It has been wonderful hearing feedback about last month’s article, titled How Secure is Your Corporate Wireless?
We discussed the content with several customers, who raised understandable concern about their wireless security. One customer I spoke with asked a great question: “Just how easy is it to hack wireless?” So I wanted to explore that question a bit more in this month’s blog post, as well as share some tools and tips that the security team here at FRSecure finds very useful during wireless assessments.
The best hacking tools in life are free
One misconception many companies have is that they perceive all attackers as highly educated and trained individuals using advanced, customized tools to launch attacks against a specific target. While those individuals and scenarios certainly do exist, the vast majority of attackers are armed only with a desire to learn, access to Google and YouTube, and a little time. The amount of knowledge that can be gained from free and publicly available resources is staggering – just Google “learn to hack” and you will be treated to over 93 million results containing videos, help sheets, tools, blog posts and podcasts on the topic.
Wireless hacking 101
For hackers-in-training who want to test out their new skills, wireless networks are low-hanging fruit. Just about anyone with an Internet connection has a wireless router, and in most neighborhoods there are several – if not dozens – of access points within reach to attack. So naturally, one of the first things you would learn about wireless hacking is how attackers discover access points. As an example, using a free tool such as Kismet, I was able to drive around the Chaska/Shakopee area and discover all the access points in range of my car:
What is not shown here is that I can easily zoom into this Google map to learn all kinds of interesting things about each access point, including:
- Near-exact physical location
- Encryption type used (the color coding makes it easy to identify which ones have no encryption, which makes them a juicy target)
- Whether the wireless network is “hidden”
The last point about the access point being “hidden” is an important one, because it seems like hiding the presence of your access point would be good security, right? Unfortunately, that’s not the case.
Hiding in plain sight
You may have heard the term SSID before. The SSID is essentially the name of your wireless connection. For example, if you walk into Caribou, your phone might pick up an access point named Caribou or Caribou Coffee, which is the SSID. Now, it is possible to turn the broadcasting of your SSID off so that the casual passerby does not see your wireless being offered. However, it’s important to note that this does not provide any additional security. By using the same Kismet tool I showed above, I’m able to “sniff” the air and see all kinds of access points that people have configured as hidden, and many of them have no encryption to protect the network. To connect to those networks, I could simply get in range of the access point, join the network and attack the connected machines.
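As an added example (not part of the original post, and not Kismet's own code), here is a small audit script over a constructed, simplified survey export with one row per access point: SSID, BSSID, encryption type, hidden flag and signal strength. It ranks access points by the weakness the post describes, open networks first and WEP second, and notes where a "hidden" SSID is doing no work because the network behind it has no encryption. The CSV layout, network names and BSSIDs are all made up for the example; Kismet's real export formats are different.

```python
"""Rank access points from a wireless site survey by encryption weakness.

Added example, not code from the original post or from Kismet. The CSV layout
(ssid, bssid, encryption, hidden, signal_dbm) is a constructed simplification;
Kismet's real export formats differ. All SSIDs and BSSIDs below are made up.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed survey. An empty ssid with hidden=1 is a network that does not
# broadcast its name; a sniffer still sees the BSSID and the encryption type.
SAMPLE_SURVEY = """ssid,bssid,encryption,hidden,signal_dbm
Guest-WiFi,00:11:22:33:44:01,OPEN,0,-55
,00:11:22:33:44:02,OPEN,1,-70
HomeNet,00:11:22:33:44:03,WEP,0,-62
,00:11:22:33:44:04,WPA2-PSK,1,-66
CorpWiFi,00:11:22:33:44:05,WPA2-PSK,0,-48
Legacy-Printer,00:11:22:33:44:06,WPA-PSK,0,-80
"""

# Lower tier is weaker. Hidden status deliberately does not affect the tier:
# hiding the SSID is not a security control.
RISK_TIER = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3}
TIER_REASON = {-1: "unrecognised encryption type, review", 0: "no encryption", 1: "WEP (broken)"}
MINIMUM_TIER = 2  # WPA/WPA2 pass this audit; passphrase strength is a separate check


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    encryption: str
    hidden: bool
    signal_dbm: int

    @property
    def tier(self) -> int:
        # Anything unrecognised is treated as worst case until a human reviews it.
        return RISK_TIER.get(self.encryption, -1)

    @property
    def label(self) -> str:
        return self.ssid if self.ssid else "<hidden SSID>"


def parse_survey(text: str) -> list[AccessPoint]:
    """Parse the constructed CSV survey into AccessPoint records."""
    return [
        AccessPoint(
            ssid=row["ssid"].strip(),
            bssid=row["bssid"].strip().lower(),
            encryption=row["encryption"].strip().upper(),
            hidden=row["hidden"].strip() == "1",
            signal_dbm=int(row["signal_dbm"]),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def summarize(aps: list[AccessPoint]) -> dict[str, int]:
    """Count access points per encryption type."""
    return dict(Counter(ap.encryption for ap in aps))


def audit(aps: list[AccessPoint]) -> list[str]:
    """One finding per access point below MINIMUM_TIER, weakest and closest first."""
    failing = sorted(
        (ap for ap in aps if ap.tier < MINIMUM_TIER),
        key=lambda ap: (ap.tier, -ap.signal_dbm),  # strongest signal first within a tier
    )
    findings = []
    for ap in failing:
        note = "; hidden SSID adds no protection" if ap.hidden else ""
        findings.append(f"{ap.bssid} {ap.label!r}: {TIER_REASON[ap.tier]}{note}")
    return findings


if __name__ == "__main__":
    survey = parse_survey(SAMPLE_SURVEY)
    print(summarize(survey))
    for line in audit(survey):
        print(line)
```

Run against the constructed survey it reports the two open networks first (including the one whose SSID is hidden) and the WEP network after them; the WPA/WPA2 networks pass this check and move on to the passphrase question the post raises later. The same structure works on a real export once the column mapping is adjusted to the tool's actual format.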
Bad encryption is barely better than none
On the topic of encryption, in last month’s article I touched on a few encryption types you can use, one of which is called WEP. All you really need to know about WEP is not to use it, as it uses weak encryption that can be easily broken.
To further demonstrate that point, I asked a contact of mine for permission to try to crack the WEP encryption on his wireless router. Using a tool called Wifite, I was able to run a series of attacks and attempt to extract the encryption key. Here’s a screenshot of the tool and its results:
Obviously some information has been obscured intentionally, but essentially the Wifite tool found the access point using WEP, attacked it and cracked the password – all in under 60 seconds. The key (blurred in blue) was presented to me in plain text, and if I were an attacker, I could have simply joined this network, typed in the WEP key, and then attacked all the machines connected to the internal network.
Strong encryption = better security (if implemented correctly)
WPA/WPA2 encryption is probably the most common encryption type we see on our assessments. However, it is still possible to crack the password. The good news is that there are steps you can take to make it much harder for an attacker to discover the password. More on that in a minute, but here are the basic steps involved in a WPA/WPA2 password attack:
- First, the attacker needs to “listen” to discover access points, as well as the machines connected to them. The Wifite tool mentioned above is able to do this:
- Once the target is identified, the attacker can then send specially crafted information to the access point to essentially tell it to kick one or more devices off the wireless network and ask them to reconnect. Here is what that looks like:
- This action is extremely brief – if your laptop or phone were connected to the network, you would never even notice the interruption. When the devices reconnect to the access point, they perform a handshake, which contains the wireless password. The attacker is able to get a copy of this handshake data with ease, as shown here:
Game over, then, right? Well, fortunately, the password is strongly encrypted inside the handshake, so additional effort is needed to extract it.
- At this point, the attacker needs to run a utility that will try every possible password to see if a match is found within the handshake. It is trivial for the attacker to download gigantic lists of passwords from the Internet and then set up a beefy workstation to simply try all the different passwords until there’s a match. Alternatively, the attacker can use online services, such as CloudCracker, which will check the handshake against 300 million passwords in under an hour – all for $17!
To put it simply, if your wireless password is password123, it will be revealed in seconds or minutes. But if your password is LzjK05GcA^Hb!$AEzujk, that will take considerably longer. This is why it is so important not to assume that stronger encryption makes it acceptable to use a weak password.
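To make the comparison concrete, here is an added example (not from the original post) that checks a candidate WPA/WPA2 passphrase the way the attack above would find it: wordlist membership first, then the size of the search space at the post's CloudCracker rate of 300 million guesses per hour. It also shows the per-guess cost an offline attack pays, using the standard WPA2-PSK key derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 rounds, with the SSID as salt). The six-entry wordlist is a constructed stand-in for the "gigantic lists" the post mentions, and the 14-character minimum is an assumed policy value, not something the post prescribes.

```python
"""WPA2-PSK passphrase check: wordlist membership, search-space estimate, and
the per-guess cost an offline dictionary attack has to pay.

Added example, not code from the original post. WORDLIST is a constructed
stand-in for real password lists, GUESSES_PER_HOUR is the post's CloudCracker
figure, and MIN_LENGTH is an assumed policy value. The PMK derivation is the
standard one from IEEE 802.11i.
"""
import hashlib
import string

PBKDF2_ROUNDS = 4096            # fixed by the WPA2-PSK standard
GUESSES_PER_HOUR = 300_000_000  # the post's figure: 300 million passwords in under an hour
MIN_LENGTH = 14                 # assumed policy value
# Constructed, tiny wordlist; real lists hold hundreds of millions of entries.
WORDLIST = {"password", "password123", "letmein", "welcome1", "qwerty123", "iloveyou"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key exactly as the access point and client both derive it.

    An offline attack must run this computation once per candidate passphrase
    and compare the result against the captured handshake, so these 4096
    HMAC-SHA1 rounds are the only thing that slows a dictionary attack down.
    IEEE 802.11i test vector: wpa2_pmk("password", "IEEE").hex() == "f42c6fc5...a12e".
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), PBKDF2_ROUNDS, dklen=32
    )


def charset_size(passphrase: str) -> int:
    """Size of the smallest mix of standard character classes covering the passphrase."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def hours_to_exhaust(passphrase: str) -> float:
    """Worst-case hours to try every string of this length and class mix.

    This assumes the passphrase was chosen uniformly at random, which is why
    wordlist membership must be checked first: "password123" scores tens of
    thousands of years here but falls to a wordlist in seconds.
    """
    return charset_size(passphrase) ** len(passphrase) / GUESSES_PER_HOUR


def assess(passphrase: str) -> dict:
    """Policy verdict. Wordlist membership overrides any length or complexity score."""
    if not 8 <= len(passphrase) <= 63:
        return {"acceptable": False, "reason": "invalid WPA2-PSK length", "hours_to_exhaust": 0.0}
    if passphrase.lower() in WORDLIST:
        return {"acceptable": False, "reason": "in wordlist", "hours_to_exhaust": 0.0}
    hours = hours_to_exhaust(passphrase)
    if len(passphrase) < MIN_LENGTH:
        return {"acceptable": False, "reason": f"shorter than {MIN_LENGTH} characters", "hours_to_exhaust": hours}
    return {"acceptable": True, "reason": "not in wordlist and long enough", "hours_to_exhaust": hours}


if __name__ == "__main__":
    for candidate in ("password123", "Summer2014!", "LzjK05GcA^Hb!$AEzujk"):
        print(candidate, assess(candidate))
    print("PMK for the 802.11i test vector:", wpa2_pmk("password", "IEEE").hex())
```

Two points worth noting from the code. First, the naive search-space figure is only an upper bound: it flatters any passphrase built from dictionary words, so a wordlist check has to come before it, which is the lesson of the password123 comparison. Second, because the SSID is the salt in the key derivation, a passphrase must be recomputed for every SSID; attackers work around that with tables precomputed for common SSIDs, so giving the corporate network a unique SSID is a cheap extra cost to impose on top of a strong passphrase.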
Attacking a wireless access point can be done with minimal cost and effort. It is not enough to simply “hide” your access point. You need to use strong encryption and passwords to make the connections as secure as possible. This, of course, all needs to be done as part of a well-managed information security program.
If you have questions about wireless security, I would be happy to talk about them with you. I can be reached at 952-467-6385 or at [email protected].
Coming up next
In August, I’m going to talk about wireless once more – this time we will discuss the risks of using wifi hotspots. Then in September, we’ll switch gears and talk about passwords, and I’ll show you some secure ways to create and manage them without sticky note reminders taped on your monitor or under your keyboard!