In this lesson, I'll discuss wireless-based attacks. By the end of the lesson, you'll be able to explain how wireless attacks operate and what kinds of wireless attacks are out there, and understand how to protect yourself when on an untrusted wireless network.

Wireless is everywhere. Everywhere you turn, there is some kind of wireless connection that you can connect to to get Internet. Hotels, coffee shops, your local gym, even a beach: they have wireless networks that allow you to connect to the Internet. Nearly all the devices out there have some kind of wireless connection built into them, some Wi-Fi hardware that allows you to connect to wireless. We actually get frustrated if we don't have signal. "What do you mean I can't use my wireless device in here? I'm expecting to use wireless and have Internet anywhere I go." That wasn't the case as of a few years ago.

Let's talk about how wireless works in general. What do you need to know when we're talking about wireless security and wireless-based attacks? Wireless typically comes over many different channels. Depending on the frequency that the access point is communicating on, there are certain channels that will be switched between those different access points. For the 2.4 GHz spectrum, we have just three channels that we can connect to. For some of the other ones, 5 GHz for example, we have a lot of different frequencies that we can connect to. However, if we only use one of those, we're going to have lower speed. What helps boost the speed is channel bonding. Channel bonding uses two of the frequencies together to get a higher speed.

The base station, or the access point, serves up an SSID. For example, at the university we have two actual SSIDs. One is called UCCS-Wireless and the other one is called UCCS-Guest. Guess which one is the most preferred one?
Well, with UCCS-Wireless you log into it and then you're good to go; you can access anything. The guest is pretty restrictive. So when a client connects to UCCS-Wireless, they're connecting to the SSID, which is short for Service Set Identifier. An SSID can be almost anything. So, if I were an attacker, I could actually change my SSID to become UCCS-Wireless, for example. We identified this in a number of different ways. However, it also takes up a certain channel. So, if it's 2.4 GHz, for example, and there are only three channels that I can connect to, it takes out one of the channels that I need to connect.

Let's talk about threats to clients. Threats to clients come in a number of different ways, but specifically I'm talking about untrusted networks. First, connecting to a spoofed SSID. A spoofed SSID is exactly the scenario I just gave you. We operate UCCS-Wireless and somebody puts up an access point that also broadcasts UCCS-Wireless. Now, some settings are going to change, obviously. But you're more trusting of that, even though you're connecting to an untrusted network at that point. What about connecting to an unsecured SSID or an open SSID? This requires no password in general, but the problem is an attacker could perform a man-in-the-middle attack on this, where they actually sniff the traffic over the wireless connection. There could also be denial of service. We could connect to an SSID or just broadcast de-authentication packets to a wireless network and kick all clients off. This is actually pretty common.

Threats to infrastructure. Signal interference happens when there are too many access points or SSIDs up. Say I have a 2.4 GHz access point and I'm in an apartment building, for example, and I see 20 different access points all over the place. We're going to have to put our power very low, or we may want it really high to make sure that we can broadcast and kill the other signal from our neighbors.
The best thing that you can do is lower your power, in that case. Spoofing SSIDs, again, is a threat to infrastructure as well as a threat to clients.

WPS. WPS stands for Wi-Fi Protected Setup. This is the little button on your wireless router or your access point that allows you to communicate to a device that sends the key back and forth between the base station or the access point and your computer or your device. What happened a couple of years ago is that these were actually not resetting. So it was a very easy attack on unprotected or unpatched systems that allowed us to easily obtain the password for a network.

Usernames and passwords can also be gathered if you are on an untrusted network. There could be backdoors built into access points. D-Link, Asus, a lot of these smaller consumer-grade access points have, or have been identified as having, backdoors in them. Or they've leaked their usernames and passwords for the default account. So, it's important to make sure that whatever wireless network you're jumping on is protected.

What was protected through wires now allows anyone to connect. If I'm broadcasting my signal and I have my access point up as high as it can go, so I'm broadcasting to everybody, perhaps that wireless signal is bleeding outside of the building. So any attacker could actually just drive up to the side of the building and start sniffing traffic if you have an open network.

We also have threats to communications. An SSID that is secured with WEP, which stands for Wireless Equivalent Privacy, is using a very weak protocol for security. Keys for accessing that network could be obtained in a matter of seconds. There are also untrusted networks, meaning open networks like our coffee shop or our gym, for example. Those are threats to communication channels. Encryption is not built into open SSIDs.
So you need to make sure that you're using a VPN-type service, or connect to somewhere where we have at least some kind of network key or a password that you're entering.

Defenses: use trusted networks. Don't necessarily use your local coffee shop's network, or use a VPN. Secured SSIDs, or secure SSIDs, are using well-known and secure protocols. WPA2, for example, using AES encryption would be the best security that you could have on a non-commercial access point. And then broadcast only where you intend to use this signal. This goes down to physicality. So, again, don't put an access point way up high in a building so that it can bleed all over the building or even your home. Put it somewhere where it's going to be accessible only in a certain range.
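
The spoofed-SSID, open-network and WEP checks from this lesson, written as a small audit over wireless scan results. This is an added example, not part of the original lecture; the scan records, the BSSID allowlist and the assumption that UCCS-Wireless runs WPA2-AES are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed allowlist: radio MACs (BSSIDs) the network owner really operates.
KNOWN_APS = {"UCCS-Wireless": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}
WEAK = {"OPEN", "WEP"}  # no encryption, or keys recoverable in seconds

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "OPEN", "WEP", "WPA2-AES"

# Constructed sample scan: two real APs, one look-alike, three other networks.
SCAN = [
    Beacon("UCCS-Wireless", "02:00:00:aa:00:01", 1, "WPA2-AES"),
    Beacon("UCCS-Wireless", "02:00:00:aa:00:02", 11, "WPA2-AES"),
    Beacon("UCCS-Wireless", "02:00:00:ff:00:99", 6, "OPEN"),
    Beacon("CoffeeShop", "02:00:00:bb:00:01", 6, "OPEN"),
    Beacon("OldRouter", "02:00:00:cc:00:01", 1, "WEP"),
    Beacon("HomeNet", "02:00:00:dd:00:01", 11, "WPA2-AES"),
]

def audit(beacons, known=KNOWN_APS):
    """Return (kind, ssid, bssid, detail) findings in scan order."""
    # Security settings observed on the radios we trust, per SSID.
    trusted_sec = {}
    for b in beacons:
        if b.bssid in known.get(b.ssid, ()):
            trusted_sec.setdefault(b.ssid, set()).add(b.security)
    findings = []
    for b in beacons:
        if b.ssid in known and b.bssid not in known[b.ssid]:
            # Same name as our network, but a radio we do not operate.
            detail = "unknown BSSID"
            if b.security not in trusted_sec.get(b.ssid, {b.security}):
                detail += f", security {b.security} differs from trusted APs"
            findings.append(("possible-spoofed-ssid", b.ssid, b.bssid, detail))
        elif b.security in WEAK:
            findings.append(("weak-or-no-encryption", b.ssid, b.bssid, b.security))
    return findings

if __name__ == "__main__":
    for finding in audit(SCAN):
        print(*finding, sep=" | ")
```

A matching name with an unfamiliar BSSID is only a signal to investigate, since a legitimately added access point looks the same until the allowlist is updated.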