Cybersecurity researchers are always finding new, scary network attack techniques. But most defenders would get the greatest benefit from understanding the most common wireless network attacks, because that’s what most attackers use. Blocking ordinary — but effective — attacks is mandatory before trying to deal with more uncommon advanced persistent threats.
Even though many of them are essentially unchanged since they were first discovered, the most common wireless network attacks are still surprisingly effective. For example, war shipping is the tactic of shipping a live wireless device to a well-protected target organization, and then connecting to the network from inside a package in a bin in the mailroom. While the trappings are new, the reality is this attack is very similar to the traditional war driving attack, in which attackers drive around a targeted area with live wireless devices in order to subvert a network.
Wi-Fi security is tricky: The attack surface is often huge, as is the potential for mayhem. Unauthorized access to the network is just the tip of the iceberg, as attackers with unauthorized access can plunder data, impersonate authorized users and run denial-of-service (DoS) attacks against the victim organization. The first step to securing Wi-Fi networks is to understand attackers’ methods.
While network layer attacks often rely on attackers recording and manipulating IP packets, wireless network attacks rely on recording and manipulating frames — the link-layer protocol data unit for Ethernet or Wi-Fi.
Access control attacks
Rogue access points are the scourge of Wi-Fi security. A rogue access point (AP) is any unauthorized access point connected to the network. If an attacker successfully places such an access point, it gives the attacker access to the network. Even more worrisome is if authorized network users are tricked into using that AP, giving the attacker access to all data those users send and receive. This means a rogue AP is an attack not only against access control, but also a technique for attacking confidentiality, as discussed below.
A direct connection with a device that already has access to the wireless network can enable attackers to gain access to that network. These are referred to as ad hoc associations because of the ephemeral nature of the connections. An insecurely configured mobile device, whether a phone or a personal laptop, can be exploited to make this type of attack. This technique does not require the attacker to place an unauthorized wireless router in the target’s infrastructure; it can succeed just by exploiting an authorized user’s device.
MAC spoofing attacks can be used anywhere network adapters are used. An attacker who can eavesdrop on network traffic can learn the media access control (MAC) addresses of authorized devices’ network adapters, and then attempt to start a new connection by impersonating one of those devices.
War driving is the practice of literally driving around areas where targeted Wi-Fi networks are in operation with devices capable of connecting to those networks. War driving is a modern attack method based on the classic hacker technique of war dialing, in which hackers sequentially called phone numbers in specific telephone exchanges assigned to targeted organizations in the hopes of hitting a number connected to a modem.
Confidentiality attacks
Data confidentiality is difficult enough to enforce in wired networks, where a physical connection to the network is required to sniff traffic. Consider, then, the challenges of maintaining the confidentiality of network traffic that is broadcast wirelessly.
Eavesdropping through packet sniffing is perhaps the simplest method for attackers to gain access to raw network traffic. An attacker with a packet sniffer like Wireshark can capture and monitor Wi-Fi traffic. Requiring encryption for authorized user traffic is one way to thwart packet sniffers, though attackers doing reconnaissance can still gather network traffic metadata, such as endpoints and assigned IP addresses, through this method. Unauthorized network traffic sniffing, however, is usually undetectable.
Attackers use key cracking and other attacks on wireless encryption, especially when older wireless security protocols are in use. The first protocol for encrypting Wi-Fi traffic, Wired Equivalent Privacy (WEP), has been deprecated for several reasons. For one thing, WEP did not support individual keys: all users had to share a single key. WEP also implemented encryption using relatively weak keys that could easily be cracked. And use of WEP was optional, making it possible for users to simply skip encryption entirely.
Even when using the current standard for wireless encryption, Wi-Fi Protected Access II (WPA2), best practices for security should be followed when configuring WPA2 access points and devices. For example, each authorized user should be given their own preshared key for authenticating access to the network. The Wi-Fi Alliance announced WPA3 in 2018; the new version is backward compatible with WPA2 and will eventually replace it for wireless security.
As noted above, rogue access points represent attacks not just on Wi-Fi access security, but also a potential attack on confidentiality. Two types of rogue access points are of particular concern to defenders. Evil twin access points and access point phishing are two sides of the same coin; in either case, they let attackers take over network sessions and expose their contents. Hunting for rogue devices can be tricky, but it is a high-priority task for most organizations.
An evil twin access point is one that advertises itself as an existing, authorized access point by beaconing the service set identifier (SSID) of an authorized access point. When attackers are able to disable the authorized AP, an evil twin access point can subvert the entire network. Even if the authorized AP is left untouched, the evil twin AP can still transmit the authorized SSID and get access to at least some network traffic.
A common technique called access point phishing occurs when attackers set up their own access point in a public place, giving it a name that appears to be legitimate. Such attacks are often carried out in airports, using an SSID like “Free Airport Wi-Fi,” with the intention of gaining control over individual network connections.
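As an added illustration (not part of the original article), the following Python sketch shows how a defender might spot both patterns from a beacon survey: a BSSID advertising an authorized SSID that is not in the inventory of known radios (an evil twin), and a look-alike SSID (access point phishing). The inventory, the Beacon record, the sample beacons and the similarity threshold are assumptions for this example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed inventory: authorized SSID -> BSSIDs (AP radio MACs) allowed to beacon it.
AUTHORIZED = {
    "Corp-Wireless": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int


def similar(a: str, b: str, threshold: float = 0.8) -> bool:
    """Loose name match that catches look-alike SSIDs (extra space, swapped hyphen)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def classify(beacon: Beacon) -> str:
    """Return 'authorized', 'evil_twin', 'lookalike' or 'unknown' for one beacon."""
    known = AUTHORIZED.get(beacon.ssid)
    if known is not None:
        # Our exact SSID: either one of our own radios or an evil twin impersonating it.
        return "authorized" if beacon.bssid in known else "evil_twin"
    if any(similar(beacon.ssid, ours) for ours in AUTHORIZED):
        return "lookalike"  # access point phishing with a near-identical name
    return "unknown"        # some other network; not ours to police


def find_rogues(beacons):
    """Report each non-authorized BSSID advertising (or imitating) one of our SSIDs."""
    findings = {}
    for b in beacons:
        verdict = classify(b)
        if verdict in ("evil_twin", "lookalike"):
            findings[b.bssid] = (verdict, b.ssid, b.channel)
    return findings


# Constructed sample of beacons seen during a monitor-mode survey.
SAMPLE = [
    Beacon("Corp-Wireless", "00:11:22:33:44:01", 6),
    Beacon("Corp-Wireless", "de:ad:be:ef:00:01", 6),   # our SSID from an unknown radio
    Beacon("Corp Wireless", "de:ad:be:ef:00:02", 11),  # look-alike name
    Beacon("Free Airport Wi-Fi", "de:ad:be:ef:00:03", 1),  # unrelated network
]

if __name__ == "__main__":
    for bssid, (verdict, ssid, ch) in find_rogues(SAMPLE).items():
        print(f"{verdict:10} {bssid} ssid={ssid!r} channel={ch}")
```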
The person-in-the-middle tactic is another common type of wireless attack that affects confidentiality. In general, any tactic that puts the attacker in the loop between a targeted user and the systems that person is authorized to use is considered a person-in-the-middle attack. This type of wireless attack is usually — but not always — associated with access control attacks like the evil twin AP, access point phishing or rogue AP attacks.
Integrity attacks
Wireless integrity attacks include any tactic that sends forged data — session control, management or data frames — over wireless networks. Integrity attacks are carried out by impersonating a nonmalicious sender, usually leading to some other kind of attack. For example, integrity attacks can be part of denial-of-service, authentication or wireless hijacking campaigns.
Types of integrity attack include the following:
- Frame injection occurs when the attacker sends crafted frames that appear to be from a nonmalicious sender.
- Data replay occurs when the attacker captures wireless data transmission, with the intention of resending the same frames — or slightly modified versions of those frames — to a target system.
- Authentication replay occurs when the attacker captures authentication exchanges between authorized users, with the intention of reusing those exchanges in access control and authentication attacks.
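An added example, not from the article: a defender-side heuristic that uses the 802.11 sequence number to flag the replay and injection patterns listed above, as well as the MAC spoofing described earlier, from a trace of frames. The Frame record, the sample trace and the simplification to one sequence counter per transmitter are assumptions for this example.

```python
from dataclasses import dataclass

SEQ_MODULO = 4096  # the 802.11 sequence number is a 12-bit counter that wraps


@dataclass(frozen=True)
class Frame:
    src: str       # transmitter address
    seq: int       # sequence number from the Sequence Control field (0-4095)
    retry: bool    # Retry bit from the Frame Control field
    frag: int = 0  # fragment number; fragments of one MSDU share a sequence number


class SequenceMonitor:
    """Track the last sequence number per transmitter (assumption: one counter per MAC)."""

    def __init__(self):
        self.last = {}  # src -> (seq, frag)

    def observe(self, f: Frame):
        """Return an alert string for a suspicious frame, or None if it looks normal."""
        prev = self.last.get(f.src)
        self.last[f.src] = (f.seq, f.frag)
        if prev is None:
            return None
        pseq, pfrag = prev
        if f.seq == pseq:
            if f.retry or f.frag > pfrag:
                return None  # retransmission or next fragment of the same MSDU: normal
            return f"replay: {f.src} repeated seq {f.seq} without the Retry bit"
        ahead = (f.seq - pseq) % SEQ_MODULO
        if ahead >= SEQ_MODULO // 2:  # counter moved backwards; wraparound is excluded
            return f"spoof/inject: {f.src} seq went backwards {pseq} -> {f.seq}"
        return None


def scan(frames):
    """Run every frame through one monitor and collect the alerts in order."""
    mon = SequenceMonitor()
    return [a for a in (mon.observe(f) for f in frames) if a]


# Constructed sample trace of frames from one client address.
SAMPLE = [
    Frame("aa:bb:cc:00:00:01", 4094, False),
    Frame("aa:bb:cc:00:00:01", 4095, False),
    Frame("aa:bb:cc:00:00:01", 0, False),     # legitimate 12-bit wraparound
    Frame("aa:bb:cc:00:00:01", 0, True),      # retransmission with Retry bit: normal
    Frame("aa:bb:cc:00:00:01", 1, False),
    Frame("aa:bb:cc:00:00:01", 1, False),     # same seq, no Retry bit: replayed frame
    Frame("aa:bb:cc:00:00:01", 4000, False),  # jump backwards: a second radio using this MAC
]
```

A real monitor would also need per-TID counters for QoS data frames and some tolerance for dropped frames, which this sketch deliberately leaves out.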
Availability attacks
Not all attackers want to steal information. Sometimes, they want to cause disruption, which they do by running denial-of-service attacks. But, other times, they do just want to steal things, and that can include physical devices like wireless routers or access points.
Access point or wireless router theft can be disruptive, because a missing router can block legitimate users from accessing the network. Such thefts also add the cost of replacing and reinstalling the stolen devices.
Denial-of-service attacks can be much more disruptive and can be carried out with less risk to the attackers, because they don’t need the same degree of physical access to attacked devices. DoS attacks, which include a wide variety of wireless attacks intended to block legitimate users or flood systems with malicious traffic, make networks inaccessible to legitimate users.
Wireless attack prevention
Enterprises can prevent wireless network attacks in many of the same ways they protect their wired, cloud and hybrid networks. The key to preventing the most common wireless network attacks starts with taking a defense-in-depth stance: even when an attacker bypasses one security control, other controls can still detect that systems are being actively attacked, including attacks that begin against a Wi-Fi network.
Other actions recommended for defending against the most common wireless network attacks include the following:
- Identify the network attack surface, starting with enumerating all wireless network access points and determining which network resources can be reached through those access points. This type of vulnerability assessment is crucial to avoid missing vulnerable access devices.
- Lock down network AP configurations. Many wireless network attacks depend on insecure AP configurations. Recommended configuration changes include turning off obsolete or deprecated network protocols and cryptographic algorithms, many of which can be exploited easily. In particular, configurations should disable WEP, as well as the original Wi-Fi Protected Access (WPA), which was an interim solution before the current WPA2. Wi-Fi Protected Setup (WPS) is a security protocol aimed at homes and small businesses.
- Manage updates and patches for Wi-Fi network access systems. Attackers depend on using vulnerabilities in access devices that have not been patched.
- Deploy wireless networks using two-factor or multifactor authentication. MFA helps reduce wireless access control attacks, which can reduce all types of wireless network attacks that rely on gaining access.
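As an added example (not from the article), the following Python audit walks an access point configuration export and flags the settings the list above says to turn off or replace: WEP, the original WPA, weak ciphers, WPS, and a single shared preshared key where per-user credentials or MFA are preferred. The configuration format, the sample values and the treatment of WPS as unwanted on an enterprise AP are assumptions for this example.

```python
# Constructed AP configuration export; the key names are assumptions for this example.
AP_CONFIG = {
    "name": "ap-lobby-1",
    "ssids": [
        {"ssid": "Corp-Wireless", "security": "wpa2-enterprise", "ciphers": ["ccmp"], "wps": False},
        {"ssid": "Legacy-Printers", "security": "wep", "ciphers": ["wep104"], "wps": True},
        {"ssid": "Guest", "security": "wpa-psk", "ciphers": ["tkip", "ccmp"], "wps": False},
    ],
}

# Modes and ciphers to turn off: no encryption, WEP, and the original (interim) WPA.
DEPRECATED_MODES = {"open", "wep", "wpa-psk", "wpa-enterprise"}
WEAK_CIPHERS = {"wep40", "wep104", "tkip"}


def audit_ssid(s):
    """Return a list of findings for one SSID block; an empty list means it passes."""
    findings = []
    mode = s.get("security", "open").lower()
    if mode in DEPRECATED_MODES:
        findings.append(f"deprecated security mode '{mode}'; require WPA2 or WPA3")
    weak = WEAK_CIPHERS & {c.lower() for c in s.get("ciphers", [])}
    if weak:
        findings.append(f"weak cipher(s) {sorted(weak)} still negotiable")
    if s.get("wps", False):
        findings.append("WPS enabled (home/small-office feature; assumed unwanted on an enterprise AP)")
    if mode.endswith("-psk"):
        findings.append("single shared PSK; prefer per-user credentials or 802.1X with MFA")
    return findings


def audit_ap(cfg):
    """Map each failing SSID name to its list of findings."""
    report = {}
    for s in cfg["ssids"]:
        findings = audit_ssid(s)
        if findings:
            report[s["ssid"]] = findings
    return report


if __name__ == "__main__":
    for ssid, findings in audit_ap(AP_CONFIG).items():
        print(f"[{AP_CONFIG['name']}] {ssid}")
        for f in findings:
            print("  -", f)
```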