Understanding the Threats
Introducing wireless networking into your organization opens the door to three new types of attacks on your network: war driving, direct hacking, and employee ignorance. Let me explain each of these in detail.
You know you've entered a new realm of network security when "driving" becomes one of the intrusion efforts. This term actually originated from the days of old, when a similar method known as war dialing was in place. In the 1980s, most businesses connected offices through dialup connections, typically using modems. War dialing would consist of a hacker randomly dialing through the phone number range in his local area (for example, setting up his modem to dial numbers 100-0000 through 999-9999 in the U.S.). The dialing itself was not the hacking attempt; rather, it was a scan for phone numbers responding to modem signals.
War driving uses a similar concept. An intruder mounts an 802.11-compatible wireless antenna on his vehicle and drives through the city, identifying available wireless networks. When combined with a Global Positioning System (GPS) device, war-driving software (such as Kismet or KisMAC) can be very accurate in pinpointing the available wireless networks on a map of the city. When the intruder returns home, he can analyze the available networks and plot his next steps of attack.
Keep in mind that war driving can discover wireless networks even if they are encrypted, authenticated, and/or using a "hidden" (nonbroadcast) SSID.
The direct hacking effort typically begins after the war-driving scan of the area is complete. The intruder then identifies what network(s) he wants to attack. The hacking effort can come in many forms:
- Breaking into the WLAN: As soon as the intruder has identified available wireless networks, he can try to break the encryption and/or authentication system. Although this can be accomplished (with much effort) from the attacker's home, it is usually attempted within range of the wireless signal. For example, the attacker can sit in the parking lot and attempt to break into the building's wireless network. If he is successful, he joins the wireless network and begins scanning the internal network of your organization to find available resources.
- Decrypting data: Because wireless network communication is transmitted into the air, anything that your users access from a wireless device has the potential to be captured by an intruder's wireless sniffer software. If this data is sent unencrypted, the intruder can simply reassemble the packets to regenerate the original file (such as a Microsoft Word document, an Adobe Acrobat PDF file, or even a VoIP conversation). If the data is encrypted, the intruder captures the data and returns home to attempt to break the encryption keys. If he is successful, he can reassemble the original files and steal corporate data.
- Attempting a wireless DoS attack: The final effort that can be accomplished by direct hacking methods is to unleash a denial of service (DoS) attack on the wireless network. If the intruder is successful, the wireless access point that he attacks is rendered inoperable to your company. This type of attack is not as common in a WLAN environment, because most companies have not yet moved critical network services to the wireless network. The hacker's efforts would be seen as more of a temporary inconvenience than a major network issue.
Employee ignorance was the best term I could come up with for this category of security threat. Depending on the individual employee, I suppose you could substitute "insolence," "rebellion," or "stupidity" for the word "ignorance." Here's the concept: Your company policy dictates that you will not run wireless networking because of security threats. However, the "ignorant" employee has a laptop he really wants to use with wireless technology, which gives him the freedom to roam between areas while remaining connected to the network. The employee takes networking into his own hands and connects a low-end wireless access point to the network jack in his cubicle. With the click of a Cat 5 cable, your network security has been reduced to nothing, and a gaping hole into the network is now broadcast to the outside world. This same issue can occur even if your company provides a WLAN network and the user is just outside the range of the wireless signal. If appropriate detection measures are not taken, this massive hole in your network security can go undiscovered for months!
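A defender-side illustration of the detection measures this paragraph ends on, added here as an example and not part of the original text: a short Python routine that compares a wireless survey (a constructed set of beacon observations carrying BSSID, SSID, channel, signal strength and the name of the sensor that heard them) against an inventory of the access points IT actually deployed, and classifies every radio that is not in that inventory. The inventory, the MAC addresses, the sensor names and the -65 dBm "probably indoors" threshold are all assumptions made up for the example; in practice the observations would come from the monitoring feature of the corporate APs or from a dedicated wireless sensor.

```python
"""Rogue access point triage from a wireless survey (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed inventory: radio MAC (BSSID) -> SSID that IT configured on that AP.
AUTHORIZED_APS: Dict[str, str] = {
    "00:11:22:33:44:01": "CorpWLAN",
    "00:11:22:33:44:02": "CorpWLAN",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())

# Assumed threshold: a beacon this strong at an indoor sensor most likely comes
# from a radio inside the building rather than from a neighbouring office.
INDOOR_RSSI_DBM = -65


@dataclass(frozen=True)
class Observation:
    bssid: str      # MAC address carried in the beacon or probe response
    ssid: str       # "" when the AP does not broadcast (hides) its SSID
    channel: int
    rssi_dbm: int   # received signal strength measured by the sensor
    sensor: str     # name of the monitoring sensor that heard the frame


def classify(bssid: str, ssid: str, rssi_dbm: int) -> str:
    """Categorize one AP from its strongest observation."""
    expected = AUTHORIZED_APS.get(bssid.lower())
    if expected is not None:
        # Known radio; a different (or hidden) SSID means its configuration drifted.
        return "authorized" if ssid == expected else "misconfigured"
    if ssid in CORPORATE_SSIDS:
        # Unknown radio advertising the corporate network name: employee laptops
        # may auto-join it, so this is the highest-priority finding.
        return "rogue-impersonating"
    if rssi_dbm >= INDOOR_RSSI_DBM:
        # Unknown radio heard strongly, hidden SSID or not: the "AP plugged into
        # a cubicle jack" case.  Walk the floor and find it.
        return "rogue-suspect"
    return "neighbor"   # weak and unknown: probably outside the premises, still logged


def analyze(observations: Iterable[Observation]) -> List[dict]:
    """Collapse repeated sightings to the strongest one per BSSID and classify each."""
    strongest: Dict[str, Observation] = {}
    for obs in observations:
        key = obs.bssid.lower()
        if key not in strongest or obs.rssi_dbm > strongest[key].rssi_dbm:
            strongest[key] = obs
    findings = []
    for key, obs in sorted(strongest.items()):
        findings.append({
            "bssid": key,
            "ssid": obs.ssid or "<hidden>",
            "channel": obs.channel,
            "rssi_dbm": obs.rssi_dbm,
            "sensor": obs.sensor,
            "category": classify(key, obs.ssid, obs.rssi_dbm),
        })
    return findings


def needs_action(findings: List[dict]) -> List[dict]:
    """Findings a security team should follow up on."""
    return [f for f in findings
            if f["category"] in ("rogue-impersonating", "rogue-suspect", "misconfigured")]


# Constructed survey: two IT-deployed APs, one unknown AP copying the corporate
# SSID, one hidden-SSID AP heard strongly by two sensors, and a distant neighbour.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "CorpWLAN", 6, -48, "sensor-floor1"),
    Observation("00:11:22:33:44:02", "CorpWLAN", 11, -55, "sensor-floor2"),
    Observation("aa:bb:cc:dd:ee:10", "CorpWLAN", 1, -70, "sensor-floor2"),
    Observation("aa:bb:cc:dd:ee:20", "", 6, -42, "sensor-floor1"),
    Observation("aa:bb:cc:dd:ee:20", "", 6, -80, "sensor-floor2"),
    Observation("12:34:56:78:9a:bc", "CoffeeShop", 1, -84, "sensor-floor1"),
]

if __name__ == "__main__":
    for f in needs_action(analyze(SAMPLE_SCAN)):
        print(f"{f['category']:20} {f['bssid']}  ssid={f['ssid']}  "
              f"{f['rssi_dbm']} dBm ch{f['channel']} via {f['sensor']}")
```

Two design points worth noting. Signal strength is only a hint, so the routine never suppresses an unknown radio that uses the corporate SSID on account of a weak signal; an impersonating AP is flagged regardless of where it appears to be. And because a hidden SSID only removes the name from beacons, not the beacons themselves, the cubicle AP in the sample is still caught on its BSSID and signal level, which is the same reason the text gives for war driving finding "hidden" networks.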