Chap 8 - Wireless Technologies and Security
Wireless Technologies and Security
Agenda
Wireless Communications Overview
WiFi Attacks
WiFi De-Auth Attack Demo
Wireless Communications: An Overview
What is wireless communication?
Transmitting data between devices using air as a medium.
Wireless Technologies
Examples of Wireless Technologies:
Cellular
WiFi
Bluetooth
Near Field Communication (NFC)
Radio Frequency Identification (RFID)
Infrared (IR)
Wireless Frequency
Electromagnetic Waves:
In air, data is transmitted using electromagnetic waves.
Operational frequency measured in Hertz (cycles per second).
Example: 103.7 MHz (megahertz)
Wireless Spectrum
Definition:
Range of frequencies that various electromagnetic waves operate at for data and voice communication.
Regulation:
Defined by the Federal Communications Commission (FCC).
Frequency Range:
Spans from 9 kHz to 300 GHz.
Various frequency ranges are subdivided into channels.
Wireless Spectrum: Frequency Ranges and Technologies
| Technology | Frequency Range (band) |
|---|---|
| RFID (low frequency) | 125 kHz - 134.2 kHz |
| NFC | 13.56 MHz |
| Z-Wave | 90.842 MHz |
| Cellular | 824 MHz - 896 MHz |
| RFID | 858 MHz - 930 MHz |
| Cellular | 1850 MHz - 1990 MHz |
| Wi-Fi 802.11b/g/n | 2.4 GHz - 2.4835 GHz |
| ZigBee | 2.4 GHz - 2.4835 GHz |
| Bluetooth | 2.4 GHz - 2.4835 GHz |
| RFID | 2.446 GHz - 2.454 GHz |
| ANT+ | 2.457 GHz |
| Wi-Fi 802.11a/n/ac | 5.1 GHz - 5.8 GHz |
| IR | 300 GHz - 300,000 GHz |
WiFi Channels
2.4 GHz Band:
Divided into 14 channels, each 5 MHz apart.
Channels Overlap:
All channels overlap except channels 1, 6, and 11.
Most networks in the U.S. use channels 1, 6, or 11 only to avoid interference.
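The "1, 6, 11" rule above follows directly from the channel spacing. The following is an added example, not part of the lecture slides: it computes 2.4 GHz channel centre frequencies and derives which channels can coexist without overlap. It assumes (not stated on the slide) that each channel occupies 22 MHz, the 802.11b DSSS channel width, that channels 1-13 sit 5 MHz apart starting at 2412 MHz, that channel 14 sits at 2484 MHz, and that channels 1-11 are the ones in common use in the U.S.

```python
# Added example (not from the lecture slides): 2.4 GHz Wi-Fi channel overlap.
# Assumptions: 22 MHz channel width (802.11b DSSS), channels 1-13 at
# 2412 + 5*(ch-1) MHz, channel 14 at 2484 MHz, U.S. deployments use channels 1-11.

CHANNEL_WIDTH_MHZ = 22  # assumption: 802.11b DSSS channel bandwidth


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz band channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"invalid 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < width


def non_overlapping_set(channels=range(1, 12), width: int = CHANNEL_WIDTH_MHZ) -> list:
    """Greedy lowest-first choice of mutually non-overlapping channels.
    Default channel set is 1-11 (assumption: the channels commonly used in the U.S.)."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def overlap_table(width: int = CHANNEL_WIDTH_MHZ) -> dict:
    """Map each channel 1-14 to the other channels it interferes with."""
    return {
        ch: [o for o in range(1, 15) if o != ch and channels_overlap(ch, o, width)]
        for ch in range(1, 15)
    }


if __name__ == "__main__":
    print("non-overlapping:", non_overlapping_set())
    for ch, others in overlap_table().items():
        print(f"channel {ch:2d} ({center_frequency_mhz(ch)} MHz) overlaps {others}")
```

Running the script shows that channel 6 interferes with channels 2-5 and 7-10, which is why an access point placed on channel 3 degrades neighbours on both 1 and 6 rather than avoiding them.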
Spectrum Sharing Technology
Devices sharing the same frequency range:
WiFi, Bluetooth, ZigBee, ANT+, and some satellite signals share the 2.4 GHz frequency range.
Technology Implemented:
Frequency Hopping Spread Spectrum (FHSS):
Used by devices such as WiFi and ZigBee.
Direct Sequence Spread Spectrum (DSSS):
Used by Bluetooth.
Spread Spectrum Technology: Basics
Normal Transmission (Narrowband):
Like shouting a message in one clear tone.
Fast but prone to interference.
Easily eavesdropped.
Spread Spectrum Transmission:
Like whispering fragments across various frequencies.
Harder to jam and eavesdrop, requiring a secret key.
Direct-Sequence Spread Spectrum (DSSS)
Concept:
Sending a single message encoded in Morse code with a repetitive noisy pattern.
Spreading Code:
Example: Sending ‘1’ uses sequence 1011000, leading to a longer transmission signal.
Result:
Transmits a complex sequence taking up a wider frequency range.
Anti-Jamming: The receiver can recover original data despite noise.
Synchronization: Requires receiver to know the exact spreading code.
Real-World Application: Early Wi-Fi (802.11b).
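To make the anti-jamming and synchronization points concrete, here is an added example (not from the lecture slides) of a toy DSSS link built around the slide's 7-chip spreading code 1011000: a '1' is sent as the code itself, a '0' as its complement, and the receiver decides each bit by counting how many received chips match the code it was given. The XOR-based jammer and the majority-vote receiver are constructed for illustration; real DSSS receivers correlate analog signals, but the recovery property is the same.

```python
# Added example (not from the lecture slides): toy direct-sequence spread spectrum.
# A data bit becomes 7 chips, so the transmission is 7x longer (wider spectrum),
# and the receiver tolerates up to 3 corrupted chips per bit.

SPREADING_CODE = [1, 0, 1, 1, 0, 0, 0]  # the spreading code from the slide


def spread(bits, code=SPREADING_CODE):
    """Transmit each bit as len(code) chips: the code for '1', its complement for '0'."""
    return [c if b == 1 else 1 - c for b in bits for c in code]


def despread(chips, code=SPREADING_CODE):
    """Receiver: it must know the exact code (synchronization). For each chip group,
    count matches against the code; a majority of matches means the bit was '1'."""
    n = len(code)
    bits = []
    for i in range(0, len(chips), n):
        group = chips[i:i + n]
        matches = sum(1 for g, c in zip(group, code) if g == c)
        bits.append(1 if matches > n / 2 else 0)
    return bits


def jam(chips, positions):
    """Constructed interference model: flip the chips at the given positions."""
    out = list(chips)
    for p in positions:
        out[p] ^= 1
    return out


def max_tolerated_flips(code=SPREADING_CODE) -> int:
    """Chips per bit that can be corrupted while the majority vote still recovers the bit."""
    return (len(code) - 1) // 2


if __name__ == "__main__":
    data = [1, 0, 1, 1]
    tx = spread(data)
    # corrupt 3 chips of the first two bits; a narrowband link losing even one symbol
    # per bit would already be wrong here
    rx = jam(tx, [0, 1, 2, 7, 8, 9])
    print("sent      :", data)
    print("recovered :", despread(rx))
    print("chips/bit :", len(tx) // len(data), "tolerated flips:", max_tolerated_flips())
```

Flipping a fourth chip in one group defeats the vote, which is the trade-off the slide alludes to: a longer spreading code buys more jamming tolerance at the cost of a wider, longer transmission.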
Frequency-Hopping Spread Spectrum (FHSS)
Concept:
Change radio channels as per a pre-arranged schedule.
Example:
Transmission via various channels, each for a brief moment.
Result:
Anti-Eavesdropping:
Only small, useless data snippets are sent on a single channel.
Anti-Jamming:
Loss only on the channel being jammed, preserving other data.
Real-World Application: Bluetooth, older cordless phones.
Orthogonal Frequency-Division Multiplexing (OFDM)
Concept:
A large file is split into smaller pieces and transmitted simultaneously on multiple closely spaced frequencies (subcarriers).
Result:
Speeds up transmission by sending pieces of data concurrently.
Combats multipath (signal echoes) by ensuring echoes of one signal don't interfere with others, thus improving reliability.
Real-World Application: Modern Wi-Fi (802.11a/g/n/ac/ax), 4G LTE, and 5G.
WiFi Overview
Wi-Fi is based on the 802.11 Standard, developed by IEEE 802.11 Task Force.
802.11 Variations Include:
802.11b
802.11a
802.11g
802.11n
802.11ac
802.11ax
802.11be
Typical Wi-Fi Home Network
Components include:
Internet
Modem
Router
Desktop
Laptop
Phone
Tablet
Printer
Accessing Public Wi-Fi
Example:
Visiting Starbucks and wanting to access the internet without cellular data:
Use a wireless device to scan for access points.
WiFi Scanning
Types of Scanning:
Active Scanning:
Computer transmits a probe frame.
Access Point responds with a probe response including status code and ID.
Passive Scanning:
Listening for a beacon frame emitted by the Access Point.
Beacon frame includes SSID, transfer rate, etc.
WiFi Identifiers
SSID (Service Set Identifier):
A unique character string identifying an access point, recommended to change from default for security.
BSS (Basic Service Set):
A group of stations sharing the same AP, identified by BSSID (Basic Service Set Identifier).
ESS (Extended Service Set):
A group of access points connected to the same LAN, identified by ESSID (Extended Service Set Identifier).
ESS allows devices to roam between BSSs while maintaining connectivity.
WiFi Attacks
Common types include:
MAC Spoofing
Rogue Access Points and Unauthorized Association
Access Point Misconfiguration
Denial of Service (DoS)
Man-In-The-Middle Attack
Evolution of Wi-Fi Security
Wi-Fi security has progressed from WEP through WPA and WPA2 to WPA3.
WEP: The Original Flaw
WEP was intended to provide wired equivalent privacy but suffered from flaws:
Based on RC4 symmetric encryption standard.
The 24-bit Problem:
Used 64 or 128-bit keys but included a 24-bit IV, leading to a weak effective key size of only 40 or 104 bits.
How WEP Works (and Fails)
Process:
WEP combines the pre-shared key with a per-frame IV to form the RC4 key, then XORs the resulting keystream with the frame data.
Flaw: because the 24-bit IV space is so small, IVs are reused; on a busy network this repetition exposes frames encrypted under the same keystream.
WPA: The Interim Solution
Developed to address WEP's issues:
Utilizes TKIP (Temporal Key Integrity Protocol) to provide stronger key management and integrity checks across packets.
Increased IV size from 24 to 48 bits, enhancing security by eliminating rollover risk.
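The IV reuse flaw in the "How WEP Works (and Fails)" slide and the benefit of WPA's 48-bit IV can both be shown numerically. The following is an added example, not from the lecture slides: it measures how quickly a randomly chosen 24-bit IV repeats, compares the birthday-bound collision probability for 24 and 48 bits, and shows why a repeat matters (two frames under the same IV and key leak the XOR of their plaintexts). A SHA-256 counter generator stands in for RC4 so the example needs no extra library; that substitution is an assumption, and the reuse property holds for RC4 in exactly the same way.

```python
# Added example (not from the lecture slides): why a 24-bit IV fails and 48 bits does not.
# Assumption: a SHA-256 counter generator replaces RC4 as the keystream source.
import hashlib
import math
import random

IV_BITS_WEP = 24        # from the slides
IV_BITS_WPA_TKIP = 48   # from the slides


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, iv: int, iv_bits: int, length: int) -> bytes:
    """Keystream derived from (IV || key). Same IV and key => identical keystream,
    which is the property that makes IV reuse dangerous."""
    seed = iv.to_bytes(iv_bits // 8, "big") + key
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, iv: int, plaintext: bytes, iv_bits: int = IV_BITS_WEP) -> bytes:
    """WEP-style frame protection: plaintext XOR keystream(IV || key)."""
    return xor_bytes(plaintext, keystream(key, iv, iv_bits, len(plaintext)))


def keystream_reuse_leak(key: bytes, iv: int, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the relationship between two frames
    leaks without the key ever being recovered. Always true for a repeated IV."""
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def collision_probability(iv_bits: int, frames: int) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` random IVs."""
    n = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * n))


def frames_until_repeat(iv_bits: int, seed: int = 1) -> int:
    """Simulate random IV selection and count frames until the first repeat.
    Practical for 24 bits (thousands of frames); 48 bits would need ~2^24 draws."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    print("24-bit IV repeats after", frames_until_repeat(IV_BITS_WEP), "frames")
    for frames in (1000, 5000, 20000):
        print(f"{frames:6d} frames: P(repeat) 24-bit={collision_probability(24, frames):.3f}"
              f"  48-bit={collision_probability(48, frames):.2e}")
    print("same IV leaks p1 XOR p2:", keystream_reuse_leak(key, 0xABCDEF, b"frame one", b"frame two"))
```

A busy access point moves thousands of frames per minute, so a 24-bit IV sees its first repeat almost immediately; at 48 bits the same frame count gives a collision probability on the order of 10^-8, which is the "rollover risk" WPA's TKIP removed in practice.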
WPA2: The Successor
A formal successor standard (IEEE 802.11i), approved in 2004.
Uses AES (Advanced Encryption Standard) with key sizes up to 256 bits, which is a significant improvement over WEP.
WPA3
Introduces more resilient authentication methods.
WPA3-Personal:
Utilizes SAE (Simultaneous Authentication of Equals) to better safeguard against password guessing.
WPA3-Enterprise:
Introduced in 2018, provides 192-bit cryptographic strength for enterprise settings.
Evolution Summary
| Security Protocol | Key Characteristics |
|---|---|
| WEP | RC4, 24-bit IV |
| WPA | Interim (TKIP, 48-bit IV) |
| WPA2 | Standard (AES, 256-bit) |
| WPA3 | Modern (SAE, 192-bit+) |
Common Wi-Fi Attacks
Rogue Access Point:
An attacker installs a rogue AP (e.g., SSID "Free_Internet").
Users unknowingly connect, allowing the attacker access to the network.
Evil Twin Attack:
The rogue AP is configured with the same SSID as the legitimate network, using DNS spoofing to redirect traffic.
Deauthentication Attack:
An attacker sends spoofed frames to disconnect clients from legitimate APs, leading them to connect to the attacker’s rogue AP.
WiFi Attack Demo
Conducting a de-authentication attack on wireless devices in a WiFi network.
Requirements:
Sniffing wireless packets requires a compatible WiFi adapter set to monitor mode.
Setting up a Network Environment
Attacker's Setup:
Raspberry Pi with Kali Linux.
Wireless adapter connected to the machine.
Wireless router/AP for WLAN connectivity.
Mobile devices as client stations.
Wireless Router Configuration
Setup:
Enable the WiFi router and connect devices to the network "MyWireless53" with the password "password".
Conducting the Attack - Launching De-authentication Attack
Open a terminal in Kali and check the connected USB devices with the command: lsusb
Check the enabled WiFi adapters using: iwconfig
Set the WiFi adapter to monitor mode using: airmon-ng start wlan1
Capture wireless data packets with: airodump-ng wlan1
Send deauth packets using: aireplay-ng -0 100 -a <TARGET_BSSID> -C <CLIENT_MAC> wlan1
A successful handshake capture is indicated by the Wi-Fi traffic shown in the capture output.
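The deauthentication attack described under "Common Wi-Fi Attacks" and demonstrated here leaves a distinctive footprint: a burst of deauthentication or disassociation management frames carrying the legitimate AP's BSSID far faster than any real AP would send them. The following is an added example, not from the lecture slides or the aircrack-ng project, of the detection logic a wireless IDS applies. The log format ("seconds,subtype,src,dst,bssid"), the sample frames and the MAC addresses are constructed for the example; the window and threshold are assumptions to tune per network.

```python
# Added example (not from the lecture slides): detect a deauth flood in a constructed
# management-frame log. Format per line: seconds,subtype,src,dst,bssid (constructed).
from collections import defaultdict, deque

# 802.11 management subtypes 0xC (deauthentication) and 0xA (disassociation)
DEAUTH_SUBTYPES = {"deauth", "disassoc"}


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record."""
    t, subtype, src, dst, bssid = line.strip().split(",")
    return {"t": float(t), "subtype": subtype, "src": src, "dst": dst, "bssid": bssid}


def detect_deauth_flood(records, window_s: float = 1.0, threshold: int = 10) -> list:
    """Alert once per BSSID when >= threshold deauth/disassoc frames carry that BSSID
    within any window_s-second sliding window. Returns (bssid, detect_time, count)."""
    recent = defaultdict(deque)  # bssid -> timestamps of recent deauth frames
    alerts = {}
    for r in sorted(records, key=lambda rec: rec["t"]):
        if r["subtype"] not in DEAUTH_SUBTYPES:
            continue
        q = recent[r["bssid"]]
        q.append(r["t"])
        while q and r["t"] - q[0] > window_s:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and r["bssid"] not in alerts:
            alerts[r["bssid"]] = (r["bssid"], r["t"], len(q))
    return list(alerts.values())


def build_sample() -> list:
    """Constructed sample: normal traffic with two legitimate deauths, then a flood
    of 40 deauth frames in 0.4 s spoofing the AP's address to the broadcast MAC."""
    ap, client = "aa:bb:cc:00:00:01", "11:22:33:44:55:66"   # constructed MACs
    lines = [
        f"0.00,beacon,{ap},ff:ff:ff:ff:ff:ff,{ap}",
        f"3.50,deauth,{ap},{client},{ap}",      # AP dropping an idle client
        f"9.00,deauth,{client},{ap},{ap}",      # client leaving cleanly
    ]
    lines += [f"{20.0 + i * 0.01:.2f},deauth,{ap},ff:ff:ff:ff:ff:ff,{ap}" for i in range(40)]
    return lines


def analyse(lines) -> list:
    return detect_deauth_flood([parse_line(line) for line in lines])


if __name__ == "__main__":
    for bssid, when, count in analyse(build_sample()):
        print(f"ALERT deauth flood: bssid={bssid} at t={when:.2f}s ({count} frames in window)")
```

The two legitimate deauths at 3.5 s and 9.0 s never trip the detector because they fall outside any one-second window together; the flood is flagged on its tenth frame. In production the same logic runs over frames captured in monitor mode, and the mitigation is 802.11w (Protected Management Frames), which authenticates deauthentication frames so a spoofed one is discarded by the client.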
Password Cracking
Use aircrack-ng to test potential keys against the captured packets and recover the password.