As we all know, wireless networks are now everywhere, from personal homes to corporate businesses, schools and universities, cafes and so on. The major merit of a wireless network is that it eliminates the bulky, untidy cables that take up space and spoil the look of your working area. But every coin has two sides, and wireless networks have demerits as well: they come with a high possibility of being attacked. In this article I am going to describe different techniques of wireless attacks seen in the wild and what we should do to prevent those attacks on wireless networks.
Let's start with the WLAN protocol, also known as the 802.11 protocol, which is commonly used for wireless networking. In this mechanism each participant (that is, each end device) must have a transmitter and a receiver for sending and receiving signals. The major function of this protocol is to link more than one device. It uses spread spectrum signals, which are based on radio frequency communication: networking is established between two point-to-point end devices, each consisting of a transmitter and a receiver. To connect to a wireless network, each participant needs a wireless AP (Access Point, also known as a Wi-Fi hotspot) along with a wireless adaptor. The AP acts like a walkie-talkie: it converts radio signals into digital signals and vice versa. When the AP transmits, its signals carry the SSID (service set identifier) and network identification information. The receiver detects these signals and lists the available wireless networks around the user along with their signal strength. Not only that, it also identifies whether the AP is using any security and, if so, what the level of security is. Because a wireless network lets more than one node connect, authentication is important to ensure that no malicious internet user is lurking in the network. The AP holds this responsibility.
Wi-Fi Security
If you look into the wireless network protocol architecture shown in the figure below, you will see that there is no inbuilt security in it. So researchers implemented techniques such as authentication and encryption on top of the 802.11 protocol stack. These techniques are WEP and WPA, respectively known as "Wired Equivalent Privacy" and "Wi-Fi Protected Access". Unlike a wired network, a wireless network's signals can be effortlessly intercepted and tampered with, so encryption and authentication are a must for wireless networks.
Establishment of a Wireless Network Using the Pre-Shared Authentication Technique
For successful establishment of the connection, the client needs access to the AP, so the client sends an authentication request to the AP. The AP then sends the client a challenge. The client encrypts the challenge text using the pre-configured key and sends it back to the AP. The AP decrypts it using the key; if it matches, the connection is established, otherwise the connection is dropped. I have written this key exchange and acknowledgement process in a very simplified way. In a real-life scenario it works as shown in figure 2 below.
The newer version of the protocol combines the SSID with the shared key. WEP uses the RC4 algorithm, but WEP is completely broken, so big IT firms do not use WEP keys, as that would put their organization's wireless network at risk. Now we understand what Wi-Fi is, how it works and which protocols are in action. Let's move on to security attacks on Wi-Fi networks.
Passive Attack: In this attack the malicious user just listens to all inbound and outbound traffic of a wireless network. As we know, the traffic consists of packets, and each packet contains a lot of juicy information such as packet sequence numbers, MAC addresses and much more. These attacks do not damage the network; they take place purely for information gathering, and with the information collected a malicious attacker can then launch an active attack on the wireless network. The nature of these attacks is silent, which is why they are hard to detect. Sometimes malicious users use packet deciphering tools to steal information by decrypting the captured data. Deciphering packets in WEP is really easy, as WEP's security is very low and easily breakable. This technique is sometimes also called WAR-DRIVING. If you want to know how war driving is practically carried out, check the reference cited at the end of this article, which contains a report describing the full method.
Active Attack: As I said, the attacker performs a passive attack to gather information about the wireless network; now she/he will perform an active attack. The most common active attacks are IP spoofing and denial of service.
IP Spoofing: In this scenario the attacker accesses the wireless network without authorization. Not only that, she/he also crafts packets in order to impersonate an authorized host on that server or network.
Denial of Service Attack: Here the attacker launches a denial of service attack on a particular target by flooding the server with packets. In most cases SYN packets are used because they are capable of generating the flood storm.
MITM Attack: Here the attacker obtains the AP information of an active SSID and creates dummy APs. The attacker listens to the communication between the two endpoints. Suppose a client has a TCP connection with a server; the attacker becomes the man in the middle and splits that TCP connection into two separate connections whose common node is the attacker. The first connection runs from the client to the attacker and the second from the attacker to the server, so every request and response between client and server passes through the attacker, who can steal any information passing through the air between them.
Wireless Signal Jamming Attack: This attack uses wireless radio signals. The attacker may have a stronger antenna driven by a signal generator. First, the attacker identifies the signal patterns around him or around the target AP. Then she/he generates radio signals with the same frequency pattern and starts transmitting them into the air, creating a signal tornado around the wireless network. As a result the target AP gets jammed, and on top of that the legitimate user's node is jammed by the signals as well. This cuts the AP connection between the legitimate user of the wireless network and the network itself. There are mainly 3 reasons for jamming a wireless network, as shown below.
1. Fun – Prevent the legitimate user from receiving any kind of data from the internet.
2. Spy – Delaying packet delivery to the legitimate user gives the attacker more time to decipher the packets and steal information.
3. Attack – The attacker may spoof packets and send them to the victim in order to take control of the user's machine or network.
It is a type of DoS attack on wireless networks. It takes place when fake or rogue RF frequencies disturb the legitimate wireless network's operation. In some cases these are false positives: for example, a cordless telephone uses the same frequency as the wireless network users, so you might see some results in your wireless monitoring software, but it is not actually signal jamming. It is not a very common attack, as it requires a lot of capable hardware.
Figure 4 above shows the architecture of the launched attack, in which there are different access points, jammers and legitimate transmitters. The jammer's main function is to cause interference in the wireless communication.
Pre-Shared Key Guessing: As we all know, the pre-shared key is used by both the AP and the node to encrypt the data communication. Generally the administrators of these Wi-Fi networks don't change the default key that is in place. Professional hackers always try to find out the manufacturer of the wireless access point in order to look up the default ID and password. There are some websites that provide lists of router manufacturer names along with their default administrator IDs and passwords. Some of them are listed below.
- http://www.routerpasswords.com/
- http://www.phenoelit.org/dpl/dpl.html
- http://www.similarsites.com/goto/defaultpassword.com?searchedsite=routerpasswords.com&pos=2
The above sites list the IDs and passwords for admin access and configuration settings on different routers. But to reach that part, the attacker will first need to join that Wi-Fi network. Nowadays every router comes with encryption technology, and most routers are using a WEP key. WEP stands for Wired Equivalent Privacy, the default standard protocol for 802.11 wireless networks. It is based on the RC4+XOR algorithm to convert plain text into cipher text using a 40-bit key along with a 24-bit initialization vector. Figure 5 below shows the standard WEP encryption process using the RC4 algorithm along with the XOR technique.
However, research shows that this encryption mechanism has many weaknesses, which is why it is completely broken. Research also says that with more than 40000 packets of data, WEP can be cracked in minutes. Other techniques such as dictionary attacks and statistical key guessing attacks can also be used to break a WEP key in no time.
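To make the shared-key handshake from the authentication section and the RC4+XOR construction above concrete, here is an added Python example; it is not code from this post or from any real AP firmware, and the 40-bit key, the IVs and the plaintexts are constructed values. It also shows why the 24-bit IV matters: two frames under one IV share a keystream, so XORing their ciphertexts cancels the keystream.

```python
import os
import zlib

IV_LEN = 3          # 24-bit initialization vector, sent in the clear
WEP40_KEY_LEN = 5   # 40-bit key, as described in the text

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (plaintext || CRC-32 ICV) XOR RC4(IV || key)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)

def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext when the ICV verifies, otherwise None."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext

def shared_key_auth(ap_key: bytes, client_key: bytes) -> bool:
    """The exchange from the text: the AP sends a random challenge, the client
    returns it WEP-encrypted under its key, and the AP accepts only if its own
    key decrypts the reply back to the challenge."""
    challenge = os.urandom(128)                                     # message 2
    reply = wep_encrypt(client_key, os.urandom(IV_LEN), challenge)  # message 3
    return wep_decrypt(ap_key, reply) == challenge                  # message 4

def keystream_reuse(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames sent under the same IV use the same keystream, so XORing the
    two ciphertexts leaves p1 XOR p2, visible without the key. With only 2**24
    IVs a busy AP repeats one quickly, one reason the text calls WEP broken."""
    c1 = wep_encrypt(key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(key, iv, p2)[IV_LEN:]
    return xor(c1, c2)[:min(len(p1), len(p2))]

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    print("correct key accepted:", shared_key_auth(key, key))
    print("wrong key accepted:", shared_key_auth(key, b"\x00" * WEP40_KEY_LEN))
    p1, p2 = b"hello wireless", b"HELLO WIRELESS"
    print("IV reuse leaks p1^p2:", keystream_reuse(key, b"\x00\x00\x01", p1, p2) == xor(p1, p2))
```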
There are some other attacks too which are potential threats to wireless networks. Those attacks are described below. Before understanding the different wireless network attacks, we need to know where an attacker can perform a wireless attack. Figure 6 below illustrates that.
Frame Injection Attacks on 802.11: To perform this kind of attack, an attacker must have a deep understanding of the protocol. A professional hacker will use this method to perform an injection attack on a wireless network. First, she/he performs passive information gathering on that network. Then the attacker crafts wireless protocol frames and sends them to the targeted network. There are basically two ways of doing so: one can either create a false packet and insert it into the network, or sniff the network traffic. Once these packets are sent to the server, the response from the wireless network is captured, intercepted and modified by the attacker to perform a man-in-the-middle attack. Note that this is hard to detect because it happens at layer 2. Figure 7 below illustrates this process.
Denial of Sleep Attack: Wireless sensor nodes do not keep the radio transmitting all the time; to reduce power consumption, the MAC layer regulates when a particular node communicates and lets it sleep in between. A malicious user can take advantage of this mechanism. The attacker may drain the power supply of a sensor device to make the node's life very short, by attacking the MAC layer to reduce its sleep period. If the number of drained nodes goes high, the whole network can be disrupted. Only the MAC protocol has the ability to create longer sleep durations; without that you cannot extend the lifetime of your wireless network.
Collision Attack: In this type of attack, the attacker tries to corrupt packets as they are transmitted to the receiver. When the attacker succeeds, the resulting packet's checksum will not be what the receiver expects, so the whole packet is discarded at the receiver's node. Retransmitting that packet then consumes a lot of energy on that particular sensor node. A second form of collision attack can be described as follows: when messages are transmitted to the node on the same frequency, this can also generate collisions. This same-frequency problem can be understood from the figure below.
As you can see in the figure, the yellow area shows channel 2's signals overlapping channel 1's working area. Because part of channel 2's working area overlaps channel 1's, both channels suffer in communication.
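The channel overlap in the figure can be computed rather than eyeballed. This is an added Python example, not code from this post: it uses the standard 2.4 GHz channel centre frequencies and the 22 MHz DSSS channel width; the access point names and their channel assignments are constructed.

```python
CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS channel width; centres are only 5 MHz apart

def channel_centre_mhz(ch: int) -> int:
    """Centre frequency of 2.4 GHz channel ch (1..13: 2407 + 5*ch; 14: 2484)."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"no such 2.4 GHz channel: {ch}")

def channels_overlap(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels interfere when their centres are closer than one channel
    width; channels 1 and 2 (5 MHz apart) are the case shaded in the figure."""
    return abs(channel_centre_mhz(a) - channel_centre_mhz(b)) < width

def interfering_pairs(assignment: dict) -> list:
    """Given {access_point: channel}, list the AP pairs whose channels overlap."""
    names = sorted(assignment)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if channels_overlap(assignment[x], assignment[y])]

def non_overlapping_channels(width: int = CHANNEL_WIDTH_MHZ) -> list:
    """Greedy lowest-first choice of mutually non-overlapping channels.
    Channel 14 only appears because it is 22 MHz above 11; it is permitted
    only in Japan and only for 802.11b."""
    chosen = []
    for ch in range(1, 15):
        if all(not channels_overlap(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen

if __name__ == "__main__":
    # Constructed office with three APs on channels 1, 2 and 11.
    aps = {"ap-lobby": 1, "ap-lab": 2, "ap-office": 11}
    print("interfering pairs:", interfering_pairs(aps))
    print("non-overlapping channels:", non_overlapping_channels())
```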
De-Synchronization Attack: In this attack, the attacker modifies control flags and sometimes sequence numbers in order to forge packets or messages. As a result, the attacker prevents the legitimate user from exchanging messages between server and client, which continuously request retransmission of those messages. This attack causes an infinite cycle of retransmissions, which consumes a lot of energy. We can also say that the attacker disturbs the established connection between the two endpoints.
Flooding Attack: There are plenty of DoS attacks that reduce the network lifetime in different ways. One of the common methods is this form of denial of service: the attacker sends a huge number of packets in order to stop the network from communicating with its different nodes. The main aim of this attack is to exhaust the resources on the victim's machine.
Replay Attack: In this process, transmitted data is maliciously repeated. The attacker intercepts the data in order to retransmit it later. It is part of a masquerade attack, which can be carried out by substituting an IP packet, and a stream cipher attack can also take place through it. The attacker repeatedly sends copies of the packets to the victim in order to exhaust its energy or power supply. This kind of attack has the ability to crash poorly designed applications.
Selective Forwarding Attack: This is also referred to as a 'gray hole attack'. In this form of attack, a malicious node stops packets from passing through it by dropping some messages and forwarding others. In selective forwarding, the node selectively rejects packets coming into the network from an individual node or a group of nodes by dropping them.
The figure above illustrates this attack. Here you can see that the malicious node selectively drops packets from a certain node or group of nodes. It may also forward them somewhere else, which leaves no trustworthy routing information because packets are forwarded along the wrong path within the network.
Unauthorized Routing Update Attack: Many components take part in the routing process, such as hosts, base stations, access points, nodes, routing protocols and so on. A malicious user may try to alter this information in order to update the routing tables. Because of this attack, some nodes may become isolated from the base station, and the network may become partitioned. Packets may be dropped after their TTL expires, or be forwarded to an unauthorized user. All these incidents are the impact of this attack.
Wormhole Attack: In this type of attack, an attacker copies whole packets or messages arriving from the originator and tunnels them to another part of the network, then transmits them to the destination node. The attacker transmits the copied messages so quickly that the copies reach the destination node before the original packets from the legitimate user get there. To do this the attacker uses a wormhole tunnel. Wormhole nodes are fully invisible.
As an example, the impact of a wormhole attack on routing protocols is illustrated in Figures 5 and 6. In Figure 5, the adversary establishes a wormhole link between nodes s9 and s2 using a low-latency link. When node s9 broadcasts its routing table, as in distance vector routing protocols, node s2 hears the broadcast via the wormhole and assumes s9 is one hop away. Similarly, the neighbors of s2 adjust their own routing tables and route via s2 to reach any of the nodes s9, s10, s11 and s12.
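The s9/s2 example above can be reproduced with a small distance-vector simulation. This is an added Python example, not code from this post or from the cited paper; the chain topology s1..s9 with s10, s11, s12 attached to s9, the hop-count metric and the synchronous update schedule are my assumptions.

```python
INF = float("inf")

def distance_vector(nodes, links):
    """Synchronous hop-count distance-vector routing (Bellman-Ford) over an
    undirected topology. Returns table[node][dest] = (hops, next_hop)."""
    nbrs = {n: set() for n in nodes}
    for a, b in links:
        nbrs[a].add(b)
        nbrs[b].add(a)
    table = {n: {d: (0 if d == n else INF, None) for d in nodes} for n in nodes}
    changed = True
    while changed:
        changed = False
        # Every node broadcasts its current vector to its neighbours.
        adverts = {n: {d: table[n][d][0] for d in nodes} for n in nodes}
        for n in nodes:
            for d in nodes:
                if d == n:
                    continue
                best = table[n][d]
                for m in sorted(nbrs[n]):
                    if 1 + adverts[m][d] < best[0]:
                        best = (1 + adverts[m][d], m)
                if best != table[n][d]:
                    table[n][d] = best
                    changed = True
    return table

def path(table, src, dst):
    """Follow next hops from src to dst; None if there is no route."""
    p = [src]
    while p[-1] != dst:
        nxt = table[p[-1]][dst][1]
        if nxt is None or nxt in p:
            return None
        p.append(nxt)
    return p

def wormhole_victims(nodes, links, wormhole, dests):
    """Nodes whose route to any of dests crosses the adversary's link once the
    wormhole is present. The link looks like an ordinary one-hop neighbour
    relation to the routing protocol, which is exactly the point of the attack."""
    table = distance_vector(nodes, links + [wormhole])
    a, b = wormhole
    victims = set()
    for s in nodes:
        for d in dests:
            p = path(table, s, d)
            if p and any({p[i], p[i + 1]} == {a, b} for i in range(len(p) - 1)):
                victims.add(s)
    return victims

# Constructed topology: a chain s1 .. s9 with s10, s11 and s12 hanging off s9.
NODES = [f"s{i}" for i in range(1, 13)]
LINKS = [(f"s{i}", f"s{i + 1}") for i in range(1, 9)] + [("s9", "s10"), ("s9", "s11"), ("s9", "s12")]
WORMHOLE = ("s2", "s9")  # the low-latency tunnel between the two wormhole nodes
FAR_NODES = ["s9", "s10", "s11", "s12"]

if __name__ == "__main__":
    before = distance_vector(NODES, LINKS)
    after = distance_vector(NODES, LINKS + [WORMHOLE])
    print("s1 -> s9 hops before/after:", before["s1"]["s9"][0], after["s1"]["s9"][0])
    print("nodes now routing through the wormhole:", sorted(wormhole_victims(NODES, LINKS, WORMHOLE, FAR_NODES)))
```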
Sinkhole Attack: This is a special kind of selective forwarding attack that draws the network's attention to the compromised node. The compromised node attracts as much of the network's traffic as possible. The attacker places the malicious node close to the base station, which enables the selective forwarding attack. It is a very complex attack; detecting a sinkhole attack is very hard, and it affects higher-layer applications. The figure below illustrates the architecture of a sinkhole attack.
The interesting part is that a sinkhole attack can also be combined with a wormhole attack. The figure below illustrates this scenario, in which one malicious node gathers all the traffic of the network (sinkhole attack) and tunnels it (wormhole attack) to another node in order to reach the base station.
Impersonation Attack & Sybil Attack: It is very common and well known that an attacker may obtain a legitimate person's IP address or MAC address in order to steal his/her identity and make it his/her own. The attacker may then attack another victim and do plenty of things with the stolen identity of the legitimate user. A Sybil attack is an advanced version of the impersonation attack in which the malicious user (attacker) steals multiple identities. In technical terms, the malicious node presents itself to its fellow nodes under multiple identities held within itself. The impact is the same as for the impersonation attack.
Traffic Analysis Attack: Here the attacker gains information about the network traffic as well as the behavior of the nodes. Traffic analysis can be done by checking the message length, the pattern of messages and the duration they stayed within the session. The attacker might then correlate all this inbound and outbound traffic at a single router, which can violate the privacy of the members linked to those messages. Sometimes the attacker may even be able to link 2 nodes that have no related connection within the network.
[1] Brownfield, M.; Yatharth Gupta; Davis, N., "Wireless sensor network denial of sleep attack," Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC, pp. 356-364, 15-17 June 2005.
[2] Raymond, David R.; Midkiff, S.F., "Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses," Pervasive Computing, IEEE, vol. 7, no. 1, pp. 74-81, Jan.-March 2008.
[3] Oberg, L.; Youzhi Xu, "Prioritizing Bad Links for Fast and Efficient Flooding in Wireless Sensor Networks," Sensor Technologies and Applications, 2007. SensorComm 2007. International Conference on, pp. 118-126, 14-20 Oct. 2007.
[4] Zi Feng; Jianxia Ning; Broustis, I.; Pelechrinis, K.; Krishnamurthy, S.V.; Faloutsos, Michalis, "Coping with packet replay attacks in wireless networks," Sensor, Mesh and Ad Hoc Communications and Networks (SECON), 2011 8th Annual IEEE Communications Society Conference on, pp. 368-376, 27-30 June 2011.
[5] How 802.11 Wireless Works. (2003, 03 28). Retrieved from Resources and Tools for IT Professionals | TechNet: http://technet.microsoft.com/en-us/library/cc757419%28v=ws.10%29.aspx
[6] Deciphering Encoding: Packet Analyzation Tools. (2012, 02 09). Retrieved from Stack Overflow: http://stackoverflow.com/questions/541517/deciphering-encoding-packet-analyzation-tools
[7] Shared Key Authentication. (2013, 08 04). Retrieved from the Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/aa916565.aspx
[8] Pre-shared key - Wikipedia, the free encyclopedia. (2013, 11 14). Retrieved from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Pre-shared_key
[9] Alejandro, P., & Loukas, L. (n.d.). Selective Jamming Attacks In Wireless Networks.
[10] Authentication with Private Pre-Shared Key. (n.d.). Retrieved from Aerohive Networks Wireless WLAN Controller-less | AerohiveWorks.com: http://www.aerohiveworks.com/Authentication.asp
[11] Burak, & Ustun. (n.d.). Security Services in Group Communications over Wireless Infrastructure, Mobile Ad Hoc, and Wireless Sensor Networks.
[12] Chintan, G. (2013, 07 01). MITM ATTACK - Configuration to Exploit. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/07/mitm-attack-configuration-to.html
[13] Chintan, G. (2013, 06 02). MITM Attack Scenario. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/06/mitm-attack-scenario.html
[14] Christoph, H., & Rafael, W. (n.d.). IP SPOOFING.
[15] Deng, J., & Mishra, R. H. (n.d.). Countermeasures Against Traffic Analysis Attack in Wireless Sensor Networks. Colorado.
[16] Different routing attacks on WSNs. (n.d.). Retrieved from http://www.hindawi.com/journals/ijdsn/2013/802526/fig9/
[17] Garret. (2011, 09 05). Another DNS Attack - And why you need secureauth. Retrieved from http://www.secureauth.com/blog/another-dns-attack-and-why-you-need-secureauth/
[18] Hardy, L., & Gafen, M. (2009, 07 21). Mesh wireless sensor networks: Choosing the appropriate technology. Retrieved from http://industrial-embedded.com/article-id/?4098
[19] Higgins, T. (2010, 01 24). When Wireless LANs Collide: How To Beat The Wireless Crowd. Retrieved from http://www.smallnetbuilder.com/wireless/wireless-howto/31190-when-wireless-lans-collide-how-to-beat-the-wireless-crowd
[20] Johnson, D. (n.d.). Wireless Pre-shared Key Cracking (WPA, WPA2).
[21] Lehembre, G. (n.d.). Wi-Fi security – WEP, WPA and WPA2. Hackin9.
[22] Lemhachheche, R., & Hong, J. (n.d.). Project: WEP Protocol Weaknesses and Vulnerabilities. Retrieved from Riad Lemhachheche, Oregon State University, Information Systems Engineering - Industrial and Manufacturing Engineering: http://www.mobilelife.eu/OSU/ece578/report.htm
[23] Mdscott. (n.d.). Wireless man-in-the-middle attack. Retrieved from http://itlaw.wikia.com/wiki/Wireless_man-in-the-middle_attack
[24] mister_x. (2011, 01 16). Aircrack-ng. Retrieved from http://www.aircrack-ng.org/doku.php?id=aircrack-ng
[25] Mustafa, H. (n.d.). THE SYBIL ATTACK IN SENSOR NETWORK.
[26] Ou, G. (2007, 04 05). German researchers put final nail in WEP. Retrieved from http://www.zdnet.com/blog/ou/german-researchers-put-final-nail-in-wep/464
[27] Poovendran, R., & Lazos, L. (2006, 05 08). A graph theoretic framework for preventing the wormhole attack. Retrieved from http://www2.engr.arizona.edu/~llazos/research.php
[28] Qijun, G., & Peng, L. (n.d.). Denial of Service Attacks.
[29] Soni, V., Modi, P., & Chaudhri, V. (n.d.). Detecting Sinkhole Attack in Wireless Sensor.
[30] Vader, G. D. (n.d.). Wardriving Manual.