Hacking

Wireless Attacks Unleashed

As we all know, wireless networks are spread at each and every part of the world, starting from personal home to corporate business environments, schools/universities, cafes, etc. The major merit of wireless networking is to eliminate the big and untidy cables, which acquires space and unspoils the look of your working area. But as we all know, each coin has two sides. There are demerits of wireless networking as well. It comes with high possibility of attacks on it. In this article I am going to describe different techniques of attacks on wireless networks and what we should do to prevent them.

Let’s start with WLAN protocol, which is also known as 802.11 protocol, commonly used for wireless networking. The major function of this protocol is to link more than one device. It uses spread spectrum signals. The functionality of these signals is based on radio frequency communication where networking is established between two point-to-point end devices consisting of a transmitter and a receiver. In this mechanism, participants (in terms of end devices) must have transmitters and receivers to send and receive signals.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

To connect to the wireless network, each participant must have wireless AP (Access Point – also known as Wi-Fi hot-spot) along with the wireless adaptor. The AP acts as a walkie-talkie. It converts radio signals into digital signal and vice-versa. When AP transmit the signals, those signals have SSID, known as service set identifier & information of network identification. The receiver detects the signals and lists the available wireless network around him/her, along with the signal strength. Not only this, it also identifies whether the AP is using any security, and if yes, then what is the level of security. As its wireless network, it allows more than one node to let those nodes connect with the network, so that is why authentication is important to ensure there is not any malicious Internet user lying in that network. The AP holds this responsibility.

Wi-Fi Security

If you look into the wireless network protocol architecture as shown in the figure below, you will come to know that there is no inbuilt security in that.

Figure: 802.11 Protocol Architecture

So researchers implemented techniques such as authentication and encryption on the top of the 802.11 protocol stack. These techniques are WEP and WPA, respectively known as “Wireless Equivalent Privacy” & “Wi-Fi Protected Access”. Unlike wired networks, a wireless network’s signals can be effortlessly intercepted and tampered with. So encryption and authentication is a must for wireless networks.

Establishment of Wireless Network Using the Pre-Shared Authentication Technique

For successful establishment of the connection, we know that the client will need to access the AP. So the client sends the request to the AP for authentication. Then the AP sends the client a challenge: the client will need to encrypt the text using the pre-configured key and she/he also sends it back to the AP. The AP decrypts it using the key, and if matching, the connection is established; otherwise, the connection will be dropped. I have written this key exchange and acknowledgement process in a very simplified way. In real life, the scenario it works as shown in figure 2 below.

Figure: Pre-shared Authentication Process

The newer version of the protocol consists of SSID with the shared key combined with it. The WEP key uses the RC4 algorithm, however the WEP key is completely broken. So big IT firms do not use the WEP key, in order to not put their organization’s wireless network at risk. Now we completely understand what is Wi-Fi, how it works, and what are the protocols in action. Now let’s move to the security attacks in Wi-Fi networks.

Passive Attack: These attacks are not harmful to the networks; they take place for information-gathering. A malicious user just listens to the all inbound and outbound traffic of a wireless network. As we know, traffic contains packets, and each packet contains juicy information such as packet sequence numbers, MAC address, and much more. The nature of these attacks is silent, that is why they are hard to detect. Using this attack, a malicious attacker can make an active attack to the wireless network. Sometimes malicious users use packet-deciphering tools in order to steal information by decrypting the data from it. Deciphering packets in WEP is really easy, as WEP’s security is very low and easily breakable. Sometimes this technique is also called WAR DRIVING. If you want to know how war driving is possible and carried out practically, then you must check the reference at the end, in which there is a report which describes the full method of it.

Active Attack: As the attacker does a passive attack in order to get information about the wireless network, now she/he will do an active attack. Mostly, active attacks are IP spoofing & Denial of Service attack.

IP Spoofing: In this attack scenario, the attacker accesses the unauthorized wireless network. Not only that, but also she/he does packet crafting in order to impersonate the authorization of that server or network.

Denial of Service Attack: Here the attacker makes an attack on a particular target by flooding the packets to the server. In most cases, SYN packets are used because they have those capabilities of generating the flood storm.

MITM Attack: Here the attacker accesses the information of the AP of any active SSID. Here dummy APs are created. The attacker listens the communication between to end points. Let’s suppose a client is having a TCP connection with any server, then the attacker will be the man in the middle and she/he splits that TCP connection into two separate connections, whose common node will be an attacker himself/herself. So the first connection is from client to an attacker, and the second connection will be from the attacker to the server. So each and every request and response will be taking place between client and server via an attacker. So an attacker can steal information passing in the air between them.

Figure : MITM attack scenario

Wireless Signal Jamming Attack: In this attack scenario, wireless radio signals are used. An attacker may have a stronger antenna for a signal generator. First, the attacker identifies the signal patterns around him or the target AP. Then she/he creates the same frequency pattern radio signals and starts transmitting in the air in order to create a signal tornado of a wireless network. As a result, the target AP gets jammed. On top of that, the legitimate user node also gets jammed by signals. It disables the AP connection between a legitimate user of wireless network and the network itself. There can be mainly three reasons for jamming the wireless network:

1. Fun – Prevent the legitimate user from receiving any kind of data from the Internet.
2. Spy – Delay in packet deployment to the legitimate user can give more time to an attacker for deciphering the packet in order to steal the information.
3. Attack – Attacker may spoof the packets and send it to the victim in order to take control over the user’s machine or network.

This is a type of DOS attack on the wireless networks. This attack takes place when any fake or rough RF frequencies are making trouble with the legitimate wireless network operation. In some cases, those are false positives, such as a cordless telephone that uses the identical frequency to the wireless network. So in that case, you might see some results in your wireless monitoring software or mechanism, but it is actually not a jamming of signal. It is not a very common attack, as it requires a ton of capable hardware.

Figure 4. Access Points, Transmitters and Jammers

Above, figure 4 describes the architecture of a launched attack in which there are different access points, jammers and legitimate transmitters. The jammer’s main function is make an interference in the wireless communication.

Pre-Shared Key Guessing: As we all know, a pre-shared key is used by both the AP as well as the node in order to encrypt the data communication. Generally administrators of those Wi-Fi networks don’t change the default key in place. Professional hackers always try to find the manufacturer of wireless access points in order to get the default ID and password. There are some websites which provide the list of default router manufacturer name, their administrator ID and passwords. Some of them are listed below:

• http://www.routerpasswords.com/
• http://www.phenoelit.org/dpl/dpl.html
• http://www.similarsites.com/goto/defaultpassword.com?searchedsite=routerpasswords.com&pos=2

These websites show a list of ID passwords for different router admin access and configuration setting access. But to connect to that part, the attacker will need to access Wi-Fi. Nowadays every router comes with encryption technology, and mostly all the routers are using a WEP key. The full form of WEP is wired equivalent privacy, which is the default standard protocol for 802.11 wireless networks. It is based on the RC4+XOR algorithm in order to convert plain text into cipher text by using a 40 bit long key along with a 24 bit initialization vector. Below, figure 5 shows the standard WEP encryption process using the RC4 algorithm along with the XOR technique.

Figure 5. Standard WEP Encryption Process using RC4 algorithm with XOR operation

However, research shows that this encryption mechanism has many weaknesses, and that is why it is completely broken. Research also says that it takes more than 40,000 packets of data to crack WEP in minutes. There are some other techniques such as dictionary attack and statistical key guessing attack  that can be used to break a WEP key in no time.

There are some other attacks too which are potential threats to the wireless networks. Those attacks are mentioned and described below. Before understanding the different wireless network attacks, we need to know where a wireless attack can be performed by an attacker. To illustrate that, see figure 6 below.

Figure 6. Places where wireless attacks can be performed

Frame Injection Attacks on 802.11: To perform this kind of attack, an attacker must have a deep understanding and knowledge of the protocol. Any professional hacker will perform this method in order to perform an injection attack on wireless networks. Firstly, she/he will perform passive information gathering of that network. Then the attacker creates wireless protocol frames in order to send it to the targeted network. There are basically two ways of doing so. One can either create a false packet and insert it into that network. The other way is to sniff the network traffic. Once these packets are sent to the server, the response from that wireless network is captured, intercepted and modified by an attacker to perform a man-in-the-middle attack. This is hard to detect, as it happens at layer two. An illustration of this process is shown below in figure 7.

Figure 7. Frame Injection & MITM attack scenario in wireless networks

Denial of Sleep Attack: Sometimes wireless networks don’t use radio transmission. So in order to reduce consumption, it regulates the communication of that particular node. A malicious user can take  advantage of this mechanism. An attacker may drain the power supply of the sensor device in order to make node’s life very short, or attack the MAC layer to reduce the sleep period of it. If a number of drained nodes goes high, the whole network can be disrupted. Only the MAC protocol has an ability to create a longer sleep duration. Without that, you cannot extend the lifetime of your wireless network.

Collision Attack: In this type of attack, the attacker tries to spoil the packets to be transmitted to the receiver. So when the attacker is successful, the resulting packet’s checksum will not be expected at the receiver’s end. As a result of that, the whole packet will be discarded at the receiver’s node. Now retransmission of that packet will consume high energy of that particular sensor node. A second approach to collision attack can be defined as this: Sometimes, messages get transmitted on the node via same frequency, and it can also generate collision. An illustration of this same frequency problem can be understand in the figure below.

Figure 8. Channel Overlapping Scenario

As you can see in the figure, the yellow area is showing that channel two’s signals are overlapping on to  channel one’s work area. Both channels will suffer in communication.

De-Synchronization Attack: In this attack, the attacker tries to modify the control flags and sometimes the sequence numbers in order to forge the packets, or messages. As a result, the attacker limits the legitimate user from exchanging the messages between the server and client. It will continuously request retransmission of those messages. This attack causes aninfinite cycle of retransmission. It acquires a lot of energy. We can also say that the attacker disturbs the established connection between two end points.

Flooding Attack: There are plenty of DoS attacks which reduce the network lifetime in different ways. One of the common methods is Denial of Service attack. An attacker sends a huge amount of packets in order to stop the network from communicating with different nodes. The main aim of this attack is to exhaust the resources on the victim’s machine.

Figure 9. Flooding in Wireless Network

Replay Attack: In this process, transmission data is repeated maliciously. An attacker intercepts the data in order to retransmit it further. It’s a part of masquerade attack which can be carried away by substitution of an IP packet. A stream cipher attack can be taken place into that.

Figure 10. Replay Attack Process Flow

An attacker repeats copies of the packets to the victim in order to exhaust the energy or power supply. This kind of attack has an ability to crash applications which are designed poorly.

Selective Forwarding Attack: It may also refer as ‘gray hole attack’. In this form of attack, an attacker may stop the node to pass packets through by forwarding or dropping those messages. In one form of selective forwarding attack, a node selectively rejects the packets by dropping them from coming into that network from an individual node or a group of individual nodes.

Figure 11. Selecting Forwarding Attack Scenario

The above figure illustrates this attack. Here you can see that a malicious node is selectively dropping packets from a certain node or group of nodes. It may do that or forward it to somewhere else which will create no trustable routing information due to forwarding packets to any wrong path within the network.

Unauthorized Routing Update Attack: In the routing process, many components take place such as hosts, base station, access points, nodes, routing protocols, etc. A malicious user may try to update all this information in order to update the routing table. It may be possible that due to this attack, some of the nodes get isolated from the base station. Also, a network partition may occur due to this attack. Packets may be dropped after the TTL expires. Packets can be forwarded to any unauthorized user. All of these incidents are the impact of this attack.

Wormhole Attack: In this type of attack, an attacker copies the whole packet or message by tunneling them to another network from the originator. Then the attacker transmits them to the destination node. When the attacker transmits the copied messages or packets to the destination node, she/he transmits it speedily in such a way that copied packets reach the destination node before the original packets (from the legitimate user) reach it. To do that, the attacker uses a wormhole tunnel. Wormhole nodes are fully invisible.

Figure 12. Wormhole Attack Scenario

As an example, the impact of a wormhole attack on routing protocols is illustrated in Figure 12. The adversary establishes a wormhole link between nodes s₉ and s₂, using a low-latency link. When node s₉ broadcasts its routing table as in distance vector routing protocols, node s₂ hears the broadcast via the wormhole and assumes it is one hop away from s₂. Similarly, the neighbors of s₂ adjust their own routing tables and route via s₂ to reach any of the nodes s₉, s₁₀ s₁₁, and s_12.

Sinkhole Attack: This is a special kind of selective forwarding attack which draws attention on the compromised node. A compromised node attracts all maximum possible traffic of the network. Then it places malicious node to the closest base station and it enables the selective forwarding attack. It is a very complex attack. Detection of a sinkhole attack is very hard and it affects the higher layer applications. The below figure illustrates the architecture of a sinkhole attack.

Figure 13. Sinkhole Attack Scenario

The interesting part is, a sinkhole attack can be also done with a wormhole attack. The below figure illustrates this scenario in which one malicious node gathers all traffic of the network (sinkhole attack) and it tunnels (Wormhole attack) with another node in order to reach to the base station.

Figure 14. Sinkhole Attack with Wormhole Attack

Impersonate Attack & Sybil Attack: This attack is very common and well known. The attacker may obtain the legitimate person’s IP address or MAC address in order to steal his/her identity and make it his/her own. Then the attacker may attack another victim and can do plenty of things with that new stolen identity of the legitimate user. A Sybil attack is an advanced version of an impersonate attack in which a  malicious user (attacker) may steal multiple identities. In technical terms, a malicious node represents itself to the other fellow nodes by acquiring multiple identities within itself. Impacts will be the same as in  in an impersonate attack.

Traffic Analysis Attack: Here an attacker gains the information of the network traffic as well as the behavior of the nodes. Traffic analysis can be done via checking the message length, pattern of message, and duration in which it stayed within the session. Then the attacker might correlate all this inbound and outbound traffic to any single custom router, which might violate the privacy of the members due to being linked with those messages. Sometimes an attacker might able to link two nodes with an unrelated connection within the network.

References

[1] Brownfield, M.; Yatharth Gupta; Davis, N., "Wireless sensor network denial of sleep attack," Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC , vol., no., pp.356,364, 15-17 June 2005

[2]  Raymond, David R.; Midkiff, S.F., "Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses," Pervasive Computing, IEEE , vol.7, no.1, pp.74,81, Jan.-March 2008

[3]  Oberg, L.; Youzhi Xu, "Prioritizing Bad Links for Fast and Efficient Flooding in Wireless Sensor Networks," Sensor Technologies and Applications, 2007. SensorComm 2007. International Conference on , vol., no., pp.118,126, 14-20 Oct. 2007

[4]  Zi Feng; Jianxia Ning; Broustis, I.; Pelechrinis, K.; Krishnamurthy, S.V.; Faloutsos, Michalis, "Coping with packet replay attacks in wireless networks," Sensor, Mesh and Ad Hoc Communications and Networks (SECON), 2011 8th Annual IEEE Communications Society Conference on , vol., no., pp.368,376, 27-30 June 2011

[5]  How 802.11 Wireless Works. (2003, 03 28). Retrieved from Resources and Tools for IT Professionals | TechNet: http://technet.microsoft.com/en-us/library/cc757419%28v=ws.10%29.aspx

[6]  Deciphering Encoding: Packet Analyzation Tools. (2012, 02 09). Retrieved from Stack Overflow: http://stackoverflow.com/questions/541517/deciphering-encoding-packet-analyzation-tools

[7]  Shared Key Authentication . (2013, 08 04). Retrieved from the Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/aa916565.aspx

[8]  Pre-shared key - Wikipedia, the free encyclopedia. (2013, 11 14). Retrieved from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Pre-shared_key

[9]  Alejandro, P., & Loukas, L. (n.d.). Selective Jamming Attacks In Wireless Networks.

[10] Authentication with Private Pre-Shared Key. (n.d.). Retrieved from Aerohive Networks Wireless WLAN Controller-less | AerohiveWorks.com: http://www.aerohiveworks.com/Authentication.asp

[11] Burak, & Ustun. (n.d.). Security Services in Group Communications over Wireless Infrastructure, Mobile Ad Hoc, and Wireless Sensor Networks.

[12] Chintan, G. (2013, 07 01). MITM ATTACK - Configuration to Exploit. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/07/mitm-attack-configuration-to.html

[13]Chintan, G. (2013, 06 02). MITM Attack Scenario. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/06/mitm-attack-scenario.html

[14] Christoph, H., & Rafael, W. (n.d.). IP SPOOFING.

[15] Deng, J., & Mishra, R. H. (n.d.). Countermeasures Against Traffic Analysis Attack in Wireless Sensor Networks. Colorado.

[16] Different routing attacks on WSNs. (n.d.). Retrieved from http://www.hindawi.com/journals/ijdsn/2013/802526/fig9/

[17] Garret. (2011, 09 05). Another DNS Attack - And why you need secureauth.. Retrieved from http://www.secureauth.com/blog/another-dns-attack-and-why-you-need-secureauth/

[18] Hardy, L., & Gafen, M. (2009, 07 21). Mesh wireless sensor networks: Choosing the appropriate technology. Retrieved from http://industrial-embedded.com/article-id/?4098

[19] Higgins, T. (2010, 01 24). When Wireless LANs Collide: How To Beat The Wireless Crowd . Retrieved from http://www.smallnetbuilder.com/wireless/wireless-howto/31190-when-wireless-lans-collide-how-to-beat-the-wireless-crowd

[20] Johnson, D. (n.d.). Wireless Pre-shared Key Cracking(WPA, WPA2).

[21] Lehembre, G. (n.d.). Wi-Fi security – WEP, WPA and WPA2. Hackin9.

[22] Lemhachheche, R., & Hong, J. (n.d.). Project : WEP Protocol Weaknesses and Vulnerabilities . Retrieved from Riad Lemhachheche, Oregon State University, Information Systems Engineering - Industrial and Manufacturing Engineering: http://www.mobilelife.eu/OSU/ece578/report.htm

[23] Mdscott. (n.d.). Wireless man-in-the-middle attack. Retrieved from http://itlaw.wikia.com/wiki/Wireless_man-in-the-middle_attack

[24] mister_x. (2011, 01 16). Aircrack-ng. Retrieved from http://www.aircrack-ng.org/doku.php?id=aircrack-ng

[25] Mustafa, H. (n.d.). THE SYBIL ATTACK IN SENSOR NETWORK.

[26] Ou, G. (2007, 04 5). German researchers put final nail in WEP. Retrieved from http://www.zdnet.com/blog/ou/german-researchers-put-final-nail-in-wep/464

[27] Poovendran, R., & Lazos, L. (2006, 05 08). A graph theoretic framework for preventing the wormhole attack. Retrieved from http://www2.engr.arizona.edu/~llazos/research.php

[28] Qijun, G., & Peng, L. (n.d.). Denial of Service Attacks.

[29] Soni, V., Modi, P., & Chaudhri, V. (n.d.). Detecting Sinkhole Attack in Wireless Sensor.

[30] Vader, G. D. (n.d.). Wardriving Manual.

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Learn More

[31] Yang, C.-L., Tarng, W., Hsieh, K.-R., & Chen., &. M. (n.d.). A Security Mechanism for Clustered Wireless Sensor Networks Based on Elliptic Curve Cryptography.