Wi-Fi: How it Works and Security Measures

Uploaded by harken

Page 1: Wi-Fi: How it Works and Security Measures

Wi-Fi: How it Works and Security Measures

What is Wi-Fi?

Any wireless local area network (WLAN) product that meets the Institute of Electrical and Electronics Engineers' (IEEE) standards

Typically covers a range of 20 meters indoors

The OSI Model

International Standards Organization (ISO) developed the Open Systems Interconnection (OSI) model

It is meant to divide all network communication into seven distinct parts

Each layer takes care of a specific job, then passes the data on to the next layer

Layer 1 - Physical

Refers to any physical device meant to transmit data

Examples are cables, wireless cards, antennas, and fiber optics

These devices handle the actual transmission of data (like carrier pigeons)

The actual data that is to be sent or received through this layer is determined by higher-level layers

Layer 2 – Data Link

Determines which Media Access Control (MAC) address data should be sent to

MAC addresses are unique numbers assigned to all wireless devices; they are used to identify different devices on a local network

This layer only handles data sent across ONE network; an internet connection that sends data over multiple networks uses Layer 3

Layer 3 - Network

Handles data transmission to other networks using the Internet Protocol (IP) Address

Like Layer 2, this layer only handles the addressing and routing of data (it gets data to where it needs to go)

Layer 4 - Transport

This layer makes sure that data is reliably transferred to upper layers

Communication protocols operate on this layer to ensure that the data packets were sent correctly and in the right order

This is necessary because sending data through various mediums and over long distances, such as internet connections, is unreliable; these protocols prevent packets from being duplicated or fragmented and account for lost data

Layer 7 - Application

The highest layer – applications that want to send data put it in here

Data that is sent is expected to arrive in an identical condition at the destination

When a WLAN card receives data, Layer 1 passes it up to Layer 7

If a program is sending data to another target, that data will be sent from Layer 7 down to Layer 1

Connecting to a WLAN: Authentication

Whenever a client wants to connect to a WLAN, it must first authenticate to it

Authentication identifies the client that is attempting to connect to the WLAN

For WEP (Wired Equivalency Protection) encrypted APs, this can be done in two ways: shared-system authentication and open-system authentication

Shared-System Authentication

To begin shared-system authentication, a client will send a message to the access point (AP) saying that it is ready to begin

The AP will respond with an unencrypted (or “clear text”) message

The client will encrypt this message using the key that its user entered and send it back to the AP

If the message was encrypted using the correct key, the AP will inform the client that it is now authenticated

Open-System Authentication

This is essentially like having no authentication

The client will send a data frame to the AP to identify itself

The AP sends back a successful authentication frame

Which is more Secure?

The answer here is actually that open-system authentication is more secure

It is very important to remember that with wireless traffic, waves are sent everywhere, not just to a single intended destination

If someone has set their wireless card to “sniff” (monitor) all wireless traffic rather than just the traffic intended for their terminal, they could capture both the clear text frame and the correctly encrypted version of it that are exchanged during shared-system authentication

WEP Security Shortcomings

WEP is a stream cipher, so its security relies on its initialization vectors (IVs) never being used more than once

Due to the limited size of an IV, however, there is a 50% chance that an IV will be repeated after 5,000 packets of data – a number that is quickly reached on a busy network

A program such as aircrack-ng (to be demonstrated later) can run statistical analyses on captured IVs to crack the key in less than five minutes
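
Added example (not from the original slides): a Python sketch of the two weaknesses described above, the clear text challenge and encrypted response exposed by shared-system authentication, and the repeating IV. The key, IV and payloads are constructed sample values; it assumes the 24-bit IV is chosen at random and leaves out WEP's CRC-32 integrity value.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || secret (the CRC-32 ICV is left out)."""
    return rc4(iv + secret, plaintext)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_collision_probability(frames: int, bits: int = 24) -> float:
    """Chance that at least two of `frames` random IVs are equal."""
    log_unique = sum(math.log1p(-i / 2**bits) for i in range(frames))
    return 1.0 - math.exp(log_unique)

def frames_until_collision(target: float = 0.5, bits: int = 24) -> int:
    """Smallest frame count whose collision probability reaches target."""
    log_unique, frames = 0.0, 0
    while 1.0 - math.exp(log_unique) < target:
        log_unique += math.log1p(-frames / 2**bits)
        frames += 1
    return frames

SECRET = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")          # constructed 24-bit IV

def shared_key_leak(challenge: bytes) -> bytes:
    """Clear challenge XOR encrypted response = keystream for this IV."""
    return xor(challenge, wep_encrypt(IV, SECRET, challenge))

def reused_iv_leak(p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV: ciphertext XOR equals plaintext XOR."""
    return xor(wep_encrypt(IV, SECRET, p1), wep_encrypt(IV, SECRET, p2))

if __name__ == "__main__":
    print("50% chance of an IV repeat after", frames_until_collision(), "frames")
```

The frame count it reports is in line with the roughly 5,000 packets quoted above, and both leak functions return data that a listener obtains without ever knowing the key.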

WPA Encryption

WPA (Wi-Fi Protected Access) encryption was developed in response to the discovery that WEP was insecure

It uses a more secure method of both authenticating and transferring data

The Four-Way Handshake

The “handshake” is the conversation a client has with the AP as it tries to authenticate using WPA encryption

This authentication process is drastically more secure than WEP because the key used to decrypt the traffic changes every time a client connects, and the key is never divulged across a wireless medium
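
Added example (not from the original slides): a simplified Python model of how both sides derive a fresh per-connection key from the PMK and two random nonces, so that only the nonces and a keyed check value cross the air. The nonce exchange and the "Pairwise key expansion" label follow IEEE 802.11i; the PMK, MAC addresses and message body are constructed, and the check value is a stand-in for the real EAPOL-Key MIC.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"   # PRF label from IEEE 802.11i


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < length:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Per-connection key from the PMK and values sent in the clear."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, LABEL, data, 64)


def handshake(pmk_ap, pmk_sta, ap_mac, sta_mac):
    """Model messages 1-2; return (client's key, did the AP accept?)."""
    anonce = os.urandom(32)            # message 1: AP -> client
    snonce = os.urandom(32)            # chosen by the client
    ptk_sta = derive_ptk(pmk_sta, ap_mac, sta_mac, anonce, snonce)
    body = b"constructed message 2 body" + snonce
    mic = hmac.new(ptk_sta[:16], body, hashlib.sha1).digest()[:16]
    # Message 2 carries snonce and mic; the AP recomputes with its own PMK.
    ptk_ap = derive_ptk(pmk_ap, ap_mac, sta_mac, anonce, snonce)
    expected = hmac.new(ptk_ap[:16], body, hashlib.sha1).digest()[:16]
    return ptk_sta, hmac.compare_digest(mic, expected)


PMK = hashlib.sha256(b"constructed demo PMK").digest()  # stand-in 32 bytes
AP_MAC = bytes.fromhex("020000000001")                   # constructed
STA_MAC = bytes.fromhex("02000000000a")                  # constructed

if __name__ == "__main__":
    key1, ok1 = handshake(PMK, PMK, AP_MAC, STA_MAC)
    key2, ok2 = handshake(PMK, PMK, AP_MAC, STA_MAC)
    print("accepted:", ok1, ok2, "| same key twice:", key1 == key2)
```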

The WPA Security Hole

Even though the PMK is never transmitted during the four-way handshake, WPA can still be compromised

If a potential hacker is monitoring the handshake, he/she will be able to use a dictionary file containing possible PMKs to see if any of them would yield the same result as a successful handshake

This method only works on weak passwords, however, and a complete brute force attempt at cracking the key would take hundreds, thousands, or even millions of years depending on the password length

Deauthentication Attacks

Normally, whenever a client wishes to disconnect from an AP, it sends a disassociation packet to the AP telling it to cease communications with it

The AP, however, does not necessarily know where that packet originated; it can only see the MAC address that the data frame claims to have come from

Knowing this, any client can send an AP a deauthentication request for any other client on the network. Operating systems do not usually provide a method for doing this, as there is no legal use for it

This type of attack has different uses

In the case of cracking a WEP key, it can be used to generate traffic between the client and the AP, because Windows will automatically try to re-authenticate with an AP that it has lost connectivity with, thus continually generating traffic that can be captured and used to crack the key

In the case of cracking a WPA PMK, this attack can force the client to redo the four-way handshake, allowing it to be captured for use with a dictionary attack

Or, of course, you could just free up all of the broadband for yourself...
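
Added example (not from the original slides): one way a monitoring sensor could flag the behaviour described above, by counting deauthentication and disassociation frames per station pair in a sliding window. The frame records, addresses, window and threshold are constructed assumptions, not values from any product.

```python
from collections import defaultdict, deque

AP = "02:00:00:00:00:01"        # constructed addresses
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_B = "02:00:00:00:00:0b"

# Constructed capture summary: (seconds, subtype, claimed source, destination)
FRAMES = [
    (0.5, "data", CLIENT_A, AP),
    (2.0, "disassoc", CLIENT_A, AP),   # one ordinary disconnect
    (3.1, "data", CLIENT_B, AP),
] + [(5.0 + 0.1 * i, "deauth", AP, CLIENT_B) for i in range(8)]  # burst


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Return {station pair: peak count} for every pair that saw at least
    `threshold` deauth/disassoc frames within `window` seconds."""
    recent = defaultdict(deque)   # pair -> timestamps still inside the window
    peaks = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        # The source MAC is only claimed, so key on the unordered pair.
        pair = tuple(sorted((src, dst)))
        stamps = recent[pair]
        stamps.append(ts)
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold:
            peaks[pair] = max(peaks.get(pair, 0), len(stamps))
    return peaks


if __name__ == "__main__":
    for pair, count in detect_deauth_flood(FRAMES).items():
        print("possible deauthentication flood:", pair, "peak", count, "frames")
```

Because the source address is only claimed, the alert names the affected pair rather than a sender. IEEE 802.11w (Protected Management Frames) addresses the root cause by authenticating these frames.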

Script Kiddies

Now that the internet is so widely accessible and there are plenty of tools available that can be used to break into and deface virtual property, a new type of hacker, the “Script Kiddie”, is commonplace

The Blaster Worm

The Blaster Computer Worm was a virus propagated in the early 2000s that was designed to turn victims' PCs into tools to overflow windowsupdate.com with useless traffic (a DoS attack)

On August 29, 2003, Jeffrey Lee Parson (seen on the last slide), an 18-year-old from Hopkins, Minnesota, was arrested for creating a variant of the worm, adding only his screen name and a back door into the virus