T 5.138 Attacks on WLAN components
Security deficiencies in wireless communication, in individual WLAN clients, in access points, or in the distribution system can lead to attacks being successful. In this case, internal data can be read or changed, but WLAN components can also be manipulated so that they in turn can be used as points of entry for attacks on other network and network components.
Intentionally interfering with the wireless network
A WLAN can be deliberately disrupted by operating sources of interference, also referred to as jammers. This can lead to the complete failure of a WLAN and therefore represents a denial-of-service attack at the physical level. The source of interference, when it has sufficient transmitting power, can also be located outside of the area in which the WLAN is used.
Simulating a valid authentication
An attacker could record, analyse, and then resend certain control and management signals to simulate a valid authentication of a WLAN component in the WLAN, and therefore obtain unauthorised access to the WLAN.
Simulating a valid access point
A man-in-the-middle attack can be performed by smuggling access points into a WLAN from the outside (also referred to as "cloning" or an "evil twin"). To accomplish this, an additional access point can be installed near a client. If this access point provides the WLAN client with a higher transmitting power than the real access point, then the client will use it as its base station when mutual authentication is not enforced. Furthermore, the official access point may be disabled by a denial-of-service attack. The users then operate in a network that only pretends to be the target network. This makes it possible for an attacker to listen in on communications.
Poisoning or spoofing methods can also simulate a false identity for an attacker or redirect the network traffic to the systems of the attacker, meaning the attacker can intercept and control communications.
Compromising the distribution system
In addition to connecting an outside access point, it is also possible to compromise the distribution system by inserting an external hub or switch between the access point and distribution system, provided that this area is accessible.
By connecting a protocol analyser, all communication between the access point and distribution system can be recorded. Furthermore, using corresponding tools, an active attack on the infrastructure or on a client of the associated access point can be performed. "Breaking" the WLAN encryption is not even necessary in this case since data is transmitted completely unencrypted in the LAN section of the distribution system when no encryption mechanisms are used at the application level or protocol level, for example using VPN technologies.
Attacks on WLAN clients
When a client connects to a WLAN, there are additional threats to the local data on the client. On one hand, attacks could be carried out on WLAN mechanisms, but also on any vulnerabilities of the operating system used. A client manipulated in this manner can lead to the compromising of the entire WLAN, and in the worst case, of the entire IT infrastructure of the organisation.
When data is transmitted in unencrypted form in the WLAN, an attacker can also easily listen in on communications if the data is easily exploitable, as is the case with VoIP voice data, for example.
The inadequately planned use of a WLAN client in a wireless network which is not trustworthy (for example a hotspot or ad-hoc network) entails additional dangers. Examples of some of these dangers are listed in the following:
- With the help of spoofing tools, an attacker could install tools on the client of a WLAN user to compromise the network.
- An attacker could examine the vulnerabilities of the network services and functions on the client and exploit them under some circumstances. This could then enable the attacker to access the computer if unsuitable passwords are selected or the personal firewall is not configured properly.
Attacks on access points
Attacks can also be performed over the clients on other WLAN components, and therefore on the connected network. If there are no security mechanisms for mobile components and transmission standards or they are poorly configured, then attackers could exploit this to gain unauthorised access to the internal network of a government agency or company. Every additional component integrated into a network creates additional network access points which are sometimes difficult to control. Every network connection available has the potential to be misused to eavesdrop on the network.