<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Wireless Security &#187; encryption</title>
	<atom:link href="http://www.security4wireless.com/wireless-security/encryption/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.security4wireless.com</link>
	<description>Network wireless security</description>
	<lastBuildDate>Sat, 26 Nov 2011 23:55:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.1</generator>
		<item>
		<title>The risks of wireless technology</title>
		<link>http://www.security4wireless.com/the-risks-of-wireless-technology/</link>
		<comments>http://www.security4wireless.com/the-risks-of-wireless-technology/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 19:23:57 +0000</pubDate>
		<dc:creator>Security4wireless</dc:creator>
				<category><![CDATA[Secure wifi]]></category>
		<category><![CDATA[accepting siemens gigaset 501ag]]></category>
		<category><![CDATA[benefits of wireless technologies to business]]></category>
		<category><![CDATA[credit card data over wireless links]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[encryption wireless risks]]></category>
		<category><![CDATA[interception of wireless keyboard]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk and threats on wireless technologies]]></category>
		<category><![CDATA[risks of wireless technology]]></category>
		<category><![CDATA[risks with wireless technology]]></category>
		<category><![CDATA[technologies of wireless security 2010]]></category>
		<category><![CDATA[the risks of wireless offices]]></category>
		<category><![CDATA[the risks of wireless technology]]></category>
		<category><![CDATA[wireless as a network perimeter security risk]]></category>
		<category><![CDATA[wireless keyboard security risk]]></category>

		<guid isPermaLink="false">http://www.security4wireless.com/?p=85</guid>
		<description><![CDATA[The adoption of wireless devices continues to grow as they become more affordable. The rapid spread of wireless technologies among both business and personal systems has improved interoperability and accessibility. However, this very ubiquity has also led to an increase in the number of threats to computer networks. Wireless technologies have given attackers new ways [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-86" title="risk-wifi" src="http://www.security4wireless.com/wp-content/uploads/risk-wifi.jpg" alt="" width="167" height="163" /> The adoption of wireless devices continues to grow as they become more affordable. The rapid spread of wireless technologies among both business and personal systems has improved interoperability and accessibility. However, this very ubiquity has also led to an increase in the number of threats to computer networks. Wireless technologies have given attackers new ways to steal sensitive information, tamper with business processes, and subvert network security enforcement mechanisms. As new threats and attacks are found against wireless networks, they are addressed with changes and additions to the protocols and standards. This book will introduce the basic concepts underlying the evolution of wireless security: the threats, the exploits, and the remediation strategies.</p>
<p><span id="more-85"></span></p>
<p><strong>Data Interception</strong></p>
<p>One attack that must be considered when using wireless technology is the threat of data interception. In data interception, one of the key benefits of wireless technologies also leads to one of its greatest weaknesses. Because radio transmissions are broadcast through the air to target devices, any system properly configured within the radio broadcast range can also receive the wireless messages. Thus, devices that should not be on the wireless network can receive the transmissions. The extension of the network by wireless technologies has also increased the attack surface available to malicious users; an adversary can become part of a network and interact with systems that were not designed to operate in a hostile environment.</p>
<p>A common activity used for wireless attacks is war driving. A malicious individual can drive around with a laptop and a wireless receiver listening to the radio traffic being broadcast. Programs running on the laptop can be set up to automatically analyze the data and attempt to break into the networks as they are found. In addition, many attackers also correlate the data with GPS information to create a map of wireless access points. Based on their location, attackers can later revisit these access points for further attack.</p>
<p><strong>Data Encryption</strong></p>
<p>The use of data obfuscation through cryptographic ciphers and algorithms has been around for a long time. The Atbash alphabet was used to obscure the names of various items in Hebrew writings, such as the Bible. The obfuscation method commonly used on Usenet, rot13, has its origins in the scytales that were believed to have been used by ancient Greeks, whereby they wrapped a strip of paper around a stick, wrote the message, and transported the strip of paper. Only someone with a stick of equivalent diameter would be able to read the message.</p>
<p>The need for encryption has carried through from ancient times. Modern computer networks also make heavy use of encryption technology. As wireless technologies continue to spread, the use of encryption and authentication schemes has become more important for many users. Privacy concerns, classified information, and trade secrets are transmitted over wireless technologies. An adversary who receives the data being transmitted over the wireless link will still have to crack the encryption before the data being protected can be read. Transmissions from hostile sources trying to spoof the identity of an authorized party still need to subvert or break the authentication mechanism before the data will be accepted.</p>
<p>There are problems and limitations in many of the current encryption deployments for wireless technologies, however. The initial encryption mechanism used by 802.11X protocols is known as Wired Equivalent Privacy (WEP). WEP has a serious design flaw that allows hostile entities to derive the encryption key and see all traffic with relative ease. Access control mechanisms that used the Media Access Control (MAC) address of networked devices no longer give IT professionals any guarantee a rogue device is within an easily identified physical area. Wireless address book synchronization capabilities in cellular phones and other portable devices allow address books to be stolen when implemented incorrectly, for example, Bluesnarfing for Bluetooth-enabled devices.</p>
<p>With advances in cryptanalysis, software for analyzing wireless network traffic and deriving encryption keys and passwords has become commonplace. Assigning a complex encryption key for WEP still allows an attacker to find out what the key is within a matter of minutes using software such as aircrack and WepLab. Using stronger encryption algorithms with weak keys leaves networks vulnerable to dictionary attacks that use lists of words and permutations to try and guess encryption keys. Both aircrack and WepLab support this mode of operation as well.</p>
<p><strong>Input Hijacking</strong></p>
<p>Attackers can do more than just steal data being transmitted over wireless links. Many devices and software services accept input from the user to take action. This command channel can be hijacked, allowing the attacker to interact with sensitive applications they should not have access to.</p>
<p>Using a wireless input device such as a keyboard can allow passwords and credit card information to be intercepted. Hijacking the connection and taking control of the input may be possible as well, allowing the attacker to input arbitrary data, change passwords on online bank account interfaces, purchase a thousand bags of composting material to be delivered to your door, or send letters of resignation to your employer.</p>
<p>Popular wireless keyboard receivers can pick up transmissions from a different keyboard. If the communications travel over radio links instead of infrared, an attacker can sit down nearby and associate with the receiver using the same make and model of keyboard. In many cases, hijacking the mouse can be done through the same receiver as well.</p>
<p>To use such devices safely, you must gain a basic understanding of radio emission characteristics in order to assess the risk of using them for sensitive data. Chapter 2 will cover the nature of radio emissions to allow you to evaluate the risks of data interception and command channel hijacks in more detail.</p>
<p><strong>Business Impacts of Wireless Threats</strong></p>
<p>There are many consequences of having the network security of a business compromised. Payroll and benefits data may be exposed; trade secrets can end up in the hands of competitors; data theft disclosure laws such as the California Security Breach Information Act (CA1386) can force a company to notify customers their private data have been stolen; and access to business-critical services from third-party vendors may be suspended until problems have been remediated to their satisfaction.</p>
<p>Preventing these problems holds a high priority for IT administrators. Various precautions and security measures implemented at network gateways such as firewalls, creation of bastion hosts, VPN tunnels, and host hardening have been used to mitigate the risks of data theft and network intrusion. However, all of the effort put into securing a network can be rendered moot by the careless installation of a single wireless access point. By enabling wireless devices to connect to the internal network within an office, attackers can enter the range of radio transmissions and join the internal network without having to circumvent the access control mechanisms already in place at the network perimeter and the physical access control systems as well.</p>
<p>The traffic and security monitoring system present at the wired network perimeter will not log attacks carried out from a rogue system already within the trusted network. Deployment of security-critical patches and host hardening activity are often lagging within a trusted network in comparison to the network perimeter.</p>
<p><img class="alignright size-full wp-image-87" title="aut01" src="http://www.security4wireless.com/wp-content/uploads/aut01.jpg" alt="" width="179" height="38" /></p>
]]></content:encoded>
			<wfw:commentRss>http://www.security4wireless.com/the-risks-of-wireless-technology/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Wired Equivalent Privacy (WEP)</title>
		<link>http://www.security4wireless.com/wired-equivalent-privacy-wep/</link>
		<comments>http://www.security4wireless.com/wired-equivalent-privacy-wep/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 19:22:58 +0000</pubDate>
		<dc:creator>Security4wireless</dc:creator>
				<category><![CDATA[Secure wifi]]></category>
		<category><![CDATA[802.11 wep]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[pirelli router wifi key default]]></category>
		<category><![CDATA[pirelli router wifi key default generation]]></category>
		<category><![CDATA[WEP]]></category>
		<category><![CDATA[wep session key]]></category>
		<category><![CDATA[wep – wired equivalent privacy]]></category>
		<category><![CDATA[wireless encryption]]></category>
		<category><![CDATA[WPA]]></category>
		<category><![CDATA[wpe session wireless]]></category>

		<guid isPermaLink="false">http://www.security4wireless.com/?p=68</guid>
		<description><![CDATA[WEP (Wired Equivalent Privacy) is a deprecated algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks. WEP was proposed to give confidentiality comparable to that of a classic wired network. To address the confidentiality issues of trade wireless networks, the 802.11 [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-69" title="wep" src="http://www.security4wireless.com/wp-content/uploads/wep.jpg" alt="WEP" width="167" height="167" /> WEP (Wired Equivalent Privacy) is a deprecated algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks. WEP was proposed to give confidentiality comparable to that of a classic wired network.</p>
<p>To address the confidentiality issues of wireless networks, the 802.11 standard includes a simple mechanism for encrypting data: Wired Equivalent Privacy.</p>
<p><span id="more-68"></span></p>
<p>However, several serious vulnerabilities were identified by cryptologists. WEP is sometimes nicknamed the Weak Encryption Protocol. WEP was superseded by WPA in 2003 and by WPA2 in 2004 (WPA2 is the version of the IEEE 802.11i standard certified by the Wi-Fi Alliance).</p>
<p>WEP encrypts 802.11 frames using the RC4 symmetric algorithm with a key length of 64 bits or 128 bits. The principle of WEP is to first define a secret key of 40 or 128 bits. This secret key must be configured on the access point and on the clients. The key is used to generate a pseudo-random sequence whose length equals the length of the frame. Each transmission of data is then encrypted by using this pseudo-random sequence as a mask: the sequence is combined with the frame using an exclusive OR (XOR).</p>
<p>The session key shared by all stations is static, which means that deploying a large number of wireless stations requires configuring them all with the same session key. Knowledge of the key is therefore sufficient to decrypt communications.</p>
<p>In addition, 24 bits of the key are used only for initialization, which means that only 40 bits of a 64-bit key are actually used to encrypt, and only 104 bits of a 128-bit key.</p>
<p>With a 40-bit key, a brute-force attack (trying all possible keys) can quickly lead an attacker to the session key. In addition, a flaw found by Fluhrer, Mantin and Shamir in the generation of the pseudo-random stream makes it possible to discover the session key by collecting 100 MB to 1 GB of intentionally generated traffic.</p>
<p>WEP is not sufficient to ensure real privacy. However, it is strongly advised to implement at least 128-bit WEP protection to ensure a minimum level of confidentiality and in this way avoid 90% of the risk of intrusion.</p>
<p>To get a higher level of security you should use WPA or WPA2. Encrypted tunneling protocols can provide secure data transmission over an insecure network, but replacements for WEP have been developed to restore security to the Wi-Fi network itself.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.security4wireless.com/wired-equivalent-privacy-wep/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

