Network security

It Is Simple, If I Can Compromise Your Wireless Router, I Own Your Network! Period!

Shaun Peapell
September 13, 2012 by
Shaun Peapell

It is convenient, it is a necessity, and some devices give you no other option: wireless networking is all around us.

We all use wireless networks on a daily basis, whether you access the Internet on your laptop or your iPad. Most homes in the UK will have a wireless router provided by their ISP (Internet Service Provider), preconfigured and ready to start serving up the information highway. We accept it works with little or no knowledge of how it works and exactly what the risks are.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

In my experience, there are still a vast amount of wireless networks out there that are either not protected or are offering poor protection in the form of encryption or access control. This provides easy access to anybody who wishes to utilise the service which is paid for by you! Without permission from the asset owner, it is theft, pure and simple. If don't protect your wireless network and ensure only those that you authorise to use the service have access, then you are also to blame. Not locking down your network also gives the infiltrator access to your computer systems and the ability to capture, steal and glean your personal information. It is simple, if I can compromise your wireless router, I own your network! Period! Before I discuss the fruits of the hack or compromise, I will talk a little about the wireless network standards.

A wireless network pretty much delivers information in the same way as a wired network except you don't have wires. This brings freedom of movement with ever increasing bandwidth speeds. So how does the data or information travel from one device to another? Through radio waves. The Institute of Electrical and Electronics Engineers (IEEE) standards for wireless networks are the IEEE 802.11 family, these standards are numerous and carry depth, however, for this paper I will be concentrating on the most common types.

The 802.11 family utilises a series of half-duplex over-the-air modulation techniques that use the same basic protocols. The most common operating on the 2.4 GHz band are the 802.11b, 802.11g and 802.11n. IEEE 802.11a is another standard, however it utilises a different band of 5 GHz opposed to the more common 2.4 GHz. Firstly we shall discuss the standards, the frequency at which they operate and throughput.

The IEEE 802.1a standard operates in the 5 GHz band with a maximum throughput rate of 54 Megabits per second, plus error correction code, which gives a realistic throughput, on average of around 25 to 30 Megabits per second. Although this standard does suffer from interference, due to the fact that there are fewer devices in this spectrum, it experiences less interference and therefore boasts a healthy throughput.  The 2.4 GHz band is vastly over crowded, so much so that it does suffer. Through using the relatively unused 5 GHz band, the 802.11a has an advantage.

The IEEE 802.11b operates in the 2.4GHz band and has a maximum throughput of 11 Megabits per second. 802.11b devices appeared on the market in early 2000 and were rapidly accepted by consumers as the prices of this technology dropped massively. 802.11b devices suffer interference from other products operating in the 2.4 GHz band. Devices operating in the 2.4 GHz range include microwave ovens, Bluetooth devices, baby monitors, cordless telephones and some amateur radio equipment. The throughput of 11 Megabits per second were purported to be increased to 22 Megabits per second by software based enhancement. With a greater range than that of the 802.11a, the 802.11b was replaced by the 802.11g in 2003.

IEEE 802.11g is the third standard and works in the 2.4GHz band as does the 802.11b. It operates at a maximum throughput of 54 Megabits per second and is fully backward compatible with 802.11b hardware and therefore suffers the same legacy issues that reduce throughput. Due to the higher demand of greater data throughput rates, 802.11g was welcomed in the consumer arenas, and with reduced manufacturing costs, this standard was seen almost everywhere.

The final standard I would like to discuss is the IEEE 802.11n, conforming to a draft in 2007 and finally published by the IEEE in 2009. 802.11n improved on previous 802.11 standards by adding multiple-input multiple-output antennas (MIMO). In radio,  MIMO is the use of multiple antennas at both the transmitter and receiver to improve communication performance. It is one of several forms of smart antenna technology. 802.11n massively increased throughput and range, and is the common standard seen today.

With all this technology pushing our personal information through the air, there has been no mention of security. After all, we know that radio waves are very easily intercepted; we listen to our radios, baby monitors and multiple other devices. So how do we stop others, eavesdroppers, hackers and criminals from listening or reading our data? Encryption is the answer. Without it, there is nothing stopping anyone associating with your wireless router, using your Internet service and essentially giving them the keys to your internal computing systems. Like I said earlier, if I own your wireless router, I own your network.

Let's play through a scenario - You are a career criminal who knows that your home broadband browsing habits could be traced to you by virtue of your IP address. Nobody in their right mind would sign their name to a crime, would they? There are other ways in which a user could hide their true internet identity by use of proxies, however, they are beyond the scope of this discussion. The said criminal would look for anonymity by using another individual's wireless internet. He would scan the area for wireless network services with firstly, no encryption or protection, this resembles seriously low hanging fruit which provide the perfect conduit to facilitate his crime. If the career criminal uses your Internet service to view or upload illegal or indecent images, whose door do you think the law authorities are going to knock on when they establish an originating IP address? YOURS!

There are various degrees of 'low hanging fruit' in the wireless network protection or encryption arena. Firstly having no encryption is downright foolish, almost as much of a school boy error as having Wired Equivalent Privacy (WEP). WEP was one of the first encryption standards introduced to the wireless network world, introduced as part of the original 802.11 standard ratified in September 1999. Its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP uses two methods of authentication, Open System authentication and Shared Key authentication. It was advised that the Open System authentication was better than Shared Key, even though both methods utilised the RC4 cipher.

WEP keys came in different lengths from 64 bit, 128 bit and 256 bit, all represented in hexadecimal (base 16) format. Although each was doubling its length, they all had something in common, a 24 bit Initialisation Vector (IV). For example, the 64 bit key would have the first 40 bits derived from the user's key and the final 24 bits from the IV. For every hexadecimal character entered for the key, it represented 4 bits. A 64 bit WEP key would have ten hexadecimal characters set by the user. RC4 is a stream cipher; the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition. The 24-bit IV is not long enough to ensure this on a busy network. WEP is massively vulnerable to a related key attack. For a 24-bit IV, there is a 50% probability the same vector will repeat after 5000 packets.

Cracking a WEP key on a wireless router or access point is very simple. By capturing enough data or in this case IVs, the key can be calculated. For a 64 bit key you would need to harvest at least 50,000 data packets or IVs, a 128 bit WEP key, around 100,000 data packets or IVs. Capturing the data is very simple; there are numerous open source tools on the Internet, one being the most common, the Aircrack-ng suite. This suite brings together an awesome set of tools that allows the attacker to configure the wireless network interface beyond that of the normal user, capturing data from all channels and wireless networks that it can see. Then of course the number crunching element, dependant on the number of IV's you have captured and the speed of the computer you are using, it can take a matter of seconds to reveal the WEP key. Once inputted on the authentication challenge to join the wireless network, bingo you are in! Nothing always goes to plan and at times you may want to pull your hair out waiting for the data or IVs to stack up. This can be totally dependent on the amount of traffic passing through the network, are the users streaming video or are they just browsing? These two different scenarios would produce two different capture rates. Should you find yourself in a very slow capture rate situation you can always inject traffic into the network to generate IVs, anything is possible!

As time went on, Internet Service Providers (ISP) were giving wireless routers as part of consumer contracts. Knowing that WEP was massively insecure a newer more robust encryption was used, Wi-Fi Protected Access (WPA).

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.  These new standards were introduced to replace and answer the insecure sibling WEP.

WPA was designed to supply enhanced security over the older WEP protocol. Standard WPA utilises the Temporal Key Integrity Protocol (TKIP) and has a Pre-Shared Key (PSK). WPA2 was then introduced and offered a much stronger Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) over TKIP, offered by WPA, with Advanced Encryption Standard (AES) based encryption again with a PSK. Despite the new standards, both WPA and WPA2 are vulnerable to attack. Upon the WPA four way authentication handshake, you ask your device for the relevant password or passphrase to connect to the wireless router or access point. Once the handshake has been captured, the attacker can then move away from the victim and start number crunching the handshake to produce the key. If you find that the wireless client or target is already connected to the wireless router, you have two options, wait for someone to join the network thus capturing the handshake, or disassociating the already associated client off the network, forcing them to reconnect. This enables the attacker to capture the handshake.

Disassociation attacks or de-authentication attacks are very simple to employ and could be used as a crude Denial of Service (DoS) attack, by constantly de-authenticating a client off the network. The Aircrack-ng suite offers such tools to be deployed by the attacker.

Once the attacker has captured the handshake, the attacker must then crack it. The method of cracking the handshake would be by straight forward bruteforce or dictionary attacks. Wordlist or dictionary attack lists are getting more and more comprehensive, offering millions and millions of alpha-numeric variations and symbol strings which are brute forced against the captured handshake until it cracks it or has exhausted the list. WPA and WPA2-PSK can be attacked and cracked when the PSK is shorter than 21 characters. Given enough time and computing power, bruteforcing over 1500 key variations a second, it doesn't take long to arrive at a key with a password that has less than ten characters in it.

So in conclusion, is wireless safe? Basically yes and no, it would depend on what you are using it for. If you are moving highly sensitive data around, I would not recommend it. Basic browsing without credential inputting, by that I mean Internet banking etc; use it with caution, make sure you have sufficient encryption and protection. By using over 21 alpha numeric with symbol passphrases that mean absolutely nothing, ensuring non readable constructed sentences and utilising WPA2 with AES, you should be able to thwart the opportunistic attacker.

Sleep well tonight, but not too well, the persistent SOB attacker is out there and will find your network, it is not a matter of if, more of a matter of WHEN!

We have come to place our trust in so many wireless devices that run and support our lives. From mobile phones, Near Field Comms (NFC), Radio Frequency Identification (RFID) and many more, all can and have been hacked, cracked and exploited to some degree. Put your total trust into these devices at your peril, manage your security and manage those that secure the devices for you.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

For more info, visit www.pentesting.co.uk

Shaun Peapell
Shaun Peapell

Shaun Peapell is the Information Security Consultant at CY4OR and is responsible for the

overall running of the CY4OR Secure team including vulnerability assessments, penetration

testing and information security based investigations. Shaun’s skill set extends into wireless

network vulnerability and compromise confirmation. Shaun also project manages GSM

bespoke requirements including cell site analysis. Before joining CY4OR, Shaun served 16

years in the Royal Air Force Police specialising as a Counter Intelligence and Information

Technology Security Investigator.

As an experienced information security consultant, Shaun is a TIGER Qualified Security

Team Member (QSTM) and has participated in over countless investigations involving

information security, wireless networking and unauthorized access. Shaun has been directly involved in the conception, design and build of portable GSM autonomous networks. For more info, visit http://cy4or.co.uk/.