Hello aspiring ethical hackers. In this article, you will get a deep understanding of Wireless security. In our previous articles, readers have learnt how to crack WEP, WPA, WPS. This article is like a prequel to those articles. Before going deep into understanding wireless security, let us give you a brief history into Wi – Fi.
History of Wi-Fi
Wi-Fi is the name given to a family of wireless network protocols, based on the IEEE 802.11 family of standards. These are commonly used for local area networking of devices and also for Internet access. Simply put, this allows nearby digital devices to exchange data using radio waves. No need to mention what these devices are.
The beginning of Wi – Fi happened in the form of ALOHAnet which successfully connected the Great Hawaiian Islands with a UHF wireless packet network in 1971. ALOHA net and the ALOHA protocol in fact were precursors of Ethernet and 802.11 protocols.
After another 14 years, in 1985 a ruling by the U.S. Federal Communications Commission released the band for unlicensed use. These frequency bands are the 2.4 gigahertz (120 mm) UHF and 5 gigahertz (60 mm) SHF radio bands. These frequency bands are the same ones used by equipment such as microwave ovens, wireless devices etc.
The first version of the 802.11 protocol was released in year 1997 and provided speed up to 2 Mbit/s. The 802.1a came as an improvement over the original standard. It operates in 5 GHz band, uses a 52-subcarrier orthogonal frequency-division multiplexing (OFDM) and has speed of mid 20 Mbit/s. This was replaced with 802.11b protocol in 1999 and this had 11 Mbit/s speed. It is this protocol that would eventually make Wi -Fi popular.
In the same year, a non-profit association named Wi-Fi Alliance was formed which restricted the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing. By 2017, the Wi-Fi Alliance had more than 800 companies from around the world and shipped over 3.05 billion Wi-Fi enabled devices by year 2019.
The first devices to use Wi-Fi connectivity were made by Apple which adopted this option in their laptops. 802.11g was adopted to the 802.11 specification in year 2003. It operated in the 2.4 GHz microwave band and provided speed upto 11 Mbit/s. Another standard was adopted in year 2008, named 802.11n which operated in both 2.4 and 5 GHz and had a linkrates 72 to 600 Mbit/s. This standard was also known as WI-Fi 4.
Similarly, 802.11ac, 802.11ax and standards were also adopted later which further improved speed and performance of Wi -Fi. Now, let us learn about some terms that frequently occur regarding wireless.
Terminology Of Wi-Fi
Wireless Access Point (WAP): A Wireless Access Point (WAP), commonly known as Access Point (AP) is a networking hardware device that allows other Wi-Fi devices to connect to it. This Access Point allows wireless devices to connect to wired devices and generally provides internet. Mostly the Access Point is a Wi -Fi Router.
Wireless Client: A Wireless Device that connects to the Wireless Access Point to access internet is known as a Wireless Client. Ex : all the devices that connect to a Wi- Fi Router.
Wireless Local Area Network (WLAN) : The Computer Network comprising of the Wireless Access Point and two or more Wireless Clients is known as Wireless Local Area Network. This is a LAN but without wires.
Service Set Identifier (SSID) : A Service Set Identifier (SSID) is the name of the Wireless network. Normally, it is broadcast in the clear by Wireless Access Points in beacon packets to announce the presence of a Wi -Fi network. The SSIDs can be up to 32 octets (32 bytes) long. For example, SSID in our first wireless hacking article is “Hack_Me_If_You_Can”.
Extended Service Set Identifier (ESSID): An Extended Service Set Identifier (ESSID) is a wireless network created by multiple access points. This is useful in providing wireless coverage in a large building or area in which a single Access Point (AP) is not enough. However, this appears as a single seamless network to users. The name is same as SSID.
Basic Service Set Identifier (BSSSID): Previously our readers learnt that every hardware device in computing is hardcoded with a MAC Address. A BSSID is the MAC address of the Access Point.
Channels: Readers have learnt that Wi- Fi operates in the frequency range of 2.5GHz and 5GHz. These frequency bands are divided into smaller frequency bands which are known as channels. Usually, these channels are of width 20MHz. The 2.5 GHz range is divided into 14 channels each spaced 5Mhz apart to avoid interference and disturbance. Similarly, The 5GHz band is divided into 24 channels.
In our First wireless hacking attack, the channel of our Access Point is 1.
Beacons: Beacons are one of the management frames in IEEE 802.11 based WLANs. A Beacon Frame contains all the information about the network and is transmitted periodically to announce the presence of a wireless LAN and to synchronize the members of the WLAN.
Signal Strength : Wi-Fi signal strength refers to the strength of the Wi-Fi network connection. The correct way to express Wi-Fi signal strength is mW but it is also very complex. So for simplicity, the signal strength is expressed in as dBm, which stands for decibels relative to a milliwatt.
dBm works in negatives. For example, change the values here. -34 is a higher signal than -64 or -94 because -80 is a much lower number.
Data: Data needs no explanation.
Encryption: Encryption refers to the Wi fi Encryption protocol used for security. There are three types of wireless encryption protocols at present. Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access Version 2 (WPA2). More about them soon.
Authentication: The authentication method used by wireless clients to authenticate with wireless access point. More about it soon too.
Cipher : Ciphers are standard security. ciphers are part of Wi-FI security to enhance the security of wireless networks. Example WPA can use either CCMP or TKIP ciphers.
Wardriving: Wardriving is the act of searching for wireless networks while moving on a vehicle using a Wi – Fi enabled device like laptop or a smart phone. The term War driving originated from the term wardialing, the method which was popularized by a character played by Matthew Broderick in the film WarGames. There are other variants of Wardriving like Warbiking, Warcycling and Warwalking which are similar to wardriving but use other modes of transportation.
Wi -Fi Security
Wired Equivalent Privacy: Wired Equivalent Privacy (WEP) is the first security algorithm for IEEE 802.11 wireless networks that was introduced as part of the original 802.11 standard ratified in 1997. As its name implies, the intention was to provide data confidentiality equivalent to that of a traditional wired network. WEP was the only encryption protocol available to 802.11a and 802.11b devices as these were built before the WPA standard was released. WEP was ratified as a Wi-Fi security standard in 1999. The first versions of WEP used only 64-bit encryption as U.S.A restricted export of cryptographic technology.
WEP uses the Rivest Cipher 4 (RC4) for confidentiality and the Cyclic Redundancy Check (CRC) 32 checksum for integrity. RC4 is a stream cipher known for simplicity and speed.
Standard 64-bit WEP uses a 40 bit key which is concatenated with a 24-bit initialization vector (IV, remember something) to form the RC4 key. A 64-bit WEP key usually has a string of 10 hexadecimal (base 16) characters (0–9 and A–F). See Image below.
Each character in the key represents 4 bits. 10 digits of these 4 bits each give 40 bits. When we add 24-bit Initialization Vector to this 40 bits, complete 64-bit WEP key is produced. Some devices also allow the user to enter the key as 5 ASCII characters (0–9, a–z, A–Z), each of which is turned into 8 bits using the character’s byte value in ASCII. However, this restricts each byte to be a printable ASCII character, which is only a small fraction of possible byte values, greatly reducing the possible keys. After USA lifted restrictions on export of cryptographic technology, 128bit WEP key came into existence.
Each digit is of 4 bits. 26 digits of these 4 bits each give 104 bits. When we add a 24-bit IV to this 104 bits produced the complete 128-bit WEP key. Most devices allowed the user to enter 13 ASCII characters as WEP key.
Although some vendors made 152-bit and 256-bit WEP systems also available, 128 bit WEP was widely used.
Authentication System of WEP
WEP uses two methods of authentication.
1. Open System authentication
2. Shared Key authentication.
1. Open System Authentication
In Open System authentication, the WLAN client that wants to connect to a Access Point doesn’t need any credentials during authentication. Simply put, no authentication occurs. Subsequently, WEP keys are used for encrypting data frames. At this point, the client needs to have correct WEP key.
2. Shared Key Authentication
In Shared key authentication, authentication takes place in a four-step challenge-response handshake :
Step 1: The client sends an authentication request to the Access Point.
Step 2: The Access Point replies with a clear-text challenge.
Step 3: The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request.
Step 4: The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.
After the authentication and association is successful, the pre-shared WEP key is also used for encrypting the data frames using RC4. Although Shared Key Authentication appears secure than Open System Authentication, it is actually vice versa.
Weak Security Of WEP
WEP uses RC4 which is a stream cipher. Hence the same traffic key cannot be used twice. It is due to this purpose that WEP uses Initialization Vectors (IVs). But the problem is WEP uses 24 bit IVs for both 64 bit and 128 bit key. This 24bit IV is not long enough to ensure non-repetition on a busy network. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5,000 packet -s. So WEP key in a busy network can be easily cracked since it has lot of traffic.
Attackers can even create fake connections ( to generate more traffic and then crack the WEP key. As we have seen in this article, the more IVs we captured the faster it is to crack WEP and it usually takes only minutes to crack the WEP key with besside-ng tool. That’s all in our Part 1 of Understanding wireless security. In Part 2 of this article, readers will learn about WPA / WPA2.