Risky Business: Understanding WiFi threats

In this first part of a four-part series, Lisa Phifer of Core Competence Inc. describes wireless attacks, such as man-in-the-middle attacks, that can cripple wireless LANs. Then she explains how to create a wireless security policy that can thwart these threats.

Wireless Security Lunchtime Learning:


Carolyn Gibney: Hello, and welcome to today's SearchSecurity.com wireless
lunchtime learning video presentation, Risky Business: Understanding Wi-Fi
Threats, with special guest speaker Lisa Phifer. My name is Carolyn Gibney
and I'll be your host. The goal of SearchSecurity.com's wireless lunchtime
learning security school is to equip you with strategies and tactics for
defending your organization's wireless LAN, in a format that fits your
busy schedule. Today's presentation focuses on Wi-Fi threats, including
common attacks and vulnerabilities specific to wireless networks, weak
points on the wireless network, and how to assess business-related risks.
Our expert speaker, Lisa Phifer, has been involved in the design,
implementation, and evaluation of data communications, internetworking,
security, and network management products for over 25 years. Lisa owns
Core Competence Inc., a consulting firm specializing in network security
and management technology, and teaches about wireless LANs, mobile
security, and virtual private networking at many industry conferences and
online webinars. Thank you for joining us today, Lisa.

Lisa Phifer: Thanks Carolyn.

Carolyn Gibney: As a reminder, you can see all the tips and videos in our
wireless lunchtime learning security school at any time by navigating to
SearchSecurity.com/wirelesslunchtimelearning. Now we're ready for your
presentation, Lisa. Take it away.

Lisa Phifer: Great. Over the last 10 years, 802.11 wireless LANs have really
reshaped the network landscape, by extending connectivity into hard-to-wire
areas, and by fostering a huge explosion in workforce mobility. Today
wireless LANs have really matured, and 802.11n is fast replacing Ethernet
as the network access method of choice. Along this road, there have been
some stumbling blocks, from changing architectures, and concerns over
stability, to interference problems, and management tools. But no other
challenge has been as pervasive, or as persistent, as security. Significant
improvements have been made in wireless LAN security since 802.11 first
emerged back in 1999. Contemporary Wi-Fi products do include security
measures that can mitigate business risks and comply with privacy mandates.
Nonetheless, as this latest state-of-the-market report illustrates,
security remains a top concern. In today's webcast we'll be exploring just
what makes wireless LANs vulnerable. By understanding how Wi-Fi works, and
where its weaknesses lie, you'll be equipped to assess your risk, and
defend your network from misuse and attack.

In many respects, 802.11 is just another local area network technology.
Like 802.3 Ethernet, 802.11 Wi-Fi delivers workgroup access to a shared
medium, and, just like Ethernet, wireless LANs are vulnerable to upper
layer threats. For example, phishing messages and mass-mailing worms can
be carried by e-mail that's sent over wired or wireless. Spambots and
Trojan downloaders can load their malicious callback channels just as
easily over wired or wireless. So we really can't forget about network,
transport, and application threats when we actually want to build a secure
wireless LAN.

What I'm going to focus on in our lunchtime learning series is where
wired and wireless really differ, at the data link and physical layers.
Wired Ethernet LANs have long relied on locked offices, wiring closets, and
copper or fiber to actually deter unauthorized access. Of course, those
physical barriers don't actually apply to wireless. Messages carried by
radio waves pass through the air that surrounds us. Doors, floors, and
bodies that are encountered along the way actually do attenuate those radio
waves, which reduces signal strength, but those obstacles don't prevent
wireless from reaching nearby lobbies and parking lots. Our inability to
effectively contain radio is what makes wireless LANs vulnerable to a
different set of attacks designed to exploit these new physical and data
link vectors. You can defend a wireless LAN more effectively if you know
just a little bit about how Wi-Fi devices connect, disconnect, and send
data. Any device that speaks 802.11 is called a station. Today, that
includes every laptop, devices like iPhones, along with many Windows Mobile
smartphones, and voice over IP handsets. Even stationary devices, like
printers and media servers, can now be 802.11 stations. No matter what
their purpose, all 802.11 stations can actually operate in two ways: ad
hoc mode, where peers connect directly to each other, or infrastructure
mode, where stations connect to a wireless access point in order to reach
some other network. We'll focus on the infrastructure mode that is used by
most businesses.

To deploy a wireless LAN, companies install as many access points as it
takes to cover an entire floor, building, or even campus. So that those
access points can work together as one big wireless network, they're all
configured with the same network name. That's called an extended service
set identifier, or SSID. Suppose that your iPhone wants to connect to a
wireless LAN. It starts by scanning all channels, listening for beacons
that access points send to advertise themselves. Your iPhone may also send
probes, and it listens for access point responses. It then compares all
those beacons and probe responses to the desired SSID that it is looking
for, in order to select the best available access point. Finally, your
iPhone will send an authenticate and an associate request to that access

Today, most access points are configured to accept every compatible
station's request. That establishes a data link connection called an
association. Notice that I breezed right over that authenticate request,
and that's because very few wireless networks use that option, which was
defined by the original 802.11 standard. Instead, most wireless networks
that want to permit or deny stations actually use authentication after the
association is established. That occurs with one of two handshake options
certified by the Wi-Fi Alliance in the Wi-Fi Protected Access, WPA, test
program. When using the personal option, the access point and station
complete a handshake that proves they both know a secret passphrase, called
a pre-shared key. When using the enterprise option, the access point and
station complete a much lengthier exchange defined by 802.1X. This port
access control standard lets the RADIUS server decide whether to grant
access, based on an authenticated user identity. These two authentication
options can be used with both protected access versions 1 and 2.

In either case, the station that associates can't actually send any data
through the access point into another network until it completes the
handshake. Once the station is associated and optionally authenticated,
that station can send and receive wireless data. Logically, a wireless
station has achieved a state that is similar to when you plug a wired
station into an Ethernet switch. Like Ethernet stations, 802.11 stations
have a media access control, or MAC, address. Like Ethernet, 802.11 data
frames carry part or all of an IP packet. However, because 802.11 data
frames are sent over the air, instead of a CAT5 or a CAT6 cable, they need
to be cryptographically protected to stop eavesdropping. It's up to the
access point to decide whether to require protection on a given wireless
network, and if so, which standard method actually must be used to protect
all data frames. Today, there are three 802.11 encryption standards that
are widely implemented by products: the original Wired Equivalent Privacy,
or WEP, protocol; the Temporal Key Integrity Protocol, or TKIP, used by WPA
version 1; and the Advanced Encryption Standard CCM Protocol, or AES CCMP,
required by WPA version 2. As we'll see, many wireless vulnerabilities
actually depend on which of these three standard encryption protocols is
used.

You might not think much about what happens when a station disconnects,
but it turns out this step is a pretty crucial one for security. The 802.11
standard defines three different disconnect scenarios. First, a station
that moves from one coverage area to another within the same wireless LAN
can inform the access point by sending a re-associate frame. Second, a
station that wants to maintain its authenticated state during the lifetime,
and if it's an association, can void that state by sending a de-
authenticate frame. Finally, a station can be immediately disconnected
with a disassociate frame. Unlike data, the management frames that I just
discussed, that are used to disconnect, and also the ones that are used to
connect stations, are not cryptographically protected.

Many attacks have emerged to exploit this fact, and that prompted
development of a new standard called 802.11w. This new amendment, which
hasn't actually been ratified yet, will close the security loopholes for
management frames. Some vendors have already implemented pre-standard
variations, but businesses should really watch for products that support
the final 802.11w standard next year. Given this basic understanding of
802.11 protocols and how they're used, let's start to examine the
underlying vulnerabilities that attackers actually try to exploit when they
compromise a wireless network. Let's consider how well 802.11 protocols
meet typical business security requirements. For confidentiality, that's
keeping private data away from prying eyes and ears. For integrity, that's
preventing messages from being added, subtracted, or changed. For
availability, that's your need to reliably deliver wireless service to
those that deserve it. Access control, that's our ability to keep outsiders
out of our network. And authentication, which is our requirement to prove
users are who they claim to be, so that we can decide whether or not
they're really entitled to use our network.

Let's start with confidentiality. Wireless is inherently vulnerable to
eavesdropping. Anyone that is close enough can passively capture traffic,
using a wireless LAN analyzer, sometimes called a sniffer. What sensitive
information can be exposed in messages that are sent over wireless? First
of all, there's the header of every wireless frame. There are exposed
fields that simply can't be hidden, which include the source and
destination MAC address, and the local area network name, which I mentioned
is called the SSID. Next, there comes the IP payload that is carried by
data frames. When that data is not encrypted, information that can be seen
by sniffers includes things like IP addresses, TCP and UDP port numbers,
user names, clear text passwords, domain names, file share names, and of
course anything you actually send in your application message. If you run
a sniffer in most wireless hotspots, you'll quickly find that you can
capture e-mail messages, file attachments, and Web pages being surfed by
all the users surrounding you. That's what happens when data protection is
turned

What happens when data protection is turned on? Most businesses should
actually enable 802.11 protection using encryption to scramble data frame
payloads, so that captured packets are basically gibberish. The original
WEP protocol is the first method. It is cryptographically broken. Turning
on WEP does discourage casual eavesdropping, but it's relatively easy to
guess the WEP key, used by the RC4 cipher to scramble your data when you
turn WEP on. That broken method was replaced by TKIP in late 2002. For
compatibility with existing products, TKIP uses the exact same cipher, RC4,
but it does that without the protocol mistakes that actually made it
possible to crack WEP keys. Turning on TKIP will prevent eavesdropping, but
it does that at the expense of performance, and, as we'll see, TKIP has a
few vulnerabilities of its own. In 2004, the 802.11i standard instituted a
faster and much more robust encryption protocol called the advanced
encryption standard, or AES CCMP. Back then, only new products had the
horsepower to support AES, but today all Wi-Fi certified products include
this strong wireless data protection option.

All three of these protocols scramble your data that is sent over
wireless, using secret keys. Anyone who knows, or learns, the key can then
decrypt your data, so it's very important to start with a unique, hard to
guess key. Whenever you can eavesdrop, it's also easy to capture and replay
frames, with or without change. Preventing this is known as ensuring data
integrity. When 802.11 data protection is turned off, those data frames
can be replayed or forged. Turning WEP on doesn't actually change that.
However, turning on TKIP or AES CCMP does. Both TKIP and AES CCMP can
detect inserted, deleted, or modified data frames. Unfortunately, TKIP
reacts to a flurry of messages that fail those integrity checks by
suspending LAN service for one minute, and that makes it relatively easy
to trigger a short denial-of-service attack on a network using TKIP. More
recently, researchers learned to guess the key that's actually used to
protect short, predictable frames, like ARP frames, for example.

Thus, it's become possible to insert a very limited number of forged
messages into a wireless LAN that's using TKIP. Fortunately, AES CCMP can
resist all these data integrity attacks, but keep in mind that robust
protection applies only to data frames, not, currently, management frames.
All 802.11 management and control frames are vulnerable to replay or
forgery, including the messages that are used to probe, authenticate,
associate, disassociate, and de-authenticate users from wireless LANs.
802.11w will fix this, by letting receivers cryptographically detect
replays and also verify each frame's origin. In fact, denial of service is
one wireless threat that is still very hard to mitigate. That's because
802.11 networks are inherently vulnerable to RF interference, whether
malicious or accidental. Wireless LANs share unlicensed radio spectrum with
many other devices, including Bluetooth and cordless phones. Even microwave
ovens generate radio waves at the 2.4 GHz band frequencies used by some
802.11b, g, and n channels. Networks using 802.11a and 802.11n in the 5
GHz band are less likely to encounter that accidental interference,
primarily due to radar systems. However, most wireless LANs experience at
least some interference from neighboring businesses and metro area Wi-Fi
networks. As companies deploy new 802.11n networks, they often encounter
nearby legacy networks that prevent them from realizing the full
performance gain of 802.11n.

The only effective way to avoid competition for the physical medium is to
actually move your access point to an unoccupied or less crowded channel.
In the old days, access points were manually configured to use channels
that didn't overlap with those used by adjacent access points, but today
enterprise class products can automatically adjust their channel
assignments and power outputs to avoid or reduce interference. In fact,
for all products that operate in the 5 GHz, you need to E sub band,
you're actually required to implement something called dynamic frequency
selection, which is a standard method of automatically avoiding detected
interference. Moving up a layer, wireless LANs are also vulnerable to a
wide variety of data link DoS attacks. Forged de-authenticate floods
can be used to disconnect all stations and keep them disconnected. Random
associate frames can consume an access point's resources to stop legitimate
users from connecting. There are many badly formatted frames that can be
used to crash devices with known implementation flaws. There's even a new
attack, which uses a forged block acknowledgment message, found in 802.11n,
to disrupt video that's streamed over a new wireless network that uses
that protocol. Most of these DoS attacks are facilitated by either SSID
or MAC spoofing. Remember, those values can be easily observed in traffic
sent by legitimate devices. That makes it easy to include those spoofed
SSID or MAC values in traffic sent by attackers. The bottom line is: never
trust that any 802.11 frame you receive came from the stated SSID or source
MAC address. That's true even when encryption has been used to obscure the
frame payload.

If the only devices that could reach your network were actually located
inside your facility, then all service attacks would be a bit less
worrisome. But unfortunately, wireless attacks can be launched over quite a
distance. The Guinness world record for 802.11 is a whopping 279
kilometers. The photo on this slide shows the DEFCON Wi-Fi shootout
contest, where winners actually managed to receive un-amplified
transmissions over 125 miles of desert. Of course, these records were
achieved under pretty extreme conditions, using high gain antennas that
reach a lot further than ordinary office access points. In fact, businesses
can position their access points and use antennas to focus signal in an
entire direction, but doing so, while it includes performance, can reduce
signal leakage. However, it's very hard to completely stop transmissions
from bleeding into undesirable locations without also creating some
coverage gaps. At least one enterprise wireless vendor can generate 802.11
noise, by drowning out exterior leakage, for example, to actually stop
people who might be sniffing traffic from a nearby parking lot, but that
technique still won't prevent leakage between floors, or in semi-public
areas inside your building, like lobbies. Ultimately, what this means is,
you should never rely upon a weak signal to actually control network
access. Instead, you need to actually take steps to control network use.
What do I mean by that?

Access control lists can help us control network usage, but we've seen that
MAC addresses are not a reliable form of identification. Ideally, we want
to base our decision on something else, some kind of authenticated
identity. Most hotspots and guest networks operate in open system mode.
That's a mode where any station can connect to 802.11 without really being
required to authenticate. Many of those open networks are actually
applying some other kind of authentication at a higher layer, like a
captive portal. Most home networks use pre-shared key authentication. Doing
that gives you quick and easy control over who can use your network, but
it's important to realize that those pre-shared keys, or PSKs, are both
simple and limited. PSKs have the same vulnerabilities as any group
password. They can be shared with outsiders, they can be guessed, and if
anyone loses a laptop, you won't be able to tell whether your wireless LAN
is being used by friend or foe until you start using a new PSK on your
access point. The only 802.11 authentication alternative that can
effectively mitigate all of these vulnerabilities is 802.1X port access
control. We're going to be talking about 802.1X port access control in
detail in a future (recording skips)

For now, let me just summarize what 802.1X brings to the table. 802.1X
restricts upstream network access by demanding stations authenticate before
they can actually send or receive data through a wireless access point.
802.1X lets businesses apply RADIUS-based authentication, accounting, and
auditing to wireless connectivity, for example, to limit or report on use
based on a person's identity or affiliation. But 802.1X isn't the silver
bullet. It still can't stop attackers from transmitting 802.11 frames; it
only stops those frames from actually being forwarded through the access
point into the upstream network. Attackers can connect to your 802.11
access point but never even try to authenticate using 802.1X, and when they
do that, they can still hear frames that are sent and received by others.
In addition, 802.1X itself may be attacked, depending on the type of
extensible authentication protocol being used. For example, something
called Lightweight EAP, or LEAP, implements password authentication in a
way that's very vulnerable to dictionary attacks.

We'll be exploring this topic further in lesson three. For now, simply
understand that strong wireless authentication is possible, but certainly
not a given in every wireless network. So far, we've focused on 802.11
protocols and their vulnerabilities, but securing the data link is not
enough. We must also secure the devices at either end of the link, the
Wi-Fi stations and access points. For example, if you adopt WPA2 enterprise,
but smartphone users save their 802.1X passwords, then your network could
still be vulnerable to unauthorized access from a lost or stolen device.
Relatively new devices, including access points, controllers, and voice
over IP handsets, frequently harbor un-patched security flaws, at least
initially. As Wi-Fi grows more ubiquitous, many consumer electronics are
being shipped with interfaces that go unused, and that means unsecured, for
example, printers that automatically offer ad hoc access.

Finally, wireless represents an opportunity to exploit many of those old
network vulnerabilities that we see in wired networks. For example,
attackers can try to poison ARP and DNS caches on wireless devices; access
points can be attacked through their management interfaces that accept
Telnet, SNMP, or web protocols; wireless stations, normally sitting on
trusted Ethernets, can accidentally expose file shares when someone uses
them on a public network, like a hotspot; and so on. Of course, these
vulnerabilities don't matter if attackers never try to exploit them. Most
new technologies follow predictable patterns, illustrated on this graph.
When a technology is first introduced, hackers study the protocol, probe
devices, and look for vulnerabilities. Experts then cobble together some
programs and scripts to try to exploit those vulnerabilities. Over time,
those tools tend to become more focused, more automated, and more readily
available. Eventually, attack tools get published as open source and
shareware programs that can be run by almost anyone. So, where are we with
802.11 vulnerabilities? 802.11 is now a relatively mature technology.

Over the past, maybe, seven years, wireless attack methods and tools have
followed along this path, reaching the point where many highly automated
exploits now exist. Wireless security auditor toolkits are even available
on bootable CDs and USB thumb drives, for those so inclined to use them.
But research still continues; for example, fuzzing to find new 802.11n
product flaws is now underway. Fortunately, these mature attack methods and
tools also mean that we've had a very long time to study vulnerabilities
and exploits, and we've learned quite a lot about how to implement
countermeasures. That said, you can't eliminate all vulnerabilities, and
even if you could, you would probably waste money by defeating some low
probability, low impact attack. Network security is always going to be a
game of balancing acceptable risk with the effort that you put into
mitigating vulnerabilities. To achieve balance, you want to assess your
business risk, and then take action to deter the most important, the most
damaging, and the most frequent attacks. There is no one-size-fits-all
security solution for wireless, because what's important to your business
may not be important to everyone. However, as a rule of thumb, wherever
802.11 security is a concern today, maximize your use of WPA2. Doing so
puts you on par with Ethernet, by overcoming most of the vulnerabilities
that are uniquely inherent to wireless.

Realistically, securing your wireless network will be an ongoing process.
If you start by eliminating the biggest security loopholes, attackers are
going to look for easier targets. As the old story goes, you don't have to
outrun the bear that's chasing you, just try to outrun the guy behind you.
Contemporary wireless LANs can be made secure for most business uses.
There may always be selected venues and applications that can't risk using
wireless. Our goal here is to educate you about wireless threats, so that
you can design and deploy a network that really satisfies your own risk
tolerance. To learn more, I recommend checking out our companion tips, and
also tune in to our next webcast, where I compare built-in and
complementary security measures that can be used to defeat some of the
threats we talked about today.

Carolyn Gibney: Great presentation, Lisa, thank you. This brings us to the
end of today's video presentation. Once again, we'd like to thank Lisa
Phifer, of Core Competence, for joining us. For more information on
threats, read Lisa's exclusive companion tips on creating vulnerability
assessment checklists, rogue hunting, and wireless attacks from A to Z.
Those tips and all of the great learning material are available in our
wireless lunchtime learning security school, by navigating to
SearchSecurity.com/wirelesslunchtimelearning. A final thanks to all our
listeners joining us today. I'm Carolyn Gibney. Have a great day.