Wi-Fi and OPSec

Posted by: c3lt1c

September 1, 2015

It would be reasonable to assume that the vast majority of home internet users have some kind of wireless access for their network of computers, tablets, printers, TVs, etc. In the past, wireless was seen as a convenient yet risky solution for larger corporations and government entities – when weighing accessibility against security, the former would most definitely win any given battle. As network technologies bring advancement to the common workplace, it appears that accessibility may have won the war. That’s not true – instead we could say that a ceasefire has been drafted. It’s becoming more and more possible to provide accessibility AND security.

Let’s take a look at the original wireless infrastructures: most began as completely insecure, wide-open systems whose role was literally to provide Layer 2 wireless access to a network and nothing else. If you wanted security, you were forced to implement some third-party policing of already connected clients – this was less than ideal, since physically gaining access to an inside network is probably the hardest task that attackers undertake. Then WEP was provided, which was a bit better – let’s face it: something is better than nothing. The problem with WEP was that it necessitated passwords to be transmitted in plain text; easy pickings for anyone monitoring the frequency.

First, I want to say that wireless is not really the best option when wired is available (especially when lurking on the DarkNet). There is an exception to this: if you are out in public making an effort not to use TOR from home, then this risk can be well worth it; however, you should be using a VPN as well as TOR when using wireless in public or at home. By design, wireless is much more susceptible to infiltration. To infiltrate wireless traffic you need to be in range and have the capability to listen, collect and eventually decrypt that traffic. The following figures depict the basic steps that can be used, by neighbors, war-drivers or anyone else, to infiltrate a wireless network:

FIGURE 1A – STEP 1: By broadcasting your SSID, you’re letting the world know that you have a wireless network, and this is its name

FIGURE 1B – STEP 2: Once an attacker targets your SSID they can inject data which severs your connection to the wireless access point. By doing this an attacker knows that you will either manually re-authenticate within a few minutes or else your PC will do this automatically within seconds. The attacker will be simultaneously listening for this while severing the connection.

FIGURE 1C – STEP 3: The attacker will leave this monitoring session going for a short time, or perhaps a long time, to ensure that they capture the required 4-way handshake. Attackers can periodically check the still-growing pcap files for the 4-way handshake using Wireshark.

FIGURE 1D – STEP 4: Once the attacker has your 4-way handshake the real work begins. Although your key has been collected, it has been encrypted. When using WPA2 (recommended) your key has been encrypted using a hash that takes many things into consideration, such as your SSID name, key length and key complexity.

FIGURE 1E – STEP 5: In the days of WEP a brute-force dictionary attack was often all it took to crack a password; but with the new complexities inherent in WPA & WPA2, crackers are finding quicker and more sophisticated ways to crack more sophisticated encryption. One popular method is Rainbow Tables – rather than parsing the characters while cracking, Rainbow Tables can be pre-built based on letters, numbers, uppercase, lowercase and length (among others). Crackers with powerful GPUs (video cards) are now able to harness their power and make short work of this.

As you can see, it’s not particularly hard for a knowing party to collect your encrypted pre-shared key (PSK), so it’s VERY important that you use a long, intricate key. This will be the difference between an attacker gaining access to your network, or giving up when it’s taking too long.

For a wired connection, someone would have to physically splice into the fiber, copper, etc. to gain the same advantage. Wireless infiltration is not only dangerous because people might crack your network – an attacker or LE could perform a “Man-in-the-Middle” attack. This involves intercepting, monitoring or even changing packets sent from point A before they reach point B. So what are the dangers here? Someone might “listen in” on your traffic; or LE might set up a honeypot and pose as your destination. What if a major intelligence agency has a suspicion that you’re using DNMs and has paid to set up a site that looks and acts exactly like Agora? You’re in shit, that’s what. If they know enough they could even play Man-in-the-Middle with traffic before it even hits the internet (never mind your ingress TOR node). This is sometimes referred to as a “honeypot”. A honeypot will be used to collect data and may even be geared to catch you “in the act”. Honeypots are most often fake websites (fake servers, in reality) which mimic your destination and can come in all shapes and sizes. The same can be done with a wireless router or access point.

It’s actually quite easy to set up a wireless access point as a honeypot. First you start with some kind of custom firmware (this can be done using DD-WRT or Tomato). Someone could probably do this with the stock firmware of any wireless router, but custom firmware provides infinitely more options. That’s not to say that DD-WRT or Tomato condone or facilitate a wireless honeypot; honestly, I doubt that was ever their intention. An easy honeypot can be made by setting up a wireless device with identical settings to an adjacent network and then logging authentication attempts. Attackers will easily identify your network’s SSID and encryption/authentication methods if the target network’s SSID is broadcasting. The only thing that they won’t have is the key; and that’s precisely the point of this.

So the honeypot would have a wireless SSID using an identical SSID name, encryption and authentication methods. The TX (transmit) power might also be boosted to provide a stronger signal; which an unknowing victim might deem more attractive. “Ooh, this one has 5 bars when the other one has only 4. My router must have had an upgrade!”. Many of us tech-savvy types would know right away that something is fishy. Unless you have a wireless repeater in your home, there’s absolutely no reason you should be seeing your SSID broadcast twice – ALWAYS keep that in mind.

The aim is for the unsuspecting user to mistake the honeypot for their own wireless at some point in time. Logging would be activated and login attempts (including the password) would be logged locally on the device or directed to a syslog server. The victim, confused, will continually input the password over and over again, trying to authenticate to what they think is their network.

FIGURE 2A – Honeypot
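As an added example (mine, not part of the original post), a small audit that reads a Wi-Fi scan and applies the rule from the paragraphs above: your SSID should be seen from exactly one BSSID, and your own access point should not be advertising WPS. The scan text is constructed and modelled on the layout of `iw dev wlan0 scan` output; the SSID and MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the text layout of `iw dev wlan0 scan` (that
# layout is an assumption). Two BSSIDs carry the same SSID; the second is louder.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0) -- associated
    signal: -52.00 dBm
    SSID: WLANNET276
    WPS:     * Version: 1.0
BSS 66:77:88:99:aa:bb(on wlan0)
    signal: -38.00 dBm
    SSID: WLANNET276
BSS cc:dd:ee:ff:00:11(on wlan0)
    signal: -70.00 dBm
    SSID: CoffeeShop
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def parse_scan(text):
    """Return one dict per BSS: bssid, ssid, signal in dBm, wps flag."""
    aps = []
    for line in text.splitlines():
        m = BSS_RE.match(line)
        s = line.strip()
        if m:
            aps.append({"bssid": m.group(1).lower(), "ssid": None,
                        "signal": None, "wps": False})
        elif s.startswith("SSID: "):
            aps[-1]["ssid"] = s[len("SSID: "):]
        elif s.startswith("signal: "):
            aps[-1]["signal"] = float(s.split()[1])
        elif s.startswith("WPS:"):
            aps[-1]["wps"] = True  # AP advertises a WPS information element
    return aps

def audit(aps, my_ssid, my_bssid):
    """Warn on any other BSSID using our SSID, and on WPS still on at our AP."""
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    warnings = []
    for ap in by_ssid.get(my_ssid, []):
        if ap["bssid"] != my_bssid.lower():
            warnings.append(f"SSID {my_ssid!r} also seen from {ap['bssid']} at {ap['signal']} dBm: possible rogue twin")
        elif ap["wps"]:
            warnings.append(f"own AP {ap['bssid']} still advertises WPS")
    return warnings
```

Run it against a real scan by passing the captured text to `parse_scan` and your own SSID and router MAC to `audit`; a stronger signal from an unknown BSSID is exactly the "5 bars instead of 4" situation described above.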

So what does this mean for you and how should you protect yourself? Let’s start with some basics for wireless security – many of you might know to do these, so this is for those who do not. The first thing you want to do is tackle the “ease of use” features like WPS and SSID broadcast. WPS, which stands for Wi-Fi Protected Setup, provides an easy way for non-technical people to push a big button, produce a PIN and use said PIN to connect to wireless. I’m surprised by the number of people I visit who, when asked for the home’s wireless key, shrug their shoulders. Ok, so maybe you have a phenomenally long, intricate key and just don’t have it memorized? No, these people couldn’t even tell you where to find it and are likely still using the default password put in place by the ISP. Can anyone say Rainbow Tables? Maybe you can say it but don’t know what it is; we can get to that later. If enabled, WPS can EASILY be exploited (more easily than cracking a captured WPA key), so TURN IT OFF.

Another simple way to mitigate attacks on your wireless network: don’t let people know it’s there! Sure, if someone knows their stuff they’re going to find you either way, but if some beginner is sitting there trying to crack your WLAN using their built-in Intel interface, not broadcasting your SSID is going to make things a bit harder for them. By the way, wireless password interception doesn’t take special gear or even special skills, really. It takes a bit of Linux knowledge, a live CD/DVD distro, and a wireless interface capable of packet injection (available for about $30). As mentioned above, disable “SSID Broadcast” and know your SSID’s name and password so that you can provide these to the people you do want on your network.

Besides hiding your SSID, your best defense for your wireless network is in your security protocols. You should be using nothing less than WPA2-Personal when it comes to encryption and authentication methods. I won’t go into gory details, but you want to ensure that you’re using WPA2 authentication with AES encryption (often notated as WPA2-AES). WPA2 has advantages over WPA, and AES encryption is superior to DES or TKIP. WPA2-AES can still be monitored and collected as demonstrated in FIGURES 1A – 1E; however, the key will be much more difficult to crack. How difficult? Much of that depends on you.

For example, in my region one of the major ISPs provides you with a modem/wireless router combo box as a courtesy. As another courtesy they will preconfigure an SSID and “complex” key for you to use and note this information on the bottom of the device. At one time they were deploying these wireless routers with WPS enabled, but it seems they have finally realized the risk. The install techs always follow an SSID naming convention where the words are always the same, followed by a unique number: WLANNET276, WLANNET277, etc. as an example (I will not list the actual convention here). When an attacker sees this, they instantly know who your provider is and what hardware you’re using for wireless access and routing. They will know that this piece of hardware comes with WPS (maybe still enabled, depending on when it was deployed or last updated); and they will also know that this particular ISP ALWAYS provides a randomly generated pre-shared key that consists of 10 digits and only numbers. A 10-digit random number poses a lot of possibilities indeed, but it’s not so out of reach if you know how to leverage your GPU to create a rainbow table. You can tell the application to create a rainbow table using 10 digits, ALL numbers, and plug in the SSID name to anticipate the salted hash. Once these options are selected, a list of every possibility will be generated and saved to a table for later use. The list will take a long time to create; however, once it’s complete it can be executed against an encrypted 4-way handshake fairly fast.

So what’s my point here? Don’t just settle for the SSID and password your ISP has created – recreate your own SSID, but more importantly, choose a new password that is nothing like the ISP’s standard. Use uppercase and lowercase letters, numbers and special characters; or even better, create a phrase/sentence using symbols and numbers to replace letters. Generally, the longer and more nonsensical it is, the better. A dictionary attack can identify the word “password”; however, it will not be able to identify “P@$$w0rD”. A list was recently released identifying the world’s most popular SSID names and passwords. These SSID names and passwords were then used to create massive Rainbow Tables. Since these tables are already built, the bulk of the work has been completed for anyone using them… for, uh, ‘testing only’ of course. If you happen to be one of the people using an SSID and/or password from the list, then your network security has just become a joke.
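To make the point about the ISP convention concrete, here is an added example (mine, not the post’s) that derives the WPA2-Personal master key the same way wpa_passphrase does, with the SSID as the PBKDF2 salt, and puts an upper bound on how long exhausting a passphrase policy would take. The 100k-derivations-per-second rate is a constructed figure for illustration, and the SSIDs and passphrases are made up.

```python
import hashlib
import string

# Assumed guessing rate: 100k PBKDF2 derivations per second. A constructed
# figure for illustration, not a measurement of any particular hardware.
ASSUMED_RATE = 1e5

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
    32-byte output (the derivation wpa_passphrase performs). Because the SSID
    is the salt, a precomputed table is only valid for that one SSID, which is
    why a predictable ISP naming scheme matters so much."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length

def years_to_exhaust(space: int, rate: float) -> float:
    return space / rate / (365 * 24 * 3600)

def looks_like_isp_default(passphrase: str) -> bool:
    """The 10-digit, all-numeric pattern the post describes."""
    return len(passphrase) == 10 and passphrase.isdigit()

CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)

def assess(passphrase: str, rate: float = ASSUMED_RATE) -> dict:
    """Upper bound on attacker effort: assume the attacker already knows the
    exact length and character classes (true for the ISP convention). A
    passphrase built from dictionary words falls far faster than this bound."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    space = keyspace(alphabet, len(passphrase))
    return {"isp_pattern": looks_like_isp_default(passphrase), "alphabet": alphabet,
            "keyspace": space, "years": years_to_exhaust(space, rate)}

if __name__ == "__main__":
    for pw in ("2761234567", "P@$$w0rD-d@rkNet.2015"):
        r = assess(pw)
        print(f"{pw!r}: isp_pattern={r['isp_pattern']} alphabet={r['alphabet']} years={r['years']:.3g}")
    print("PMK for SSID 'IEEE', passphrase 'password':", wpa2_pmk("password", "IEEE").hex())
```

The first passphrase is exhausted in hours at the assumed rate; the second takes longer than the age of the universe, even granting the attacker full knowledge of its length and character classes.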

So now that I’ve thoroughly scared you, what else can you do to protect yourself when using wireless? Ideally we would all be set up to use WPA2-Enterprise authentication. Most of you have seen the option and probably wondered what it is. Rather than using a pre-shared key, which is transmitted to the wireless access point, this option doesn’t use a pre-shared key at all. It can be set up to check against a separate server/database and determine if your credentials are valid. Probably the most popular application of this involves an Active Directory server and domain. If you’re using wireless on a proper domain with domain controllers, group policy, user accounts, etc., you can set up your wireless to use your domain credentials. This method is much safer since you are not sending a key across the airwaves, and both your computer and your user credentials must belong to the Active Directory Users and Groups within the domain.

You could also use the WPA2-Enterprise option with a RADIUS server and/or RSA tokens. Most of us do not have the infrastructure, resources or even the know-how to set this all up. There are cheap ways of doing this at home, such as setting up an old PC as a Linux server with domain services, or perhaps setting up an old PC as a simple RADIUS or TACACS server. Again, even this will take knowledge, time and patience. If you’re not able or interested in this level of security, then what other recourse do you have? Do your research and purchase yourself a good VPN service. If you’re running a VPN client from your PC, then the tunnel session is originating from your PC, not your router (at the edge of your network). This means that you will be provided some added security from your PC to your own router on your internal private network.

The same principle applies when using wireless in a public area; possibly the most important time to use a VPN. Most public Wi-Fi setups these days use a guest portal configuration rather than sharing the key with everyone who walks in. The portal simply proxies your web session, making you agree to terms and conditions; then, depending on where you are, you still might have to authenticate (like at hotels); but if you’re in a coffee shop there will likely be no authentication involved. Because a web proxy is being used to redirect your web traffic (port 80, 443 or 8080) to this portal, it’s occurring at the Application Layer of the OSI model. Depending on the setup, this means that your lower-layer Data Link (MAC address) and Network (IP) traffic is still up for grabs. Just like at home, initiating a VPN tunnel from a client on your computer will provide you with a virtually impenetrable barrier.

These days everyone wants to use wireless everywhere and, as mentioned before, it’s a matter of convenience. A study released by Pew Research says that as of May 2013, 63% of adult cell phone owners use that phone online and 34% of cell phone internet users go online almost exclusively with their phones. PCs are obviously not the only risk associated with wireless. I see more and more questions on the Reddit Agora subreddit asking about performing DarkNet Market related tasks on a smartphone. Even though many VPN providers support iPhone & Android clients now, I would advise against DNM activity on your smartphone. Your smartphone has GPS; your smartphone has a distinct SIM card linked only to you; and finally, smartphones run highly customized operating systems which are quite often proprietary and locked down, making privacy tough to manage (yes, even Android). For DNM activity it’s best to stick with a VM like Qubes or a live distro like Tails. If your VM doesn’t support your VPN provider’s custom client, then use the generic VPN setup in your operating system to run OpenVPN or a similar flavor (yes, all of the major OSes have this option).

Thought your home’s wireless was safe? Now you know better. This is not meant to be a scare tactic or a deterrent from using wireless, but simply an attempt to educate. To drive home the key points one more time: avoid wireless if you can – plug in. If you have to use wireless, make sure you’re using strong authentication and encryption: WPA2-AES or WPA2-Enterprise. Use a strong, diverse pre-shared key (if you have to use a pre-shared key) and, last but not least, always use a VPN on wireless. It doesn’t matter if you’re at home or in public – a WLAN is possibly the most important connection on which to use a VPN. But that doesn’t matter because you always use a VPN, right? Just remember, the more you (and others) use VPNs, the safer they become. Don’t just use a VPN when you want to hide what you’re doing – use it all the time. The same rule should be applied to TOR. I hope that I haven’t scared you all into selling your wireless routers. Be smart and be safe!

Updated: 2015-09-01