WiFi Attacks
Corporate Computer Security (3rd Edition)
Wired LAN
Corporate Network
Wireless LANs – Wi-Fi (802.11)
• Wireless LANs (WLAN) have more security issues to consider than wired LANs.
• who don’t even have to enter the building to gain access to the LAN.
Wireless Attacks
• Wireless 802.11 networks typically have a range of 30 to 100 meters extending in all directions
• This allows the attacker to attack the AP, while staying outside the physical boundaries of the
corporate site.
Wireless Attacks
Wireless networks are vulnerable merely due to the fact that they need to broadcast over
the air.
Jamming/ DoS attacks
Man-in-the-Middle attack
Jamming DoS Attack
WiFi Spectrum
[Figure: ISM band labels: 902 MHz / 100 MHz, 2.4 GHz / 100 MHz, 5.8 GHz / 150 MHz]
Frequency Bands – ISM and UNII Bands
• Each one of these UNII bands is in the 5 GHz range and is 100 MHz wide
[Figure: UNII band label: 5 GHz / 100 MHz]
Jamming/ DoS Attacks
• Attacker uses a powerful antenna and a signal generator, and creates frequency
• The frequency storm results in the jamming of the access points as well as the nodes, thus
Mitigation
• Many of the modern networking standards and devices employ techniques to mitigate
the threat of jamming (e.g., 802.11n, 802.11ac and above such as 802.11ax are difficult
to jam).
802.11ax
• 802.11n is an IEEE (Institute of Electrical and Electronics Engineers) industry standard for
• It replaced older 802.11a, 802.11b, and 802.11g Wi-Fi technologies but was superseded
802.11ac
• Supporting simultaneous connections on both 2.4 GHz and 5 GHz Wi-Fi devices
• Microwave ovens may also interfere with wireless signals due to the radio signals they
802.11ax
• Faster speeds
• Better security
802.11ax
• Faster speeds
• Wi-Fi 6 is nearly three times faster than Wi-Fi 5, and
• Latency is reduced by 75 percent.
• Maximum transfer speeds of 9.6 Gbps vs Wi-Fi 5's 3.5 Gbps
Latency
• How much time it takes for your computer, the internet, and everything in between, to
respond to an action you take (like clicking on a link)
• Distance
• distance between your computer and the servers
• Both sides – Round Trip Time (RTT)
• Propagation delay – how long it takes for your data packets to reach the destination (one side)
• Connection Type
• DSL: 24–42 ms
• Cable: 15–27 ms
• Fiber: 10–15 ms
• Satellite: 594–612 ms
What Is Latency and How Do You Fix It? | Reviews.org
Latency
With Wi-Fi, the signal is transmitted through the air and can be affected by
obstacles, such as walls or other electronic devices, which can cause interference,
reduced signal quality and packet loss, resulting in higher latency.
Wired connections, such as Ethernet cables, tend to have lower latency than
Wi-Fi connections, as they are not affected by interference and offer more
reliable and consistent connectivity.
Reduce interference
Wired Connection
Equipment Upgrade
QoS
• For example, you can tell your router to prioritize your desktop computer
over your kiddo’s tablet.
• This means that your computer gets the best possible online performance,
possibly at the cost of your child’s tablet getting a slower internet
connection.
802.11ax
• Older wireless standards use multi-user, multiple input, multiple output (MU-MIMO) to
offer four separate streams that equally share in the overall bandwidth of the Wi-Fi
connection.
single radio frequency band and works on both uploads and downloads.
MIMO
Security
• Security
• Wi-Fi 6 device, it has to support Wi-Fi Protected Access 3 (WPA3), a similar but
improved security feature related to WPA2.
Evil Twin Access Point
• A dummy access point with exactly the same name is created by the attacker
• Then, signal power is raised to such an extent that the wireless nodes are fooled into
believing that it is the access point to which they should connect,
• thus creating a man-in-the-middle situation.
• These dummy access points, also called rogue points, are usually set up in close proximity
to the nodes to be hacked.
Evil Twin Access Point Protection – VPN Protection
Man in the Middle Attack
Wireless Attacks Detection
Traffic Monitoring
Access Point Monitoring
• As we learnt, securing the SSID of an access point or wireless router is very important.
• Baseline profile
• Other crucial details such as MAC ID, the IP restrictions, the wireless channel used, the
beacon settings, wireless signal strength and bandwidth type are stored for each
corresponding SSID.
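A minimal sketch of the baseline check described above, added here as an illustration and not taken from the slides: each observed beacon for a managed SSID is compared with the stored profile (MAC ID, channel, beacon interval, strongest expected signal). The SSID, MAC addresses, thresholds and the Beacon record are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str               # MAC ID of the AP radio
    channel: int
    rssi_dbm: int            # signal strength measured at the monitoring sensor
    beacon_interval_tu: int  # beacon setting advertised by the AP

# Constructed baseline profile, keyed by SSID (all values are assumptions).
BASELINE = {
    "CorpNet": {
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
        "channels": {1, 36},
        "beacon_interval_tu": 100,
        "max_rssi_dbm": -45,  # strongest level a legitimate AP reaches at this sensor
    }
}

def check_beacon(b, baseline=BASELINE):
    """Return the list of deviations from the baseline for one beacon."""
    profile = baseline.get(b.ssid)
    if profile is None:
        return []  # not an SSID we manage
    findings = []
    if b.bssid.lower() not in profile["bssids"]:
        findings.append("unknown-bssid")
    if b.channel not in profile["channels"]:
        findings.append("unexpected-channel")
    if b.beacon_interval_tu != profile["beacon_interval_tu"]:
        findings.append("beacon-interval-mismatch")
    if b.rssi_dbm > profile["max_rssi_dbm"]:
        findings.append("signal-stronger-than-baseline")
    return findings

def scan_report(beacons, baseline=BASELINE):
    """Map (ssid, bssid) to findings, keeping only beacons that deviate."""
    return {(b.ssid, b.bssid): f for b in beacons if (f := check_beacon(b, baseline))}

# Constructed observations from one sensor sweep.
SAMPLE = [
    Beacon("CorpNet", "02:00:00:aa:00:01", 1, -58, 100),     # matches baseline
    Beacon("CorpNet", "02:00:00:bb:00:99", 6, -30, 100),     # same name, new radio
    Beacon("CorpNet", "02:00:00:AA:00:02", 36, -35, 100),    # known MAC, too strong
    Beacon("CoffeeShop", "02:00:00:cc:00:01", 11, -70, 100)  # unmanaged SSID
]

if __name__ == "__main__":
    for key, findings in scan_report(SAMPLE).items():
        print(key, findings)
```

The third sample shows why the profile stores more than the MAC ID: a copied MAC address passes the address check, but the raised signal power still deviates from the baseline.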
Access Point Monitoring
• Along with the access points, each node needs to be monitored too.
• For the nodes, MAC-based security can be configured on the access points
• whereby a particular access point would support only a set of MAC addresses.
• This ensures that the wireless client node cannot roam around beyond the
configured zone, and
• if such a need arises, the request can be fulfilled via an authorization and approval
process.
Access Point Monitoring
• For large organizations, this can result in a system administration overhead
• In which case the nodes can be allowed to connect to all access points;
• however each of those connections and disconnections can be logged and parsed for
anomalous behavior.
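One way to parse such connection logs, added here as an illustration and not taken from the slides: count disconnects per access point in a sliding time window and report the access points that exceed a threshold. The log layout, AP names, MAC addresses, window and threshold are constructed assumptions, and lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "ts ap=.. client=.. event=.." layout is hypothetical.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ap=AP-1 client=02:00:00:00:00:0a event=assoc
2024-05-01T09:00:05 ap=AP-1 client=02:00:00:00:00:0a event=disassoc
2024-05-01T09:00:06 ap=AP-1 client=02:00:00:00:00:0b event=disassoc
2024-05-01T09:00:10 ap=AP-1 client=02:00:00:00:00:0a event=assoc
2024-05-01T09:00:12 ap=AP-1 client=02:00:00:00:00:0a event=disassoc
2024-05-01T09:00:20 ap=AP-1 client=02:00:00:00:00:0c event=disassoc
2024-05-01T09:00:31 ap=AP-1 client=02:00:00:00:00:0b event=disassoc
2024-05-01T09:02:00 ap=AP-2 client=02:00:00:00:00:0d event=disassoc
2024-05-01T09:12:00 ap=AP-2 client=02:00:00:00:00:0d event=disassoc
"""

def parse(line):
    """Split one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def churn_alerts(lines, window=timedelta(seconds=60), threshold=4):
    """Return {ap: {"peak": n, "clients": set}} for APs that saw at least
    `threshold` disconnects inside any sliding `window`."""
    recent = defaultdict(deque)  # ap -> (ts, client) events still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec["event"] != "disassoc":
            continue
        q = recent[rec["ap"]]
        q.append((rec["ts"], rec["client"]))
        while rec["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(rec["ap"], {"peak": 0, "clients": set()})
            a["peak"] = max(a["peak"], len(q))
            a["clients"] |= {client for _, client in q}
    return alerts

if __name__ == "__main__":
    for ap, info in churn_alerts(SAMPLE_LOG.splitlines()).items():
        print(ap, info["peak"], sorted(info["clients"]))
```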
Traffic Monitoring
• Network administrators can periodically take samples of data from each access point
and check those for denial of service and SYN flood attacks.
• Multiple connections and disconnections on a particular access point from one or more
• As for Layer-2 attacks, a signal spectrum detection tool can be incorporated too, to
Protection System
• For small networks, changing the default password and SSID of the access point is a
must.
• Modern routers are equipped with a feature to disable the broadcasting of SSID, which
should be turned on.
• Periodically changing the SSID is highly recommended, though it can be a tough task for
a large number of wireless access points.
• The wireless signal strength of access points should be adjusted so that it is
adequate for client nodes but does not cross the physical building boundaries,
where it could be detected by a "drive-by" attacker.