Thursday, May 28, 2015

Wireless Attacks and Countermeasures

Wireless Attacks and Countermeasures

Wireless communication poses formidable challenges for the security professional. Many wireless manufacturers design their devices for easy set up and use, often at the expense of sound security practices. Many wireless devices default to little or no security. A security professional must take extra precautions to protect sensitive data transmitted over wireless devices.
Two protocols that have been implemented to provide security for wireless communication are:
  • Wired Equivalent Privacy (WEP) implements the 802.11 specification for wireless network connections.
  • Wireless Application Protocol (WAP) is used with mobile devices such as PDA's and smart phones.
The following table describes weaknesses with both WEP and WAP:
Protocol Vulnerabilities
Wired Equivalent Privacy (WEP) WEP suffers from the following weaknesses:
  • The key is vulnerable during authentication.
  • The same WEP key is used for authentication and data encryption.
  • The WEP key is static. Because it doesn't change, it can be captured and broken.
  • Every host on the network uses the same key.
  • Key rotation is difficult.
  • WEP uses a very short initialization vector (IV) - a mechanism that allows a cipher to be executed in any of several streaming modes of operation to produce a unique cipher text using the same encryption key.
  • The integrity check value (ICV) is easily defeated.
  • Unless you specify data encryption, all frames are sent in plaintext.
  • The RC4 encryption cipher could be replaced by a stronger encryption cipher.
  • The Service Set Identifier is broadcast.
  • Authentication can be open, meaning that identity is not checked.
  • Most wireless stations can be configured using the network name ANY.
Wireless Application Protocol (WAP) The most significant weakness of WAP is referred to Gap in the WAP, a security gap between a WAP client (handset) and a LAN host. The Gap in the WAP attack:
  • Exploits the decryption of transmissions at a carrier midpoint.
  • Compromises the carrier before the data is re-encrypted.
  • Exposes plaintext data.
WAP deploys Wireless Transport Layer Security Protocol (WTLS) for authentication:
  • Class 1, Anonymous Authentication
  • Class 2, Server Authentication
  • Class 3, Two-Way Client and Server Authentication 
 
Wireless networks are vulnerable to the following specific security attacks:
Vulnerability Description
Eavesdropping Eavesdropping is the most common threat of a wireless network. Wireless transmissions can be easily intercepted.
Site surveys or war driving Site surveys or war driving are attempts by a hacker to scan the wireless networking area looking for unsecured access points or weak passwords.
Rogue access points or Man-in-the-middle Rogue access points or man-in-the-middle attacks occur when an attacker installs an unauthorized access point into your wireless network, allowing them to connect to the network.
Replay attack In a replay attack, an attacker intercepts and records messages. The captured traffic is used at another time to try and recreate authentication. WEP, with its short initialization vector and static keys is susceptible to replay attacks.

Countermeasures for wireless communications are:
  • First and foremost, treat a wireless network as though it were a publicly accessible network. Don't assume that the traffic on that network is private and secure.
  • Put the access points in separate virtual LANs and implement some type of intrusion detection to help identify when an attacker is attempting to set up a rogue access point or is using a brute force attack to gain access.
  • Encrypt all data transmitted through your access point.
  • Set the access point to accept only Media Access Control (MAC) addresses.
  • Use firewalls on each network access point.
  • Avoid storing sensitive data on wireless machines whenever possible. Encrypt sensitive data that must be stored on the machine.
  • Install security updates as soon as they are available.
  • Install antivirus software on the wireless computer.
  • Require that users connect to the wireless access point with a network cable when sending sensitive data.
  • Disable the broadcasting of the SSID from all access points.
  • Implement EAP-TLS to use different keys for encryption and broadcast traffic.
  • Set the WEP broadcast traffic key to be renegotiated at a certain interval.
  • Set up a RADIUS server and a certificate authority. The RADIUS server authenticates the user back against your network directory service.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)