Cyber Security WiFi Attacks
A potent and important area to computer security is WIFI. Devices and systems are no longer required to be interconnected via physical cables, but can instead be reached by anyone within signal radius. WIFI enables many new devices to be capable of networking.
WIFI as most people know it stems from the IEEE 802.11 protocol. There are other protocols which uses radio for signaling too, for example:
- Bluetooth, for communicating with devices we carry, typically smartphones, headphones etc.
- NFC ("Near Field Communications"), implemented in access badges and credit cards for wireless transmission of data.
- RFID ("Radio Frequency Identification"), used for access cards and other devices, for example a car which can wirelessly transmit its identifier to a toll-road system.
- ZigBee and Z-Wave, used for enterprise and home automation.
Wireless communication is typically done via an AP ("Access Point"), a wireless base station which acts as a switch and router between clients that wish to communicate. Peer-to-peer communications are also possible, but less typical.
The name of a wireless network is known as the SSID ("Service Set Identifier").
Because WIFI signals reach everyone in the vicinity it enables attackers to easily use an antenna to "sniff" communications for anyone transmitting. Sniffing simply means to listen for packets which the network interface can see.
WIFI sometimes allow users to reach internal applications, increasing attack potential. Furthermore, WIFI devices have management interfaces and firmware which can hold vulnerabilities, sometimes not always patched as timely as other assets in the enterprise.
WIFI have the option of
- No security
- Access list based on MAC addresses
- PSK ("Pre-Shared Key")
- Enterprise authentication
Many WIFI attacks rely on network cards with two primary features, namely:
- Monitor Mode: Makes the network card forward packets destined to all MAC addresses to the Operating System, not just its own.
- Packet Injection: The network card supports crafting packets with a different source MAC address than its own.
Open WIFI Networks
An open WIFI network is a network with no password on it. Communication between AP and Clients is not encrypted and everyone has to rely on their own sources of encryption to protect their traffic. These kinds of networks are very convenient and accessible for users, but makes security compromises.
An attacker on these kinds of networks can easily see what everyone else is doing by simply sniffing packets. Such packets can contain sensitive details or simply details about what the users are doing on the network.
AP's can often turn off broadcasting the name of the wireless network. This requires clients to demonstrate knowledge of the SSID to join the network. It is not considered best-practice to enable hidden SSID, because the name of the network is exposed anytime a client joins. Furthermore, the clients now need to ask and broadcast information about the network they want to join, everywhere they travel. An attacker could then sniff the WIFI traffic of clients and potentially learn more information about whom the clients are and where they have joined networks before.
MAC Address Filtering
Some AP's support access control based on MAC Addresses. The AP can create an allow-list of which MAC addresses should be allowed to join and communicate on the network.
This approach is in-secure. An attacker can sniff and observe other systems communicating on the network already. Then record their MAC addresses and update the attackers own MAC address to be one which is already allowed. This effectively bypasses the MAC Address Filtering requirement.
PSK ("Pre-Shared Key")
PSK simply means the network is configured with a password. PSK protection is typically implemented via a protocol called WPA ("WIFI Protected Access"). Older protocols for authentication can also be used, for example WEP ("Wired Equivalent Privacy") but has for a long time been considered obsolete as it is highly in-secure and easy for attackers to crack.
WPA comes in different forms with WPA3 being the latest standard as of the year 2021. WPA is not entirely safe against attackers either, but offers much more protection than WEP. To break into a WPA enabled network the attacker must try to crack the password with a password cracker. This is considered an expensive process in terms of time if the password is reasonably strong.
If an attacker can observe (sniff) anyone whom authenticates to the network, they have enough to engage in password cracking activities. Tools like aircrack-ng ("https://www.aircrack-ng.org/") supports cracking WIFI passwords.
Enterprise Access Points can also support authenticating clients based on certificates, which requires PKI ("Public Key Infrastructure") or enterprise credentials by integrating to a centralized authentication service.
This has some benefits, especially the concept of key management. With a PSK network, the inherent challenge is how passwords are distributed, rotated and revoked.
While Enterprise Authentication provides better security management regarding keys, it also involves a more complex infrastructure and offers other opportunities for attackers.
Fake WIFI Access Points
Attackers can easily start broadcasting networks pretending to be other networks. Often clients will automatically connect to networks in range if they present themselves with the appropriate SSID. This allows attackers to make clients connect to the attackers network, allowing them to sniff and change traffic as the attacker wishes.