
This section is organized according to each of the eight known WLAN attack categories [3][10]:

2.4.1 WarDriving

Fig. 4 Wardriving map of Taipei City

The term “Wardriving” was first coined by Pete Shipley [28]. It is the act of scanning for unsecured wireless networks with a mobile device and tools (e.g. NetStumbler and MACStumbler) that detect AP signals while driving around in a vehicle. At the same time, a GPS (Global Positioning System) device maps out the potential attack points (the APs’ coordinates). Threats that follow from wardriving include unauthorized network access, packet sniffing, virus implanting, jamming, etc.

2.4.2 Encryption attacks

As mentioned earlier, 802.11 uses WEP to improve WLAN security. WEP is based on the RC4 algorithm and serves to encrypt data. However, it has recently been found ineffective because skilled hackers can deduce the WEP key by collecting packets that together reveal traits of the key.

Fig. 5 Screenshot of the AirSnort WEP-cracking tool

2.4.3 Interception and unauthorized monitoring of wireless traffic

As in wired networks, it is possible to intercept and monitor network traffic across a wireless LAN. The attacker needs to be within range of an access point (approximately 300 feet for 802.11b) for this attack to work, whereas a wired attacker can be anywhere there is a functioning network connection.

Wireless Packet Analysis: a skilled attacker captures wireless traffic using techniques similar to those employed on wired networks. Many of these tools capture the first part of the connection session, which usually includes authentication data. An intruder can then access the WLAN and issue unauthorized commands in the name of the victim.

Broadcast Monitoring: from time to time, an inappropriate topology significantly weakens WLAN security. If an access point is connected to a hub rather than a switch, all network traffic across that hub is broadcast out over the wireless network. In other words, an attacker, as one of the recipients, would be able to obtain sensitive data without even trying.

Access Point Clone (Evil Twin) Traffic Interception: an attacker deceives legitimate wireless clients into connecting to the attacker’s fake AP, which offers a stronger signal in close proximity to the wireless clients. Users attempt to log into the substitute servers and unknowingly give away passwords and similar sensitive data.

2.4.4 Brute force attacks against access point passwords

Most access points use a single key or password that is shared with all connecting wireless clients. Brute force dictionary attacks attempt to compromise this key by methodically testing every possible password. The intruder gains access to the access point once the password is guessed.

In addition, passwords can be compromised through less aggressive means. A compromised client can expose the access point. Not changing the keys on a frequent basis or when employees leave the organization also opens the access point to attack.

Managing a large number of access points and clients only complicates this issue, encouraging lax security practices.

2.4.5 Insertion attacks

Insertion attacks are based on deploying unauthorized devices or creating new wireless networks without going through the security process and review.

Unauthorized Clients: this occurs when an attacker tries to connect a wireless client to an access point without authorization. Since a WLAN does not constrain users to physical connection ports, users are able to access the AP from anywhere when its security setting is switched off.

Unauthorized or Renegade Access Points: An organization may not be aware that internal employees have deployed wireless capabilities on their network. This lack of awareness could lead to the previously described attack, with unauthorized clients gaining access to corporate resources. Organizations need to implement policy to ensure secure configuration of access points, plus an ongoing process in which the network is scanned for the presence of unauthorized devices.
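As an added example that is not part of the paper, the following Python sketch implements the scan-and-compare process described above, covering both the evil-twin case (2.4.3) and renegade access points (2.4.5): each scanned AP is checked against an inventory of sanctioned BSSIDs. The inventory, the corporate SSID and the scan entries are constructed placeholders, and the finding labels are the example's own.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned APs (hypothetical BSSIDs, lower-case keys).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CORP-WLAN", "channel": 1},
    "00:11:22:33:44:02": {"ssid": "CORP-WLAN", "channel": 6},
    "00:11:22:33:44:03": {"ssid": "CORP-WLAN", "channel": 11},
}
CORPORATE_SSIDS = {"CORP-WLAN"}
WEAK = ("OPEN", "WEP")  # no encryption, or WEP as discussed in 2.4.2


@dataclass
class ScanEntry:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    encryption: str  # e.g. "WPA2", "WEP", "OPEN"


def classify_scan(entries, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS):
    """Return (bssid, finding) pairs for every scanned AP that needs attention."""
    findings = []
    for e in entries:
        bssid = e.bssid.lower()
        known = authorized.get(bssid)
        if known is None:
            if e.ssid in corp_ssids:
                # Unknown radio advertising our SSID: evil-twin candidate (2.4.3).
                findings.append((bssid, "evil-twin-candidate"))
            elif e.encryption in WEAK:
                # Unknown AP on weak/no encryption: typical employee-installed AP (2.4.5).
                findings.append((bssid, "unauthorized-ap-weak-encryption"))
            else:
                findings.append((bssid, "unauthorized-ap"))
        else:
            # Sanctioned radio, but its advertised settings drifted from the inventory.
            if known["ssid"] != e.ssid or known["channel"] != e.channel:
                findings.append((bssid, "inventory-mismatch"))
            if e.encryption in WEAK:
                findings.append((bssid, "weak-encryption"))  # misconfiguration (2.4.8)
    return findings


# Constructed scan results, as a site survey tool would report them.
SAMPLE_SCAN = [
    ScanEntry("00:11:22:33:44:01", "CORP-WLAN", 1, -45, "WPA2"),
    ScanEntry("00:11:22:33:44:02", "CORP-WLAN", 6, -60, "WPA2"),
    ScanEntry("AA:BB:CC:DD:EE:FF", "CORP-WLAN", 6, -30, "WPA2"),  # strong, unknown radio
    ScanEntry("DE:AD:BE:EF:00:01", "linksys", 11, -70, "OPEN"),   # default-settings AP
    ScanEntry("00:11:22:33:44:03", "CORP-WLAN", 11, -55, "WEP"),  # sanctioned AP on WEP
]
```

Running `classify_scan(SAMPLE_SCAN)` flags the unknown radio using the corporate SSID, the open default-settings AP, and the sanctioned AP that has fallen back to WEP, while the two correctly configured APs produce no finding.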

2.4.6 Jamming

Jamming is considered to be a type of denial of service on a WLAN. A traditional DoS attacker floods the target with a tremendous amount of bogus traffic to bring down its performance and keep it from operating normally. Jamming occurs when WLAN hackers corrupt the signal, using certain equipment and tools to flood the 2.4 GHz frequency, until the wireless network ceases to function.

In addition, any devices that operate on the 2.4 GHz band can disrupt a wireless network using this frequency. These denials of service can originate from outside the work area serviced by the access point, or can inadvertently arrive from other 802.11b devices installed in other work areas that degrade the overall signal.

2.4.7 Client-to-Client attacks

Two wireless clients can communicate directly to each other, bypassing the access point. Users therefore need to defend clients not just against an external threat but also against each other.

Wireless clients running TCP/IP services such as a Web server or file sharing are open to the same exploits and misconfigurations as any host on a wired network. A wireless device can flood other wireless clients with bogus packets, creating a denial of service attack. In addition, duplicate IP or MAC addresses, both intentional and accidental, can cause disruption on the network.

2.4.8 Misconfigurations

Occasionally, negligence is the main cause of a compromise. Many people take convenience for granted and deploy a WLAN without taking security into account. For instance, organizations tend to keep the default settings. Also, an administrator needs to configure each individual AP based on its physical location and purpose.
