Week 11 – Update from Unit Coordinator
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 10 – Update from Unit Coordinator

OnTrack: Extension Request
• Please do not abuse the support provided in this unit.
• E.g., “I have other assignments”, “I need more time”, “I started the task last night”…
OnTrack updates
• Check your OnTrack account regularly.
OnTrack: Portfolio Submission
This is a simple process that you will need to complete by 26 September 2021 11:59 PM after having completed all tasks for your target grade.
NOTE: before you submit Task 11.1P, wait for the feedback on the other submitted tasks. All the submitted tasks should be marked as complete before you submit task 11.1P.
Final Exam – Hurdle, 20% (Updated due to COVID-19 crisis)
• Held during the day and time specified on the examination timetable
• Online exam through the Unit Site
• Open book
• Short answer + scenarios covering the Pass-level tasks and lecture content
• Advice on how to best prepare in Week 12’s lecture
Week 10

Wireless Network Security: An Overview
Wireless Networking Components
• Endpoint (or client): mobile phones, tablets, laptops, wireless sensors, Bluetooth devices
• Access point: cell towers, Wi-Fi hotspots, wireless access points to a wired LAN/WAN
• Wireless medium: the transmission medium
Understanding the terminology: Wireless vs WLAN vs WiFi
Wireless Communications
• Transmission of data without the use of wires
• Ranges from a few cm to several km
• The US Federal Communications Commission (FCC) regulates the use of the radio spectrum
• 9 kHz to 300 GHz – https://en.wikipedia.org/wiki/Radio_spectrum
• The Australian Communications and Media Authority (ACMA) performs the same role in Australia.
• Parts of the radio spectrum are allocated for different applications
• Some parts are sold or licensed to operators
• Some parts are free
Wireless Communications
The laws of radio dynamics:
• Higher frequency radios = higher data rates = shorter transmission range
• Higher power output = increased range, but lower battery life
Advantages & Disadvantages
• Makes communication possible where cables do not reach (or are costly to reach ☺)
• Convenient and efficient
• The air medium is open to everyone
• The boundaries of a transmission cannot be confined (shared and unbounded medium of transmission)
• WLANs are now expected in many locations such as office buildings, hotels, airports, etc. (now even on planes)
Growth in popularity/usage = more of interest to attackers → greater risk
WLAN (Wireless Local Area Network)
[Figure: three access points, each attached to an Ethernet segment, connected to the Internet]
• AP: Access Point
• All wireless LANs operate on the Physical and Data Link layers of the OSI model (i.e., layers 1 and 2).
• All Wi-Fi systems use these layers to format data and control the data to conform with IEEE 802.11 standards.
• Wi-Fi is the commercial name of the IEEE 802.11 protocol
• It is one of the most ubiquitous wireless networks
• Home networks
• Enterprise networks
• Communication is based on frames
• A frame is essentially a sequence of bits
• 802.11 defines the meaning
• Vendors implement the protocol
• 2.4 GHz and 5 GHz WiFi
• (simple comparison: https://www.howtogeek.com/222249/whats-the-difference-between-2.4-ghz-and-5-ghz-wi-fi-and-which-should-you-use/ )
• Range depends on transmission power, antenna type, the country, and the environment
WiFi (802.11)
https://www.howtogeek.com/222249/whats-the-difference-between-2.4-ghz-and-5-ghz-wi-fi-and-which-should-you-use/
Channels
• The equipment (e.g., a network router) can be set to only one channel at a time
• Each country has its own rules
• Allowed bandwidth
• Allowed power levels
• A stronger signal is preferred
Extra reading: https://en.wikipedia.org/wiki/ISM_band – a simplified discussion of the importance of 2.4 GHz channel planning
Basic Service Set (BSS) – Building Block of WLAN
• A BSS is the building block of a WLAN.
• A BSS consists of wireless stations (STAs) and possibly an Access Point (AP), which provides a connection onto a fixed distribution system such as an Ethernet network.
• The STAs execute the same Medium Access Control (MAC) protocol and use the AP as the interface to communicate with each other (STAs do not communicate without going through the AP).
Deployment Architectures
[Figure: Extended Service Set (ESS) / Infrastructure mode, and Independent Basic Service Set (IBSS) / P2P / Ad-hoc mode]
STA: wireless STAtion
BSS: Basic Service Set
ESS: Extended Service Set
IBSS: Independent Basic Service Set
Frame Types
• A frame is a MAC Protocol Data Unit (MPDU). MAC stands for Medium Access Control, which is one of the three layers in the IEEE 802.11 protocol stack.
• As mentioned, communication is based on frames. There are 3 types of frames:
• Management frame: management frames cover initialization, maintenance, and finalization of a connection to a wireless network.
• Control frame: used to acknowledge when data frames are received.
• Data frame: frames that contain data (i.e., used for encapsulation of information).
Beaconing
• APs advertise their presence
• Once every 100 ms
• They transmit a message of type Beacon
• It contains information such as the name of the network (SSID), MAC address, and data rates.
• All information is transmitted in cleartext.
See: https://en.wikipedia.org/wiki/Beacon_frame#/media/File:802.11_Beacon_frame.gif
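Added example (not from the slides): a small Python parser that reads the frame-control byte of an 802.11 frame to classify it as management/control/data (the three frame types above) and, for a beacon, extracts the cleartext fields just listed (BSSID, beacon interval, SSID, supported rates, channel, and the capability bit that says whether encryption is required). The beacon bytes are constructed for this example; the layout follows IEEE 802.11 (24-byte MAC header, 12 fixed bytes, then tagged information elements). No key or capture file is needed, which is the point: anything in a beacon is visible to every radio in range.

```python
import struct

# 802.11 frame-control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response", 4: "probe request",
                 5: "probe response", 8: "beacon", 10: "disassociation",
                 11: "authentication", 12: "deauthentication"}

# Constructed beacon frame (not a real capture): header + fixed fields + information elements
BEACON = bytes([
    0x80, 0x00,                          # frame control: version 0, type 0 (management), subtype 8 (beacon)
    0x00, 0x00,                          # duration
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  # addr1: receiver = broadcast
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # addr2: transmitter (the AP radio)
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # addr3: BSSID
    0x10, 0x00,                          # sequence control
    0, 0, 0, 0, 0, 0, 0, 0,              # timestamp (8 bytes)
    0x64, 0x00,                          # beacon interval: 100 TU, little-endian
    0x11, 0x04,                          # capability: ESS (bit 0) + privacy (bit 4) + short slot (bit 10)
    0x00, 15, *b"constructed-net",       # SSID element (tag 0)
    0x01, 4, 0x82, 0x84, 0x8b, 0x96,     # supported rates (tag 1): 1, 2, 5.5, 11 Mbps, all basic
    0x03, 1, 6,                          # DS parameter set (tag 3): channel 6
])

def decode_frame_control(fc0):
    """Return (type name, subtype name) for the first frame-control byte."""
    ftype = (fc0 >> 2) & 0x03
    subtype = fc0 >> 4
    tname = TYPE_NAMES.get(ftype, "reserved")
    sname = MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype)
    return tname, sname

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame):
    """Pull out the cleartext fields a passive listener sees in a beacon frame."""
    tname, sname = decode_frame_control(frame[0])
    if (tname, sname) != ("management", "beacon"):
        raise ValueError(f"not a beacon frame: {tname}/{sname}")
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon header and fixed fields")
    bssid = mac_str(frame[16:22])              # addr3 of a management frame is the BSSID
    body = frame[24:]                          # management frames have a plain 24-byte MAC header
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    info = {
        "bssid": bssid,
        "interval_ms": interval_tu * 1.024,    # 1 time unit (TU) = 1024 microseconds
        "privacy": bool(capability & 0x0010),  # capability bit 4: encryption required (WEP/WPA/WPA2)
        "ssid": None, "rates_mbps": [], "channel": None,
    }
    pos = 12                                   # tagged parameters follow the 12 fixed bytes
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        pos += 2 + length
        if tag == 0:                           # SSID
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 1:                         # supported rates: units of 500 kbps, bit 7 marks a basic rate
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
        elif tag == 3 and length == 1:         # DS parameter set: current channel
            info["channel"] = value[0]
    return info

if __name__ == "__main__":
    print(decode_frame_control(BEACON[0]))
    print(parse_beacon(BEACON))
```

The same tag-walking loop applies to probe responses (subtype 5), which carry the same fixed fields and elements, so a listener that only answers probe requests learns nothing less than one that waits for beacons.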
WEP Authentication in IEEE 802.11b
• Wired Equivalent Privacy (WEP) is a security protocol specified in IEEE 802.11b for providing a WLAN with a level of security and privacy comparable to that of a wired network.
• WEP assumes all STAs share a secret key. WEP authentication, as illustrated above, is for the STA to prove that it possesses the shared key (i.e., that it is a legitimate device).
• WEP has many weaknesses: 1) key management is not specified in the WEP standard, 2) the Initialization Vector (IV) is too small, 3) the Integrity Check Value (ICV) algorithm is not appropriate, 4) WEP’s use of RC4 (a stream cipher) is weak, and 5) authentication messages can be forged.
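Added example (not part of the original slides) putting numbers on weaknesses 2 and 4 above. The first two functions compute the birthday bound for WEP's 24-bit IV: with randomly chosen IVs, the chance that a busy AP has already repeated one is about 39% after 4,096 frames and passes 50% before 5,000 frames. The rest implements textbook RC4 and a WEP-style encryption of a frame body (per-frame key = IV || shared key; the ICV is left out) to show what an IV repeat costs: the XOR of two ciphertexts produced under the same IV equals the XOR of the two plaintexts, with no key involved. The shared key, IV and frame bodies are constructed values.

```python
IV_BITS = 24                   # WEP prepends a 24-bit IV to every frame and sends it in cleartext
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible IVs

def iv_collision_probability(frames):
    """Birthday bound: probability that at least two of `frames` randomly chosen IVs are equal."""
    p_no_collision = 1.0
    for i in range(frames):
        p_no_collision *= 1 - i / IV_SPACE
    return 1 - p_no_collision

def frames_until_collision_probability(target=0.5):
    """Smallest number of frames at which the IV collision probability reaches `target`."""
    p_no_collision, frames = 1.0, 0
    while 1 - p_no_collision < target:
        p_no_collision *= 1 - frames / IV_SPACE
        frames += 1
    return frames

def rc4_keystream(key, length):
    """Plain RC4 (key-scheduling + pseudo-random generation), the stream cipher WEP is built on."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt_body(iv, shared_key, plaintext):
    """WEP-style body encryption: per-frame RC4 key = IV || shared key. The ICV is omitted here."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def keystream_reuse_leak(c1, c2):
    """Two bodies encrypted under the same IV and key: c1 XOR c2 == p1 XOR p2. No key needed."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    print(f"P(IV repeat) after 4096 frames: {iv_collision_probability(4096):.3f}")
    print(f"frames for a 50% chance of an IV repeat: {frames_until_collision_probability()}")
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                         # constructed IV, reused below on purpose
    p1, p2 = b"GET /index.html ", b"POST /login.php "
    c1, c2 = wep_encrypt_body(iv, key, p1), wep_encrypt_body(iv, key, p2)
    print(keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))   # True
```

An AP sending 500 frames per second exhausts the IV space in under ten hours even with perfectly random IVs, and many WEP implementations simply counted upward from zero, so repeats were guaranteed after a reboot. This is why WPA's TKIP moved to a 48-bit sequence counter and why WPA2 replaced RC4 with AES.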
WPA in IEEE 802.11i
• Wi-Fi Protected Access (WPA) was developed to address the weaknesses of WEP. The latest version is WPA2.
• WPA uses the Advanced Encryption Standard (AES) – a block cipher
IEEE 802.11i Phases of Operation
[Figure: client STA – AP – Authentication Server (AS)]
1. The AP uses Beacons or Probe Responses to advertise its existence for the client STA to identify and associate with.
2. The client STA and the AS prove their identities to each other through the AP. The AP is not involved in the authentication, but simply passes frames.
3. The AP and the client STA perform operations to cause the key to be generated and distributed to both sides.
4. Data frames are exchanged between the client STA and the server STA through the AP. Encryption is applied to the data transfer between the client and the AP only. So the security is not end-to-end.
5. At the end of the communication, the secure connection between the client and the AP is terminated.
Securing Wireless Networks
• Over the course of history, radio frequencies have been enormously vulnerable to eavesdropping and manipulation.
• ASSUME: everything you say on a wireless network is going to be heard and potentially manipulated by your adversaries.
802.11 Security Risks
• Unauthorized Rogue Access
• Eavesdropping
• Authentication Attacks
• Encryption Cracking
• DoS Attacks
• MAC Spoofing
• Wireless Hijacking
Unauthorized Rogue Access
• E.g., the corporate WLAN is an authorized wireless portal to network resources.
– What is there to prevent an individual from installing their own unauthorized wireless portal onto the network backbone??
– In fact, it is not uncommon for a company to have a wireless network installed and not even know about its existence!!!
Rogue access point or rogue device:
• A rogue access device is any WLAN radio that is connected to the wired infrastructure but is not under the management of the proper network administrators
• A rogue device is any unauthorized WLAN portal to network resources
Unauthorized Rogue Access
AAA Server: a server program that handles user requests for access to computer resources and, for an enterprise, provides Authentication, Authorization, and Accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate and authorize dial-in users.
LDAP Server (Lightweight Directory Access Protocol): LDAP is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
Rogue Devices
• Ad hoc wireless network (independent basic service set (IBSS)):
• Example scenario:
– An employee has a laptop or desktop plugged into the wired network via an Ethernet network card. On that same computer, the employee has a Wi-Fi radio and has set up an ad hoc Wi-Fi connection with another employee.
– An intruder might access the ad hoc wireless network and then potentially route their way to the Ethernet connection and get onto the wired network.
Rogue Devices
• Wireless printer:
– Many printers now have 802.11 radios with ad hoc mode.
• Example attack scenario:
– Attackers can connect to these printers using the printer manufacturer’s administrative tools, downloadable from the company’s website.
– Using the same tools, attackers can upload their own firmware to your printer, thus allowing them to bridge the wired and wireless connections of your printer to gain access to your wired network, without the use of an access point. [Many wireless camera security systems can be breached in a similar manner.]
Who is Responsible?
• Usually not hackers. Actually, the “trusted” individuals such as users, employees, etc.
• Rogue devices are even found in server rooms!!
• A cheap WiFi access point or router can be plugged into a live data port. The rogue access point is a potential open and unsecured gateway straight into the wired infrastructure that the company wants to protect.
• Which security principle from Week 1 does this remind you of?
Rogue Prevention
• Endpoint WLAN security software can also be installed on WLAN client devices to prevent bridging between the two radio interfaces.
• MAC address filtering
• Wired port control:
• A wired 802.1X/EAP solution is an excellent method for preventing rogue access.
• A rogue device cannot act as a wireless portal to network resources if the rogue device is plugged into a managed port that is blocking upper-layer traffic (remember Network Layers from Week 4?).
• A wireless intrusion detection/prevention system (WIDS/WIPS) is used to detect/prevent potential rogue devices.
• The most common method of rogue containment uses a known Layer 2 DoS attack against the rogue device as a countermeasure (contained, located and removed).
• WIPSs can determine that the rogue AP is connected to the wired infrastructure and may disable the managed switch port that is connected to the rogue AP (port suppression).
Eavesdropping
• WLAN communications between two 802.11 radios can be overheard by any third-party 802.11 station on the same frequency channel.
• The RF medium is half-duplex and therefore a shared medium: only one 802.11 station can transmit at any given time. However, any 802.11 radio within listening range can monitor any active 802.11 transmissions.
• WLAN communications can be monitored via two eavesdropping methods: casual eavesdropping and malicious eavesdropping
Wardriving
• Casual eavesdropping is typically considered harmless and is also often referred to as wardriving.
• Wardriving is strictly the act of looking for wireless networks, usually while in a moving vehicle using a laptop or smartphone.
• Wardriving software is known as a WLAN discovery tool.
– Purpose? As mentioned, finding open WLAN networks
– NetStumbler and Airmon-ng (part of Aircrack-ng) are among the popular tools for this (know another?)
• Wardriving is not a crime.
– Because this is an inherent and necessary function of 802.11
– The majority of wardrivers are not hackers intending harm but rather simply wireless users wanting temporary, free Internet access.
Eavesdropping: Active and Passive Scanning
Active scanning:
• The client station transmits management frames known as probe requests
• The access point then answers back with a probe response frame that basically contains all of the same Layer 2 information that can be found in a beacon frame
Passive scanning:
• The client station listens for 802.11 beacon management frames that are continuously sent by the access points.
Eavesdropping: Active Scanning
– The client station transmits management frames known as probe requests
– The access point then answers back with a probe response frame that basically contains all of the same Layer 2 information that can be found in a beacon frame
– Remember what a beacon frame includes? (see the slide titled Beaconing)
– This information may be used as part of an attack against the access point or users connected to it.
Malicious Eavesdropping
• Unauthorized use of protocol analysers (e.g., Wireshark) to capture wireless communications is typically considered illegal. (Remember Task 1.4P)
• A protocol analyser can also be used as a malicious listening device for unauthorized monitoring of 802.11 frame exchanges.
• Most countries have laws making it illegal to listen in on any type of electromagnetic communications, including 802.11 wireless transmissions.
Do you think WIDS/WIPS will be able to detect a protocol analyser used in malicious eavesdropping? Why?
Eavesdropping Risks
Eavesdropping Prevention
• To protect your information: encryption
– Encryption provides the data privacy necessary to protect the upper-layer payload of 802.11 data frames (layers 3-7).
• To prevent anyone other than the intended recipients from hearing your transmissions:
– RF shielding to stop transmissions from exiting or entering your building
o Mylar films can be placed on all of your windows → stopping signals
o Special paint or wallpapers to create a Faraday cage
▪ A Faraday cage is an enclosure made of a wire mesh or other conductive material to contain electric fields such as RF signals. Faraday shields can be built into the walls of buildings, but the construction costs are very high.
• There is virtually no way to protect layer 1 and 2 data from eavesdropping
– To prevent some Layer 2 wired leakage, it is highly recommended that you disable Layer 2 discovery protocols.
[Figure: Faraday cage for a smart meter!]
DoS Attack Against WLAN
• A DoS attack against a WLAN (client or station) is an attack that effectively disables the WLAN.
• For mission-critical systems, this is a serious security concern. If the WLAN goes down, any application or network resource being accessed through the WLAN is no longer available.
• DoS attacks can be targeted against the entire WLAN or can be targeted against individual access points or individual WLAN clients.
Layer 2 DoS Attack
• A wide variety of Layer 2 DoS attacks exist that are a result of tampering with 802.11 frames and retransmitting them into the air. The most common involves spoofing disassociation or deauthentication management frames.
• An 802.11 deauthentication frame is a notification and not a request.
• If a station wants to deauthenticate from an AP, or an AP wants to deauthenticate from stations, either device can send a deauthentication frame.
• Because authentication is a prerequisite for association, a deauthentication frame will automatically cause a disassociation to occur.
• Deauthentication frames can easily be spoofed.
• A deauthentication attack can be launched against a single device or multiple devices.
Spoofing deauthentication frames
• An attacker simply observes the MAC addresses of client stations and access points using a protocol analyzer.
• The attacker then uses a hex editor to edit a previously captured deauthentication frame.
• The attacker then retransmits the spoofed deauthentication frame repeatedly.
• The station that receives the spoofed deauthentication frame thinks it is coming from another legitimate station and disconnects at Layer 2.
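Added example (not from the slides) from the defender's side: a WIDS-style detector that flags the deauthentication flood just described. Because the spoofed frames carry the AP's own transmitter address, the address cannot separate them from a genuine deauthentication; what gives them away is rate, so the detector keeps a sliding window of deauth/disassoc frames per transmitter and raises an alert when the count crosses a threshold. The frame log (timestamp, subtype, transmitter, receiver), the MAC addresses and the threshold values are all constructed for this example.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"        # constructed BSSID of the legitimate AP
CLIENT = "66:77:88:99:aa:bb"    # constructed client station

# Constructed sensor log: (time_s, subtype, transmitter, receiver). The burst at t=5.0 is what a
# replayed, edited deauthentication frame looks like: the AP's address as transmitter, sent to all.
CONSTRUCTED_FRAMES = (
    [(t / 10, "beacon", AP, BROADCAST) for t in range(100)]                      # beacons every 100 ms
    + [(3.2, "deauthentication", AP, CLIENT)]                                      # one genuine deauth
    + [(5.0 + i * 0.005, "deauthentication", AP, BROADCAST) for i in range(12)]  # 12 frames in 55 ms
)

def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Alert on any transmitter that sends >= threshold deauth/disassoc frames within window_s seconds."""
    recent = defaultdict(deque)   # transmitter -> timestamps of its deauth/disassoc frames in the window
    alerted = set()
    alerts = []
    for t, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauthentication", "disassociation"):
            continue              # beacons, data and the rest do not count toward the rate
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:   # drop frames that have fallen out of the sliding window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)      # one alert per transmitter per flood, not one per frame
            alerts.append({"transmitter": src, "count": len(q),
                           "window_start": q[0], "window_end": t,
                           "broadcast": dst == BROADCAST})
    return alerts

if __name__ == "__main__":
    for alert in detect_deauth_floods(CONSTRUCTED_FRAMES):
        print(f"deauth flood from {alert['transmitter']}: {alert['count']} frames "
              f"between t={alert['window_start']:.3f}s and t={alert['window_end']:.3f}s "
              f"(broadcast={alert['broadcast']})")
```

The single deauthentication at t=3.2 s never trips the detector, which is the behaviour you want: APs do deauthenticate clients for legitimate reasons, and a threshold on rate rather than on presence keeps those out of the alert queue. The lasting fix is 802.11w (protected management frames), which authenticates deauthentication frames so a replayed copy is discarded by the client.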
MAC Spoofing
Remember MAC addresses from Week 4?
• MAC filters are configured to apply restrictions that will allow traffic only from specific client stations to pass through. These restrictions are based on their unique MAC addresses.
• E.g., MAC spoofing can often be achieved in the Windows operating system by simply editing the wireless card’s MAC address in Device Manager (or by editing the registry)
MAC Spoofing
• One place where a MAC spoofing attack is still used with great effect is at public-access WLAN hotspots.
• A MAC piggy-backing attack circumvents the hotspot captive portal login requirements.
• Captive portal authentication solutions are usually the only security provided for public-access WLANs and hotspots
• A WLAN protocol analyser is used to determine which stations are passing data frames through the AP, indicating the captive portal has approved their MAC addresses to do so.
• Then the attacker clones the MAC address of a station passing data through the AP onto their wireless card. The attacker can then connect to the AP and pass data as well because the AP and its captive portal believe the attacker is an approved device.
Wireless Hijacking
Wireless hijacking is better known as the evil twin attack.
• The attacker configures an AP on a laptop, effectively turning a Wi-Fi client card into an access point (AP).
• The AP on the attacker’s laptop is configured with the same SSID that is used by a public-access hotspot (an evil twin AP).
• The attacker then sends spoofed disassociation or deauthentication frames, forcing client stations associated with the hotspot access point to roam to the evil twin access point (i.e., the attacker has effectively hijacked wireless clients at layer 2).
• The evil twin AP will typically be configured with a Dynamic Host Configuration Protocol (DHCP) server available to issue IP addresses to the clients (i.e., the attacker will have hijacked the client stations at layer 3).
– E.g., during the process of connecting to the evil twin, clients may fall victim to the DHCP attack, an attack that exploits the DHCP process to dump rootkits or other malware onto the victim’s computer in addition to giving them an IP address as expected.
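Added example (not from the slides) covering both the WIDS/WIPS steps under Rogue Prevention and the evil twin above: given the controller's inventory of authorized SSID/BSSID pairs, the MAC-address table of the managed switches, and the beacons a sensor has seen, classify each AP as authorized, evil twin (our SSID advertised by a radio we do not manage), rogue on the wire (an unknown radio whose address appears on a managed switch port, the case for port suppression), or a neighbour that is nobody's problem. The inventory, the MAC table and the beacon observations are all constructed.

```python
# Constructed inventory from the WLAN controller: SSID -> set of managed BSSIDs.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:66"}}

# Constructed wired-side evidence: the managed switches' MAC-address table, mac -> port.
WIRED_MAC_TABLE = {"aa:bb:cc:dd:ee:ff": "sw1/Gi1/0/7", "00:11:22:33:44:55": "sw1/Gi1/0/1"}

# Constructed WIDS sensor observations: (bssid, ssid, channel, privacy bit from the beacon).
OBSERVED_BEACONS = [
    ("00:11:22:33:44:55", "CorpWiFi", 6, True),
    ("de:ad:be:ef:00:01", "CorpWiFi", 11, False),      # our SSID, unknown radio, no encryption
    ("00:11:22:33:44:66", "CorpWiFi", 1, True),
    ("aa:bb:cc:dd:ee:ff", "Printer-Setup", 6, False),  # unknown SSID, and the MAC is on a switch port
    ("12:34:56:78:9a:bc", "CafeNextDoor", 1, True),    # unknown SSID, not on our wire
]

def classify_access_points(observed, authorized, wired_mac_table):
    """Return one finding per observed AP with a verdict and, for rogues on the wire, the port."""
    authorized_bssids = {b for bssids in authorized.values() for b in bssids}
    findings = []
    for bssid, ssid, channel, privacy in observed:
        finding = {"bssid": bssid, "ssid": ssid, "channel": channel, "privacy": privacy}
        if bssid in authorized.get(ssid, set()):
            finding["verdict"] = "authorized"
        elif ssid in authorized:
            finding["verdict"] = "evil twin"        # a managed SSID from a radio we do not manage
        elif bssid in wired_mac_table:
            finding["verdict"] = "rogue on wire"    # unknown AP plugged into our infrastructure
            finding["port"] = wired_mac_table[bssid]
        elif bssid in authorized_bssids:
            finding["verdict"] = "misconfigured"    # our radio announcing an SSID not in inventory
        else:
            finding["verdict"] = "neighbour"        # someone else's network, not on our wire
        findings.append(finding)
    return findings

def ports_to_suppress(findings):
    """Switch ports a WIPS would shut down (port suppression) for rogues confirmed on the wire."""
    return sorted(f["port"] for f in findings if f["verdict"] == "rogue on wire")

if __name__ == "__main__":
    findings = classify_access_points(OBSERVED_BEACONS, AUTHORIZED, WIRED_MAC_TABLE)
    for f in findings:
        print(f"{f['bssid']}  {f['ssid']:<14} ch{f['channel']:<3} privacy={str(f['privacy']):<5} -> {f['verdict']}")
    print("ports to suppress:", ports_to_suppress(findings))
```

Two caveats on the wired correlation: commercial WIPS products match more loosely than an exact BSSID lookup (the wired MAC of an AP usually differs from its BSSIDs by a small offset, so they compare address neighbourhoods or inject marker traffic), and an evil twin at a public hotspot will not show up on your wire at all, which is why the SSID/BSSID inventory check runs before the wired check rather than instead of it.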
Wireless Hijacking
• The attacker may also be using a second wireless card to perform a man-in-the-middle (MITM) attack:
– The second WLAN card is associated with the original access point as a client (i.e., bridged)
– The traffic is then routed from the evil twin AP through the second Wi-Fi card, right back to the original access point from which the users have just been hijacked.
• The attacker can therefore sit in the middle and execute peer-to-peer attacks indefinitely while remaining completely unnoticed.
Not just WiFi
[Figure: regional, metropolitan-area, campus-based and in-house networks, with vertical and horizontal handover between them]
• Integration of heterogeneous fixed and mobile networks with varying transmission characteristics
Not just WiFi – Vehicular Ad hoc NETwork (VANET)
[Figure: roadside base station, inter-vehicle communications, vehicle-to-roadside communications, emergency event]
• Communication: typically over Dedicated Short Range Communications (DSRC) (5.9 GHz)
• IEEE 802.11p: applications such as toll collection, vehicle safety services, and commerce transactions via cars
Why Vehicular communication?
• Combat the awful side-effects of road traffic
• In the EU, around 40,000 people die yearly on the roads; more than 1.5 million are injured
• Traffic jams generate a tremendous waste of time and of fuel
• Most of these problems can be solved by providing appropriate information to the driver or to the vehicle
Security Challenges of VANET
• Bogus traffic information
• Disruption of road network/traffic movement
• Cheating with identity, speed, location
• Jamming
• Location/privacy issues
• Security requirements: sender authentication, verification of data consistency, availability, non-repudiation, privacy, real-time constraints
Not just WiFi – 802.15: Personal Area Network (PAN)
• less than 10 m diameter
• replacement for cables (mouse, keyboard, headphones)
• ad hoc: no infrastructure
• master/slaves: slaves request permission to send (to the master); the master grants requests
• 802.15: evolved from the Bluetooth specification
• 2.4-2.5 GHz radio band
• up to 721 kbps
[Figure: piconet within the master’s radius of coverage – M: master device, S: slave device, P: parked device (inactive)]
Internet of Things (IoT)
Prediction by Statista: the number of IoT devices will exceed 75 billion by the year 2025

What does Internet of Things (IoT) involve?
Information a Hacker could obtain from an IoT device
[Figure: e.g., usage patterns]
Security of Internet of Things (IoT)
• The Guardian, 26 October 2016: DDoS attack on Dyn by the Mirai botnet – https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
• The Guardian reported on 01/28/2018: “Fitness tracking app Strava gives away location of secret US army bases”
• Smart Toy: Best Inventions 2015 by TIME Magazine hacked. Junia Valente et al, “Security & Privacy in Smart Toys”, IoT S&P@CCS 2017: 19-24
Security of Internet of Things (IoT)
James R. Clapper, ex-Director of National Intelligence, Feb 9, 2016: ”America’s greatest threat is the Internet of Things”
http://www.popsci.com/clapper-americas-greatest-threat-is-internet-things
Key IoT Security Challenges
• Low powered: limited computing capabilities mean difficulty implementing security controls (e.g., encryption).
• Standards and regulation: lack of government regulation and standards means most are not designed with security in mind.
• Lifecycle management: keeping devices up to date is not something that is currently well managed, leading to security vulnerabilities potentially remaining unpatched indefinitely.
• Transport protocols: the sheer number of emerging connection protocols makes them difficult to manage and secure.
• Physical access: devices are increasingly unlikely to be located in physically secure sites, significantly increasing the opportunities for attackers to compromise their integrity.
• Number of devices: IoT deployments are largely uncontrolled environments (in the context of security) where the number of devices grows exponentially, making it extremely challenging for cyber security teams to govern and manage.
• Availability and continuity: devices are often designed without alternate options to maintain availability of both functionality and connectivity in the event of failure.
Six Principles of IoT Security Architecture
Further Reading
• More about IoT security: http://www.iiconsortium.org/IISF.htm
• [Chapter 21] Introduction to Computer Networks and Cybersecurity, Wu/Irwin
• [Chapter 8] Coleman, David D., et al. CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204. John Wiley & Sons, 2010.
Acknowledgement
Acknowledging the kind support and contribution of: Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay Jha (The University of New South Wales, Australia), and Dr. Nicolas Courtois (University College London, UK).