
Advanced Wireless Network Security

WiFi Attacks

Dr. Zafar Iqbal


Assistant Professor
Department of Cyber Security, FCAI.
Air University, Islamabad.

Corporate Computer Security (3rd Edition)
Wired LAN

Corporate Network

Wireless LANs – Wi-Fi (802.11)

• Wireless LANs (WLAN) have more security issues to consider than wired LANs.

• Wireless networks, for example, can be attacked by drive-by hackers who don’t even have to enter the building to gain access to the LAN.

• They can sit across the street, or in an adjacent building, and easily access an internal network without raising suspicions.

Wireless Attacks

• Wireless attacks focus on the access point.

• Wireless 802.11 networks typically have a range of 30 to 100 meters extending in all directions from the AP.

• This allows the attacker to attack the AP, while staying outside the physical boundaries of the corporate site.

Wireless Attacks

Wireless networks are vulnerable merely due to the fact that they need to broadcast over the air.

• Jamming/DoS attacks

• Evil Twin Access Point

• Man-in-the-Middle attack

Jamming DoS Attack

WiFi Spectrum

• Industrial, Scientific, and Medical (ISM) bands

• The ISM bands are located starting at 902 MHz, 2.4 GHz, and 5.8 GHz

[Figure: ISM bands, labelled 902 MHz / 100 MHz, 2.4 GHz / 100 MHz and 5.8 GHz / 150 MHz]

Frequency Bands – ISM and UNII Bands

• Unlicensed National Information Infrastructure (UNII) bands.

• Each one of these UNII bands is in the 5 GHz range and is 100 MHz wide

[Figure: UNII band, labelled 5 GHz / 100 MHz]

Jamming/ DoS Attacks

• This method uses wireless radio transmission techniques to create an attack.

• The attacker uses a powerful antenna and a signal generator, and creates frequency patterns in the same range as the wireless signals.

• The frequency patterns are modulated to create a wireless signal storm.

Jamming/ DoS Attacks

• The frequency storm results in the jamming of the access points as well as the nodes, thus disabling their connectivity.

Mitigation

• Many of the modern networking standards and devices employ techniques to mitigate the threat of jamming (e.g., 802.11n, 802.11ac and above such as 802.11ax are difficult to jam).

802.11ax

• 802.11n is an IEEE (Institute of Electrical and Electronics Engineers) industry standard for local Wi-Fi network communications, ratified in 2009.

• It replaced older 802.11a, 802.11b, and 802.11g Wi-Fi technologies but was superseded by 802.11ac in 2013 and 802.11ax (Wi-Fi 6) in 2019.

• 802.11ay (Wi-Fi 7) is up next.

802.11ac

• Uses dual-band wireless technology,

• Supporting simultaneous connections on both 2.4 GHz and 5 GHz Wi-Fi devices

• Microwave ovens may also interfere with wireless signals due to the radio signals they 'leak' during operation.

• The ability to use 5 GHz on a router avoids these problems

802.11ax

• Faster speeds

• More reliable connections during congestion

• Longer battery life

• Better security

802.11ax

• Faster speeds
• Wi-Fi 6 is nearly three times faster than Wi-Fi 5, and
• Latency is reduced by 75 percent.
• Maximum transfer speeds of 9.6 Gbps vs Wi-Fi 5's 3.5 Gbps

Latency

• How much time it takes for your computer, the internet, and everything in between, to respond to an action you take (like clicking on a link)
• Distance
  • Distance between your computer and the servers
  • Both sides – Round Trip Time (RTT)
  • Propagation delay – how long it takes for your data packets to reach the destination (one side)
• Connection type
  • DSL: 24–42 ms
  • Cable: 15–27 ms
  • Fiber: 10–15 ms
  • Satellite: 594–612 ms

What Is Latency and How Do You Fix It? | Reviews.org

Latency

• WiFi vs. Wired LAN – Which has Reduced Latency?

With Wi-Fi, the signal is transmitted through the air and can be affected by obstacles,
such as walls or other electronic devices, which can cause interference,
reduced signal quality and packet loss, resulting in higher latency.

Wired connections, such as Ethernet cables, tend to have lower latency than
Wi-Fi connections, as they are not affected by interference and offer more
reliable and consistent connectivity.



How to reduce Latency?

• Reduce interference

• Optimize network configuration (bandwidth)

• Wired connection

• Equipment upgrade

• Mesh network – multiple APs

• QoS


Latency

• Quality of Service (QoS)

• Modern routers come with a feature called Quality of Service (QoS).

• QoS prioritizes certain traffic over others.

• For example, you can tell your router to prioritize your desktop computer
over your kiddo’s tablet.

• This means that your computer gets the best possible online performance,
possibly at the cost of your child’s tablet getting a slower internet
connection.



802.11ax

• Faster speeds

• Wi-Fi 6 is nearly three times faster than Wi-Fi 5, and

• Latency is reduced by 75 percent.

• Maximum transfer speeds of 9.6 Gbps vs Wi-Fi 5's 3.5 Gbps

• More reliable connections during congestion

• Longer battery life

• Better security

802.11ax

More reliable connections during congestion

• Older wireless standards use multi-user, multiple input, multiple output (MU-MIMO) to offer four separate streams that equally share in the overall bandwidth of the Wi-Fi connection.

• Wi-Fi 6 upgrades to eight streams per radio band.

• Eight streams – the AP can transmit and receive up to eight data streams simultaneously on a single radio frequency band, and this works on both uploads and downloads.

MIMO

• MIMO routers contain multiple antennas instead of a single antenna.
• Both a Wi-Fi client device and the Wi-Fi router must support MIMO.
• Single User MIMO (SU-MIMO)
  • Manages clients serially.
• Multi User MIMO (MU-MIMO)
  • Manages clients in parallel.

SU-MIMO vs MU-MIMO | Difference between SU-MIMO and MU-MIMO | ytd2525 (wordpress.com)

802.11ax

More reliable connections during congestion


• A similar Wi-Fi 6 feature that alleviates network congestion is called orthogonal
frequency division multiple access (OFDMA).
• OFDMA allows for multiple users to share the same frequency band without interfering
with each other.
• In OFDMA, the available frequency spectrum is divided into multiple subcarriers.
• Each user or device is assigned a subset of subcarriers, which they use to transmit or
receive data.

802.11ax

• Longer battery life


• Target wake time (TWT) is a feature of Wi-Fi 6 that reduces the energy needs of
devices.
• It allows the client device to save power during times when it doesn’t need to deal
with wireless data.

Security

• Security
  • A Wi-Fi 6 device has to support Wireless Protected Access 3 (WPA3), a similar but
    improved security feature related to WPA2.

Evil Twin Access Point

• A dummy access point with exactly the same name is created by the attacker.
• Then, signal power is raised to such an extent that the wireless nodes are fooled into believing
that it is the access point to which they should connect, thus creating a man-in-the-middle situation.
• These dummy access points, also called rogue points, are usually set up in close proximity
to the nodes to be hacked.

Evil Twin Access Point

• A type of rogue access point attack.


• A WAP is installed and configured with a service set identifier (SSID) that is very similar
to the authorized version.
• As users access the twin, their keystrokes are captured in the hope of gaining sensitive
information.
• Can also be considered a type of wireless phishing attack.

Evil Twin Access Point

Evil Twin Access Point Protection – VPN Protection

Man in the Middle Attack

• One of the easiest Wi-Fi attacks to conduct is a Man-in-the-Middle (MITM) attack.


• In a MITM attack, sometimes called DNS spoofing, the cybercriminal puts a Wi-Fi router between the user and the genuine router.
• As a result, your traffic reroutes to the cybercriminal’s router, where they packet sniff to
steal your sent information.
• The cybercriminal then passes on the data packets to the genuine router.

Man in the Middle Attack

• To stop MITM attack from working:


• Use a VPN and encrypt all the data on your network.
• Make all connections encrypted as standard.

Wireless Attacks Detection

• Access Point Monitoring

• Wi-Fi Node Monitoring

• Traffic Monitoring

Access Point Monitoring

• As we learnt, securing the SSID of an access point or wireless router is very important.

• Baseline profile

  • SSID information should be kept safe in a database.

  • Other crucial details such as the MAC ID, the IP restrictions, the wireless channel used, the beacon settings, wireless signal strength and bandwidth type are stored for each corresponding SSID.

Access Point Monitoring

• A wireless monitoring device should be used to detect all stations and access points periodically, and the results are compared with the baseline database created earlier.
• Such routine check audits ensure the integrity of the router settings and thus the overall
wireless network security.
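
The baseline comparison described above, as an added example (not part of the original slides): one periodic scan is checked against the stored AP profile. The data model, field names, severity labels and all sample values are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ApProfile:          # one baseline row per authorized AP radio
    ssid: str
    bssid: str            # AP MAC address ("MAC ID" on the slide)
    channel: int
    rssi_range: tuple     # (min, max) dBm expected at the monitoring sensor

# Constructed baseline and scan data; every value here is made up.
BASELINE = [
    ApProfile("CorpNet", "00:11:22:33:44:01", 6, (-70, -45)),
    ApProfile("CorpNet", "00:11:22:33:44:02", 11, (-75, -50)),
]
SAMPLE_SCAN = [
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:01", "channel": 6, "rssi": -52},
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:02", "channel": 11, "rssi": -30},
    {"ssid": "Corp-Net", "bssid": "02:AA:BB:CC:DD:EE", "channel": 6, "rssi": -40},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:00:00:99", "channel": 1, "rssi": -80},
]

def _norm(ssid):
    # Fold case and punctuation so "Corp-Net" is treated like "CorpNet".
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())

def audit_scan(scan, baseline):
    """Return a list of (severity, bssid, reason) findings for one scan."""
    known = {p.bssid.lower(): p for p in baseline}
    our_names = {_norm(p.ssid) for p in baseline}
    findings, seen = [], set()
    for obs in scan:
        bssid = obs["bssid"].lower()
        seen.add(bssid)
        prof = known.get(bssid)
        if prof is None:
            if _norm(obs["ssid"]) in our_names:
                findings.append(("high", bssid, "our SSID or a lookalike on an unknown BSSID"))
            continue              # unrelated neighbouring network
        if obs["ssid"] != prof.ssid:
            findings.append(("high", bssid, "SSID differs from baseline"))
        if obs["channel"] != prof.channel:
            findings.append(("medium", bssid, "channel differs from baseline"))
        lo, hi = prof.rssi_range
        if not lo <= obs["rssi"] <= hi:
            findings.append(("medium", bssid, "signal strength outside baseline range"))
    for bssid in sorted(known.keys() - seen):
        findings.append(("low", bssid, "baseline AP not seen in scan"))
    return findings
```

The signal-strength check matters because a BSSID can be copied as easily as an SSID; an authorized MAC address heard much louder than its baseline range is worth a site visit.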

Access Point Monitoring

• Along with the access points, each node needs to be monitored too.
• For the nodes, MAC-based security can be configured on the access points, whereby a particular
access point would support only a set of MAC addresses.
• This ensures that the wireless client node cannot roam around beyond the
configured zone, and if such a need arises, the request can be fulfilled via an authorization and approval
process.

Access Point Monitoring

• For large organizations, this can result in a system administration overhead.

• In that case the nodes can be allowed to connect to all access points; however, each of those connections and disconnections can be logged and parsed for anomalous behavior.

Traffic Monitoring

• Network administrators can periodically take samples of data from each access point and check those for denial of service and SYN flood attacks.

• Multiple connections and disconnections on a particular access point from one or more client nodes should also trigger a warning.

• As for Layer-2 attacks, a signal spectrum detection tool can be incorporated too, to detect signal jamming situations.
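
The connection logging described above, as an added example (not part of the original slides): association and disassociation events are counted per access point in a sliding window, and a warning is raised when the count reaches a threshold. The log format, AP names, window and threshold are assumptions; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical "timestamp ap event client" format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 AP-01 assoc aa:aa:aa:00:00:01
2024-05-01T10:00:10 AP-02 disassoc aa:aa:aa:00:00:02
2024-05-01T10:00:12 AP-02 assoc aa:aa:aa:00:00:02
2024-05-01T10:00:15 AP-02 disassoc aa:aa:aa:00:00:03
2024-05-01T10:00:18 AP-02 assoc aa:aa:aa:00:00:03
2024-05-01T10:00:20 AP-02 disassoc aa:aa:aa:00:00:02
2024-05-01T10:00:24 AP-02 assoc aa:aa:aa:00:00:02
2024-05-01T10:09:00 AP-01 disassoc aa:aa:aa:00:00:01
"""

def churn_alerts(log_text, window_s=60, threshold=6):
    """Warn when one AP logs >= threshold connect/disconnect events in window_s.

    Assumes the log lines are in time order; malformed lines are skipped.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # ap -> deque of (time, client) in window
    alerting = set()                 # APs currently above threshold
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("assoc", "disassoc"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        ap, client = parts[1], parts[3].lower()
        q = recent[ap]
        q.append((ts, client))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(ap)         # re-arm once the AP calms down
        elif ap not in alerting:
            alerting.add(ap)
            alerts.append({"ap": ap, "at": parts[0], "events": len(q),
                           "clients": sorted({c for _, c in q})})
    return alerts
```

Listing the clients involved helps triage: churn from a single client may be a driver or roaming fault, while several clients dropping and rejoining the same AP at once fits the warning condition the slide describes.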

Protection System

• For small networks, changing the default password and SSID of the access point is a
must.
• Modern routers are equipped with a feature to disable the broadcasting of SSID, which
should be turned on.
• Periodically changing the SSID is highly recommended, though it can be a tough task for
a large number of wireless access points.
• The wireless signal strength of access points should be adjusted so that it
is adequate for client nodes but does not cross physical building boundaries,
where it can be detected by a "drive-by" attacker.


Thank you !
