Security of wireless networks
WiFi
It used to be common to have unencrypted WiFi networks. An open WiFi network is convenient, for example, for tourists and visitors, but it can also introduce risks for both network providers and users. Nowadays the access to most WiFi networks is protected by a password. However, some of the public WiFi networks can still be accessed without a password. Such convenience also brings along risks, which we are going cover next.
Providers of the open network
Attackers may misuse an openly or anonymously accessible network to anonymously carry out cyberattacks, download illegal software and write offensive comments. Moreover, the network connection provider (owner of the access point) may be held responsible. For example, it used to be that in Germany, the network owner was liable for everything that happened in the network and thus, there were only a few open WiFi networks in Germany.
There are two possible solutions, either identifying network users or limit their access to the network. The former requires deploying a user authentication system, while the latter involves protecting the network with a password.
First, the network provider must change the administration password of the router to prevent an attacker from accessing and re-configuring the router. Secondly, the network password itself must be secure enough.
Open network consumer
If open WiFi consumers do not use extra measures (e.g. VPN) to protect themselves, they leave the security up to the (web) service provider. While there are still some services not supporting TLS, these are becoming rare.
Unless the user is sure that TLS is used, it should be asssumed that the traffic in an open network may be readily available for others to watch. In an open wifi network anyone can monitor the wifi traffic see what others are doing and even store their communication data.
If the connection is not encrypted, an open network consumer may inadvertently reveal usernames and passwords, session cookies, private information, communication partners. However, even if TLS is used in an open wifi network, it is still possible to monitor the metadata, which can reveal the domains that are being visited along with the amount of exchanged data.
Attacker in an open network
A passive attacker can listen in to the communication of the network users and save the communication data for later use (be it encrypted or not). An active attacker may try to take over user sessions (if TLS is not used) or alternatively an attacker may create a new open wifi network and carry out a man-in-the-middle attack by luring users into connecting to it.
WiFi security
Security protocols
In an unencrypted WiFi network, it is possible to listen in to others' communication. Hence, depending on whether TLS is used, either the data or metadata should be considered to be public. It is possible to prevent metadata from being leaked in an unencrypted WiFi network by using a VPN. However, in that case, the VPN provider gets access to the metadata.
Next, we give a brief overview of different WiFi encryption standards:
WEP (Wired Equivalent Privacy) is the first WiFi security protocol from 1999 and it uses 64-bit or 128-bit keys to encrypt the traffic. WEP has many security issues that enable an attacker to gain access to the network in only a couple of minutes. Even if the protocol would not contain vulnerabilities, then it wouldn't be safe to use the 64-bit version of WEP. Of the 64 bit, only 40 bits are used for the key, and 24 bits are used for the initialization vector (randomness). Thus, it would be possible to find the key by using a brute force attack that tries all possible combinations.
WPA is a WiFi security protocol used since 2003 and is meant to replace WEP. WPA (Wi-Fi Protected Access) uses 256-bit keys to encrypt the traffic and also incorporates integrity validation to protect against data packet modifications (WEP didn't have that). Unfortunately, the key integrity protocol TKIP used in WPA has security issues, and so TKIP has been deprecated since 2009. If possible, use AES-based integrity protocol instead. The latter is usually branded as WPA2.
WPA2 is an enhanced version of WPA that uses AES-based integrity protocol. WPA2 has been supported on wireless routers manufactured since 2006. WPA2 is considered secure only in case a secure password is used. Companies that need a higher security level should use the enterprise version of WPA2. In the enterprise version, authentication is done through a separate keyserver and therefore, there isn't a shared password. WPA2 Enterprise is used by Eduroam. It is more difficult to attack WPA2 Enterprise version but it might still be possible under some circumstances: Attacking WPA2 Enterprise.
If possible, use WPA2 security when configuring your wireless router. If WPA2 is not supported by the router or some devices connected to the network, you may also use WPA, but with AES instead of TKIP. Do not use WEP, as this is considered insecure. Using a weak password makes it easy to attack the wireless network, e.g., bachelor students learn how to break WEP, WPA & WPA2 (in case a weak password is used). Running the attacks in the lab will take around 1.5 hours.
In October 2017, a key reinstallation attack (codenamed KRACK) was published against WPA2 (and also WPA). This attack allows an attacker to strip WPA2 encryption and, depending on the network configuration, also modify or inject packets. As the issue comes from the WPA2 protocol specification itself, all correct implementations of the protocol stack are vulnerable. The WiFi client firmware has to be patched by the respective hardware or software vendors to mitigate this attack. WiFi access points are not affected if they are not acting as clients (e.g. in repeater mode or mesh networks).
WPA3 was announced in 2018 and is supposed to replace WPA2. WPA3 is designed to increase security compared with WPA2 by strengthening the key exchange phase and by introducing forward secrecy. Products that want to participate in the Wi-Fi CERTIFIED program have to support WPA3 starting from July 1, 2020. However, it will take years to replace and upgrade the hardware that currently only supports WPA2. Thus, WPA2 can not be easily replaced by WPA3 in the coming years.
Changing network name (SSID)
It is important to change the default name (SSID) of your wireless network. Based on the default SSID, an attacker may learn the manufacturer and model of your wireless router and can use device-specific security issues to attack your network.
Moreover, SSID is used as a salt for generating access keys in many home routers using WPA or WPA2. Hence, using a common SSID makes brute-forcing the network access key easier as the corresponding hash value tables are precomputed for known salts (SSID-s). For example, for Thomson routers given by Elion to its customers, it is possible to learn the default "unique" password by knowing the default network name (SpeedTouchXXXXXX or ThomsonXXXXXX).
WPS
An encrypted WiFi connection is secure only if a secure (for example, a 20-symbol randomly generated) password is used. However, users usually do not know how to configure their wireless router, and it is cumbersome to enter a long password in client devices, especially on smart devices. Wi-Fi Protected Setup (WPS) was meant to make using secure passwords more convenient.
One way how WPS was implemented is that there is a sticker on the wireless router with a PIN code printed on it. Upon inserting this PIN code into a client device, the device was able to ask the router for the secure WPA(2) password itself and use it for communication.
However, a practical brute-force attack for guessing the PIN code was published in 2011. The attack was simplified by the fact that according to the WPS protocol, the 7-digit PIN code was verified by the router in two independent parts. Hence, an attacker could avoid guessing the 7-digit code (10,000,000 possibilities) and was instead able to guess a 4-digit code (10,000 possibilities) and a 3-digit code (1,000 possibilities) independently. Trying all the possible 11,000 codes was doable in an hour. If the WPS PIN was known, it was possible to ask for the router's real password (no matter how secure) from the router.
WiFi configuration steps
- change the administration password (and username, if possible)
- change the wireless network name (SSID)
- enable WiFi encryption, WPA2 if possible (or WPA3 if you only have newer client devices)
- enable firewall
- disable WPS (it may also be branded with other names, e.g. QSS)
Spoofing attacks
SSID spoofing (also known as: SSID Stripping, Evil Twin) is a technique for creating a fake access point (AP) with the same name of a legitimate AP. This technique is usually used in public places like cafes and libraries with free internet APs. People who have used these APs, have them stored in their smartphones or laptops. Whenever they are within the range of the AP, their devices connect to the AP automatically. If fake AP's signal is stronger than legitimate AP's signal, the device will automatically connect to the fake AP, which has the same name (SSID) as the legitimate AP. It allows an attacker, who controls the fake AP, to eavesdrop on wireless communications. The following blog post describes how the attack works and what can be done to defend against such attacks: How to identify and prevent evil twin attacks (2020).
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address that is hard-coded on a network interface controller (NIC) cannot be changed. However, many drivers allow the MAC address to be changed. Additionally, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason like anonymization, identity theft etc. For example, iOS devices generate a new MAC for each WiFi network: Use private Wi-Fi addresses on iPhone, iPad, iPod touch, and Apple Watch.
Mobile communication
In the 2nd generation mobile network (GSM), the A5/1 algorithm is used to encrypt the communication. A5/1 was developed in the 1980-s and was kept secret until 1994. The full specification of the algorithm was published only in 1999 by reverse-engineering the protocol. When creating the GSM standard, a decision was needed to be made whether the communication should be protected with strong or weaker encryption to allow the governments to listen in to the communications. The end result of this discussion is not known, but it is known that the algorithm in question was created in two versions: a general standard A5/1 and a weakened A5/2 used for export outside Europe.
By now, both of the algorithms are known to be insecure. In 2006, GSMA deprecated A5/2 in GSM phones. In 2007, 3GPP decided that A5/2 must not be supported in new phones as the more secure A5/1 is widely used.
There are many attacks published against A5/1: https://en.wikipedia.org/wiki/A5/1#Security. The interesting ones are the attacks starting in 2007 that use pre-computed data. For example, in 2008, a huge look-up table (3 TB in size) was created that, in theory, allows to listen in to phone communication and SMS messages in real-time. An attacker would have to find the correct key in the look-up table to crack the encryption, but this should take no more than a couple of minutes. Importantly, the look-up tables were not published at that time.
These look-up tables were published by Chris Paget and Karsten Nohl in 2009 as a result of the project "A5/1 Cracking Project" (https://srlabs.de/bites/decrypting-gsm/). Using these tables (if they are published in full), it should be possible to crack 2G communication in real-time. Carrying out such an attack is not very expensive, although it requires special radio transmission equipment. It is important to note that even 3G and 4G users may not be protected as the phone may fall back to a 2G network if the 3G or 4G signal is weak. Moreover, in some networks, phone calls are by default carried over a 2G network (3G and 4G may be for data only).
From the documents leaked by Edward Snowden in 2013, it became apparent that the NSA can crack the A5/1 algorithm and listen in to GSM communication. The article "Archaic but widely used crypto cipher allows NSA to decode most cell calls" gives a more thorough overview of the topic. In this article, Nohl estimates that cracking a newer A5/3 is 100,000 times harder than cracking A5/1. If this estimate is correct, it might be possible to listen in to A5/3 but only in a targeted manner as it is more resource-intensive.
Many of the security issues originate from the devices being backward compatible with 2G, which enables downgrade attacks. Thus, to increase the security level 2G should be turned off in your device (this might result in the loss of being able to communicate in certain conditions when 4G or 5G is not available). However, it turns out that turning of 2G is non-trivial and was only recently made available in both Android and iOS. Since Android 12 it is possible to turn off 2G: EFF praises Android’s new 2G kill switch, wants Apple to follow suit. In iOS there is no direct option for turning off 2G, but this can be achieved by activating the Lockdown Mode. Lockdown Mode has been available since iOS 16 and starting from iOS 17 Lockdown Mode disables 2G (2023).
In case you want to read more about the GSM network, then you can find some extra information from the following links:
- Eavesdropping on GSM: state-of-affairs (2010)
- On cellular encryption (2014)
- GSM authorization/encryption steps (2017)
Tracking
Mobile phones are constantly sending small requests to the closest cellular towers (base stations) to check if the signal is still there. The user is identified by the use of international mobile subscriber identity (IMSI), which is included in the request. IMSI is assigned to each SIM card, and thus it can be linked to the user who owns the SIM card. IMSI usually consists of 15 digits. The first three represent country code, the next 2-3 digits represent the mobile network, and the rest of the code is used to identify the subscriber in the mobile network.
IMSI catchers
Some law enforcement agencies use special devices that act as base stations. These fake base stations are often called IMSI catchers. They are used to track mobile devices by intercepting requests that contain an IMSI. The description of how IMSI catchers function is described in EFF's report: Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2019)
Step 1
Step 2
In addition, the mobile device also sends out a temporary mobile subscriber identity (TMSI). As the user moves, the phone connects to new base stations, and this leaves logs, which can be used to triangulate and geographically track the user. Furthermore, the fake base stations could be used to intercept calls and SMS messages. This is possible due to the fact that while using 2G, the mobile phones do not authenticate the base station, i.e., the base station does not prove to the phone that it is authentic.
Routing of calls
Another weak spot in the architecture of mobile networks is the way how calls are routed internationally. This is done using a protocol called signaling system (in the case of 2G and 3G). Currently, the 7th version of this protocol is used, and it is called SS7. Due to the weaknesses in the protocol, it can be used to track users and also to intercept calls and SMS messages. To do that, an attacker would have to access any carrier network, but access to SS7 can be legally bought. In the spring of 2017, the vulnerabilities in SS7 were used to intercept SMS messages for two-factor authentication. You can find more info about the attacks and SS7 from the following links.
In the case of 4G, Diameter protocol is used for roaming. However, it has its own security issues as described in: Diameter vulnerabilities exposure report (2018). In addition, in many networks, only data is sent over 4G, and phone calls and SMS are still transmitted over 3G (and thus SS7).
- After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts (2017)
- SS7 hack explained: what can you do about it? (2017)
- You Can Spy Like the NSA for a Few Thousand Bucks (2017)
- Fixing the Cell Network Flaw That Lets Hackers Drain Bank Accounts (2017)
- How spies can use your cellphone to find you – and eavesdrop on your calls and texts too (2018)
- A letter by Ron Wyden to US Senate about the problems of SS7 (2018)
- Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts (2019)
Network configuration
An overview of the security of GSM networks is given in "Mobile networks differ widely in security, none protect well in all dimensions". Based on published information, there is a map concerning the security of GSM networks: https://gsmmap.org/. The collected data is also used to automatically generate reports about the security of mobile networks in different countries. The following reports about the Estonian mobile networks were automatically generated by gsmmap project:
- Report about the security of Estonian mobile networks (2013)
- Report about the security of Estonian mobile networks (2014)
- Report about the security of Estonian mobile networks (2015)
- Report about the security of Estonian mobile networks (2016)
- Report about the security of Estonian mobile networks (2017)
- Report about the security of Estonian mobile networks (2018)
Similar reports can be found about other countries by modifying the name of the country in the URL of the linked reports.
Further reading
- WiFi
- Security of mobile networks
- Recent research papers
- Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (CCS, 2017)
- Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE (USENIX, 2019)
- Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation (USENIX, 2021)
- Never Let Me Down Again: Bidding-Down Attacks and Mitigations in 5G and 4G (2023)