How insecure Wireless really is…

Author: Martin Voelk
December 9, 2014

Forget everything you have heard about Wireless Security. In our Wireless Penetration Tests we are able to break into 95% of all tested systems. Why? Because there are so many attack vectors against Wireless Networks.

WEP Encryption

WEP Encryption = No encryption. Breaking a WEP key with or without clients is a matter of minutes.


Capturing the 4-way handshake is a matter of minutes. A 34 GB dictionary, pre-computed rainbow tables of several hundred gigabytes and cloud-based crackers give a success chance of 80%. The remaining 20% are crackable one way or another through a social engineering attack in which users simply enter their key into a real-looking authentication portal. Once the key has been obtained, the possibilities for further attacks are unlimited.

Client Side Attacks

Corporate and private user devices will connect to Evil Twin APs set up by the attacker. This time the goal is to infect the client browsers with malware, which in turn gives the attacker full control over the victim machine.

Man in the Middle Attacks

Fake hotspots that look legitimate are used to capture credentials such as emails and passwords, credit card information or PayPal logins. Thereafter any user activity is captured (websites visited, credentials entered, images browsed). Even SSL connections are broken with SSL strip: the attacker proxies the SSL connection to an HTTPS website and the user is simply presented with everything in clear text.

Denial of Service

Wireless jammers are becoming cheaper and cheaper. They can be bought in China and ship without any problems to any country. The Chinese companies label them as Access Points and shipping goes through without any problem. The high-end boxes cost about $200 each, are twice the size of a cigarette box and come with power packs. These jammers block cell, Wi-Fi and GPS in their vicinity. Imagine 10 of those strategically placed at a competitor's office! Many look like air fresheners.

Attacks against RADIUS / Corporate Wifi 802.1x

The attacker simulates the RADIUS server. Users enter their credentials. The challenges are captured and can be decrypted; the username comes in clear text. This works well because the full mutual client/server authentication cycle is often not implemented by default.
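The gap described above (clients that never verify the RADIUS server) and the WEP case can both be checked on the client side. The following is an added example, not part of the original post: it assumes clients configured through wpa_supplicant, the function names `parse_networks` and `audit` are hypothetical, and the sample configuration is constructed.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are made up.
SAMPLE_CONF = '''
network={
    ssid="legacy-warehouse"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-wifi-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

# wpa_supplicant options that pin the RADIUS server's certificate name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one {option: value} dict per network={...} block."""
    bodies = re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf, re.S)
    option = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$", re.M)
    return [{k: v.strip('"') for k, v in option.findall(b)} for b in bodies]

def audit(conf):
    """Return (ssid, finding) tuples for weak client settings."""
    findings = []
    for net in parse_networks(conf):
        ssid = net.get("ssid", "<unnamed>")
        if any(name.startswith("wep_key") for name in net):
            findings.append((ssid, "WEP key configured"))
        if "EAP" in net.get("key_mgmt", ""):
            if not ("ca_cert" in net or "ca_path" in net):
                findings.append((ssid, "802.1X: server certificate not validated"))
            elif not any(name in net for name in NAME_CHECKS):
                findings.append((ssid, "802.1X: server name not pinned"))
    return findings

if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONF):
        print(f"{ssid}: {finding}")
```

A profile with a CA certificate but no name check is still reported, because the client would then accept any server certificate issued by that CA.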

Think again if the vendors tell you about great Wireless Security. It’s not that great after all…