
SECURITY ISSUES IN WIRELESS NETWORKS.
METHODS AND WAYS FOR PROTECTING WI-FI NETWORKS.
REALITIES AND PROSPECTS.

Andrushka Igor, Design Engineer, Department of Applied System Research for the Development of the Information Society, Center for Applied System Research for the Development of the Information Society, State Enterprise “Registru”

Introduction

Over the past few years, wireless networks have become widespread throughout the world. And, if earlier it was mainly about the use of wireless networks in offices and hot spots, now they are widely used both at home and for deploying mobile offices (during business trips). Wireless access points and wireless routers are sold specifically for home users and small offices, and pocket wireless routers are sold for mobile users. However, when deciding to switch to a wireless network, do not forget that at the current stage of their development they have one weak point. We are talking about the security of wireless networks.

General description of the problem

Wireless network security includes two aspects: protection from unauthorized access and encryption of transmitted information. Let us note right away that neither can be solved today with a 100% guarantee, but it is possible and necessary to protect yourself from all kinds of “amateurs”. After all, wireless equipment and software contain certain security measures by default; all that remains is to use them and configure them correctly. However, before moving on to evaluating these means, we will present several facts confirming the severity of the problem.
If you look at the results of a survey of senior managers of IT companies conducted by Defcom, an interesting picture emerges. About 90% of those surveyed are confident in the future of wireless networks, but are postponing their adoption indefinitely because of the weak security of such networks at the current stage. Parity in security between wired and wireless networks will, in their opinion, come only in 3-5 years. And more than 60% claim that insufficient security seriously hampers the development of this area: there is no trust, and accordingly many do not risk abandoning time-tested wired solutions.
So, let's move directly to the methods and means of ensuring the security of wireless connections.
Every wireless network has at least 2 key components: a base station and an access point. Wireless networks can operate in two modes: ad-hoc (peer-to-peer) and infrastructure. In the first case, network cards communicate directly with each other; in the second, they communicate through access points that serve as Ethernet bridges.
The client and the access point must establish a connection before transmitting data. It is not difficult to guess that there can be only three states between the point and the client:

- “authentication failed and the point is not identified”;
- “authentication passed, but the point is not identified”;
- “authentication accepted and point connected.”

It is clear that data exchange can take place only in the third case. Before establishing a connection, the parties exchange control packets. The “access point” transmits identification signals at a fixed interval; the “client”, having received such a packet, begins authentication by sending an identification frame. After authorization, the “client” sends a join packet, and the “point” replies with a join confirmation packet, admitting the wireless “client” to the network.

Protection Mechanisms

The fundamental standard for building this type of network is 802.11. This wireless network standard provides several mechanisms to ensure network security. Among them, the most used are the following:
- Wired Equivalent Privacy, or WEP, developed by the authors of the 802.11 standard. The main function of WEP is to encrypt data during radio transmission and prevent unauthorized access to a wireless network. By default, WEP is disabled, but it is easy to enable, after which it encrypts every outgoing packet. WEP uses the RC4 algorithm for encryption.
- WEP 2 – introduced in 2001 after many holes were discovered in the first version; WEP 2 has an improved encryption mechanism and support for Kerberos V.
- Open System Authentication – the default authentication system used in the 802.11 protocol. In fact, there is no system as such: anyone who requests is authenticated. In the case of OSA, even WEP does not help, because experiments have shown that the authentication packet is sent unencrypted.
- Access Control List – not described in the protocol, but used by many as a supplement to the standard methods. The basis of this method is the client's Ethernet MAC address, unique to each card. The access point limits access to the network according to its list of MAC addresses: if the client is in the list, access is allowed; if not, it is denied.
- Closed Network Access Control – this is not much more complicated: either the administrator allows any user to join the network, or only those who know its name, the SSID, can join. The network name in this case serves as a secret key.

Types of attacks on Wi-Fi networks.

- Access Point Spoofing & MAC Sniffing – an access list is quite usable in combination with correct identification of the users on that list. In the case of MAC addresses, however, the Access Control List is very easy to overcome, because such an address is very easy to change (wireless network cards allow the MAC address to be changed programmatically) and even easier to intercept, since even with WEP it is transmitted in clear text. Thus, it is easy to penetrate a network protected by an Access Control List and use all its advantages and resources.
If the intruder has his own access point at hand, there is another option: installing an Access Point next to the existing network. If the hacker's signal is stronger than the original one, the client will connect to the hacker rather than to the network, transmitting not only the MAC address but also the password and other data.
- WEP Attacks – the plaintext data undergoes an integrity check and a checksum (integrity check value, ICV) is produced; the 802.11 protocol uses CRC-32 for this. The ICV is appended to the end of the data. A 24-bit initialization vector (IV) is generated and the secret key is “linked” to it. The resulting value is the seed for a pseudorandom number generator, which produces a key sequence. The data is XORed with this key sequence. The initialization vector is appended and the whole thing is transmitted.
- Plaintext attack – in this attack, the attacker knows the original message and has a copy of the encrypted response. The missing link is the key. To obtain it, the attacker sends a small piece of data to the “target” and receives a response. Having received it, the hacker finds the 24-bit initialization vector used to generate the key; finding the key in this case is just a brute-force task.
Another option is plain XOR. If a hacker has the sent plaintext and its encrypted version, he simply XORs the two and obtains the key sequence, which, together with the vector, makes it possible to “inject” packets into the network without authentication at the access point.
- Cipher reuse – the attacker extracts the key sequence from a packet. Since the WEP encryption algorithm allocates only a small space to the vector, an attacker can intercept key streams under different IVs and build up a collection of them. Thus, using the same XOR, a hacker can decrypt messages: when encrypted data flows over the network under previously recorded key streams, it can be decrypted.
- Fluhrer-Mantin-Shamir attack – a hacker can exploit vulnerabilities and, using specialized software, obtain both a 24-bit WEP key and a 128-bit WEP 2 key.
- Low-Hanging Fruit – this type of attack aims to extract unprotected resources from unprotected networks. Most wireless networks are completely unsecured: they do not require authorization and do not even use WEP, so a person with a wireless network card and a scanner can easily connect to an Access Point and use all the resources it provides. Hence the name: low-hanging fruit that is easy to pick.
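The WEP encryption chain described above (CRC-32 ICV, 24-bit IV, RC4 key sequence, XOR) and the plaintext/cipher-reuse weaknesses, as an added example that is not code from the original article: a minimal WEP encrypt/decrypt in Python with RC4 written inline, the known-plaintext XOR that recovers the key sequence for one IV, and a capture-side check a defender can run to flag repeated IVs. The key and the three frames are constructed sample values.

```python
import struct
import zlib
from collections import Counter
from typing import Dict, List, Tuple

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA: return `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """One WEP frame body as the article describes it: ICV appended to the
    data, RC4 seeded with IV || key, and the 24-bit IV sent in clear."""
    assert len(iv) == 3
    body = data + icv(data)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))

def wep_decrypt(wep_key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Legitimate receiver: strip the IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + wep_key, len(body)))
    data = plain[:-4]
    return data, plain[-4:] == icv(data)

def keystream_from_known_plaintext(frame: bytes, plaintext: bytes) -> bytes:
    """The XOR step from the article: ciphertext XOR known plaintext yields
    the RC4 key sequence for that frame's IV, without ever learning the key."""
    return xor(frame[3:], plaintext)

def reuse_iv_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV decrypts with that key sequence
    (up to its length): the reason the small 24-bit IV space matters."""
    return xor(frame[3:], keystream)

def iv_reuse_report(frames: List[bytes]) -> Dict[bytes, int]:
    """Defender-side check over a capture: IVs that appear on more than one
    frame, i.e. where key-sequence reuse has already happened."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

# Constructed sample capture (not real traffic): a 40-bit key and three
# frames, two of which reuse the same IV.
SAMPLE_KEY = b"\x0b\xad\xc0\xff\xee"
PLAIN_A = b"ARP request, constructed plaintext"
FRAME_A = wep_encrypt(SAMPLE_KEY, b"\x11\x22\x33", PLAIN_A)
FRAME_B = wep_encrypt(SAMPLE_KEY, b"\x11\x22\x33", b"second frame, same IV")
FRAME_C = wep_encrypt(SAMPLE_KEY, b"\x44\x55\x66", b"third frame, fresh IV")
```

Run `iv_reuse_report` over the frames of a capture to see how quickly a busy WEP network repeats IVs; the report being non-empty is the condition under which `reuse_iv_keystream` works.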
How to protect networks? The main ways to protect networks include the following:
1. MAC address filtering: the administrator compiles a list of the MAC addresses of client network cards. With several APs, it is necessary to ensure that the client's MAC address exists on all of them so that it can move smoothly between them. However, this method is very easy to defeat, so it is not recommended as the only protection.
2. SSID (Network ID): use of a network identifier system. When a client tries to connect to the AP, a seven-digit alphanumeric code is sent to it; by using the SSID tag, you can be sure that only clients who know it can connect to the network.
3. Firewall: access to the network must be done using IPSec, secure shell or VPN, and the firewall must be configured to work specifically with these network connections.
4. Access Point: the access point must be configured to filter MAC addresses; in addition, the device itself must be physically isolated from others. It is also recommended to configure the point only via telnet, disabling configuration via browser or SNMP.

Attack of a client device on Wi-Fi networks

Although protection methods exist for wireless networks, their administrators must still take preventive measures. It should be noted right away that hacking such networks “head-on” is practically impossible, unless one counts a denial of service (DoS) attack at the first and second layers of the OSI model as hacking. However, there are still some types of attacks that wireless networks can be susceptible to. The most dangerous of these “bypass attacks” are attacks against unassociated client hosts.
The general idea is this:
1. An unassociated client device is located, or one is obtained by flooding the network with disassociation or deauthentication frames.
2. An access point is emulated specifically so that this host connects to it.
3. Via DHCP, the host is issued an IP address together with the addresses of a fake gateway and DNS server.
4. The device is attacked.
5. If necessary, and if remote access to the device has been obtained, the host is “released” back to its “native” network, with a “Trojan” launched on it first.
Starting next year, all manufactured laptops and notebooks will have built-in Wi-Fi support. Even now, many client devices already have a built-in wireless interface that is enabled and constantly searching for networks to associate with, often without the owner's knowledge. Most system administrators ignore this fact. IT security professionals often look exclusively for unauthorized access points and ad-hoc networks, without paying enough attention to Probe Request frames from “lost” clients.
At first glance, it would seem that “catching” such clients is not particularly difficult. But a person engaged in this type of activity needs certain information. We will try to reveal what kind of information this is.
First, he needs to know the algorithm by which client devices automatically search for networks to connect to. Will they associate with any detected 802.11 network with a strong enough signal? What if there are several such networks? On what will their choice be based? What about networks with a “private” ESSID and networks secured with WEP or WPA? The answers to these questions depend both on the operating system of the client host and on the wireless hardware it uses, its drivers and user settings. Let's consider one of the most widely used operating system families today, Windows.
To establish a wireless connection in Windows XP and Windows Server 2003, the “Wireless Self-Configuration Algorithm” (WSA) is used. This algorithm operates with two lists of 802.11 networks: the list of available networks (ALN) and the list of preferred networks (LPN). The ALN is a list of networks that responded to broadcast Probe Request frames during the last active scan. The LPN is a list of networks to which a full connection was established in the past. The networks with which the device was associated most recently appear first in this list. The network description in both lists contains its ESSID, channel and encryption method: “plain text”, WEP or WPA. These lists are used as follows during the operation of the WSA:
1. The client device composes the ALN by sending broadcast Probe Request frames with an empty ESSID field, one on each of the 802.11 channels in use, processing the responses to these frames in parallel.
2. If networks listed in the LPN are detected, association with them is attempted in the order of their position in that list. That is, the client device associates with the topmost LPN network that is present in the ALN.
3. If no such networks are detected, or association with them failed because of differences in 802.11 standards or authentication problems, the WSA “goes to the second round”, sending Probe Request frames specifically to search for the networks listed in the LPN. In practice, this means that these frames are sent on the channels of the LPN networks and contain their ESSIDs. The sending of these frames is completely independent of the content of the ALN. The point of the WSA's “second round” is to search for networks with a “closed” ESSID.
4. If no suitable infrastructure networks are found, the next stage of the search is to find ad-hoc networks. For this purpose, the ad-hoc networks of the ALN and LPN are compared.
5. If there is at least one ad-hoc network in the LPN, but it is not found in the ALN, the WSA puts the client device into ad-hoc mode and assigns the wireless interface an IP address from the 169.254.0.0/16 range (RFC 3330). Thus, the host becomes the first node of a potential new ad-hoc network and the algorithm finishes its work.
6. If there are no ad-hoc networks in the LPN, the WSA checks the “Connect To Nonpreferred Networks” flag. If this flag is set to one, the client device will try to associate with each ALN network in the order in which they appear in the list. By default, this flag is zero.
7. If the above flag has not been enabled by the user, the wireless card is “parked” as a client with a pseudo-random 32-character ESSID set. It operates in this state for 60 seconds, after which the network search algorithm restarts.
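The seven steps above as an added example, not code from the article or from Windows: a Python simulation of the WSA decision walk that also records which ESSIDs the directed probes of step 3 would reveal over the air, so an administrator can see what a “lost” client with a given preferred list ends up doing. The Net and Outcome types, the can_associate and hidden_replies hooks, and the sample lists are assumptions of the example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Net:
    essid: str
    channel: int
    security: str          # "plain text", "WEP" or "WPA", as in the article
    adhoc: bool = False


@dataclass
class Outcome:
    step: int                         # which of the seven steps decided the result
    action: str                       # "associate", "adhoc-join", "adhoc-start", "parked"
    network: Optional[Net] = None
    probed_essids: List[str] = field(default_factory=list)  # ESSIDs sent in step 3


def random_parked_essid() -> str:
    """Step 7: the pseudo-random 32-character ESSID a parked card uses."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(32))


def wsa_select(aln: List[Net], lpn: List[Net], connect_nonpreferred: bool = False,
               can_associate: Callable[[Net], bool] = lambda n: True,
               hidden_replies: Callable[[str, int], bool] = lambda essid, ch: False) -> Outcome:
    """Walk the seven WSA steps. `aln` holds the networks that answered the
    broadcast probe (step 1); `lpn` is the preferred list, most recent first.
    `can_associate` models step-2 failures (standard mismatch, auth problems);
    `hidden_replies` models a closed-ESSID AP answering a directed probe."""
    visible = {(n.essid, n.adhoc) for n in aln}
    preferred_infra = [p for p in lpn if not p.adhoc]
    # Step 2: preferred infrastructure networks that are currently visible.
    for n in preferred_infra:
        if (n.essid, False) in visible and can_associate(n):
            return Outcome(2, "associate", n)
    # Step 3: directed probes for every preferred network, ALN ignored;
    # each probe carries the ESSID, which is what reveals the LPN on the air.
    probed: List[str] = []
    for n in preferred_infra:
        probed.append(n.essid)
        if hidden_replies(n.essid, n.channel) and can_associate(n):
            return Outcome(3, "associate", n, probed)
    # Steps 4-5: ad-hoc entries of the LPN, joined if visible, otherwise started.
    adhoc_pref = [p for p in lpn if p.adhoc]
    for n in adhoc_pref:
        if (n.essid, True) in visible:
            return Outcome(4, "adhoc-join", n, probed)
    if adhoc_pref:
        # The host becomes the first node, with a 169.254.0.0/16 address (RFC 3330).
        return Outcome(5, "adhoc-start", adhoc_pref[0], probed)
    # Step 6: optional fallback to any visible network, in ALN order.
    if connect_nonpreferred:
        for n in aln:
            if can_associate(n):
                return Outcome(6, "associate", n, probed)
    # Step 7: park with a pseudo-random ESSID; the scan restarts after 60 s.
    return Outcome(7, "parked", Net(random_parked_essid(), 0, "plain text"), probed)
```

Feeding the function a preferred list taken from a corporate laptop shows, via `probed_essids`, exactly which network names that laptop broadcasts whenever it is away from its own network.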
Basically, attacks are always aimed at the WSA algorithm itself. Let's look at the obvious weaknesses of this algorithm. First of all, during the “second round” of the WSA (point 3), the client device actually reveals the content of the LPN. Imagine a situation where such a host is out of reach of its “native” network: for example, a corporate laptop is taken by an employee home or on a business trip (and is used at the airport, on the airplane, in a hotel, and so on). For an attacker who discovers such a laptop, it will not be difficult to determine the first network in the LPN from the ESSID in the Probe Request frames the device sends, and to set exactly this ESSID value on his access point. The same applies to the search for ad-hoc LPN networks. If the first LPN network is protected and requires a WEP or WPA key for connection, the attacker goes further down the list and looks for an open network in it, including ad-hoc WLANs. The probability of finding such a network is quite high. For example, most Wi-Fi hotspots protect wireless data transmission at higher layers of the OSI model, usually layer seven. Connecting to such networks leaves a description of a network that is “unprotected” (at layer 2) in the LPN, which an attacker can easily use.
This description leads to a second weakness. In the absence of such an ad-hoc network nearby (an extremely likely scenario, given that ad-hoc connections are usually made for short periods of time and often with a new ESSID each time), the Windows client will be left permanently in the role of an ad-hoc node, waiting for other clients (point 5). An attacker can easily become such a client, take one of the RFC 3330 addresses, and use broadcast pings or ARP requests to discover the victim's IP address and carry out further attacks. Moreover, such a connection does not require any interaction from the user. It is fully automatic.
Finally, in the absence of unprotected and ad-hoc networks in the LPN, and with the “Connect to Non-Preferred Networks” flag not turned on, the algorithm ends by putting the client card into “standby mode”, sending Probe Request frames with a long pseudo-random ESSID (point 7). The problem is that these “mysterious” ESSID values are quite “working”. That is, it is enough to install an access point with such an ESSID in the neighbourhood, and the “client” will happily “peck” at it, obtain an IP address via DHCP and be subject to further attacks. It should be said that this problem has already been eliminated in Longhorn, but a complete transition to that operating system is still far away. And now the most important thing: since a network with a long pseudo-random ESSID is not present in the LPN, connecting to such a network not only requires no interaction on the part of the attacked user, but will not even be shown as existing by the Windows XP wireless indicator. This indicator will report that the device is not associated with any Wi-Fi network, and only the network connections control panel in Windows will show the presence of a connection and the assigned IP address. It should be mentioned that the latest versions of the drivers for 802.11a/b/g cards with the Atheros chipset, although they send Probe Request frames with pseudo-random ESSIDs, do not support automatic connection to access points configured with such ESSID values.
What should an attacker do if, as just mentioned, automatic association using pseudo-random ESSIDs is impossible, and the LPN contains no networks unprotected at layer 2? If the networks to which the attacked device was connected are protected using non-dictionary WPA-PSK or WPA-802.1x with EAP-TLS, then at the moment there are no prospects for a successful hack. If at least one such network was protected using WPA-802.1x with EAP-TTLS or EAP-PEAP, then attacks on these protocols are possible according to the algorithms described by the Shmoo Group in “The Radical Realm of Radius, 802.1x, and You”.
Speaking of outdated security mechanisms for 802.11 networks, it is impossible not to mention the well-worn WEP. Attacks against it can also be used against individual client devices whose networks are “protected” using WEP. If all ad-hoc networks in the LPN have WEP in their settings, then the arbitrary ad-hoc configuration with an RFC 3330 address described in point 5 above will use WEP. The problem is that such an ad-hoc node will not “keep silent”: just remember the NetBIOS HELLO packets sent every 2 seconds. Accordingly, this kind of traffic can be successfully used to crack a WEP key by various methods, from simple dictionary brute force using WepAttack to accelerating the crack by injecting packets with Christophe Devine's aireplay (a modified false authentication attack or interactive packet reinjection, with which a single ad-hoc client can be forced to send an encrypted ARP packet for subsequent ARP reinjection).
An even more interesting example is clients with a pseudo-random ESSID (point 7) and WEP, which “occur” in cases where all networks listed in the LPN are secured. The very fact that WEP is still used even though there are WPA-protected networks in this list is already a vulnerability. Moreover, since the settings of such a network are not defined anywhere and are “self-configured” without user intervention, an attacking access point is able to impose on such clients the insecure 802.11 authentication method based on a distributed WEP key. Having imposed this method, the cracker can send a challenge string with known text to the client device and receive it back, XORed with part of the RC4 stream. Thus, by XORing what was received with the original text, the attacker learns 144 bytes of the RC4 stream for the given initialization vector (IV). This attack has many possible uses. In particular:
- more and more challenge requests can be sent until the RC4 cipher stream is recovered for every initialization vector in the 24-bit WEP IV space;
- the received response can be attacked by dictionary brute force using WepAttack and similar utilities;
- the known 144 bytes of keystream can be used to reinject packets to the client device using Anton Rager's WepWedgie. A successful reinjection will force the attacked host to send an encrypted ARP packet, which is easy to intercept and use with aireplay.
In any of the above cases, a single client device requiring a WEP-protected connection can hardly be called invulnerable.

Conclusion

The security of wireless networks should be given special attention. After all, a wireless network has a long range; accordingly, an attacker can intercept information or attack the network from a safe distance. Fortunately, there are now many different methods of protection and, provided they are configured correctly, one can be confident of providing the required level of security.
In conclusion, I would like to note that the author of the article does not encourage readers to “actively take action” and attack the wireless resources of various companies. In this case the purpose of this article was different, namely: to help system administrators of IT companies secure company resources as reliably as possible from any type of unauthorized access and intrusion.

