth was designed for a range of about 10 meters for common Class 2 devices, but it often reaches farther, and Bluetooth devices can be exploited in a number of ways:

  • Bluejacking:  Sending unsolicited messages to nearby Bluetooth devices.  It is confusing, but relatively harmless to the phone's owner.
  • Bluesnarfing:  Unauthorized access to, and theft of, information from a Bluetooth device.
  • Bluebugging:  The attacker takes control of the device and installs a backdoor.

Wireless Replay Attacks

A replay attack involves an attacker capturing data sent between two parties and later retransmitting it, possibly modified, to impersonate one of them.

  • WPA2 using CCMP with AES is not vulnerable to replay attacks: every frame carries a packet number that the receiver requires to increase, so a retransmitted frame is discarded.
  • WPA using TKIP is vulnerable.  Its 64-bit Michael Message Integrity Check (MIC), used to verify the integrity of packets, can be recovered by an attacker (the Beck-Tews attack), who can then forge, inject and decrypt packets and launch a replay attack.  This vulnerability is why TKIP was deprecated and should be avoided.
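Two checks stand between a captured frame and a successful replay: an integrity tag the attacker cannot forge, and a counter that rejects a frame the receiver has already seen.  The following is an added example, not code from the original article, that models both on a CCMP-like link: the MIC is an HMAC-SHA256 stand-in for the AES-CCM tag, the packet number mirrors CCMP's strictly increasing 48-bit counter, and a second receiver with the counter check switched off shows that a MIC alone does nothing against an exact replay.  The session key and frames are constructed for the example.

```python
import hashlib
import hmac

# Constructed session key shared by sender and receiver (hypothetical value).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MIC_LEN = 8


def mic(key, src, pn, payload):
    """Integrity tag over sender, packet number and payload. CCMP uses an
    AES-CCM MIC; HMAC-SHA256 truncated to 8 bytes stands in for it here."""
    msg = src.encode() + pn.to_bytes(6, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MIC_LEN]


def protect(key, src, pn, payload):
    """Sender side: attach the packet number and MIC (encryption not shown)."""
    return (src, pn, payload, mic(key, src, pn, payload))


class Receiver:
    """Receiver side. With enforce_replay=True it applies CCMP's rule that the
    packet number from a given sender must strictly increase."""

    def __init__(self, key, enforce_replay=True):
        self.key = key
        self.enforce_replay = enforce_replay
        self.last_pn = {}

    def accept(self, frame):
        src, pn, payload, tag = frame
        if not hmac.compare_digest(mic(self.key, src, pn, payload), tag):
            return "drop: bad MIC"
        if self.enforce_replay and pn <= self.last_pn.get(src, -1):
            return "drop: replay"
        self.last_pn[src] = pn
        return "accept"


def run_demo():
    """Three genuine frames, a replayed copy of the second, a tampered third,
    then the same replay against a receiver that checks only the MIC."""
    frames = [protect(KEY, "sta1", pn, b"payload-%d" % pn) for pn in (1, 2, 3)]
    strict = Receiver(KEY)
    results = [strict.accept(f) for f in frames]
    results.append(strict.accept(frames[1]))                       # exact replay
    src, pn, _payload, tag = frames[2]
    results.append(strict.accept((src, pn, b"payload-9", tag)))   # modified payload
    naive = Receiver(KEY, enforce_replay=False)
    results.append(naive.accept(frames[0]))
    results.append(naive.accept(frames[0]))                        # replay passes MIC check
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The strict receiver accepts the three genuine frames, rejects the replay on the counter and the tampered frame on the MIC; the naive receiver accepts the replayed frame a second time because its tag is still valid.  That is exactly why the integrity check and the counter must both hold, and why recovering the MIC key, as in the TKIP case, breaks the scheme.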

Radio-frequency Identification Attacks

(Image: sample RFID tags.)

Radio-frequency identification (RFID) systems use a reader and tags attached to objects to track and manage assets.  Passive tags have no power source of their own; their electronics harvest energy from the reader's radio field and use it to transmit the data stored on the tag, similar to the way a proximity card draws power from a proximity card reader to transmit its data.  RFID attack vectors include:

  • Denial-of-service attack:  If an attacker knows the frequency used by the RFID system, it's possible to launch a jamming or interference attack, flooding the frequency with noise and preventing the RFID system from operating normally.
  • Eavesdropping/sniffing:  If the frequency and protocol used by the RFID system are known, a tunable receiver set to that frequency can capture the data exchanged between tag and reader.
  • Replay:  A captured tag-to-reader exchange can be retransmitted to the reader to impersonate the tag.
