UNIVERSITY OF SUNDERLAND

The threats to security associated with using WiFi in a business environment.

A Critical analysis of current security techniques
Robert Ian Hawdon 29/01/2012

Wi-Fi networks are very popular amongst both home users and businesses. But with ever smarter, tech-savvy, computer hackers, can we trust personal data to be transferred using this method?

2|Page the same standard as a wired one. Sadly, due to the way WEP encrypts, using whats known as an Initialisation Vector or IV (used to power the RC4 ciphering algorithm), and a shared key. The IV is always 24bit, and it is borrowed from the overall bits used for the WEP key (a 64bit key leaves 40 bits for the shared key, and a 128bit key leaves 104 bits). The IV is broadcast between devices in plain text, and are rarely changed, which means if someone was to monitor the connection long enough, they would be able to figure out the key used to access the network, and use that to monitor the traffic on that network. (Rowan, 2010) If an attacker was able to see the raw traffic going through a network, they would be able to cause a considerable amount of damage, as most Internet traffic is broadcast in plain text, and from this, an attacker would be able to capture data, such as usernames, passwords, or cookies. A penetration tester could easily demonstrate accessing someones online account by using freely available tools. If the tester has access to a WPA2 network, and the MAC addresses of the clients router and computer, then theyll also be able to view the packets on these more secure networks. This kind of attack is known as Social Engineering, where the attacker cleverly gets the password for a network, by either directly, or indirectly asking someone who knows it. The penetration tester will probably have been given the WPA2 key if their testing environment is from the point of view of an employee in a company. Once a hacker has access to a breached wireless network, they can easily view unsecure traffic travelling over the network, which is a huge security threat for both the company, and the individuals using it.

Introduction
Wireless networking makes life easy for those that use it. But, unless it is properly configured, it is also remarkably easy to attack. (Bradbury, 2011) The IEEE 802.11 standard, which implements wireless local area network, has extended the abilities that were once limited in a networking environment by allowing users to use portable devices on a network without the need for wires, or the ability to build a network in a building where wires are just not an option. (Rowan, 2010) The problem with wireless networks though is that, unlike modern wired solutions which will protect users from being spied upon, wireless connections can be intercepted. Several standards have been used to improve wireless security, but older standards such as WEP can be easily broken into, and WPA/WPA2, although there is no known way of cracking, can be broken into via other hacking methods, such as social engineering.

Broadcasting Information

Personal

When using a wireless connection, there is no way to only allow certain devices to receive your information. Its essentially the same as overhearing a conversation in a public place. Whilst you cant physically block devices listening to your traffic, it is possible to scramble the data, so that unauthorised devices cant understand whats being broadcast. (Saito, 2011) WEP, which stands for Wired Equivalent Privacy, aimed to secure a wireless network to

Robert Ian Hawdon

3|Page

An example of a security breach

Lets say, for example, and employee of a company, in his spare time, uses the companys wireless network to access, the popular social network service, Facebook. By default, Facebook uses an insecure HTTP service, this means any data passed from the users browser, and the server and back, could be intercepted at any point. A hacker within range of the wireless network could use a packet sniffer, such as WireShark, to view the packets being sent over this network, in real time. Theoretically, if the user was to log in to Facebook at the same time the hacker was monitoring the network, one of the packets sent to Facebook would contain the victims username and password. But in practice, users set their accounts to automatically log in, or are already logged in when the attack is started. So, rather than sniffing their username and password, the hacker can then target cookies. Sites like Facebook use cookies to allow the service to authenticate the user each time a page is loaded without requiring a username and password. This cookie, known as a session cookie, is transmitted on every page load request, which means theres more opportunity to capture one of these cookies. (Gold, 2011) With this cookie, the hacker is able to inject it into their own browser, go to the Facebook site, and theyll be automatically logged in with the victims account. From here, the hacker has a potentially unlimited amount of data they can steal, including the victims name, email address, friends names, hometown, contact details, or anything the user has decided to put on the

site, even if its not public. Without knowing the users password, some things cant be changed, but having the users email address is the starting point for another attack. (Hawdon, 2011) In the worst case scenario, if the victims password was captured, and that user uses the same password for all of their accounts, then theyve given the hacker to an almost infinite amount of information about themselves, which could be used for Identification Theft. From a companys point of view, if their business details were stolen, the consequences would be so severe that it could be enough to put them out of business.

Strengthening Encryption

Wi-Fi

When the IEEE 802.11 standard was defined, there were concerns over how secure sending data over airwaves would be. To remedy this, a standard of encrypting data was proposed. As mentioned earlier, WEP was created to make Wi-Fi networks more secure, and was advertised as being as secure as a wired network. In reality though, a WEP encrypted network can be cracked into anywhere between 5 to 30 minutes depending on how busy the network is at the time of the attack. (Rowan, 2010) This lead to the development of a more secure encryption protection known as Wi-Fi Protected Access (WPA). WPA uses the same encryption technique as WEP, but treats the IV with a little more care, increasing the size from 24bit to 48bit. This means the collision issue from WEP is practically eliminated; causing the WEP based attack to be rendered useless. WPA adds another layer of protection in called MIChael, which also protects the network from the kind

Robert Ian Hawdon

4|Page of attack used in WEP, known as a replay attack where the attacker floods the WEP network with packets to make an IV collision occur more regularly. When the WPA network detects a replay attack (which is achieved when it sees two identical packets occur in a minute) it will shut down the whole network for another 60 seconds, this would make hacking a WPA network very time consuming and impractical. WPA also has two modes of operation, the most commonly used mode is WPA-PSK (Wi-Fi Protected Access Pre Shared Key) where both the access point, and the client know a password which is needed to connect to the wireless network. This has a similar issue that WEP has in that the keys are rarely changed. Weak passphrases can be brute forced, but like any authentication system, care should be taken to make sure a strong passphrase is used. All WPA-PSK keys are 256bit, which is more secure than the stronger WEP key options. The other mode WPA can be used in is an Enterprise level using WPA-EAP (Wi-Fi Protected Access Extensible Authentication Protocol), this requires hardware that can use this method of encryption such as a RADIUS server. This method of encrypting on WPA gives each device on the network a unique key that cant be changed by the user. This is by far the most secure option in terms of the protection of sensitive data, but WPA (and WPA2) Wi-Fi enabled access points are still vulnerable to other kinds of attacks sucks as Denial of Service (DoS). (Odhiambo, Biermann and Noel, 2009) WPA was a stopgap used to address the issues with WEP on old hardware, new hardware supports a revised standard, WPA2, which strengthens the network further, by using Robust Security Network (RSN). RSN introduces the concept of a 4 way handshake which is another step taken to secure the network, this is done when the client access the access point. (The Institute of Electrical and Electronics Engineers, Inc., 2004)

Using Wi-Fi workplace

in

the

Does this mean Wi-Fi shouldnt be used in the workplace? It would be a bit impractical to boycott Wireless network access in a workplace all together, as there would be other ways to penetrate into a company via the use of Trojen horses, any part of the companys network thats publically available online, or even by tricking an employee though social engineering. (Wang, 2003) Instead, care should be taken to ensure that a wireless network cant be breached by any amateur wannabe hacker. (Fourati, Ayed and Banzekri, 2004) Firstly, choosing the right kind of encryption is vital; a small company with only a few employees wouldnt generally need to bother with enterprise WPA2 as the equipment needed to set up such a network would be impractical when the personal WPA2-PSK method is still secure enough. In a large enterprise, the more secure solution, with a RADIUS server should be used. Unsecure networks and WEP networks should never be used, especially when sensitive data could be sent over the network. Secondly, most routers, and/or access points have the option of filtering by MAC (Media Access Control) address, whilst this wont stop anyone from viewing unsecured or WEP traffic, it will stop them from connecting to the network in question. This can be overcome by more serious hackers if they know a MAC address of a computer that is trusted on the network (which could be

Robert Ian Hawdon

5|Page acquired though the use of a packet sniffer), and make their network card spoof another MAC specifically to connect to the compromised network. Finally, the company can opt for their access points to not broadcast its SSID (Service Set IDentifaction), which will make their network invisible, or appear as an unnamed network. This would then require the user to know both the SSID as well as the encryption key needed to gain access. This isnt recommended though, as SSID requests will be sent in plain text, and its also possible for a hacker to fake an access point to capture data. (Davies, 2007)

Conclusion
In conclusion, there is no sure way of securing a wireless network connection and using a wired connection is far more secure. But if a wireless connection is nessessary, using the newer encryption methods such as WPA2 is currently the most secure way of ensuring data is kept safe.

Robert Ian Hawdon

6|Page

Works Cited
Bradbury, D. (2011) 'Hacking wifi the easy way', Network Security, vol. 2011, no. 2, February, pp. 9-12. Davies, J. (2007) Non-broadcast Wireless Networks with Microsoft Windows, 19 April, [Online], Available: http://technet.microsoft.com/enus/library/bb726942.aspx#EDAA [29 January 2012]. Fourati, A., Ayed, H.K.B. and Banzekri, A. (2004) 'Security issues of M-commerce over hotspot networks', 2004 IEEE Wireless Communications And Networking Conference (Vol 1-4), New York, 873-878. Gold, S. (2011) 'The cookie monster', Computer Fraud & Security, vol. 2011, no. 9, September, pp. 12-15. Hawdon, R.I. (2011) How To Hack Into A Friend's Facebook Account, 9 December, [Online], Available: http://robertianhawdon.me.uk/blog/2011/12 /09/how-to-hack-into-a-friends-facebookaccount/ [25 January 2012]. Odhiambo, O.N., Biermann, E. and Noel, G. (2009) 'An integrated security model for WLAN', AFRICON, 2009, Nairobi, 1-6. Rowan, T. (2010) 'Negotiation WiFi security', Network Security, vol. 2010, no. 2, February, pp. 8-12. Saito, W.H. (2011) 'Our Naked Data', Futurist, vol. 45, no. 4, July/August, pp. 42-45. The Institute of Electrical and Electronics Engineers, Inc. (2004) 'IEEE Standard for Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements - Part 11: Wireless LAN Medium

Access Control (MAC) and Physical Layer (PHY) specifications - Amendment 6: Medium Access Control (MAC) Security Enhancements', IEEE Std 802.11i-2004, New York, 1-190. Wang, W. (2003) Steal This Computer Book 3, San Francisco: No Starch Press, Inc.

Robert Ian Hawdon