
MOBILE SECURITY
802.11 Security: Attacks and risks
Bruce Potter and Bob Fleck 12.01.2002
802.11 Security: Chapter 2: Attacks and Risks
802.11 Security
By Bruce Potter and Bob Fleck
O'Reilly & Associates, December 2002
ISBN: 0-596-00290-4
For more information or to order the book, visit the O'Reilly online catalog.
Chapter 2: Attacks and Risks
802.11 networks have unique vulnerabilities that make them an ideal
avenue of attack. Wireless networks cannot be physically secured the
same way a wired network can be. An attack against a wireless network
can take place anywhere: from the next office, the parking lot of
your building, across the street in the park, or a bluff many miles
away.
Understanding the details of various attacks against your wireless
infrastructure is critical to determining how to defend yourself.
Some attacks are easy to implement but aren't
particularly dangerous. Other attacks are much more difficult to
mount but can be devastating. Like any other aspect of security,
wireless security is a game of risk. By knowing the risks involved in
your network and making informed decisions about security measures,
you have a better chance at protecting yourself, your assets, and
your users.
An Example Network
Throughout this book, we will work toward the creation of the example
network illustrated in Figure 2-1. This network is
split into three segments: the Internet, a wireless network
containing access points and wireless clients, and a wired network
containing workstations, servers, and other devices. A gateway
mediates the traffic between these three segments. The focus of this
book is the security of the gateway, access points, and wireless
clients. We will also investigate the effects the security of these
components has upon the rest of the network and the external security
issues that originate from outside the wireless network.
All of these network components must work together, and implement
complementary security, to establish a secure network. With that in
mind, we will begin by examining the classes of threats to the
wireless network.
Figure 2-1. Architecture of example network
Denial-of-Service Attacks
Denial-of-Service
(DoS) attacks, which aim to prevent access to network resources, can
be devastating and difficult to protect against. Typical DoS attacks
involve flooding the network with traffic choking the transmission
lines and preventing other legitimate users from accessing services
on the network.
DoS attacks can target many different layers of the network. In order
to understand the risk of a DoS attack to a wireless network, you
must first understand the difference between various types of DoS
attacks.
Application (OSI Layer 7)
An application-layer DoS
is accomplished by sending large amounts of otherwise legitimate
requests to a network-aware application, such as sending a large
amount of page requests to a web server, swamping the server process.
The goal of this type of attack is to prevent other users from
accessing the service by forcing the server to fulfill an excessive
number of transactions. The network itself may still be usable, but
since the web server process cannot respond to the users, access to
service is denied. (This can occasionally happen, innocently, when a
web site receives a sudden boost in popularity due to a link from a
high-traffic site, such as http://slashdot.org.)
Transport (OSI Layer 4)
A transport-layer DoS involves sending many
connection requests to a host. This type of attack is typically
targeted against the operating system of the
victim's computer. A typical attack in this category
is a SYN flood. In a SYN flood (SYN packets are the first step of a
TCP connection), an attacker sends an excessive number of TCP
connection requests to a host hoping to overwhelm the operating
system's ability to track active TCP sessions. Most
operating systems have a limit to the number of connections per
second they will accept and a limit on the maximum number of
connections they will maintain. A successful SYN flood will overwhelm
the operating system on one of these two limits, thereby denying
access to the services running on that host. As is the case in the
application-based DoS, the network is usually still functional, but
the target host is
unresponsive.
Network (OSI Layer 3)
A network-layer DoS is accomplished by
sending a large amount of data to a network. This type of attack
targets the network infrastructure of the victim. For example, an
attacker may send 100 Mb/s of data to a network that can only
transmit 10 Mb/s. The victim network obviously cannot retransmit all
the data being sent to it, so the network equipment is forced to drop
packets. This excessive traffic may also cause high loads on the CPUs
within the network equipment itself, causing further network
problems.
A typical network-based DoS attack is a ping flood. An attacker
generates massive amounts of ICMP traffic destined for the victim
network. (ICMP packets are used for management functions such as
querying the availability and services of a host.) This usually
saturates the victim's WAN links. By cutting off the
victim's LAN from the rest of the Internet, the
attacker has denied access to any services that reside on the
victim's LAN.
Data-Link (OSI Layer 2)
A data-link DoS can target either a host or
a network. Data-link attacks are launched to disable the ability of
hosts to access the local network even though the hosts are still
connected. An example of this would be flooding a non-switched
Ethernet network with invalid frames. An attacker (or sometimes a
malfunctioning NIC) can send repeated frame headers with no payload.
These headers are rebroadcast to all hosts on the network and
effectively tie up the medium. Data-link DoS attacks are not common
on wired networks because most networking gear has the intelligence
to prevent data-link attacks from propagating to hosts on the
network.
Physical (OSI Layer 1)
A physical-layer DoS involves severing a
host's connection to the network in some fashion.
Physical attacks are not common in wired networks because they
involve having direct access to the transmission medium involved in
the victim's network. For instance, WAN circuits are
typically buried underground and are difficult to access. LANs reside
inside of buildings, making them difficult targets as well. An
example of an unintentional physical DoS attack is the dreaded
backhoe DoS. Backhoe attacks are common in areas of heavy
construction where a large piece of equipment (like a backhoe) is
digging near buried data cables. One wrong move by the backhoe
operator can sever thousands of telecommunications lines, potentially
taking down many services.
Wireless DoS Attacks
At the application and transport layers,
there is nothing fundamentally different between DoS attacks on
wireless and wired networks. However, there are critical differences
in the interaction between the network, data-link, and physical
layers that increase the risk of a DoS attack on a wireless network.
802.11b physical attacks
A physical DoS attack against a wired
network requires very close proximity to the victim host. This is not
the case with a wireless network. The medium is everywhere and
attackers can launch a physical attack from much farther distances.
Instead of being inside of a building to perform a physical DoS
attack against a LAN, an attacker can be outside of the building.
Unlike a wired network where there is usually evidence of a physical
attack (destroyed cabling, removed cable, attackers on video
surveillance cameras), there are no visible signs that something has
changed.
The 802.11 PHY specifications define a limited range of frequencies
for communication. The 802.11 devices that use a specific PHY are
constrained to these frequency ranges. An attacker can create a
device that will saturate the 802.11 frequency bands with noise. If
the attacker can create enough RF noise to reduce the signal-to-noise
ratio to an unusable level, then the devices within range of the
noise will be effectively taken offline. The devices will not be able
to pick out the valid network signal from all of the random noise
being generated and therefore will be unable to
communicate.
Creating a device that produces a lot of noise at 2.4 GHz is
relatively easy and inexpensive to construct. However, there are
several common commercial devices available today that can easily
take down a wireless network. Unfortunately, many 2.4 GHz cordless
phones that can be purchased in electronics stores have the
capability to take an 802.11b network offline. While not a refined
electronic weapon, these phones can interfere with or completely disable a
WLAN. Cordless phones use several different modulation techniques and
can overlap on the frequencies used by 802.11b. This overlapping is
simply noise to an 802.11b radio. The cordless-phone-induced noise
can drop the SNR enough to bring down any WLAN network
nearby.
TIP:
For Christmas one year, Bruce and his wife bought each other 2.4 GHz
phones to replace their older 900 MHz models. After installing the
phones, they noticed that they had many unexplained network outages.
They also noticed an audible crackling noise on the phones. After
reading the specs on the phone, they were able to set the phones to a
different part of the ISM range than the frequencies they had chosen
for their 802.11b network. This got rid of the interference and the
outages. However, they learned the hard way that wireless technology
is not necessarily plug-and-play.
There are also problems with a DoS
from other networking protocols. In particular, Bluetooth uses the
same ISM band as 802.11b and 802.11g. The DSSS modulation in 802.11b
is susceptible to interference from the modulation used in Bluetooth
networks. While there are potential solutions to prevent Bluetooth
from stepping on 802.11b transmissions, large-scale Bluetooth
deployments may still interfere to the point of inoperability with
802.11b networks. As time passes, the 2.4 GHz ISM band will become
more crowded, making unintended DoS attacks against 802.11b networks
commonplace. Sirius and XM satellite radio, which have spectrum
bordering the ISM band, have complained that ISM-band devices may
cause interference with their ground-based repeaters and satellites.
802.11b data-link DoS attacks
At the data-link layer, ubiquitous
access to the medium again creates new opportunities for DoS attacks.
Even with WEP turned on, an attacker has access to the link layer
information and can perform some DoS attacks. Without WEP, the
attacker has full access to manipulate associations between stations
and access points to terminate access to the network.
If an AP is incorrectly utilizing
diversity antennas, an attacker can potentially deny access to
clients associated to the AP. The use of diversity antennas is
intended to compensate for multi-path fade. However, diversity
antennas are sometimes used to cover more area with an AP by using
antennas that cover disparate physical regions.
TIP:
Antenna
diversity is a mechanism where a
single radio uses multiple antennas to overcome multi-path fade. A
radio signal usually has many different paths to get to an antenna
due to reflections of the signal off walls, trees, desks, etc. A
radio using diversity antennas will sample a client transmission from
all attached antennas and determine which antenna has the highest
quality signal. The radio will then use that antenna to send and
receive traffic destined for that station.
If the diversity antennas do not cover the same region of space, an
attacker can deny service to associated stations by exploiting this
improper setup, as shown in Figure 2-2. If
diversity antennas A and B are attached to an AP, they are set up to
cover both sides of the wall independently. Alice is on the left side
of the wall, so the AP will choose antenna A for the sending and
receiving frames. Bob is on the opposite side of the wall from Alice
and will therefore send and receive frames with antenna B. Bob can
take Alice off the network by changing his MAC address to be the same
as Alice's. Then Bob can guarantee that his signal
is stronger on antenna B than Alice's signal on
antenna A by using an amplifier or other enhancement mechanism. Once
Bob's signal has been detected as the stronger
signal on antenna B, the AP will send and receive frames for the MAC
address on antenna B. As long as Bob continues to send traffic to the
AP, Alice's frames will be ignored.
Figure 2-2. Attack against improperly provisioned diversity antennas
If a client is not using WEP authentication (or an attacker has
knowledge of the WEP key), then the client is vulnerable to DoS
attacks from spoofed APs. Clients can generally be configured to
associate with any access point or to associate to an access point in
a particular ESSID. If a client is configured to associate to any
available AP, it will select the AP with the strongest signal
regardless of the ESSID. If the client is configured to associate to
a particular ESSID, it will select the AP in the ESSID with the
strongest signal strength.
Either way, a malicious AP can effectively black-hole traffic from a
victim by spoofing the desired AP. For example, if a client is
configured to associate to APs in the SSID
shmoo, the client will look for all available
APs in that SSID. It will then associate with the AP for which it has
the strongest signal. A malicious AP with the SSID of
shmoo can make sure it has the strongest signal
by using a larger or directional antenna, signal amplifier, etc., as
shown in Figure 2-3. The client will associate to
the malicious AP, and the malicious AP can drop or monitor all
traffic sent to it by the client.
Figure 2-3. Malicious AP overpowering valid AP
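As an added example (not code from the book), the following Python script shows the defender's side of the spoofed-AP scenario above: it parses 802.11 beacon frames, extracts the BSSID, SSID, channel and privacy (WEP) capability bit, and flags any beacon that advertises one of the organization's SSIDs from a BSSID that is not in the AP inventory. The beacon frames, BSSIDs and inventory are constructed for the demo; the SSID shmoo follows the chapter.

```python
"""Rogue-AP check over 802.11 beacon frames (added example, not from the book)."""
import struct

FC_BEACON = 0x0080      # frame control, little-endian: type=management(0), subtype=beacon(8)
CAP_PRIVACY = 0x0010    # capability info bit 4: privacy (WEP) required
IE_SSID = 0             # information element tag numbers
IE_DS_PARAMS = 3

# Assumed inventory of authorized APs: SSID -> set of legitimate BSSIDs (constructed)
INVENTORY = {"shmoo": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def parse_beacon(frame: bytes):
    """Return {'bssid','ssid','channel','privacy'} for a beacon frame, else None."""
    if len(frame) < 24 + 12:                # 24-byte MAC header + fixed beacon fields
        return None
    fc = struct.unpack("<H", frame[0:2])[0]
    if fc & 0x00FC != FC_BEACON:            # mask flags, keep type/subtype bits
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 = BSSID
    body = frame[24:]
    cap = struct.unpack("<H", body[10:12])[0]   # after 8-byte timestamp, 2-byte interval
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "privacy": bool(cap & CAP_PRIVACY)}
    pos = 12
    while pos + 2 <= len(body):             # walk the tagged information elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                           # truncated IE: stop rather than misparse
        if tag == IE_SSID:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def check_beacon(frame: bytes, inventory=INVENTORY):
    """Return a list of findings for one beacon; an empty list means nothing suspicious."""
    b = parse_beacon(frame)
    if b is None or b["ssid"] not in inventory:
        return []                           # not a beacon, or not one of our SSIDs
    findings = []
    if b["bssid"] not in inventory[b["ssid"]]:
        findings.append(f"rogue AP: SSID {b['ssid']!r} advertised by unknown BSSID "
                        f"{b['bssid']} on channel {b['channel']}")
    if not b["privacy"]:
        findings.append(f"AP {b['bssid']} advertises {b['ssid']!r} without the privacy (WEP) bit")
    return findings


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool) -> bytes:
    """Construct a minimal beacon frame for the demo (sample data, never transmitted)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = struct.pack("<HH", FC_BEACON, 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def run_demo():
    """Check three constructed beacons: legitimate AP, impostor AP, unrelated neighbour."""
    frames = [
        build_beacon("00:11:22:33:44:01", "shmoo", 6, True),     # authorized AP
        build_beacon("de:ad:be:ef:00:01", "shmoo", 11, False),   # impostor using our SSID
        build_beacon("66:77:88:99:aa:bb", "coffee", 1, False),   # neighbour, not our SSID
    ]
    return [check_beacon(f) for f in frames]


if __name__ == "__main__":
    for findings in run_demo():
        print(findings or ["ok"])
```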
802.11b network DoS attacks
If a network allows any client to
associate, it is vulnerable to a network-level DoS attack. Since an
802.11 network is a shared medium, a malicious user can flood the
network with traffic, denying access to other devices associated to
the affected access point. As an example, an attacker can associate
to a victim 802.11b network and send an ICMP flood to the gateway.
While the gateway may be able to withstand the amount of traffic, the
shared bandwidth of the 802.11b infrastructure is easily saturated.
Other clients associated to the same AP as the attacker will have a
very difficult time sending packets.
Given the relatively slow speed of 802.11b networks, a network DoS
may happen inadvertently due to large file transfers or
bandwidth-intense applications. A few bandwidth-hungry applications
on a WLAN can hamper access for all associated stations. With the
deployment of higher-speed WLAN technologies, these unintentional
attacks will become less frequent.
Man-in-the-Middle Attacks
Man-in-the-middle
(MITM) attacks have two major forms: eavesdropping and manipulation.
Eavesdropping occurs when an attacker receives a data communication
stream. This is not so much a direct attack as much as it is a
leaking of information. An eavesdropper can record and analyze the
data that he is listening to. A manipulation attack requires the
attacker to not only have the ability to receive the
victim's data but then be able to retransmit the
data after changing it, as shown in Figure 2-4.
Figure 2-4. Eavesdropping versus manipulation
MITM attacks on a wired network generally require access to a network
that the victim's traffic transits. This can mean
physical access to a wire to "tap"
into the wire for interception. It can also mean being on the same
LAN as the victim and forcing traffic to go through the
attacker's host. An attacker can force traffic
through a malicious machine on a LAN by performing an ARP poisoning
attack.
ARP Poisoning
ARP (Address Resolution Protocol) is
the mechanism that IP-enabled Ethernet devices use to determine which
device on a network has a particular IP address. When a host wants to
communicate with another host, it will send out an ARP request
asking, "Who has IP address
192.168.0.1?" All hosts on the
LAN receive the question, and the device that has
192.168.0.1 replies with its MAC address. The
initial host then uses that MAC address to send datagrams to
192.168.0.1.
In order to reduce the number of ARP requests, many modern operating
systems implement a lazy technique to learn MAC addresses. If a host
receives a packet from another host on the same LAN (say,
192.168.0.1), it assumes that the MAC address on
the packet is the MAC address for 192.168.0.1. It
will then enter the MAC/IP address combination into its local MAC
address table and use that MAC address for all future communication
with 192.168.0.1.
An attacker can force packets to go through a malicious host by
exploiting this lazy mechanism of learning MAC addresses. Assume an
attacker wants to intercept traffic between a client
(192.168.0.99) and a server
(192.168.0.1). The attacker and both target hosts
are on the same network. The attacker sends an ARP reply packet to
the client machine with a source IP of the server but with a source
MAC of the malicious machine. The client machine now thinks that the
server has the MAC address of the malicious machine and will send all
frames for 192.168.0.1 to that host. Conversely,
the attacker sends a packet to the server with a source IP of the
client and a source MAC of the malicious machine. As in the
client's situation, packets will be forwarded to the
malicious host.
At this point, the attacker can watch, drop, forward, and manipulate
data moving between the client and the server. Even in a switched
environment, this attack is successful because the switch has no way
of recognizing something is wrong.
Bob Fleck and Jordan Dimov wrote a paper available at http://www.cigitallabs.com/resources/papers/download/arppoison.pdf
that discusses how this kind of ARP poisoning can be used on a
wireless network. A wireless attacker can use ARP poisoning to pull
packets "off-wire" by poisoning the
ARP caches of two wired hosts behind an AP. By using ARP poisoning, a
wireless attacker can intercept traffic between any hosts on the same
broadcast domain, whether they are wired or wireless.
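As an added example (not code from the book or the paper), here is an arpwatch-style detector for the ARP poisoning just described: it parses raw Ethernet/ARP frames, learns which MAC answers for each IP, and raises an alert when an ARP reply claims an IP that was already bound to a different MAC. The frames are constructed for the demo and the MAC addresses are assumed; the IP addresses (192.168.0.1 server, 192.168.0.99 client) follow the chapter.

```python
"""ARP poisoning detector over raw Ethernet/ARP frames (added example, not from the book)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Constructed sample addresses for the demo (not real hosts)
SERVER_MAC = "00:aa:00:00:00:01"
CLIENT_MAC = "00:aa:00:00:00:63"
ATTACKER_MAC = "00:bb:00:00:00:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not ARP, is too short, or uses an unexpected hardware/protocol type.
    """
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]
    return oper, mac_str(a[0:6]), ip_str(a[6:10]), mac_str(a[10:16]), ip_str(a[16:20])


class ArpMonitor:
    """Track IP -> MAC bindings seen in ARP replies and flag changes.

    Seeding the table from a trusted inventory (e.g. the gateway's real MAC) closes
    the window in which the attacker's reply could be the first one the monitor sees.
    """

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})    # ip -> mac

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, sender_mac, sender_ip, _, _ = parsed
        if oper != ARP_REPLY:
            return None                     # only replies assert a binding
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac   # first sighting: learn it
            return None
        if known != sender_mac:
            return (f"ALERT: {sender_ip} answered by {sender_mac}, "
                    f"previously {known} (possible ARP poisoning)")
        return None


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a raw ARP reply frame for the demo (sample data, never sent)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


def run_demo():
    """Feed a genuine reply, a poisoned one, and an unseen binding; return alerts raised."""
    mon = ArpMonitor()
    frames = [
        build_arp_reply(SERVER_MAC, "192.168.0.1", CLIENT_MAC, "192.168.0.99"),    # genuine
        build_arp_reply(ATTACKER_MAC, "192.168.0.1", CLIENT_MAC, "192.168.0.99"),  # poison
        build_arp_reply(ATTACKER_MAC, "192.168.0.99", SERVER_MAC, "192.168.0.1"),  # first seen
    ]
    return [alert for alert in (mon.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The third frame is learned silently because the monitor had never seen 192.168.0.99, which is why seeding the table with known-good bindings matters.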
Eavesdropping
In a wireless network, eavesdropping is
easy because wireless communications are not easily confined to a
physical area. A nearby attacker can receive the radio waves on the
wireless network without any substantial effort or equipment. All
frames sent across the wireless medium can be examined in real time
or stored for later examination.
Several layers of encryption can and
should be implemented to obscure transmitted data in an effort to
prevent attackers from gleaning useful information from the network
traffic. Since the ability of an attacker to eavesdrop on wireless
communications is fait accompli, the data-link
encryption mechanism WEP was developed. If the traffic is not
protected at the data-link layer using WEP, then the higher layer
security mechanisms must be used to protect the data. If a security
mechanism such as IPsec, SSH, or SSL is not used for transmission
then the application data is available to anyone with an antenna in
the area without any further effort.
Unfortunately, several flaws in WEP have been uncovered as discussed
in "Wireless DoS Attacks." Even with WEP turned on, a
determined attacker can potentially log gigabytes worth of
WEP-protected traffic in an effort to post-process the data and break
the protection. These weaknesses in WEP drastically increase the risk
due to eavesdropping. If WEP is cracked, there is a great deal of
sensitive data that is passed across networks with no further
encryption, such as a user who accesses his mail using the POP or
IMAP protocols. These protocols are widely deployed without any form
of encryption for authentication or data transport, putting the users
at risk when using a wireless network.
Manipulating
Manipulation takes eavesdropping a step
further. An attacker who can successfully manipulate data on a
network can effectively send data masquerading as a victim computer.
Using ARP poisoning, an attacker can force traffic through a
malicious machine. This malicious machine may, for example, change
the content of emails, instant messages, or database transactions.
The malicious machine can also choose not to forward packets along,
effectively denying use of the network from the victim.
Illicit Use
Illicit use of a wireless network
involves an attacker using the network because of its connection to
other networks. Attackers may use a network to connect to the
Internet or to connect to the corporate network that lives behind the
AP. Illicit use may not cause any operational problems, but it still
may be unwanted and unlawful use of the wireless network. An attacker
in this case may simply be someone who drove up near the AP,
associated to the network and is checking his mail. Alternatively,
the attacker may be sending spam to thousands of email addresses. The
attacker may even be attempting to exploit a file server that lives
on the same network as the AP or use the AP as a mask to hide the
source of illegal actions, such as hacking other networks.
No matter what the attacker is doing, his use is unacceptable.
However, the different types of illicit use pose varying degrees of
problems for the organization running the WLAN. Again, in a wired
network, illicit use is not a likely problem. In order to use a wired
network, an attacker must have physical access to the network
infrastructure. For reasons already outlined, this is unlikely and
generally risky for an attacker to do. However, in most wireless
networks, an attacker has much more freedom and is less likely to be
caught attempting to use the network. (Illicit use by authorized
users is a different matter. They already have proper access to the
network but are using it for activities that are forbidden by a
network-usage policy.)
Access points are not difficult to find. An attacker can simply drive
around an area looking for unprotected APs using war-driving software
such as NetStumbler. Once an attacker finds an open AP, he can use it
for whatever illicit use he desires.
Databases of APs have been created,
removing the war-driving step. Some databases such as
Cisco's Hotspot Locator (http://www.cisco.com/pcgi-bin/cimo/Home)
provide the location of closed APs that require payment to access
outside resources. Other databases such as The Shmoo
Group's Global Access Wireless Database (http://www.shmoo.com/gawd) or
NetStumbler's database (http://www.netstumbler.com/query.php) consist
of APs entered by individuals who have encountered them via various
means including war driving. An attacker can query any of these
public databases to determine nearby APs to use as a launching point.
Illicit resource use is a risk for several reasons. An attacker may
launch attacks against external servers. These attacks will be seen
as originating from the IP addresses of the owner of the access
point. If these exploits are detected by remote administrators, they
will be tracked down to the owner of the AP. The AP owner may be
subject to punishment from his ISP or even a criminal investigation.
Without a clear and complete audit trail, this form of illicit use
may cause large problems for the AP owner.
In addition, the AP owner may be paying for transit to the Internet
on a usage basis. If an attacker is using relatively large amounts of
bandwidth, his usage may cost the AP owner money. Even when Internet
access is not paid for on a usage basis, the attacker may be using
enough bandwidth to infringe on the legitimate use by other clients
using the same Internet connection. If an attacker is downloading
mp3s via a 265 kb/s DSL connection, then other users of the DSL
connection may experience extremely slow connectivity to external
services.
Wireless Risks
Many security professionals fall into the trap of dealing only with
the theory and not the practice of defending a network. While it
would be great to be protected from all potential attacks that a
wireless network may come under, that level of protection may not be
practical.
When securing your network, you must consider the risk associated
with each attack and address it accordingly. The topic of risk
assessment and risk management is one that could fill a book on its
own. However, it is important that you understand the basics of risk
assessment so you spend your time and money wisely addressing the
real issues rather than waste resources on topics that present no
risk.
Determining Risk
Figuring out
your risk boils down to questions like: "What can
happen?", "How likely is it to
happen?", "What occurs when it
happens?", and "How hard is it to
defend against?". The "What can
happen" question has already been answered in this
chapter. Determining the likelihood of any particular attack is the
next step.
The likelihood of an attack depends on factors such as:
- How easy is it to launch the attack?
  An attack that is theoretical today may be widely distributed in
  "script kiddie" code tomorrow. The problems with WEP started out as
  a paper that described the theoretical problems with the protocol.
  Very few people had the ability to take the vulnerability and write
  code to exploit it. Within a few months, several different exploit
  programs had been developed and were publicly available on the
  Internet. Once that code became available, the likelihood of WEP
  encrypted traffic being cracked became much higher.
- What is the risk to the attacker?
  Home WLANs are great jumping-off points for hackers because home
  users tend not to be as diligent as larger corporations. An attacker
  may stay off large corporate WLANs for fear of being discovered by
  full-time security systems such as IDS systems and observant network
  engineers.
- How big of a target are you and your assets?
  A home network usually does not contain resources or people that
  will single out the network in the attentions of hackers. A bank
  network, on the other hand, may be filled with user IDs, passwords,
  high-profile executives, and (above all) money. Keep in mind that
  the prevalence of wide network scanning by hackers may make you a
  target simply because you are running a vulnerable service, not
  because of what valuable assets the network may contain.
There are other issues that affect likelihood, but this is the basic
idea. When determining the likelihood of an attack, you must use some
common sense and knowledge of the current state of the security
industry.
Then you need to determine what you stand to lose (or gain) if a
particular attack is used against your network. What kind of user IDs
and passwords will be available on the network for eavesdroppers to
pick up? Are there time-sensitive applications that a DoS attack can
affect? Is the wireless network critical to the minute-to-minute
operations of your organization? Can you afford to be sued if a
hacker launches an attack from your network?
Finally, using the previous steps to prioritize your activities, you
need to evaluate how difficult the attacks are to defend against. If
protecting information on your network is your top priority, you must
determine to what lengths you will go to protect the integrity of
your data. If being sued due to illicit use is your biggest concern,
then you must determine the steps you can reasonably take to detect
illegitimate use.
When determining and prioritizing your risks, you do not need to
necessarily go through a formal process. You need to evaluate your
business requirements, your network, and your potential adversary.
Most importantly, you need to think about practical ramifications as
well as theoretical security.
Knowing Is Half the Battle
Now that you are familiar with the kinds of attacks that an attacker
may commit, you know what you're protecting against.
Once you've defined your risk in reference to these
attacks, you need to know what tools are at your disposal to protect
you and your users. The next step in setting up a secure wireless
infrastructure is laying down a strong foundation in your wireless
clients.
This excerpt was reprinted with permission from O'Reilly & Associates. For more information or to order the book "802.11 Security," visit the O'Reilly online catalog.