SHREE LEARNING ACADEMY

Wireless Attacks

Introduction

Wireless communication is a rapidly growing domain that spans a wide range of technologies for networking, connectivity, data exchange, and communication: thousands of wireless protocols, standards, and techniques are in use, across devices such as cell phones, Bluetooth-enabled devices, cordless phones, and wireless networking equipment. With wireless technology so prevalent, an organization's security measures must extend beyond merely securing its local wired network. Comprehensive security requires an end-to-end solution that covers all the types, approaches, and techniques of communication in use.

Wireless networking is now prevalent in both corporate and home networks, but effectively managing it to ensure dependable access and security can be a complex task. In this section, we will explore different wireless security concerns.

IV

The abbreviation IV stands for initialization vector, a cryptographic term for a value (ideally random, and in any case never reused with the same key) that is combined with the key so that encrypting the same data twice does not yield the same ciphertext. Most modern cryptographic functions employ IVs to limit predictability and repeatability. When an IV is too short, transmitted without protection, or poorly chosen, it becomes a vulnerability, and an IV attack is the act of exploiting such mishandling of the IV. The classic instance of an IV attack is the cracking of Wired Equivalent Privacy (WEP) encryption.

For wireless networking, 802.11 initially used WEP as its encryption method, which is built on the RC4 stream cipher. WEP's main weakness lies in its IV, due to errors in both design and implementation: the IV is transmitted in clear text, it is only 24 bits long, and it is simply prepended to the static shared key to seed RC4. A 24-bit IV space is exhausted, or repeated by chance, on a busy network within hours, and every repeated IV means a repeated RC4 keystream, which lets an attacker cancel the keystream out by XORing two ciphertexts; certain IV values also leak bits of the key through RC4's weak key scheduling. In addition, WEP does not verify the freshness of packets, so an attacker can capture and replay frames to make the network generate the traffic the attack needs. Together these flaws make a successful live WEP crack possible in less than a minute using tools such as Wesside-ng from the Aircrack-ng suite available at www.aircrack-ng.org.
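To make the IV reuse problem concrete, the following Python example (added here; it is not from the original page or from the Aircrack-ng project) models WEP's keystream construction: RC4 seeded with IV || shared key, with the IV sent in the clear. Two frames that reuse an IV share a keystream, so XORing their ciphertexts cancels the keystream, and one known plaintext reveals the other. The last function gives the birthday-bound estimate of how many frames pass before a 24-bit IV repeats. The shared key, IV and frame contents are constructed sample values, and the CRC-32 integrity check value and key-index byte of a real WEP frame are left out.

```python
from math import log, sqrt

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream for the given key (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || key) XOR data.
    (A real frame also carries a CRC-32 ICV and a key-index byte; omitted here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)

def recover_with_iv_reuse(frame_a: bytes, frame_b: bytes, known_plain_a: bytes):
    """If both frames carry the same IV they were encrypted with the same keystream,
    so knowing frame A's plaintext reveals frame B's plaintext (up to the shorter
    length). Returns None when the IVs differ and the trick does not apply."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    keystream = xor_bytes(ct_a, known_plain_a)     # C_a XOR P_a = keystream
    return xor_bytes(ct_b, keystream)              # C_b XOR keystream = P_b

def expected_frames_for_collision(iv_bits: int = 24, p: float = 0.5) -> float:
    """Birthday bound: frames sent before some IV repeats with probability p."""
    return sqrt(2 * (2 ** iv_bits) * log(1 / (1 - p)))

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x4b\x29\x7a"                   # constructed IV reused by the AP
    pa = b"GET /index.html HTTP/1.1\r\n"   # constructed known plaintext
    pb = b"password=hunter2&id=0007\r\n"   # constructed secret plaintext
    fa, fb = wep_encrypt(key, iv, pa), wep_encrypt(key, iv, pb)
    print(recover_with_iv_reuse(fa, fb, pa))
    print(round(expected_frames_for_collision()))
```

The birthday estimate (roughly 4,800 frames for a 50% chance of a repeat) is why IV collisions appear within minutes on a busy network even before the whole 24-bit space is used up; a real attacker gets the known plaintext from predictable headers such as the LLC/SNAP bytes at the start of every data frame.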

Evil twin

The term "Evil twin" refers to a type of cyber attack where an unauthorized individual creates a fake access point that mimics a legitimate access point. This false access point is designed to intercept a client device's request to connect, and then automatically replicate, or "twin," the identity of the legitimate access point. Whenever a device connects to a wireless network, it saves the details of the network in its history or wireless profile. The wireless profiles stored on a device are utilized to facilitate automatic reconnection to a network as soon as the device is within the coverage area of the associated base station. Whenever a wireless adapter is activated on a device, it endeavors to establish a connection with a network and sends out reconnection requests to all the networks listed in its wireless profile history.

As part of the reconnection process, the device sends out probe requests naming the SSIDs of its remembered networks (the legitimate base station's MAC address, or BSSID, is also stored in the profile). In an evil twin attack, the attacker's system listens for these probes, then answers with beacons and probe responses that copy the SSID (and often the BSSID) of the requested network and offers the client an unencrypted connection. The client accepts and associates with the fraudulent evil twin base station, which puts the attacker in a man-in-the-middle position and opens the way to session hijacking, data tampering, credential theft, and identity theft. The attack works because authentication and encryption are negotiated with the base station rather than strictly enforced by the client: even though the wireless profile records the network's security settings, a permissive client accepts whatever connection the base station offers, including an unencrypted one. Current operating systems generally refuse to auto-join a remembered WPA2 or WPA3 network from an open access point of the same name, so open hotspots and captive-portal networks are the easiest evil twin targets; against a protected network the attacker must also know the passphrase.

To protect against such attacks, be deliberate about the wireless networks your devices connect to. If a device connects to a network that should not be within range (your home or office SSID appearing at an airport, for example), that is a clear sign an attack may be underway: disconnect immediately and find another source of internet access. Regularly delete outdated or unnecessary wireless profiles, and turn off automatic connection for open networks, since every remembered network is another name an evil twin can answer to.

Rogue AP

One of the most frequent security issues found during a site survey is an unauthorized wireless access point (WAP). Such rogue WAPs may be installed by an employee for convenience or operated by an attacker. An employee-installed access point is easily plugged into an open network port, and it is typically configured with weak security or not in accordance with the organization's approved access point configuration. Identifying and removing rogue WAPs is crucial to prevent unregulated access to an otherwise secure network, and port-based network access control (802.1X) on wired ports, together with disabling unused ports, limits what a plugged-in rogue device can reach. Attackers also plant rogue access points in person, posing as repair technicians or food vendors or breaking in at night; once the device is installed, the attacker can reach the network from a short distance outside the building. External attackers can also set up rogue WAPs to target both existing wireless clients and new clients visiting the network.

To attack existing wireless clients, the rogue WAP is set up to duplicate the SSID, MAC address, and wireless channel of the legitimate WAP but transmits at higher power, so clients with a saved wireless profile see a stronger signal and may select, or prefer to stay on, the rogue WAP instead of the genuine one.

The second approach is geared towards attracting new wireless clients visiting the network. To accomplish this, the rogue WAP is configured with a social engineering tactic where the SSID is set to an alternate name that appears genuine or even more desirable than the legitimate wireless network's SSID. To illustrate, suppose the original SSID is "CityCafe." In that case, the SSID of the rogue WAP could be "CityCafe-2," "CityCafe-LTE," or "CityCafe-VIP." The MAC address and channel of the rogue WAP do not need to be identical to those of the original WAP.

To protect against rogue WAPs, know and recognize the correct, legitimate SSID: attackers set up rogue WAPs with alternate names that look like better options, tricking new visitors into connecting to the fake network instead of the genuine one. To detect and prevent rogue WAPs, an organization should run a wireless intrusion detection system (WIDS) that monitors the airwaves for signs of misuse, in particular newly appearing WAPs, those with cloned or similar SSID and MAC values, and a known BSSID that suddenly shows up on a different channel or with different security settings.
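The three rogue access point patterns described in the Evil twin and Rogue AP sections (an approved SSID advertised by an unknown BSSID, a cloned BSSID turning up on another channel or with different security, and a lookalike SSID such as "CityCafe-VIP") are exactly what a wireless IDS checks beacon frames for. The Python below is an added example, not code from the original page or from any WIDS product; it assumes the beacons have already been parsed from a monitor-mode capture into dictionaries, and the approved-network list and the sample observations are constructed.

```python
def lookalike_of(ssid, approved_ssids):
    """Return the approved SSID that `ssid` imitates (prefix or suffix variants such
    as 'CityCafe-VIP' for 'CityCafe'), or None if it resembles none of them."""
    s = ssid.lower()
    for approved in approved_ssids:
        a = approved.lower()
        if s != a and (s.startswith(a) or a.startswith(s)):
            return approved
    return None

def find_rogue_aps(beacons, approved):
    """beacons: observations parsed from beacon frames, dicts with bssid, ssid,
    channel and security. approved: {ssid: {"bssids": {...}, "security": "WPA2"}}.
    Returns (bssid, ssid, finding) tuples, one per BSSID/SSID pair."""
    by_bssid = {}
    for b in beacons:
        by_bssid.setdefault(b["bssid"].lower(), []).append(b)
    findings = []
    for bssid in sorted(by_bssid):
        obs = by_bssid[bssid]
        for ssid in sorted({o["ssid"] for o in obs}):
            mine = [o for o in obs if o["ssid"] == ssid]
            if ssid in approved:
                policy = approved[ssid]
                if bssid not in {m.lower() for m in policy["bssids"]}:
                    # our SSID from a BSSID we do not own: evil twin
                    findings.append((bssid, ssid, "evil_twin"))
                    continue
                channels = {o["channel"] for o in mine}
                securities = {o["security"] for o in mine}
                if len(channels) > 1 or securities != {policy["security"]}:
                    # our own BSSID seen on another channel or with other security
                    findings.append((bssid, ssid, "cloned_bssid"))
            else:
                target = lookalike_of(ssid, approved)
                if target:
                    findings.append((bssid, ssid, "lookalike_ssid:" + target))
    return findings

# Constructed sample survey (not from a real site): one legitimate AP, one evil
# twin, one clone of the legitimate BSSID, one lookalike name, one neighbour.
APPROVED = {"CityCafe": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2"}}
SAMPLE_BEACONS = [
    {"bssid": "00:11:22:33:44:55", "ssid": "CityCafe", "channel": 6, "security": "WPA2"},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "CityCafe", "channel": 6, "security": "OPEN"},
    {"bssid": "00:11:22:33:44:55", "ssid": "CityCafe", "channel": 11, "security": "OPEN"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CityCafe-VIP", "channel": 1, "security": "OPEN"},
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "Neighbor", "channel": 1, "security": "WPA2"},
]

if __name__ == "__main__":
    for finding in find_rogue_aps(SAMPLE_BEACONS, APPROVED):
        print(*finding)
```

A production WIDS would add signal-strength and sequence-number checks (a cloned BSSID usually comes with an RSSI and sequence counter that do not match the real radio), but the SSID, BSSID, channel and security comparisons above are the core of the detection.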

Jamming

Radio waves are utilized in wireless communication to transmit signals over a certain distance. Since the radio wave spectrum is limited, it must be properly managed to ensure multiple simultaneous connections with minimal interference. Frequency is a metric used to quantify the number of wave oscillations within a particular time interval, typically expressed in Hertz (Hz), or oscillations per second. This frequency measurement is used to distinguish and allocate the radio spectrum. Radio waves can be found within a frequency range spanning from 3 Hz to 300 GHz, and these frequencies have been assigned to different uses, such as AM and FM radio, VHF and UHF television, among others. At present, wireless products in commercial use commonly employ the frequencies of 900 MHz, 2.4 GHz, and 5 GHz since they are classified as unlicensed.

To manage the limited radio frequencies and enable multiple simultaneous connections, various spectrum-use techniques have been developed, including spread spectrum in general and its specific forms frequency hopping spread spectrum (FHSS), direct sequence spread spectrum (DSSS), and orthogonal frequency-division multiplexing (OFDM). Spread spectrum means communicating over a band of frequencies much wider than the data itself requires, rather than over a single narrow channel: a message is split into pieces that are carried on different frequencies, either at the same time (in parallel) or in rapid succession.

An early implementation of spread spectrum is frequency hopping spread spectrum (FHSS). Rather than transmitting in parallel, FHSS sends data serially while continuously switching the frequency in use: the whole range of available frequencies is used over time, but only one frequency at any given moment. The receiver must follow the same hopping pattern as the sender to pick up the signal. FHSS was designed to minimize interference, since a narrowband source of noise affects only the brief moments when a hop lands on it, instead of a single fixed frequency that could be blocked outright.

Direct sequence spread spectrum (DSSS) uses multiple frequencies simultaneously, in parallel, and so achieves a higher data throughput than FHSS. Each data bit is multiplied by a chipping code, a fixed sequence of shorter pulses (chips), which spreads the signal across a wide band; the receiver correlates what it hears against the same code and can reconstruct the data even when parts of the signal were distorted by interference. The effect is similar to how RAID 5 parity allows data on a missing drive to be recreated.

Orthogonal frequency-division multiplexing (OFDM) is a digital multicarrier modulation scheme that uses the available spectrum efficiently by packing data onto many closely spaced subcarriers. The subcarriers are orthogonal (mathematically "perpendicular") to one another, so they can overlap in frequency without interfering with each other. The result is higher data throughput from a narrower set of frequencies, or channel bands, than the older spread spectrum methods need.

Unintentional interference can occur by chance, while intentional interference is known as jamming. Jamming refers to the deliberate transmission of radio signals aimed at reducing the effective signal-to-noise ratio and preventing reliable communication.
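The chipping-code resilience described for DSSS above, and the reason a jammer must corrupt a large share of each symbol to break it, can be shown with the 11-chip Barker code that 802.11 DSSS uses at 1 and 2 Mbit/s. The Python below is an added example, not code from the original page; it models interference as sign flips of individual chips (a simplification of real RF noise, stated as such) and shows how many chips per symbol can be corrupted before the correlator's majority decision fails, together with the processing gain of the code.

```python
import math

# 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbit/s
BARKER11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]

def spread(bits, code=BARKER11):
    """Replace every data bit with the chipping code (bit 1) or its inverse (bit 0)."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in code)
    return chips

def despread(chips, code=BARKER11):
    """Correlate each symbol-sized chunk against the code; the sign of the
    correlation decides the bit, so a minority of corrupted chips is outvoted."""
    n = len(code)
    bits = []
    for i in range(0, len(chips), n):
        correlation = sum(x * c for x, c in zip(chips[i:i + n], code))
        bits.append(1 if correlation > 0 else 0)
    return bits

def jam(chips, flips_per_symbol, code_len=len(BARKER11)):
    """Simplified interference model (an assumption of this example): invert the
    first k chips of every symbol, as a burst of noise hitting part of each
    symbol would."""
    out = list(chips)
    for i in range(0, len(out), code_len):
        for j in range(min(flips_per_symbol, code_len)):
            out[i + j] = -out[i + j]
    return out

def max_tolerated_flips(code_len=len(BARKER11)):
    """Largest number of corrupted chips per symbol that still despreads correctly."""
    return (code_len - 1) // 2

def processing_gain_db(code_len=len(BARKER11)):
    """Spreading gain: how much the correlator raises the effective signal-to-noise
    ratio against noise that is not correlated with the code."""
    return 10 * math.log10(code_len)

if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample bits
    for k in range(8):
        ok = despread(jam(spread(data), k)) == data
        print(f"{k} corrupted chips per symbol -> {'recovered' if ok else 'lost'}")
    print(f"processing gain {processing_gain_db():.1f} dB")
```

Up to 5 of the 11 chips in every symbol can be inverted and the data still comes back intact; at 6 the majority flips and every bit is decoded wrong, which is the point at which a jammer has succeeded in driving the effective signal-to-noise ratio below what the spreading gain (about 10.4 dB for Barker-11) can make up for.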

To avoid or mitigate interference and jamming, begin by repositioning devices. Next, check whether other devices are using the same frequency or channel and, if there is a conflict, change the frequency or channel of the devices under your control. If you suspect a deliberate interference attack, try to locate the source by triangulation (comparing signal-strength readings taken from several positions) and take the necessary measures. If the source is outside your premises, contact law enforcement or the relevant spectrum regulator to deal with the problem.

WPS

Wi-Fi Protected Setup (WPS) is a convenience standard for wireless networks that simplifies adding new clients to a securely configured network. In push-button mode, the administrator presses the WPS button on the base station and the first new wireless client that asks is admitted automatically. The standard also defines a PIN mode, in which an eight-digit code printed on the device (or shown in its interface) is sent to the base station to start the WPS negotiation without any physical button press. The weakness of PIN mode is that the base station confirms the two halves of the PIN separately: the first four digits are checked, and a failure reported, before the last four are examined, and the eighth digit is only a checksum of the other seven. An attacker can therefore guess the halves independently, which reduces the search space from 100,000,000 possible PINs to at most 10,000 + 1,000 = 11,000 attempts, and a successful guess lets an unauthorized system join the wireless network. Such a brute-force attack is typically completed in less than six hours, which makes WPS a serious concern for wireless network security.
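The split verification described above is easiest to appreciate by simulating it. The Python below is an added example, not code from the original page or from any WPS cracking tool: a toy registrar that, like a real access point, reports a wrong first half after message M4 and a wrong second half after message M6, and an attacker loop that exploits this to find the PIN in at most 11,000 attempts. The checksum routine is the standard WPS PIN checksum; the target PIN is a constructed value.

```python
def wps_checksum(first7: int) -> int:
    """Eighth digit of a WPS PIN: a weighted checksum of the first seven digits."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10

def make_pin(first7: int) -> int:
    """Build the full 8-digit PIN from its first seven digits."""
    return first7 * 10 + wps_checksum(first7)

class Registrar:
    """Toy model of the AP side of the WPS PIN exchange: it rejects a wrong first
    half (after message M4) before it ever looks at the second half (message M6)."""
    def __init__(self, pin: int):
        self.pin = f"{pin:08d}"
        self.attempts = 0

    def try_pin(self, pin: int) -> str:
        self.attempts += 1
        guess = f"{pin:08d}"
        if guess[:4] != self.pin[:4]:
            return "NACK after M4"
        if guess[4:] != self.pin[4:]:
            return "NACK after M6"
        return "success"

def crack(reg: Registrar):
    """Guess the halves independently: at most 10,000 + 1,000 attempts, because the
    checksum digit removes one more digit of freedom from the second half."""
    for half1 in range(10_000):
        if reg.try_pin(half1 * 10_000) != "NACK after M4":   # second half is filler
            break
    else:
        return None
    for tail in range(1_000):
        candidate = make_pin(half1 * 1_000 + tail)
        if reg.try_pin(candidate) == "success":
            return candidate
    return None

if __name__ == "__main__":
    reg = Registrar(make_pin(1234567))   # constructed target PIN (12345670)
    print(crack(reg), "found after", reg.attempts, "attempts, not 10**8")
```

Run against the constructed PIN 12345670 the loop needs 1,803 attempts, and even the worst-case PIN 99999995 falls in exactly 11,000; at a few seconds per attempt that is the "less than six hours" figure. Rate limiting or lockout after a handful of failed PINs helps only if the firmware actually implements it, which is why disabling WPS is the recommended fix.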

WPS is required for Wi-Fi Alliance device certification, so it is enabled by default on most wireless access points. A security-focused predeployment process should therefore disable WPS before the device goes into service, and then verify with a scan that the access point no longer advertises WPS in its beacons, since some firmware keeps answering PIN requests after the option is switched off in the interface. If a device offers no way to disable WPS, upgrade the firmware or replace the device. In general, keep WPS turned off.

To ensure all settings, including WPS, are set properly, it is important to perform your security-focused predeployment process again each time you upgrade your firmware. If you need to add many clients to a network, you may temporarily re-enable WPS, but be sure to disable it immediately afterward.

Bluejacking

Bluejacking is the act of sending unsolicited messages to Bluetooth-enabled devices without the owner's permission; the message may be displayed automatically on the device's screen. It can be done from almost any device that supports Bluetooth, including PDAs, cell phones, and notebook computers. Typically a virtual business card (vCard) is pushed using the Object Exchange (OBEX) protocol, the same protocol used for infrared transfers. Range depends on the radio's power class: the Class 2 radios (2.5 mW) in most small portable devices reach about 10 meters or less, and the Class 1 radios (100 mW) found in notebook computers and some adapters reach about 100 meters. With a high-gain directional antenna, Bluetooth devices have been reached from a mile or more away.

The vCard's name field is usually used to carry the bluejack message, with minimal or no additional content, so messages are limited to brief text strings. Even so, bluejacking is used for pranks, teasing, and advertisements, and some phones that accept multimedia messages can also receive images and sounds through bluejacking. Bluejacking is considered relatively harmless because it carries no malicious code, and to date it has not been associated with significant security risks. Many devices nonetheless have a level of defense against it: they do not automatically accept messages transmitted via Bluetooth from unknown, or unpaired, sources.

A warning may appear on devices configured with a level of defense against bluejacking that do not automatically accept Bluetooth-transmitted messages from unpaired sources. The warning will notify the user that a message from an unknown device has been received and give them the option to accept or reject it. To minimize the risk of exposure, users can keep Bluetooth turned off when not in active use. Since bluejacking is simply the transmission of a message or announcement, all Bluetooth devices are susceptible to this type of attack. Additionally, there are other types of Bluetooth-based attacks that are cause for concern, such as bluesniffing and bluesmacking.

Bluesniffing is eavesdropping on, or capturing packets of, Bluetooth communications. Bluetooth link-layer encryption is optional and its strength depends on the pairing method used, so traffic from devices that pair without encryption or use legacy PIN-based pairing can be captured and decoded, exposing keystrokes from Bluetooth keyboards, audio from headsets, phone calls, and other data.

Bluesmacking is a denial-of-service (DoS) attack against Bluetooth devices, classically carried out by flooding the target with oversized L2CAP echo requests (the Bluetooth equivalent of a ping flood). To mitigate these risks, avoid using Bluetooth in public locations, keep devices non-discoverable, and turn Bluetooth off when not in use.

Bluesnarfing

Bluesnarfing is the unauthorized retrieval of data over a Bluetooth connection. It is often confused with bluejacking, but the two are different: bluejacking only pushes a message to the target, whereas bluesnarfing pulls data out of it. Attackers have extracted calendars, contact lists, text messages, emails, pictures, videos, and more from PDAs, cell phones, and notebooks this way. Because it steals data without permission, bluesnarfing is illegal in most countries.

Bluesnarfing is usually carried out over a paired link between the attacker's device and the target. If the target is not discoverable and does not accept pairing from unknown devices, bluesnarfing is usually not feasible. An implementation flaw discovered in some early phones allowed bluesnarfing even against non-discoverable devices, but it has since been fixed. Bluesnarfing a non-discoverable device is also possible if its 48-bit Bluetooth address is known, but guessing the address is usually impractical (the first 24 bits identify the manufacturer, which still leaves about 16 million candidates per vendor).

Another intriguing attack that can be performed via Bluetooth is bluebugging, which provides a hacker with the ability to control your device's hardware and software remotely via a Bluetooth connection, often enabling the attacker to remotely activate the device's microphone and use it as a wireless bug. Bluesnarfing and bluebugging attacks are not due to an inherent flaw in Bluetooth, but rather to vulnerabilities in certain device implementations. Therefore, while these types of exploits are not common, they can be significant if your device is susceptible. Hence, it's essential to keep your firmware up to date to reduce the risk.

RFID

RFID (Radio Frequency Identification) is a tracking technology in which a reader's radio field induces a current in the tag's antenna, powering the tag's transmitter, as shown in this Figure. Read range depends on the tag type: passive tags powered entirely by the reader's field are read from a few centimeters to roughly ten meters, while battery-assisted or active tags can be read from hundreds of meters away. RFID tags can be affixed to or built into devices of all kinds, including notebook computers, tablets, routers, switches, USB flash drives, portable hard drives, and more, which allows swift inventory tracking without physical access to each device. Simply walking into a room with an RFID reader collects the information transmitted by every activated tag in the area, which has raised concerns about the privacy implications of RFID.

If your device has an RFID chip, anyone with an RFID reader can detect its signal and retrieve its unique code or serial number. However, without a corresponding database that links the number to the specific object or person, the information transmitted by the chip is meaningless. If you're the only person in the vicinity and someone captures your RFID chip code, they can associate you and/or your device with that code for future detections of the same code.

NFC

Near Field Communication (NFC) lets devices establish radio communication when they are within a few centimeters of each other. It supports automatic synchronization and association between devices that are brought close together or touched, is field-powered or field-triggered, and is derived from RFID. Typical applications are in smartphones and mobile device accessories, which use it for data transfers, to establish direct communication, or to bootstrap more sophisticated services, such as joining a WPA2 encrypted wireless network by tapping the access point. Because NFC is a radio technology, it has its own set of vulnerabilities: potential attacks include man-in-the-middle attacks, eavesdropping, data tampering, and replay attacks. The short range limits where an attacker can stand but is not a security guarantee, since a sensitive receiver can pick up NFC signals from further away than a normal tap.

Disassociation

Disassociation is one of the 802.11 management frame types, and it is used in several wireless attacks. For instance, in networks with hidden SSIDs, a disassociation frame with the source MAC address spoofed as that of the WAP is sent to a connected client. The client loses its connection and, to rejoin, sends a probe request or (re)association request that carries the SSID in the clear. By sending disassociation frames repeatedly, an attacker can keep a client from reassociating, which is a denial-of-service (DoS) attack, or keep the real client off the air while impersonating it to take over its wireless session with the WAP. These frames are spoofable because, in plain WPA2 and earlier, management frames carry no cryptographic protection; 802.11w Protected Management Frames (PMF), optional in WPA2 and mandatory in WPA3, authenticate disassociation and deauthentication frames so that a client discards forged ones.

Disassociation frames are also used to set up a man-in-the-middle attack. The attacker sends a disassociation frame that appears to come from the legitimate WAP, then stands up a fake WAP with the same SSID and MAC address and a stronger signal to lure the client. Once the client associates with the fake WAP, the attacker connects onward to the real WAP and can intercept and manipulate traffic between the client and the legitimate network.
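Where PMF is not deployed, the practical defense is to notice the attack: a disassociation or deauthentication flood looks nothing like normal management traffic. The following Python is an added example of that detection logic, not code from the original page or from any WIDS product. It assumes the management frames have already been parsed from a monitor-mode capture into dictionaries with a timestamp, frame subtype, source and destination, and raises an alert for any sender that emits a burst of deauthentication or disassociation frames; the sample capture is constructed.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA                  # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_disassoc_flood(frames, threshold=10, window_s=1.0):
    """frames: parsed management-frame records with t (seconds), subtype, src, dst.
    Raise one alert per sender that emits `threshold` or more deauthentication or
    disassociation frames inside any `window_s` span. Returns (src, kind, count)."""
    recent = defaultdict(deque)
    flagged, alerts = set(), []
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window_s:
            q.popleft()                        # drop frames outside the window
        if len(q) >= threshold and f["src"] not in flagged:
            flagged.add(f["src"])
            # a flood aimed at ff:ff:ff:ff:ff:ff knocks every client off at once
            kind = "broadcast" if f["dst"] == BROADCAST else "targeted"
            alerts.append((f["src"], kind, len(q)))
    return alerts

# Constructed sample capture: an attacker spoofing the AP (00:11:22:33:44:55)
# spams broadcast deauths, while a neighbouring AP sends a few legitimate
# disassociations spaced well apart, and a normal beacon is mixed in.
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = (
    [{"t": 5.0 + i * 0.02, "subtype": DEAUTH, "src": AP, "dst": BROADCAST}
     for i in range(25)]
    + [{"t": 1.0 + i * 0.5, "subtype": DISASSOC, "src": "aa:bb:cc:dd:ee:ff",
        "dst": "de:ad:be:ef:00:01"} for i in range(4)]
    + [{"t": 5.1, "subtype": 0x8, "src": AP, "dst": BROADCAST}]   # ordinary beacon
)

if __name__ == "__main__":
    for src, kind, count in detect_disassoc_flood(SAMPLE_FRAMES):
        print(f"ALERT: {count} {kind} deauth/disassoc frames from {src} within 1 s")
```

The alert names the spoofed source, which is the legitimate AP's own address, so the response is to locate the real transmitter by signal strength rather than to block the AP; the threshold and window are tuning knobs, and a handful of disassociations per minute from a busy AP is normal and should not fire.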

