Wireless is here to stay and becoming more and more pervasive. Understanding wireless and the risks and vulnerabilities involved with its use are crucial concerns for your organization’s security staff.
We have all heard the horror stories associated with a company’s Wi-Fi used to breach their security. The most famous case is the TJ Maxx case. TJ Maxx’s parent company secured its wireless LAN (Local Area Network) using Wired Equivalent Privacy (WEP). WEP is the weakest form of security available for securing wireless LANs. Hackers broke in and stole records: which included millions of credit card numbers.
The TJ Maxx security breach was many years ago when Wi-Fi security options were fewer and much weaker. In a nutshell, there is a well-known vulnerability in the WEP protocol and because TJ Maxx was ignorant of that fact, or overlooked it, they negatively affected their financial situation and their reputation. Your organization does not want to make similar mistakes, so make sure you do your due diligence to avoid a scenario similar to this one.
A wireless penetration test will examine your network using a methodology similar to the standard wired penetration test. However, they will focus on the wireless as the gateway to exploit your vulnerabilities. Thus selecting the right partner to conduct the wireless penetration testing is an important decision. Look for certifications such as OCSP, OSCE, GPEN, CEH, CPT, and CWNP.
Select a company that has technical expertise. If their knowledge is both deep and wide, they will be able to dig deeper and therefore provide you with information that is more valuable. Ask for an example of a deliverable report from a similar wireless penetration test. The report should be detailed and self-explanatory. With the proper business acumen, the testers can tailor their work to you vertical and its regulatory mandates. Penetration testing should mimic a real-life attack in as many ways as possible.
There are many benefits to conducting a wireless penetration test. Identifying vulnerabilities that threat actors are able to exploit is paramount. Testing the effectiveness of your security posture or exposing unintended weaknesses allows an organization to remediate these problems before they happen for real. This penetration test will also serve as a third-party validation of your company’s threat/vulnerability management.
Finally yet importantly, remember that Wi-Fi is not the only wireless technology a hacker can exploit. There many Bluetooth and Bluetooth Low Energy (BLE) devices commonly found in the public. There are also other less pervasive wireless technologies, like ZigBee, Z-wave, and DECT (cordless phones).
Understand Data Collection and Analysis
There are phases of conducting a Wireless Penetration Test. The first stage is Data Collection, which is followed by the analysis of that data. For a good tester to understand how to collect data from deep in the wireless network, the tester needs a thorough understanding of some things germane to wireless. The professional conducting the test needs to understand signal leakage.
Essentially signal leakage (or bleed) is any wireless signal that propagates beyond the intended coverage area. Complete suppression of this leakage is impossible. However, minimizing the signal leakage and maintaining knowledge of where the bleed exists is a best practice. The penetration tester also needs to have a detailed understanding of how the security protocols used in wireless operations. When you understand the protocols inner workings, you can better test the exploitation of a vulnerability.
Additionally, the tester needs to understand denial of service (DoS) attacks, Man-in-the-middle (MITM) attacks, and Access Point (AP) attacks to test and protect against them. Lastly, knowledge of the user and their host vulnerabilities is another key aspect to testing for potential exploits.
How a Man-in-the-Middle Attack is Perpetrated
Let us say you are at the coffee shop and you try to connect to any one of the more popular banking institutions with online banking. If you do not verify to which website you are connecting, and it is not a secure sockets layer (SSL) connection to the splash page to accept the terms-of-use, there is a chance you will be compromised. Let us say I am in the diner next door or in the parking lot with a laptop running unix. I can broadcast an SSID and issue IP address info and a DNS server with a free DHCP server running on the same laptop. I can poison your DNS and direct you to a bogus IP address for which a webpage will reply with any number of banking institutions. When you enter your credentials, I collect them and you are compromised.
Yes, it is very scary.
Understand Organizations and Associated Standards
Any good security professional conducting a wireless security assessment should be familiar with all the industry organizations the guidelines they recommend and the standards that they define. A thorough understanding of the associated organizations and their prescriptions is one of the most valuable skills, because testers do not need to reinvent the wheel. They can follow the existing recommendations while addressing the specific needs of a specific customer.
Wi-Fi Alliance makes sure that all Wi-Fi equipment is interoperable. The FCC regulates the RF spectrum from which Wi-Fi, Bluetooth and the other wireless technologies operate. The IETF helped define RADIUS and EAP. The wireless expert should also be well versed in all the flavors of EAP including LEAP, PEAP, EAP, EAP-GTC, TLS, TTLS and the rest.
There are many regulatory bodies as well. Personal Credit Information (PCI) protects consumer’s credit info from exposure by a company not doing their due diligence to protect the info. Health Insurance Portability and Affordability Act (HIPAA) protects the confidentiality of patients’ health info. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student educational information. ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
A proper understanding of these diverse bodies is what will make your wireless penetration test relevant, tailored to your technology, and serve as a third-party audit for your company. The experienced tester will know to look at all wireless technologies. This will included looking at point-to-point links that are often licensed links from the FAA. Looking at Bluetooth (802.15) will be helpful exposing any vulnerabilities that exist in the use of that technology within your network.
In summary, the wireless penetration tester needs to be, not only a good penetration tester but also, an expert wireless engineer. Ask questions relevant to your industry or vertical when considering a company to conduct the wireless penetration test. If you do this then you will be able to weed out the less knowledgeable testers from the more expert ones.
Understand Wi-Fi Testing Tools
The methodology for testing is as follows:
- Wireless LAN (WLAN) Assessment
- Rogue AP analysis
- Wireless Hotspot
- Attacking encryption protocols
WLAN Assessment entails many actions: passive AP fingerprinting techniques, information element disclosure, and client post-processing analysis with Kismet XML files. Identifying the authentication and encryption options used on the WLAN with Kismet and Wireshark and mapping the range of indoor and outdoor WLANs. Assessing traffic captured in monitor mode for information disclosure, identifying multicast protocols with MAC analysis, evaluating encrypted traffic and proprietary encryption functions all help analyze the strength or weakness of your WLAN.
Another aspect of testing is rogue AP analysis. Testers can locate rogue devices through RSSI signal analysis and triangulation. The penetration tester should be aware of Ad Hoc networks. Bogus “Free-Wi-Fi open networks and malicious rogue clients. Also make sure the testers look for devices that are in the environment but connecting to SSIDs that not authorized by your company. By connecting a corporate asset to another Wi-Fi network, it can be unsafe for a plethora of reasons. Some of these are watering hole attack, phishing attack, MITM attack, etc.
In 2017, wireless hotspots are everywhere. Having them at the coffee shop and the pizzeria is certainly convenient, but can be very perilous to your corporate assets. This is especially true when the coffee shop is located next door to your corporate office. Without getting into the details, your employee will expose your company to risk when they join an open network. A good tester will look for this and note where these hotspots are and what the SSID is. Then you can take steps to help educate users and configure endpoints appropriately.
Since the cracking of WEP many years ago, free tools have appeared on the market to help crack pre-shared keys. Unbelievably, these tools can even crack WPA and WPA2. A thorough penetration tester should see if any pre-shared keys can be cracked within a short time frame (hours not days). This is good as a shock factor to illustrate how easily a standard key with 8 or 10 characters can be broken. Then after that testing, feed PSKs into a password strength tool reveal the relative strength of the key.
Understand IEEE 802.11 and Other Wireless MAC Layer Information
This is where you separate the experts from the ankle biters. A good penetration tester who wants to exploit your network using the WLAN needs to possess intimate knowledge of the MAC and PHY layer of 802.11. First, there must be an understanding of how an ad hoc network operates versus an infrastructure network. A full understanding of the phases of station authentication and association will be key. Knowledge of the three packet types: Management, Control, and Data is necessary along with the header and footer format of these. Expert knowledge of the 80.1x framework and the accompanying EAP type is the most important of all.
Any wireless transport mechanism will have a MAC layer with the exception of DECT as it operates in a closed phone system and not over TCP/IP endpoints. Bluetooth, which is a wireless personal area network (WPAN) defined by IEEE 802.15.1. Understand Bluetooth operations and hacking becomes relatively easy. Zigbee is another WPAN. ZigBee is defined by 802.15.4, which was created for low data rate transmission that allows a device a very long battery life. ZigBee also uses the MAC layer so knowledge of its working is also necessary if this technology is in use. As previously explained DECT does not use a MAC and unless there is an IP that makes it an Internet of things (IoT) device the only concern would be decoding and eavesdropping. A DECT device would not be a gateway into your IP network.
Summing It All Up
Selecting a Penetration Tester that focuses on wireless will be expensive and take time and energy. That is why selecting the right one is so important. Make sure you keep in mind all the points presented in this article. Ask him how he does things, which weakness he will focus on. In the end, selecting the right consultant with the right credentials will yield a successful effort. By reading this article you have educated yourself to help make an educated decision on the Penetration Tester you select.
Author Bio: John Busso is a Senior Network Engineer/Mobility Specialist at CCSI. He has almost 20 years experience providing secure voice and data solutions. John has been a Subject Matter Expert for Enterprise Mobile Solutions such as Guest WiFi and BYOD, providing vision for diverse clients.
John has been an Adjunct Professor and trainer. He holds numerous Industry certifications, including CISSP CWNP, CCNP, ACMP and ITIL. His experience includes working with retail, TNL-Couriers, DC’s and Airports, Healthcare, Education, DOD, Local Government, Financial, Non-Profit-Public WiFi, Entertainment and Hospitality industries. His expertise is in mobility, security, WLAN, WAN, LAN, VoWiFi, RFID, RTLS, WIPS, WIDS, DAS, licensed/unlicensed PTP and PTMP networks. Connect with John on Twitter via @JohnBusso.