5 common Wi-Fi attacks – and how to defend against them
By Eric Geier (Our Owner & Lead Wi-Fi Consultant)
Originally published on NetworkWorld
You’re probably aware that hackers can try to crack your Wi-Fi passwords in order to gain access to your network. So, you’re already using strong passwords.
But that doesn’t mean your Wi-Fi security worries are over. A determined hacker who wants to get in or wreak havoc can utilize other vulnerabilities, such as social engineering, internal snooping or hijacking, rogue access points, and signal jamming.
So, in addition to using strong passwords, you need to prepare your network for these types of attacks. Here are some common vulnerabilities and how to protect against them.
1. Lost or stolen device
When using the simple pre-shared key (PSK) mode of WPA2 security, there is one global password for the entire Wi-Fi network. That password is usually saved by all of the devices that connect. If an employee leaves the organization or a Wi-Fi device is lost or stolen, you should change the password. This involves changing the password on all routers or access points, sharing the new password with all Wi-Fi users, and having them input it when they connect again.
This isn’t exactly a user-friendly solution for you or the users, so in practice you most likely won’t change the password as often as you should.
For better control and management over Wi-Fi access, use the enterprise mode of WPA2 security, which uses 802.1X authentication. Though this mode requires setting up a RADIUS server for authentication, it allows you to define individual login credentials for each Wi-Fi user, such as usernames and passwords or even security certificates. So if an employee leaves the organization or a Wi-Fi device becomes lost or stolen, simply revoke or change their specific login credential.
Though you still may find the PSK mode of WPA2 useful for guest or contractor access on a separate SSID and VLAN, you can see how beneficial the enterprise mode is for your main private wireless network.
2. User-to-user snooping
Threats don’t always come from the outside. A guest, contractor, or even an employee can snoop on wireless traffic. Though the PSK mode of WPA2 utilizes encryption to scramble the traffic, if someone has the password they can decrypt the traffic and snoop on other users of the “secure” network. This is another vital reason why the enterprise mode of WPA2 is beneficial: it stops this type of user-to-user snooping, while still allowing sharing among users if desired.
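As an added illustration of the PSK-versus-enterprise point in the two sections above (example code, not from the article or any vendor), the following Python audits a hostapd configuration and reports when a private SSID is still in WPA-PSK mode or when 802.1X is selected without its RADIUS settings. The two configuration fragments are constructed; the hostapd option names are real, but the SSID, RADIUS address and secrets are placeholders. It also checks whether management frame protection (802.11w, ieee80211w=2) is required, since that setting bears on the spoofed de-authentication frames discussed under denial of service below.

```python
"""Audit a hostapd configuration for the Wi-Fi security mode it enforces.

Added example, not from the article. The two configuration fragments below are
constructed: one private SSID in WPA2-PSK mode, one in WPA2-Enterprise mode.
The keys used (wpa, wpa_key_mgmt, wpa_passphrase, rsn_pairwise, ieee8021x,
auth_server_addr, auth_server_port, auth_server_shared_secret, ieee80211w) are
real hostapd options; the SSID, RADIUS address and secrets are placeholders.
"""

# Constructed: the "before" configuration, one shared passphrase for everyone.
PSK_CONFIG = """\
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=SharedOfficeSecret-PLACEHOLDER
rsn_pairwise=CCMP
"""

# Constructed: the "after" configuration, per-user credentials via 802.1X/RADIUS
# and management frame protection (802.11w) required.
ENTERPRISE_CONFIG = """\
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=RADIUS-SECRET-PLACEHOLDER
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse hostapd's key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text, private_network=True):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_hostapd(text)
    findings = []
    methods = set(cfg.get("wpa_key_mgmt", "").split())

    if cfg.get("wpa") != "2":
        findings.append("wpa should be 2 so only WPA2 (RSN) is offered")
    if "WPA-PSK" in methods and private_network:
        findings.append("private SSID uses WPA-PSK: one password for all users, and a "
                        "lost device or departing employee forces a network-wide rekey")
    if "WPA-EAP" in methods:
        if cfg.get("ieee8021x") != "1":
            findings.append("WPA-EAP selected but ieee8021x=1 is missing")
        if "auth_server_addr" not in cfg:
            findings.append("WPA-EAP selected but no RADIUS server (auth_server_addr)")
    if cfg.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: management frame protection is not required, "
                        "so spoofed de-authentication frames will be honoured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("PSK", PSK_CONFIG), ("Enterprise", ENTERPRISE_CONFIG)):
        print(f"{label}: {audit_hostapd(cfg) or ['ok']}")
```

Run against the PSK fragment it reports two findings (shared passphrase on a private SSID, no management frame protection); the enterprise fragment passes. Pass private_network=False for a guest SSID where PSK is an accepted trade-off.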
3. Session hijacking of accounts
There are many tools that make session hijacking via poorly secured Wi-Fi quick and easy for anyone, as demonstrated by DroidSheep and FaceNiff. For these particular apps to work, they just need a rooted Android device and someone on the Wi-Fi to log into a website that’s not fully secure. The app then detects the unsecured login, and the session hijack gives the eavesdropper full access to the compromised account without having to enter a password.
Though Wi-Fi users can try to ensure they’re logging onto websites or services via a secured HTTPS/SSL connection to prevent session hijacking, sometimes the session cookie is still sent in clear text, leaving the user unknowingly vulnerable to this attack.
Keep in mind, this type of account hijacking is only possible if the Wi-Fi is unsecured, using WEP security, or using the PSK mode of WPA or WPA2 security. Again, the enterprise security mode prevents user-to-user snooping, which includes preventing session hijacking of unsecured logins. This is yet another reason to utilize the enterprise mode of Wi-Fi security for your networks. But when end users are on public hotspots and other Wi-Fi networks, consider requiring a VPN connection to wrap their traffic in another layer of encryption.
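The clear-text cookie case above is something a web team can check for on its own side. As an added example (not from the article), this Python audits a server’s response headers for a session cookie that lacks the Secure attribute, which is exactly what lets a browser send it over plain HTTP on an untrusted Wi-Fi network; it also checks for HttpOnly and for Strict-Transport-Security. The two header sets are constructed, and the cookie-name heuristic is an assumption of this example.

```python
"""Check an HTTP response for session cookies that could be hijacked.

Added example, not from the article. The two header lists below are constructed
to show the weak case beside the hardened one. A session cookie without the
Secure attribute is sent by the browser on plain-HTTP requests to the same
host, which is the clear-text case described above; HttpOnly keeps it away
from script, and Strict-Transport-Security stops the browser from using HTTP
at all. The cookie-name heuristic is an assumption of this example.
"""

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of findings; empty means nothing to fix."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security: the browser may still talk plain HTTP")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if not looks_like_session_cookie(name):
            continue  # preference cookies are not worth hijacking
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: sent in clear text over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return findings


# Constructed: the response a poorly secured site might send after login.
INSECURE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=PLACEHOLDER; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Constructed: the same response with the session cookie protected.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


if __name__ == "__main__":
    for label, resp in (("insecure", INSECURE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```

The insecure response yields three findings (no HSTS, session cookie without Secure, without HttpOnly); the hardened one yields none. The preference cookie is deliberately ignored, because a cookie that carries no session is not what the hijacking tools above are after.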
4. Rogue access points
If someone wants unauthorized wireless access to your network, they could attempt to connect via an existing rogue access point or set up their own. Any access point that’s not properly secured could be classified as rogue.
For instance, an employee could innocently bring in a wireless router from home to help boost the Wi-Fi signal in their office, but leave the access open or use their own security password. Even scarier, an outsider could come inside to find an accessible Ethernet wall port and quickly plug in their own wireless router or access point. Or, if an access point is accessible to them they could simply use the reset button to restore it to factory defaults, making it broadcast wide open.
To protect against rogue access points, use a wireless intrusion detection or prevention system to help actively look for this type of vulnerability. Consider using an access point that offers some intrusion detection or prevention functionality, or consider deploying a third-party solution. You should also look for these rogue access points when performing wireless site surveys.
To help prevent employees from setting up their own wireless routers or access points, consider drafting a Wi-Fi usage policy that includes what users can and can’t do involving the wireless network. Also, educate them on the vulnerabilities, and how they can help combat them.
Paying attention to physical security of the network is also important. Ensure all network equipment is secured in a locked closet or otherwise inaccessible to the public and general employees. To cut down on the likelihood of an employee or outsider having an Ethernet port to plug in a router or access point to begin with, keep tabs on all ports.
Ensure that wall ports, cable runs, patch panels, and switch ports are all labeled so you can easily identify both ends of the cables. Then you can easily check to make sure that unused ports are unplugged or disabled to help reduce unauthorized use.
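The detection the section above recommends comes down to comparing what is on the air with what you actually deployed. As an added example (not from the article, and not any particular WIDS product’s logic), the following Python classifies constructed scan records against a constructed inventory and flags the three cases the section describes: an unknown access point with a strong signal, an unknown BSSID advertising your corporate SSID, and an authorized access point that has been reset to open. The -65 dBm cut-off for “probably inside the building” is an assumption to calibrate for your own site.

```python
"""Flag rogue access points in a scan against an authorized inventory.

Added example, not from the article. The inventory and scan results below are
constructed records in the shape a site-survey tool or wireless IDS export
gives you (BSSID, SSID, channel, security, signal in dBm). Feeding it from a
real scanner is left out; the -65 dBm "probably inside the building" cut-off
is an assumption to calibrate against your own floor plan.
"""

# Constructed inventory: what the organisation actually deployed.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpWiFi", "security": "WPA2-EAP"},
    "00:11:22:33:44:02": {"ssid": "CorpWiFi", "security": "WPA2-EAP"},
    "00:11:22:33:44:03": {"ssid": "CorpGuest", "security": "WPA2-PSK"},
}
CORPORATE_SSIDS = {entry["ssid"] for entry in AUTHORIZED_APS.values()}
STRONG_SIGNAL_DBM = -65   # assumption: louder than this is likely on premises

# Constructed scan: each case the article describes, plus a harmless neighbour.
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "channel": 36, "security": "WPA2-EAP", "signal": -48},
    {"bssid": "00:11:22:33:44:03", "ssid": "CorpGuest", "channel": 6, "security": "WPA2-PSK", "signal": -55},
    # employee's home router brought in, left open, strong signal
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "HomeRouter", "channel": 11, "security": "OPEN", "signal": -41},
    # unknown BSSID advertising the corporate SSID
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "CorpWiFi", "channel": 1, "security": "WPA2-PSK", "signal": -52},
    # neighbouring business, weak signal
    {"bssid": "aa:bb:cc:dd:ee:03", "ssid": "CoffeeShop", "channel": 1, "security": "WPA2-PSK", "signal": -82},
    # authorized AP now open: reset button pressed?
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpWiFi", "channel": 44, "security": "OPEN", "signal": -50},
]


def classify(ap, inventory=AUTHORIZED_APS):
    """Return (verdict, reason) for one scan record."""
    known = inventory.get(ap["bssid"])
    if known:
        if known["ssid"] != ap["ssid"] or known["security"] != ap["security"]:
            return "misconfigured", "authorized BSSID but SSID or security differs from inventory (factory reset?)"
        return "authorized", ""
    if ap["ssid"] in CORPORATE_SSIDS:
        return "rogue", "unknown BSSID advertising a corporate SSID (impersonating your network)"
    if ap["signal"] >= STRONG_SIGNAL_DBM:
        kind = "open" if ap["security"] == "OPEN" else ap["security"]
        return "rogue", f"strong unknown AP ({kind}), likely inside the premises"
    return "neighbor", "weak unknown AP, probably outside the building"


def find_rogues(scan):
    """Return [(bssid, verdict, reason)] for everything needing a follow-up."""
    results = []
    for ap in scan:
        verdict, reason = classify(ap)
        if verdict in ("rogue", "misconfigured"):
            results.append((ap["bssid"], verdict, reason))
    return results


if __name__ == "__main__":
    for bssid, verdict, reason in find_rogues(SCAN):
        print(f"{bssid}  {verdict:14} {reason}")
```

On the constructed scan this returns three entries for follow-up and leaves the weak neighbouring network alone. The "misconfigured" verdict is the one most often missed: the BSSID is in your inventory, so a naive allow-list check would pass it even though it is now broadcasting wide open.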
5. Denial of service
Because Wi-Fi uses the airwaves, all wireless networks are susceptible to denial of service attacks. Someone inside or outside can send traffic to disrupt the wireless performance, or halt the network altogether. This is because wireless encryption doesn’t apply to all management and broadcast frames, enabling someone who’s not connected or authenticated on the wireless network to send spoofed management traffic. Furthermore, no network can be completely protected against these types of attacks.
For instance, one could repeatedly send spoofed de-authentication frames to clients, continually kicking them off the network. Or a large amount of spoofed association request frames could be sent to the access point, overloading it and causing connectivity issues for all associated clients.
Though the 802.11w standard (protected management frames) mitigates these weaknesses by adding sequencing to prevent replays and a message authentication code to detect forgeries, it cannot protect against all types of denial-of-service attacks.
Apart from using special walls, paints, and windows to help shield your building from outside rogue signals, you can use wireless intrusion detection or prevention functionality to help detect or even slow denial of service attacks.
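The de-authentication flood described above has a simple signature a wireless IDS looks for: far more deauth or disassoc frames per second than any access point sends during normal housekeeping. As an added example (not from the article or any WIDS product), this Python runs a sliding-window count over a constructed log of management frames and raises an alert when one transmitter crosses the threshold. The window and threshold are assumptions to tune per site; note that a flood spoofs the access point’s own address, so the alert names the impersonated AP rather than the attacker, which is why the real fix is requiring 802.11w.

```python
"""Spot a de-authentication flood in a log of 802.11 management frames.

Added example, not from the article. The frame records are constructed to
resemble a monitor-mode capture summary: (timestamp, subtype, transmitter,
receiver, reason code). Threshold and window are assumptions to tune per site.
A deauth flood spoofs the AP's own address as transmitter, so the alert names
the impersonated AP, not the attacker; the fix is to require 802.11w so that
clients discard unauthenticated deauth frames.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 5.0      # assumption: sliding window length
DEAUTH_THRESHOLD = 20     # assumption: deauth/disassoc frames per window before alerting


def detect_deauth_flood(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """frames: iterable of (ts, subtype, transmitter, receiver, reason) sorted by ts.
    Returns one alert per transmitter, raised when it first crosses the threshold."""
    recent = defaultdict(deque)   # transmitter -> timestamps of recent deauth/disassoc
    alerted = set()
    alerts = []
    for ts, subtype, tx, rx, reason in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[tx]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and tx not in alerted:
            alerted.add(tx)
            alerts.append({
                "transmitter": tx,
                "count": len(q),
                "window_start": q[0],
                "window_end": ts,
                "to_broadcast": rx == BROADCAST,
                "reason": reason,
            })
    return alerts


def sample_frames():
    """Constructed capture: normal AP housekeeping, then a spoofed broadcast flood."""
    ap = "00:11:22:33:44:01"
    frames = [
        (0.0, "deauth", ap, "66:77:88:99:aa:01", 3),   # reason 3: station leaving, normal
        (1.5, "beacon", ap, BROADCAST, None),
        (12.0, "deauth", ap, "66:77:88:99:aa:02", 3),  # another normal one
        (20.0, "beacon", ap, BROADCAST, None),
    ]
    # 50 deauth frames in two seconds, "from" the AP, to everyone, reason 7
    # (class 3 frame from non-associated station): the flood pattern described above
    frames += [(30.0 + i * 0.04, "deauth", ap, BROADCAST, 7) for i in range(50)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_frames()):
        print(alert)
```

The two routine deauth frames twelve seconds apart never reach the threshold; the flood triggers one alert as soon as the twentieth spoofed frame arrives, with the broadcast receiver flagged so an analyst can tell "everyone was kicked" from "one client was kicked". Pair the alert with a site survey to locate the transmitter physically, since the address in the frame cannot be trusted.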
A more innocent denial of service situation could simply be interference from neighboring wireless networks. Maybe a nearby business changes the channels of their access points or starts utilizing wider channel widths, negatively affecting your Wi-Fi. Significant interference can also come from within your organization from other types of wireless devices using 2.4 or 5 GHz, such as security cams, alarm systems, cordless phones, or wireless speakers.
Summarizing the threats and preventative measures
Utilizing the enterprise mode of WPA or WPA2 security with 802.1X authentication can help prevent a few of these serious vulnerabilities: session hijacking and user-to-user snooping via Wi-Fi and easy recovery of the Wi-Fi password. Although you must use a RADIUS server with this security mode, there are many options, including cloud or hosted 802.1X services specifically designed for securing and managing Wi-Fi access.
You’ve also seen how your network can be accessed via rogue access points or interrupted by denial-of-service attacks, both of which can be at least detected by utilizing a wireless intrusion detection or prevention system. Yet this doesn’t eliminate the need for periodic site surveys, where you can get a deeper look at channel usage and interference and manually verify the access points.
Physical security is also important to reduce chances of unauthorized use. Disabling unused Ethernet ports and ensuring network equipment is physically secured from the public and employees can reduce chances of misuse.