Wireless networks:

The low hanging fruit for hackers

You have secured your wired LAN with all latest
technologies and processes. But is your wireless
network left open to hackers? How do you ensure
the security of your wireless network?

Are wireless networks soft target for “Locking down a wireless

hackers?
In the history of networking, it has never been
easier to penetrate a network with wireless
LAN. Wireless networks are popping up
everywhere today. They provide a lot of
freedom but with a significant downside: Too
many wireless networks are left wide open for
attacks. As with computers or networks,
organizations must understand the latest
security concepts to properly secure 802.11-
based wireless networks. Advancements in
wireless LAN technology have given hackers
and network security professionals inexpensive
and free tools to work with.
Whether you are a Linux user or Windows, the
tools are everywhere. The ever growing and
enduring wares community has given easy
access to expensive analysis and penetration
tools — such as 802.11-protocol analyzers —
with no investment.
Locking down a wireless network involves
more than just port-scanning testing and
patching vulnerabilities. You must also have
the right security tools, use the proper testing
techniques, and possess a watchful eye. And
know your enemy: It’s critical to think like a
hacker to get a true sense of how secure your
information really is!.
network involves more than just
port scanning technique and
patching vulnerabilities.”
Where are wireless networks
attacked most? - WEP
Vulnerabilities
As an encryption algorithm WEP uses RC4
which also acts as a stream cipher. A stream
cipher operates by expanding a short key into
an infinite pseudo-random key stream. The
sender of the message stream XORs with the
plaintext to produce ciphertext.
The receiver has a copy of the same key, and
uses it to generate identical key stream. The
receiver XORs the key stream with the
ciphertext to produce the plaintext.
This mode of operation makes stream ciphers
vulnerable to several attacks. If an attacker flips
a bit in the ciphertext, then upon decryption,
the corresponding bit in the plaintext will be
flipped. Also, if an eavesdropper intercepts two
ciphertexts encrypted with the same key
stream, it is possible to obtain the XOR of the
two plaintexts. Knowledge of this XOR can
enable statistical attacks to recover the
plaintexts. The statistical attacks become
13
 increasingly practical as more ciphertexts that
use the same key stream are known. Once one
of the plaintexts becomes known, it is trivial to
recover all of the others.
Passive Wireless Attack to Decrypt
Traffic
The first attack follows directly from the above
explanation. By XORing two packets the
attacker obtains the XOR of the two plaintext
messages. The resulting XOR can be used to
infer data about the contents of the two
messages. IP traffic is often very predictable
and includes a lot of redundancy. This
redundancy can be used to eliminate many
possibilities for the contents of messages.
Further educated guesses about the contents
of one or both of the messages can be used to
statistically reduce the space of possible
messages, and in some cases it is possible to
determine the exact contents.
An extension to this attack uses a host
somewhere on the Internet to send traffic from
the outside to a host on the wireless network
installation. The contents of such traffic will
be known to the attacker, yielding known
plaintext. When the attacker intercepts the
encrypted version of his message sent over
802.11, he will be able to decrypt all packets
that use the same initialization vector.
“Passive attacks are easier and
gives a hacker total control over
your wireless network”
Active Wireless Attack to Inject
Traffic
The following attack is also a direct
consequence of the problems described in the
previous section. Suppose an attacker knows
the exact plaintext for one encrypted message.
He can use this knowledge to construct correct
encrypted packets. The procedure involves
constructing a new message, calculating the
14
CRC-32, and performing bit flips on the
original encrypted message to change the
plaintext to the new message. This packet can
now be sent to the access point or mobile
station, and it will be accepted as a valid packet.
A slight modification to this attack makes it
much more insidious. Even without complete
knowledge of the packet, it is possible to flip
selected bits in a message and successfully
adjust the encrypted CRC (as described in the
previous section), to obtain a correct encrypted
version of a modified packet. If the attacker has
partial knowledge of the contents of a packet,
he can intercept it and perform selective
modification on it. For example, it is possible
to alter commands that are sent to the shell
over a telnet session, or interactions with a file
server.
What are the common security
problems and Mitigation Techniques?
Risk No. 1: Access constraints
Wireless access points repeatedly send out
signals to announce their availability. The
users can thus seamlessly find them to initiate
connectivity. This signal transmission occurs
when 802.11 beacon frames containing the
access points' Service Set Identifier are sent
unencr ypted. (SSIDs are names or
descriptions used to differentiate networks
from one another.) This could make it easy for
unauthorized users to learn the network name
and attempt an attack or intrusion.
How to mitigate:
1. Enable available security features. The
security features embedded in the access
point’s hardware/software are disabled
by default.
2. Change the default settings. Default
SSIDs are set by the manufacturer. For
example, Cisco's default SSID is
"tsunami," and Linksys' is "linksys." Not
changing these makes it easier for an
 unauthorized user to gain access. Define a
complex SSID naming convention.
Don't change the SSID to reflect
identifiable information, since this too
could make it easy for an unauthorized
user to gain access. Instead, use long,
non meaningful strings of characters,
including letters, numbers and symbols.
3. Disable Dynamic Host Configuration
Protocol and use static IP addresses
instead. Using DHCP automatically
provides an IP address to anyone,
authorized or not, attempting to gain
access to your wireless network, again
making it just that much easier for
unauthorized penetration.
4. Move or encrypt the SSID and the
Wired Equivalent Privacy (WEP) key
that are typically stored in the Windows
registry file. Moving these privileged
files makes it more difficult for a hacker
to acquire privileged information. This
s te p c o u l d e i t h e r p r e ve n t a n
unauthorized intrusion or delay the
intrusion until detection occurs.
5. Use a closed network. With a closed
network, users type the SSID into the
client application instead of selecting
the SSID from a list. This feature makes
it slightly more difficult for the user to
gain access, but education on this risk-
mitigation strategy can reduce potential
resistance.
“Always change the default SSIDs set by the
manufacturer. Define a complex SSID naming
convention to make the hacker’s job tough”
Risk No. 2:
Rogue access points Rogue access points are
those installed by users on ad hoc basis without
consultation with the IT. Because access points
are inexpensive and easy to install, rogue
installations are becoming more common and
points are often poorly configured and might
dangerous Rogue access points are often
poorly configured and might permit traffic
that can be hard for intrusion-detection
software to pinpoint.
How to mitigate:
1. Purchase access points that have
flashable firmware which will allow the
users to install security patches and
upgrades in future releases.
2. Disable Simple Network Management
Protocol community passwords on all
access points. SNMP is used as an
access-point management mechanism.
It does offer operational efficiencies but
at the same time increases the risk of
security breaches.
3. Set Authentication method to OPEN
rather than to shared encryption key.
This might sound insecure because
using encryption for authentication is
typically preferred. However, when
using the shared encryption key feature,
the challenge text is sent in clear text.
This could help an unauthorized party
calculate the shared secret key using the
encrypted version of the same text. So
ironically, using the default OPEN
authentication actually reduces the
possibility of an unauthorized party
discovering your WEP encryption key.
4. 30-minute re-authentication for all
users if enforced, is a secure option.
Risk No. 3
Traffic analysis and eavesdropping without
actually gaining access to the network,
unauthorized parties can passively capture the
confidential data traversing the network via
airwaves and can easily read it because it's sent
in clear text. So an attacker could alter a
legitimate message by deleting, adding to,
changing or reordering the message. Or the
attacker could monitor transmissions and
retransmit messages as a legitimate user.
15
 By default, WLANs send unencrypted or
poorly encrypted messages using WEP over the
airwaves that can be easily intercepted and/or
altered. Currently, wireless networks are beset
by weak 802.11x Access Control Mechanisms,
resulting in weak message authentication.
How to mitigate:
1. Encrypt all traffic over the WLAN.
There are a variety of methods to select
from:
o Use application encryption such as
Pretty Good Privacy, Secure Shell
(SSH) or Secure Sockets Layer.
o Enable WEP, an encryption method
that's intended to give wireless users
security equivalent to being on a
wired network but that has been
proved to be insecure Both 40- and
128-bit keys have been cracked -- the
128-bit encryption only prolongs the
cracking process. Despite its
weaknesses, the WEP security that's
built into wireless LANs can delay an
unauthorized user's intrusion or
possibly prevent a novice hacker's
attacks entirely.
2. Implement two-factor authentication
scheme using access tokens for users
accessing critical infrastructure.
3. Restrict LAN access rights by role.
Risk No. 4
MAC spoofing / session hijacking
Typically 802.11 networks don't authenticate
frames.This may result in frames being altered,
16
authorized sessions being hijacked or
authentication credentials being stolen by an
imposter. Therefore, the data contained
within their frames can't be assured to be
authentic, since there's no protection against
forgery of frame source addresses.
Because attackers can observe Media Access
Control addresses of stations in use on the
network, they can adopt those addresses for
malicious transmission. Finally, station
addresses, not the users themselves, are
identified. That's not a strong authentication
technique, and it can be compromised by an
unauthorized party.
How to mitigate:
1. Limit access to specific MAC addresses
that are filtered via a firewall. This
technique isn't completely secure,
because MAC addresses can be duped,
but it does improve the overall security
strategy. Another difficulty with this
technique is the maintenance effort
required. A MAC address is tied to a
hardware device, so every time an
authorized device is added to or
removed from the network, the MAC
address has to be registered into the
database.
2. Monitor logs weekly and scan critical
host logs daily.