Wi-Fi Technology: Wireless Fidelity - Essay Example

Wi-Fi Technology: Wireless Fidelity Introduction: Wi-Fi stands for Wireless Fidelity. It was originally designed to allow network elements to roam in warehouses and manufacturing facilities without getting out of reach of the connected network and without being subjected to cumbersomeness of wired network elements. Wireless LANs or WLANS are used all over the world now as an alternative to wired LANs or an extension to them (Nepalese Technology Navigator). The Wireless Networks cost less than the wired connections where cables are required to connect every other computer. This results in increased cost and decreased flexibility. To address these issues, wireless LANs were introduced. WLANs were able to achieve what they were intended to – immense popularity due to their less cost and the amount of flexibility they offer (Kerner, 2012). For this reason, WLANs are being installed even when the network is comprised only of non-roaming desktops. Examples of additional applications where the decision to deploy WLANs results in large cost savings include: • Additions, moves, and changes within an organization • Installation of temporary networks • Installation of hard-to-wire locations • Elimination of costly leased lines WLANs also found their places in homes where setting up a home network became quite easy as there were lesser things to setup than a traditional wired network. WLANs are standardized under the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (Prendergast, 2004). Wi-Fi is fairly easy to setup for home networks and offices networks. This easiness also allowed the hackers and malicious users to compromise the security of wireless networks. Wireless Networks use certain security measure to encrypt their communications data. These measures include (Prendergast, 2004): Disabling the network SSID broadcast. Wired Equivalent Privacy (WEP) Encryption. Wi-Fi Protected Access (WPA) Encryption. Wi-Fi Protected Access (WPA 2) Encryption. Wi-Fi Protected Setup (WPS). In spite of these measures, cracking the key and exploiting weaknesses has been relatively easy. However, our focus in this paper would be upon the exploitation of WPS and how it can be easily compromised using brute-force attacks and other kinds of attacks. Wireless LANs or Wi-Fi and their Security: In theory, wireless networks are more prone to attacks and are less secure than the wired networks because all the communications is travelling over the air. A concept of wardriving exists, where people can roam around with their wireless devices (smartphones, laptops, tablets) and connect to any unsecured network. Wirless security is a big concern of most of the network engineers and analysts, and since the failure of WEP (after it was found to be exploited), the concerns have been raised much higher (District Administration, 2006). It is a fact that WLANs were, are and most of the times, will remain unsecured way of communications as compared to Wired LANs. Ways to Infiltrate a Network Wirelessly: There are not but many ways to attack and infiltrate a network wirelessly. Criminals generally take a layered approach to infiltrating a wireless network, starting from the outside and working their way in. To that end securing a wireless network requires a seamless layered approach. A white paper (Motorola Corporation, 2009) released by Motorola Corporation elaborates the tricks of Network Attacks in details as follows: Concealing true identity as a hotspot: This type of attack is usually aimed at the travellers who are usually on the go and utilize Wi-Fi hotspots to connect with their office which is usually located at a different location usually hundreds of miles away. Hackers will bait the business traveller to connect to a different hotspot, but with the same name. In this way, hackers are actually tricking the victim to connect to the Wi-Fi hotspot which is actually setup by the hacker with malicious intentions. Tools for creating such fake Wi-Fi Hotspots are very easily available over the internet, free of cost or for some nominal price. Hackers actually aim this technique to steal important information which is being transmitted from the victim to the corporate enterprise. Companies should beware of such attacks and utilize VPN (Virtual Private Network) which actually forms a private network within the hotspot to allow safe transmission of data and important information (Motorola Corporation, 2009). War driving: This type of attack can be classified as a simple surveillance technique in which hackers usually sniff out unprotected and insecure wireless networks. As wireless signals are not bound to the buildings of an office or enterprise network, it is usually very easy for the hackers to sniff out unsecure networks and intercept the communications which are going on. This technique is termed as “War Driving”. Such communications are of crucial importance as they contain important information about the company i.e. credit card numbers, account information, passwords etc (Motorola Corporation, 2009). Rogue agents and smuggling game: This is one sharp and dirty technique which can even compromise a highly secured network. Hackers are known for their shrewdness and cunning ability to find a loophole in the network, one way or another. Same is the case with this. Although a network may seem secure and will be installed with highly secure network schemes but there is a technique which involves installing a rogue (unprotected) access point. Rogue access points are installed into a seemingly secure network with malicious intentions or by an unaware employee or contractor. The easy installation mechanisms and the plug & play nature of the devices allow very easy installation of such devices. The devices when connected to the network provide an open access point to the hacker as they are not secured by any security mechanism. Therefore these access points are in fact the open points in a network through which the hacker can penetrate and compromise a network. After the rogue is in place, it is as easy for a hacker to access it as accessing an Ethernet port. Once inside the network, the hacker can access any information ranging from desktop computers to Wi-Fi enabled hand-held devices. A hacker might also block all the access to the network through that access point (except the hacker itself). This will cost the downing of the network and also the cost recovering lost information by the company (Motorola Corporation, 2009). Lower Security of Layer 2: The computer network is not just a collection of routers, switches and computers. Well, physically it is, but behind this jungle, a network is being operated in layers. The user is only able to view the last layer which is called “Application Layer”. Application layer is only software based. Starting from Application Layer, these layers are: Application Layer Presentation Layer Session Layer Transport Layer Network Layer Datalink Layer Physical Layer. The problem which arises here is the fact that virtually all of the firewalls block the unwanted and unauthorized access at layer 3. Most of the WLAN activity happens at Layer 2. Therefore, firewalls are not able to capture it when a network is compromised (Motorola Corporation, 2009). The Old School Robbery: Not every hacker or attacker is a geeky computer enthusiast hidden behind a laptop. Inside jobs are also a great deal of threat to the enterprises and offices. The physical theft or robbery of portable computers (Laptops, Tablets) and handheld devices (smartphones) are all too common nowadays. Such kinds of attacks are also the most difficult to stop as the life of the victim is usually at risk, and an enterprise cannot afford to provide private bodyguards to every single one of their employees. Social engineering: This is probably the shrewdest kind of attack a hacker can launch at its target. For this attack to be successful, the hacker must have a very deep insight of the human psychology and human behaviours online. This term was popularized by the notorious hacker Kevin Mitnick, “social engineering” actually refers to the act of tricking the victim to divulge and give up important information such as passwords, credit card information or encryption keys etc. Although this sounds difficult, it is the easiest and most widely used technique of attacking a network and successfully compromising it. Network can be easily compromised if the victim is under the impression that the attacker is authorized personnel, and thus, the victim will provide just ANY information without doubting. This can cause the whole network to be compromised if the hacker is able to obtain the pre-shared key. Social Engineering is as versatile as it can be. It can range from simply peeking at the username/password field while it is being typed, or placing a fake call to an employee and asking for important information to creating a legit looking email or web-form which asks for your personal information or the confidential information about the company (phishing) (Motorola Corporation, 2009). Although such kinds of security risks are also present in the wired networks, they are a hundred fold more easily when implemented over the wireless networks. Wireless networks are subjected to an increased number of attacks as anyone can attack the network with a portable device and the right tools (Tech, 2011). The portability also allows the tracking of the attacker to be near impossible as the hacker can be on the move while attempting to infiltrate a network. The stakes are only raised higher if the job is being done by someone from the inside, which can allow the complete anonymity of the attacker as well (Halfacree, 2012). What is WPS and what are its flaws? WPS or Wi-Fi Protected Setup is a protocol which allows easy establishment of connection between two devices over a wireless network. WPS was designed to be secure against a malicious access point (Kamisnksy, 2012). WPS has flaws which are openly available in the public domain. With free media and information sharing on the rise, the code to exploit the weaknesses in WPS is easily available and will always be available (WonderHowto, 2012). The biggest flaw in the Wi-Fi Protected Setup is the short length of the PIN which is used to maintain a secure connection between the 2 devices within the network. The PIN can be easily brute-forced within a matter of 2 hours due to some bad design choices. By brute forcing the router in this way, a secure connection can be established and the victim’s connection can easily be penetrated and explored further (WonderHowto, 2012). What is a Brute-Force Attack? Brute Force attack is a strategy which is used to crack a long password by trying all the possible combinations (Constantin, 2011). This attack is sure to break any kind of password eventually but it takes time and is usually dependent upon the length and complexity of password (Netgear, 2008). Brute Force attacks are the most usual form of attacks and usually they prove to be very successful as a casual user does not attempt to keep a password very lengthy or complex, usually because it is difficult to remember and inconvenient to enter (especially through smartphones) (Netgear, 2008). Due to this, the passwords which are used by casual users are fairly easy to be broken by brute-force attack and usually the victim is unaware that his/her password has been cracked by a single attack (hackosis.com, 2009). On 21st January, 2010, Imperva released a study after analyzing 32 million passwords and concluded that most of the passwords are simply dumb and easy to crack. The following pie-chart shows the password length and type distribution (Net Security, 2010): Brute-Force Attack and Wi-Fi Protected Setup: The Wi-Fi Protected Setup (WPS) PIN is an eight-digit random number which, under normal circumstances, will take over a 100 million attempts to be broken. But because of some bad design choices, it can be reduced to a mere 11,000 attempts, which can be achieved in less than 4 hours (depending upon the computing power of the attacking computer) (Roving Networks ). In further sections, we will look at the methodology and the design flaws which exist, which can allow malicious users to gain access to the Wi-Fi Protected Setup network (WonderHowto, 2012). Configuration options of the WPS: Wi-Fi Protected Setup is configured in the three following ways: Push-Button Connect: The user has to push a button, either an actual or virtual one, on both the Access Point and the new wireless client device (Viehböck, 2011). Internal Registrar: The user has to enter the PIN of the Wi-Fi adapter into the web interface of the access point. The PIN can either be printed on the label of the adapter or generated by software (Viehböck, 2011). External Registrar: The user has to enter the PIN of the access point into a form on the client device (Viehböck, 2011). 1st Design Vulnerability: Option Physical Address Web Interface PIN Push Button Connect X PIN – Internal Registrar X PIN – External Registrar X As the External Registrar option does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks. Authentication – Pin External Registrar: 2nd Design Vulnerability: A smart attacker can easily find out about the information of correctness of PIN from the parts of AP responses. If the attacker receives EAP-NECK after sending M4, the attacker can deduce that the first half of the PIN is incorrect. If the attacker receives EAP-NECK after sending M6, the attacker can deduce that the second half of the PIN is incorrect. This witty authentication can easily reduce the number of attempts from 10^8=100,000,000 to 10^4 + 10^4 = 20,000. And after finding out that 8th digit is actually the check-sum of the previous 7 digits of the PIN, at most there are not more than 10^3 + 10^4= 11,000 attempts to break the PIN, which can be achieved in less than 4 hours (Viehböck, 2011). Methodology of a Brute Force Attack: The following flowchart shows the optimized brute force attack which can usually be used to crack a Wi-Fi Protected Setup PIN and thus, into the network (Viehböck, 2011). An Implementation example of Brute-Force Attack: This brute force tool was written to prove the concept of brute forcing the WPS PIN. This code was implemented in Python and uses a Scapy library for generating, sending, receiving and decoding packets. This tool was tested on several routers made by different vendors. Following is the output of the tool (Viehböck, 2011). Output: (Viehböck, 2011) sniffer started trying 00000000 attempt took 0.95 seconds trying 00010009 attempt took 1.28 seconds trying 00020008 attempt took 1.03 seconds trying 18660005 attempt took 1.08 seconds trying 18670004 # found 1st half of PIN attempt took 1.09 seconds trying 18670011 attempt took 1.08 seconds trying 18670028 attempt took 1.17 seconds trying 18670035 attempt took 1.12 seconds trying 18674071 attempt took 1.15 seconds trying 18674088 attempt took 1.11 seconds trying 18674095 # found 2nd half of PIN E-S2: 0000 16 F6 82 CA A8 24 7E 98 85 4C BD A6 BE D9 14 50 .....$~..L.....P SSID: 0000 74 70 2D 74 65 73 74 tp-test MAC: 0000 F4 EC 38 CF AC 2C ..8.., Auth Type: 0000 00 20 . Encryption Type: 0000 00 08 .. Network Key: 0000 72 65 61 6C 6C 79 5F 72 65 61 6C 6C 79 5F 6C 6F really_really_lo 0010 6E 67 5F 77 70 61 5F 70 61 73 73 70 68 72 61 73 ng_wpa_passphras 0020 65 5F 67 6F 6F 64 5F 6C 75 63 6B 5F 63 72 61 63 e_good_luck_crac 0030 6B 69 6E 67 5F 74 68 69 73 5F 6F 6E 65 king_this_one Key Wrap Algorithm: 0000 76 3C 7A 87 0A 7D F7 E5 v Read More