Wireless security tutorial: Wireless intrusion detection systems and wireless attacks
Good network design can go a long way to preventing unauthorized access, affording an attacker the means by which to compromise the network and its resources. It is the responsibility of the wireless intrusion detection system (WIDS) to protect the network from any such attacks.
Wireless LAN (WLAN) attacks can occur at layer 1, the physical layer, or layer 2, the data link layer. Layer 1 attacks involve compromising the RF signal, the medium. Layer 2 attacks involve manipulating management and control frames used to control access to and operation of the network, respectively. In a wireless network, there are three types of frames: data, management, and control. The majority of attacks are directed against management frames. These frames are responsible for controlling authentication, association, and disassociation with the wireless network. Being as wireless management frames are not transmitted past layer 2 to the upper layers, a wired network intrusion detection system would not detect an intruder.
A WIDS, in its simplest form, is a software algorithm that monitors the network for intruders. In more sophisticated implementations, the WIDS is a separate sensor network that mirrors the coverage of the WLAN; some systems incorporate the WIDS sensors into the access points (APs) themselves. The WIDS accepts all incoming traffic on all channels and detects anomalies that would indicate illicit traffic. Detection of illicit traffic can be based upon known attack signatures, comparisons of device signatures to an approved device database, or traffic anomalies that differ from normal patterns of network behavior. In the former case, a rogue access point would be detected if its MAC address does not match the approved database; in the latter, a drastic increase in network traffic on the network could indicate an attempt to crack an encryption key.
The first and most common method of compromising a secure network is called "social engineering," otherwise known as "human hacking." The vast majority of networks are compromised using this method.
4 social engineering hack methods
Social engineering methods are simple.
- The most common method is sharing of passwords among "friends" because someone has either forgotten the password or wasn’t trusted with one. This happens all too often, particularly among rank-and-file employees.
- A disgruntled employee can create havoc by widely distributing confidential network keys.
- A lapse in security can occur when a discharged employee is not stripped of his or her credentials or the credentials are not changed after discharge.
- Another common method is a variation of confidence schemes; an employee gets a call from a "technician" from "IT" or "tech support" who needs to upgrade the employee’s computer and needs his or her password for remote access. This method is widely employed both in corporate and private settings and is a very common method for obtaining personal information from unsuspecting people in furtherance of identity theft.
A well-conceived security policy that includes education, monitoring, regularly changing passwords, and scrupulous maintenance of employee records and security credentials can virtually eliminate the threat posed by social engineering attacks.
A frequently implemented WLAN attack is called the "man-in-the-middle" attack, or MIM (or MITM). A MIM operates by using a rogue access point that masquerades as an authorized access point. By using bogus management frames, a mobile client is coerced into disassociation from a legitimate access point and then association with the rogue access point. This is usually accomplished by providing a stronger signal than the real AP, as clients will normally associate with an access point (AP) having the strongest signal or lowest signal-to-noise ratio (SNR). The rogue is bridged to the legitimate AP, and all traffic from the hijacked mobile client is intercepted by the rogue and captured. If properly executed, the attacker can get complete control of multiple clients’ network connections. Some methods of capturing data are to set up a phony captive web portal, which is a web page that asks for login credentials for the network. This is very common in public, unsecured hotspots. Incredible amounts of confidential data can be obtained in a very short time by using this method. A sophisticated attacker could also inject code into the data stream that will allow the attacker to exploit any device on the network.
Jamming, a federal crime
Another common method of attack is the denial of service (DoS) Attack. A DoS attack is one in which the availability of the network resources is denied to authorized users. This can happen as a result of unintentional interference being generated by common devices: microwave ovens, cordless phones, and Bluetooth. DoS can also be accomplished by intentionally interrupting the radio signal at the physical layer, layer 1, by introducing a jamming signal; this requires that an attacker be relatively close to the transmitter or receiver. Jamming devices are usually portable, low-power devices that emit a noise signal at the operating frequencies of the system. This will effectively render that channel unusable and cause all connected devices to disassociate or deauthenticate. Layer 1 attacks are typically used in MIM attacks to cause client devices to disassociate from legitimate APs. The jamming signal is then removed and client devices will re-associate to the AP with the best signal or lowest SNR. Jamming is a federal crime in all cases.
Traditional layer 2 (MAC Sub layer) DoS attacks involve overwhelming a particular device with an enormous amount of traffic or bogus management frames. A variant of this method, used by the Anonymous crew, is called the distributed DoS (DDoS) because it involves an enormous amount of traffic from multiple attackers in a coordinated manner. DoS attacks are difficult to prevent and guard against. DoS attacks can also take the form of packet injection, excessive web page requests, or search queries. The effect of these attacks is to cause the server or AP to become overwhelmed, become inoperative, or lock up, ceasing to provide the network service it was designed to provide. If this were an authentication server, for instance, even clients with valid credentials would render the network unreachable. DDoS attacks have been directed against web servers and networks serving commerce, creating much havoc and interrupting trade. Unintentional layer 2 DoS usually results from co-channel or adjacent channel interference from a nearby Wi-Fi AP.
Don’t assume it is secure
No security measure of any type is completely secure. There is always an element of risk, particularly when dealing with an unbounded medium like wireless. It should never be assumed that any wireless communication is secure when using a public Wi-Fi hotspot or a foreign access point. In fact, it is not unwise to assume that any wireless communication is completely secure or private. It is up to the client to ensure it is using the latest and strongest security methods. Currently, WPA2 is the strongest security available and will adequately protect the vast majority of users against common attacks. In a facility, access to the network can be completely controlled and protected if a good security policy is developed and strong physical protection systems are in place. Controlling access to the facility to exclude unauthorized people and to control access by authorized personnel is the first line of defense. In protecting a facility and its assets, more is better, and a layered approach is both manageable and effective.
Much of the credit for the development of modern encryption and access methods goes to the legion of researchers and hackers, both ethical and unethical. Without these people constantly testing security for vulnerabilities, clients would operate under a false belief that their communications are secure. The various testing methods started as "hacking" techniques developed by some very talented individuals.
700 billion guesses per day
Wired equivalent privacy (WEP) was thoroughly tested and eventually cracked. An effort was immediately commenced to find a stronger method of securing wireless communication-the future of the technology depended on it. In response to WEP being compromised, the temporal key integrity protocol (TKIP) was developed as an interim measure. TKIP can be cracked using the Beck-Tews Attack, which exploits vulnerabilities in the keystream generating process.
Stronger methods based on counter mode cipher block chaining message authentication code protocol (CCMP) were subsequently developed to provide very secure communication over wireless; however, even WPA2-PSK is vulnerable to brute force attacks, which use sophisticated algorithms to guess passwords. Also called a "dictionary" attack, some algorithms can generate 8 million password guesses per second, or about 700 billion guesses per day. While this may appear impressive, these attacks can be mostly thwarted by the use of longer and stronger passwords. Some basic guidelines for picking a strong password are to make your password a minimum of 10 characters and design it to allow you to type it accurately and, of course, to remember it. The password should never be divulged to anyone; the system security is immediately compromised if the password is shared.
Wireless security is constantly being tested for vulnerabilities. It is a fact that eventually the latest and greatest security methods will be compromised. It is the responsibility of system administrators to implement a solid security policy that supports and enhances physical- or software-based security solutions. Diligence in monitoring and intrusion detection is essential to maintaining a secure system. Finally, upgrading system software and equipment will allow a degree of "future-proofing" and pre-emptive defenses against sophisticated attacks.
Wireless security references
There are a number of very good references on the topics presented above. The Certified Wireless Security Professional certification program by the CWNP industry group is an excellent source of information covering practically all aspects of wireless security. COMPTIA also provides training and documentation on the many aspects of wireless security. A search of the Internet provides a veritable trove of white papers and tutorials on all aspects of security.
– Daniel E. Capano, owner and president, Diversified Technical Services Inc. of Stamford, Conn., is a certified wireless network administrator (CWNA). Edited by Chris Vavra, production editor, CFE Media, Control Engineering, firstname.lastname@example.org.
www.controleng.com/blogs has other wireless tutorials from Capano on the following topics:
Wireless security: Cryptology basics, fundamentals
Wireless security: Extensible authentication protocols
Wireless security: Port-based security, EAP, AKM
www.controleng.com/webcasts has wireless webcasts, some for PDH credit.
Control Engineering has a wireless page.