8.5.2 Wireless Attack

Wireless Attacks

Overview of Wireless Attacks

  • Wireless networks pose unique security challenges, making them vulnerable to various types of attacks.
    • Improperly configured wireless networks can lead to significant security risks.
  • This section reviews multiple attack types, including denial-of-service, replay attacks, jamming, and rogue access points.

Wireless Denial-of-Service (DoS) Attacks

  • Description:
    • A wireless DoS attack prevents clients from connecting to legitimate access points.
    • Disruption may also result from interference from other radio sources; this interference can be unintentional or can be caused by an attacker deliberately jamming the network.
  • Mechanism:
    • Attackers can set up a rogue access point (AP) with a stronger signal to jam legitimate networks.
    • DoS can also target clients through the exploitation of management frame traffic, which is unencrypted.
    • A common type of disassociation attack involves injecting management frames that spoof the MAC address of a single legitimate AP.

Wireless Replay and Key Recovery Attacks

  • Wi-Fi Authentication Vulnerabilities:
    • Wireless authentication is at risk from replay attacks capturing hashes when a client associates with an AP.
    • Captured hashes may face offline brute-force and dictionary attacks.
  • KRACK Attack:
    • KRACK (Key Reinstallation Attack) exploits the WPA and WPA2 4-way handshake.
    • Effective regardless of whether the authentication mechanism is personal or enterprise.
    • It is crucial that both clients and access points remain fully patched against such attacks.

Evil Twin Attack

  • Description:
    • A rogue AP mimics a legitimate network, creating an evil twin scenario.
    • The attacker sends a disassociation notification to a victim station, disconnecting it from the legitimate network.
    • Upon reconnection, users may inadvertently connect to the attacker's rogue AP.
  • Mitigation:
    • Conduct radio frequency (RF) noise analysis to detect malicious rogue APs employing jamming techniques.

Initialization Vector (IV) Attack

  • Details on WEP Security:
    • WEP (Wired Equivalent Privacy) uses 24-bit IVs and a 40-bit key, allowing approximately 16 million IVs.
    • Malware can flood the network with packets to quickly find matching (reused) IVs.
  • Attacker Impact:
    • WEP encryption can be cracked in 1-2 minutes due to IV reuse and vulnerabilities.
  • Seed Value Definition:
    • An IV serves as a seed value for the encryption process: combined with the key, it determines the per-packet key that is used.
  • Recommendation:
    • Avoid using WEP; switch to newer standards like WPA2 and WPA3, which do not utilize IVs in their encryption processes.
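
The "approximately 16 million IVs" figure above is what makes IV reuse fast: with only 2^24 values, the birthday bound puts a 50% chance of a repeated IV (and therefore a repeated keystream) at a few thousand frames, not millions. The following is an added worked example, not code from the original page; it computes the exact collision probability for a given frame count and the approximate frame count needed to reach a target probability. The IV space size is the page's 24-bit figure; the frame counts fed to it are constructed for illustration.

```python
import math

WEP_IV_BITS = 24
IV_SPACE = 1 << WEP_IV_BITS   # 16,777,216 possible IVs, as noted above


def iv_collision_probability(frames, iv_space=IV_SPACE):
    """Probability that at least two of `frames` independently chosen IVs are
    equal (the birthday bound). Evaluates 1 - prod_{i<frames}(1 - i/N) exactly,
    summing logarithms so the product does not underflow for large counts."""
    if frames <= 1:
        return 0.0
    if frames > iv_space:
        return 1.0   # pigeonhole: more frames than IVs guarantees a repeat
    log_p_distinct = sum(math.log1p(-i / iv_space) for i in range(1, frames))
    return 1.0 - math.exp(log_p_distinct)


def frames_for_collision_probability(p, iv_space=IV_SPACE):
    """Approximate number of frames after which the IV-collision probability
    reaches p, from the birthday approximation n ~ sqrt(2 N ln(1/(1-p)))."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))


if __name__ == "__main__":
    # Constructed frame counts chosen to show how quickly the curve saturates.
    for n in (1000, 5000, 20000, 100000):
        print(f"{n:>7} frames: P(IV reused) = {iv_collision_probability(n):.4f}")
    print("frames to 50% reuse probability:", frames_for_collision_probability(0.5))
```

The calculation assumes IVs are chosen at random, which is the best case for the defender; a driver that uses a sequential counter repeats every IV after exactly 2^24 frames, and either way a busy network crosses these thresholds within minutes, which is the reasoning behind the "avoid WEP" recommendation.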

Jamming Attacks

  • Nature and Types:
    • Interference, whether legitimate (unintentional) or malicious, corrupts or destroys signals from APs.
    • Jamming attacks can employ varied techniques to disrupt Wi-Fi network communications.
  • Types of Jamming Signals:
    • Random Noise Jamming: Produces signals of varying amplitude and frequency. It is hard to recognize because users often mistake it for natural radio noise.
    • Spark Jamming: Delivers high-intensity RF signals in rapid bursts to legitimate networked devices; considered the most effective form.

Deauthentication and Disassociation Attacks

  • Mechanism of Attack:
    • Rogue APs can achieve deauthentication by exploiting unencrypted management packets used for device authentication in the 802.11 standard.
    • Attackers impersonate the legitimate AP and disconnect the device, enabling interception of the traffic that follows.
  • Rogue Access Point Definitions:
    • A rogue AP is unauthorized and can be installed with either malicious intent or accidentally. Masquerading rogue APs can be considered an evil twin.
    • Rogue access points can affect network integrity and security profoundly.
  • Execution of a Deauth Attack:
    • The attacker mimics the wireless router, forcing disconnections and intercepting the reconnection attempts in order to capture user credentials.
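
Because deauthentication and disassociation frames are unencrypted and unauthenticated management traffic, the detection opportunity on the defender's side is volume and pattern rather than content: a real AP releases one client at a time, while an injection attack produces a burst of frames spoofing the AP's own MAC, often to the broadcast address. The following is an added detection example, not code from the original page: a sliding-window counter over decoded management-frame records, of the kind a wireless IDS sensor would log. The frame records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

DEAUTH = "deauth"
DISASSOC = "disassoc"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    """One decoded 802.11 management frame as a wireless IDS sensor would log it."""
    ts: float      # capture time in seconds
    subtype: str   # "deauth", "disassoc", "beacon", ...
    src: str       # transmitter address, i.e. the BSSID the frame claims to come from
    dst: str       # receiver address (a client MAC or the broadcast address)
    reason: int    # 802.11 reason code carried by deauth/disassoc frames


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Flag each claimed source BSSID that sends >= threshold deauth/disassoc
    frames within any sliding window of window_s seconds.

    Returns a sorted list of (bssid, window_start_ts, peak_count). Because the
    attacker spoofs the AP's MAC, the alert names the legitimate BSSID: the
    finding is "someone is impersonating this AP", not "this AP misbehaves".
    """
    recent = defaultdict(deque)   # bssid -> timestamps inside the current window
    peaks = {}                    # bssid -> (window start, highest count seen)
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            prev = peaks.get(f.src)
            if prev is None or len(q) > prev[1]:
                peaks[f.src] = (q[0], len(q))
    return sorted((b, start, n) for b, (start, n) in peaks.items())


# Constructed sample, not a real capture. MAC addresses are placeholders.
LEGIT_AP = "aa:bb:cc:00:00:01"
BACKGROUND_FRAMES = [
    # The real AP releasing two idle clients ten seconds apart (reason 4: inactivity).
    MgmtFrame(0.5, DEAUTH, LEGIT_AP, "11:22:33:44:55:01", 4),
    MgmtFrame(9.7, DEAUTH, LEGIT_AP, "11:22:33:44:55:02", 4),
    # Beacons from a second AP; the detector must ignore them.
    *[MgmtFrame(float(t), "beacon", "aa:bb:cc:00:00:02", BROADCAST, 0) for t in range(10)],
]
# 40 broadcast deauth frames in 0.4 s, all spoofing the legitimate AP's MAC.
FLOOD_FRAMES = [
    MgmtFrame(5.0 + i * 0.01, DEAUTH, LEGIT_AP, BROADCAST, 7) for i in range(40)
]


if __name__ == "__main__":
    print("quiet network:", detect_deauth_flood(BACKGROUND_FRAMES))
    for bssid, start, n in detect_deauth_flood(BACKGROUND_FRAMES + FLOOD_FRAMES):
        print(f"ALERT: {n} deauth/disassoc frames claiming {bssid} within 1 s from t={start:.2f}")
```

The threshold and window are tuning knobs: a campus controller that load-balances clients legitimately emits more of these frames than a single home AP, so baseline the normal rate before alerting. Detection does not stop the disconnections; the mitigation is Protected Management Frames (802.11w), which makes spoofed deauth frames fail integrity checks at the client.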

Comparison of Wi-Fi Networks

  • Operational Behavior:
    • In the example, two Wi-Fi networks broadcasting the same SSID "Struct-Guest" showed different MAC addresses (BSSIDs) and signal strengths, illustrating the vulnerability inherent in networks that share an identifier a rogue AP can copy.
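
The two "Struct-Guest" entries above are exactly what an evil twin looks like in a site survey: the SSID is trivially copied, but the BSSID, its vendor prefix, the security setting and the signal strength are not under the legitimate operator's control and so give the rogue away. This added example (not code from the original page; it serves both this comparison and the Evil Twin section above) checks a beacon inventory against a list of authorized BSSIDs and reports why each unknown radio advertising one of our SSIDs is suspicious. The survey data, MAC addresses and authorized list are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One network as reported by a site survey or WIDS sensor."""
    ssid: str
    bssid: str       # the AP radio's MAC address
    channel: int
    security: str    # "OPEN", "WPA2-PSK", "WPA2-Enterprise", ...
    rssi_dbm: int    # received signal strength; closer to 0 is stronger


def oui(bssid):
    """First three octets of a MAC address: the vendor identifier (OUI)."""
    return bssid.lower()[:8]


def find_evil_twins(beacons, authorized_bssids):
    """For every SSID we own, report beacons whose BSSID is not in the
    authorized inventory, with the reasons that make each one suspicious.

    Reasons beyond the unknown BSSID: a vendor OUI different from the
    authorized APs, a different security setting (a twin that is OPEN where
    the real network is encrypted), and a stronger signal than any authorized
    AP, which is what a nearby rogue radio competing for associations looks like.
    """
    authorized = {b.lower() for b in authorized_bssids}
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)

    findings = []
    for ssid, seen in by_ssid.items():
        legit = [b for b in seen if b.bssid.lower() in authorized]
        if not legit:
            continue  # somebody else's SSID; not ours to police
        legit_ouis = {oui(b.bssid) for b in legit}
        legit_security = {b.security for b in legit}
        strongest_legit = max(b.rssi_dbm for b in legit)
        for b in seen:
            if b.bssid.lower() in authorized:
                continue
            reasons = ["BSSID not in authorized inventory"]
            if oui(b.bssid) not in legit_ouis:
                reasons.append("vendor OUI differs from authorized APs")
            if b.security not in legit_security:
                reasons.append(f"security differs ({b.security})")
            if b.rssi_dbm > strongest_legit:
                reasons.append("stronger signal than any authorized AP")
            findings.append((ssid, b.bssid, reasons))
    return findings


# Constructed survey, not real data; MAC addresses are placeholders.
AUTHORIZED_BSSIDS = {"0a:1b:2c:10:20:30", "0a:1b:2c:10:20:31", "0a:1b:2c:10:20:32"}
SAMPLE_BEACONS = [
    Beacon("Struct-Guest", "0a:1b:2c:10:20:30", 6, "WPA2-PSK", -61),
    Beacon("Struct-Guest", "0a:1b:2c:10:20:31", 11, "WPA2-PSK", -70),
    # Same SSID, different MAC, no encryption, much stronger signal: the twin.
    Beacon("Struct-Guest", "02:9f:33:aa:bb:cc", 6, "OPEN", -42),
    Beacon("Struct-Corp", "0a:1b:2c:10:20:32", 36, "WPA2-Enterprise", -65),
    Beacon("NeighborCafe", "7e:55:44:00:11:22", 1, "WPA2-PSK", -80),
]


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(SAMPLE_BEACONS, AUTHORIZED_BSSIDS):
        print(f"suspect twin of '{ssid}': {bssid}: {'; '.join(reasons)}")
```

An authorized-BSSID inventory is the anchor of this check; without it the most the survey can say is "two radios share an SSID", which is also what a legitimate multi-AP deployment looks like. The RF noise analysis recommended in the Evil Twin section complements this: a twin that also jams the real AP shows up there even when it copies the security setting.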

Bluetooth Attacks

  • Bluetooth General Information:
    • Operates in the 2.4 GHz range and uses adaptive frequency hopping (AFH).
    • Devices communicate within a personal area network (PAN).
  • Common Bluetooth Attacks:
    • Bluejacking: Sending unsolicited messages to nearby Bluetooth devices in discovery mode; primarily a nuisance rather than an invasive attack.
    • Bluesnarfing: This attack exploits vulnerabilities within the OBEX protocol, permitting an attacker to read data from the target device post-pairing.

RFID and NFC Attacks

  • RFID Attack Types:
    • Eavesdropping: Using RFID readers to listen to conversations between a tag and a reader.
    • Man-in-the-Middle (MITM): Intercepting an RFID tag signal to manipulate data; often used to breach systems.
    • Denial-of-Service (DoS): Interfering with radio signals causing reading disruptions.
    • Cloning and Spoofing: Crafting a duplicate tag to gain unauthorized access into secure systems.
  • NFC Vulnerabilities:
    • Data can be captured through relay attacks, in which a malicious party impersonates a device and relays the exchange.
    • Security measures in NFC systems can limit these vulnerabilities.
  • Risk Mitigation Tactics:
    • Keep Bluetooth active only when necessary; avoid discovery mode during non-use to curb unauthorized access.
    • Use RFID technology with advanced modulation schemes operating at distinct frequencies to thwart data interception attempts.