Saturday, December 28, 2013

Different Types of Wireless Attacks - Theory



As we all know that wireless networks are spread at each and every  part of the world starting from personal home to corporate business, schools/universities, cafes etc.. Major merit of wireless network is of eliminating the big and tidy cables which acquires space and not spoiling the look of your working area. But as we all know that each coin has two sides. There are demerits of wireless networks as well. It comes with high possibility of attacks on it. In this article I am going to describe different techniques of wireless attacks from the world and what we should do to prevent those attacks on wireless networks.

Let’s start with WLAN protocol which is also known as 802.11 protocol commonly used for the wireless networking. In this mechanism participants(in terms of end devices) must have transmission and receivers to sending and receiving signals. Major function of this protocol is to link more than one devices. It uses spread spectrum signals. Functionality of this signal is based on radio frequency communication where networking is established between two point-to-point end devices consisting of transmitter and receiver. For connecting to wireless network each participant must have wireless AP (Access Point – Also known as Wi-Fi hot-spot) along with the wireless adaptor. AP acts as a walkie-talkie. It converters radio signals into digital signal and vice-versa. When AP transmit the signals, those signals have SSID known as service set identifier & information of network identification. Receiver detects the signals and lists the available wireless network around him/her along with the signal strength. Not only this but also it identifies that whether the AP is using any security and if yes then what is the level of security. As its wireless network, it allows more than one nodes to let those nodes connect with the network, so that is why authentication is important to ensure there is not any malicious internet user lying in that network. AP holds this responsibility.



Wi-Fi Security
If you look into the wireless network protocol architecture as shown in below figure, you will come to know that there is no inbuilt security in that. 


So researchers implemented techniques such as authentication and encryption on the top of the 802.11 protocol stack. These techniques are WEP and WPA respectively known as “Wireless Equivalent Privacy” & “Wi-Fi Protected Access”. Unlike wired network wireless network’s signals can be effortlessly intercepted and tempered. So encryption and authentication is must for wireless networks.

Establishment of Wireless Network Using Pre-Shared Authentication Technique
For successful establishment of the connection, we know that client will need to access the AP. So client sends the request to AP for the authentication. Then AP sends client a challenge in next step. Now client will need to encrypt the text using pre-configured key and she/he also sends it back to the AP. AP decrypts it using the key and if matching gets successful then connection is established else connection will be dropped. I have written this key exchange and acknowledgement process in very simplified way. In real life scenario it works as shown in below figure 2.



The newer version of protocol consists of SSID with the shared key combined with it. WEP key uses RC4 algorithm however WEP key is completely broken. So big IT firms does not use WEP key in order to put their organization’s wireless network on the risk. Now we completely understand what is Wi-Fi how does it work and what are the protocols there in the action. Now let’s move to the security attacks in wife networks.

Passive Attack : In this malicious user just listens to the all inbound and outbound traffic of a wireless network.  As we know that traffic contains the packets and each packet contains many juicy information such as packet sequence numbers, MAC address and much more. These attacks are not harmful to the networks, these attacks take place for just information gathering. Using this attack malicious attacker can hit active attack to the wireless network. Nature of these attacks is silent, that is why it is hard to detect it. Sometime malicious users use packet deciphering tools in order to steal the information by decrypting the data from it. Deciphering packets in WEP is really easy as WEP’s security is very low and easily breakable. Sometimes this technique is also called as WAR-DRIVING. If you want to know how war driving is practically possible and carried away, then you must check this reference in which there is a report which describes the full method of it.   

Active Attack : As I told that attacker does passive attack in order to get the information about the wireless network. Now she/he will do an active attack. Mostly active attacks are IP spoofing & denial of service attack. 

IP Spoofing : In this attack scenario, attacker access the unauthorized wireless network. Not only that but also she/he does packet crafting in order to impersonate the authorization of that server or network.
Denial of Service Attack : Here attacker hits denial of service attack on particular target by flooding the packets to the server. In most of the case SYN packets are used because they have those capabilities of generating the flood storm.

MITM Attack : Here attacker access the information of AP of any active SSID. Here dummy APs are created.   Attacker listens the communication between to end points. Let’s suppose if client is having a TCP connection with any server then attacker be the man in the middle and she/he splits that TCP connection into 2 separate connection who’s common node will be an attacker himself/herself. So first connection is from client to an attacker and second connection will be from attacker to the server. So each and every request and responds will be taken place between client and server via an attacker. So an attacker can steal information passing in the air between them.


Wireless Signal Jamming Attack : In this attack scenario wireless radio signals are uses. Attacker may have a stronger antenna for signal generator. First, attacker identifies the signal patterns around him or the target AP. Then she/he creates the same frequency pattern radio signals and start transmitting in the air in order to create a signal tornado of a wireless network. As a result target AP gets jammed. On top of that the legitimate user node also gets jammed by signals. It disables the AP connection between legitimate user of wireless network and the network itself. There can be mainly 3 reasons for jamming the wireless network. Those are as shown below.

1.     Fun – Prevent the legitimate user from receiving any kind of data from internet.
2.     Spy – Delay in packet deployment at legitimate user can give more time to an attacker for deciphering the packet in order to steal the information.
3.     Attack – Attacker may spoof the packets and send it to the victim in order to take control over user’s machine or network.

It is a type of DOS attack on the wireless networks. This attack takes place when any fake or rough RF frequencies are making trouble of the legitimate wireless network operation. In some cases those are false positives such as cordless telephone uses the identical frequency as the wireless network users. So in that case, you might see some results in your wireless monitoring software or mechanism, but it is actually not a jamming of signal. It is not a very common attack as it requires a ton of capable hardware.


Above figure 4 describes the architecture of launched attack in which there are different access points, jammers and legitimate transmitters. Jammer’s main function is make an interference in the wireless communication.

Pre-Shared Key Guessing : As we all know that pre shared key is used by both AP as well as node in order to encrypt the data communication. Generally administrators of those Wi-Fi networks don’t change the default key which is in place. Professional hackers always try to find manufacturer of wireless access points in order to give default ID and password. There are some websites which provides the list of default router manufacture name, their administrator id and passwords. Some of them are listed below.

  1. http://www.routerpasswords.com/
  2. http://www.phenoelit.org/dpl/dpl.html
  3. http://www.similarsites.com/goto/defaultpassword.com?searchedsite=routerpasswords.com&pos=2


Above list shows the list of ID passwords for different router’s admin access and configuration setting access. But to connect that part attacker will need to access that Wi-Fi. Now a days every route comes with encryption technology and mostly all the routers are using WEP key. Full form of WEP is wired equivalent privacy which the default standard protocol for 802.11 wireless networks. It is based on the RC4+XOR algorithm in order to convert plain text into cipher text by using 40 bit long key along with 24 bit initialization vector. Below figure 5 shows the standard WEP encryption process using RC4 algorithm along with XOR technique.



However research shows that this encryption mechanism has many weakness and that is why it is completely broken. Research also says that it takes more than 40000 packets of data to crack WEP in minutes. There are some other techniques such as dictionary attack and statistical key guessing attack  can be used to break WEP key in no time.

There are some other attacks too which are potential threat to the wireless networks. Those attacks are mentioned and described as below. Before understanding the different wireless network attack, we need to know that where can wireless attack be perform by an attacker. To illustrate that see below figure 6.


Frame Injection Attacks on 802.11: To perform this kind of attack, an attacker must have a deep understanding and knowledge of protocol. Any professional hacker will perform this method in order to perform injection attack on wireless networks. Firstly, she/he will perform passive information gathering of that network. Then attacker creates wireless protocol frames in order to send it to the targeted network. There are basically two ways of doing so. One can either create a false packet and insert it to that network. The other way is to sniff the network traffic. Once these packets are sent to server, response from that wireless network is captured, intercepted and modified by an attacker to perform man-in-the-middle attack. Make sure that this thing is hard to detect as it happens at layer 2. Illustration of this process is mentioned in below figure 7.


Denial of Sleep Attack: Sometimes wireless network don’t use radio transmission. So in order to reduce the consumption it regulates the communication of that particular node. Malicious user can take an advantage of this mechanism. Attacker many drain the power supply of the sensor device in order to make node’s life very short. Attacker attack on MAC layer to reduce the sleep period of it. So if number of drained node goes high, whole network can be disrupted. Only MAC protocol has an ability to create longer sleep duration. Without that you cannot extend the life time of your wireless network.

Collision Attack: In this type of attack, attacker tries to spoil the packets to be transmitted at the receiver. So when attacker gets succeeded then the resulting packet’s check sum will not be expected at receiver’s end. As a result of that, whole packet will be discarded at receiver’s node. Now retransmission of that packet will consume high energy of that particular sensor node. Second Approach of collision attack can be defined as this. Sometime message gets transmitted on the node via same frequency it can also generate collision. Illustration of this same frequency problem can be understand by below figure.


As you can see in the figure that yellow area is showing that channel 2’s signals are overlapping on to the channel one’s work area. So the amount of channel 2’s work area is overlapping in channel one’s work area, both the channels will suffer the in communication.

De-Synchronization Attack: In this attack, attacker tries to modify the control flags and sometimes the sequence numbers in order to forge the packets, or messages. As a result, attacker limits the legitimate user from exchanging the messages between server and client. It will continuously request for retransmission of those messages. This attack causes infinite cycle of the retransmission. It acquires a lot of energy. We can also say that attacker disturbs the established connection between two end points.

Flooding Attack: There are plenty of DoS attacks which reduces the network lifetime in different ways and manner. One of the common method is denial of service attack. Attacker sends huge amount of packets in order to stop the networking from being communicating with different nodes. Main aim for this attack is exhaust the resources on the victim’s machine.


Replay Attack:  In this process data of the transmission is repeated maliciously. Attacker intercepts the data in order to retransmit it further. It’s a part of masquerade attack which can be carried away by substitution of an IP packet. A stream cipher attack can be taken place into that.


Attacker repeats the copies of the packets to the victim in order to exhaust the energy or power supply. This kind of attack has an ability to crash applications which are designed poorly.

Selective Forwarding Attack: It may also refer as ‘gray hole attack’. In this form of attack, attacker may stop the node to pass packets through in by forwarding or dropping those messages. In form of selective forwarding attack, node selectively rejects the packets by dropping them coming into that network from an individual node or the group of individual nodes.


Above figure illustrates this attack. Here you can see that malicious node is selectively dropping packets from certain group of node or nodes. It may does that or forward it to somewhere else which will create no trustable routing information due to forwarding packets to any wrong path within the network.

Unauthorized Routing Update Attack:  In routing process many components take place such as hosts, base station, access points, nodes, routing protocols etc.. Malicious user may try to update all these information in order to update the routing table. It may possible that due to this attack, some of the nodes gets isolated from the base station. Also network partition may occur due to this attack. Packets may dropped after TTL gets expired. Packets can be forwarded to any unauthorized user. All these incidents are the impact of this attack.

Wormhole Attack: In this type of attack, an attacker copies the whole packet or message by tunneling them to another network came from the originator. Then attacker transmits them to the destination node. When attacker transmits the copied messages or packets to the destination node, she/he transmits it speedily in such a way that copied packets reach to the destination node before the original packets (from legitimate user) reach there. To do that attacker uses wormhole tunnel. Wormhole nodes are fully invisible.


As an example, the impact of a wormhole attack on routing protocols is illustrated in Figures 5,6. In Figure 5, then adversary establishes a wormhole link between nodes s9 and s2, using a low-latency link. When node s9 broadcasts its routing table as in distance vector routing protocols, node s2 hears the broadcast via the wormhole and assumes is one hop away from s2. Similarly, the neighbors of s2 adjust their own routing tables and route via s2 to reach any of the nodes s9, s10 s11, and s12.

Sinkhole Attack: This is a special kind of selective forwarding attack which draws attention on the compromised node. Compromised node attracts all maximum possible traffic of the network. Then it places malicious node to the closest base station and it enables the selective forwarding attack. It is very complex attack. Detection of sinkhole attack is very hard and it affects the higher layer applications. Below figure illustrates the architecture of sinkhole attack.

 
Interesting part is, sinkhole attack can be also done with wormhole attack. Below figure illustrates this scenario in which one malicious node gathers all traffic of the network (sinkhole attack) and it tunnels (Wormhole attack) with another node in order to reach to the base station.


Impersonate Attack & Sybil Attack: This attack is very common and well known that attacker may obtain the legitimate person’s IP address or MAC address in order to steal his/her identity and make it his/her own. Then attacker may attack another victim and can do plenty of things with that new stolen identity of legitimate user. In Sybil attack is an advanced version of impersonate attack in which malicious user (attacker) may steal multiple identities. In technical terms malicious node represents itself to the other fellow nodes by acquiring multiple identities within itself. Impacts will be the same as it was there in impersonate attack.

Traffic Analysis Attack: Here attacker gains the information of network traffic as well as behavior of the nodes. Traffic analysis can be done via checking the message length, pattern of message, duration in which it stayed within the session. Then attacker might correlate all these inbound and outbound traffic at any single custom router which might violate the privacy of the members due to being linked with those messages. Sometime attacker might able to link 2 nodes with unrelated connection within the network.

References

[1] Brownfield, M.; Yatharth Gupta; Davis, N., "Wireless sensor network denial of sleep attack," Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC , vol., no., pp.356,364, 15-17 June 2005 


[2]  Raymond, David R.; Midkiff, S.F., "Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses," Pervasive Computing, IEEE , vol.7, no.1, pp.74,81, Jan.-March 2008

[3]  Oberg, L.; Youzhi Xu, "Prioritizing Bad Links for Fast and Efficient Flooding in Wireless Sensor Networks," Sensor Technologies and Applications, 2007. SensorComm 2007. International Conference on , vol., no., pp.118,126, 14-20 Oct. 2007

[4]  Zi Feng; Jianxia Ning; Broustis, I.; Pelechrinis, K.; Krishnamurthy, S.V.; Faloutsos, Michalis, "Coping with packet replay attacks in wireless networks," Sensor, Mesh and Ad Hoc Communications and Networks (SECON), 2011 8th Annual IEEE Communications Society Conference on , vol., no., pp.368,376, 27-30 June 2011

[5]  How 802.11 Wireless Works. (2003, 03 28). Retrieved from Resources and Tools for IT Professionals | TechNet: http://technet.microsoft.com/en-us/library/cc757419%28v=ws.10%29.aspx

[6]  Deciphering Encoding: Packet Analyzation Tools. (2012, 02 09). Retrieved from Stack Overflow: http://stackoverflow.com/questions/541517/deciphering-encoding-packet-analyzation-tools

[7]  Shared Key Authentication . (2013, 08 04). Retrieved from the Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/aa916565.aspx

[8]  Pre-shared key - Wikipedia, the free encyclopedia. (2013, 11 14). Retrieved from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Pre-shared_key

[9]  Alejandro, P., & Loukas, L. (n.d.). Selective Jamming Attacks In Wireless Networks.

[10]        Authentication with Private Pre-Shared Key. (n.d.). Retrieved from Aerohive Networks Wireless WLAN Controller-less | AerohiveWorks.com: http://www.aerohiveworks.com/Authentication.asp

[11]        Burak, & Ustun. (n.d.). Security Services in Group Communications over Wireless Infrastructure, Mobile Ad Hoc, and Wireless Sensor Networks.

[12]        Chintan, G. (2013, 07 01). MITM ATTACK - Configuration to Exploit. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/07/mitm-attack-configuration-to.html

[13]        Chintan, G. (2013, 06 02). MITM Attack Scenario. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/06/mitm-attack-scenario.html

[14]        Christoph, H., & Rafael, W. (n.d.). IP SPOOFING.

[15]        Deng, J., & Mishra, R. H. (n.d.). Countermeasures Against Traffic Analysis Attack in Wireless Sensor Networks. Colorado.

[16]        Different routing attacks on WSNs. (n.d.). Retrieved from http://www.hindawi.com/journals/ijdsn/2013/802526/fig9/

[17]        Garret. (2011, 09 05). Another DNS Attack - And why you need secureauth.. Retrieved from http://www.secureauth.com/blog/another-dns-attack-and-why-you-need-secureauth/

[18]        Hardy, L., & Gafen, M. (2009, 07 21). Mesh wireless sensor networks: Choosing the appropriate technology. Retrieved from http://industrial-embedded.com/article-id/?4098

[19]        Higgins, T. (2010, 01 24). When Wireless LANs Collide: How To Beat The Wireless Crowd . Retrieved from http://www.smallnetbuilder.com/wireless/wireless-howto/31190-when-wireless-lans-collide-how-to-beat-the-wireless-crowd

[20]        Johnson, D. (n.d.). Wireless Pre-shared Key Cracking(WPA, WPA2).

[21]        Lehembre, G. (n.d.). Wi-Fi security – WEP, WPA and WPA2. Hackin9.

[22]        Lemhachheche, R., & Hong, J. (n.d.). Project : WEP Protocol Weaknesses and Vulnerabilities . Retrieved from Riad Lemhachheche, Oregon State University, Information Systems Engineering - Industrial and Manufacturing Engineering: http://www.mobilelife.eu/OSU/ece578/report.htm

[23]        Mdscott. (n.d.). Wireless man-in-the-middle attack. Retrieved from http://itlaw.wikia.com/wiki/Wireless_man-in-the-middle_attack

[24]        mister_x. (2011, 01 16). Aircrack-ng. Retrieved from http://www.aircrack-ng.org/doku.php?id=aircrack-ng

[25]        Mustafa, H. (n.d.). THE SYBIL ATTACK IN SENSOR NETWORK.

[26]        Ou, G. (2007, 04 5). German researchers put final nail in WEP. Retrieved from http://www.zdnet.com/blog/ou/german-researchers-put-final-nail-in-wep/464

[27]        Poovendran, R., & Lazos, L. (2006, 05 08). A graph theoretic framework for preventing the wormhole attack. Retrieved from http://www2.engr.arizona.edu/~llazos/research.php

[28]        Qijun, G., & Peng, L. (n.d.). Denial of Service Attacks.

[29]        Soni, V., Modi, P., & Chaudhri, V. (n.d.). Detecting Sinkhole Attack in Wireless Sensor.

[30]        Vader, G. D. (n.d.). Wardriving Manual.

[31]         Yang, C.-L., Tarng, W., Hsieh, K.-R., & Chen., &. M. (n.d.). A Security Mechanism for Clustered Wireless Sensor Networks Based on Elliptic Curve Cryptography.




No comments: