Wireless Threats

7/28/2010 9:24:47 AM
Wireless Threats
By default, wireless network traffic is unbounded, unauthenticated, and unencrypted. Without any additional protection, wireless network traffic can be intercepted anywhere the wireless waves can be detected, recorded, and manipulated.

In the author's opinion, most active Wi-Fi networks have been detected by an unauthorized outsider, and many of them have been compromised. Too many wireless network operators don't think they will ever be attacked. There are even dozens of online Web sites dedicated to listing active Wi-Fi spots. Some budding computer security consultants, hungry for work and with questionable ethics, search for and break into unsecured Wi-Fi networks as a way of gaining new business. Rogue war drivers even have their own map symbols ( so that roaming Wi-Fi searchers can find active Wi-Fi locations. The main wireless vulnerabilities are:

  • Eavesdropping

  • Unauthorized access

  • Bypassing of traditional defenses

  • Malware injection

  • Denial of service attacks


Wireless networks are most at risk from unauthorized eavesdropping. Unlike wired networks, which require the intruder to be physically joined to the network, unprotected wireless networks can be intercepted from distances moderately far away from the source.

Sniffing wireless networks only requires that the listener have a wireless network card and the appropriate software. Specialized wireless locating programs, such as NetStumbler (see Figure 1) can be used to locate, identify, and categorize wireless networks. Other programs such as Airsnort or Wire-shark ( can easily sniff the traffic and break down the various frame types and functionality. Any plain-text information and passwords can easily be seen in the network packet traces.

Image from book
Figure 1: Network stumbler in action

Most readers might think that the typical 802.11 network can only be listened into from a few hundred feet away (, but 802.11 traffic has been successfully sent over 125 miles ( between the source and destination. While these wireless records don't normally occur with traditional 802.11 equipment, an attacker with a small investment in equipment can listen into wireless networks up to a mile away.

Using standard equipment, wireless hackers can drive (war driving) in a neighborhood or business area and find zones to hundreds of vulnerable networks. Wireless hacking is so widespread and well known that a parked driver working intently on their laptop is likely to be suspected as a wireless hacker by the regular police. It doesn't take a special degree to hack or to get caught.

Most wireless network access points function in "hub mode" meaning that any packet information sent to and from the access point is readable by any other listener. Most wireless users don't know this. An attacker can glean passwords, password hashes, application fingerprinting, host IP addresses, machine names, and more.

Unauthorized Access

It is also very common for intruders to gain unauthorized access. They may want to access and attack existing wired servers or simply use the company's wireless network as an entry point for free Internet access. Nearly every reader probably has a story of a friend (or themselves) using a neighbor's wireless Internet access without their authorization. Many courts have ruled that unauthorized use of a person's wireless network is illegal, but at times the access may even be unintentional. Unfortunately, many of our computers will connect to whatever unsecured wireless network they can find first, and the average user doesn't know enough about wireless networks to be able to differentiate between the correct and incorrect networks.

Intruders using unauthorized wireless access points have used those networks to attack other computers, to download child pornography, and criminal activities. When the authorities trace back the malicious behavior, the attack trail ends at the wireless network. It is usually difficult to impossible, without appropriate logging being enabled first, to track down the intruder.

Bypassing of Traditional Defenses

In the corporate environment, wireless networks are often less secure, both inbound and outbound, than their wired counterparts. If wireless networks do not have the same protection, they can be used to bypass the company's normal computer security defenses. Users denied access to particular functionality could turn to the wireless network to bypass firewalls, proxy filters, and other implemented mechanisms. A wireless user's computer could become compromised and offer an exploit avenue to the malware or remote hacker.

Malware Injection

Malware and hacking tools can also be injected into wireless network streams. For example, many worms work by using broadcast protocols or by randomly generating new target IP addresses. A wireless intruder could sniff a wireless network, learn the involved IP addresses, and then generate a network packet containing the MS-Blaster ( worm that targets an unprotected computer. Once the MS-Blaster worm has infected one host, the worm itself will continue searching for new victims. MS-Blaster is one example, but literally thousands of malware infections and tools can be injected into a wireless network stream.

Even worse, prior to Vista, Windows had an insecure behavior that made wireless injection easy. If your legacy computer normally connects to a preferred wireless network, but then is unable to connect (for example, corporate laptop wireless user now working in an airport) to that wireless network, it will then create a random wireless network name (SSID) and place itself in infrastructure mode, advertise its presence using beacon packets, and readily accept incoming connections from other unauthenticated nodes. Yes, that's right. If your legacy Windows computer can't find its preferred wireless network, it will create its own insecure Wi-Fi network, advertise its presence, and allow other computers to attach to it.

While the new connecting, unauthorized user, doesn't have immediate access to your computer's hard drive or data contents, it is as if they are on the same (wired) network. They can try to break into your computer using all the normal remote Windows hacking tricks, sniff data, port scan your computer, and inject malware as discussed previously. Luckily this behavior is fixed in Windows XP Pro's Wireless Client Update for Windows XP with Service Pack 2 and Windows Vista. XP Pro, with the added client, will use a 128-bit protection key and enable the strongest security protocol available on the wireless network adapter. Vista doesn't allow inbound connections, period!

Denial of Service Attacks

Wireless networks are traditionally unstable by nature. They ebb and flow, losing and gaining signal strength as conditions and external influences dictate. Unprotected wireless networks are unauthenticated by default, and easy to jam or interrupt. First, there are a myriad of ways to interrupt Layers 1 and 2 on a wireless network. Anyone can send a wireless jamming signal that could take down your wireless network until the source is identified (not easy to do) and removed.

Second, several tools, such as Void_11 and WAN_jack, actually inject rogue traffic to intentionally kick legitimate nodes off of Wi-Fi networks. This can be done simply to deny legitimate service, although it is often done to force significantly more re-connection traffic, which results in more wireless traffic, which leads to faster encryption compromises. If you have ever been involved in a wireless denial of service compromise, they can be frustrating to eliminate. Often, the attacker will stop the DoS attack tool just when you are getting close to identifying the malicious node's location, stopping the investigation in its tracks without any possible recourse or continuation until the next attack.

All of these attack types are possible because wireless networks are unauthenticated and unencrypted by default.

Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8