wifi_vilnerabilities

Upload: rajunair

Post on 30-May-2018


  • 8/14/2019 Wifi_vilnerabilities


    Device Theft

    Device theft is just as it sounds, the physical theft of the device by an attacker. Fortunately, this is not a concept new or unique to wireless devices or systems, so the need for protection of wireless devices and systems against physical theft is intuitive to device and system manufacturers. Unfortunately, devising devices or systems resistant to theft is very difficult.

    Several mitigations can be employed to minimize the threat. We will not spend much time stating the obvious, such as locking and alarming rooms that house equipment.

    The Man in the Middle

    The attacker, by interjecting herself between the user and the server, accomplishes the well-known man-in-the-middle network attack. This interjection is done by gaining physical access to the logical or physical path between the user and the server, such as sitting at the user or server's access point to the network. Alternatively, this can be used to spoof the user to the server and the server to the user. In both scenarios, the attacker has complete access to the communications between the user and the server.

    War Driving

    In the 1980s, malicious types began war dialing, calling phone numbers at random in an attempt to locate unprotected modems and gain access to networks. The early 2000s version of war dialing is war driving, roaming around with a laptop, wireless NIC, and an antenna and attempting to gain access to wireless networks. As we have discussed, the vast majority of wireless networks deployed do not use WEP or use WEP without implementing RSA's Fast Packet Keying solution to (more or less) security. With a $100-150 wireless NIC set in promiscuous mode and a cheap parabolic grid antenna from Radio Shack, hackers have gained access to thousands of wireless networks across the United States. In populated areas, war drivers have used simple GPS applications in combination with the wireless NIC and antennae and have successfully mapped the location of thousands of wireless networks to which they can gain access. No esoteric software or hardware is required. A software application called AirSnort has the ability to analyze the intercepted WEP traffic and, after collecting enough data, even determine the root password for the wireless system.

    Denial of Service

    Denial of service is a class of attacks that take many forms, from subtle to obvious. An obvious denial of service attack against a wireless system would be to sever the coax cable on the tower between the transceiver and the antenna. This definitely would deny service to anyone wanting to use that particular tower. A more subtle attack would be to tie up the system with service requests or to spread a bogus e-mail such as "New and Destructive Virus," explaining that you should e-mail everyone you know so that they can protect themselves. The desired result is that the system becomes so bogged down with these e-mails that legitimate traffic cannot be accommodated.

    188 ANALYZE ATTACKS AND VULNERABILITIES

    Another popular denial of service attack is the "Please help, my child is dying." An e-mail is sent saying that someone, usually a hapless child, is suffering from a terrible affliction. The e-mail goes on to say that a corporation has agreed to provide X amount for every e-mail it receives regarding this child, so please forward this e-mail to everyone you know so that this child can be saved. The desired result is to overwhelm the corporation's servers and cause them to crash.

    The DoCoMo E-Mail Virus

    As of the writing of this chapter, there have been two similar virus attacks against Japan's DoCoMo cellular system. These attacks are viruses that can be downloaded into multifunction cellular phones. The viruses cause the user's phone to automatically dial a number, such as 911, tying up both the cellular and 911 systems. With little imagination, you can see how this type of activity can have far-reaching and dire consequences.

    Vulnerabilities and Theoretical Attacks

    Identifying vulnerabilities is a difficult process because you are looking for what might occur and trying to anticipate how an attacker could attempt to exploit the system. The process is a dual-mode analysis in which you are examining potentially vulnerable areas while anticipating theoretical attacks. Based on the success or failure of these theoretical attacks, the particular component or resource is identified as vulnerable. Recall that you are not making any determination at this point about the practicality of an attack or the development trade-offs necessary to protect or mitigate the vulnerability.

    To begin the examination of vulnerabilities, you begin at the top of the targets list and place yourself in the malicious roles identified earlier. You then create theoretical attacks to which these targets would be vulnerable. Experience and knowledge of the system's inner workings are crucial if you are to have any expectation of identifying all its potential vulnerabilities. If you are examining an existing system, this requirement may lead you to utilize the developers to conduct the vulnerability analysis. This is acceptable as long as the team is evenly weighted with those who were not involved with the development. The reason is, developers know what they were trying to accomplish, and they may make assumptions about how the system functions or responds under certain circumstances. Further, developers know how the system was intended to function, but most attacks attempt to cause the system to function in a manner in which it was not intended.


    Vulnerabilities of the Wireless Device

    Similar to identifying targets, you begin at the highest levels and work your way down to the lower functional levels of the system. In general, the lower functional levels require more detailed knowledge, for you to analyze and for an attacker to exploit. However, with any generality, there are always exceptions, particularly with exploits. Once identified by someone with knowledge, even the lower-level functional levels can be successfully exploited by others with less technical expertise. We discuss this in greater detail throughout the remainder of the chapter, looking at specific examples. Suffice it to say that for this analysis, you must try to be as thorough as possible to ensure that the system is fully protected. You begin by looking at the targets identified.

    The Wireless Device Itself

    The vulnerability, loss, or theft of this particular target is not new to wireless. Loss or theft of personal items has been a concern since our ancient ancestors first grasped the concept of personal property as they huddled around fires in caves. The vulnerability of wireless devices is that they can be misplaced by users or taken by malicious users.

    User Interface

    The user interface should be examined in its two parts: the physical interface and access to the user interface. These two have different issues that should be acknowledged for completeness of your risk assessment.

    The Physical Interface

    The physical interface is vulnerable to environmental factors such as water, shock, and abrasion: for example, dropping the device in a puddle or spilling coffee on the device, dropping it off a table, having it slip out of the user's hands, having the device slide across a rough surface, and having someone sit on or drive over the device.

    Access to the User Interface

    The user interface is vulnerable to environmental factors that cause inadvertent input: for example, a cellular phone in someone's purse being bumped and activated when an object inside the purse depresses the Send key.

    Offline Functions

    Personal Data on the PDA

    Here is where things become more interesting. You examine each of the malicious roles separately to ensure that you cover all the possible vulnerabilities. Again, this is not guaranteed. To ensure a system's security, you must review the vulnerabilities in light of new known attacks, updated information on the system, or new theoretical attacks.


    Malicious Device Support Personnel

    Personal data stored on the device is vulnerable to malicious device support personnel when the device is taken in for upgrades, maintenance, or repair. These support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that give them access to personal data stored on the device.

    Poor or inexperienced device support personnel may inadvertently leave the device in a security bypass or diagnostic mode that leaves personal data vulnerable.

    Malicious App Developer

    Malicious application developers can create a virus or Trojan Horse (a program that, in addition to providing an overt useful function, performs a covert activity, usually malicious) utilities or programs that allow access to personal data on the PDA.

    Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, such as not clearing buffers and overwriting data elements, leaving personal data vulnerable during transit.
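
    The buffer-clearing lapse described above, shown as an added C example that is not part of the original text: a reused transmit buffer carries the tail of an earlier personal record inside a later, shorter message unless it is wiped first. The frame size, the function names and the sample record are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE 64  /* hypothetical fixed-size frame handed to the radio */

/* One transmit buffer reused for every outgoing message. */
static unsigned char tx_frame[FRAME_SIZE];

/* Zero a buffer through a volatile pointer so the stores are not
 * optimized away as dead writes. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Before: copy the payload in and leave the rest of the frame untouched. */
static const unsigned char *build_frame_unsafe(const char *payload)
{
    size_t n = strlen(payload);
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(tx_frame, payload, n);
    return tx_frame;            /* all FRAME_SIZE bytes are transmitted */
}

/* After: clear the whole frame before every use. */
static const unsigned char *build_frame_clean(const char *payload)
{
    size_t n = strlen(payload);
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    secure_wipe(tx_frame, FRAME_SIZE);
    memcpy(tx_frame, payload, n);
    return tx_frame;
}

/* Byte search over a full frame (frames are not NUL-terminated strings). */
static int frame_contains(const unsigned char *frame, const char *needle)
{
    size_t n = strlen(needle);
    size_t i;
    if (n == 0 || n > FRAME_SIZE)
        return 0;
    for (i = 0; i + n <= FRAME_SIZE; i++)
        if (memcmp(frame + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send a personal record, then a short status message, and report whether
 * the status frame still carries part of the record (1 = leak). */
static int residue_leaks(int hardened)
{
    char record[] = "NAME=A.USER;CARD=4111-0000-0000-0000"; /* constructed sample */
    const char *status = "STATUS=OK";
    const unsigned char *frame;

    secure_wipe(tx_frame, FRAME_SIZE);          /* known starting state */
    if (hardened) {
        build_frame_clean(record);
        secure_wipe(record, sizeof record);     /* overwrite the app's own copy too */
        frame = build_frame_clean(status);
    } else {
        build_frame_unsafe(record);
        frame = build_frame_unsafe(status);
    }
    return frame_contains(frame, "0000-0000");
}

int main(void)
{
    printf("unsafe frame leaks record residue:   %d\n", residue_leaks(0));
    printf("hardened frame leaks record residue: %d\n", residue_leaks(1));
    return 0;
}
```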

    Malicious App Support Personnel

    Malicious application support personnel may dupe the user via social engineering to provide access, or information necessary for access, to personal data under the auspices of assisting with an application issue. Alternatively, malicious app support personnel may enable debug or other diagnostic switches within the software, disabling security mechanisms present in the device or software.

    Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled following a support activity, rendering the personal data vulnerable.

    Malicious User

    Personal data is vulnerable to a malicious user who has gained access to the device. Recall that malicious user is a catchall term encompassing a variety of activities. Although this simple statement is adequate for describing the vulnerability, the complexity of the role becomes important and should not be forgotten when generating mitigations and protections or performing the security-functionality trade-offs. For example, a malicious user may pose as a member of one of the legitimate functional roles and become the functional equivalent of one of the malicious roles just discussed.

    Corporate or Third-Party Information

    From a vulnerability perspective, no distinction exists between corporate and third-party information and personal data. There may be some distinction when it comes to the security-functionality trade-offs. For example, a device manufacturer may be willing to limit some functionality to ensure the protection of the user's personal data but may decide that the same trade-off for corporate data is unnecessary because its obligation ends with the user.


    Online Functions

    Personal Data Being Sent

    This target is personal data as it is in transit. You will notice that all the previous roles are present, with the addition of a few others because of the data's increased exposure during transport.

    Malicious Wireless Service Provider (WSP)

    Your first thought may be, "How could a WSP be malicious?" In general, WSPs are not. They are in the business of providing wireless services, so performing any untoward activity would be counterproductive. However, consider the following example, based on the office complex scenario introduced in Chapter 1, "Wireless Technologies."

    Suppose that AdEx Inc., as a courtesy to its clients, offers wireless access through its network. NitroSoft is visiting AdEx for a presentation of a proposed new marketing campaign. During breaks in the presentation, the NitroSoft representative sends and receives e-mail via his wireless PDA. This information is related to the campaign, including price limits and current bids from other representatives attending similar presentations around the country. The connectivity is much appreciated by the NitroSoft representative because he can discreetly communicate the current status to his NitroSoft co-workers to ensure that NitroSoft receives the best marketing campaign for the money.

    What the NitroSoft representative doesn't know is that someone from the AdEx IT staff is monitoring the NitroSoft representative's communications and relaying any pertinent information to AdEx's marketing staff so that they will be well informed of her feelings about the presentation, any misgivings she may have, what NitroSoft's bottom line will be, and possibly what the bids are from other marketing firms.

    In this example, is AdEx just doing smart business? After all, AdEx owns the wireless connectivity hardware, and by extension, everything it transports. Or is AdEx a malicious WSP? Unless AdEx had the NitroSoft representative sign an agreement to access its wireless network and this agreement contained a waiver granting AdEx access to anything transmitted over the network, we would vote for the latter. Therefore, personal data transmitted by the device may be vulnerable to a malicious WSP.

    Malicious Device Support Personnel

    Personal data transmitted by the device can be made vulnerable by malicious device support personnel when the device is taken in for upgrades, maintenance, or repair. These support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that allow them to bypass security features, leaving personal data transmitted by the device vulnerable.

    Poor or inexperienced device support personnel may inadvertently leave the device in a security bypass or diagnostic mode that renders personal data vulnerable during transit.


    Malicious WSP OMS Personnel

    Personal data transmitted by the device is vulnerable to malicious WSP OMS personnel

    who have access to the WSP transceiver and wireless network equipment.

    Malicious App Developer

    Malicious application developers may create a virus or Trojan Horse utilities or programs that cause the transmitted data to be vulnerable. An example would be an encryption utility containing nonunique or known keys. To the user, the data appears encrypted, but it is readily accessible to unauthorized individuals who know the key. Alternatively, an e-mail utility may send a blind copy of every message sent or received by the device to a predefined address.

    Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, rendering personal data vulnerable during transit.

    Malicious App Support Personnel

    Malicious application support personnel may coerce the user via social engineering to provide access, or information necessary for access, to personal data under the auspices of assisting with an application issue. Alternatively, malicious app support personnel may enable debug or other diagnostic switches within the software, disabling security mechanisms present in the device or software.

    Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering the personal data vulnerable during transit.

    Malicious User

    Personal data is vulnerable to a malicious user who has access to, or has built a receiver that can monitor, the transmission of the PDA and can reconstruct the data transmitted and received. Again, a malicious user can assume any of the preceding malicious roles to gain access necessary to exploit a vulnerability.

    Corporate or Third-Party Information Being Sent

    As with offline functions, from a vulnerability perspective there is no distinction

    between corporate or third-party information and personal data in transit.

    User Online Activities, Usage Patterns, Location and Movement

    This category can be considered a subset or equivalent to user personal data as far as vulnerabilities are concerned. The difference lies in how this type of information can be protected, which we discuss in Chapter 12, "Define and Design."

    Access to Network and Online Services

    As used here, access to network and online services means the use of the device or information on the device to gain access to network and online services. This distinction separates it from similar activities occurring against the service provider, which we will discuss shortly.

    Malicious Device Support Personnel

    User network and online services access credentials are vulnerable to device support personnel who have access to the device for upgrade, maintenance, or repair purposes. Device support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that give them access to network and online services access credentials on the device.

    Malicious WSP OMS Personnel

    User network and online services access credentials are vulnerable to WSP OMS personnel when this information is received and processed by the WSP equipment. The user may also be coerced into providing network or online access credentials to WSP OMS personnel.

    Malicious App Developer

    User network and online services access credentials are vulnerable to applications that

    can copy and store, or forward, these credentials to the developer.

    Malicious User

    Access to network and online services is vulnerable to a malicious user. A malicious user may gain access to the device and retrieve network and online services credentials, to be used on another device or at a later time. A malicious user may monitor transmissions, as discussed under "Malicious User" for personal data being sent, to obtain network and online services credentials. Again, a malicious user can assume any of the preceding malicious roles to gain access necessary to exploit a vulnerability.

    Transceiver

    The Transceiver Itself

    Malicious Device OMS Personnel

    The transceiver is vulnerable to manipulation or modification by malicious device OMS personnel.

    Malicious User

    The transceiver is vulnerable to manipulation or modification by a malicious user. For

    example, this may be done to assist a man-in-the-middle attack.


    Vulnerabilities of the Service Provider

    The Transceiver Itself

    When we use the term transceiver in regard to the service provider, we are considering a transceiver system consisting of the antenna array, tower, coax, transceiver, and switching equipment.

    Malicious Device OMS Personnel

    The transceiver is vulnerable to manipulation or modification by malicious device

    OMS personnel.

    Malicious User

    The transceiver is vulnerable to manipulation or modification by a malicious user. For

    example, this may be done to deny service to areas or individuals at crucial times.

    The Transceiver Services

    Malicious Device OMS Personnel

    The transceiver services are vulnerable to manipulation or modification by malicious device OMS personnel: for example, granting network access to unauthorized users by providing maintenance or diagnostic access credentials to these unauthorized users.

    Malicious User

    The transceiver is vulnerable to manipulation or modification by a malicious user. For

    example, a malicious user may obtain access credentials to utilize the service without

    paying for the privilege.

    Access to Its Subscribers

    Malicious WSP OMS Personnel

    The service provider is vulnerable to WSP OMS personnel who can grant access to the

    network, and thereby its subscribers, for spam or other unsolicited purposes.

    Malicious Corporate/Private Servers

    The service provider is vulnerable to malicious corporate or private servers that access the service provider to deliver advertising, marketing, or other spam to the service provider's subscribers.

    Malicious Corporate/Private Server OMS Personnel

    The service provider is vulnerable to malicious corporate or private server OMS personnel who utilize authorized servers to perform unauthorized access to subscribers. For example, service provider subscribers receive stock quotes as part of their service plan. OMS personnel with access to the quote server that provides this service could alter the server to deliver anything in addition to, or in place of, the stock quotes.

    Malicious Content Providers

    The service provider is vulnerable to malicious content providers who use the service provider resources to spam or otherwise deliver their payload to the subscribers.

    Malicious App Developer

    The service provider is vulnerable to malicious app developers who include back

    doors or Trojan Horse utilities or programs that the service provider uses. These app

    developers can then use the privileged access available to their legitimate applications

    to obtain illegitimate access to the subscribers.

    Malicious App Support Personnel

    Service provider subscribers are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software, disabling security mechanisms that protect access to the subscribers.

    Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering corporate proprietary data and resources vulnerable on the network server.

    Malicious User

    The service provider is vulnerable to malicious users gaining network access to allow them access to the service provider's subscribers, either by these malicious users acting in one of the preceding roles or by exploiting a vulnerability in the overall service provider's system.

    Transceiver

    Recall that there were no targets for the transceiver beyond those identified for the

    higher-level functional block.

    Administrative Server

    By administrative server, we are referring to the billing, maintenance, and support systems associated with keeping the wireless infrastructure functional.

    User-Specific Data

    User-specific data is information such as credit card numbers, address, finances, call

    and access log information that resides on the administrative server.


    Malicious WSP OMS Personnel

    User-specific data resident on the administrative server is vulnerable to malicious WSP

    OMS personnel who exploit their system access to gain access to user-specific data.

    Malicious App Developer

    User-specific data resident on the administrative server is vulnerable to malicious app developers who include back doors or Trojan Horse utilities or programs that the service provider uses. These app developers then use the privileged access available to their legitimate applications to obtain illegitimate access to user-specific data.

    Malicious App Support Personnel

    User-specific data is vulnerable to malicious application support personnel who

    enable debug or other diagnostic switches within the administrative server software

    that disable security mechanisms.

    Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the user-specific data vulnerable on the administrative server.

    Malicious User

    User-specific data resident on the administrative server is vulnerable to malicious users gaining access to the service provider's network and thereby accessing user-specific data. The service provider's network access may be obtained by these malicious users acting in one of the preceding roles or exploiting a vulnerability in the overall service provider's system.

    Corporate Proprietary Data and Resources

    Corporate proprietary data and resources refer to information resident on the administrative server that provides network details, fraud detection scheme information, and the like.

    Malicious WSP OMS Personnel

    Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to corporate proprietary data and resources.

    Malicious App Developer

    Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious app developers who include back doors or Trojan Horse utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to corporate proprietary data and resources.


    Malicious App Support Personnel

    Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

    Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

    Malicious User

    Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious users gaining access to the service provider's network, and thereby access to corporate proprietary data and resources. The service provider's network access may be obtained by these malicious users acting in one of the preceding roles or exploiting a vulnerability in the overall service provider's system.

    Network Server

    User-Specific Data

    User-specific data is information such as credit card numbers, addresses, and data such

    as e-mail and Web traffic that transits the network server.

    Malicious WSP OMS Personnel

    User-specific data transiting the network server is vulnerable to malicious WSP OMS

    personnel who have access to the network server.

    Malicious App Developer

    Malicious application developers can create virus or Trojan Horse utilities or programs

    that cause the transit data to be vulnerable. An example would be a network routing

    utility containing code that routes a copy of the transit data to the app developer.

    Poor or inexperienced application developers may not take appropriate security

    measures regarding their particular application, rendering user data vulnerable during

    transit.

    Malicious App Support Personnel

    User-specific data is vulnerable to malicious application support personnel who

    enable debug or other diagnostic switches within the software that disable security

    mechanisms present in the network server.

    Poor or inexperienced app support personnel may inadvertently leave debug or

    diagnostic switches enabled at the conclusion of a support activity, leaving the user

    data vulnerable during transit of the network server.


    Malicious User

    User-specific data is vulnerable to a malicious user who has access to, or has assumed

    one of the preceding roles to get access to, the network server.

    Corporate Proprietary Data and Resources

    Much the same as for the administrative server, corporate proprietary data and resources refer to information resident on the network server. We are referring to the system that connects the service provider's transceivers to the remainder of the wired world.

    Malicious WSP OMS Personnel

    Corporate proprietary data and resources resident on the network server are vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to corporate proprietary data and resources.

    Malicious App Developer

    Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious app developers who include back doors or Trojan Horse utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to corporate proprietary data and resources.

    Malicious App Support Personnel

    Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

    Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

    Malicious User

    Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious users gaining access to the service provider's network, and thereby access to corporate proprietary data and resources. The service provider's network access can be obtained by these malicious users acting in one of the preceding roles or exploiting a vulnerability in the overall service provider's system.

    Vulnerabilities of the Gateway

    The gateway is functionally not much more than a server that performs processing to convert Web traffic to a form compatible with the wireless device. You will notice that the vulnerabilities listed mirror those for the administrative and network servers. The Web server and backend server also have similar vulnerabilities. Therefore, we will not cover the vulnerabilities for the Web server and backend server. Further, no additional vulnerability is associated with having those servers linked to a wireless system (with the exception of no longer needing physical access) than to a totally wired system.

    The Physical Gateway

    Malicious OMS Personnel

    The gateway is vulnerable to manipulation or modification by malicious OMS

    personnel.

    Malicious App Developer

    The gateway is vulnerable to malicious app developers who include back doors or

    Trojan Horse utilities or programs that the gateway uses. These app developers can

    then use the privileged access available to their legitimate applications to obtain illegitimate

    access to gateway services.

    Malicious App Support Personnel

    The gateway is vulnerable to malicious application support personnel who enable

    debug or other diagnostic switches within the software that disable security mechanisms

    present in the gateway.

    Poor or inexperienced app support personnel may inadvertently leave debug or

    diagnostic switches enabled at the conclusion of a support activity, leaving the gateway

    vulnerable.
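
The failure mode described above, debug or diagnostic switches left enabled once a support activity ends, can be checked for automatically. The following audit is an added example, not part of the original text; the event and session record formats, switch names, operators and ticket ids are constructed assumptions, not taken from any real gateway product.

```python
from datetime import datetime

# Constructed sample data (assumed formats, for illustration only).
SWITCH_EVENTS = [  # (timestamp, switch, new_state, operator)
    ("2024-03-01T09:05", "auth_bypass_diag", "on", "support1"),
    ("2024-03-01T09:40", "auth_bypass_diag", "off", "support1"),
    ("2024-03-01T09:10", "verbose_payload_log", "on", "support1"),
    ("2024-03-03T22:15", "skip_cert_check", "on", "support2"),
]
SUPPORT_SESSIONS = [  # (ticket, operator, opened, closed)
    ("T-100", "support1", "2024-03-01T09:00", "2024-03-01T10:00"),
]


def parse_ts(text):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(text)


def audit_debug_switches(events, sessions, now):
    """Return {switch: reason} for each switch that is still enabled
    and is not covered by a support session that is open at `now`."""
    last = {}
    for ts, switch, state, operator in sorted(events, key=lambda e: parse_ts(e[0])):
        last[switch] = (parse_ts(ts), state, operator)  # latest change wins
    findings = {}
    for switch, (ts, state, operator) in last.items():
        if state != "on":
            continue  # switched back off: nothing to report
        # Sessions by the same operator that were open when the switch was set.
        covering = [s for s in sessions
                    if s[1] == operator and parse_ts(s[2]) <= ts <= parse_ts(s[3])]
        if not covering:
            # Enabled with no support activity on record: possible misuse.
            findings[switch] = f"enabled by {operator} outside any support session"
        elif all(parse_ts(s[3]) < now for s in covering):
            # Support activity has concluded but the switch was never reset.
            findings[switch] = f"left enabled after {covering[0][0]} closed"
    return findings


if __name__ == "__main__":
    report = audit_debug_switches(SWITCH_EVENTS, SUPPORT_SESSIONS,
                                  parse_ts("2024-03-04T08:00"))
    for switch, reason in report.items():
        print(f"{switch}: {reason}")
```

The two reasons separate the inadvertent case (a switch forgotten after a legitimate session) from a switch enabled with no support activity on record, which warrants closer review.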

    Malicious User

    The gateway is vulnerable to manipulation or modification by a malicious user

    who has assumed one of the preceding roles or has otherwise gained access to the

    gateway.

    User-Specific Data

    Malicious OMS Personnel

    User-specific data transiting or resident on the gateway is vulnerable to malicious WSP

    OMS personnel who have access to the network server.

    Malicious App Developer

    Malicious application developers can create virus or Trojan Horse utilities or programs

    that cause the user-specific data to be vulnerable.

    Poor or inexperienced application developers may not take appropriate security

    measures regarding their particular application, rendering user-specific data vulnerable

    during transit or storage on the gateway.


    Malicious App Support Personnel

    User-specific data is vulnerable to malicious application support personnel who

    enable debug or other diagnostic switches within the gateway software that disable

    security mechanisms.

    Poor or inexperienced app support personnel may inadvertently leave debug or

    diagnostic switches enabled at the conclusion of a support activity, rendering the user-specific

    data vulnerable during transit or storage on the gateway.

    Malicious User

    User-specific data is vulnerable to a malicious user who has access to, or has assumed

    one of the preceding roles to get access to, the gateway.

    User Data

    Malicious OMS Personnel

    User data transiting the gateway is vulnerable to malicious OMS personnel who have

    access to the gateway.

    Malicious App Developer

    Malicious application developers can create virus or Trojan Horse utilities or programs

    that cause the user data to be vulnerable.

    Poor or inexperienced application developers may not take appropriate security

    measures regarding their particular application, rendering user data vulnerable during

    transit of the gateway.

    Malicious App Support Personnel

    User data is vulnerable to malicious application support personnel who enable debug or

    other diagnostic switches within the gateway software that disable security mechanisms.

    Poor or inexperienced app support personnel may inadvertently leave debug or

    diagnostic switches enabled at the conclusion of a support activity, rendering the user

    data vulnerable during transit of the gateway.

    Malicious User

    User data is vulnerable to a malicious user who has access to, or has assumed one of

    the preceding roles to get access to, the gateway.

    Corporate Proprietary Data and Resources

    Malicious OMS Personnel

    Corporate proprietary data and resources on the gateway are vulnerable to malicious

    OMS personnel who have access to the gateway.


    Malicious App Developer

    Malicious application developers can create virus or Trojan Horse utilities or programs

    that cause the corporate proprietary data and resources to be vulnerable.

    Poor or inexperienced application developers may not take appropriate security

    measures regarding their particular application, leaving corporate proprietary data and

    resources vulnerable on the gateway.

    Malicious App Support Personnel

    Corporate proprietary data and resources are vulnerable to malicious application support

    personnel who enable debug or other diagnostic switches within the gateway

    software that disable security mechanisms.

    Poor or inexperienced app support personnel may inadvertently leave debug or

    diagnostic switches enabled at the conclusion of a support activity, rendering the corporate

    proprietary data and resources accessible from the gateway vulnerable.

    Malicious User

    Corporate proprietary data and resources are vulnerable to a malicious user who has

    access to, or has assumed one of the preceding roles to get access to, the gateway.

    Third-Party Data Transiting the Gateway

    Malicious OMS Personnel

    Third-party data transiting or resident on the gateway is vulnerable to malicious OMS

    personnel who have access to the gateway.

    Malicious App Developer

    Malicious application developers can create virus or Trojan Horse utilities or programs

    that cause third-party data to be vulnerable.

    Poor or inexperienced application developers may not take appropriate security

    measures regarding their particular application, rendering third-party data vulnerable

    during transit or storage on the gateway.

    Malicious App Support Personnel

    Third-party data is vulnerable to malicious application support personnel who enable

    debug or other diagnostic switches within the gateway software that disable security

    mechanisms.

    Poor or inexperienced app support personnel may inadvertently leave debug or

    diagnostic switches enabled at the conclusion of a support activity, rendering third-party

    data vulnerable during transit or storage on the gateway.

    Malicious User

    Third-party data is vulnerable to a malicious user who has access to, or has assumed

    one of the preceding roles to get access to, the gateway.


    Vulnerabilities of the Web Server and the Backend Server

    The Web server and backend server have nearly identical vulnerabilities as those identified

    for the gateway. Because we are concentrating on the wireless aspects of security,

    we will not explicitly go through the exercise of listing the vulnerabilities of these

    two functional blocks. Keep in mind that although the vulnerabilities may be identical,

    the protections or mitigations chosen can differ considerably because of the analysis of

    likelihood and the functionality trade-offs considered.

    It should be clear that when you have identified the targets and roles, stating the

    vulnerabilities becomes simple. It should also be obvious how these vulnerability

    statements can be easily modified to become requirement statements.
