If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of several known attacks against wireless networks. Many of them are prevented by using strong security protocols such as WPA2 with CCMP (AES). In contrast, WPA is vulnerable to many attacks, especially when it uses TKIP.
For example, can you answer this question?
Q. Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don’t have any problems. You suspect this is due to an attack. Which of the following attacks is MOST likely causing this problem?
A. Wireless jamming
B. IV
C. Replay
D. Bluesnarfing
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Jamming Attacks
Attackers can transmit noise or another radio signal on the same frequency used by a wireless network. This interferes with the wireless transmissions and can seriously degrade performance. This type of denial-of-service attack is commonly called jamming and it usually prevents all users from connecting to a wireless network. In some cases, users have intermittent connectivity because the interference causes them to lose their association with the AP and forces them to try to reconnect.
In some cases, you can increase the power level of the AP to overcome the attack. Another approach is to switch to a different wireless channel. Each wireless standard offers several channels, and if one is too noisy, you can use another. Although this works well against ordinary interference in home networks, it is less effective against a deliberate jamming attack: if you switch channels, the attacker can switch channels too.
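The intermittent-connectivity symptom described above leaves a trace in AP logs: one client disassociating is normal (it roamed or left), but most of an AP's clients dropping at the same moment and then reconnecting again and again is worth a look. The following is an added example (not code from the original post) that flags such bursts. The log lines are constructed in hostapd's style and do not come from any real network; the thresholds are assumptions to tune for your own environment.

```python
"""Flag bursts of client drop/reconnect events in AP logs.

Added example, not part of the original post. The log lines below are
constructed in hostapd's style and do not come from a real network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a quiet morning with one normal departure, then a
# window in which three of the four clients drop and reconnect twice.
SAMPLE_LOG = """\
2019-03-04T09:00:05 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated
2019-03-04T09:00:09 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: associated
2019-03-04T09:00:12 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: associated
2019-03-04T09:00:20 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:04 IEEE 802.11: associated
2019-03-04T09:31:40 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:04 IEEE 802.11: disassociated
2019-03-04T10:15:02 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: disassociated
2019-03-04T10:15:03 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: disassociated
2019-03-04T10:15:03 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: disassociated
2019-03-04T10:15:20 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated
2019-03-04T10:15:22 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: associated
2019-03-04T10:15:25 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: associated
2019-03-04T10:16:48 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: disassociated
2019-03-04T10:16:49 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: disassociated
2019-03-04T10:16:49 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: disassociated
2019-03-04T10:17:05 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated
2019-03-04T10:17:07 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: associated
2019-03-04T10:17:09 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: associated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ hostapd: \S+: STA (?P<sta>[0-9a-f:]{17}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated|deauthenticated)$"
)


def parse_events(text):
    """Return a list of (timestamp, station, event); unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["sta"], m["event"]))
    return events


def find_drop_bursts(events, window_minutes=5, min_fraction=0.5, min_drops_each=2):
    """Bucket drop events (disassociated/deauthenticated) into fixed windows.

    A window is reported when at least min_fraction of all clients seen in
    the log dropped in it AND those clients dropped min_drops_each times on
    average, i.e. they kept losing the AP and reconnecting rather than leaving.
    Returns a list of dicts sorted by window start.
    """
    clients = {sta for _, sta, _ in events}
    buckets = defaultdict(list)
    for ts, sta, event in events:
        if event == "associated":
            continue
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[start].append(sta)

    bursts = []
    for start in sorted(buckets):
        drops = buckets[start]
        affected = set(drops)
        if (len(affected) >= min_fraction * len(clients)
                and len(drops) >= min_drops_each * len(affected)):
            bursts.append({
                "start": start,
                "end": start + timedelta(minutes=window_minutes),
                "affected": len(affected),
                "clients": len(clients),
                "drops": len(drops),
            })
    return bursts


if __name__ == "__main__":
    for b in find_drop_bursts(parse_events(SAMPLE_LOG)):
        print(f"{b['start']:%H:%M}-{b['end']:%H:%M}: {b['affected']}/{b['clients']} "
              f"clients dropped {b['drops']} times; check channel noise")
```

On the sample, the single 09:31 departure is ignored and only the 10:15 window is reported. Treat a hit as a trigger to look at signal-to-noise on the channel, not as proof of jamming: a flaky AP or a deauthentication flood produces the same log pattern, and the log alone cannot tell them apart.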
NFC Attacks
Near field communication (NFC) is a group of standards used on mobile devices that allow them to communicate with other mobile devices when they are close to them. For example, you can share pictures, contacts, and other data with friends. One person shares the data, and after placing the smartphones close to each other, the other person selects it to download.
During an NFC attack, an attacker uses an NFC reader to capture data from another NFC device. One method is an eavesdropping attack. The NFC reader uses an antenna to boost its range, and intercepts the data transfer between two other devices.
A more advanced attack was discovered by security researchers in 2012. They designed Trojan malware and installed it on an Android-based smartphone. They used the Trojan to initiate a payment. The NFC reader was then able to capture the payment data and use it in a live payment transaction. Google quickly modified Google Wallet to prevent this type of attack.
Bluetooth Attacks
Bluetooth is a short-range wireless system used in personal area networks (PANs). A PAN is a network of devices close to a single person. Bluetooth devices include smartphones, headsets, and computer peripherals.
The range of Bluetooth was originally designed for about three meters (about 10 feet), but the range is often farther, and ultimately extends beyond a person’s personal space. Attackers have discovered methods of exploiting these networks. Some common attacks are bluejacking, bluesnarfing, and bluebugging:
• Bluejacking is the practice of sending unsolicited messages to nearby Bluetooth devices. Bluejacking messages are typically text, but can also be images or sounds. Bluejacking is relatively harmless, but does cause some confusion when users start receiving messages.
• Bluesnarfing refers to the unauthorized access to, or theft of information from, a Bluetooth device. A bluesnarfing attack can access information, such as email, contact lists, calendars, and text messages. Attackers use tools such as hcitool and obexftp.
• Bluebugging is like bluesnarfing, but it goes a step further. In addition to gaining full access to the phone, the attacker installs a backdoor. The attacker can have the phone call the attacker at any time, allowing the attacker to listen in on conversations within a room. Attackers can also listen in on phone conversations, enable call forwarding, send messages, and more.
When Bluetooth devices are first set up, they are placed in Discovery mode. Each Bluetooth device has a 48-bit device address (similar to a MAC address), and in Discovery mode the device broadcasts this address so that other devices can see it and connect to it. This is required when pairing Bluetooth devices.
In earlier versions of Bluetooth, pairing could happen at any time a device was in Discovery mode, without the user being involved. Most vendors have since rewritten their software to prevent this, and today users typically pair devices manually: if the user doesn’t acknowledge an attempted pairing, it fails. As a result, these Bluetooth attacks are rare today. However, a device that doesn’t require the user to confirm a pairing is still susceptible to them.
Wireless Replay Attacks
In a replay attack, an attacker captures data sent between two entities and later retransmits (replays) it, sometimes after modifying it, in an attempt to impersonate one of the parties. WPA2 using CCMP and AES is not vulnerable to replay attacks. However, WPA using TKIP is vulnerable to replay attacks.
WPA uses a sequence counter to number the packets and an access point will reject packets received out of order. Additionally, TKIP uses a 64-bit Message Integrity Check (MIC) to verify the integrity of the packets. While this sounds secure, security experts identified a method to discover the MIC key. After discovering the key, an attacker can transmit and decrypt packets. Later, other security experts improved this attack allowing them to launch a replay attack. This is one of the reasons that TKIP was deprecated in 2012 and should not be used.
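The sequence counter and MIC described above are easiest to understand as a receiver that applies them in order. The following is an added example, not code from the original post: the counter logic has the same shape as TKIP's 48-bit TSC and CCMP's 48-bit PN (a strictly increasing per-session counter, with anything at or below the last accepted value dropped), but the 8-byte MIC is an HMAC-SHA256 truncation used as a stand-in, not TKIP's Michael algorithm or CCMP's CBC-MAC, and the key is a constructed value.

```python
"""Replay-counter check of the kind WPA/WPA2 receivers perform.

Added example, not from the original post. The MIC is an HMAC-SHA256
stand-in (NOT Michael or CBC-MAC) and the session key is constructed.
"""
import hashlib
import hmac
import struct

SESSION_MIC_KEY = b"constructed-per-session-mic-key"   # constructed value


def mic(key, counter, payload):
    """8-byte tag over counter||payload (stand-in for the real MIC)."""
    data = struct.pack(">Q", counter) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def build_frame(key, counter, payload):
    """Sender side: 8-byte counter || payload || 8-byte MIC."""
    return struct.pack(">Q", counter) + payload + mic(key, counter, payload)


class Receiver:
    """Receiver that enforces the replay counter and verifies the MIC."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1          # nothing accepted yet
        self.log = []                   # (counter, verdict) for inspection

    def receive(self, frame):
        counter = struct.unpack(">Q", frame[:8])[0]
        payload, tag = frame[8:-8], frame[-8:]
        # Replay check first, as TKIP/CCMP do, before any expensive work.
        if counter <= self.last_counter:
            self.log.append((counter, "rejected: replay/out of order"))
            return False
        if not hmac.compare_digest(tag, mic(self.key, counter, payload)):
            # Do NOT advance the counter on a bad MIC: a forged frame must
            # not be able to make the receiver skip legitimate frames.
            self.log.append((counter, "rejected: bad MIC"))
            return False
        self.last_counter = counter
        self.log.append((counter, "accepted"))
        return True


def demo():
    """Walk through legitimate, replayed, stale, tampered and forged frames."""
    rx = Receiver(SESSION_MIC_KEY)
    f1 = build_frame(SESSION_MIC_KEY, 1, b"GET /status")
    f2 = build_frame(SESSION_MIC_KEY, 2, b"POST /login")
    f3 = build_frame(SESSION_MIC_KEY, 3, b"POST /settings")
    tampered_f3 = f3[:8] + b"POST /admin" + f3[-8:]    # payload changed, old MIC kept
    results = {
        "first": rx.receive(f1),
        "second": rx.receive(f2),
        "replayed_second": rx.receive(f2),   # attacker resends captured frame
        "stale_first": rx.receive(f1),       # old counter, out of order
        "tampered_third": rx.receive(tampered_f3),
        "genuine_third": rx.receive(f3),     # still accepted: counter was not burned
    }
    # What recovering the MIC key buys an attacker: with the key, a frame
    # minted with a fresh counter passes both checks.
    forged = build_frame(SESSION_MIC_KEY, 500, b"POST /attacker-injected")
    results["forged_with_known_key"] = rx.receive(forged)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>22}: {'accepted' if ok else 'rejected'}")
```

Two details matter in practice. The counter must not be advanced when the MIC fails, otherwise an attacker who can send one garbage frame with a high counter can make the receiver discard every legitimate frame that follows. And the counter is only as strong as its scope: TKIP with 802.11e QoS keeps a separate counter per traffic class, and the published TKIP attacks exploited that by replaying a captured frame on a class whose counter was still low.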
Q. Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don’t have any problems. You suspect this is due to an attack. Which of the following attacks is MOST likely causing this problem?
A. Wireless jamming
B. IV
C. Replay
D. Bluesnarfing
Answer is A. A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network. None of the other attacks are DoS attacks.
An initialization vector (IV) attack collects packets that reuse IVs in order to recover the encryption key (classically the WEP key).
A replay attack captures traffic with the goal of replaying it later to impersonate one of the parties in the original transmission.
Bluesnarfing is a Bluetooth attack that attempts to access information on Bluetooth devices.
See Chapter 4 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on wireless attacks.