10.8. Physical Layer Wireless Attacks

The nature of wireless networks and their infrastructure lays the groundwork for a set of attacks that can be mystifying because they operate on different principles than many network administrators are used to dealing with. Each has a defense, and if it is left undefended, it becomes a future watch point for security administrators.

10.8.1. Hardening Wireless Access Points

Of course, the first attack is no mystery: steal the access point. I have seen access points mounted on walls at just above head height, just below the suspended ceiling. In many cases, they mount by two screws that click in to the back of the unit. If someone removes the unit, she creates a denial of service attack for any users that normally associate with that point.

This attack is effective because, for whatever reason, network administrators are at the time of this writing failing to take seriously the concepts of structured cabling as they apply to wireless. No one interested in maintaining their employment would leave a server, switch, or hub in an exposed physical location. To do so defies the ANSI/TIA/EIA standard 569A regarding telecommunications pathways and spaces. This standard states clearly that telecommunications equipment rooms (formerly called wiring closets) are to be equipped with doors that lock. Cable runs are also within the purview of pathways and spaces, so keeping the wires out of harm's way makes sense; the same warning applies to access points.

A wireless installation that can be effective involves mounting a locking enclosure from the ceiling, and suspending it to align with the suspended ceiling. The cover to the enclosure, usually hinged to allow maintenance access, should be equipped with holes that allow the antennas to protrude down into the work area.

The cost of the enclosure shown in Figure 10-10 is likely several times the price of most access points available from consumer electronics stores. Add the cost of the installation (the enclosure must be suspended from the deck above the suspended ceiling, similar to a large fluorescent light fixture), and possibly the cost of an electrician to bring power to it, and it may become an overwhelming proposition for all but the most serious installations. However, it is often feasible to mount the access point on a wall just above the suspended ceiling. In this way the access point is secured by obscurity. Those who remember back to the days of ThickNet, which also ran above suspended ceilings, can guess what comes next. Do not allow service technicians to remove the suspended ceiling tiles with dirty hands, or at least make sure they lift them with their knuckles instead of their fingers. Otherwise, the location of the access point will soon become obvious from the accumulated fingerprints.

Figure 10-10. A reasonably secure wireless access point that conforms to network wiring standards

By the way, do not consider borrowing some electricity from a nearby fluorescent light. Most modern buildings operate their lights off a higher voltage circuit than what serves the electrical outlets. The higher voltage is more efficient for lighting, but could be disastrous for equipment. Electricians are paid to deal with things that spark. Use them.

Those who wish to disrupt your network, however, know that denying power to an access point is an excellent attack, one that will just about guarantee that the wireless part of the network will shut down. In most buildings, the servers and switches are, or should be, on UPS or backup power. Any laptops attached to the access points will be capable of operating on batteries. The weak link will be the access point, and a failure to protect it may indicate that you did not do enough planning for contingencies.

Securely providing power to an access point is actually a simple matter. There are several products that feature the ability to use Power over Ethernet. PoE works because there are four pairs of wires in an Ethernet cable, but only two are required for most communications at the speed that will serve an access point. The unused pairs carry power to the AP.

Back in the telecommunications room, either the switch feeding the AP is equipped to provide PoE, or the cable is run through a small device that inserts power on the cable. Devices in the telecommunications rooms have the opportunity to use protected power, that is, power that will continue after normal power is gone. This has the potential of making the wireless portion of the network even more robust than the wired section in some cases, because the desktop PCs and possibly even the telephones are likely to use unprotected power.

An alternative approach may be one of several systems that put Ethernet over power lines. The advantage is that two wiring systems, one for data and one for power, are not required. The security aspects of this system are not yet fully explored. In theory, the signals could leave the home or building and be available for interception.

10.8.2. The Tie That Binds

Although stealing an access point is a feasible attack, it leaves the attacker with the problem of having to carry off the unit, and then to dispose of it. It might be attractive to collect various units, but as long as they exist, they are evidence. A more reasonable attack is to simply cut the wires. If the access point is mounted on a wall in a hallway, this can be accomplished with any cutting tool. If PoE is employed, the attacker will likely use a pair of insulated grip wire cutters the second time he tries it because most systems use -48 volts, a telephone company standard.

Conduit or a flexible metallic "whip" can prevent an assault on cabling; however, installation may be costly and, to be truly effective, you may need to modify the case of the access point. A simpler solution again may be to mount the access point above the suspended ceiling. In this case, PoE is highly desirable because appropriate electrical outlets may be hard to find up there. Many facilities run all of their telecommunications wiring above ceilings, which leads to some important considerations:

  • If the area above the ceiling is used as an air return for the HVAC system, that space is known as a plenum. Electrical codes require the use of plenum-rated cables, which are jacketed with materials that will not give off poisonous gas when heated by a fire. These gases could threaten people in other areas of the building because of the shared air handling.

  • If you need to get through a wall that extends from the floor to the ceiling, don't just poke a hole: it could be a firewall. A firewall is designed to seal off smoke and fire for a specified period, giving rescue and salvage workers a chance to work in unaffected areas. Poking a hole in that wall may violate its fire rating, and fire marshals and building inspectors get all excited about that, as do building owners, because it may have insurance ramifications. If you absolutely must go through that wall, look for an existing penetration and try to join it without disturbing the packing and putties that are part of a firewall penetration. Contact a telecommunications wiring specialist if there is any doubt or if you must unavoidably make a penetration.

  • Once it was common to lay cables on top of the suspended ceiling grid. Standards no longer allow this because the metal of the grid can bend the cables tighter than their minimum bend radius and affect performance. ANSI/TIA/EIA-569-A specifies that cable above suspended ceilings must be supported using an independent system of approved devices. That means you cannot use nylon cable ties to suspend network cables on the wires that hang the lights or the ceiling grid, or tie up to a pipe or electrical conduit. But I won't tell.

On the chance that there is no way to avoid hanging an access point on a wall in an exposed area, at least take this simple precaution: run the wire from the telecommunications room to the wall, and terminate it in a wall-mounted jack. Then, use a short patch cord to go from the jack to the access point. This way, if an attacker tries to damage your network by cutting the cable, you can easily replace the patch cord with one of the spares that you keep in your desk drawer. The installation will then adhere to standards. It is also far easier than trying to install a modular 8-pin connector while perched on a stepladder.

10.8.3. Sophisticated Physical Layer Attacks

A more sophisticated physical-layer denial of service attack involves disturbing the medium, which in this case is radio waves. The classic attack is to overwhelm the receiver with noise, a process called jamming. Any generator of radio frequencies (RF) in the 2.4-GHz region for 802.11b and 802.11g, and the 5-GHz region for 802.11a, will suffice. As many surprised owners can tell you, DECT phones, Bluetooth devices, and cordless telephones can all, in some cases, present jamming signals.

A steady jamming signal would be fairly easy to track down using a directional antenna and a laptop set up to do a site survey. This would still be an effective attack, because it would require a sophisticated user to track down the jamming source. Much more devious and hard to trace, however, would be an attack that misuses some principle of the medium itself, for instance, the diversity reception system that is designed to prevent fading as users change their position with respect to each other. As explained previously, due to the wavelengths and the interference patterns involved, sometimes one antenna will have all of the signal, and the other will have none. However, most of the time, both antennas will have a portion of the signal. An effective DoS attack, then, would switch signals from one antenna to the other by introducing one that is stronger, yet invalid, on one of the diversity receive antenna pairs. This signal would not need to be present full time; anything that gates the signal away from where it is supposed to be often enough to cause the receiver to drop the link will suffice. This would be enough to cause missed packets, to necessitate retransmissions to replace them, and in general to plug up the network. And it would be very difficult to track down because it would resemble an interference source.

An example of such interference that causes failure in wireless networks occurred in late 2003 and from a surprising source. Some versions of a Centrino chipset contained a wireless adapter specifically designed to facilitate Wi-Fi communications. This chipset may somehow have interfered with a popular chip family used in many wireless access points. This caused many wireless access point owners to have to either upgrade their BIOSs or retire their access points and switch to a different brand.

Any DoS attack based on mimicking interference is a cause of concern. The attack signatures can be almost invisible to all but the most sophisticated detection systems. Worse, the intruding RF does not have to be locally produced but can be transmitted toward the affected network using a directional antenna or perhaps some form of external amplification, neither too hard to purchase. The advantage of the latter course to an attacker is that it would be much easier to camouflage.

While such a chirping jamming signal eventually can be tracked down, it is not hard to imagine such an attack being used to shift traffic from wireless to wired forms, possibly to enable a secondary exploit of some kind. There is precedent to this. Immediately prior to the Normandy invasion, allied signals and intelligence forces did all that was possible to shut down radio communications among occupation forces, shifting it to wired means, which had been compromised by wiretaps and sabotage. This prevented the command infrastructure from shifting forces from diversionary targets in the north to the actual fronts, giving the allied advance time to establish a beachhead and land resources.

The sure cure for such attacks is based on a two-pronged defense. First, control the pathways and spaces. Unknown persons with stepladders should politely be asked to account for themselves. This is a basic principle of physical security. Second, monitor the network. Many successful administrators keep an eye out for unauthorized rogue access points (access points installed by end users without permission) by using wireless monitoring programs such as NetStumbler or one of several mapping programs designed for the purpose.

10.8.4. Forced Degradation Attacks

In a large wireless installation, users can move from access point to access point, seamlessly being handed off from one BSS (cell) to another. These cells are spaced close enough together that there is some overlap, which ensures that the user never experiences a gap in service. In order to achieve this overlapping coverage, access points are set to one of several patterns of alternating channels. Three channels are enough to cover almost any size building or campus, and channel patterns are well known.

However, the Wi-Fi service is unlicensed, which means that if there is interference, it is up to you to work it out with the interferer. There is no governmental recourse, as exists with licensed services. If more than one organization inhabits a given building, frequency coordination is left to the organizations themselves. This assumes that all involved parties are cooperative and communicative.

The government rightly refuses to regulate Wi-Fi, not because it does not need doing, but because it would take tremendous resources to do so. Years ago, regulators removed a portion of the Amateur radio band and created the Citizens band radio service, so that the common person could use CBs to communicate short distances and from car to base. Unfortunately, the band that was selected, 29 MHz, or 11 meters, was able to skip through the ionosphere, and long distance communication was popular. Operators who modified their equipment to increase its power created great interference. The original 23-channel allotment was not adequate to accommodate all users; it was then increased to 40 channels by taking spectrum away from another service. These additional channels did not help much, and even today CB can often be complete bedlam.

The government got it better with the Family Radio service: its frequency does not skip, and the FM modulation system it uses does not interfere with others. Instead, one signal simply wins out over another. Wi-Fi similarly does not travel further than line of sight (about 23 miles because the earth curves, and it becomes impossible to see the receiving station, even if on a tower). For this reason, illicit power enhancers will not provide greater range. They may, illicitly, help fill out a building that has a dark spot, perhaps, but will never make the system into a long-range communication medium. Extra power and channel assignments to increase throughput generally serve only to interfere with neighboring users. If the interference is intentional, it becomes a denial of service attack via jamming.

Mother Nature can, of course, provide degradation, although it may not be appropriate to call them attacks. Any atmospheric phenomenon that puts water in the air has the potential to disrupt microwave communications. Snow, rain, hail, and sleet, for instance, can cause rain fade. You may have noticed this if you use a satellite television system and have observed changes in the signal that are related to the weather. Wind and ice loading can also temporarily bend an antenna off axis or out of alignment. Lightning can cause momentary interference as well as lasting damage. Even the sun is a powerful generator of radio waves, and can cause interference, particularly if it rises or sets in the path of a wireless bridge or microwave link.

Man-made interference can also present a problem. Airport radar systems can create interference, as can high-powered transmitters of any kind that can react inside the Wi-Fi receive and transmit electronics, setting up spurious signals. And of course, electromagnetic pulse (EMP), the burst of radio frequency energy that accompanies nuclear explosions, or electrochemical or electromechanical devices that simulate EMP, can destroy the electronics of any unhardened radio system.

10.8.5. Eavesdropping Attacks

Most of the concern about wireless is currently around eavesdropping. Most wired communications systems are considered to be bound, that is, the medium is contained in a controlled manner, such as a conduit. This applies to wire and fiber alike. Unbound media, on the other hand, are not restrained to conduits. Wireless, infrared, and free-space laser communication are unbound.

Unbound media are subject to eavesdropping attacks. Although the dictionary definition of eavesdropping is "to listen secretly to the private conversation of others," the name developed based on the position of the eavesdropper: literally hanging from the eaves of a roof, hoping to catch a conversation snippet via a window or other opening.

Wireless eavesdroppers need not hang from roofs; the park bench across the way will do just fine. The Wi-Fi signal that passes through walls and ends up in the parking lot is fair game to someone equipped with a sensitive receiver and a directional antenna. In fact, a culture has sprung up around locating the stray signals of others. Searching for such hot spots by car is called war driving. Do it by aircraft, and it's war flying. Do so on foot, and it is war walking. The idea is to travel about until a hot zone is located and then see if it is accessible. If it's an unguarded site, the war driver (walker, pilot) can make a mark on the sidewalk that resembles the old hobo code. Generally, it is two parentheses back to back, with diacritical marks indicating frequencies, available bandwidth, and security (or lack thereof). Placing such marks is often called war chalking (see Figure 10-11).

Figure 10-11. War chalking codes indicate the presence of Wi-Fi hot spots

10.8.6. Eavesdropping Defenses

The defense against eavesdropping is to stay off the air, which is not the goal of wireless communication. Clandestine operators adhere to strict schedules, transmitting only at prearranged times and powering down immediately after the message is sent. A wireless node that you would have to turn on each time you wished to use it would defeat the purpose of wireless, which is mobility and quick access. (It is always a good idea to turn off wireless access points when no one is using them, however, such as at night or on weekends in the case of most offices. There is no point in giving a determined attacker an unattended path into the network or in advertising the network's location.) Besides, didn't your parents tell you to turn off the lights when you left the room?

One potential downside to turning off your access point is that others who wish to install their own wireless systems over the weekend may determine the frequencies are unoccupied and set up shop. This sets up the potential for interference. Some administrators prefer to leave their access points on the air but remove as many identifying signals as possible. This allows them to show up in site surveys, but precludes attackers from gathering information that can be used against the network.

In addition to turning off the access point or suppressing ID, there are two main defenses against wireless eavesdropping attack:

  • Intrusion detection systems

  • Encryption systems

As they are somewhat rarer, let's discuss the intrusion detection system (IDS) first. An intrusion detection system operates by monitoring something about a given computer (host-based IDS) or a given network (network IDS). Logs are kept during monitoring; such logs can be used to analyze attacks and provide documentation for possible legal action.

The IDS monitors the network for baseline changes, that is, any events that can signal an attack, such as someone unfamiliar logging on, or traffic of one kind or another spiking up or dipping suddenly. The IDS reports each such event, usually by paging a network administrator. The network admin can turn off the threatened access unit or isolate it from the network. The admin can also contact security forces, if they are available, and track down the eavesdropper.

The disadvantage of an IDS is that without an accurate baseline, it is hard for an IDS to detect anomalous traffic. Paging an admin in the middle of the night over a false alarm, or an attack that isn't really happening, is called a false positive. Too many false positives and the administrator is likely to disable the IDS, or change its settings and thresholds. These new settings may not pick up or relay a legitimate alarm; this situation is called a false negative. Obviously, neither false positives nor false negatives are desirable.
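To make the baseline and threshold trade-off concrete, here is an added Python example (not code from the book) of a minimal baseline IDS for one access point. It builds a baseline from constructed per-interval frame counts, keeps a constructed inventory of known station MAC addresses, and flags an interval when an unfamiliar station associates or when traffic spikes or dips more than k standard deviations from the mean. The last field of each observation is the ground truth used only to count false positives and false negatives; all MAC addresses, counts and times are hypothetical values invented for the example.

```python
from statistics import mean, pstdev

# Constructed baseline (hypothetical values): frames per 5-minute interval seen on one AP
# during a normal working week. This is the "accurate baseline" the text calls for.
BASELINE_FRAMES = [1200, 1350, 1100, 1280, 1320, 1190, 1260, 1240, 1310, 1220]

# Constructed inventory of station MACs that are allowed to associate (hypothetical).
KNOWN_STATIONS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed observations: (label, stations associated, frames, really_an_attack).
OBSERVATIONS = [
    ("09:00 normal",     {"00:11:22:33:44:01", "00:11:22:33:44:02"}, 1250, False),
    ("10:00 backup job", {"00:11:22:33:44:01", "00:11:22:33:44:03"}, 1480, False),
    ("02:00 stranger",   {"00:11:22:33:44:01", "de:ad:be:ef:00:01"}, 1300, True),
    ("03:30 dip",        {"00:11:22:33:44:02"},                        980, True),
    ("03:45 flood",      {"00:11:22:33:44:02"},                       4100, True),
]


def build_baseline(samples):
    """Mean and population standard deviation of the normal traffic counts."""
    return mean(samples), pstdev(samples)


def detect(observations, known, baseline, k):
    """Return {label: [reasons]} for every interval that trips a rule.

    Two rules, mirroring the text: an unfamiliar station logging on, or traffic
    spiking or dipping more than k standard deviations away from the baseline mean.
    """
    mu, sigma = baseline
    alerts = {}
    for label, stations, frames, _truth in observations:
        reasons = []
        strangers = sorted(stations - known)
        if strangers:
            reasons.append("unknown station " + ", ".join(strangers))
        if abs(frames - mu) > k * sigma:
            reasons.append(f"traffic {frames} vs baseline {mu:.0f} +/- {k}*{sigma:.0f}")
        if reasons:
            alerts[label] = reasons
    return alerts


def confusion(k, observations=OBSERVATIONS, known=KNOWN_STATIONS):
    """Count (false positives, false negatives) for a given sensitivity k."""
    alerts = detect(observations, known, build_baseline(BASELINE_FRAMES), k)
    fp = sum(1 for label, _s, _f, attack in observations if label in alerts and not attack)
    fn = sum(1 for label, _s, _f, attack in observations if label not in alerts and attack)
    return fp, fn


if __name__ == "__main__":
    # k=2 pages the admin about the benign backup job; k=4 stays quiet about it
    # but also sleeps through the 03:30 dip. Neither setting is free.
    for k in (2, 4):
        print(f"k={k}: (false positives, false negatives) = {confusion(k)}")
```

Running it shows the tension the paragraph describes: with k=2 the benign backup burst pages the administrator (one false positive), and after the administrator loosens the threshold to k=4 the quieter anomaly slips through (one false negative). The unknown-station rule does not depend on k, which is why inventory-based checks are a more reliable starting point than traffic thresholds alone.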

A full-time method of protection that requires less fiddling uses encryption. Wi-Fi has several encryption options; unfortunately, an increasing number of them are falling to attacks by eavesdroppers.

Wired Equivalent Privacy (WEP) is the most common security protocol in older wireless networks. Its original algorithm is not very effective. Readily available software can monitor WEP transmissions until there is enough data to take advantage of a few loopholes, and thereafter will print out cleartext.

Wi-Fi Protected Access (WPA), which is similar to Microsoft's SSN, is less vulnerable to hacking. If you can choose between WEP and WPA, use WPA. Cisco users can take advantage of the LEAP protocol between other Cisco units.

AES and the Temporal Key Integrity Protocol (TKIP) can provide the most secure wireless networking. They will likely appear as the wireless standard IEEE 802.11i.

HIPAA and Wireless: Prescription for Trouble?

I went to my doctor this summer for a checkup. When he was finished with his exam, he started clicking a stylus against a Compaq iPaq. I noticed a radio pack and an antenna on the back of his unit, so I asked "What are you doing about security for that thing?"

His answer was startling: "Security?"

This MD's ignorance unfortunately represents the state of the knowledge of many healthcare practitioners today. Wireless is the new toy. But with wireless comes a responsibility for intense patient-record security, courtesy of the Health Insurance Portability and Accountability Act of 1996.

HIPAA created strong requirements for those who keep and transmit private patient records. The cavalier attitude my MD demonstrated can have big consequences, and the penalties for intentional violation are stiff. Clearly, decisions about the deployment of wireless technologies must take into account the implications of HIPAA security rules, which were issued in final form in February 2003.

Any electronic transmission of protected health information (PHI) comes under HIPAA auspices, and the watchwords are privacy and security. Practitioners must be sure that electronic communications are encrypted and that electronic devices are secure, that is, protected from loss, theft, or unauthorized use.

10.8.7. Advanced Eavesdropping Attacks

Today, eavesdropping isn't just eavesdropping. There are now advanced forms of it, and wireless may play a role in it. The easiest way to defeat encryption is to read messages before or after they are encrypted. Unfortunately, that is exactly how it is done, using techniques put forward by Dutch scientist Wim van Eck, who in 1985 demonstrated that he could pick up emissions from a VDU (video display unit) or computer screen, and reproduce them clearly several hundred meters away.

The fields that steer the beam that sweeps across your computer monitor or TV form a repetitive pattern, and like any other radio emission, they radiate and can be detected. If you monitor these fields using specialized equipment, it is possible to reinsert into the received signal the sync pulses that tell the beam when to start scanning the following line, or when to return to the top of the screen; this can be done by carefully tuning the correct oscillators. With skill, the display that you see on your screen is also visible to an operator sitting in the pizza van that has been mysteriously parked across the street for several hours. And since your screen is not likely to show encrypted data (after all, you have to be able to read it), the men in black get the cleartext just as you do.

There is a way to deal with this situation and it needs an acronym: Telecommunications Electronics Material Protected from Emanating Spurious Transmissions, or TEMPEST. TEMPEST is a set of standards that determine whether or not a device produces emanations that can be detected and decoded. Almost every device produces an electromagnetic signature that can be decoded, so when dealing with classified materials, TEMPEST certification becomes important. For more information, see Appendix B.

At the cutting edge of wireless weirdness is the idea that even if the field coming from a device is extremely small, to the point that the pizza truck guys cannot make it out, those same emanations may be able to exert an influence on a local source of emission, such as a radio transmitter. The transmitter signal may be detectable at a distance, hence the subtle influences from the signal you wish to eavesdrop may also be recoverable. There is a possibility that the electrostatic and electromagnetic vectors of a radio wave mentioned previously may contribute to this effect. Needless to say, a building with a floor full of wireless devices is a radio frequency cornucopia waiting to be sniffed by those who know what to look for.

10.8.8. Rogue Access Points

A much more down-to-earth threat for wireless networks is the same type of threat that faced networks back in the days of modems. Users would drag in a modem from home, hook it up unbeknownst to the network administrator, and proceed to create massive gashes in the security infrastructure.

In the same vein, rogue access points are extremely easy to install. Some are small enough to plug into a USB port. The defense against such installations is to monitor the environment, looking for unknown stations that attempt to attach to your network. Locating the stray can be a challenge but, generally speaking, a highly directional antenna can be used either with a laptop or with a handheld scanner designed especially for network maintenance (see Figure 10-12).

Figure 10-12. Wireless network maintenance tools, such as Yellowjacket, can guard against rogue access points

The culprit may well be you. As embarrassing as it sounds, it's not unheard of for a network administrator to set up a wireless device in a conference room for a meeting, and then to forget about it.

80/20 Rules

Nothing makes a wireless network completely secure, but most networks can be tightened enough that attackers move to easier prey:

Don't broadcast SSIDs

Service set identifiers (SSIDs), the 32-character identifiers in WLAN packet headers, can be easily sniffed, and can function as a sort of password. Turn the broadcast off. Legitimate users will still find the access point because they know its name. Always change the default user names and passwords that come in equipment from the factory. Hackers know these by heart.

Don't hand out a map of your network

Make it harder to navigate or to deduce the layout of the network by avoiding common names for network items exposed to the outside. Only trusted souls need to know what goes where.

Watch your channel plan

Most facilities use a three-channel plan to keep geographically overlapped access points from stepping on each other's radiations. An attacker trying to set up a man-in-the-middle exploit will have to use off-channels. If you detect these, something is afoot.

A time of your choosing

If your office works 9-to-5, don't run your wireless 24/7. Shut down during off hours. You can also control access via signal strength and speed. Signals decline with distance, so users who are in the parking lot instead of the lobby appear farther away. If users do not exceed a certain threshold for strength, cut them off. If a user is struggling to keep up, it may be because they are farther away. Don't create a network security hole while trying to make up for a problematic network design or poor equipment.

Use serious security

Going without security is foolish. WEP is simply not adequate, because a fast network will give out enough packets for a crack in the time it takes to change a tire. Use WPA; use LEAP (look first); use TKIP or AES. Stay tuned for vulnerability notices.

Monitor, monitor

The most brilliant attackers will be able to get past your defenses, no matter what you do. Monitor for the attacks you cannot defend against. Your organization has a lobby ambassador to greet guests, and to call the cops if they act rowdy or threatening. Use an intrusion detection system to monitor against unruly wireless visitors who probe the network or attempt to access it at strange hours. Know what access points are where. Check to make sure that no new access points materialize, and no users inadvertently relay inside traffic outside.
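The channel-plan, signal-strength, off-hours and "know what access points are where" rules above are all inventory checks that a monitoring station can run on every scan. The following added Python example (not code from the book, and not any product's own logic) shows one way to do that. It audits a constructed beacon scan against a constructed inventory of authorized access points and the three-channel plan (1, 6 and 11 are assumed here), and audits a constructed association log for weak-signal clients and off-hours associations. Every BSSID, client MAC, RSSI value and time is a hypothetical value invented for the example; the RSSI cutoff of -75 dBm and the 08:00 to 18:00 office hours are assumptions you would tune to your own site survey.

```python
from datetime import time

# Constructed inventory of authorized APs (hypothetical BSSIDs): bssid -> (ssid, channel).
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": ("corp-net", 1),
    "aa:bb:cc:00:00:02": ("corp-net", 6),
    "aa:bb:cc:00:00:03": ("corp-net", 11),
}
CHANNEL_PLAN = {1, 6, 11}                         # assumed three-channel plan
OUR_SSIDS = {ssid for ssid, _ch in AUTHORIZED_APS.values()}
MIN_CLIENT_RSSI_DBM = -75                         # assumed cutoff: weaker is "parking lot"
OFFICE_HOURS = (time(8, 0), time(18, 0))          # assumed 9-to-5-ish schedule

# Constructed scan: beacons seen by the monitoring laptop on one sweep.
SCAN = [
    {"bssid": "aa:bb:cc:00:00:01", "ssid": "corp-net", "channel": 1},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "corp-net", "channel": 6},
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "corp-net", "channel": 9},   # drifted off plan
    {"bssid": "12:34:56:78:9a:bc", "ssid": "corp-net", "channel": 4},   # our name, not our radio
    {"bssid": "12:34:56:78:9a:ff", "ssid": "linksys",  "channel": 6},   # forgotten conference-room AP
]

# Constructed association log: client MAC, AP joined, signal strength, local time.
ASSOCIATIONS = [
    {"client": "00:11:22:33:44:01", "bssid": "aa:bb:cc:00:00:01", "rssi": -52, "at": time(9, 15)},
    {"client": "00:11:22:33:44:02", "bssid": "aa:bb:cc:00:00:02", "rssi": -83, "at": time(10, 40)},
    {"client": "00:11:22:33:44:03", "bssid": "aa:bb:cc:00:00:01", "rssi": -60, "at": time(2, 5)},
]


def audit_access_points(scan, authorized=AUTHORIZED_APS, plan=CHANNEL_PLAN):
    """Return (kind, bssid, detail) findings for APs that break the inventory or channel plan."""
    findings = []
    for beacon in scan:
        bssid, ssid, ch = beacon["bssid"], beacon["ssid"], beacon["channel"]
        if bssid in authorized:
            _exp_ssid, exp_ch = authorized[bssid]
            if ch != exp_ch:
                findings.append(("CHANNEL_CHANGED", bssid, f"on {ch}, expected {exp_ch}"))
        else:
            # An unknown radio advertising our own network name is the man-in-the-middle
            # setup the text warns about; any other unknown radio is a plain rogue AP.
            kind = "SSID_SPOOF" if ssid in OUR_SSIDS else "UNKNOWN_AP"
            findings.append((kind, bssid, f"ssid {ssid!r} on channel {ch}"))
        if ch not in plan:
            findings.append(("OFF_CHANNEL", bssid, f"channel {ch} not in plan {sorted(plan)}"))
    return findings


def audit_clients(assocs, min_rssi=MIN_CLIENT_RSSI_DBM, hours=OFFICE_HOURS):
    """Return (kind, client, detail) findings for weak-signal or off-hours associations."""
    findings = []
    start, end = hours
    for a in assocs:
        if a["rssi"] < min_rssi:
            findings.append(("WEAK_SIGNAL", a["client"], f"{a['rssi']} dBm, below {min_rssi}"))
        if not (start <= a["at"] < end):
            findings.append(("OFF_HOURS", a["client"], f"associated at {a['at'].strftime('%H:%M')}"))
    return findings


if __name__ == "__main__":
    for finding in audit_access_points(SCAN) + audit_clients(ASSOCIATIONS):
        print("%-15s %-18s %s" % finding)
```

On the constructed scan the audit raises five access-point findings (the authorized AP that moved to channel 9, flagged both as changed and as off-plan; the unknown radio using our SSID on channel 4; and the forgotten "linksys" unit) and two client findings (one weak-signal client to cut off, one association at 02:05). In practice the inventory and the scan would come from your own AP management records and a wireless survey tool rather than from literals, but the comparison logic is the same.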

Computer Security Basics
ISBN: 0596006691
Year: 2004
Pages: 121