Read an Excerpt

Seven Deadliest Wireless Technologies Attacks

SYNGRESS

Chapter One

INFORMATION IN THIS CHAPTER

• How Wireless Networks Work

• Case Study: TJX Corporation

• Understanding WEP Cracking

• How to Crack WEP

• It Gets Better and Worse

• WPA and WPA2 in a Nutshell

• How to Crack WPA PSK and WPA2 PSK

Wireless is a term thrown about quite a bit lately. Everything seems to be wireless to one degree or another, even some things no one ever expected to be, like refrigerators and other appliances. Most often, when the term wireless is used in regards to computing, it's to do with 802.11 networks.

Just about every new laptop that hits the market today has an 802.11 network card built in. It's a technology that has become ubiquitous in our lives, and we can hardly remember a time when it wasn't part of our days. It's a technology that has grown in terms of speed and range to provide the capability to be connected to the Internet from anywhere in our homes or businesses.

This widespread technology would also very quickly become quite an issue from a security perspective. Users quickly demanded to "cut the cable" and be able to access the network from anywhere in the office. Home users were quick to adopt the technology to work from the kitchen, the couch, or (more oddly) the bathroom. This intense push led to a lot of overworked and underpaid information technology (IT) administrators and neighborhood computer know-it-alls to install wireless networks without properly understanding the security risks involved. These early networks would continue to "just work" with users not realizing that the security arms race caught up with them and even passed them, making them prime targets for attack.

In November 2003, Toronto, Ontario, police held a press conference to announce a (at the time) new and unusual crime. The police report indicates that at around 5:00 a.m. an officer noticed a car slowly driving the wrong way down a one-way street in a residential neighborhood. The officer pulled the car over, and when he walked up to the driver, he was greeted with several disturbing sights. The driver was first of all not wearing any pants, which is probably disturbing in and of itself, but more alarmingly, on the passenger seat was a laptop clearly displaying child pornography. The driver had been using open wireless networks in the area to obtain Internet access to download child pornography, unbeknownst to the owners of those networks. The owners were victims themselves, twice. First, they were victims of theft of service since their communications had to compete for bandwidth with the traffic of the unauthorized user. Second, they were victimized because, for all intents and purposes, the child pornography was being downloaded through their connection. Any digital trail left would lead back to them, potentially exposing them to false accusations of downloading child pornography themselves and all the emotional and financial damage that accusation can bring. The suspect's home was searched as a result, and 10 computers and over 1,000 CDs worth of illegal material were seized.

This case, along with others through the years, has shown that operating an access point (AP) without any authentication of client devices is dangerous. If anyone can connect, there is no restriction on what sort of activities those users can partake in. Often, it's simply to check an e-mail or catch up on the latest news, but it may be someone downloading copyrighted materials, sending threatening messages, or doing worse.

Sometimes, connecting to an open network without authorization can occur even without someone realizing he or she is doing it. Windows XP, before Service pack 2, was notorious for automatically connecting to networks named the same as ones it had connected to before. A person carrying a laptop down the street configured for a common network name like "linksys" could drift to any network similarly named "linksys" and be committing an unauthorized access without knowing or interacting. Many users noticed this behavior and thought it more than helpful in gaining access to free Wi-Fi. Attackers noticed this and began to exploit it (more on that in Chapter 2, 802.11 Wireless – Client Attacks).

It's sad to consider that leaving your APs open for anyone to connect to is a dangerous proposition. The idea of everyone sharing free Internet access anywhere he or she goes is a tempting one, but society, as a cross section, contains all sorts of people, some good and some bad, and often the bad ruin such freedoms for everyone.

The Institute of Electrical and Electronics Engineers (IEEE) knew that they had to establish some mechanism to maintain privacy of communications as they were broadcast and restrict who can connect and from where. This is why all APs sold contain various methods of securing communications and limiting who can connect. Originally, Wired Equivalent Privacy (WEP) was the only option available, but as time went on, Wi-Fi Protected Access (WPA) was introduced as an interim solution when WEP was shown to be weak, and eventually WPA2 was brought forth with the final ratification of 802.11i.

As with many security technologies, if you give users the option of using it, they often won't. If you give them too many options, there's no way of guaranteeing that they will keep their systems up to date either.

HOW WIRELESS NETWORKS WORK

A wireless network typically is made up of two classes of device: APs and client devices, typically called stations (STAs). This chapter focuses on security of APs typically found in a home or business. Client security is discussed in Chapter 2, 802.11 Wireless – Client Attacks. These networks can be 802.11a, b, g, or n, but for the most part, and for discussion purposes in this chapter, it doesn't matter. The infrastructure needed is fairly universal, and standards for security are pretty much the same for all of them.

The APs are something everyone in the IT industry and most home computer users are probably familiar with. They come in all shapes and sizes and can have varying features. They are the gateways between the wired and wireless network. If you don't have one at home already, you can usually see them bolted to the wall at many businesses or in public spaces with one or more antennas sticking out of them. The AP is what the client STA connects to in a wireless network (as opposed to the other way around). In their default state, most APs will accept connections from any client STA that asks to join the network. While this is convenient for users, it is also very convenient for anyone else who wants to connect, for good reasons or bad.

In the early days of wireless, this was seen as something positive. Wireless brought out ideas of a brave new world with free Internet access and sharing of a new and useful resource. It didn't take long for the bad guys to figure out that this was very useful for them as well.

As you can see, there are wireless networks everywhere. Wherever there is a population center, you will be able to find wireless networks there.

Wireless is a shared medium. If you remember the bad old days where Ethernet networks were all using hubs and not switches, everyone saw everyone else's traffic. Well, wireless brings all the fun of those networks back. In those days, hubs were simple rebroadcasters, and they had no real intelligence as to what was connected to each port. A client would put a packet onto the wire and the hub would rebroadcast that packet to every other computer on the hub. The intended recipient accepts the packet, whereas the other simply ignores it. As you can imagine, have many clients on the network trying to communicate simultaneously and it gets pretty noisy. Network adapters normally filter out packets that come down the wire that are not intended for their address. If you disable that filter, you can now listen to all the packets, even the ones not intended for that network card. This is usually called promiscuous mode and has been a fundamental tool of network diagnosis since the beginning of networks.

In a wireless network, promiscuous mode does the same thing if you are associated to a network. If you want to listen to other networks without associating or get the management traffic at Layers 1 and 2, then you need to remove the filters from Layers 1 and 2 and the logical separation of networks. This is where monitor mode comes in. Monitor mode is useful as it allows the card to listen to any wireless data, from any network on the same channel in range.

An 802.11 network typically sends out advertising "beacon" frames to announce its presence. These frames contain the network BSSID (Media Access Control [MAC] address), ESSID (commonly known as SSID, the logical name for the network), and various flags about its capabilities (speed, encryption level, and so on). All this information is sent in clear text. Since it's a shared medium, anyone can pick up these beacons and this basic information. This is the essence of wardriving.

Much has been written about wardriving, but the best definition was coined on the netstumbler.org forums by a poster named blackwave:

Wardriving (v.) – The benign act of locating and logging wireless access points while in motion.

Essentially, it is using a wireless-enabled device to search for others. This can be as simple as the Wireless Zero Config utility in Windows searching for a network to programs like Kismet, a full wireless detector and sniffer. Integrating a GPS into the system, and coordinates of those networks can be used to generate maps of local areas for reports, or submitted to sites like wigle.net to add to a larger community data pool.

CASE STUDY: TJX CORPORATION

In April 2007, U.S. retail giant TJX, owners of TJ Maxx, Marshalls, and other retail store brands, publicly admitted in their annual Security and Exchange Commission filings that their network security had been breached and that customer credit card numbers and other information had been available to criminals roaming the network for over a year. The fallout for the company is expected to top 1 billion dollars over 5 years and caused headaches for millions of consumers now open to identity theft and credit card fraud, as well as credit card companies and financial institutions having to pay millions to replace consumers, credit cards. In May 2008, authorities arrested Albert Gonzalez in Miami, Florida, related to another large-scale identity theft. He was eventually charged as the ringleader in the TJX attacks and several other large corporate penetrations, and on August 28, 2009, Gonzalez agreed to a plea bargain and stands to serve 15 to 25 years for his role. There are several other outstanding charges related to similar attacks on other corporations that, at the time of this writing, are still waiting to work their way through the courts.

While many details are not fully known, the seemingly biggest and most well-reported entry point was a St. Paul, Minnesota store's wireless network. The indictment of Gonzalez and others indicates that Marshalls and TJX stores were penetrated through wireless networks in Miami from their own parking lots. The full extent may never be known, but it is clear that wireless networks were a component in these attacks.

Using freely available software, the attackers identified the network and proceeded to crack the WEP key used to secure the network. This provided access to the store's network and gave a foothold into the larger corporate network and all the data it contained. Whether it was a targeted attack of this specific store and chain, or if it was just that they happened by and noticed the weak security, we probably won't know. Various prosecutions of the perpetrators, though, show that many different companies were penetrated and were probably all just targets of opportunity rather than of a specific agenda. The one common element seems to be the presence of these businesses along U.S. interstate 1 in Florida. Likewise, the attackers just drove down the interstate and collected data, returning to tempting and weak targets later.

Various reports since then have indicated that the store's wireless network was secured using WEP. At the time, WEP was known to be fatally flawed and was already outmoded by the introduction of WPA encryption. These networks are often installed for the convenience of bar-code-reading scanner guns used at many stores for inventory control; these connect back to the store server over wireless. Many of these systems are only capable of WEP and are non-upgradeable, and given the amount already invested, companies are often slow to upgrade. Further complicating matters and contributing to the complacency was that, at the time, stores had to meet the Payment Card Industry (PCI) security standards in order to be allowed to take credit and debit cards. Recommendations were made to TJX to upgrade its wireless security to WPA; however, it seems from corporate e-mails that upgrades were delayed in favor of the cost savings associated with not replacing the equipment in many stores. In addition, VISA, one of the members of the PCI group, gave TJX a pass on their compliance with the condition they would do something to improve their wireless security in time. One can be certain that after the incident, wireless security was taken much more seriously. Suddenly, the original costs of upgrading seem a lot smaller than the subsequent costs of cleanup and bad press.

UNDERSTANDING WEP CRACKING

WEP was the original encryption scheme included in the 802.11b wireless standard from 1997. At the time, strong encryption was considered a defense by the U.S. State Department (a lot of manufacturers' head offices were located in the United States) and since there were restrictions on exportation of strong encryption to foreign countries, the key length was limited to 40 bits. This was later relaxed to allow 64- and 128-bit keys to be exported. For many years, this was the only security standard available for wireless.

As early as 2001, implementation problems with the WEP encryption scheme led to the first real break. The problem revolved around the initialization vector (IV) field of the scheme, a random number concatenated with the network key, used to provide some randomization to the scheme. WEP is based on the RC4 stream cipher algorithm, and as with any stream cipher, identical keys must not be used. The IVs change with each packet and eventually repeat, giving an attacker two packets with identical IVs. The counter used for IVs was 24 bits long, which on a fairly busy network meant that there was a good chance that after 5,000 packets, an IV would be repeated, yielding an IV collision where two packets were encrypted with the same key, thus providing a basis for cryptanalysis. If more collisions are encountered, this increases the chances of an attack.

Tools began to emerge like Airsnort that required 5 to 10 million packets to be captured for analysis. On a particularly busy network, this would take a couple of hours to collect. On quieter networks, it could take days, and even then, it was very much a hit-or-miss situation. These tools were later replaced by the original AircrackE suite of tools, which introduced some new methods of attack and reduced the amount of data needed between 200,000 and 500,000 packets for 40- and 64-bit WEP and a million for 128-bit WEP, a much more manageable amount to capture.

Further development of tools allowed for faster and more efficient use of IV data. The advent of the ARP replay attack really shortened the time needed to perform an attack. The ARP replay attack is where an encrypted ARP packet (known because of its unique size, even when encrypted) is captured from a network and retransmitted back to the AP, which in turn sends back another ARP packet with a different IV. This is done rapidly and repeatedly and creates a huge amount of IVs to be used and the counter to roll over and duplicate IVs to be sent. This, along with improvements to Aircrack (by this time abandoned by the original author and now reimplemented as Aircrack-ng), reduced the time to execute an attack from hours and days to as little as 10 min.

The Pychkine–Tews–Weinmann (PTW) attack was arguably the final nail in the coffin for WEP. This attack was able to use more of the packets for analysis and only needed 20,000 to 50,000 packets to work. In combination with the ARP replay attack, this could be executed in as little as 60s, start to finish, yielding the hexadecimal WEP key for the target network.

In the case of TJX at the time of the initial attack, it was widely known WEP had issues and some of these tools had been around for a few years already (since at least 2005 for Aircrack). It was just a matter of a determined attacker to spend the necessary time and energy along with a laptop, wireless card, and felonious intention to penetrate the wireless network at that fateful store one night.

(Continues...)

---

Excerpted from Seven Deadliest Wireless Technologies Attacks by Brad Haines Copyright © 2010 by Elsevier Inc.. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---