Security Report: Identifying & Mitigating Wi-Fi Eavesdropping
For all the uninterrupted connectivity we enjoy over wireless networks, Wi-Fi eavesdropping is a potential threat to any of them. The advantages a Wi-Fi network offers over a wired one in an office setup, such as greater mobility, faster response, easier guest access and effortless network expansion, have been instrumental in the acceptance of this technology. But with the ever-increasing number of cyber-attacks recorded each year, a hack into the wireless network can be a damaging blow to a company’s reputation, so it is of paramount importance to set up a secured and, as far as possible, ‘hack-free’ Wi-Fi network in this office space, or anywhere else for that matter. Setting up a secured network requires first understanding the threats and vulnerabilities attached to it.
Risks attached to Wi Fi Eavesdropping
A threat is a potential danger with the ability to cause harm, damage and disruption to an information system, which can lead to loss or theft of data and subsequent repercussions. A vulnerability is a loophole or inadequacy in the system that a threat can exploit for its illicit purposes.
In a modern wireless network, the most imminent threat comes from eavesdropping (wireless hacking), which is the unintended interception of data and digital communication. All it requires is a skilled hacker with a laptop whose wireless network adapter runs in promiscuous mode, which lets it intercept network packets from any address within the wireless coverage area, together with software capable of eavesdropping over Wi-Fi. Once a hacker illegitimately penetrates the network, the risks that the vulnerabilities expose include:
- Access to Files
- Access to Login credentials including passwords
- Back Door Entry
- Denial of Service [DoS/DDoS] attacks
- Contravention of data privacy laws
- Zombie Attacks
Common Methods/Processes of Wi-Fi Eavesdropping
It is evident that an unsecured, hacked wireless network can damage the financial and legal standing of a company and can cause irrevocable damage to its position and reputation in the industry. Illicit attacks are mainly made on the internal protocol stacks, so it is important to understand the algorithms used in Wi-Fi networks and the techniques used to attack them.
- WEP, or Wired Equivalent Privacy, generally runs on a 40-bit key which is 8 characters long and a 24-bit initialization vector. Rivest Cipher 4 (RC4) is used for confidentiality and Cyclic Redundancy Check 32 (CRC-32) for integrity. There is a high probability of the per-packet key being repeated every 5000 packets, and hence once sufficient data packets have been captured and accumulated, breaking the key can be plain sailing. Even a 128-bit key of a WPA transmission system is subject to ready decryption with the aid of modern hacking tools. A few published methods of attack on WEP and WPA are listed below:
- FMS Attack
- KoreK Attack
- Chopchop Attack
- Fragmentation Attack
- PTW Attack
- Google Replay Attack
- Coolface Attack
- Beck & Tew’s improved Attack
- Ohigashi Mori Attack
- Michael Attacks
- The Hole 196 Vulnerability
- Dictionary Handshake Attack
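The ‘every 5000 packets’ figure in the WEP paragraph above can be checked with the birthday bound on the 24-bit IV. The following is an added worked example, not part of the original report: it computes the exact probability that a random 24-bit IV (and with it the per-packet RC4 key) repeats within a given number of packets, and the packet count at which a repeat becomes more likely than not. The constant and function names are my own.

```python
import math

WEP_IV_BITS = 24  # WEP prepends a 24-bit IV to the secret key, as described above


def iv_repeat_probability(packets, iv_bits=WEP_IV_BITS):
    """Exact probability that at least two of `packets` random IVs coincide
    (the birthday problem over 2**iv_bits values). Accumulated with log1p so
    small probabilities are not lost to rounding."""
    space = 1 << iv_bits
    if packets > space:
        return 1.0  # pigeonhole principle: a repeat is certain
    log_no_repeat = 0.0
    for i in range(packets):
        log_no_repeat += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_repeat)


def packets_for_repeat(target=0.5, iv_bits=WEP_IV_BITS):
    """Smallest packet count at which a repeated IV is at least `target` likely,
    found in one linear pass rather than by re-evaluating the product."""
    space = 1 << iv_bits
    log_no_repeat, n = 0.0, 0
    while 1.0 - math.exp(log_no_repeat) < target:
        log_no_repeat += math.log1p(-n / space)  # now P(no repeat among n+1 packets)
        n += 1
    return n


if __name__ == "__main__":
    for n in (1000, 5000, 10000, 50000):
        print(f"{n:>6} packets: P(IV repeat) = {iv_repeat_probability(n):.4f}")
    print("repeat more likely than not after", packets_for_repeat(), "packets")
```

With 24 bits the 50% point lands just under 5000 packets, which is the figure the report quotes; a busy AP reaches that in well under a minute.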
- Wireless networks are also vulnerable to DoS and DDoS attacks, which a perpetrator can readily execute by flooding authentication, de-authentication, association or disassociation frames between the user and the wireless access point. Once the devices in the network are de-authenticated, they will try to auto-reconnect and establish the Pairwise Transient Key using the four-way handshake. A rogue AP can record this data in the form of a hashed password that can subsequently be decrypted using a rainbow table attack, which reverses cryptographic hash functions.
Figure 1. Diagram of a De-Authentication Attack 
- Hackers can also find a way into a wireless network using the MITM [Man in the Middle] method. A rogue access point inserts itself into the transmission by impersonating a legitimate AP, with the intention of disrupting the communication and gathering sensitive network packets. A minimalistic diagram is furnished below for reference.
Figure 2. Diagram of a MITM Attack 
- The final nail in the coffin comes from the multitude of hardware and software tools readily available on the market that facilitate Wi-Fi eavesdropping and make it a rather easy affair. A custom-built Prism2 network adapter running in promiscuous mode or a powerful waveguide directional antenna can intercept wireless traffic from a considerable distance. A few software tools commonly used for Wi-Fi eavesdropping and network troubleshooting are:
- Cain & Abel
- Fern WiFi Cracker
- CommView for WiFi
A Brief History of Network Eavesdropping and Lessons Learnt from them
To understand the genesis of a network attack, what BlockTech needs to consider is what is at stake for the company. Being a financial service provider, a full breach of the wireless network can reveal and expose sensitive information like user names, addresses, telephone numbers, e-mail addresses and, in the worst case, bank account numbers and credit card details. This could eventually lead to lawsuits and a host of other data privacy and security issues.
- The Google Wi Fi Sniffing Case
The Internet giant Google Inc. came under legislative scrutiny for being a Wi-Fi sniffer (a colloquial term mainly used for entities that engage in Wi-Fi eavesdropping). In 2012, the Federal Communications Commission (FCC) released a document which apparently disclosed for the first time that the software operating in the Google Street View mapping cars was actually built to collect Wi-Fi payload data, and it has been speculated that the collected data was even transferred to a certain Oregon storage facility. This is under any circumstance a direct violation of the Data Protection Act and is as malicious as any other Wi-Fi eavesdropping instance, except that this time the general population was on the receiving end rather than an organization with tons of data. In what is considered the biggest wiretapping program in the United States, Google defended its position in court with the argument that encrypted Wi-Fi capturing is not considered wiretapping, and further petitioned the High Court to move the case to the Supreme Court. Experts argue that Google has unknowingly opened the gates for hackers to eavesdrop on public Wi-Fi networks to extract sensitive information like credit card numbers.
IT professionals regularly use similar technology to collect packet data in order to secure company networks; unlike Google, which never used the data it collected, IT professionals analyze the data collected from Wi-Fi networks to identify vulnerabilities and design mitigation techniques to safeguard the company’s security system.
- The Dyn Inc. Wi Fi Breach
A few years later, in October 2016, Dyn Incorporated, an Internet performance management and web application security company, experienced a massive Wi-Fi breach which temporarily managed to cripple thousands of websites and left customers briefly stranded and in the dark. This sophisticated and potentially fatal attack was first recognized by unusually elevated bandwidth against their Domain Name System platform in several regions across the globe, a pattern conventionally associated with network breaches, closely followed by extensive flooding of TCP and UDP packets on port 53 from a variety of source IP addresses. This sudden and unanticipated traffic obliged the Dyn network management team to initiate its incident response protocol, which consists of an automated response and a state-of-the-art mitigation tactic involving shaping of the incessant, abrupt traffic arriving from unknown sources, manipulating anycast policies and rebalancing the traffic, applying internal filters and deploying scrubbing services. The attack momentarily subsided, but a couple of hours later a second attack was recorded that was similar to the first but more globally diverse. However, the already alert mitigation team was able to repel the attack, and by the end of the day the Dyn professionals had successfully restored normal operations. Subsequent investigation revealed the ‘Mirai Botnet’ as the source of the illegitimate and malicious traffic, and it was established that the impact was exacerbated by recursive DNS retry traffic.
Although in both these instances a degree of volatility and vulnerability can be inferred in the security of IoT [Internet of Things] devices, it is quite evident that a prompt and sophisticated mitigation and incident response setup can avert an ignominious incident.
Identifying & Mitigating Wireless Network Hacking
Under the current circumstances, BlockTech should take the necessary steps to rebuild the current WLAN, which still runs on WEP, and immediately replace it with a relatively modern setup as detailed in the following discussion. Being a financial company, protecting user data, which contains sensitive financial information, should be the top priority, and the present system is clearly incapable of doing so. It should be brought to the attention of the Board and the Management that this primitive system not only puts the user computers [PCs and laptops] at risk but also leaves the databases and servers of BlockTech vulnerable and exposed to network breaches. The following sections of this report aim to describe an Intrusion Prevention System that should be able to identify and mitigate any risk in time and secure the company’s database from breaches and hacks. It also sets out a risk mitigation technique against Wi-Fi eavesdropping, an exponentially growing threat in the world of cybercrime.
In an effort to reinstate a sound and secured WLAN in the organization, it is important to get the basics right before digging deep into the specifics of the technology. A modern and avant-garde WLAN should comply with the following:
- While setting up a wireless router, the password should be changed from the default password for basic security, and the password chosen should be abstract and cryptic.
- Every user computer should be equipped with a strong firewall, which should ideally block simple network trespassing.
- The default SSID name should be changed upfront and SSID broadcasting should be turned off to prevent data packets from being easily intercepted.
- DHCP (Dynamic Host Configuration Protocol) should be disabled and a manual IP address assigned on each user PC, which in turn restricts access to the router.
- Needless to say, all WEP systems should be replaced with the latest WPA2 systems, which use a more robust 128-bit encryption key that is relatively harder to crack.
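To make the checklist above auditable on the access point side, here is an added example (not from the report) that reads a hostapd-style `hostapd.conf` and reports which items fail; the WEP, WPA2, default-SSID, SSID-broadcast and passphrase checks map onto the list, while the firewall and DHCP items live outside the AP configuration and are not covered. The default-SSID list, the 20-character passphrase policy and both sample configurations are constructed.

```python
# Constructed list of vendor default SSIDs; extend it from your own inventory.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link", "wireless"}
MIN_PASSPHRASE_LEN = 20  # assumed local policy; hostapd itself only requires 8


def parse_hostapd(text):
    """Minimal hostapd.conf reader: key=value lines, lines starting with '#' are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_ap_config(text):
    """Return the checklist items this AP config fails (an empty list means it passes)."""
    cfg = parse_hostapd(text)
    findings = []
    if any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP keys configured: migrate to WPA2 (wpa=2, rsn_pairwise=CCMP)")
    if cfg.get("wpa") != "2":
        findings.append("wpa is not 2: WPA2-only is not enforced")
    if "TKIP" in cfg.get("rsn_pairwise", "") + cfg.get("wpa_pairwise", ""):
        findings.append("TKIP allowed as pairwise cipher: use CCMP only")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("vendor default SSID in use: change it")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled: set ignore_broadcast_ssid=1")
    if cfg.get("wpa") == "2" and len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append(f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    return findings


# Constructed before/after configurations, not taken from any real deployment.
WEAK_CONFIG = """
interface=wlan0
ssid=linksys
wep_default_key=0
wep_key0=0123456789
"""

HARDENED_CONFIG = """
interface=wlan0
ssid=BlockTech-Staff
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Example-Long-Passphrase-Change-Me-2024
"""
```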
Securing the network against Wi Fi Eavesdropping
As the Chief Security Officer, formulating and designing a sophisticated Intrusion Prevention System [IPS] is incumbent and mandatory; it will protect the WLAN of BlockTech from future threats like a Denial of Service attack, a Man in the Middle attack or a well-executed MAC spoofing attack. Theoretically, an IPS is a network security device that oversees and scans network traffic, with the ability to detect malicious activity and act in real time to mitigate any illegitimate activity in the transmission network. It integrates the capabilities of a firewall and an Intrusion Detection System [IDS] and can block malicious data packets on detection. Although there are certain challenges in assembling an IPS for a Wi-Fi network, once installed an efficient IPS should serve the following functions:
- Should be able to automatically detect and classify WLAN threats.
- Should be able to evaluate an attack and recognize an attack plan.
- Should be able to actively and promptly respond to an ongoing or potential attack by deploying its protocols.
A framework for a well-organized Wireless IPS with an inbuilt Incident Response Engine [IRE] is furnished herewith for reference and action:
Figure 3. A Wireless IPS with IRE 
As can be inferred from Figure 3, this tailor-made WIPS consists of the following components, each installed to serve a specific function.
- The Honeypot Network is a false AP designed to capture a hacker’s attention and trap them while they attempt to penetrate the Wi-Fi network.
- The Packet Capturing Agent is configured to capture all 802.11 packets and use the collected information to analyze and evaluate the prospect of a threat.
- The Plan Recognition Server is equipped with the IRE and will be able to initiate any mitigation or emergency protocol automatically by evaluating the incoming traffic.
- The Management Console is capable of sending information within the system to alert against malicious activities and should, if necessary under extreme circumstances, disconnect the network and take it offline to stop an ongoing threat.
- The Information Database is the storehouse for all the 802.11 packets of data.
The Incident Response Engine [IRE] is the central executive and the most integral part of the WIPS and carries out a series of functions according to a programmed flowchart. Based on the data packets captured in the honeypot, the IRE automatically evaluates and classifies the data as legitimate or malicious, and initiates subsequent actions accordingly. When a hack is detected, the IRE activates the Management Console to send alert responses and carries out other adaptive actions according to the protocol. Unlike in a wired network, understanding the genesis and intention of a wireless network breach is tricky, and the IRE will automatically detect the intention of the perpetrator and act accordingly.
All said and done, it should also be realized that no matter how foolproof a system is, it should have the flexibility to evolve and adapt to changes in the environment and technological advances. Cyber criminals are constantly evolving and formulating new techniques to penetrate security systems, and as a CISO it is imperative to think ahead and evolve so that an installed prevention system is always equipped and ready for future attacks.
With the advancement of technology and the dependence on WLANs for business proceedings, BlockTech, being a key market player, should be on top of its game when it comes to Information Security and Assurance. It is of utmost importance to create and maintain a sophisticated Intrusion Prevention System against network breaches, and although it is conjectured that a Wi-Fi system, even with all its modern updates, is weak and hack-prone, setting up an efficient counter-attack strategy and system like the one described in this report will definitely save the day for the company and be highly remunerative in the long run. As the CISO, it is also necessary to create a ‘worry-free’ atmosphere with regard to data breaches and, as part of the fraternity, it is time to collectively dispel the commonly circulating quote ‘FEAR IS IN THE AIR’.
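As an added example (not from the original report or the WIPS paper it cites), the following Python sketch shows the de-authentication flood from Figure 1 being recognized the way the Packet Capturing Agent and the IRE described above would see it: deauth/disassoc frames are counted per BSSID in a sliding time window, each frame is classified as legitimate or malicious, and a flood produces one alert for the Management Console. The frame fields, the threshold and the window length are assumptions, and the capture is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed tuning: a genuine station sends a handful of deauth/disassoc frames;
# dozens within two seconds from one BSSID is treated as a flood.
DEAUTH_THRESHOLD = 20
WINDOW_SECONDS = 2.0

@dataclass
class Frame:          # one 802.11 frame as the Packet Capturing Agent hands it over
    ts: float         # capture time in seconds
    subtype: str      # "deauth", "disassoc", "auth", "assoc" or "data"
    bssid: str        # AP the frame claims to belong to
    reason: int = 0   # 802.11 reason code (deauth/disassoc only)

class DeauthFloodDetector:
    """Slides a time window over deauth/disassoc frames per BSSID and flags a flood."""
    def __init__(self, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # bssid -> timestamps inside the window
        self.alerted = set()              # BSSIDs already reported (one alert each)

    def observe(self, frame):
        """Alert dict if this frame tips its BSSID over the threshold, else None (legitimate)."""
        if frame.subtype not in ("deauth", "disassoc"):
            return None
        seen = self.recent[frame.bssid]
        seen.append(frame.ts)
        while frame.ts - seen[0] > self.window:  # expire frames older than the window
            seen.popleft()
        if len(seen) >= self.threshold and frame.bssid not in self.alerted:
            self.alerted.add(frame.bssid)
            return {"bssid": frame.bssid, "count": len(seen), "window_s": self.window,
                    "reason": frame.reason, "verdict": "malicious",
                    "action": "alert Management Console"}
        return None

def classify_capture(frames, detector=None):
    """IRE front end: run a capture through the detector and collect its alerts."""
    detector = detector or DeauthFloodDetector()
    return [a for f in frames if (a := detector.observe(f)) is not None]

def sample_capture():
    """Constructed capture: normal traffic plus one genuine deauth on AP ...:01, then 40 deauths in 2 s spoofing AP ...:02."""
    ap1, ap2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    frames = [Frame(float(i), "data", ap1) for i in range(5)]
    frames.append(Frame(2.5, "deauth", ap1, reason=3))  # reason 3: station is leaving
    frames += [Frame(10.0 + i * 0.05, "deauth", ap2, reason=7) for i in range(40)]
    return sorted(frames, key=lambda f: f.ts)
```

The single legitimate deauth on the first AP never reaches the threshold, while the burst on the second AP is reported once, at the 20th frame, with the count and window that triggered it.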
G. Chen, H. Yao and Z. Wang, “Research of wireless intrusion prevention systems based on plan recognition and honeypot,” 2009 International Conference on Wireless Communications & Signal Processing, Nanjing, 2009, pp. 1-5.
S. Vinjosh Reddy, K. Sai Ramani, K. Rijutha, Sk. Mohammad Ali and CH. Pradeep Reddy, “Wireless hacking – a WiFi hack by cracking WEP,” 2010, pp. V1-189, doi:10.1109/ICETC.2010.5529269.
Matthieu Caneil and Jean-Loup Gilis, “Attack against the WiFi protocols WEP and WPA,” Oct–Dec 2010, https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf
Martin Beck and Erik Tews, “Practical attacks against WEP and WPA,” Proc. of ACM WiSec Conf., pp. 79–86, Mar. 2009.
Fadi Farhat, University of Windsor, “Eavesdropping Attack over WiFi,” web2.uwindsor.ca/courses/cs/aggarwal/cs60564/…/FadiFarhatAssignment2,doc.
Harpreet Passi, “Top 15 Prominent Wireless Hacking Tools to watch out for in 2018,” https://www.greycampus.com/blog/information-security/top-wireless-hacking-tools
Anita Campbell, “Hack-Proof Your Company’s Wi-Fi,” https://www.inc.com/comcast/hack-proof-your-companys-wifi.html
Scott Hilton, “Dyn Analysis Summary of Friday October 21 Attack,” https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
David Kravets, 2012, https://www.wired.com/2012/05/google-wifi-fcc-investigation/
Kevin Poulsen, 2014, https://www.wired.com/2014/04/threatlevel_0401_streetview/