
Blurred Edges: Fixed and Mobile Wireless Access Points

Abstract

Understanding the end game of potential adversaries is the first step to modeling which attack vector(s) are likely to be the most profitable or least costly. Hacking activity may be motivated by gain, pain, or fear. Specific attack techniques are linked to challenges against specific security objectives (i.e., confidentiality, integrity, availability). For example, eavesdropping and aircracking are associated with confidentiality attacks. By analyzing attacker behavior in terms of market opportunity and the rational drive to maximize return of investment/effort, we can arrive at a better understanding of how to adapt prevention, detection, and control mechanisms to specific real-world contexts. Use case scenarios can capture insights about where the value resides that meets an attacker’s preference for acceptable risk, exploitable attack surfaces, planning/executing time horizon, available tools/skills, reasonable cost, and sufficient payoff.

Keywords

Hacker profile; hacker motivation; ransomware; fixed wireless access point; mobile wireless access point; aircracking; commjacking; skyjacking; SSID; attack vector

The Hacking End Game

Chapter 2, Wireless Adoption, presented a number of successful hack attack strategies that can help the malicious achieve their goals and that present challenges to defenders. The back stories for these and other evolving attack strategies presented in this and subsequent chapters can be instructive. To deconstruct these and other attacks and how they play out in specific contexts, it is useful to attempt an understanding of the motivation behind them by posing the questions: Why do hackers hack? What are the desired outcomes?

The back stories are as varied as the targets and techniques. Numerous academics, researchers, and industry analysts have attempted to define hacker profiles. According to the UN Hacker Profiling Project (HPP), a joint initiative between the UN Interregional Crime and Justice Research Institute (UNICRI) and the Institute for Security and Open Methodologies (ISECOM), profiles have shifted since the 1970s. Opportunistic lone wolves and script kiddies hacking for knowledge, curiosity, or mischief are being replaced by structured groups and cyber mercenaries with a focused, long-term perspective for achieving desired results. Thus the study sees APTs and more sophisticated activities carried out by malware factories, political hacktivists, and cyber mercenaries working on behalf of nation-states, industrial interests, and organized crime.1

Although divisible into multiple subsets, the basic motivations of the threat agents and those who manage them—including those classified as ethical hackers—resonate with those that motivate most human actions: gain, pain, and fear. Table 3.1 shows the relationships between different motivations, end games, manifestations, and hacker profiles. Hackers can, of course, act in response to a combination of motivations. The table indicates some of this overlap. A specific incident may represent a combination of these factors.

Table 3.1

Hacker Motivation, End Game, Manifestation, and Profile Type

Although financial gain frequently comes to mind first, a hacker can also measure “gain” as increases in competitive advantage, intellectual property, reputation, and privileged access (e.g., to online entertainment, system resources that include distributed computing power, ICS). Monetary gain is realized through fraud, accessing financial assets illicitly (often by impersonation), and buying and selling information (e.g., social security numbers, account numbers, medical credentials) to others in the hacking or criminal communities. Ransomware is another modality: threatening to disclose information, destroy, modify, or deny access to information if a cash equivalent payment is not made. Industrial spies realize financial gain by penetrating a company’s information resources and obtaining proprietary information and intellectual property. Sale of this information can be arranged on a contract basis or to the highest bidder on a speculative basis.

Pain as a motivation is demonstrated by causing pain, as well as relieving or avoiding pain. Thus, ethical hackers are motivated primarily by relieving or avoiding pain for others through the identification and often mitigation of vulnerabilities. Clearly, they have the skills to pursue financial and other forms of gain. Fear as a motivation is demonstrated by actions like using active cyber defense as a preventive mechanism. For such a mechanism to be effective, at least at the nation-state level, the defender must communicate credibly its limited tolerance for attacks by others, signal willingness to retaliate successfully and appropriately (i.e., proportionately), and be able to deconstruct triggering events to justify responses.2 The 2007 massive Russian cyberattacks against private and public sector organizations in Estonia inspired fear among Estonian citizens, who are highly dependent on digital communications for banking and news reports.3 It is easy to imagine how a hacker could create citizen fear or distrust in the reliability of government or industry through other acts that disable or degrade critical infrastructure sectors used by the public (e.g., water, electricity, transportation).

To achieve their end game, hackers must gain access to information assets. Even when physical access is the primary stratagem used by the attacker, it is often enabled or intensified by first performing reconnaissance to determine what weaknesses exist in the protection of these assets—and how to exploit them. Fixed and mobile WAPs often provide convenient entryways for this discovery.

Differentiation Between Fixed and Mobile WAPs

If we start with the premise that any device capable of receiving and transmitting radio frequencies can be considered a WAP—even if being used as a relay station—the number of fixed WAPs is significant. For our purposes, we will define “fixed” WAPs as those with a long-term commitment to place and geographic location, as opposed to those fixed in situ, but not in loco. A car’s factory-installed navigation system, for example, is fixed in situ behind the dashboard; one would not remove it after parking the car for use as an electronic guide while hiking in a national park. And yet, the system is not fixed in loco: Its geographic location changes as the vehicle travels down the road. Meanwhile, a portable navigation system when used in a car is not necessarily fixed in place or geographic location for the long term. Similarly, individuals can create their own mobile wireless hotspot through personal devices, rather than relying on wireless routers that are fixed in place.

Hacking Opportunities in Hybrid Networks and Communications Channels

Wireline connections are less “leaky” than wireless connections due to the innate characteristics of the network media over which signals travel. Still, copper used as the network media is vulnerable to electromagnetic interference (EMI) within the environment from intense electrical energy sources like motors, transformers, and fluorescent lights. Copper is also subject to crosstalk interference, which occurs when wires are bundled together.4 A copper-wire connection can be tapped by exposing the internal wires and connecting them to a listening device (a phone or a less perceptible “bug”). The tap can be located within the target phone or anywhere along the phone line, including lines on a telephone utility pole. The latter approach is also used to hijack phone connectivity to save the expense (or inconvenience) of subscribing to individual phone service. Of course, such intentional eavesdropping requires physical access to the wire—and is prohibited under Federal and state law (with some specific exceptions).5

Businesses and organizations of any size, as well as individuals, may experience wire-based service compromise that generates excessive billing for phone service. Computer users can unintentionally approve a modem hijacking by clicking on web-based ads for “free” content or services.6 The computer’s connection to a legitimate modem is reprogrammed to connect via an international or for-fee phone number.7 Other phone scams are perpetrated by individuals who call to promote various services (charity donations, credit card assistance, extended car warranties, travel packages) and by robocallers (automated dialing techniques using prerecorded messages rather than live operators).8

Fiber optic media, as opposed to copper, are not susceptible to EMI or RF interference and crosstalk. They may, however, be less resilient to physical damage if not adequately protected in conduit, and may be tapped by splicing fiber strands. Coaxial and unshielded twisted pair (UTP) cable are susceptible to EMI interference and can also be physically compromised for eavesdropping.9 At the physical layer, even transmissions over wired lines can be intercepted, although they are more contained than transmissions over wireless radio frequencies. The important thing to acknowledge is that the vulnerabilities of wired systems carry over into wireless systems. The latter systems also add their own exploit flavors. When considering how to hack (or protect) any communications systems, the characteristics of each element—network media, protocols, architecture, connected devices, applications, physical location, data, users, policies—become part of the calculation for attack (or protection).

Challenges for Securing Hybrid Networks and Communications Channels

Wireless exploits and their tools have generated numerous catchy nicknames and trademarks, often based on the particular 802.11x protocol targeted, which include the following:

• Aircracking—password cracking tool used against Wired Equivalent Privacy (WEP) and WPA protections; captures wireless packets to recover the password using the Fluhrer, Mantin, and Shamir (FMS) attack10

• Airjacking—tool for injecting forged packets to support a MITM or DoS attack10

• Bluejacking—sends unsolicited, often anonymous, messages over Bluetooth to Bluetooth-enabled devices; messages may contain a vCard (typically for connection to another Bluetooth-enabled device via the object exchange (OBEX) protocol; uses include bluedating and bluechatting)11

• Bluesnarfing—unauthorized access of information from one Bluetooth-enabled device by another

• Caller ID spoofing—falsifying the caller ID to a number other than the actual calling station’s12,13

• Commjacking—intercepting transmissions between any device and the Wi-Fi or cellular networks to which it is connected14

• Drone skyjacking—drone engineered to take control of other drones within wireless or flying range

• Juice jacking—gaining user access to a phone and its contents while it is being charged at a public kiosk over a common USB connection (can compromise privacy and lead to malware injection)15

• Skyjacking—exploiting over-the-air provisioning (OTAP) protocols to trap WAPs into connecting to a rogue wireless LAN controller (WLC) or access point; works by transmitting fake radio resource management (RRM) messages with information about the fake WLC; supporting tools include packet injection software16

Implications for Connections With Wired (Legacy) Networks and Systems

The attacks mentioned above are carried out at different layers of the entire communications system and so are included in the taxonomy of network and device attacks that affect all information systems, regardless of whether they are wired, wireless, or hybrid. Any wired network that can be accessed through a WAP, even if that access is indirect (e.g., an approved desktop that has been used to synch calendars with a compromised wireless device), may be susceptible. Although less colorful than the names applied to the foregoing wireless attacks and tools, the following taxonomy of attacks from Lisa Phifer (published by TechTarget)17 corresponds to familiar categories and information security principles (e.g., the confidentiality, integrity, and availability—or CIA—triad; the authentication, authorization, and accounting—or AAA—triad):

• Network penetration attacks
  – war driving, rogue access points, ad hoc associations, media access control (MAC) address spoofing, 802.1X Remote Authentication Dial-In User Service (RADIUS) cracking

• Confidentiality attacks
  – eavesdropping, Wired Equivalent Privacy (WEP) key cracking, evil twin AP, AP phishing, MITM

• Integrity attacks
  – 802.11 frame injection, 802.11 data replay, 802.1X Extensible Authentication Protocol (EAP) replay, 802.1X RADIUS replay

• Availability attacks
  – AP theft, Queensland DoS, 802.11 beacon flood, 802.11 associate/authenticate flood, 802.11 Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) exploit, 802.11 deauthenticate flood, 802.1X EAP-Start flood, 802.1X EAP-Failure, 802.1X EAP length attacks

• Authentication attacks
  – application login theft, domain login cracking, VPN login cracking, 802.1X identity theft, 802.1X password guessing, 802.1X Lightweight Extensible Authentication Protocol (LEAP) guessing, 802.1X EAP downgrade

Network Penetration Attacks

As in conventional wired networks, penetrating the network is often number one on the attacker’s to-do list. The trick with a wireless network is that defining the network’s perimeter (or parameters, for that matter) is complicated by radio frequency signal leaks (i.e., the ability to receive signals from outside a trusted building or other assumed enclosure). War driving—picking up WAP signals using a mobile device—can be a great learning tool for novice wireless attackers (or defenders). Free software tools are available for installation on common platforms. The tools identify and record device characteristics like name, MAC address, SSID, encryption technology, AP manufacturers, geo-location. From this information it is possible to determine where an unprotected or inadequately protected signal is coming from and, if the default device registration name has not been changed, the likely default password for that device.

Rogue access points are unauthorized installations that may be attributed to a trusted user—or an opportunistic attacker. They function in a wireless installation as a wiretap does in one that is wired. Ad hoc associations, on the other hand, represent a different potential for a kind of rogue access point. Peer-to-peer networking, facilitated through SSID broadcasting by wireless devices, is often a default setting that is left enabled. Accidental, incidental, and malicious eavesdropping can result.
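The defender’s counterpart to the war-driving and rogue-AP discussion above, as an added example that is not code from the chapter: a Python script that takes a constructed site-survey listing with the fields such tools record (BSSID, SSID, encryption, vendor, signal, location), audits it against an authorized-AP inventory, and flags unknown radios as rogue or evil-twin candidates, open/WEP networks as inadequately protected, and vendor-default SSIDs as devices whose factory settings were likely never changed. The CSV layout, the inventory, and the default-SSID patterns are assumptions, not any tool’s or vendor’s format.

```python
"""Audit a wireless site survey against an authorized access-point inventory.

Added example for the chapter's war-driving / rogue-AP discussion; not code
from the book. The scan records are constructed, and the CSV layout,
inventory and default-SSID patterns are assumptions, not a real tool's format.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed survey, shaped like what war-driving tools record:
# BSSID (AP MAC), SSID, encryption, vendor, signal (dBm), approximate position.
SCAN_CSV = """\
bssid,ssid,encryption,vendor,signal_dbm,location
00:11:22:33:44:01,CorpNet,WPA2,ExampleVendor,-48,Floor 2 east
00:11:22:33:44:02,CorpNet,WPA2,ExampleVendor,-55,Floor 3 west
aa:bb:cc:dd:ee:03,CorpNet,WPA2,OtherVendor,-41,Floor 2 east
de:ad:be:ef:00:04,Linksys,WEP,Linksys,-70,Parking lot
de:ad:be:ef:00:05,NETGEAR47,OPEN,Netgear,-62,Floor 1 lobby
00:11:22:33:44:06,Guest,OPEN,ExampleVendor,-50,Floor 1 lobby
"""

# Assumed inventory: BSSID -> (SSID it may broadcast, encryption it must use).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2"),
    "00:11:22:33:44:06": ("Guest", "OPEN"),   # sanctioned open guest network
}

# Settings the chapter calls inadequately protected.
WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Assumed factory-default SSID patterns (illustrative, not a vendor list):
# an unchanged SSID suggests other factory defaults were also left in place.
DEFAULT_SSID_PATTERNS = [
    re.compile(r"^linksys$", re.I),
    re.compile(r"^netgear\d*$", re.I),
    re.compile(r"^dlink(-[0-9a-f]{4})?$", re.I),
]


@dataclass
class Finding:
    bssid: str
    ssid: str
    issues: list = field(default_factory=list)


def is_default_ssid(ssid):
    """True if the SSID matches one of the assumed factory-default patterns."""
    return any(p.match(ssid) for p in DEFAULT_SSID_PATTERNS)


def audit_scan(scan_csv, authorized=AUTHORIZED):
    """Return one Finding per AP needing attention; compliant inventory APs are omitted."""
    known_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid, ssid, enc = row["bssid"].lower(), row["ssid"], row["encryption"].upper()
        issues = []
        expected = authorized.get(bssid)
        if expected is None:
            if ssid in known_ssids:
                # Unknown radio advertising our SSID: the evil-twin / AP-phishing case.
                issues.append("evil-twin candidate: unknown BSSID using authorized SSID")
            else:
                issues.append("rogue AP candidate: BSSID not in inventory")
            if enc in WEAK_ENCRYPTION:
                issues.append(f"weak protection: {enc}")
        else:
            exp_ssid, exp_enc = expected
            if ssid != exp_ssid:
                issues.append(f"inventory mismatch: expected SSID {exp_ssid!r}")
            if enc != exp_enc:
                # An inventoried AP whose protection no longer matches policy.
                issues.append(f"configuration drift: expected {exp_enc}, observed {enc}")
        if is_default_ssid(ssid):
            issues.append("factory-default SSID: device defaults likely unchanged")
        if issues:
            findings.append(Finding(bssid, ssid, issues))
    return findings


if __name__ == "__main__":
    for f in audit_scan(SCAN_CSV):
        print(f"{f.bssid}  {f.ssid!r:12} {'; '.join(f.issues)}")
```

Run against the constructed survey, the two inventoried CorpNet radios and the sanctioned open guest network produce no finding; the third CorpNet radio is reported as an evil-twin candidate, and the two unknown devices in the parking lot and lobby as rogue, weakly protected, and still on default SSIDs.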

Confidentiality Attacks

Confidentiality is the first element of the security triad and the one associated with privacy: limiting privileged information to those who own it or have an owner-acknowledged need to know it. Concerns about the confidentiality of personally identifiable information have led to enactment of numerous laws globally. Among them are the European Data Protection Directive (1995), the Australian Privacy Act (1998), the US Children’s Online Privacy Protection Act (COPPA, 1998), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA, 2000).18

Integrity Attacks

Integrity is the second element of the security triad and the one associated with the reliability of information: the assurance that the content and/or associated metadata has not been tampered with. Integrity has not received the kind of attention that incidents involving confidentiality (e.g., data breaches) have received. And yet, compromise of data or message integrity is at the core of some of the most disturbing attacks involving critical infrastructure (e.g., Stuxnet) or critical systems (e.g., Jeep engine hacking demonstration). Data integrity is also critical in medical environments, especially with increased reliance on electronic medical records (EMRs) to minimize undesirable outcomes (e.g., harmful drug interactions). Within the legal sector, the integrity of metadata is critical for date, attribution (or provenance), and time “stamping” of information events and document versions.

Availability Attacks

Availability is the third element of the security triad and the one associated with the reliability, accessibility, and performance of computing resources (e.g., communication networks, data processing applications, servers) and data. DoS attacks have historically been among the most disruptive for large numbers of individuals and organizations. For critical industrial infrastructure sectors like energy and water, the availability of systems that manage physical controls of distribution networks and pipelines is the most important one of the CIA triad. And in a medical context, this dependency on the digital availability of equipment and information (again, those EMRs) is a life-and-death matter for individuals.

Authentication Attacks

Authentication is associated with artifacts that validate the identity of the claimant (individual, system, or process) that is attempting to access an information asset. Various credentials may be presented for authentication. Credential theft and compromise are leading factors in data breaches. Concerns about the inherent vulnerabilities in magnetic stripe credit cards, for example, ultimately forced US companies to adopt Europay, MasterCard, and Visa (EMV) technology for the embedded chip credit cards rolled out in 2015. The theft of credentials is a key factor in multilayered attacks—by allowing privileged access to key host systems—as well as in credit card fraud, identity theft, and unauthorized building access.

C&C Attacks on Automated Processes

Most networks and attached devices are based on a set of automated (i.e., C&C) processes. The ultimate prize for a hacker is to obtain control over the C&C processes using a combination of the above attacks, which then gives the hacker access to all resources while masking or hiding evidence of that activity. C&C servers can continue working for years and are no longer limited to botnet activity or Internet relay chat servers to direct victims. They have been found among cloud infrastructure service providers and a range of Internet domains. Table 3.2 lists known malware families whose C&C servers have been found hosted on cloud infrastructure services.

Table 3.2

Malware Families with Command and Control (C&C) Servers on Cloud Infrastructure Services

Malware Family   Description
ZeuS             Cybercrime
POISON           RAT, targeted attacks
CLACK            Adware
BOZOK            RAT, targeted attacks
IXESHE           Targeted attacks
ESILE            Targeted attacks
DUNIHI           RAT, targeted attacks
KELIHOS          Cybercrime

C&C attacks against critical infrastructure elements also take advantage of known vulnerabilities in legacy software that cannot be patched or updated reliably.

Recommendations for Wireless/Hybrid Systems

The challenges of securing wireless technologies should not obscure their advantages. Fixed wireless access connections are now widely regarded as desirable in terms of installation cost and ease,19 especially in conditions where access to the cable or wiring plant or plenum is difficult or restricted, time schedules are tight, few walls or other environmental obstructions exist, no competing telecommunications infrastructure is in place, or coverage areas are widely separated or underutilized. The cost of protecting wireless communications, however, must be calculated when building the business case for a wireless or hybrid system. The challenges simply speak to the importance of understanding what your assets are, where they are located, who has access to them, how they are being accessed, and how they should be protected. The objective of such situational awareness is to be aware of what should be and what is. The objective is also to be aware of what could be, and thus to learn to think like an adversary, as Sun Tzu advised: “To know your Enemy, you must become your Enemy.”

Know Your Enemy

By looking at your environment from the perspective of a likely attacker, priorities about where to invest in protection efforts become clearer. Considerable investment may be necessary to achieve a successful attack. The rational attacker will make a deliberate calculation about what constitutes success and the desired return on investment (in terms of time, tool, financial, and skill resources) and weigh these against the probability of success—and the probability of failure or adverse outcomes (e.g., discovery, legal conviction, professional ostracism). Understanding the end game of potential adversaries is the first step to modeling which attack vector(s) are likely to be the most profitable or least costly.

This analysis assumes intentionality and sophistication rather than opportunistic digital vandalism. The latter category can include acts as insipid as keylogging and remote terminal experiments performed by grad students against staff in a university setting to the devastating Morris Worm, launched in 1988 from MIT by Cornell grad student Robert Morris. Estimates vary as to how many computer systems were crashed as a consequence, but 10% of systems connected to the Internet is often cited in articles. At that point in time, about 50,000–60,000 computer systems were connected to the Internet.22 (As a point of reference, a 2015 report estimated that 1.2 billion devices were connected to the Internet; 10% of that would be 120,000,000 devices.) Morris earned fame for his eponymous malware, in addition to 3 years’ probation, a fine for his intentional unauthorized access of others’ computers, and conviction under the federal Computer Fraud and Abuse Act23 (enacted in 1986 as an amendment to the 1984 Counterfeit Access Device and Abuse Act).24

Acts of digital vandalism perpetrated over wireless systems include object lessons designed to create awareness about unsafe practices. A regular feature at the hacker conference DefCon is a large video display, the Wall of Sheep. It lists accounts compromised over the conference Wi-Fi hotspot because their owners transmitted usernames and passwords in clear text. (It is an educational conference, after all.) This public shaming is, in effect, closed captioned, and has not carried the same fatal results as public shaming through social media bullying.

As a defender of your network and assets, you should:

Importance of Context (Use Case Scenarios)

Initially considered an expensive alternative to conventional circuits, and thus relegated to implementation as a backup to wired communications, wireless is an important feature of most communications infrastructure being built today. As discussed in Chapter 2, Wireless Adoption, wireless connectivity has become the preferred choice in countries that have not historically deployed significant wired infrastructure. Without the legacy of managing communications security and following safe information handling practices, the protection of information assets in these countries may become more complicated.

Although the academic exercise of planning an attack or its defense can be entertaining, looking at real-world instances gets to the operational, legal, regulatory, and behavioral environments in which WAPs are found. The chapters that follow explore the characteristics of specific applications for WAPs in a range of contexts: individual (personal, social, recreational), commercial (retail, multifamily, office).

These use case scenarios will attempt to capture insights about where the value resides that meets an attacker’s preference for acceptable risk, exploitable attack surfaces, planning/executing time horizon, available tools/skills, reasonable cost, and sufficient payoff. By analyzing attacker behavior in terms of market opportunity and the rational drive to maximize return of investment/effort, we can arrive at a better understanding of how to adapt prevention, detection, and control mechanisms to specific real-world contexts.
