How safe is your wireless really?

Wireless networking is a true wonder of the modern internet age.

Before its inception the possibility of truly portable devices was limited to a device that could be transported from A to B. Through its wonders we can not only transport devices from A to B hassle free, but use them on the journey – and everywhere in between.

This ubiquitous access to networks has come at a cost though. In order for the connectivity to appear seamless, security is somewhat lacking. For the most part, the very design of wireless is insecure. Fundamentally the protocol broadcasts what it’s looking for in clear text over the airwaves for anyone with the right equipment to see. Once a suitable connection has been discovered, the security is negotiated from that point forward.

As harmless as that may sound, it does open up a few attack vectors you may not have considered that we will go into later. For now, let’s start with the basics.


Wireless is covered by a standard from the Institute of Electrical and Electronics Engineers Inc. (IEEE) called 802.11. There are a number of “extensions” to the standard that define specific operating modes and speeds such as (a), (b), (c), (g), (i) and (n).


The first wireless security solution was known as Wireless Equivalent Privacy (WEP). This system was designed to protect the data on a network from eavesdropping and to prevent unauthorised devices from connecting. Based on the RC4 stream cipher, it was thought, when initially released, to be more than adequate to protect the data. Not long after its release, an attack was developed that leveraged a flaw in the implementation, exposing the key used for the encryption to a brute force attack from any attacker that managed to listen to a few special packets. In modern times, this has turned into a well-documented and automated attack, with the whole process – from identifying that WEP is in use, to being able to decrypt all traffic and access the network – taking only a few seconds.

After WEP came Wi-Fi Protected Access (WPA) & Wi-Fi Protected Access II (WPA2). These new solutions replaced WEP as a secure way of protecting wireless by implementing the Temporal Key Integrity Protocol (TKIP), providing a mechanism to dynamically generate a new key on every packet transmitted, and mitigating the attacks designed to break WEP. WPA2 further extended the available cryptographic approaches to implement the industry standard Advanced Encryption Standard (AES) and Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP).

WPA2 with a strong key in use is considered to be secure by many standards, and it’s true that a direct attack against this mechanism would require a brute force approach and a significant amount of computing power, rendering it a very strong cipher mechanism. What is not so obvious is that WEP, WPA & WPA2 don’t protect wireless from a number of attacks that could easily result in a serious breach. There are many other aspects of this that I will not cover – including a number of active RF defence techniques built into some of the latest generation equipment – as it would turn this post into a book!


Let’s look at wireless from another perspective, that of an attacker. To an attacker, wireless is a noisy information source that is happy to play regardless of whether it is a client device such as an iPad or Android phone, or the wireless access point in your office or school. The protocol does not care. If you ask it the right question, it will answer. Let’s say that I want to attack a school’s wireless system. That system will be broadcasting its name “school.wifi”. This is known as the Service Set Identifier (SSID) and is the name of the wireless that shows up on your client device to connect to. It is possible to hide this name from the device, and at first that sounds like a good idea. But in reality all this does is make it difficult for new clients to connect, as it’s never actually hidden from a hacker, and it’s always in the air if you ask for it!

So let’s assume that this particular “school.wifi” is protected with a strong WPA2 key. I have a few options available to me at this point. I could brute force attack the access point which might take a while or I can attack a client instead. You see, when an IT person thinks about the security of their wireless network, they think about it as they have been told to. We, however, do not.

So, let’s instead launch a tool that can listen for clients rather than access points. In the same way that an access point has an SSID, a client has a Basic Service Set Identification (BSSID). This is the client’s way of seeing if it’s back at a network that it knows about. So when a client wants to connect to the wireless it broadcasts a list of networks, including every network you have ever connected to, just in case you need to connect to them again.

How is this useful, I hear you ask? It’s simple really. If I want access to the school, all I have to do is force one of the clients to disconnect from the school’s secure network where I know it will also connect to an insecure one, temporarily make my computer look like the insecure network it knows about, and make sure that my signal is stronger than the school’s. That client will now connect to me instead. At this stage I can directly attack the client or route the client’s traffic through me, thus compromising the client and its level of access, to be leveraged in a further attack on the school.

Sound complicated?

It’s really not!
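The client-side behaviour described above (devices probing for every network they have saved, an attacker forcing disconnects and then advertising a network the client already trusts) is also exactly what a wireless intrusion detection sensor watches for. The following Python is an added example, not code from the original post or from JustASC: it runs three defensive checks over a constructed list of frame summaries of the kind a monitor-mode capture tool would produce (the `Frame` type, the `AUTHORISED` table, the MAC addresses and the SSIDs are all assumptions made for the example): beacons advertising a managed SSID from a BSSID the site does not own, bursts of deauthentication frames against a managed BSSID, and which saved networks each client discloses through directed probe requests.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One 802.11 management frame, reduced to the fields the checks need (constructed type)."""
    ts: float      # seconds since the start of the capture
    kind: str      # "beacon", "probe_req" or "deauth"
    src: str       # transmitter address as seen on the air (spoofable)
    bssid: str     # BSSID field; "" for probe requests sent to the broadcast BSSID
    ssid: str      # SSID element; "" when absent (wildcard probe) or not applicable
    security: str  # "wpa2", "open" or "" (constructed summary of the RSN element)


# SSIDs this site operates and the BSSIDs that may legitimately advertise them
# (constructed sample values, not real addresses)
AUTHORISED = {"school.wifi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}


def find_rogue_aps(frames, authorised=AUTHORISED):
    """Beacons for a managed SSID from an unknown BSSID: a rogue or 'evil twin' AP."""
    seen = {}
    for f in frames:
        if f.kind == "beacon" and f.ssid in authorised and f.bssid not in authorised[f.ssid]:
            seen.setdefault((f.ssid, f.bssid), f.security)
    return sorted((ssid, bssid, sec) for (ssid, bssid), sec in seen.items())


def find_deauth_floods(frames, threshold=10, window=5.0):
    """Peak number of deauth frames per BSSID inside any `window`-second interval.

    A handful of deauths is normal AP housekeeping; dozens in a few seconds is
    the forced-disconnect step that precedes client impersonation.
    """
    per_bssid = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            per_bssid[f.bssid].append(f.ts)
    floods = {}
    for bssid, times in per_bssid.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):          # sliding window: j runs ahead of i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            floods[bssid] = peak
    return floods


def probed_networks_per_client(frames):
    """Saved networks each client reveals by probing for them by name."""
    disclosed = defaultdict(set)
    for f in frames:
        if f.kind == "probe_req" and f.ssid:
            disclosed[f.src].add(f.ssid)
    return {mac: sorted(names) for mac, names in disclosed.items()}


def report(frames):
    return {
        "rogue_aps": find_rogue_aps(frames),
        "deauth_floods": find_deauth_floods(frames),
        "client_disclosures": probed_networks_per_client(frames),
    }


# Constructed capture: a legitimate AP beaconing, a burst of 40 deauths spoofed from
# its address, then a second BSSID appearing with the same SSID and a client probing
# for two networks it has saved, one of them open.
SAMPLE = (
    [Frame(t * 0.1, "beacon", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "school.wifi", "wpa2")
     for t in range(50)]
    + [Frame(1.0 + i * 0.05, "deauth", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "", "")
       for i in range(40)]
    + [
        Frame(3.0, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "school.wifi", "wpa2"),
        Frame(3.1, "beacon", "de:ad:be:ef:00:02", "de:ad:be:ef:00:02", "CoffeeShop-Free", "open"),
        Frame(3.2, "probe_req", "c1:1e:00:00:00:01", "", "school.wifi", ""),
        Frame(3.3, "probe_req", "c1:1e:00:00:00:01", "", "CoffeeShop-Free", ""),
        Frame(3.4, "probe_req", "c1:1e:00:00:00:02", "", "", ""),  # wildcard probe: nothing disclosed
    ]
)

if __name__ == "__main__":
    for name, value in report(SAMPLE).items():
        print(f"{name}: {value}")
```

The client-disclosure report is the part an IT team can act on directly: a device that probes for an open network by name is the one that can be lured away from "school.wifi", so pruning saved open networks from managed devices closes the door the post describes without touching the access point at all.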


How about this for a kick in the teeth to the IT team. The most secure way of deploying wireless is known as WPA2 “Enterprise”. Enterprise mode enables a series of additional features and security protocols I won’t go into, but mainly provides additional authentication linked to the end user’s Active Directory (AD) credentials. This massively increases the complexity of an attack and theoretically makes the maths involved in a cryptographic attack unfeasible.

But then I’m a hacker, so impossible maths is a challenge. Well, actually, it’s a pain. It’s easier to just bypass the need for it instead. The above approach is susceptible to an interesting attack that could be considered just “unfair” in the world of IT!

If I want to break your authenticated, super strong wireless access, first I set up a similar one on my own machine replicating the same WPA2 Enterprise solution using open source tools. I essentially simulate the whole authentication piece, but have no actual knowledge of the username or passwords. Next I force all of the clients connected to your network to disconnect with a special packet I transmit into the airwaves, then transmit a higher power signal with the same network name as your “school.wifi” and all of the clients attempt to connect to me as if I am you. Now, each user is prompted to connect with their username and password – which they do. Of course the connection fails for them, but as soon as I have one person’s username and password, I switch off my copy of your network and everything returns to normal… but now I have a valid user account for your secure network, and just connect as a normal user.
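The rogue-server attack on WPA2 Enterprise works because the client hands its credentials to whichever server answers for the SSID. The defence lives on the client: the supplicant must be configured to trust one specific CA and to check the server's identity before it starts the inner authentication, so an impostor server never gets past the certificate check. The Python below is an added example, not from the original post or from JustASC; it embeds two constructed wpa_supplicant-style network profiles (the SSID, identity, password, certificate path and RADIUS hostname are made-up values) and audits them for the settings that leave a PEAP/TTLS profile exposed, using the real wpa_supplicant option names `ca_cert`, `domain_suffix_match`, `domain_match`, `altsubject_match` and `subject_match`.

```python
import re

# Constructed profile: the shape that gives credentials to any server using the SSID.
WEAK_PROFILE = """
network={
    ssid="school.wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jane"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed profile: same credentials, but the server must present a certificate
# issued by the named CA and carrying the expected RADIUS hostname.
HARDENED_PROFILE = """
network={
    ssid="school.wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jane"
    password="hunter2"
    ca_cert="/etc/ssl/certs/school-radius-ca.pem"
    domain_suffix_match="radius.school.example"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed WPA2-Personal profile: no server certificate is involved, so the
# enterprise checks must not fire on it.
PSK_PROFILE = """
network={
    ssid="home-wifi"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

TUNNELLED_EAP = {"PEAP", "TTLS"}
IDENTITY_OPTIONS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(text):
    """Split wpa_supplicant.conf text into one dict of key/value pairs per network block."""
    profiles = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        params = {}
        for line in body.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)       # split once: phase2 values contain '='
            params[key.strip()] = value.strip().strip('"')
        profiles.append(params)
    return profiles


def audit_network(params):
    """Findings for a tunnelled-EAP profile; empty list when the profile is fine or not EAP."""
    findings = []
    if params.get("key_mgmt") != "WPA-EAP" or params.get("eap") not in TUNNELLED_EAP:
        return findings
    if "ca_cert" not in params:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(opt in params for opt in IDENTITY_OPTIONS):
        findings.append("no server identity match: any certificate from the trusted CA is accepted")
    return findings


def audit(text):
    """Map each profile's SSID to its findings."""
    return {p.get("ssid", "?"): audit_network(p) for p in parse_networks(text)}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE), ("psk", PSK_PROFILE)):
        print(label, audit(text))
```

Both findings matter: a CA on its own is not enough, because any server holding a certificate from a widely trusted CA would pass, which is why the hardened profile also pins the RADIUS server's name. Managed Windows, macOS and mobile clients expose the same two controls (trusted root CA plus expected server name) in their enterprise Wi-Fi profiles, and pushing them centrally is what stops a user from being prompted for credentials by a look-alike network in the first place.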

Do you know how secure you really are?

Written by Jay Abbott, Managing Director, JustASC.

Jay Abbott is the Founder and Managing Director of Advanced Security Consulting Ltd. As an independent security expert, he is regularly quoted in the media on the subject of Cyber Security. He has spent most of his career engineering technical solutions to business problems. The rest has been spent reverse-engineering technology solutions to ensure that they are secure, in the ‘design it, build it, break it’ space.