WiFi Vulnerabilities and Attack Methods Explained

WiFi was created in 1997 by the 802.11 committee. Since then, it has grown to be an essential part of our lives. It is a convenient and easy gateway to the internet but as with most tech, it comes with vulnerabilities. This article will roughly go over most of the known vulnerabilities and attacks.

Listening

The greatest benefit of WiFi is that it is wireless. This convenience is what makes WiFi so popular, but it is also WiFi’s biggest weakness. WiFi works by emitting radio signals on the 2.4 and 5 gigahertz frequencies. This allows hackers to listen in on either frequency and capture the data being sent. Due to the nature of radio, the victim will not even know that their data is being read by a third party. This means that on open WiFi networks such as Starbucks WiFi, all the traffic being sent can be seen, collected, and used by a hacker (HTTPS and VPNs prevent this, but we won’t go into detail about those here). Luckily the guys at 802.11 thought of this, so encrypted networks were created.

WEP

WEP stands for Wired Equivalent Privacy and is the first encryption standard for WiFi. WEP’s name certainly suited it well, as its security was no better than plugging in an ethernet cable. In other words, it’s BAD if you want your data to stay secure. These days, a WEP passcode can be cracked in a few minutes with simple equipment, so don’t use it. WEP was quickly made obsolete and today’s routers don’t use WEP anymore.

WPA & WPA2

These two are what most home networks use today. They are much more secure than WEP but still come with their own security holes. The biggest difference between WPA and WPA2 is the encryption standards they use. WPA uses TKIP while WPA2 uses AES-CCMP. WPA is also vulnerable to the Beck-Tews attack which allows the attacker to act as a man in the middle and see all traffic between the client and router. WPA2 patches the Beck-Tews vulnerability but both standards are vulnerable to the next 5 attacks.

Deauthentication

A deauthentication attack forces a target to disconnect from the network. The attack works by exploiting the fact that management frames in WiFi are unencrypted. To perform the attack, the attacker first gets the MAC addresses of the target and the router. Then the attacker disguises themselves as the router using its MAC address and sends deauthentication packets to the target. If the target receives the packets it will automatically disconnect from the WiFi. It is also possible for the attacker to target all the clients on the network, classifying it as a DoS attack. This can be mitigated by enabling protected management frames.
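Because deauthentication frames are unauthenticated without protected management frames, a monitor cannot tell a spoofed frame from a real one, but it can flag the rate. The following is an added defensive example, not code from the original article: a small Python detector run over constructed monitor-mode frame metadata (the MAC addresses, the one-second window and the threshold of ten frames are assumptions for illustration).

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:dd:ee:01"   # constructed access-point MAC

# Constructed sample of management-frame metadata as a monitor-mode capture
# tool might log it: (time in seconds, subtype, source MAC, destination MAC).
# The burst starting at t=5.0 carries the AP's address as source even though
# the AP never sent it: that spoofing is exactly how a deauth attack looks.
SAMPLE_FRAMES = [
    (0.0, "beacon", AP, BROADCAST),
    (0.5, "deauth", AP, "10:20:30:40:50:61"),   # one legitimate deauth
    (1.0, "beacon", AP, BROADCAST),
] + [
    (5.0 + i * 0.025, "deauth", AP, BROADCAST) for i in range(40)   # the flood
]


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Return one alert per sender that emits more than `threshold`
    deauthentication frames within any `window` seconds.

    Without 802.11w (protected management frames) a monitor cannot tell a
    spoofed deauth from a real one, so the rate is the only usable signal.
    """
    recent = defaultdict(deque)   # sender MAC -> timestamps of recent deauths
    alerts, alerted = [], set()
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"sender": src, "count": len(q), "at": ts,
                           "broadcast": dst == BROADCAST})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood spoofing {a['sender']}: {a['count']} frames "
              f"within 1s at t={a['at']:.2f}s, broadcast={a['broadcast']}")
```

A broadcast destination means every client on the BSS is being kicked, which is the DoS variant described above.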

4 Way Handshake

To connect to WiFi, a device must perform what is known as a 4 way handshake. This process authenticates the device with the router, allowing it to connect. The issue with the 4 way handshake is that it can be intercepted and used to figure out the password of the network. An attacker can set up a listening device, capture the handshake, and use tools such as hashcat to crack the password. The problem with capturing the handshake is that it can only happen when a device is connecting to the router. However, this can be solved by first performing a deauthentication attack. The deauthentication forces the client to disconnect, and when the client tries to reconnect the handshake is captured. This attack can be mitigated by setting a strong password, as the captured handshake is still hashed and must be cracked.

PMKID

A handshake is great, but it can’t be captured if there are no devices on or trying to connect to the network. An alternative to the handshake is the PMKID attack. Here, instead of attacking a client, we attack the router. PMKID attacks only work against routers that have the roaming feature enabled. This is usually present in mesh networks and sometimes on single routers. An attacker first sends out specially crafted frames to request the PMKID from the router. If the attack is successful, the attacker can attempt to crack the PMKID to obtain the WiFi password. This attack can be easily mitigated by disabling roaming or by setting a strong password.
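Both the handshake and PMKID attacks end in the same offline step: every password guess has to be run through the WPA/WPA2-Personal key derivation before it can be checked against the capture, which is why a strong password is the mitigation in both sections. The following added example (not from the original article) derives that key in Python and estimates how long exhausting a passphrase space takes; the guess rate of one million per second and the sample SSID names are assumptions for illustration.

```python
import hashlib


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key that a WPA/WPA2-Personal client
    and router both compute from the passphrase: PBKDF2-HMAC-SHA1 with the
    SSID as salt and 4096 iterations (IEEE 802.11). A captured 4 way
    handshake or PMKID lets an attacker test guesses against this offline,
    so every guess costs 4096 HMAC-SHA1 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passphrases of `length` symbols drawn from `charset_size`."""
    return charset_size ** length


def crack_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given offline guess rate.
    The rate is an assumption the defender supplies for their threat model."""
    return passphrase_keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    # Known test vector from the IEEE 802.11 standard: passphrase "password", SSID "IEEE".
    pmk = wpa2_psk_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    # Same passphrase, different SSID: the salt changes the PMK, so a unique
    # SSID defeats tables precomputed for common network names.
    print("Other SSID gives a different PMK:", pmk != wpa2_psk_pmk("password", "MyHomeWiFi"))

    RATE = 1_000_000          # assumed guesses per second, illustration only
    YEAR = 365 * 24 * 3600
    for label, size, length in [("8 digits", 10, 8),
                                ("8 lowercase letters", 26, 8),
                                ("12 letters and digits", 62, 12)]:
        secs = crack_time_seconds(size, length, RATE)
        print(f"{label:24s}: {secs / YEAR:.3g} years at {RATE:,} guesses/s")
```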

Evil Twin

An evil twin sounds exactly like what it is. This time the device user is attacked instead of the device or router. The attacker starts by creating a fake network with the same name as the target network. On the fake network, the attacker will be able to see all the traffic that goes through. The goal is to have the target connect to the fake network. To do this, the attacker performs a deauthentication attack on the real network. The victim, now without internet, tries in desperation to connect to the fake network. The problem here is that unless the password for the real network is known, the fake network will not have a password in place. If the victim is smart they will notice something is wrong and not connect to the fake network.

KRACK

KRACK stands for Key Reinstallation Attacks. Think of KRACK like an Evil Twin attack but without its problems. A KRACK attack allows the attacker to force Android and Linux devices to change their encryption keys to all zeros, making it trivial to decrypt the data sent. To perform the attack, the attacker follows similar steps to an evil twin attack. The attacker first creates a fake network, then deauthenticates the target. However, this time the fake network is encrypted, making the device think it is the correct network. When the device tries to connect, the KRACK attack is applied and the connection succeeds. The device is able to make a connection because its key was changed to all zeros. This allows the attacker to decrypt the data, as they know the key was changed to zeros.

WPS

If you thought WEP was bad enough then you haven’t seen WPS. WPS stands for WiFi Protected Setup and it is far from protected. WPS works by having the client send a preshared eight-digit PIN (digit meaning numbers only), and if the PIN is correct the router sends back the WiFi password in plaintext. If you didn’t know, an eight-digit PIN is very insecure, allowing WPS to be brute forced in just a few minutes. Some routers have restrictions in place to only allow a few tries before blocking further attempts. However, the reason WPS is worse than WEP is that it’s possible to get the PIN in as little as five seconds without going over the attempt limit. By using what is known as a pixiedust attack, an attacker can guess the PIN using the data transmitted by the router. This can be done in about two to five attempts, making pixiedust extremely potent. Luckily pixiedust only works with certain routers, but not all vulnerable routers have been discovered yet. WPS attacks can be easily mitigated by disabling WPS in the router settings.

WPA Enterprise

WPA Enterprise is different from WPA and WPA2. Instead of having a single password, WPA Enterprise asks for both a username and a password (some networks ask for a certificate, which is more secure). In theory, this should make it more secure, and in most cases it does. However, WPA Enterprise is susceptible to MANA/KARMA attacks. KARMA is similar to an evil twin attack and a KRACK attack. To start a KARMA attack, the attacker first sets up a fake WPA Enterprise network using hostapd-mana. The attacker can then wait for the device to try and change routers (most WPA Enterprise networks are mesh networks in businesses or colleges), and if the fake network is stronger than the real one the victim will connect to it. This gives the attacker the victim’s username and password hash, but the attacker can also perform a GTC downgrade attack, giving them the username and password in plaintext.

WPA3

WPA3 is the next generation of WiFi encryption. It supposedly patches all of the attacks mentioned above. It uses protected management frames to mitigate deauthentication attacks, uses the new Dragonfly handshake to prevent password cracking, and implements forward secrecy to prevent captured data from being decrypted. The biggest flaw in WPA3 is backward compatibility with WPA2 in devices. An attack known as the Dragonblood attack tricks WPA3-capable devices into downgrading to WPA2. By setting up a fake WPA2 network with the same name, the attacker makes the target device attempt to connect using the WPA2 standard. This allows the handshake for the password to be captured and cracked later. WPA3 is still rather new, so new exploits are bound to be found.

Jamming

Jamming is the most impractical WiFi attack. It works by pumping the air full of 2.4 or 5 gigahertz radio waves. This is typically done with expensive specialized equipment, and the attack hits everyone. Such attacks are made obsolete by the deauthentication attack previously mentioned, which costs much less money.

I hope that after reading this article you not only know a bit more about the holes in WiFi but also that there are patches for most of those holes. The real problem is getting people to apply those patches.

Happy Hacking~!
