Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt from the Wi-Fi Vulnerabilities Part 1 webinar
Find Out More About Wi-Fi Monitoring from CTO Dr. Brett Walkenhorst.
In the video, CTO Dr. Brett Walkenhorst discusses the threat category of monitoring in Wi-Fi networks, explaining how attackers can gather information from openly available packets, including beacons, probe requests, and four-way handshake packets. Learn more below on the vulnerabilities of open networks and poorly configured networks to eavesdropping attacks.
So at this point, let's dive into the monitoring threat category. There are packets that contain information that's openly available. All you need to do is listen. You don't have to authenticate anything. You just have a device that is capable of receiving and demodulating Wi-Fi packets, and you listen.
So beacons and probe packets are at the top of that list. There's also utility from a hacker's perspective in listening to and recording those four-way handshake packets that I described, those EAPOL messages. But primarily, I'm gonna focus on the first set, the discovery type, because they contain a lot of useful information that people wanna monitor before they attempt to launch something more sophisticated.
But in addition to that, in addition to just gathering intel, networks that don't use encryption are vulnerable to a direct attack using just a monitoring device. So if I'm listening to an open network, basically, I can hear all of the payload that anyone is saying, and I don't even have to be on the network.
So all of that is wide open. Now, hopefully and this is just one of the reasons that we don't wanna use open networks. But, hopefully, if you are gonna use an open network, you're gonna at least use VPN to obscure the payload information. And at the very least, make sure that you're not conducting any transactions over HTTP, which would mean there's no application layer security.
In addition, open networks are more susceptible to evil twin attacks. So if you have a system for monitoring the Wi-Fi in your area, folks talk about a technique, or methodology rather, called war driving. This is the idea where I'm gonna take my monitoring system out on the road.
I'm gonna drive around in a vehicle. I could load it in a backpack depending on my use case. But, basically, I'm just gonna wander around, and I'm gonna gather information as I go. So maybe I'm casing an area, a facility that I'm targeting, and I'm just gonna see what's out there.
So I'm gonna wander around for some amount of time and gather what I can, and then I'll go back to my little cave and I'll analyze that data that I've collected and decide how I want to go about attacking whatever target that I'm after. There's lots of hardware and software that's available to do this kind of thing.
And as I think I've mentioned, most attacks begin with monitoring. So this is often step one. So all these packets that you can sniff have useful information. I've mentioned the value of the discovery packets. There's data like network names, MAC addresses, encryption, device capabilities. And one more thing that turns out to be pretty useful for various reasons is clients' preferred networks.
So a client, when you join a network, your device is most likely capturing the information associated with that network in some list that it maintains. This is its preferred networks list. And it retains certain information that allows you to seamlessly reconnect the next time you're in the vicinity of that network.
Well, you recall that there's two types of probe requests. One is called a directed probe request, and that's the kind that says, hey. Is network x y z out there? I know network x y z. Are you there? And if network x y z is there, they'll respond.
Well, if I'm out there monitoring, well, guess what? I'm getting all that information. I'm getting your directed probe requests that are sharing with me everybody that's in your PNL. So anyone that you've connected to that you haven't cleared out of that list, there's the potential for your device to be advertising the fact that you once connected to those networks, especially if its SSID has something specific that would allow me to identify a specific location like Austin Convention Center or something like that, then I know exactly where you were.
That may not be a big deal, but it's that kind of information that's being flowed out that an attacker can use potentially to identify certain things about pattern of life of a device and, ultimately, perhaps, even identify a person as associated with that device. Now that's a bit of a stretch with just PNLs alone, but you get the idea that there's information being flowed out that can potentially compromise you in some way and can give the attacker some additional information that allows them to properly vector their attack.
Okay. So what's the impact of all this? Well, as I indicated, the direct impact from monitoring alone isn't typically a big deal, but it's positioning an attacker to conduct a more effective attack down the road as there's a lot of useful information here. There's MAC addresses, capabilities, encryption type, and, of course, the attacker's device that they're using to monitor most likely has a GPS chip on it.
So they're logging their position along with that, and all that stuff is available to them to tease out and figure out what's going on and what they wanna do. So there's lots of good information that comes from that. Open networks, poorly configured networks, network topology, resources, etcetera.
A direct impact can be, as I've mentioned, from open networks, especially data compromise can be achieved immediately via eavesdropping. So it's never as simple as it sounds, but there is the potential for that to occur. So what can we do? I mean, this is the first threat category that I'm talking about.
The truth is, for this threat category of monitoring, there's not a lot you can do. You can't really stop people from finding out about your network. What you can do, you can try to clean that up a little bit. Like, you can clean up your PNL, your preferred networks list.
But that's just one small piece of the puzzle. An attacker can still get a lot of information, and there's really not much you can do because this is the classic functionality versus security tug of war that we always play. The functionality is these devices work because they can find each other.
We cannot eliminate the discovery portion of the sequence because then nothing's working. So that has to be there. And because clients that have no prior authentication to some network have the ability to find that the network is there with the potential to join it, that's the functionality we want.
By definition, anybody can then see it. Right? So if you're a monitoring system, you're gonna see that stuff too. So there's really nothing we can do about it if we want the functionality that we've come to appreciate. It would be a huge paradigm shift to try to take this away from these hackers.
But you can do some things to try to make yourself not such an easy target. And this is all the same bread and butter security 101 type stuff that you've probably heard many times. So I'm not gonna belabor this too much, but just simple things like use good encryption, use strong passwords, change the default SSID, disable WPS.
I know I haven't described all that in detail, but, you know, just clean up that stuff. Don't make yourself a target by positioning yourself as an easy attack. And then another one that you probably hear all the time, just keep devices up to date with software and firmware updates.
But, you know, just good advice, good security hygiene. Keep your devices up to date.
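As an added example (not from the webinar or from Bastille), here is a small Python parser that reads 802.11 probe request frames and reports which SSIDs each client is advertising from its preferred networks list, the leakage described above; the frames are constructed sample bytes, not real captures, so a defender can use it to audit their own devices' probe behaviour offline.

```python
"""Audit PNL leakage in 802.11 probe requests (added example, constructed data)."""
from collections import defaultdict

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Construct a minimal probe request frame (type 0, subtype 4)."""
    fc = b"\x40\x00"            # frame control: management / probe request
    duration = b"\x00\x00"
    bcast = b"\xff" * 6
    seq = b"\x00\x00"
    hdr = fc + duration + bcast + src_mac + bcast + seq   # 24-byte MAC header
    ssid_b = ssid.encode()
    body = bytes([0, len(ssid_b)]) + ssid_b               # element 0 = SSID
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])         # element 1 = rates
    return hdr + body

def parse_probe_request(frame: bytes):
    """Return (src_mac, ssid) for a probe request, or None for other frames."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None                                        # beacon, data, etc.
    src = ":".join(f"{b:02x}" for b in frame[10:16])      # Address 2 = sender
    pos = 24
    while pos + 2 <= len(frame):                           # walk tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        val = frame[pos + 2 : pos + 2 + elen]
        if len(val) < elen:
            break                                          # truncated element
        if eid == 0:
            # empty SSID = wildcard (broadcast) probe, leaks nothing
            return src, val.decode("utf-8", "replace")
        pos += 2 + elen
    return src, ""

def pnl_leakage(frames):
    """Map each client MAC to the sorted list of SSIDs it probed for by name."""
    leaks = defaultdict(set)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed and parsed[1]:                           # directed probes only
            leaks[parsed[0]].add(parsed[1])
    return {mac: sorted(s) for mac, s in leaks.items()}

# Constructed sample: one client sends two directed probes and one wildcard probe.
CLIENT = bytes.fromhex("020000000001")                     # locally administered
SAMPLE_FRAMES = [
    build_probe_request(CLIENT, "Austin Convention Center"),
    build_probe_request(CLIENT, ""),
    build_probe_request(CLIENT, "HomeNet"),
]
```

Running `pnl_leakage(SAMPLE_FRAMES)` shows the two directed SSIDs for the client while ignoring the wildcard probe; the same function can be fed frames from your own monitor-mode capture to see what your fleet is leaking.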