Each time a new wireless technology is released, there seems to be a tendency to forget the past. Wireless hacking didn't begin when the first 802.11 equipment rolled out; it has been going on for years. Wireless hacking has existed since the days when wireless was used exclusively for voice and video transmission. Early owners of C-band satellite dishes soon learned that it was possible to pick up all sorts of video signals without paying. After all, the telecommunications industry never imagined that homeowners would place 8 to 12 feet satellite dishes in their backyards. It's true that these signals were eventually encrypted, but for a while complete access was available to those willing to set up a dish.
Anyone remember their first cordless phone? The early ones had no security at all. If you and your neighbor had the same type of cordless phone, there was a good chance that you could get a dial tone on his line or even overhear his phone calls. Many models had 6 to 10 frequencies to choose from in the 900Hz range, but if someone deliberately wanted to overhear your phone call, it wasn't that hard. Individuals who were serious about cordless phone hacking would go so far as to wire a CB antenna to the cordless phone and attempt an early version of wardriving to find vulnerable phone systems to exploit. Others simply bought scanners to listen to anyone's phone call that was within the required range. Although modern wireless phones have moved into the gigahertz range and now use dozens of channels, they are still vulnerable to eavesdropping if someone has the right equipment.
Satellite TV has been battling hackers for years, from the early days when signals were unencrypted to more modern times when DIRECTV and DISH Network became the two main satellite TV providers. Satellite hacking started in the mid-70s when hackers started constructing homemade electronics and military surplus parts to construct systems that were capable of receiving HBO. By the late 1970s, satellite dealerships started opening up all around the U.S. People who lived outside cities or who didn't have access to cable TV were especially interested in these systems. Although satellite TV providers were concerned that these individuals were getting their signals free, they were more concerned that some cable providers were also getting the signals, charging their customers, but not passing those profits back. Cable companies were pirating from them. This led to the development of the Videocipher II satellite encryption system.
At the time of its release, the Videocipher II satellite encryption system was deemed as unbreakable and is based on Data Encryption Standard (DES) symmetric encryption. It wasn't long before a whole series of vulnerabilities were released for the Videocipher II satellite encryption system. One of the first was the Three Musketeers attack. Its name originated from the fact that as the hacker subscribed to at least one channel, he had access to all. Many more attacks followed. They all focused on the way the decryption system worked, not on cracking DES. Eventually, the analog satellite providers prevailed and implemented an encryption system that was technically robust enough to withstand attack.
Captain MidnightThe Man Who Hacked HBO
During the mid-1980s, satellite communications was going through a period of change. Services, such as HBO, Showtime, and The Movie Channel, begin to encrypt their channels. Up to this point, home satellite owners had been getting a free ride. John R. MacDougall, a satellite TV dealership owner, made a quick decision that something should be done to speak out about these changes. His solution was to knock HBO off the air. John had a part-time job at the Central Florida Teleport, a satellite uplink station. On Saturday April 26, 1986, John repositioned the satellite dish that he controlled to point at Galaxy 1, the satellite that transmits HBO. For four and a half minutes, HBO viewers in the eastern United States saw this message:
FROM CAPTAIN MIDNIGHT
NO WAY! (SHOWTIME/MOVIE CHANNEL BEWARE)
During these four and a half minutes, there was a fight between the HBO uplink in New Jersey and the uplink in Florida that John was running to overpower the other's signal. In the end, HBO gave up and let the rogue signal continue unimpeded.
By July of the same year, the FBI had identified John R. MacDougall and brought charges against him. He received a $5,000 fine and one year's probation. Congress subsequently raised the penalty for satellite interference to a $250,000 fine and/or 10 years in jail to dissuade others from attempting the same feat. The FCC also implemented strict rules requiring that every radio and television transmitter use an electronic name tag that leaves a unique, unchangeable electronic signature whenever it is used.
DIRECTV and DISH Network decided to take another approach and implemented smart card technology. Both these systems also came under the attack of determined hackers. Over a period of years, DISH Network and then finally DIRECTV were capable of defeating most of these hacking attempts. DIRECTV dealt a major blow to hackers in 2001 after it finished uploading new dynamic code into its smart chips and killed over 100,000 hacked boxes in one night. DIRECTV wanted the hacking community to know that the company was winning, so the first 8 bytes of all hacked cards knocked out that night were signed with the message that read "GAME OVER."
Cell phone providers, similar to the other wireless industries discussed, have been fighting a war against hackers since the 1980s. During this time, cell phones have gone through various advances as have the attacks against these systems. The first cell phones to be used are considered First Generation (1G) technology. These analog phones worked at 900MHz. These cell phones were vulnerable to a variety of attacks. Tumbling is one of these attacks. This technique makes the attacker's phone appear to be a legitimate roaming cell phone. It works on specially modified phones that tumble and shift to a different pairs of electronic serial number (ESN) and the mobile identification number (MIN) after each call.
1G cell phones were also vulnerable to eavesdropping. Eavesdropping is simply the monitoring of another party's call without permission. One notable instance was when someone recorded a cell phone call between Prince Charles and Camilla Parker Bowles, which came to be known as Camillagate. In another case of eavesdropping, a cell phone call was recorded in which Newt Gingrich discussed how to launch a Republican counterattack to ethics charges. Other types of cell phone attacks include cell phone cloning, theft, and subscription fraud. Cloning requires the hacker to capture the ESN and the MIN of a device. Hackers use sniffer-like equipment to capture these numbers from an active cell phone and then install these numbers in another phone. The attacker then can sell or use this cloned phone. Theft occurs when a cellular phone is stolen and used to place calls. With subscription fraud, the hacker pretends to be someone else, uses their Social Security number and applies for cell phone service in that person's name but the imposter's address.
These events and others led the Federal Communications Commission (FCC) to the passage of regulations in 1994, which banned the manufactured or imported into the U.S. scanners that can pick up frequencies used by cellular telephones or that can be readily altered to receive such frequencies. This, along with the passage of Federal Law 18 USC 1029, makes it a crime to knowingly and intentionally use cellular telephones that are altered, and to allow unauthorized use of such services. The federal law that addresses subscription fraud is part of 18 USC 1028 Identity Theft and Assumption Deterrence.
For the exam, you should know that Federal Law 18 USC 1029 is one of the primary statutes used to prosecute hackers. It gives the U.S. federal government the power to prosecute hackers who produce, use, or traffic in one or more counterfeit access devices.
Besides addressing this problem on the legal front, cell phone providers have also made it harder for hackers by switching to spread spectrum technologies, using digital signals, and implementing strong encryption. Spread Spectrum was an obvious choice, as it was used by the military as a way to protect their transmissions. Current cell phones are considered 3G. These devices work in the 2GHz range, offer Internet access, and offer broadband wireless.
Bluetooth technology was originally conceived by Ericsson to be a standard for a small, cheap radio-type device that would replace cables and allow for short range communication. Bluetooth started to grow in popularity in the mid to late 1990s because it became apparent that Bluetooth could also be used to transmit between computers, to printers, between your refrigerator and computer, or a host of other devices. The technology was envisioned to allow for the growth of personal area networks (PANs). PANs allow a variety of personal and handheld electronic devices to communicate. The three classifications of Bluetooth include the following:
Bluetooth operates at a frequency of 2.45GHz and divides the bandwidth into narrow channels to avoid interference with other devices that use the same frequency. Bluetooth has been shown to be vulnerable to attack. One early exploit is Bluejacking. Although not a true attack, Bluejacking allows an individual to send unsolicited messages over Bluetooth to other Bluetooth devices. This can include text, images, or sounds. A second more damaging type of attack is known as Bluesnarfing. Bluesnarfing is the theft of data, calendar information, or phone book entries. This means that no one within range can make a connection to your Bluetooth device and download any information they want without your knowledge or permission. Although the range for such attacks was believed to be quite short, Flexilis, a wireless think-tank based in Los Angeles, has demonstrated a BlueSniper rifle that can pick up Bluetooth signals from up to a mile away. Some tools used to attack Bluetooth include
Bluejacking involves the unsolicited delivery of data to a Bluetooth user, whereas Bluesnarfing is the actual theft of data or information from a user.
What's important about each of these technologies is that there is a history of industries deploying products with weak security controls. Only after time, exposed security weaknesses, and pressure to increase security do we see systems start to be implemented to protect the nescient technology. Wireless LANs, a widely deployed and attacked technology, is discussed next.
Part I: Exam Preparation
The Business Aspects of Penetration Testing
The Technical Foundations of Hacking
Footprinting and Scanning
Enumeration and System Hacking
Linux and Automated Security Assessment Tools
Trojans and Backdoors
Sniffers, Session Hijacking, and Denial of Service
Web Server Hacking, Web Applications, and Database Attacks
Wireless Technologies, Security, and Attacks
IDS, Firewalls, and Honeypots
Buffer Overflows, Viruses, and Worms
Cryptographic Attacks and Defenses
Physical Security and Social Engineering
Part II: Final Review
Part III: Appendixes
Appendix A. Using the ExamGear Special Edition Software