Wireless Attacks | CompTIA Security+ SY0-601 | 1.4a

In this video you will learn about wireless network attack such as: evil twins, rogue access points, Bluesnarfing, Bluejacking, disassociation, jamming, RFID attacks, NFC attacks, & initialization vectors.

Evil Twin

An evil twin is a fraudulent WiFi access point that appears to be legitimate but is set up to eavesdrop on wireless communications.[1]  The evil twin is the wireless LAN equivalent of the phishing scam.  This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent website and luring people there.  The attacker snoops on Internet traffic using a bogus wireless access point.  Unwitting web users may be invited to log into the attacker’s server, prompting them to enter sensitive information such as usernames and passwords.  Often, users are unaware they have been duped until well after the incident has occurred.

Rogue Access Point

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.[2]  To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

Bluesnarfing

Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, & PDAs (personal digital assistant).[3]  This allows access to calendars, contact lists, emails & text messages, and on some phones, users can copy pictures and private videos.  Bluejacking exploits others’ Bluetooth connections without their knowledge.  Any device with its Bluetooth connection turned on and set to “discoverable” (able to be found by other Bluetooth devices in range) may be susceptible to Bluesnarfing if there is a vulnerability in the vendor’s software.  By turning off this feature, the potential victim can be safer from the possibility of being Bluesnarfed; although a device that is set to “hidden” may be Bluesnarfable by guessing the device’s MAC address via a brute force attack.

Bluejacking

Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius.  First, the hacker scans his surroundings with a Bluetooth-enabled device, searching for other devices.  The hacker then sends an unsolicited message to the detected devices.  Bluejacking doesn’t involve device hijacking, despite what the name implies.  The Bluejacker may send only unsolicited messages.  Hijacking does not actually occur because the attacker never has control of the victim’s device.  At worst, Bluejacking is an annoyance.  Bluejacking can be prevented by setting a device to hidden, invisible or non-discoverable mode.[4]

Disassociation (Deauthentication) Attack

A WiFi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a WiFi wireless access point.  Unlike most radio jammers, deauthentication acts in a unique way.  The IEEE 802.11 (WiFi) protocol contains the provision for a deauthentication frame.  Sending the frame from the access point to a station is called a “sanctioned technique to inform a rogue station that they have been disconnected from the network”.[5]  An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.  The protocol does not require any encryption for this frame, even when the session was established with WEP for data privacy, and the attacker only needs to know the victim’s MAC address, which is available in the clear through wireless network sniffing.  One of the main purposes of deauthentication used in the hacking community is to force clients to connect to an evil twin access point which then can be used to capture network packets transferred between the client and the access point.  The attacker conducts a deauthentication attack to the target client, disconnecting it from its current network, thus allowing the client to automatically connect to the evil twin access point.

Jamming

Jamming is the deliberate jamming, blocking or interference with wireless communications.[6]  In some cases jammers work by the transmission of radio signals that disrupt communications by decreasing the signal-to-noise ratio.[7]  In a lot of instances, the jamming of wireless signals are used to create a full or partial DoS condition in the wireless network.  Most modern wireless implementations provide built-in features that can help immediately detect jamming attacks.[8]

Radio Frequency Identification (RFID)

RFID uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID tag consists of a tiny radio transponder; a radio receiver and transmitter. When triggered by an electromagnetic interrogation pulse from a nearby RFID reader device, the tag transmits digital data, usually an identifying inventory number, back to the reader. This number can be used to inventory goods.  RFID attacks can come in the form of skimming, on-path attacks, sniffing, eavesdropping/replaying, spoofing, & jamming (DoS).  From an authentication standpoint, the attacker uses the attacks to try to find out the passcode.  An RFID tag can also be reverse-engineered if the attacker gets possession of it.  Also, power levels can be analyzed to find out passwords because some RFID tags emit different levels of power when it comes to correct & incorrect passcodes.  To prevent RFID attacks, security administrators should consider newer-generation RFID devices, encryption, chip coatings, filtering of data, and multi-factor authentication methods.[8]

Near-Field Communication (NFC)

Near-field communication is a set of communication protocols that enable 2 electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other.  Although it is rather difficult to attack an NFC-enabled device due to the distance NFC devices have to operate within, there are 3 methods that can be used against NFC technologies such as:[9]

  • Eavesdropping:  where the attacker could use an antenna to record communication between NFC devices.
  • Data Modification:  where data being exchanged is captured & modified by an attacker’s radio frequency device.
  • Relay Attack:  where an attacker holds an NFC reader near the victim’s NFC device & relays data over another communication channel to a second NFC reader placed in proximity to the original reader that will emulate the victim’s NFC device.

Initialization Vector (IV)

An initialization vector is a random fixed-sized input that occurs in the beginning of every WEP or WPA packet.  The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique.  Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message.  Initialization vector attacks are wireless network vulnerability attacks.  An IV attack is a type of related-key attack which occurs when an attacker observes the operation of a cipher using several different keys & finds a mathematical relationship between those keys, allowing the attacker to ultimately decipher data.  The best way to prevent IV attacks is to use stronger wireless protocols such as WPA2 with AES and WPA3.[8]

References

  1. Strange Wi-Fi spots may harbor attacks. The Dallas Morning News.
  2. Identifying Rogue Access Points.  Wi-Fi Planet.
  3. Dagon, D.; Martin, T.; Starner, T. (2004). Mobile Phones as Computing Devices: The Viruses are Coming. IEEE Pervasive Computing.
  4. Bluejacking. Techopedia.
  5. Wright, J. (2005). Weaknesses in Wireless LAN Session Containment.
  6. https://apps.fcc.gov/edocs_public/attachmatch/DA-12-347A1.pdf Enforcement Advisory No. 2012-02 FCC Enforcement Advisory Cell Jammers, GPS Jammers, and Other Jamming Devices Consumer Alert: Using or Importing Jammers is Illegal.
  7. Berg, J. (2008). Broadcasting on the Short Waves, 1945 to Today.
  8. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide. Pearson IT Certification.
  9. Paganini, P. (2013). Near Field Communication (NFC) Technology, Vulnerabilities and Principal Attack Schema. Infosec Institute.