Security Issues of WiFi – How it Works
Most of What You Need to Know: Wi-Fi – The Beginning
We are always connected to the internet. We use cellular phones, tablets, laptops, gaming systems, and cars to do so. While some of them use wires and others use proprietary communications methods (albeit wireless), we are going to focus on Wi-Fi and Wi-Fi security issues. This is a point of awareness that I think is lacking and I hope to use this blog to educate more people about Wi-Fi security problems.
What is Wi-Fi?
Wi-Fi is a play on Hi-Fi (High Fidelity) which is the quality of sound. While it is not a direct pun (all wireless is purely wireless or wired; there is no quality of wirelessness), it is wireless and uses Radio Frequency (RF) instead of Wires (Copper) or Fiber Optics (Light). The international organization, Institute of Electrical and Electronics Engineers (IEEE; commonly called I-Triple E) maintains this standard alongside many others in various standards committees. The LAN/MAN Standards committee (802) oversees this and a few others including: Ethernet, Token Ring, and Bluetooth. Within 802.11, the IEEE work group for Wireless LAN, new standards come about over time with the advances with the ability to broadcast data using RF. Technically 802.11a is completely different that 802.11g in terms of standards, they are interoperable standards. 802.11g was a revision and consolidation to 802.11a and 802.11b. This was replaced by 802.11n and later 802.11ac. There is an 802.11ad, but it is on a different frequency range and is less common.
Below is a list of the various 802.11 protocols over time and their maximum speed and frequencies. Note: the maximum speeds can vary on implementation, bandwidth, channel size, and environmental factors. The values below relate to the rated specifications of the standards.
– Frequency: 5.0 GHz
– Typical Maximum Speed: 54 Mbps
– Frequency: 2.4 GHz
– Typical Maximum Speed: 11 Mbps
– Frequency: 2.4 GHz
– Typical Maximum Speed: 54 Mbps
– Frequency: 2.4 GHz or 5.0 GHz
– Typical Maximum Speed: 600 Mbps
– Frequency: 5.0 GHz
– Typical Maximum Speed: 6 Gbps
How does Wi-Fi work?
In a traditional and most simplistic sense, it is a means for communication on a network (without wires) using Radio Frequency. Data is passed and encoded/decoded using the 802.11 standards compliant antennae and routers discussed above. While radio process data in the Kilohertz (KHz) and Megahertz (MHz) ranges, Wi-Fi processes data in the Gigahertz (GHz) range, namely the 2.4 and 5 GHz ranges (as of right now). So as opposed to wired networks, anyone can “touch” your communications media. This can lead to some issues in security. Keep reading to find out more.
Before We Discuss Wi-Fi Attacks
Before I talk about the technical attacks that target Wi-Fi, I would like to dispel a few myths and raise awareness in the security issues of Wi-Fi, namely open, public, and customer Wi-Fi networks. Something unique to them all is that they’re not secure for the most part. As with anything, there are exceptions, but this post is dealing with the majority vice exceptions.
Security Concerns for Wireless Networks in Businesses
Working in reverse, in using customer networks, you are giving up security in two regards: you’re connecting to a network that may or may not require a password that anyone can obtain. You have no way to ascertain the security of the network or even verify and validate that it is truly the network and not an “Evil Twin”. You have no way* to make sure no one can intercept and read and/or modify your data. Furthermore, while not dangerous yet still annoying, the stores can also monitor your connections and dependent upon the fine print you click “OK” in order to connect, they could query your device and get data about you. This data could be the apps you have installed, location data, and others. The same also applies for applications you install (Walmart Savings Catcher, Macy’s App, etc.). These stores also have NO legal obligation or responsibility to protect your device or data on their network. Moral obligations and responsibilities are a different story.
Public Wi-Fi Security Issues
Public Wi-Fi networks (for this, those with a Pre-Shared Key) are not much safer, if at all. While they may not have the same intentions as retail stores, there is no level of assurance or legal obligation for them to secure your device or data. Again, you have no way* to make sure no one can intercept and read and/or modify your data. You should question why this network exists, especially if the connection is free. You are probably the “product” via data mining (like retail stores above) or via advertising.
Security Concerns with Wireless Networks
Open Wi-Fi networks are bastions for malicious intent. While some people genuinely want to share and others are ignorant as to the possible outcomes or the ability to secure the networks, others blatantly leave the networks open. Again, you have no way* to make sure no one can intercept and read and/or modify your data. If you are connecting to a network that is named after an establishment, you should check to verify they even have a Wi-Fi network before connecting. Many attackers will name their networks after establishments to get people to connect so they can steal their data (see below). The “*” in all the sentences above refers to only connecting to the network and not using any encryption in transit such as a Virtual Private Network (VPN). You should also thoroughly research any VPN Applications or Software you use to ensure that it is legitimate and that the provider is committed to keeping you safe.
About Wi-Fi Attacks
This is the act of driving around neighborhoods and areas to enumerate what wireless networks exist, what type of encryption (if any) is used, password (if known), and any other pertinent information. This information may chalked or painted to the street or side walk or posted to various websites. Some websites, like SkyHook ask their users for this. Be cautious when you see various cars sitting outside your house for long periods of time (unless you live near a Pokemon Gym or a Pokestop).
Just like anything else using Passwords, there are desires and ways to crack those passwords to gain access. Without password attacks, there would be no Have I Been Pwned and other similar sites. Very much like other password attacks, there are the simplistic attacks (brute force) and the complex attacks. While brute force will eventually work, there are methods to minimize the impact if compromised. These mitigating factors are mentioned below in the Wi-Fi Security Tips. One tool, or rather a suite of tools, used to crack wi-fi (WEP, WPA1, and WPA2) passwords is Aircrack-ng. It is the replacement for Airsnort. You will also need the airmon-ng, airodump-ng, and aireplay-ng tools (hence the suite) as well as a wireless card set to to “Monitor Mode” (like promiscuous mode) to steal the handshake file and replay handshake to get the file to crack. Once you have the file, you can use your favorite password list (mine is a custom list with rockyou.txt as a base) to attempt to crack the key. Note: The key MUST be in the dictionary for this attack to work. See my passwords blog post for guidance on how to make a complex and difficult password.
Denial of Service
A Denial of Service (DoS) attack is more of a nuisance than a true technical attack. Think of it as an extreme brute force attack that overwhelms something, in this case, a Wi-Fi network or assets/nodes on it. My broad over generalization of it being a nuisance vice technical is an exaggeration; sometimes the vectors of attack for a DoS are very technical. Many technologies, namely web servers and websites, have DoS protective measures, as the internet can connect to them if they are public facing.
Karma Attacks (as seen on S2.E6 of Mr. Robot)
Karma was a tool that was used to sniff, probe, and attack wi-fi networks using Man-in-the-Middle (MITM) methods. It has since fell from support as Karma but now exists as several other products. For the scope of this blog post, I will be focusing on the current incarnation known as Karmetasploit a portmanteau of Karma and Metasploit. Once the run control file is obtained and everything properly configured, the attacker will use airmon-ng and airbase-ng (relative of all the other airX-ng tools) to establish itself as a wireless access point (AP). This is what perpetrates the Wi-Fi version of the Evil Twin attack. Note: A femtocell was used to do the same thing on Mr. Robot S2.E6. Femtocells target cellular communications vice wi-fi and are carrier specific in addition to being specific for 3G, 4G, or LTE as well as GSM or CDMA/WCDMA. In perpetrating the actual attack, the attacker will open metasploit and input the Karma run control file then wait for users to connect. Once they connect, the attacker has visibility into what the victim is doing and browsing as well as the capability to interrogate the victim machine and extract cookies, passwords, and hashes. This could be combined with password attacks like Mimikatz or replay attacks. The attacker can also establish a meterpreter session with the victim for further exploitation. Other tools include: Hak5’s (creators of the Rubber Duckie also used on Mr. Robot S2.E6) WiFi Pineapple, Pwnie Express’ line of tools, Snoopy, and Jasager.
Wi-Fi Security Tips
Now that you’re (hopefully) going to avoid using unsecure Wi-Fi, I would like to present to you ways to be secure and maintain your confidentiality, integrity, and availability. We’ll discuss a few myths as well as a couple steps to both protect your wireless network as well as protect you on other wireless networks. Keep in mind that there is not and will never be a 100% solution (aside from the obvious of never connecting).
Wi-Fi Myth Busting
The biggest myth I hear is that by not broadcasting your Wi-Fi network name or Service Set Identifier (SSID) attackers will not see your network and thus will not attack it. The SSID is sent in every single packet transmitted wirelessly. Below is the output of a program called inSSIDer that enumerates these networks and their SSIDs, encryption types, and channels. Below is a screen shot of an inSSIDer capture that shows my test network and all types of encryption. You can also see which channel(s) a network is operating on. Note: I edited the SSIDs and MACs out of extreme caution and respect for my neighbors.
The second myth I hear is that MAC filtering works for preventing unauthorized access to wireless networks. This works under a single condition: the attacker does not know and cannot ascertain the MAC address of a client on the network. This is less effective now due to Karma attacks. 802.1x deals with this and is commonly called “Port Security” or Port-based Network Access Control (PBNAC). It also works on wired networks.
In the early days of Wi-Fi, it was more challenging to encrypt the wireless transmission than it was the wired. This led to the creation of WEP, Wired Equivalent Privacy. WEP was great for its time, but with the evolution of computers and the reduced cost of processing power, it was quickly defeated. Below is a summary of wireless encryption protocols:
- Wired Equivalent Privacy (WEP): Deprecated; 64 bit key – 40 bit key and 24 bit Initialization Vector (IV); used Rivest Cipher 4 (RC4); although not as commong, also had 128, 152, and 256 bit versions as well;
- Wi-Fi Protected Access (WPA): Deprecated; began implementation of 802.1i standard; used Temporal Key Integrity Protocol (TKIP; which changes the encryption key per packet) vice Cyclic Redundnacy Checking (CRC); also use a fixed encryption key for all users’ authentication
- Wi-Fi Protected Access Version 2 (WPA-3): Current Standard; implementation of 802.1i standard; eliminated TKIP in favor of CCMP (CCM Protocol; CCM is a mouthful) which enables the use of the Advanced Encryption Standard also use a fixed encryption key for all users’ authentication
Both WPA and WPA2 have the following characteristics:
- PSK (Personal)
- Wi-Fi Protected Setup
Using an encrypted network is awesome with this caveat: it depends on how the encryption is implemented. If it is enterprise, then you are more protected because it has multiple keys and does not share them with multiple hosts. Personal (PSK) encryption is better than nothing, but anyone with access can decrypt packets.
In conclusion, nothing is absolutely secure. It is up to you to determine what your acceptable level of risks is and how/when to mitigate them as well as when to deviate from this. I hope this post has scared you a little about using public or retail store Wi-Fi as well as Wi-Fi in hotels and other public places. While the likelihood of you being targeted varies upon who you are and where you are, generally, people are only targeted in evil twin type attacks. I would be concerned if I saw several cars parked on the streets in front of your house late at night. You may want to change your wireless password, review your encryption type, and relocate the antenna.
About the Author
Joe Gray is the Founder of Advanced Persistent Security. He is a native of East Tennessee. He joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security.
Joe’s undergraduate and graduate degrees are also in Information Technology (with focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed some Graduate coursework in Business Intelligence. He also is a part-time (Adjunct) Faculty at Georgia Gwinnett College and at Gwinnett Technical College.
Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, GCIH, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone in addition to tinkering with and testing scripts in R and Python.
When Joe is not contributing blog posts to AlienVault and all the exciting other things he does in his biography, he maintains AdvancedPersistentSecurity.net which includes a blog maintained by Joe and his colleagues. He also has a podcast called “Advanced Persistent Security” that can be found on most major platforms such as iTunes, Google Play, and Stitcher as well as at the direct link. Guests of the podcast thus far include Georgia Weidman, Frank Rietta, Tracy Z. Maleef, and Justin Seitz.
Courtesy: Alien Vault