Picture This: A Visual Guide to Wireless Vulnerabilties
For many security certification exams, you must be familiar with various forms of vulnerabilities that can exist with wireless networks. The Security+ exam from CompTIA (SY0-301), for example, currently expects you to be able to distinguish between nine different ones (but refers to them as types of attacks) and that list is scheduled to expand with the next version of the test (currently slated for release in the second quarter of 2014).
This guide looks at some of the most common wireless vulnerabilities/attack types and consists of a subset of those you need to know to earn the Security+ designation. Sometimes, the easiest way to understand the difference between similar concepts is to use an analogy. In the spirit of that, imagine that you’ve decided to go to your favorite sandwich shop for lunch and want to congenially place your order, get your food and return back to work as quickly as possible.
Figure One: Under ideal conditions, you order the perfect sandwich and just the fixings you want and get back to work as quickly as possible.
Problems lurk within the simple sandwich shop lunch, however, just as they do with wireless communication. The following figures illustrate how things can go awry.
Interference and Jamming
While trying to place your order and get the extra helping of the pickles you so relish, someone stands nearby and obnoxiously shouts into their cell phone. Their conversation is so loud that it keeps the employee on the other side of the counter from correctly hearing your order and fixing the sandwich the way you like it. Even though you try to get your message through, it isn’t received.
Figure Two: Your message is unable to be correctly transmitted due to interference.
With wireless devices, interference can be unintentional (caused by other devices in the vicinity, for example), or intentional. When it is intentional, then it is often referred to as jamming, as the intent is to jam the signal and keep the legitimate device from communicating. For the analogy, imagine that the manager is so upset with the employee taking your order that she begins berating her in the middle of the store. One of the purposes behind the outburst is to get the full attention of the employee and keep them from responding to anything else at the moment.
Figure Three: You are unable to communicate and place your order due to jamming.
In a wireless network, both interference and jamming can occur with the access point, or any individual device(s). If it is the access point that is jammed, the possibility exists for the user(s) — either out of frustration, foolishness, or just lack of knowledge — to turn to other access points that could be less secure and/or harmful.
As you’re ordering, someone else in line keeps shouting out things to be added to the sandwich and the employee gets confused and adds them to your order, thinking you are the one who wants them. Now instead of not getting the double pickles you crave, you wind up with them and a double helping of black olives — which you despise and will need to pick off later.
Figure Four: With bluejacking, someone keeps telling them to add items to your order that you don’t want.
With the popularity of Bluetooth, two vulnerabilities have become common: bluejacking (also sometimes referred to a “blue jacking” or “blue-jacking”) and bluesnarfing. Bluejacking is the sending of unsolicited messages over the Bluetooth connection (think spam). While it is annoying, it is usually considered harmless. Bluetooth is often used for creating personal area networks (PANs/WPANs), and most Bluetooth devices come with a factory default PIN that you will want to change to more secure values.
Bluesnarfing is the gaining of unauthorized access through a Bluetooth connection. This access can be gained through a phone, PDA, or any device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access
The order you’re placing is overheard by another who is paying very close attention to what you are doing. After you take your order and head for the door, that person then tells the employee that they are with you they need another order — exactly the same as what you just left with — and it should be added to your bill.
Figure Five: With a replay attack, your order is intercepted and can later be replicated.
Replay attacks are not limited to wireless and, in fact, can be even more easy to pull off in a wired environment. In its simplest form, a replay attack essentially amounts to capturing portions of a session to play back later and convince a host that they are still talking to the same party.
After you order, someone you do not know tells you that you can get the exact same sandwich next door for half the price and it has twice the toppings. This is not a conversation that you entered into, solicited, or are interested in. The conversation is based upon their interception, and interpretation, of data they should not have obtained.
Figure Six: With packet sniffing, another party sees your order and responds to it.
If the interconnection between the access point isn’t encrypted, packets between devices may be intercepted (which is referred to as packet sniffing), creating a potential vulnerability. This vulnerability is called a “gap in the WAP” (the security concern that exists when converting between the Wireless Application Protocol and SSL/TLS) and was prevalent in versions of WAP prior to 2.0.
Other Possible Problems
In addition to those illustrated here, two other possible problems could exist as well:
Rogue access point: As soon as you walk through the door, you see the long line winding through the queue and think about going elsewhere. Before you have the time to make that decision, however, an employee who is on break recognizes you as a regular customer and offers to make you a sandwich from ingredients in the back room rather than making you wait. While this offers the opportunity to get your food in a timely way, it has the potential to circumvent the cash register and short the owner the money they are due; it also includes risks for you since the employee in the backroom isn’t wearing gloves, or using the sterilized cutting board.
Evil twin: Distracted by the rain, you get out of your car and run into what you think is your favorite sandwich shop only to find out that you went in one door too soon and are in a rival sandwich shop that charges twice as much and gives half as much meat. This shop has gone to a great deal of trouble to make it appear as if they are the other, more preferable shop and all of their business comes through confusion.
In a networking environment, the difference between the two is that any wireless access point added to your network that has not been authorized is considered a rogue. The rogue may be added by an attacker, or it could have been innocently added by a user wanting to enhance their environment — the problem with the user doing so is that there is a good chance they will not implement the security you would, and this could open the system for a man-in-the-middle attack. An evil twin attack is one in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information users transmit.
One of the best solutions to dealing with wireless vulnerabilities is to educate and train users about the wireless network and the need to keep it secure — just as you would train and educate them about any other security topic. They may think there is no harm in joining any wireless network they can find a strong signal from, but a bit of training can explain to them that it is in their best interest their own, and the company data, safe and secure.