Community News csm21 Security

Wi-Fi Insecurity

By Leonardo Lanzi, coordinator of the GARR-CERT

Hi, probably you’re reading this while connected to your home wireless network and you already followed the “10+1 best tips to protect your home Wi-Fi”, or something very similar (the order could be different):

  1. Change default user name and password [of your router/access point admin account]
  2. Turn on the strongest encryption [WPA3, on newer devices]
  3. Use a VPN [to reach your network from outside, or your office from home]
  4. Change the default ESSID (the name of your Wi-Fi), and make it “hidden” [it’s only one click away]
  5. Disable WPS (Wi-Fi Protected Set-up) authentication [another one click away]
  6. Turn off Wi-Fi when you’re not at home [yes, but.. oh no! IoT, sensors etc. you can’t]
  7. Keep your router software up-to-date [your ISP does it, probably, or you should do it yourself if you bought it autonomously]
  8. Use a firewall, the built-in one, or even an additional device [nice idea!]
  9. Place the router away from windows [it’s placed where the cable/fibre enters home, you cannot do much]
  10. Enable MAC address filtering [annoying, but ok, you did it]

10+1) Disable remote log in & administration [wait a minute , what about VPN at step 3?].

After all that work, what could go wrong?
If you’re a Jedi Master in security, I am afraid you have already left.
For everyone else..

How it started

Cybersecurity faces periodically some old problems; if you wait enough, you’ll encounter the same threats every 10-20 years, possibly under a new dress: this is what happens with Wi-Fi.

At the beginning of the internet, cabled networks used a “shared medium”, even after the IP was chosen among the other protocols. For example, in the 10base2 world, the RG58 coaxial cable connected each host by means of a T-connector; in other words, all of the hosts’ data shared the same cable and each host was able to read all the traffic; the standard net device was the “hub”: all network traffic flowed through all of its ports.

Then, RJ45, switches, VLAN and so on appeared, leading to an increasing separation of the single host network traffic, and therefore to a better security for the transmitted data.

However, at the end of the 20th century, Wi-Fi came to life.

Radio waves at 2.4 or 5 GHz became a sort of shared medium among all the hosts connected to the W[ireless]LAN; simply, they fly all around. Its communication protocols improved in speed and also  security: the first kind of access was open, a.k.a. no-password at all to connect, then easily breakable (WEP), then more and more robust, namely WPA, WPA2, and recently WPA3; increasing numbers always recall a better than before idea. Despite that, after 20 years, the current wireless medium acts mostly like a hub: if you’re connected to a specific SSID wireless network, you can easily reach all the others network nodes, eventually also the cabled ones, especially in a home Wi-Fi environment.

SHALL WE PLAY A GAME?

You can take a different look at your home network.

It’s possible to check if someone is trying to force your Wi-Fi security, or if your devices are more or less vulnerable.

A group of nice people released Kali Linux: go to kali.org/get-kali/#kali-live, and prepare a bootable USB key with it [instructions are in the documentation]. Kali is one of the most complete distributions for penetration testing; once booted, you can focus on the Wi-Fi tools.

Since the Wi-Fi protocol supports various “modes”, the first thing to check is if your laptop Wi-Fi is able to switch to monitor mode, and at the same time be able to send packets; this is called injection – to feel more like a hacker. If not, it’s easy to find cheap USB Wi-Fi adapters ready for that. Search on, and find pages similar to miloserdov.org/?p=2196.

Kali documentation helps also on setting it up, and yes, open a terminal: from now on you’ll work on a command-line interface (a.k.a. CLI). A good thing is to promote yourself to the highest power admin-level, called “root”, to avoid the use of the annoying “sudo” command at each step; on the CLI, it is a # prompt.

Some home-made examples follows.

Shut-off normal network, check your equipment, start it, look around.

# airmon-ng check kill

# airmon-ng
PHY   Interface   Driver      Chipset
phy0  wlan0       rtl88x2bu   Realtek [...] RTL88x2bu […]

# airmon-ng start wlan0
PHY   Interface   Driver      Chipset
phy0  wlan0       rtl88x2bu   Realtek [...] RTL88x2bu […]
      (monitor mode enabled)

# airodump-ng wlan0mon

With this last command, you list all detected access points with its associated clients, on all possible radio channels, something like that (“personal” info like MAC addresses or full ESSID are partially erased):

In a few minutes, you can find for example if there is a rogue access point, i.e. an unauthorised device announcing the same SSID of another [authentic] network, usually to do bad things.

You could also catch stations trying to connect to your SSID, if it’s listed in the Probes column, but without association in the BSSID field:

If they are still there after a while, and the number of exchanged frames are increasing, well, it could simply be a typo in the Wi-Fi password field (ask family members, friends at dinner etc.), or it’s time to rise your DEFCON, your level of defence.

Trying to break yourself

If everything seems OK, you can do basic tests of the resilience of your devices. You can follow the previous steps and add successive attempts:

  • de-authentication, to force a new negotiation with your access point, while performing..
  • packet capturing, trying then to guess/break the shared key (Google for “hash cat”),
  • setting up a rogue hotspot, and see if your devices can be easily fooled, by ..
  • a rogue DHCP/DNS, to check if the hijacking of IP traffic toward an evil gateway could be an easy target.

All the previous single steps can be pretty automated by:
# wifite

A last tip

If you’re generally interested in securing your digital life at home, a complementary effort could be the acquisition and installation of a router that can be under your full control, using the ISP hardware as a simple point-to-point connection (usually by means of the WAN port on both devices). Just to name a very interesting and mature project, have a look at OpenWrt, openwrt.org.

And please don’t stop here, you’ve just started to be a CyberHeroAtHome!


About the author

Leonardo Lanzi

In May 2018 Leonardo Lanzi became the coordinator of the GARR-CERT. With a Master Degree in Physics and a Ph.D. in Computer Science, he has been the systems and network admin of the Department of Physics and Astronomy at the University of Florence where he has also been a lecturer in Computer Science.

Contact Leonardo at leonardo.lanzi@garr.it

 

Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber ​​Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://dev.connect.geant.org/csm2021