Types of Wireless Network Attacks
February 18, 2016
Our modern networks are increasingly moving towards wireless technologies. As convenient as they are, wireless connections have one major drawback – security. Compared to their wired counterparts, securing wireless technologies poses a bit of an extra challenge.
My main focus for this article will be security over WiFi access, but I’ll address 3G/4G and Bluetooth as well. Read on to learn about the methods that hackers use to steal data and what you can do to keep them out.
This content is relevant to know for offensive and defensive cyber security professionals, specifically those individuals looking to earn an EC-Council Certified Ethical Hacker (CEH) certification and eventually become a Licensed Penetration Tester (LPT). The information is also valuable for networking professionals, especially those with CompTIA Network+ certifications.
In a wired network, packets of information are transferred along a physical medium, such as a copper cable or fiber optics. In a wireless setup, your data is quite literally broadcast through the air around you. Furthermore, physical access is not required to gain access to a network. What this means is that cyber criminals now have new ways to wreak havoc on your network infrastructure. Let’s take a look at these wireless attacks.
Types of Wireless Attacks
Wireless Attacks can come at you through different methods. For the most part you need to worry about WiFi. Some methods rely on tricking users, others use brute force, and some look for people who don’t bother to secure their network. Many of these attacks are intertwined with each other in real world use. Here are some of the kinds of attacks you could encounter:
- Packet Sniffing: When information is sent back and forth over a network, it is sent in what we call packets. Since wireless traffic is sent over the air, it’s very easy to capture. Quite a lot of traffic (FTP, HTTP, SNMP, etc.) is sent in the clear, meaning that there is no encryption and the contents are plain text for anyone to read. So using a tool like Wireshark allows you to read data transfers in plain text! This can lead to stolen passwords or leaks of sensitive information quite easily. Encrypted data can be captured as well, but it’s obviously much harder for an attacker to decipher the encrypted data packets.
- Rogue Access Point: When an unauthorized access point (AP) appears on a network, it is referred to as a rogue access point. These can pop up from an employee who doesn’t know better, or a person with ill intent. These APs represent a vulnerability to the network because they leave it open to a variety of attacks. These include vulnerability scans for attack preparation, ARP poisoning, packet captures, and Denial of Service attacks.
- Password Theft: When communicating over wireless networks, think of how often you log into a website. You send passwords out over the network, and if the site doesn’t use SSL or TLS, that password is sitting in plain text for an attacker to read. There are even ways to get around those encryption methods to steal the password. I’ll talk about this with man in the middle attacks.
- Man in the Middle Attack: It’s possible for hackers to trick communicating devices into sending their transmissions to the attacker’s system. Here they can record the traffic to view later (like in packet sniffing) and even change the contents of files. Various types of malware can be inserted into these packets, e-mail content could be changed, or the traffic could be dropped so that communication is blocked.
- Jamming: There are a number of ways to jam a wireless network. One method is flooding an AP with deauthentication frames. This effectively overwhelms the network and prevents legitimate transmissions from getting through. This attack is a little unusual because there probably isn’t anything in it for the hacker. One of the few examples of how this could benefit someone is through a business jamming their competitor’s WiFi signal. This is highly illegal (as are all these attacks), so businesses would tend to shy away from it. If they got caught they would be facing serious charges.
- War Driving: War driving comes from an old term called war dialing, where people would dial random phone numbers in search of modems. War driving is basically people driving around looking for vulnerable APs to attack. People will even use drones to try and hack APs on higher floors of a building. A company that owns multiple floors around ten stories up might assume nobody is even in range to hack their wireless, but there is no end to the creativity of hackers!
- Bluetooth Attacks: There are a variety of Bluetooth exploits out there. These range from annoying pop-up messages to full control over a victim’s Bluetooth-enabled device.
- WEP/WPA Attacks: Attacks on wireless routers can be a huge problem. Older encryption standards are extremely vulnerable, and it’s pretty easy to gain the access code in this case. Once someone’s on your network, you’ve lost a significant layer of security. APs and routers are hiding your IP address from the broader Internet using Network Address Translation (unless you use IPv6, but that’s a topic for another day). This effectively hides your private IP address from those outside your subnet, and helps prevent outsiders from being able to directly attack you. The keyword there is that it helps prevent the attacks, but doesn’t stop them completely.
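The rogue access point and deauthentication-flood items above describe what a defender can actually watch for over the air. The following is an added example (not from the original article): a small monitor that reads 802.11 management-frame records and flags an unknown BSSID beaconing one of our SSIDs (an evil twin) and a BSSID sending an abnormal burst of deauth frames. The frame record format, the AP allowlist and the flood threshold are assumptions, and the capture is constructed rather than taken from a real network.

```python
from collections import Counter, defaultdict

# Constructed allowlist of the APs we actually own: SSID -> set of BSSIDs.
AUTHORIZED_APS = {"corp-wifi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}

# Hypothetical threshold: a real AP deauthenticates clients rarely, so a burst
# of deauth frames within one second is the jamming pattern described above.
DEAUTH_PER_SECOND_THRESHOLD = 20

def find_rogue_aps(frames):
    """Return BSSIDs that beacon one of OUR SSIDs without being authorized.

    An unknown AP copying our network name is the case that matters, because
    clients may join it; a neighbour's unrelated SSID is ignored.
    """
    rogues = set()
    for f in frames:
        if f["type"] != "beacon":
            continue
        authorized = AUTHORIZED_APS.get(f["ssid"])
        if authorized is not None and f["bssid"] not in authorized:
            rogues.add(f["bssid"])
    return rogues

def find_deauth_floods(frames):
    """Return {bssid: peak deauth frames/second} for BSSIDs over the threshold."""
    per_second = defaultdict(Counter)  # bssid -> Counter(second -> frames)
    for f in frames:
        if f["type"] == "deauth":
            per_second[f["bssid"]][int(f["time"])] += 1
    return {bssid: max(c.values()) for bssid, c in per_second.items()
            if max(c.values()) > DEAUTH_PER_SECOND_THRESHOLD}

# Constructed capture: two of our beacons, one evil twin, a neighbour, then a
# 30-frame deauth burst forged with our first AP's BSSID inside one second.
SAMPLE_FRAMES = (
    [{"type": "beacon", "ssid": "corp-wifi", "bssid": "00:11:22:33:44:55", "time": 0.1},
     {"type": "beacon", "ssid": "corp-wifi", "bssid": "00:11:22:33:44:56", "time": 0.2},
     {"type": "beacon", "ssid": "corp-wifi", "bssid": "aa:bb:cc:dd:ee:ff", "time": 0.3},
     {"type": "beacon", "ssid": "neighbour", "bssid": "de:ad:be:ef:00:01", "time": 0.4}]
    + [{"type": "deauth", "bssid": "00:11:22:33:44:55", "time": 5.0 + i / 100}
       for i in range(30)]
    + [{"type": "deauth", "bssid": "00:11:22:33:44:56", "time": 7.5}]  # a normal one
)

if __name__ == "__main__":
    print("rogue APs:", find_rogue_aps(SAMPLE_FRAMES))
    print("deauth floods:", find_deauth_floods(SAMPLE_FRAMES))
```

A single deauth frame from a legitimate AP is left alone; only the rate, not the frame type itself, is what separates jamming from normal operation.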
Another thing to take note of is that our mobile devices are at risk whenever they connect to public WiFi. Whether you use a phone, tablet, or laptop, accessing an insecure network is putting a target on your data. Understand the risks or consider using a VPN.
Unauthorized AP Access
If you are in an area where other businesses or homes are in close proximity, you could encounter an attacker trying to steal WiFi credentials and gain access. This can be problematic on many levels, as a hacker might not stop at using your internet for free. Once inside your subnet, any connected device is vulnerable. This can get especially troublesome if you happen to have security cameras in your house that are connected to your wireless network. This kind of attack often happens with WEP encryption, as it is much easier to crack than WPA/WPA2. Of course, a determined hacker can likely find a way in regardless of what encryption you use.
While WPA/WPA2 are far more secure than WEP, if you have WPS enabled I can gain access pretty quickly with a tool like Reaver. Even if you have followed the guidelines above, there’s still a chance I can get into your wireless network.
Warning: Because the following contains information that could be used for illegal purposes, I want to really drill this into your head: hacking a network you do not own or have permission to attack is multiple felonies! This information is for educational purposes, particularly for aspiring cyber security professionals. If you are convicted of a felony you can be put into prison, fined heavily, you lose your right to vote, cannot own a firearm legally, and you now have to disclose your status as a convicted felon to future employers.
If you don’t have a place to practice legally, find one or make your own. Save up some cash and build a test lab inside your home. It doesn’t need to be expensive. If you happen to be in the Columbia MD area, I can refer you to Howard Community College’s cyber defense lab. You may need to register as a student to use the facility though.
With that legal disclaimer in mind, let’s look at some of the techniques used to crack wireless router passwords.
Hacking WEP, WPS, and WPA/WPA2
WEP: If I’m honest, if you have WEP encryption you may as well name your SSID “Free WiFi” and disable the password. All I have to do is set my laptop’s wireless card to monitor mode (not all wireless cards are capable of this) and see what APs are around. From here I focus in on the one I want to hack and start capturing packets and storing them into a file. If you happen to have WEP on your wireless setup (I hope not!) or you have an old wireless router laying around that you can set up to practice on, check out this tutorial for hacking WEP.
After around 10,000 packets (this doesn’t take as long as you may think) I take a shot at using a tool to crack it. If it doesn’t work I wait until I have more packets and try again. In a fairly short period of time I have a password in front of me, and access to your router. The only defense against this attack is to upgrade to WPA/WPA2 (preferably WPA2).
WPS: This takes a few more steps. If WPS is enabled on your WPA2 router it’s almost as vulnerable as one using WEP! This article on Ars Technica will give you an in-depth look at hacking WPS. If you own a router with WPS enabled see if you can follow along. To defend yourself from this, turn off WPS on your wireless router.
WPA/WPA2: These are far more secure than WEP so long as WPS is turned off. Of course, there is still a way in. If you have a weak password, I can perform a brute force attack with a password file. Essentially, there are massive lists of already cracked passwords, words from the dictionary, default credentials, and common password variations available on the internet. In fact, Kali Linux has one built in. Of course, this method requires time, or some serious computing power. The more complex your password is, the longer this process takes. Essentially what you want to do is delay a hacker for so long that they get bored and give up.
There is another WPA2 exploit. When a router is deauthenticating and forcing a device offline to reauthenticate with a new key, there is a short opening that can be exploited. You could configure your access point to use MAC filtering to stop this, but if the attacker is skilled enough to perform this they will easily spoof your MAC address.
Tips for Securing WiFi
Now that you don’t trust anything on the Internet anymore, let’s build that confidence back up. There are a lot of ways to make yourself less susceptible to wireless attacks.
- Use WPA2 security: This takes enough work to crack that most hackers will look for an easier target. Make sure WPS is turned off!
- Minimize Your Network’s Reach: Try to position your router in the center of your home or building. There are tools available to measure the reach of your network, and you can adjust the signal level. Try to make it so that the signal beyond your walls is degraded enough that it isn’t usable. You may also consider using a directional antenna if central placement is not an option.
- Use Firewalls: Make sure your AP’s firewall is enabled. If you can afford a hardware firewall and feel you need the extra security, go ahead and install one. Household networks generally can get away with the standard router firewall, and operating system firewalls.
- Use a VPN on Open Networks: If you really must use public WiFi, set up a VPN. Most smartphones have this capability. You can set one up on your PC. This allows you to communicate through an encrypted tunnel back to your home or office. You can even send web traffic through a VPN.
- Update Software and Firmware: Keep your system up to date with the latest patches, and make sure any online applications you use are updated as well. Check for AP firmware updates related to security flaws, and implement them as soon as possible. Remember to follow best practices for network modification to ensure you don’t interrupt a critical task. Check out your updates in a test lab to make sure that they don’t interfere with an important application. Don’t perform updates during normal operating hours if possible, and if you must update during work hours make sure everyone is aware that network connectivity could slow down, or be cut off temporarily while you work.
- Use Strong Passwords: I recommend you use at least a 15 character password. Use a mix of upper/lowercase letters, numbers, and symbols. Again, don’t make it easy. Is the only capital letter at the start? Is there an exclamation at the end? Are there any words in there? These are common bad password practices, and hackers love them.
- Change the Login Credentials: Make sure you change the administrative login credentials. This is often something like admin/admin or admin/password by default.
- Disable your SSID (service set identifier) Broadcast: This isn’t a security measure. The right tools will still find your network’s SSID (this is the name of your network in case you didn’t know). However, there’s a small chance it could help your network fly under the radar.
- Enable MAC Filtering: Again, MAC filtering is not security. A knowledgeable hacker knows how to monitor your network and copy the MAC address of a connected device. They can then spoof their own MAC to appear as an authorized device to gain access. However, this is another annoyance for them to deal with.
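The “Use Strong Passwords” item above, together with the wordlist attack described in the WPA/WPA2 section, amounts to a checkable policy. Here is an added example (not from the original article) that turns those questions into code: minimum length, all four character classes, a capital only at the start, a lone symbol only at the end (generalizing the “exclamation at the end” case to any single trailing symbol), and dictionary words, including ones hidden behind common digit-for-letter substitutions. The word list is a small constructed stand-in for the large lists the article says attackers carry.

```python
import string

# Constructed dictionary stand-in; a real check would load a large word list,
# since attackers carry exactly such lists (as the WPA/WPA2 section notes).
COMMON_WORDS = {"password", "summer", "welcome", "wireless", "dragon", "letmein"}
MIN_LENGTH = 15  # the article's minimum
# Undo the common digit/symbol-for-letter substitutions before the word check.
LEET = str.maketrans("013457$@", "oleastsa")

def check_passphrase(pw):
    """Return a list of weaknesses; an empty list means the passphrase passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_lower and has_upper and has_digit and has_symbol):
        findings.append("missing a character class (upper, lower, digit, symbol)")
    # The two habits the article calls out: capital only at the start,
    # and a lone symbol (typically '!') tacked on the end.
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    if uppers == [0]:
        findings.append("only capital letter is the first character")
    symbols = [i for i, c in enumerate(pw) if c in string.punctuation]
    if symbols == [len(pw) - 1]:
        findings.append("only symbol is the last character")
    # Dictionary words, checked both as typed and with substitutions undone,
    # so "P@ssw0rd" is still recognized as "password".
    normalized = pw.lower().translate(LEET)
    for word in sorted(COMMON_WORDS):
        if word in pw.lower() or word in normalized:
            findings.append(f"contains dictionary word '{word}'")
    return findings

if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd123456!", "Blue#Kettle9-rain7Moss"):
        print(candidate, "->", check_passphrase(candidate) or "OK")
```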
It’s a good idea to monitor your network connections to look for unusual activity. If you have an Android phone you can use this free network IP scanner to see the IP addresses of connected devices. Desktops can use something like the nmap tool. For a home network with few devices, you want to find out what your devices’ IP addresses currently are, and see if there are any that don’t match. Be aware that if your WiFi uses DHCP (automatically assigned IPs) these could change over time.
Note that your router has an IP as well; most likely it will be either 10.10.1.1 or 192.168.1.1, but it may vary according to your setup.
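Because DHCP can hand a device a different address between scans, the comparison above is better done on MAC addresses than on IPs. The following is an added example (not from the original article) that checks a scan result against a known device inventory and reports unknown devices, devices that have gone missing, known devices that simply got a new lease, and one MAC showing up at two IPs at once (which is how a spoofed MAC of an allowed device, as described under MAC filtering, would appear). The inventory and both scans are constructed; they stand in for what a scanner such as nmap would report.

```python
from collections import defaultdict

# Constructed inventory of the devices we expect on the LAN, keyed by MAC,
# because a DHCP lease can move a device to a different IP between scans.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "router",
    "aa:bb:cc:00:00:02": "laptop",
    "aa:bb:cc:00:00:03": "phone",
    "aa:bb:cc:00:00:04": "security camera",
}

def audit_scan(scan, known=KNOWN_DEVICES, last_ips=None):
    """Compare a scan (list of (ip, mac) pairs) against the inventory.

    Returns a dict with: unknown (MACs not in the inventory), missing (known
    devices not seen), readdressed (known device at a new IP, normal DHCP churn)
    and duplicate_mac (one MAC at several IPs at once, which is how a spoofed
    MAC of an allowed device shows up).
    """
    last_ips = last_ips or {}
    by_mac = defaultdict(set)
    for ip, mac in scan:
        by_mac[mac.lower()].add(ip)
    report = {"unknown": [], "missing": [], "readdressed": [], "duplicate_mac": []}
    for mac, ips in sorted(by_mac.items()):
        if mac not in known:
            report["unknown"].append((mac, sorted(ips)))
        elif len(ips) > 1:
            report["duplicate_mac"].append((mac, sorted(ips)))
        elif mac in last_ips and last_ips[mac] not in ips:
            report["readdressed"].append((mac, last_ips[mac], next(iter(ips))))
    report["missing"] = sorted(set(known) - set(by_mac))
    return report

# Constructed addresses from the previous scan and a new scan, standing in for
# what a scanner such as nmap would report.
LAST_IPS = {"aa:bb:cc:00:00:01": "192.168.1.1", "aa:bb:cc:00:00:02": "192.168.1.20",
            "aa:bb:cc:00:00:03": "192.168.1.21", "aa:bb:cc:00:00:04": "192.168.1.30"}
SAMPLE_SCAN = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.25", "aa:bb:cc:00:00:02"),  # laptop got a new lease
    ("192.168.1.21", "aa:bb:cc:00:00:03"),
    ("192.168.1.40", "aa:bb:cc:00:00:03"),  # phone's MAC also at a second IP
    ("192.168.1.77", "11:22:33:44:55:66"),  # never seen before; camera is absent
]

if __name__ == "__main__":
    for key, items in audit_scan(SAMPLE_SCAN, last_ips=LAST_IPS).items():
        print(f"{key}: {items}")
```

A device that is merely off (the camera here) lands in "missing", so that list is a prompt to check, not an alarm by itself; "unknown" and "duplicate_mac" are the entries worth acting on.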
There are a lot of ways for hackers to come after your data, but taking these simple precautionary measures, and proactively monitoring for threats can make a world of difference.