
Introduction:

This paper gives a brief overview of modern attacks on wireless technology that pose a potential threat to devices that communicate wirelessly. In a brief format it covers several scenarios that theoretically explain the security issues of wireless infrastructure. The term "wireless" was first used in 1880, when the first wireless telephone communication took place over modulated light beams, although not over much distance. The device was known as a photophone back then. As with all drafted technologies, wireless included, there is no concept of security whatsoever until someone tries to exploit certain loopholes and succeeds, or in other words does some damage. As wireless-enabled devices such as laptops, cellular phones and tablets become increasingly pervasive, the demand for reliable and secure mobile computing services escalates. Over the years everything as we know it is being transformed into wireless, but so are the risks that come with it. The wireless technology that quietly controls our planes, phones and computers is prone to security flaws. This research paper covers overall studies relating to common wireless device flaws, explained very simply.
This paper contains a theoretical study of how devices as large as airplanes and as small as cellphones are vulnerable to wireless attacks. It is an overview of the writer's upcoming book, to be released later this year, named "Attacking the Air".
The paper explains the vulnerabilities within the communication protocols and the countermeasures against those issues, although most of the countermeasures discussed are already implemented, or in the phase of being implemented, to make communication between endpoints as secure as possible. All the topics researched are kept in series and in a step-by-step deductive format, covering legacy and generic security-centric problems. All the papers are concerned with wireless infrastructure flaws, wireless security vulnerability research, wireless security vectors, and wireless exploitation and penetration testing.
A Brief Overview of Wireless Communication Standards:
Different methods and standards of wireless communication have developed across the world, based on various commercially driven requirements. In a nutshell, let us first talk about IEEE 802.11, the Wi-Fi standard, which presents a collection of wireless LAN (WLAN) standards developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802). The 802.11 family currently includes six modulation techniques that all use the same protocol.

Figure: Copyright rfidc.com (Global Wireless Standards)


There are four global standards that any device using wireless communication can adopt for ease of mobility. These wireless communication technologies evolved over time to enable the transmission of larger amounts of data at greater speeds across a global network. Many network protocols and standards used in wireless communication have conventional methods of transmitting data packets. For instance, the same protocol, with modifications, that is used to link two computers together is also used for communication between wireless industrial control systems.
Wireless Network Terminologies and Protocols:
A complete list of the wireless terminology used further ahead can be found at
http://www.cnp-wireless.com/glossary.html

Vulnerabilities in Wireless Communication and Systems:


Since the dawn of personal computing, the usage of Wi-Fi has increased drastically, leaving many devices at risk of being exploited. Not only Wi-Fi but also GSM and CA signals have some really alarming loopholes that can be used to compromise user data in real time.

Figure: Copyright weybu.com (Common devices operated on Wi-Fi)


Now we will look at the scope of our research: the extent to which we will study wireless devices and the methods of attacking them.
1. Wi-Fi and Wi-Max
2. RFID and UAVs
3. Bluetooth and Mobile networks
Wireless Network Attacks Classification:
In the wireless industry, getting your arms around wireless attacks and their potential business impacts can be tough.
All types of wireless networks are vulnerable to the following attacks, grouped by classification:

1. Access Control Attacks


These attacks attempt to penetrate a network by using wireless access or by evading WLAN access control measures.

Type of Attack | Description | Methods and Tools
War Driving | Discovering wireless LANs by listening to beacons | Airmon-ng, DStumbler, KisMAC
Rogue Access Points | Installing an unsecured AP inside the firewall | Any hardware or software AP
Ad Hoc Associations | Connecting directly to an unsecured station | Any wireless card or USB adapter
MAC Spoofing | Reconfiguring an attacker's MAC address to pose as an authorized AP or station | MacChanger
RADIUS Cracking | Recovering the RADIUS secret by brute force | Packet capture tool on the LAN or on the network path between AP and RADIUS server

2. Confidentiality Attacks
These attacks attempt to intercept private information sent over wireless
associations.
Type of Attack | Description | Methods and Tools
Eavesdropping | Capturing and decoding unprotected application traffic | Ettercap, Kismet, Wireshark, commercial analyzers
WEP Key Cracking | Capturing data to recover a WEP key using passive or active methods | Aircrack-ng, airoway, AirSnort, chopchop
Evil Twin AP | Posing as an authorized AP by beaconing the WLAN's SSID to lure users | cqureAP, Rogue Squadron, WifiBSD
AP Phishing | Running a duplicate portal or Web server on an evil twin AP to "phish" for user logins and credit card numbers | Airpwn, Airsnarf
Man in the Middle | Running traditional man-in-the-middle attack tools |

3. Integrity attacks
These attacks send forged control, management or data frames over wireless to
mislead the recipient or facilitate another type of attack.
Type of Attack | Description | Methods and Tools
Frame Injection | Crafting forged 802.11 frames | Airpwn, File2air, libradiate, void11
Data Replay | Capturing data frames for later replay | Capture + Injection Tools
EAP Replay | Capturing Extensible Authentication Protocol frames for later replay | Wireless Capture + Injection Tools between station and AP
RADIUS Replay | Capturing RADIUS Access-Accept or Reject messages for later replay | Ethernet Capture + Injection Tools between AP and authentication server

4. Authentication attacks
Intruders use these attacks to steal legitimate user identities and credentials to
access otherwise private networks and services.
Type of Attack | Description | Methods and Tools
Shared Key Guessing | Attempting Shared Key Authentication with guessed, vendor default or cracked WEP keys | WEP Cracking Tools
PSK Cracking | Recovering a WPA/WPA2 PSK from captured key handshake frames using a dictionary attack tool | coWPAtty, KisMAC
Login Theft | Capturing user credentials from cleartext application protocols | Dsniff, PHoss, WinSniffer
Domain Login Cracking | Recovering user credentials by cracking NetBIOS password hashes | John the Ripper, L0phtCrack, Cain
VPN Login Cracking | Recovering user credentials by running brute-force attacks on VPN authentication protocols | ike_scan

5. Availability attacks
These attacks impede delivery of wireless services to legitimate users, either by
denying them access to WLAN resources or by crippling those resources.
Type of Attack | Description | Methods and Tools
AP Theft | Physically removing an AP from a public space | "Five finger discount"
Queensland DoS | Exploiting the CSMA/CA mechanism | An adapter that supports CW Tx mode
Beacon Flood | Generating thousands of counterfeit beacons to make it hard for stations to find a legitimate AP | FakeAP

To begin with, let us look at the common vulnerabilities of wireless networks, which in further pages will be given practical examples of exploitation.

Wi-Fi and Wi-Max Vulnerabilities and Exploitation techniques:
Nowadays, for a common user, wireless is synonymous with Wi-Fi. Wi-Fi refers to a network running on a wireless LAN. When we refer to a wireless WAN or MAN, it is called Wi-MAX. Wi-Fi serves household and corporate needs for interconnectivity: Wi-Fi technology connects printers to computers, gaming consoles to routers, and so on.
Wi-MAX serves a larger interoperable network. Wi-MAX can be used to provide internet services to a larger area, where it can serve households, mobile phones and even Wi-Fi hotspots. Wi-Fi and Wi-MAX both have security issues that affect a user's data privacy.
Wi-Fi uses three types of encryption standards to encrypt the authentication keys:
1. WEP - Wired Equivalent Privacy:
Wired Equivalent Privacy is an easily broken security algorithm for IEEE 802.11 wireless networks, introduced as part of the original 802.11 standard ratified in September 1999.
2. WPA - Wi-Fi Protected Access:
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2.
3. WPA2:
Short for Wi-Fi Protected Access 2, the follow-on security method to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks.
Based on the encryption and the location of the access point, many attacks can be listed:
- Fragmentation attack
- Chop-Chop attack
- WPS relay attack
Basically, Wi-Fi exploitation techniques are divided into two types:
1. External Wi-Fi Exploitation Techniques
2. Internal Wi-Fi Exploitation Techniques
It is common for researchers to think that Wi-Fi security issues are limited to cracking the keys and getting authenticated to use free Wi-Fi, but this is not the case. There are multiple attack vectors that can be used to misuse the architecture of Wi-Fi.
External Wi-Fi Techniques:
The main goal of an attacker targeting a Wi-Fi network is to crack the encryption. An attacker would look for vulnerable APs to authenticate to, in order to perform further exploitation. For use with Backtrack or Kali Linux you can use the following reference links to buy network cards:
http://www.amazon.com/Alfa-Wireless-Original-Screw-On-9dBi/dp/B001O9X9EU
http://www.dx.com/p/alfa-usb-6000mw-802-11b-g-n-150mbps-wi-fi-wireless-network-adapter-black-115748
It is very easy to find and detect Wi-Fi: if you have a laptop, you can see a list of available wireless networks and then connect to one of those networks, no matter where you are. The wireless networks appear only if your computer has a wireless network adapter and driver installed and the adapter is enabled.

In Linux it is similar. Here we use the Wicd Network Manager to do this.

It is also observed that most enterprise Wi-Fi networks have their BSSID, or the Wi-Fi's name if we speak in normal terminology, hidden. For this purpose we use inSSIDer. inSSIDer is the most popular free and open source Wi-Fi scanning tool available today. It is easy to use and understand, without all the confusing configuration. After installation, running inSSIDer will automatically select your wireless adapter and start scanning for available access points.

Initially, after finding the access points, you need to plan what is to be done with them. Usually the attacker is breaking the encryption keys and trying to connect to use free internet.
There are different kinds of attacks that can be used, based on the encryption standard and the location of the access point.
As mentioned earlier, WEP, WPA and WPA2 all have different attack vectors. WEP uses secret keys to encrypt data; both the AP and the receiving stations must know the secret keys. There are two kinds of WEP, with keys of either 64 bits or 128 bits. The longer key gives a slightly higher level of security. In fact the user keys are 40 bits and 104 bits long, the other 24 bits in each case being taken up by a variable called the Initialization Vector (IV). WEP is relatively easy to crack for the following reasons:
- IV values can be reused
- IV length is too short
- Weak keys are susceptible to attack
- Master keys are used directly
- Message integrity checking is ineffective
So if you find a WEP-encrypted Wi-Fi, consider yourself lucky, because it would be very easy to crack that network and break in.

Cracking WEP Networks Using Automated crackers:

To crack WEP, WPA or WPA2 you will need to set up a Linux system, preferably Backtrack or Kali Linux, which you already know about by now.
Cracking WEP is so automated nowadays that you do not even need to code custom scripts or such coded mayhem to do so. An open source tool called Fern Wi-Fi Cracker is suitable for cracking a WEP-encrypted Wi-Fi network.
You can use the command below in the Backtrack or Kali Linux terminal to find it:
locate fern
Or you can just browse for Fern in the tools menu in Backtrack; it is very easy to find. After you have found Fern, we have some clicks to make and the WEP will be easily cracked. First you will need to select the interface.

After doing so you will need to click on the second option, "Scan for all Access points in Range".

Then you will hopefully find a WEP network, and you will need to select it.
As discussed earlier, ARP Request Replay is the fastest attack that can be used to crack a WEP key. Just click on Attack, and it will take about 1-2 hours, depending on your network adapter card, to crack the wireless network.

Cracking WEP is very easy nowadays, but WPA/WPA2 are harder because much more complex algorithms are associated with these standards.
Cracking WPA/WPA2 using the WPS vulnerability:
Through a WPS configuration vulnerability, a WPA/WPA2-enabled network can also be compromised as easily as WEP. For this particular purpose we use Reaver-WPS. It is mostly observed that large password dictionaries and rainbow tables are required in the cracking process of WPA/WPA2, but the WPS vulnerability allows an attacker to brute force the WPS PIN, thus gaining the WPS shared key and then finding out the authentication key as well.
Reaver-WPS performs a brute force attack against an access point's Wi-Fi Protected Setup PIN. Once the WPS PIN is found, the WPA PSK can be recovered and, alternately, the AP's wireless settings can be reconfigured.
In order for Reaver to start the brute force you will need to supply the BSSID of the network. First put the interface into monitor mode with the command
airmon-ng start wlan0

Next, after seeing the monitor interface working, find the BSSID by running airodump on the interface supplied:
airodump-ng wlan0
This will provide you with a list of APs that have WPA/WPA2 configured on them to choose from.
Then it is relatively simple to put Reaver to work (angle brackets mark the values you supply):
reaver -i <monitor interface> -b <BSSID> -vv
Reaver will then take about 3-4 hours to get the WPS PIN and reconfigure the network to obtain the authentication key.

There are many ways to prevent this attack, as it can compromise almost all WPA/WPA2 keys. Since the vulnerability lies in the implementation of WPS, your network should be safe if you can simply turn off WPS (or, even better, if your router doesn't support it in the first place). Unfortunately, even with WPS manually turned off through his router's settings, Reaver was still able to crack this password. The inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable."
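Whether the "disable WPS" setting actually took effect can be checked from the outside, because an AP that still runs WPS advertises it in its own beacons: a vendor-specific information element (OUI 00:50:f2, type 4) carrying TLV attributes such as the WPS state (0x1044) and the "AP Setup Locked" flag (0x1057). The Python below is an added example, not code from this paper or from Reaver: it parses the tagged-parameter area of a beacon, extracts those attributes and reports whether WPS is off, on, or on but locked against further external-registrar PIN attempts. The three beacons are constructed; in practice the raw bytes would come from your own capture of your own AP (for instance the tagged parameters Wireshark shows for a beacon frame).

```python
# Beacon information-element parser and WPS audit. Added example; the beacon
# bytes below are constructed, not captures from the paper.
WPS_OUI_AND_TYPE = bytes.fromhex("0050f2") + b"\x04"   # Microsoft OUI, type 4 = WPS
IE_SSID, IE_VENDOR = 0x00, 0xDD
ATTR_VERSION, ATTR_WPS_STATE, ATTR_AP_SETUP_LOCKED = 0x104A, 0x1044, 0x1057
STATE_CONFIGURED = 0x02


def parse_ies(blob: bytes):
    """Split the tagged-parameter area into (element id, body) pairs."""
    ies, i = [], 0
    while i + 2 <= len(blob):
        eid, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies.append((eid, body))
        i += 2 + length
    return ies


def parse_wps_attributes(body: bytes):
    """WPS attributes are TLVs: 2-byte type, 2-byte length, value (big-endian)."""
    attrs, i = {}, 0
    while i + 4 <= len(body):
        atype = int.from_bytes(body[i:i + 2], "big")
        alen = int.from_bytes(body[i + 2:i + 4], "big")
        value = body[i + 4:i + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated WPS attribute")
        attrs[atype] = value
        i += 4 + alen
    return attrs


def wps_status(ie_blob: bytes) -> dict:
    """What the AP tells the world about WPS in its own beacon."""
    for eid, body in parse_ies(ie_blob):
        if eid == IE_VENDOR and body.startswith(WPS_OUI_AND_TYPE):
            attrs = parse_wps_attributes(body[len(WPS_OUI_AND_TYPE):])
            state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0] == 1
            return {"advertised": True, "configured": state == STATE_CONFIGURED, "locked": locked}
    return {"advertised": False, "configured": False, "locked": False}


def audit_wps(ie_blob: bytes) -> str:
    s = wps_status(ie_blob)
    if not s["advertised"]:
        return "OK: no WPS element in beacon"
    if s["locked"]:
        return "WARN: WPS advertised, AP Setup Locked set (external-registrar PIN attempts refused)"
    return "FAIL: WPS advertised and not locked; the 'disable WPS' setting did not take effect"


# --- constructed beacons for three hypothetical APs ---
def ssid_ie(name: str) -> bytes:
    return bytes([IE_SSID, len(name)]) + name.encode()


def wps_ie(attrs) -> bytes:
    body = WPS_OUI_AND_TYPE
    for atype, value in attrs:
        body += atype.to_bytes(2, "big") + len(value).to_bytes(2, "big") + value
    return bytes([IE_VENDOR, len(body)]) + body


BEACON_WPS_ON = ssid_ie("HomeNet") + wps_ie([(ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02")])
BEACON_WPS_OFF = ssid_ie("HomeNet")
BEACON_WPS_LOCKED = ssid_ie("HomeNet") + wps_ie([(ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"),
                                                 (ATTR_AP_SETUP_LOCKED, b"\x01")])

if __name__ == "__main__":
    for name, beacon in [("wps on", BEACON_WPS_ON), ("wps off", BEACON_WPS_OFF), ("locked", BEACON_WPS_LOCKED)]:
        print(f"{name:8s} {audit_wps(beacon)}")
```

A router whose web interface says WPS is off but whose beacon still carries this element is exactly the case described in the quote above; the beacon, not the settings page, is the ground truth.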

Bypassing MAC filters:

Most of the time there comes a scenario where the attacker has gained the password but is still unable to connect to the access point. One reason behind this is that the access point is using a MAC address whitelist that allows only certain MAC addresses to connect. If you are a Windows user it would be a bit difficult to find out which MAC is allowed or not, but in Linux it is easily found. To bypass MAC filters we follow the steps below.
First, as usual, you will need to put the wireless card into monitor mode:
airmon-ng start wlan0
Then we run airodump to capture the packets between APs and stations to determine which MAC address is whitelisted:
airodump-ng mon0
This assumes that monitor mode is enabled on the mon0 interface.

Here we have the MAC address of the station that is connected to the access point. Now we change our MAC address to that one:
macchanger -m XX:XX:XX:XX:XX:XX wlan0

This will change your MAC address, and then you can easily connect to the access point.
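From the defender's side, a whitelisted address being used by two radios at once is detectable, because every 802.11 station stamps its frames with a 12-bit sequence number that its own radio increments by one per frame. One address driven by two radios produces two interleaved counters, so the sequence numbers seen for that MAC jump backwards and forwards in large steps instead of climbing smoothly. The Python below is an added example, not code from this paper or from the aircrack-ng suite: it takes a monitor-mode capture already reduced to (timestamp, source MAC, sequence number) tuples (an assumption about how you export your capture; Wireshark's wlan.seq field gives the number) and flags the MACs whose counters do not behave. The capture is constructed.

```python
SEQ_MODULO = 4096   # the 802.11 sequence-control field carries a 12-bit sequence number


def detect_sequence_anomalies(frames, max_gap: int = 1000):
    """frames: iterable of (timestamp, source MAC, sequence number) from one channel.
    Returns one alert per frame whose sequence number jumps backwards, or far ahead,
    relative to the last number seen from the same MAC."""
    last_seq, alerts = {}, []
    for ts, mac, seq in frames:
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MODULO   # wrap-aware forward distance
            if gap == 0:          # same number again: an 802.11 retransmission, not an anomaly
                continue
            if gap > max_gap:     # backwards (shows as a huge forward gap) or an implausible leap
                alerts.append({"time": ts, "mac": mac, "previous": last_seq[mac], "seen": seq})
        last_seq[mac] = seq
    return alerts


def suspected_spoofed_macs(frames, min_alerts: int = 2):
    """MACs with repeated anomalies: one odd frame is noise, a pattern is two radios."""
    counts = {}
    for alert in detect_sequence_anomalies(frames):
        counts[alert["mac"]] = counts.get(alert["mac"], 0) + 1
    return {mac for mac, n in counts.items() if n >= min_alerts}


# Constructed sample capture: station ..:01 is the whitelisted laptop; from t=0.07 a
# second radio transmits with the same address, so two counters interleave.
LEGIT, OTHER, WRAPPING = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
SAMPLE_FRAMES = [
    (0.00, LEGIT, 100), (0.01, OTHER, 500), (0.02, LEGIT, 101), (0.03, LEGIT, 102),
    (0.04, OTHER, 501), (0.05, LEGIT, 103), (0.06, LEGIT, 103),   # retransmission
    (0.07, LEGIT, 3000),                                          # second radio, same MAC
    (0.08, LEGIT, 104), (0.09, LEGIT, 3001), (0.10, OTHER, 502), (0.11, LEGIT, 105),
    (0.12, WRAPPING, 4095), (0.13, WRAPPING, 0),                  # legitimate wrap, gap of 1
]

if __name__ == "__main__":
    for alert in detect_sequence_anomalies(SAMPLE_FRAMES):
        print(alert)
    print("suspected:", suspected_spoofed_macs(SAMPLE_FRAMES))
```

The threshold of 1000 leaves room for ordinary packet loss (a few dozen missed frames) while still catching a counter that is thousands of frames away; the wrap from 4095 to 0 is handled by the modulo and raises nothing.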

Internal Wi-Fi Techniques:

Most of the time in a planned attack, the attacker is not just after the Wi-Fi encryption key but wants to penetrate further into the network. Internally, a Wi-Fi network may not be considered a conventional network, because there are several differences. For the sake of research we will emphasize numerous attacks that an attacker may carry out after being authenticated to the network.
Wireless LANs could be used just to network fixed computers, thereby avoiding the cost of cabling. Usually, however, they are used to interconnect highly mobile user populations provisioned with laptop computers. The very nature of the wireless protocols is to make the network user-friendly by facilitating connection to an access point, and thus to the entire network, as the user moves about. That is to say, the system has weak authentication. One can think of the cellular telephone network as a rough analog: the cellular network would not be nearly as useful if users could not move about freely in their home areas and away from home.
Attacking the Access Point with THC Hydra:
Brute force software is used for attacking various types of passwords, such as RAR file passwords, email account passwords, website admin account passwords, router passwords and so on. In order to perform a brute force attack on a Wi-Fi router we will use a tool called THC-Hydra. You can easily find and download it from the web. Although old, this tool does the job really well on Linux.
For this purpose you will need a reachable access point and a well-formed word dictionary. Then open a terminal and type the following command (angle brackets mark the values you supply):
hydra -l <username> -P <password list path> -s <port> <IP address> http-get /

As stated, this is a brute force attack, so it will take some time to work.

After the password has been found it will be reported accordingly.
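The same property that makes this slow for the attacker (every wrong guess is a separate HTTP request that the router answers with 401) makes it loud for the defender. The Python below is an added example, not code from this paper or from THC-Hydra: it reads access-log lines in Common Log Format, which is assumed to be what the router's web server writes (many embedded servers do; adjust the regular expression if yours differs), and raises one alert per source address that accumulates five 401 responses inside any sixty-second window. The log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')


def parse_line(line: str):
    """Return (ip, timestamp, status, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"]), m["req"]


def detect_http_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Alert once per source that produces `threshold` HTTP 401 responses inside any
    `window_seconds` interval. Only 401 counts: a password guesser fails authentication
    on every request, while a real administrator rarely does so five times in a minute."""
    failures, alerts, alerted = defaultdict(deque), [], set()
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, status, _ = rec
        if status != 401:
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "first_seen": q[0], "at": ts, "failures": len(q)})
    return alerts


# Constructed log lines (not from the paper): one normal user who mistypes once,
# one source that guesses seven times in seven seconds and then gets in.
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.1" 401 401',
    '192.168.1.20 - admin [10/Mar/2014:12:00:09 +0000] "GET / HTTP/1.1" 200 2048',
] + [
    f'203.0.113.7 - - [10/Mar/2014:12:01:{s:02d} +0000] "GET / HTTP/1.1" 401 401'
    for s in range(10, 17)
] + [
    '203.0.113.7 - admin [10/Mar/2014:12:01:18 +0000] "GET / HTTP/1.1" 200 2048',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for a in detect_http_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['failures']} failed logins between "
              f"{a['first_seen']:%H:%M:%S} and {a['at']:%H:%M:%S}")
```

The 200 that follows the run of 401s from the same source is the event worth escalating: a burst of failures ending in a success is the signature of a guess that worked, not of a user who gave up.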
Man-in-the-Middle attack Using ARP Spoofing:
MITM attacks are probably among the most potent attacks on a WLAN system. There are different configurations that can be used to conduct the attack. We will use the most common one: the attacker is connected to the Internet using a wireless LAN, and so is the victim. The attacker can use the ARP table to spoof requests on the WLAN in order to view the victim's activities.

To perform this attack we use the arpspoof utility built into Backtrack. Of course you will need to know the victim's IP as well as your own to know who you are spoofing. Initially we need to check whether IP forwarding is enabled, because to accomplish this we will turn the Linux box into a router:
cat /proc/sys/net/ipv4/ip_forward

The value is "0". It should be set to 1. To change the value to 1 enter the following command (the write to /proc has to happen as root as well, which is why tee is used rather than a plain "sudo echo" with a redirect):
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Now, using the command below, check the ip_forward file and make sure the value equals "1":
cat /proc/sys/net/ipv4/ip_forward
An ARP spoofing attack will redirect data from the victim's PC going to its gateway to our machine instead.
sudo arpspoof -i eth1 -t 192.168.1.138 192.168.1.1
The "-i" option specifies the interface. The "-t" option specifies the target IP address. We will now use another ARP spoofing attack to redirect data from the gateway destined for the victim's PC back to our Linux box.
sudo arpspoof -i eth1 -t 192.168.1.1 192.168.1.138

Now we launch driftnet. It is listening.
sudo driftnet -i eth1
As the victim's PC browses the Internet, images that show up in the browser are also displayed on the attacker's Linux machine.
sudo urlsnarf -i eth1
URLsnarf can be used to sniff network traffic and URLs, including the user-agents that identify the browser.
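Both halves of the attack above leave the same trace on the wire: ARP replies in which an IP address is suddenly answered for by a MAC address other than the one it had before, and one MAC answering for two addresses at once (the gateway and the victim). The Python below is an added example, not code from this paper or from the dsniff suite: it parses raw Ethernet/IPv4 ARP payloads (the fixed 28-byte layout), keeps an IP-to-MAC table seeded from a trusted source such as the DHCP lease file, and alerts when a reply contradicts a known binding, rating the gateway's binding as high severity. The packets are constructed and reuse the addresses from the walkthrough above.

```python
import struct
from ipaddress import IPv4Address

ARP_FORMAT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet/IPv4 ARP payload (used here only to build sample traffic)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), IPv4Address(spa).packed,
                       mac_to_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(payload: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": str(IPv4Address(spa)),
            "tha": bytes_to_mac(tha), "tpa": str(IPv4Address(tpa))}


def detect_arp_spoofing(packets, known_bindings: dict, protected_ips) -> list:
    """packets: (timestamp, raw ARP payload). known_bindings seeds IP->MAC from a trusted
    source (DHCP leases, a static table); other IPs are learned on first sight.
    Any reply whose sender MAC disagrees with the recorded binding raises an alert."""
    table, alerts = dict(known_bindings), []
    for ts, payload in packets:
        arp = parse_arp(payload)
        if arp["oper"] != ARP_REPLY:
            continue
        ip, mac = arp["spa"], arp["sha"]
        if ip not in table:
            table[ip] = mac
        elif table[ip] != mac:
            severity = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append({"time": ts, "severity": severity, "ip": ip,
                           "expected": table[ip], "claimed": mac})
    return alerts


def macs_claiming_multiple_ips(packets) -> dict:
    """One MAC answering for several IPs is the signature of a host relaying in the middle."""
    claims = {}
    for _, payload in packets:
        arp = parse_arp(payload)
        if arp["oper"] == ARP_REPLY:
            claims.setdefault(arp["sha"], set()).add(arp["spa"])
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


# Constructed traffic using the addresses from the walkthrough above; MACs are made up.
GATEWAY, VICTIM = "192.168.1.1", "192.168.1.138"
GW_MAC, VICTIM_MAC, THIRD_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"
SAMPLE_PACKETS = [
    (1.0, build_arp(ARP_REPLY, GW_MAC, GATEWAY, VICTIM_MAC, VICTIM)),            # genuine
    (1.5, build_arp(ARP_REPLY, VICTIM_MAC, VICTIM, GW_MAC, GATEWAY)),            # genuine
    (2.0, build_arp(ARP_REPLY, THIRD_MAC, GATEWAY, VICTIM_MAC, VICTIM)),         # "I am the gateway"
    (2.1, build_arp(ARP_REPLY, THIRD_MAC, VICTIM, GW_MAC, GATEWAY)),             # "I am the victim"
    (3.0, build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM, "00:00:00:00:00:00", GATEWAY)),  # request, ignored
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_PACKETS, {GATEWAY: GW_MAC}, {GATEWAY}):
        print(alert)
    print(macs_claiming_multiple_ips(SAMPLE_PACKETS))
```

Seeding the gateway binding matters: a detector that only learns from what it sees will trust whichever reply arrived first, and on a busy network that can already be the forged one.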
Hacking Wi-Fi through Android Phones:
Since this is the modern age of cellular technology, hacking Wi-Fi through a full-fledged PC seems a little outdated. Android technology has propagated into the market very rapidly. Now we are going to talk about how we can hack an internal Wi-Fi network using an Android phone. For this purpose you will need a rooted Android phone, because dSploit and BusyBox demand superuser permissions. For rooting an Android phone, see the link below:
http://lifehacker.com/5789397/the-always-up-to-date-guide-to-rooting-any-android-phone

Step 01: Downloading
The first step is to get a copy of dSploit onto your Android device. You should be
able to download a copy directly from whatever browser you use on your device.
If you have a USB port on your device, you can download it on your desktop and
transfer it with a USB drive.
http://dsploit.net/download/
Step 02: Permissions
You will need to change two things in terms of permissions on your device. The first requirement is that it needs to be rooted; this gives dSploit root access to your wireless interface so that you can put it in promiscuous mode. The second is that you need to allow sideloading of apps, since dSploit is not on the Play Store.
Step 03: Copying and installation
Once you have the APK copied, or downloaded, you will need to install it. The
easiest way is to use a file manager of some kind, navigate to where the file exists,
and select it. The file manager should start up the installer.
Step 04: Starting
When you start up dSploit, it will immediately start listening on the wireless
network you’re connected to. Depending on the hardware available, this may
affect the responsiveness of your device. You can tap on the menu and then on
“Stop Network Monitor”.
Step 05: Wi-Fi cracking
You can tap on the Wi-Fi signal icon to see which networks are visible. You can
click on a network to connect. If it is a ‘secured’ network that is vulnerable to one
of the cracking techniques available, it will be flagged as green, identifying it as
such. Clicking on that network offers you the options of either connecting or
cracking.
There are many other ways to compromise Wi-Fi internally, including:
- Wireless Eavesdropping
- Session Hijacking Using MITM
These will be included with detailed explanation in the upcoming book. Wi-Fi, if not secured both internally and externally, can pose a major threat to the user's privacy and data, which can then result in a major breach.

Figure: Copyright © McAfee
A group of skilled wireless hackers drove around markets, connected to free Wi-Fi hotspots and launched sniffing attacks to steal user credentials, credit card numbers, etc.
Similar to Wi-Fi, the Wi-MAX technology also has security issues in its very architecture. In order to understand WiMAX security issues, we first need to understand WiMAX's working architecture and how its security countermeasures are addressed. By adopting the best technologies available today, WiMAX, based on the IEEE 802.16e standard, can provide strong support for authentication, secure key management, and also control and management of plaintext protection. In order to understand Wi-MAX attacks we need to understand the IEEE 802.16 protocol architecture.

Figure: Infrastructure of Wi-MAX


The MAC layer consists of three sub-layers. The first is the Service Specific Convergence Sub-layer (CS), which maps higher-level data services to MAC-layer service flows. The second is the Common Part Sub-layer (CPS), which is the heart of the standard and is integrated with the security sub-layer; this layer maintains the rules and mechanisms for system access, bandwidth allocation and connection management. The last sub-layer of the MAC layer is the Security Sub-layer, which lies between the MAC CPS and the PHY layer and addresses authentication, key establishment and exchange, and encryption and decryption of the data exchanged between the MAC and PHY layers.
The PHY layer provides a two-way mapping between MAC protocol data units and the PHY-layer frames received and transmitted through coding and modulation of radio frequency signals.
Wi-MAX attacks are classified with respect to these layers. An attacker targeting a Wi-MAX network would rely on layered attack patterns rather than targeting systems through that network.

Jamming and scrambling packets in a Wi-MAX Network:

WiMAX security is focused in the security sub-layer. Therefore the PHY itself is unsecured and is unprotected from attacks targeting the wireless links, such as jamming and packet scrambling.
A jamming attack can be easily performed by hammering the channel with noise strong enough to drastically diminish its capacity. Jamming can be either intentional or unintentional. It is very easy to perform a jamming attack because the necessary information and tools can be easily found in several books and online stores.
For instance, a product named Jammer0086 can be used to jam an entire Wi-MAX network if placed near the frequency emitter. Signals in the lower frequency spectrum that are in proximity to the WiMAX antenna can produce harmonic waves that can overload the WiMAX signal. For example, take an 850 MHz signal and you will find a second harmonic, although not as strong, at 1700 MHz (2 x 850). A third harmonic, much weaker, will be located at 2550 MHz (3 x 850).

Figure: Copyright © Amazon.com
Scrambling is similar to jamming but is only achievable for short intervals of time and is aimed at specific WiMAX frames at the PHY layer. Attackers can scramble the control or management information to affect the desired operation of the network. Parts of the data traffic relating to the targeted SSs can be scrambled, forcing the packets to be transmitted again. Compared to jamming, the scrambling attack is difficult to carry out because of the requirement for the attacker to interpret control information and to send noise packets.

Wi-MAX Masquerading attack:

A masquerade attack is one in which one endpoint assumes the ident
ity of another. WiMAX supports one-way device-level authentication, which is RSA/X.509 certificate-based authentication. The certificate can be reprogrammed in a device by the manufacturer. Therefore sniffing and spoofing can make a masquerade attack possible and easy to carry out.
Identity theft:
An attacker reprograms a device with the MAC address of another device. The address can be stolen by interfering with the transferred messages.

Wi-MAX MITM and DoS:

One of the well-known attacks on wireless networks is the man-in-the-middle attack, found in both IEEE 802.15 networks and IEEE 802.11 networks. IEEE 802.16 networks also suffer from this attack. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances. A man-in-the-middle attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other.
Man-in-the-middle attacks are usually chosen by attackers against public-key infrastructures. In a public-key scenario, the attacker may replace the intercepted public key with a forged public key. Quite often in such cases the victim parties are made to believe that they remain safe in communicating with each other. An SS can be compromised by a forged BS which imitates a legitimate BS. The rogue BS makes the SSs believe that they are connected to the legitimate BS, and thus it can intercept all of the SSs' information. In IEEE 802.16 using PKMv1, the lack of mutual authentication prevents the SS from confirming the identity of the BS and makes a man-in-the-middle (MITM) attack through a rogue BS possible by sniffing the Auth-related messages from the SS.
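The PKMv1 weakness in the last paragraph, and the mutual authentication that PKMv2 added to close it, can be shown as a protocol exchange between an SS and two base stations, one holding a certificate issued by the operator's CA and one holding only a self-signed certificate with the same name. The Python below is an added example, not code from this paper or from any WiMAX implementation: under the PKMv1 flow the SS receives key material with nothing that proves who sent it, so both base stations are accepted; under the PKMv2 flow the BS must return its certificate and sign both nonces and the key material, and only the certified BS passes. The RSA is a deliberately simplified textbook version over fixed primes with a SHA-256 digest and no padding, the message fields are assumptions and not the 802.16 message format, and the names and key material are constructed.

```python
import hashlib
import math
import os


# Toy RSA (fixed primes, no padding), only so the exchange runs self-contained;
# a real BS certificate chain uses properly generated keys and padding.
def make_rsa_key(p: int, q: int) -> dict:
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key: dict, msg: bytes) -> int:
    return pow(digest(msg, key["n"]), key["d"], key["n"])


def verify(pubkey: dict, msg: bytes, sig: int) -> bool:
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(msg, pubkey["n"])


# A certificate here is a subject name and public key signed by an issuer.
def cert_body(subject: str, pubkey: dict) -> bytes:
    return f"{subject}|{pubkey['n']}|{pubkey['e']}".encode()


def issue_cert(issuer_key: dict, subject: str, pubkey: dict) -> dict:
    return {"subject": subject, "pub": pubkey, "sig": sign(issuer_key, cert_body(subject, pubkey))}


def cert_chains_to(ca_pub: dict, cert: dict) -> bool:
    return verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["sig"])


# Constructed keys: operator CA, a legitimate BS certified by it, and a rogue BS
# that can only produce a self-signed certificate carrying the same name.
CA_KEY = make_rsa_key(1000000007, 1000000009)
LEGIT_BS_KEY = make_rsa_key(999999937, 998244353)
ROGUE_BS_KEY = make_rsa_key(2147483647, 4294967291)
LEGIT_BS_CERT = issue_cert(CA_KEY, "bs.operator.example", public(LEGIT_BS_KEY))
ROGUE_BS_CERT = issue_cert(ROGUE_BS_KEY, "bs.operator.example", public(ROGUE_BS_KEY))


def transcript(reply: dict) -> bytes:
    return reply["ss_nonce"] + reply["bs_nonce"] + reply["ak"]


def bs_auth_reply(bs_key: dict, bs_cert: dict, ss_nonce: bytes, version: int,
                  ak: bytes = b"AK-constructed") -> dict:
    """BS side. PKMv1 hands back key material and nothing that proves who sent it.
    PKMv2 adds the BS certificate, a BS nonce and a signature over both nonces and the AK."""
    reply = {"ak": ak, "ss_nonce": ss_nonce}
    if version == 2:
        reply["bs_nonce"] = os.urandom(8)
        reply["cert"] = bs_cert
        reply["sig"] = sign(bs_key, transcript(reply))
    return reply


def ss_accepts(reply: dict, ss_nonce: bytes, ca_pub: dict, version: int) -> bool:
    """SS side. Under PKMv1 there is nothing to check, so any responder is accepted.
    Under PKMv2 the certificate must chain to the CA and the signature must cover our nonce."""
    if version == 1:
        return "ak" in reply
    return (reply.get("ss_nonce") == ss_nonce
            and cert_chains_to(ca_pub, reply["cert"])
            and verify(reply["cert"]["pub"], transcript(reply), reply["sig"]))


def run_exchange(bs_key: dict, bs_cert: dict, version: int) -> bool:
    ss_nonce = os.urandom(8)
    reply = bs_auth_reply(bs_key, bs_cert, ss_nonce, version)
    return ss_accepts(reply, ss_nonce, public(CA_KEY), version)


if __name__ == "__main__":
    for v in (1, 2):
        print(f"PKMv{v}: legitimate BS accepted={run_exchange(LEGIT_BS_KEY, LEGIT_BS_CERT, v)}, "
              f"rogue BS accepted={run_exchange(ROGUE_BS_KEY, ROGUE_BS_CERT, v)}")
```

The SS nonce inside the signed transcript is what stops a rogue BS from replaying a legitimate reply it captured earlier, and the certificate check is what stops it from presenting its own key under the operator's name; both checks are absent in the version 1 path.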

RFID and UAVs Vulnerabilities and Exploitation techniques:
Radio-Frequency Identification (RFID) tags were first developed as very small electronic components whose key operation is to broadcast a unique identifying number upon request.
RFID can be defined as:
- Wireless transmission between transponder and reader
- Read/write operation transfer
- Auto-correlation between an object and saved data
RFID tags do not have a built-in power source and are incapable of I.R. activity. They are powered by the RF waves received by the receiver, their antenna coupling inductively to the source. RFID being a new technology, the low cost and high convenience of RFID tags open the possibility of major deployments for automating business applications. However, current RFID protocols are designed to optimize performance, with less attention paid to resilience and security. The following components are required in an RFID network.
- Tags: An RFID tag is often confused with an RFID label. A tag is a transponder mounted on a substrate. It can be embedded in packaging or stuck on with adhesive.
- Readers: RFID systems can be classified by the type of tag and reader. A Passive Reader Active Tag (PRAT) system has a passive reader which only receives radio signals from active tags (battery operated, transmit only).
Signaling between the reader and the tag is done in several different, incompatible ways, depending on the frequency band used by the tag. Tags operating in the LF and HF bands are, in terms of radio wavelength, very close to the reader antenna, because they are only a small percentage of a wavelength away. In this near-field region the tag is closely coupled electrically with the transmitter in the reader. The tag can modulate the field produced by the reader by changing the electrical loading the tag represents.

Detecting an RFID-enabled Device:

With some basic parts like cardboard and LEDs we can easily make a device that detects RFID-enabled systems. According to Instructables there is an easy method to make a device that lights up and tells you when an RFID reader or device is nearby.
To make the device you will need a simple piece of cardboard, some copper tape, a soldering iron, an LED and a capacitor.
First you will need to loop the copper tape four times, as shown in the image below.
Solder both ends together. Then connect the LED and the capacitor, and you have your RFID device detector.

After that simple device is made we will look at three kinds of attacks related to RFID exploitation techniques:
1. RFID system destruction attacks
2. RFID data collection attacks
3. RFID relay attacks
Consider the image below.
Figure: Copyright © RFID Handbook
The image above shows all the possible attacks on RFID systems. Mostly the endpoints compromised by an attacker are the transponder and the reader itself.

Destroying and Jamming an RFID System:

An RFID system can be physically targeted and destroyed easily because of the weak manufacturing standard of RFID systems. The functions of an RFID system can be temporarily or permanently disrupted in three ways.

Shielding an RFID system

An RFID system can be disrupted by mechanical means. This attack focuses on having the transponder component de-tuned. There are two ways an RFID transponder can be temporarily detuned if an attacker has physical access to the antenna that transmits the network data packets:
1. Wrapping a metal foil around the antenna
2. Using a capacitive or inductive dielectric to detune the UHF antenna
There are also multiple ways to permanently disrupt RFID communications. We will look at one of them, which is to generate a strong magnetic field to disrupt the system and cease its operations permanently. We will require an iron rod, wire cutters and copper wire.
1. Select a piece of iron for the magnetic core. A 6 to 8 inch long piece of iron, such as a large nail or spike, will create a powerful magnetic field, but you can use smaller or bigger rods if you prefer.
2. Wrap the rod in magnet wire (see Resources). Start at one end and wrap the wire all the way to the other end. Cut the wire, leaving several inches of loose wire hanging off either end. Wrap it as tightly as you can; the tighter the wire wrapping, the stronger the magnetic field.
3. Tape the magnet wire to the iron rod to hold it in place.
4. Strip the insulation off the last inch of each end of the magnet wire by heating it with a lighter or match. Clean off any residue with a clean cloth.
5. Stick the exposed ends of the magnet wire under the coils of a lantern battery. This will cause current to flow through the magnet, creating a magnetic field.

Figure: Copyright © Instructables
Now bring it to within about 25 cm of the RFID system; this will cause the radio waves to fluctuate along their paths and the system will eventually cease functioning due to the high amount of magnetism. Other methods include chemical or mechanical demolition of the RFID chips, which could permanently destroy the system. A very serious option for destroying an RFID chip is using a microwave oven, but that would also affect the oven itself.
Jamming an RFID system:
Just like any other radio system, an RFID network can be a subject of jamming.
This requires the attacker to stop the transmission and reception of radio
waves at both ends. Jamming is the use of an electronic device to disrupt the
reader's function. In this section we will also get a glimpse of how RFID
networks can be used to steal data. It should be noted that RFID chips are very
similar to barcodes, except that a barcoded card has to be visible to the
reading device to get access to the system, while an RFID tag can be read
through its outer covering.
Back in 2005 an RFID tag was read at about 69 feet; the distance now claimed for
reading devices is as long as 500 feet. The main reason a person would block
RFID communication between a device and an endpoint is to gain access to
sensitive areas. Here we look at how an attacker could jam communication
between two endpoints.
The simplest way to do this is to introduce a noise signal at the system's
carrier frequency, 13.56 MHz for HF tags (as presented at Black Hat), into the
medium.
Yet another simple way, if you have access to the device, is to wrap two sheets
of aluminium foil over it.

[Figure: a commercial RFID jammer listed on ebay.com]
Such devices can easily be bought from web stores. To quote an example, the
researcher who jammed the Israeli e-voting system followed the same method of
transmitting a strong signal on the carrier frequency.
DoSing an RFID network:
RFID networks can be disabled when specially designed tags are used to
overwhelm a reader's capacity to tell tags apart. The reader's anti-collision
(singulation) algorithm is turned against it: a tag that answers on both the 0
and the 1 branch of every query in the reader's tree-walking protocol makes the
reader believe that every possible ID is present, on the order of 100 million
tags in one place, which overloads its capacity to enumerate tags and
effectively turns it off. The fake "tags" are simply every combination of 0s
and 1s of the ID length.

An RFID DoS attack can be carried out very simply by implementing this
behaviour and reprogramming an RFID tag (or a tag emulator) with it; the tag
then exploits the reader to cause a temporary or permanent denial of service.
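The following Python, an added example and not code from the page, simulates the reader's binary tree-walking singulation over a few constructed tag IDs and then adds a blocker tag that answers on both branches. It also shows the selective (privacy) use of the same trick, where only one subtree of the ID space is blocked. The tree-walking protocol itself is a standard singulation scheme; that the page's "anti-collision algorithm" attack targets it is an assumption.

```python
"""Tree-walking anti-collision and a blocker tag (added example, not from the
page).  Tags are modelled as fixed-length bit-string IDs; the reader asks every
tag whose ID starts with a prefix to send its next bit.  A blocker tag always
answers with both bits, so from the reader's point of view every ID under the
blocked prefix exists.
"""


def tree_walk(tags, id_bits, blocker_prefix=None):
    """Singulate tags by binary tree walking.

    tags: set of ID strings, each id_bits long.
    blocker_prefix: None for no blocker; "" for a full blocker that floods
    the whole ID space; a prefix such as "1" for a selective blocker that
    only floods the subtree used as a privacy zone.
    Returns (ids_the_reader_believes_it_saw, number_of_reader_queries).
    """
    found, queries = [], 0
    stack = [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:
            found.append(prefix)  # a complete ID: the reader "sees" a tag
            continue
        queries += 1
        # Every real tag under this prefix answers with its next bit.
        answers = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        if blocker_prefix is not None and prefix.startswith(blocker_prefix):
            answers = {"0", "1"}  # the blocker forces a collision on every query
        for bit in sorted(answers, reverse=True):
            stack.append(prefix + bit)
    return found, queries


def demo(id_bits=8):
    """Compare an honest population, a full blocker and a selective blocker."""
    real = {"00001111", "10101010", "11110000"}  # constructed sample tags
    honest = tree_walk(real, id_bits)
    flooded = tree_walk(real, id_bits, blocker_prefix="")
    selective = tree_walk(real, id_bits, blocker_prefix="1")
    return {
        "honest": (sorted(honest[0]), honest[1]),
        "full_blocker": (len(flooded[0]), flooded[1]),
        "selective_blocker": (len(selective[0]), selective[1]),
    }


if __name__ == "__main__":
    print(demo())
```

With 8-bit IDs the honest walk needs 21 queries to find three tags, while the full blocker already forces 255 queries and 256 phantom tags; a real 96-bit EPC ID space makes the walk 2^96 queries long, which is the denial of service. The selective blocker leaves the unblocked half of the space readable, which is the defensive (privacy) use of the same technique.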
Another way of jamming an RFID network is a desynchronization attack, which is
one kind of DoS attack. The shared secret values held by the tag and the
back-end server are made inconsistent by the attacker, typically by blocking the
last message of a key-update protocol so that only one side rolls its key. After
that the tag and the back-end server cannot recognise each other and the tag
becomes disabled.
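The exchange described above, as an added example that is not part of the original paper: a minimal key-rolling authentication between a tag and a back-end server in Python, with the attacker dropping the server's acknowledgement. The protocol and key derivation are assumptions made for the demonstration, not a specific standard; the fix shown (the server keeping the previous key) is the usual countermeasure.

```python
"""Desynchronisation of a tag/server key-update protocol (added example, not
from the page).  Protocol assumed here: the server sends a nonce, the tag
answers with an HMAC under the shared key, the server checks it, rolls the key
and returns an acknowledgement; the tag rolls its own key only when the
acknowledgement verifies.  An attacker who drops that acknowledgement leaves
the two sides holding different keys."""
import hashlib
import hmac
import os


def mac(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()


def derive(key, nonce):
    """Next key; both sides compute it from the current key and the nonce."""
    return hashlib.sha256(b"roll|" + key + b"|" + nonce).digest()


class Tag:
    def __init__(self, key):
        self.key = key

    def respond(self, nonce):
        return mac(self.key, nonce)

    def confirm(self, nonce, ack):
        """Roll the key only if the server proves it has rolled too."""
        new_key = derive(self.key, nonce)
        if ack is not None and hmac.compare_digest(mac(new_key, nonce), ack):
            self.key = new_key
            return True
        return False


class Server:
    def __init__(self, key, keep_previous=False):
        self.key = key
        self.previous = None
        self.keep_previous = keep_previous  # the fix: remember the last key

    def verify(self, nonce, response):
        """Return an acknowledgement for a valid tag, else None."""
        candidates = [self.key]
        if self.keep_previous and self.previous is not None:
            candidates.append(self.previous)
        for key in candidates:
            if hmac.compare_digest(mac(key, nonce), response):
                new_key = derive(key, nonce)
                self.previous, self.key = key, new_key
                return mac(new_key, nonce)
        return None


def session(server, tag, drop_ack=False):
    """One authentication round; drop_ack models the attacker blocking the
    server's last message.  Returns whether the server accepted the tag."""
    nonce = os.urandom(16)
    ack = server.verify(nonce, tag.respond(nonce))
    if ack is None:
        return False
    tag.confirm(nonce, None if drop_ack else ack)
    return True


def desync_demo(keep_previous):
    """Run a normal round, an attacked round, then a normal round again and
    return the server's verdict for each."""
    key = hashlib.sha256(b"constructed shared secret").digest()
    server, tag = Server(key, keep_previous), Tag(key)
    return [session(server, tag),
            session(server, tag, drop_ack=True),
            session(server, tag)]


if __name__ == "__main__":
    print("vulnerable:", desync_demo(keep_previous=False))
    print("fixed:     ", desync_demo(keep_previous=True))
```

In the vulnerable run the attacked round still succeeds from the server's point of view, which is what makes the attack quiet: nothing is logged until the next time the tag is presented and fails. With the previous key retained the server resynchronises from whichever key the tag is actually on, so a single dropped message can no longer disable the tag.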

Collecting data through RFID exploitation:


As previously discussed, man-in-the-middle attacks are applicable to all types
of network. Similarly, in an RFID network an attacker who intercepts the link
between an endpoint and a device can perform four kinds of attack: spoofing,
cloning, eavesdropping and skimming. All of them require the attacker to get
into the communication path and then carry out the specific steps described
below.
Spoofing an RFID device
We have heard of spoofing the physical (MAC) address of a PC's LAN card to
bypass several protection mechanisms. Consider RFID tag spoofing a far more
dangerous technique that attackers use to gain access to, or covertly perform
malicious activities in, sensitive areas. An RFID spoofing attack may occur at
different frequencies. The attack is carried out in two steps:
1. Reading and storing the UID and memory data from the RFID tag
2. Emulating the tag, transmitting the stored UID and memory data to the reader
Easier said than done: spoofing an RFID tag is relatively difficult compared to
other RFID attacks. But in some cases, for instance for low-frequency (125 kHz)
tags that simply broadcast a fixed ID, it is easy. A spoofing device for such
low-frequency tags can be built from simple components.
Components required:
- Enamel coated solid core copper wire
- An NPN transistor
- A 10 kOhm resistor
- A 10 nF capacitor (0.01 uF)
- Insulation
- An Arduino board
The C (Arduino) code for the RFID spoofing device is available at:
http://www.scribd.com/doc/30215336/RFID-Faker-Code
Next, use the components to build the circuit shown in the diagram below.
The Arduino tunes and de-tunes the coil antenna through the transistor: when
pin 9 is low the antenna is tuned, and when the pin is high the transistor
loads the coil and "de-tunes" it. Switching the load in the right sequence
modulates the reader's field, which is exactly how a real tag sends its data
(load modulation). The code generates a tag ID of ten hex F's; if that is what
you see in your reader, the device is working. Just remember to hold the coil
in close proximity to the reader.
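The sequence that the tune/de-tune loop has to play out is fixed by the tag format. As an added example, not the page's Arduino sketch, the following Python builds the 64-bit EM4100 frame (the common format for 125 kHz read-only tags; that the faker targets this format is an assumption) for any 40-bit UID including the ten-F test ID, checks a received frame's parity, and recovers a UID from a continuously repeating chip stream the way a reader does. The mapping of Manchester half-bits to coil states is an assumption stated in the code.

```python
"""Encode and decode EM4100-style 125 kHz tag frames.

Added example (not the page's Arduino sketch).  It builds the 64-bit frame a
read-only LF tag transmits and the Manchester chip sequence the coil-switching
loop plays out; the mapping of half-bits to the tuned/de-tuned states is an
assumption, stated in manchester_chips().
"""

HEADER = [1] * 9  # nine consecutive 1s; the parity layout never produces this in data


def em4100_frame(uid_hex):
    """Build the 64-bit EM4100 frame for a 40-bit UID given as 10 hex digits.

    Layout: 9 header ones, then 10 rows of 4 data bits each followed by an even
    row-parity bit, then 4 even column-parity bits, then a 0 stop bit.
    """
    if len(uid_hex) != 10:
        raise ValueError("EM4100 UID is 40 bits = 10 hex digits")
    bits = [int(b) for b in format(int(uid_hex, 16), "040b")]
    rows = [bits[i:i + 4] for i in range(0, 40, 4)]
    frame = list(HEADER)
    for row in rows:
        frame += row + [sum(row) % 2]
    frame += [sum(r[c] for r in rows) % 2 for c in range(4)]
    frame.append(0)
    return frame


def em4100_decode(frame):
    """Validate a 64-bit frame and return the UID as 10 uppercase hex digits,
    or None if the header, any parity bit or the stop bit is wrong."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        return None
    rows = []
    for i in range(10):
        row = frame[9 + 5 * i: 9 + 5 * i + 5]
        if sum(row[:4]) % 2 != row[4]:
            return None
        rows.append(row[:4])
    for c in range(4):
        if sum(r[c] for r in rows) % 2 != frame[59 + c]:
            return None
    value = 0
    for r in rows:
        for b in r:
            value = (value << 1) | b
    return format(value, "010X")


def manchester_chips(frame):
    """Manchester-encode the frame into half-bit coil states.

    Assumption: a 1 bit is sent as (tuned, de-tuned) and a 0 bit as
    (de-tuned, tuned), with 0 = coil tuned (pin low) and 1 = coil de-tuned
    (pin high).  Every bit therefore has exactly one transition in its
    middle, which is what the reader's clock recovery relies on.
    """
    out = []
    for bit in frame:
        out += [0, 1] if bit else [1, 0]
    return out


def find_uid_in_stream(chips):
    """Recover a UID from one revolution of a cyclic chip stream of unknown
    phase, the way a reader does: try both half-bit alignments, decode the
    bits, and look for the 9-bit header at every position."""
    seq = chips + chips  # unwrap the cycle so a frame straddling the end is seen whole
    for offset in (0, 1):
        pairs = [seq[i:i + 2] for i in range(offset, len(seq) - 1, 2)]
        bits = [1 if p == [0, 1] else 0 if p == [1, 0] else None for p in pairs]
        if None in bits:
            continue  # a pair with no transition means this alignment is wrong
        for start in range(len(bits) - 63):
            window = bits[start:start + 64]
            if window[:9] == HEADER:
                uid = em4100_decode(window)
                if uid is not None:
                    return uid
    return None


if __name__ == "__main__":
    f = em4100_frame("FFFFFFFFFF")
    print("".join(map(str, f)))
    print(find_uid_in_stream(manchester_chips(f)))
```

For the ten-F test ID the frame is nine 1s, ten rows of 11110, four 0 column-parity bits and a 0 stop bit. The parity check is also why a single bit error on the air makes a reader silently drop the frame rather than return a wrong ID, and why a faker with a badly timed switching loop shows nothing at all in the reader.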
In an attack scenario, consider an employee with an all-access RFID pass to a
sensitive area. The attacker brings a reader within range of the victim's badge
and records its ID. Loaded into the faker device, that ID is then held up to the
door reader, which accepts the spoofed badge and lets the attacker into the
area.

Cloning an RFID device


Also referred to as emulation, cloning is a technique that makes one RFID device
an exact and permanent replica of another. Cloning and spoofing differ in that
spoofing stores and replays the data of a previously read RFID device for a
temporary effect that fades away, while cloning emulates an RFID device on a
permanent basis.
The idea of creating an RFID cloner came from the wish to create an
environment for developing and experimenting with different RFID applications.
An RFID cloner can be used as a backup device as well as an impersonation
device.
For instance, if a person has lost his car keys and has an emulator that backed
up the key's security codes, the emulator can serve as a backup key. An
attacker who can get close enough to the victim's RFID device can clone it and
its codes to gain access to the victim's assets.

To build an RFID cloning device, refer to the link below, which is Offensive
Security's own method for cloning RFID tags with the Proxmark 3:
http://www.offensive-security.com/offsec/cloning-rfid-tags-with-proxmark-3/
Eavesdropping and Skimming on an RFID device
Eavesdropping and skimming are similar processes with one important difference.
Eavesdropping is passive: the attacker listens in on a legitimate transaction
between a reader and a tag on the RFID network without transmitting anything.
Skimming is active: the attacker's own reader powers and interrogates one
targeted token and reads the data from it.
In a skimming attack there are two distances that an attacker considers:
- The distance at which the attacker can power the token and issue a
  command.
- The distance at which the attacker can power the token, issue a command
  and recover the response.
In an eavesdropping attack there are three distances that an attacker keeps in
mind:
- The distance at which the attacker can detect a transaction, i.e. he can see
  activity on the forward channel (reader to tag) but cannot reliably recover
  the actual data.
- The distance at which the attacker can reliably recover the data sent on the
  forward channel.
- The distance at which the attacker can reliably recover the data sent on the
  backward channel (tag to reader), which is much weaker because the tag only
  modulates the reader's field.

We describe these attacks for 13.56 MHz (HF) systems, but they can be carried
out on the other frequency bands as well.
An attacker can execute an eavesdropping attack if he acquires a suitable
antenna, an RF receiver and a method to sample and record the data. An
inexpensive RF receiver can easily be made from three functional units:

1. Antenna: enamelled copper wire and adhesive copper tape can easily be
used to construct HF loop antennas of different sizes and numbers of turns.
2. Mixer: the mixer's function is to move the spectral band of interest to a
chosen intermediate frequency (IF), or to baseband through direct
down-conversion.
3. Filter bank: filtering isolates the band of interest and rejects the
unwanted frequencies.
The attacker then needs to capture and demodulate the signal from the receiver.
The sample rate depends on the output of the receiver, since the rate needs to
be at least twice the highest frequency component of interest (Nyquist). An
RFID receiver can be built by reference to the following link:
http://www2.eng.cam.ac.uk/~dmh/ptialcd/trf/trf.htm
The skimming attack, as described earlier, occurs when an unauthorized reader
gains access to data stored on a token. In this scenario the attacker tries to
read the token without the victim knowing.
Ideally the attacker must increase the operational range of his reader to avoid
raising suspicion. Increasing the range is not a new technical challenge, and
methods for doing this are in fact described in application notes by several
RFID chip manufacturers. For this purpose we look at a more practical scenario,
skimming contactless payment cards. Theoretically, a skimmer could build such a
device and walk through a crowd, lifting information from nearby credit cards
with RFID tags.
An RFID skimmer consists of the following components:
- An antenna
- A power amplifier
- A buffer
- A power supply (+12 V)
Building an RFID skimmer is a relatively complex task compared to building any
other RFID device. The circuits and the components need to be carefully tuned
to perform a skimming attack. This is best explained in the reference given
below.
http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html
The above article gives clear and complete steps for building an RFID skimmer
that performs the attack.

RFID Relay attacks (Non-contact range):


This is a perfect example of a man-in-the-middle attack on an RFID network. A
relay attack is a rather complex type of attack that is carried out without
physical access to the RFID tag and beyond the tag's normal range. The attack is
carried out by placing a relay between the victim's tag and the reader: in
essence a pair of devices, one emulating a tag and one acting as a reader,
connected by a long-range communication link.
There are two devices involved in a relay attack:
1. Ghost
2. Leech
These devices collaborate with each other and forward signals to each other in
order to replay the victim's tag to the victim's reader. The reader and the tag
are fooled into thinking they are communicating with each other directly, when
in fact both are talking to the attacker's relay.
A leech is the device that sits next to the victim's tag, acts as a reader
towards it and forwards the tag's responses to the ghost.
A ghost is the device that sits next to the reader and impersonates the tag
with the data received from the leech.
It should be noted that relay attacks are carried out in specific scenarios
only. The attacker has a large degree of freedom in performing these attacks
and designing the system. Relay attacks become feasible for the attacker by
increasing one or more of the following ranges:
- Range between the leech and the tag
- Range between the ghost and the reader
- Range between the ghost and the leech
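The relay and the distance-bounding countermeasure, as an added example not from the paper: the leech/ghost pair is modelled in Python as a link that carries the reader's challenge to the real tag and brings the answer back with extra latency. All timings (tag processing time, relay latency, the reader's allowance) and the challenge-response scheme itself are constructed assumptions for the demonstration.

```python
"""Relay attack on a challenge-response tag and a distance-bounding check
(added example, not from the page).  The leech and ghost are modelled as a
link that forwards the reader's challenge to the real tag and returns its
answer with extra latency; timings are constructed numbers, not measurements."""
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s


def mac(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Tag:
    def __init__(self, key, processing_s=5e-6):
        self.key = key
        self.processing_s = processing_s  # assumed time to compute the answer

    def answer(self, challenge):
        return mac(self.key, challenge), self.processing_s


def direct_link(tag, distance_m):
    """The legitimate case: the tag is distance_m from the reader."""
    def send(challenge):
        response, t = tag.answer(challenge)
        return response, t + 2 * distance_m / C
    return send


def relay_link(tag, reader_to_ghost_m, leech_to_tag_m, relay_latency_s):
    """Ghost at the reader, leech at the victim's tag, joined by a link with
    one-way latency relay_latency_s (for example a few ms over a mobile network)."""
    def send(challenge):
        response, t = tag.answer(challenge)  # the leech queries the real tag
        rf = 2 * (reader_to_ghost_m + leech_to_tag_m) / C
        return response, t + rf + 2 * relay_latency_s
    return send


class Reader:
    def __init__(self, key, max_distance_m=None, processing_allowance_s=10e-6):
        self.key = key
        self.max_distance_m = max_distance_m  # None: no distance bounding
        self.processing_allowance_s = processing_allowance_s

    def authenticate(self, link):
        """Check the MAC and, if distance bounding is on, the round-trip time."""
        challenge = os.urandom(16)
        response, round_trip_s = link(challenge)
        if not hmac.compare_digest(mac(self.key, challenge), response):
            return "bad-mac"
        if self.max_distance_m is not None:
            bound = 2 * self.max_distance_m / C + self.processing_allowance_s
            if round_trip_s > bound:
                return "too-far"  # genuine answer, but it arrived too late to be local
        return "ok"


def demo():
    """Honest and relayed sessions against a naive and a distance-bounding reader."""
    key = hashlib.sha256(b"constructed tag key").digest()
    tag = Tag(key)
    naive = Reader(key)
    bounded = Reader(key, max_distance_m=1.0)
    honest = direct_link(tag, 0.1)
    relayed = relay_link(tag, 0.1, 0.1, 2e-3)
    return {
        "naive_honest": naive.authenticate(honest),
        "naive_relayed": naive.authenticate(relayed),
        "bounded_honest": bounded.authenticate(honest),
        "bounded_relayed": bounded.authenticate(relayed),
        "wrong_key": bounded.authenticate(direct_link(Tag(b"other"), 0.1)),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC check alone cannot tell the relayed session from the honest one, because the response really does come from the victim's tag. What gives the relay away is time: the answer arrives milliseconds later than light travel and the tag's own processing allow. The bound here is dominated by the 10 µs processing allowance (light travels about 3 km in that time), which is why real distance-bounding protocols use many rapid single-bit rounds with almost no processing on the tag side.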
Now that we have an idea of how relay attacks work, for demonstration purposes
we will review the newly proposed Israeli voting system, which was based on
contactless smart cards, and how it is vulnerable to an RFID relay attack.
The working scheme as published by the Israeli Election Commission follows
these steps:
1. A voter enters the premises of the voting booths.
2. His ID card is verified and he is assigned a voter number along with a smart
card to confirm his voting action.
3. He then goes to the voting booth, where there is complete privacy. On the
way he passes through a scanner, which in fact has an RFID reader installed in
it, to confirm that the voter's vote is being cast and mark him in the
attendance column.
4. He casts his vote, leaves and disposes of the RFID card.
This is all legitimate, so how can it be misused? There are several flaws in
this voting system, all because of the RFID-based wireless smart card.
During the research it was found that many false votes could be cast on behalf
of voters who were not even on the premises, because those voters were victims
of an RFID relay attack.
The attackers had leech devices in range of the victims' cards and ghost devices
at the voting booths. This allowed them to cast votes on behalf of victims who
had never been to the voting booth.
There are more practical implementations of this kind of attack as well. An
RFID relay device kit can easily be purchased online and attacks of this type
performed with it. One example is shown here:
http://www.buyincoins.com/item/34868.html#.U7xMFfldXww
Hacking UAVs
RFID is only one aspect of how wireless devices are vulnerable. Another area of
wireless signal analysis is the UAV, Unmanned Aerial Vehicle or drone. Many
countries have this technology, which relies on radio links to communicate
between the ground control station and the aircraft. Basically, UAVs are
remote-controlled aircraft that can carry cameras, sensors and weapons over
enemy territory.
The decade since 9/11 has seen these remote aircraft rise in prominence from
speculative prototypes to America's primary counterterrorism weapon. With a
range of 10,000 miles (16,000 km), the largest drone, Northrop Grumman's RQ-4
Global Hawk, cruises at high altitude, loitering over an area for up to 30
hours and producing high-quality surveillance images with its suite of sensors.
Even a comparatively simple drone such as the Predator has many components. A
four-cylinder, four-stroke, 101-horsepower engine, the same type commonly used
on snowmobiles, turns the main drive shaft, which rotates the Predator's
two-blade, variable-pitch pusher propeller.
The rear-mounted propeller provides both drive and lift. The remote pilot can
alter the pitch of the blades to increase or decrease the altitude of the plane
and reach speeds of up to 135 mph (120 kts). Additional lift is provided by the
aircraft's 48.7-foot (14.8-meter) wingspan, allowing the Predator to reach
altitudes of up to 25,000 feet (7,620 meters).
The slender fuselage and inverted-V tails help the aircraft with stability, and
a single rudder housed beneath the propeller steers the craft.
The GPS antenna is located at the mid-centre of the UAV to allow maximum
exposure to the satellites. A camera and sensor array performs the image
monitoring, and of course the propeller propels the aircraft.

The drone works on principles that are different from those of a normal
aircraft.
[Figure: how a drone is controlled. Source: Washington Post]
The UAV works on the principle of link switching. When the UAV takes off it is
initially connected to and controlled through the ground control station, which
controls its movement and monitors the video that is sent back. The ground
station's line-of-sight range is limited, so beyond a certain distance the link
is extended via a satellite.
The UAV is then controlled through the satellite, and its commands and
navigation data are issued through it. The position of the drone is determined
from the GPS satellites in view.
A GPS receiver works with one of two kinds of signal:
1. the encrypted military signal (P(Y) code)
2. the open civilian Coarse/Acquisition (C/A) signal
Military drones such as the Predator use the encrypted military GPS signal,
which cannot be forged without the key, to resist interference and, most
importantly, attackers. When communication between the drone and the ground
station is lost, the drone tries to reconnect to the last known link and keeps
searching for it until it is reconnected; if it never reconnects it continues
to fly until the fuel runs out and it crashes.
In 2011 Iran claimed to have hacked a US RQ-170 Sentinel stealth drone. To show
how drones can be hacked and what vulnerabilities currently put them at risk,
we take that incident as the initial reference.
The drone was reportedly landed intact near Kashmar in Iran. Basically there
are two issues in a drone's internal systems that Iran is said to have used,
and that can still be used against UAVs:
1. the drone's autopilot (lost-link) mode
2. the search through available link frequencies
It is the behaviour of any aircraft to try to reconnect when the control signal
is lost. In an aircraft such as a Boeing there are pilots on board to control
and command it until the link is restored. In a drone, until reconnection the
aircraft switches into autopilot mode, flies its pre-programmed contingency
route, and at the same time keeps searching the valid frequencies for a control
link, all within the military band. Iran claimed to have broken into the
encrypted military link and flooded the UAV with connection attempts, which led
eventually to loss of the original signal; then came the device called the
"spoofer". By feeding the drone false GPS signals it was, by that account,
completely controlled by the Iranian team and landed.
It is also possible to hack UAVs that rely on the civilian C/A signal, because
no security control is applied to that signal: civilian GPS signals are
completely open and unauthenticated, so they are easy to spoof. The spoofer's
signals only have to arrive at the receiver with more power than the genuine
satellite signals. There are many dangers here, as said earlier.
In the near future we are going to have drones in the airspace, sharing it with
airliners and military aircraft. An attacker on the ground could steer such a
drone into the path of a Boeing and cause mayhem it was never designed for.
Like drones, any device that relies on GPS navigation can be fed false
coordinates and hijacked.
There are a number of ways to fix this issue in drones. One, which is less
secure, is to change the receiver design so that it relies only on the
authenticated satellite signal; another is to authenticate the signal at the
source and reduce the timing slack between the genuine signals so that spoofed
signals cannot be substituted. One way or another drones may still be hacked,
because the design itself has issues.
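As an added example, and not a mitigation the paper describes, the following Python applies two receiver-side plausibility checks that any GPS-guided system can run on its position fixes: an implied-speed check against the airframe's maximum speed, and a check for a sudden rise in carrier-to-noise ratio, since a spoofer has to out-power the genuine satellite signals. The fixes, the speed limit and the thresholds are constructed for the demonstration.

```python
"""Receiver-side sanity checks against GPS spoofing (added example; not a
mitigation described on the page).  Fixes are constructed: a UAV flying north
at about 60 m/s whose reported position suddenly jumps 11 km while the signal
gets abruptly stronger, which is what a spoofer overpowering the real
satellites looks like from inside the receiver."""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def flag_spoofed_fixes(fixes, max_speed_mps, max_cn0_rise_db=8.0):
    """fixes: list of (t_seconds, lat, lon, cn0_dbhz).  Each fix is compared
    with the last trusted fix; it is rejected if it implies a speed the
    airframe cannot reach, or if the carrier-to-noise ratio jumps by more than
    max_cn0_rise_db.  Returns a list of (index, reason) for rejected fixes."""
    rejected = []
    trusted = None
    for i, (t, lat, lon, cn0) in enumerate(fixes):
        if trusted is None:
            trusted = (t, lat, lon, cn0)  # first fix is taken on trust
            continue
        t0, lat0, lon0, cn0_0 = trusted
        dt = t - t0
        if dt <= 0:
            rejected.append((i, "time-not-increasing"))
            continue
        speed = haversine_m(lat0, lon0, lat, lon) / dt
        if speed > max_speed_mps:
            rejected.append((i, f"implied speed {speed:.0f} m/s"))
            continue
        if cn0 - cn0_0 > max_cn0_rise_db:
            rejected.append((i, f"C/N0 rose {cn0 - cn0_0:.1f} dB"))
            continue
        trusted = (t, lat, lon, cn0)  # accepted: becomes the new reference
    return rejected


def sample_track():
    """Constructed data: 1 Hz fixes, honest for t=0..4, spoofed from t=5.
    0.00054 degrees of latitude per second is roughly 60 m/s."""
    honest = [(t, 34.0 + 0.00054 * t, 58.0, 42.0 + (t % 2)) for t in range(5)]
    spoofed = [(t, 34.10 + 0.00054 * (t - 5), 58.0, 56.0) for t in range(5, 8)]
    return honest + spoofed


if __name__ == "__main__":
    for index, reason in flag_spoofed_fixes(sample_track(), max_speed_mps=100.0):
        print(f"fix {index} rejected: {reason}")
```

Every fix after the jump stays rejected because each one is compared with the last trusted fix rather than with the previous spoofed one. A spoofer who instead starts in agreement with the true position and drifts it away slowly would pass this test, which is why such checks complement, rather than replace, an authenticated signal.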
Bluetooth and Mobile networks Vulnerabilities and
Exploitation techniques:
It has been easy to connect mobile devices with each other using Bluetooth.
Invented by telecom vendor Ericsson in 1994, Bluetooth is the wireless
technology standard for exchanging data over short distances between fixed and
mobile devices and for building personal area networks (PANs).
Bluetooth is a standard wire-replacement communications protocol designed
primarily for low power consumption, with a short range, based on low-cost
transceiver microchips in each device.

Bluetooth exists in many products, such as telephones, tablets, media players,
robotics systems, handhelds, laptops and console gaming equipment, and some
high definition headsets, modems and watches. The technology is useful when
transferring information between two or more devices that are near each other.
Four protocols are central to Bluetooth connectivity and to the attacks below:
Link Manager Protocol (LMP): The LMP messages are used to set-up links,
maintain security, and maintain control in these piconets.
Logical Link Control and Adaptation Layer Protocol (L2CAP): L2CAP resides in the
data link layer. It is layered over the Baseband Protocol of the Bluetooth
specification.
Service Discovery Protocol (SDP): The Service Discovery Protocol (SDP) provides a
mechanism for applications to discover which services are available and to
determine the characteristics of those services.
RFCOMM: The RFCOMM protocol provides Bluetooth devices with serial port
emulation.

Too often, individuals abandon proper setup of systems for the convenience of
"out-of-the-box" configurations. Bluetooth, like any other technology, can be
quite complex and cumbersome to configure correctly.
Bluetooth enabled devices are becoming more prominent in everyday life. Cell
phones, headsets, PDAs, digital cameras, Bluetooth accessories such as PCMCIA
cards, and mobile computers are just a few of these devices. Together they
cover a significant portion of an individual's everyday life. The average
person may not be aware of what Bluetooth technology is, or is too busy to be
concerned with proper setup. This leaves them, as well as the information
contained on these devices, vulnerable to attack.
Like all wireless attacks, Bluetooth attacks are much the same but with
different scenarios. Bluetooth has the same attack scenarios as all the other
wireless networks:
1. MITM
2. Eavesdropping
3. DoS
4. Sniffing
5. Spoofing
But since the dawn of modern cellular technology, Android, iOS and the other
mobile operating systems have each attracted hacking in their own ways.

Hacking Bluetooth Devices Kali Linux:


Bluetooth enabled devices can be hacked using a Linux distribution. Initially we
will look at how to attack Bluetooth devices using Kali Linux. Your laptop's
built-in Bluetooth adapter is usually not usable from a VM, so you will need an
external USB Bluetooth adapter, bought online or from your local store.
Next, connect it to your VM or dual-boot machine and check for the Bluetooth
interface using:
hciconfig

Next, to check the interface that is connected:

hciconfig hci0

Scan for all discoverable devices with Bluetooth enabled:

hcitool scan

Now select and copy one Bluetooth address and check that the device is alive
using the l2ping utility:
l2ping [BT-address]
Now open the utility called btscanner:
btscanner
There you will have a list of scan types.

Press "i" to start an inquiry scan.

It will give the same list of targets.
Now select a device and press Enter, and it will show you the information it can
gather about that device, including:
1. Device name and class
2. Manufacturer (from the address) and LMP/Bluetooth version
3. The services the device advertises
And more.

In order to discover hidden (non-discoverable) Bluetooth devices we use a
utility called RedFang. It is used to discover hidden Bluetooth devices on the
premises by brute-forcing addresses.
In RedFang the user has to supply a range of addresses to check for
availability (a Bluetooth address is 12 hex digits):
./fang -r XXXXXXXXXXXX-XXXXXXXXXXXX
There are many utilities to perform Bluetooth attacks. Some of them are:
Bluebugger: exploits the BlueBug vulnerability
BTBrowser: browses a device's services and files without permission
BlueScanner: same purpose as RedFang
BTCrawler: performs a Bluesnarfing attack
There are many other utilities available to compromise Bluetooth devices
because of vulnerabilities in their internal architecture.
There are several ways to attack cars over their wireless interfaces as well.

That and more wireless attacks will be discussed in the complete edition of this
research paper, in the form of the book "Attacking the Air".
Conclusion:
All the wireless attacks discussed in this research paper were part of the
theoretical research carried out on various endpoints used in wireless
technology. Countless attack vectors exist in the technological aspects of
wireless security that are left unpatched. To sum it all up, wireless
technology has matured to a stage where it is a very common deployment.
Wireless attacks have also evolved as the security standards evolved. Current
protection mechanisms and detection tools have not matured to a stage where
detection is sufficiently reliable.
This paper looked primarily at attacks on Wi-Fi, WiMAX, UAVs, RFID tags,
voting systems and Bluetooth enabled devices for the wireless link, but once
that is breached the attacker will employ traditional attack strategies against
the higher-level applications. Thus defenders ought to look at defense in depth
rather than concentrating their efforts on wireless defenses alone.
In the meantime, enterprises seeking to deploy wireless technologies for
whatever reason should stay aware of current standards and of software and
hardware releases, so as to better mitigate the risks brought about by these
wireless deployments. We are wide open to attack and prey to attackers if we are
wirelessly connected. This proves that convenience does not always make us
secure.

Ending Note:
This research paper concentrated on various wireless attacks; most of them were
defined well for the ease of the reader. Like every written or complex piece of
work this one also has mistakes and issues, because it was created by a human
being, and human beings make mistakes; if we did not, we would be in the
heavens with the angels.
References:
Websites:
www.instructables.com
www.google.com
www.securitytube.net
www.offensive-security.com
www.linuxjournal.com
www.wireless-security.com

Books:
Wireless Penetration Testing Backtrack 5
RFID Handbook
Wireless Hacking Exposed
Bluetooth hacks V1

“Dedicated to all my friends and teachers”
