Security of wireless networks
WiFi
Open WiFi
"Open" WiFi is an unencrypted WiFi network. An open WiFi network is convenient for example for tourists and visitors but it can also introduce risks for both network providers and users.
Providers of the open network
Attackers may misuse an open network to anonymously carry out cyber attacks, download illegal software and write offensive comments. Moreover, the network connection provider (owner of the access point) may be held responsible. For example, it used to be that in Germany the network owner was liable for everything that happened in the network, and thus there were only a few open WiFi networks in Germany.
There are two possible solutions: either identify the network users or limit their access to the network. The former requires deploying a user authentication system, while the latter involves protecting the network with a password.
First, the network provider must change the administration password of the router in order to prevent an attacker from accessing and reconfiguring the router. Secondly, the network password itself must be secure enough.
Open network consumer
If an open WiFi consumer does not use extra measures (e.g. VPN) to protect himself, he leaves the security up to the (web) service provider. Unfortunately, there are still many services that do not use encrypted HTTPS connections.
Consequently, a user must assume that most of the traffic in an open network is readily available for others to watch. There is no privacy in an open network: anyone can see what others are doing and even store their communication data.
An open network consumer may inadvertently reveal:
- usernames and passwords
- session cookies
- private information
- communication partners
Attacker in an open network
A passive attacker can listen in to the communication of the network users and save the communication data for later use. An active attacker may take over user sessions or create his own open network, lure users to connect to it and carry out a man-in-the-middle attack.
Demo: Stealing HTTP cookies in an open network. We use an application called Cookie Cadger to take over a user session in an unencrypted network. The demo illustrates that session cookies can be intercepted if the connection is not encrypted. However, in reality the majority of web sites use TLS and in these cases the sessions are safe.
WiFi configuration
Security protocols
In an unencrypted WiFi network it is possible to listen in to others' communication. Hence, the data exchanged in an open network should be considered to be public. An attacker could easily steal passwords, session cookies, etc.
Next, we give a brief overview of different WiFi encryption standards:
WEP (Wired Equivalent Privacy) is the first WiFi security protocol from 1999 and it uses 64-bit or 128-bit keys to encrypt the traffic. WEP has many security issues that enable an attacker to gain access to the network in only a couple of minutes. Even if the protocol contained no vulnerabilities, the 64-bit version of WEP would not be safe to use. Of the 64 bits, only 40 bits are used for the key and 24 bits are used for the initialization vector (randomness). Thus, it would be possible to find the key by using a brute force attack that tries all possible combinations.
WPA (Wi-Fi Protected Access) is a WiFi security protocol that has been in use since 2003 and is meant to replace WEP. WPA uses 256-bit keys to encrypt the traffic and also incorporates integrity validation to protect against data packet modifications (WEP didn't have that). Unfortunately, the key integrity protocol TKIP used in WPA has security issues, and so TKIP has been deprecated since 2009. If possible, use an AES-based integrity protocol instead. The latter is usually branded as WPA2.
WPA2 is an enhanced version of WPA that uses an AES-based integrity protocol. WPA2 is supported on wireless routers manufactured since 2006. WPA2 is considered secure only if a secure password is used. Companies that need a higher security level should use the enterprise version of WPA2. In the enterprise version, authentication is done through a separate keyserver and therefore there isn't a common shared password. WPA2 Enterprise is used by Eduroam. It is more difficult to attack the WPA2 Enterprise version, but it might still be possible under some circumstances: Attacking WPA2 Enterprise.
If possible, use WPA2 security when configuring your wireless router. If WPA2 is not supported by the router or by some devices connected to the network, you may also use WPA, but with AES instead of TKIP. Do not use WEP, as it is considered insecure. Using a weak password makes it easy to attack the wireless network. For example, the second-year bachelor students learn how to break WEP, WPA and WPA2 (in case a weak password is used). Running the attacks in the lab will take around 1.5 hours.
In October 2017, a key reinstallation attack (codenamed KRACK) was published against WPA2 (and also WPA). This attack allows an attacker to strip WPA2 encryption and, depending on the network configuration, also modify or inject packets. As the issue comes from the WPA2 protocol specification itself, all correct implementations of the protocol stack are vulnerable. To mitigate this attack, the WiFi client firmware has to be patched by the respective hardware or software vendors. WiFi access points are not affected if they are not acting as clients (e.g. in repeater mode or mesh networks).
Changing network name (SSID)
It is important to change the default name (SSID) of your wireless network. Based on the default SSID, an attacker may learn the manufacturer and model of your wireless router and can use device-specific security issues to attack your network.
Moreover, the SSID is used as a salt for generating access keys in many home routers using WPA or WPA2. Hence, using a common SSID makes brute forcing the network access key easier, as the corresponding hash value tables are precomputed for known salts (SSIDs). For example, for Thomson routers given by Elion to its customers, it is possible to learn the default "unique" password by knowing the default network name (SpeedTouchXXXXXX or ThomsonXXXXXX).
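The role of the SSID as a salt can be seen in the key derivation itself. The following is an added example, not part of the original lecture material: it derives the WPA/WPA2-Personal master key with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt) and flags SSIDs that weaken the key. The `COMMON_SSIDS` list, the sample passphrase and the reading of `XXXXXX` as six hexadecimal characters are assumptions made for illustration.

```python
import hashlib
import re

# Illustrative short list of widely used default names (constructed for this example).
COMMON_SSIDS = {"linksys", "netgear", "dlink", "default"}
# Default-name patterns mentioned in the text; XXXXXX is assumed to be six hex characters.
VENDOR_DEFAULT = re.compile(r"^(SpeedTouch|Thomson)[0-9A-Fa-f]{6}$")


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal master key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def ssid_findings(ssid: str) -> list[str]:
    """Return reasons why this SSID weakens the protection of the network key."""
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        findings.append("common SSID: precomputed hash tables for this salt may exist")
    if VENDOR_DEFAULT.match(ssid):
        findings.append("vendor default SSID: reveals the router model and "
                        "may be linked to the default password")
    return findings


if __name__ == "__main__":
    passphrase = "correct horse battery"  # constructed sample passphrase
    for ssid in ("linksys", "SpeedTouchA1B2C3", "kodu-7f3q"):
        # Same passphrase, different salt: the derived key changes with the SSID.
        print(ssid, wpa_pmk(passphrase, ssid).hex()[:16], ssid_findings(ssid))
```

Because the salt is the only per-network input besides the passphrase, a table computed once for a common SSID applies to every network that uses that name.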
WPS
An encrypted WiFi connection is secure only if a secure (at least 20-symbol randomly generated) password is used. However, users usually do not know how to configure their wireless router and it is cumbersome to enter a long password in client devices, especially in smart devices. Wi-Fi Protected Setup (WPS) is meant to make using a secure password more convenient.
One common way of implementing WPS is to put a sticker with a printed PIN code on the wireless router. After this PIN code is entered into a client device, the device is able to ask the router for the real secure WPA(2) password itself and use it for the communication. A practical brute-force attack for guessing the PIN code was published in 2011. The attack was simplified by the fact that according to the WPS protocol, the 7-digit PIN code is verified by the router in two independent parts. Hence, an attacker can avoid guessing the 7-digit code (10,000,000 possibilities) and can instead guess a 4-digit code (10,000 possibilities) and a 3-digit code (1,000 possibilities) independently. Trying all the possible 11,000 codes is doable in an hour. If the WPS PIN is known, it is possible to ask for the real password (no matter how secure) from the router.
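The effect of verifying the PIN in two independent parts can be reproduced with a toy model. This is an added example, not code from the original lecture and not an implementation of the WPS protocol: it compares a verifier that reveals which part of the PIN was wrong with one that only answers for the whole PIN, and estimates how a lockout policy changes the time needed. The PINs, the 0.3 seconds per guess and the lockout parameters are assumptions chosen for illustration.

```python
class PinVerifier:
    """Toy model of a 7-digit PIN check; not an implementation of WPS."""

    def __init__(self, pin: str, split_feedback: bool):
        if len(pin) != 7 or not pin.isdigit():
            raise ValueError("PIN must be exactly 7 digits")
        self.pin, self.split_feedback, self.attempts = pin, split_feedback, 0

    def check(self, guess: str) -> str:
        """Return 'ok', or how the guess failed. With split feedback the
        answer reveals which part of the PIN was wrong."""
        self.attempts += 1
        if guess == self.pin:
            return "ok"
        if not self.split_feedback:
            return "wrong"
        return "first-wrong" if guess[:4] != self.pin[:4] else "second-wrong"


def guesses_needed(verifier: PinVerifier) -> int:
    """Count the checks this simple search makes until the PIN is accepted."""
    if not verifier.split_feedback:
        for n in range(10**7):                      # whole PIN: up to 10,000,000
            if verifier.check(f"{n:07d}") == "ok":
                break
        return verifier.attempts
    for a in range(10**4):                          # 4-digit part: up to 10,000
        if verifier.check(f"{a:04d}000") != "first-wrong":
            break
    for b in range(10**3):                          # 3-digit part: up to 1,000
        if verifier.check(f"{a:04d}{b:03d}") == "ok":
            break
    return verifier.attempts


def hours_to_exhaust(guesses, seconds_per_guess, lock_after=None, lock_seconds=0):
    """Hours needed for `guesses` checks, with an optional lockout of
    `lock_seconds` after every `lock_after` failed checks (hypothetical policy)."""
    locks = (guesses - 1) // lock_after if lock_after else 0
    return (guesses * seconds_per_guess + locks * lock_seconds) / 3600


if __name__ == "__main__":
    print(guesses_needed(PinVerifier("9999999", split_feedback=True)))  # worst case
    print(hours_to_exhaust(11_000, 0.3))             # no lockout
    print(hours_to_exhaust(11_000, 0.3, 3, 60))      # 60 s lockout per 3 failures
```

A lockout stretches the search from under an hour to a few days in this model, but the candidate space stays at 11,000, so the lasting fix is to disable WPS.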
WiFi configuration steps
- change the administration password (and username)
- change wireless network name (SSID)
- enable WiFi encryption, WPA2 if possible
- enable firewall
- disable WPS (it may also be branded with other names, e.g. QSS)
Mobile communication
In the 2nd generation mobile network (GSM), the A5/1 algorithm is used to encrypt the communication. A5/1 was developed in the 1980s and was kept secret until 1994. The full specification of the algorithm was published only in 1999 by reverse engineering the protocol. When the GSM standard was created, a decision had to be made whether the communication should be protected with strong encryption or with a weaker encryption that would allow governments to listen in to the communications. The end result of this discussion is not known, but it is known that the algorithm in question was created in two versions: a general standard A5/1 and a weakened A5/2 used for export outside Europe.
By now, both of the algorithms are known to be insecure. In 2006, GSMA deprecated A5/2 in GSM phones. In 2007, 3GPP decided that A5/2 must not be supported in new phones as the more secure A5/1 is widely used.
There are many attacks published against A5/1: https://en.wikipedia.org/wiki/A5/1#Security. For us, the most interesting ones are the attacks starting in 2007 that use precomputed data. For example, in 2008 a huge look-up table (3 TB in size) was created that in theory allows an attacker to listen in to phone communication and SMS messages in real-time. To crack the encryption, an attacker would have to find the correct key in the look-up table, but this should take no more than a couple of minutes. Importantly, the look-up tables were not published at that time.
These look-up tables were published by Chris Paget and Karsten Nohl in 2009 as a result of the "A5/1 Cracking Project" (https://srlabs.de/bites/decrypting-gsm/). Using these tables (if they are published in full), it should be possible to crack 2G communication in real-time. Carrying out such an attack is not very expensive, although it requires special radio transmission equipment. It is important to note that even 3G and 4G users may not be protected, as the phone may fall back to the 2G network if the 3G or 4G signal is weak. Moreover, in some networks, phone calls are by default carried over the 2G network (3G and 4G may be for data only).
From the documents leaked by Edward Snowden in 2013, it became apparent that the NSA has the capability to crack the A5/1 algorithm and listen in to GSM communication. The article "Archaic but widely used crypto cipher allows NSA to decode most cell calls" gives a more thorough overview of the topic. In this article, Nohl comments that cracking the newer A5/3 is 100,000 times harder than cracking A5/1. Hence, most probably the NSA also has the ability to listen in to A5/3, but only in a targeted manner as it is more resource intensive.
In case you want to read more about the GSM network, then you can find some extra information from the following links:
- Eavesdropping on GSM-communications (2010)
- On cellular encryption (2014)
- GSM authorization/encryption steps (2017)
Tracking the user
Mobile phones are constantly sending small requests to the closest cellular towers (base stations) to check if the signal is still there. The user is identified by the use of international mobile subscriber identity (IMSI), which is included in the request. IMSI is assigned to each SIM card and thus it can be linked to the user who owns the SIM card.
Some law enforcement agencies use special devices that act like base stations. These fake base stations are often called IMSI catchers. They are used to track the mobile devices by intercepting requests that contain the IMSI. In addition, the mobile device also sends out a temporary mobile subscriber identity (TMSI). As the user moves, the phone connects to new base stations, and this leaves logs that can be used to triangulate and geographically track the user. Furthermore, the fake base stations could be used to intercept calls and SMS messages. This is possible due to the fact that while using 2G, the mobile phones do not authenticate the base station, i.e., the base station does not prove to the phone that it is authentic.
Another weak spot in the architecture of mobile networks is the way calls are routed internationally. This is done using a protocol called signaling system (in case of 2G and 3G). Currently the 7th version of this protocol is used and it is called SS7. Due to the weaknesses in the protocol, it can be used to track users and also to intercept calls and SMS messages. To do that, an attacker would have to access a carrier network, but access to SS7 can be legally bought. In the spring of 2017, the vulnerabilities in SS7 were used to intercept SMS messages for two-factor authentication; you can find more information about the attacks and SS7 from the following links. In the case of 4G, the Diameter protocol is used for roaming. However, it has its own security issues, as described in: Diameter vulnerabilities exposure report (2018). In addition, in many networks only data is sent over 4G, and phone calls and SMS are still transmitted over 3G (and thus SS7).
- After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts (2017)
- SS7 hack explained: what can you do about it? (2017)
- You Can Spy Like the NSA for a Few Thousand Bucks (2017)
- Fixing the Cell Network Flaw That Lets Hackers Drain Bank Accounts (2017)
- How spies can use your cellphone to find you – and eavesdrop on your calls and texts too (2018)
- A letter by Ron Wyden to US Senate about the problems of SS7 (2018)
- Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts (2019)
An overview of the security of GSM networks is given in "Mobile networks differ widely in security, none protect well in all dimensions". Based on published information, there is a map concerning the security of GSM networks: http://gsmmap.org/. The collected data is also used to automatically generate reports about the security of mobile networks in different countries. The following reports about the Estonian mobile networks are automatically generated by the gsmmap project:
- Report about the security of Estonian mobile networks (2013)
- Report about the security of Estonian mobile networks (2014)
- Report about the security of Estonian mobile networks (2015)
- Report about the security of Estonian mobile networks (2016)
- Report about the security of Estonian mobile networks (2017)
- Report about the security of Estonian mobile networks (2018)
Similar reports can be found about other countries by modifying the name of the country in the URL of the linked reports.
Further reading
- WiFi
- Wireshark
- Mobile security