Wireless Network Attacks – CompTIA Network+ N10-006 – 3.2

Wireless networks are much more accessible than wired networks, and this accessibility enables a unique set of attacks. In this video, you’ll learn about rogue access points, evil twins, wardriving, warchalking, bluejacking, and bluesnarfing.
<< Previous: Denial of ServiceNext: Wireless Protocol Attacks >>

A rogue access point on your network can be a significant backdoor. This is where someone can easily gain access to your network because somebody else has plugged in an open wireless access point. There’s obviously a huge security concern associated with this, but it’s so easy to do. You can pick up these wireless access points from almost anywhere. You plug them into the network, you don’t have to configure anything extra, you simply plug them in and now everyone would gain access to your internal network thereby bypassing any security controls that you might have on the inside or outside of your network.

This is why you would probably want to do a periodic survey of the wireless networks in your area, walk around the building or the floors with some device that can then identify where all of the different access points might be. And if you were using 802.1X or Network Access Control or NAC, you would be authenticating everybody who connected to the network, whether they were on a wireless network or plugging into a wired connection. And since your wireless rogue access point would not have a way to authenticate with 802.1X, plugging in the access point would not gain anybody any additional access to the network.

A more direct and intentional circumvention of your network controls might be something with the wireless evil twin. This is where you are effectively building your own access point that’s going to pretend to be somebody else’s access point. These are usually relatively inexpensive, less than $100. You configure it in exactly the same way that the corporate access point may be configured with the same SSID, the same security settings, and you generally make it so that this access point has more power than any of the others access point, therefore it becomes the primary access point that devices will connect to.

You could even be outside the building as long as the power for this access point is stronger than anything else. Usually when you’re in a place that has Wi-Fi hotspots that are wide open, this can be very easy to fool anybody. In fact, they’ll connect to your access point just because of the name that’s associated with it. This is obviously not a good situation for people communicating through this device because everything going through this access point now can be identified, viewed, and examined by the owner of the access point.

That’s why regardless of whether you know you’re on a trusted network or not, you want to use encrypted protocols or virtual private network tunnels so that even if you do send information to a wireless evil twin, all of that information would be encrypted and no one would be able to understand any of the traffic you’re sending. Before there was wireless networks and the internet that hackers could explore, they simply dialed up different telephone numbers to see if there might be a modem on the other side. This was popularized in the movie WarGames, and so people began to call that wardialing.

Well, we’ve taken it now to the next logical step. We’re now hopping into our cars, we’ve got a Wi-Fi monitoring system that integrates with a GPS, and we’re simply driving around. We’re calling this wardriving. We can drive through neighborhoods, we can drive down the middle of town, and our wireless monitoring system is looking at all of the different access points that are out there and making a note of which ones are open, what their SSIDs might be, which ones may be closed, what type of encryption they’re using on these networks, and you can really gather quite a bit of information. The tools to do this are relatively free.

This is a good example of some of them. You can easily load this up on a laptop or a mobile device, start walking around, and begin gathering a lot of intelligence. We’re not just doing this in our cars, of course. There have been instances where the hackers have used remote control airplanes or driven around in their bicycle to be able to gather all of these details.

Now that you’ve accumulated all this information by driving down the street, you can bring it back and put it into a form that makes it a little easier to understand, like overlaying it onto a map. The red is the closed access points, the green dots are the open access points. You can really start to see just how many of these networks are wide open. It would be interesting to see how many of them are designed to be an open access point or how many of them might be at a business or in somebody’s home.

When wireless networking was first introduced, it was very difficult to find an open access point with internet connectivity. None of our coffee shops had any of this installed, so any time you could find an open access point, it was a pretty important thing to know. Well, early on, there were no easy ways to communicate this. There was no Twitter, we weren’t text messaging anyone, but we could draw information on the sidewalk with chalk. And so warchalking was born.

This is now more of a historical footnote. It’s now open access points wherever you might happen to go. Matt Jones created this in 2002 and he created these symbols that we could write on the sidewalk to let people know what type of wireless network was here. Was it open? Was it closed?

Was it encrypted? Was it a mesh node? And by simply looking at the chalk drawings on the sidewalk, you’d have an idea of what type of network was around that particular area. Of course, these days we have found other ways to communicate. Now it seems that open access points are everywhere and the idea of warchalking is one that is now more of a historical footnote than anything.

Since we’re talking about wireless attacks, let’s also discuss attacks that may focus on Bluetooth. One called Bluejacking was one where someone would send an unsolicited message to another device via Bluetooth. So you really didn’t need to go through texting or some type of mobile carrier. This is a communication happening between two mobile devices, generally in a very close area. Bluetooth, of course, has a very limited range, so something like a Bluejacking would only work if you were about 10 meters apart depending on the antenna and the other interference that you might have in the area.

Bluejacking took advantage of the sharing of contact information. You could effectively send contact data to another Bluetooth device that had anything inside of it that you might want. You can send, instead of a contact name, there might be a message inside of it. So this was effectively a harmless kind of attack. There was no data exposed by this particular attack, but it’s one where somebody could send information and conceivably fill up all of the storage area of your mobile device.

There were a couple of third-party softwares that could be used for something like this, Blooover and Bluesniff. These days we’ve designed our Bluetooth communication not to allow someone to put information onto your device without your permission. So Bluejacking is effectively something that you really don’t see any longer. A more invasive Bluetooth attack was Bluesnarfing. This is where you could use this Bluetooth network to access users’ data on a different device.

You could get into contact lists, you could look at emails, you could look at calendars, you could grab video and pictures, anything that was on that particular Bluetooth device. This was really one of the first major vulnerabilities in Bluetooth. It was found in 2003, and it was patched quickly afterwards so devices really aren’t subject to having Bluesnarfing happen to them any longer. It was a serious security issue, however, and for a short period of time, our Bluetooth devices were susceptible to having anybody attack them, grab our information, and copy it out of our mobile devices.