All Things Wi-Fi
A brief intro to amazing and fun things
Hi there!
• Keya Lea Horiuchi
• Engineer at AppliedTrust
• Previously worked in education and
digital design (films and websites)
• Technician License, amateur ham
radio (KE0IXW)
What we’ll cover
• Some internet history, Wi-Fi and
Frisbees analogy
• 2.4/5.0 GHz Spectrum
• IEEE 802.11 wireless networks
• War driving
• Kismet, iwlist - SSIDs, channels, encryption,
and more
• Open Wi-Fi!
• Data you’re leaking
• What’s the harm? Wireshark
• Enterprise/home network segmentation,
VLANs
In the beginning
• ARPANet
• Univ. of California, Los Angeles
• Univ. of California, Santa Barbara
• Univ. of Utah
• Stanford Research Institute
https://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/arpanet2.gif
NSFNET
Woot! T1!
https://www.wired.com/2015/06/mapping-the-internet/
https://www.flickr.com/photos/opengridscheduler/16267326303
At the endpoints, your data (business and personal) often travels the last hop through the air via radio
frequencies.
Wireless Access Point (WAP)
How important is Wi-Fi?
http://www.linksys.com/us/home-wifi-internet-speed-evolution/
https://www.fotolia.com/p/205411074
This is your data.
It is assumed that Wi-Fi data will reach the intended
recipient, with the confidentiality of the data intact.
http://kids.britannica.com/comptons/art-184125/A-man-throws-a-frisbee
Why doesn’t Wi-Fi
always work?
And what could possibly go wrong?
Everybody’s using it.
Does this mean it’s secure?
No.
It’s inherently risky because of the open nature of the medium.
Wi-Fi congestion at home/work
• Half-duplex, not full-duplex
• Can only send or receive, not
send and receive
• An upper limit of client devices
that can utilize the WAP
• CSMA/CA: Carrier Sense Multiple Access / Collision
Avoidance. A station can't detect a collision on the
air, so it relies on an ACK for every frame it sends.
http://www.linksys.com/us/home-wifi-internet-speed-evolution/
Wi-Fi interference 2.4 GHz
http://www.popularmechanics.com/technology/gadgets/how-to/a11792/how-to-fight-rf-interference-with-your-gadgets/
BLUETOOTH
http://www.linksys.com/us/home-wifi-internet-speed-evolution/
http://www.gettyimages.co.uk/detail/news-photo/washington-dc-hoping-to-set-a-world-record-for-the-most-news-photo/515586344#8211986washington-dc-hoping-to-set-a-world-record-for-the-most-discs-picture-id515586344
Breaking it down
https://uwaterloo.ca/information-systems-technology/services/eduroam/campus-wi-fi-infrastructure-and-quality-assurance/factors-affecting-wi-fi-service
3 ISM bands allocated
• 900 MHz — maybe more use soon
• 2.4 GHz — better range, lower data rate
• 5 GHz — less range, higher data rate, greater
attenuation
• ISM = industrial, scientific, and medical. Wi-Fi is only a small
portion of the communication that takes place over these
airwaves/radio frequencies.
war driving
What the heck?
–Wikipedia, February 12, 2017
“The act of searching for Wi-Fi
networks by a person or moving
vehicle using a portable computer,
smartphone, or PDA.”
It’s a competition! Most points wins!
• All data will be submitted in Kismet log.
• All logs must contain real SSIDs/format detected.
• All logs must have an accurate GPS location (A USB GPS is less
than $20; feel free to compete if you can't get one, but you won't be
officially ranked.)
• Must be present in parking lot by the time the stop signal is given.
• Parking-lot lightning round
• Road hog — Collect the most total BSSIDs: 5,000 points
• Hacker — Connect to the judges’ Wi-Fi: 5,000 points
• Scoring
• WEP — 50 points
• Unencrypted — 10 points
• WPA — 5 points
• WPA2 — 1 point
• Shared ISP BSSIDs — 1 point
http://www.ampedwireless.com/learningcenter/default2.html
Wi-Fi Encryption
WEP - Wired Equivalent Privacy!
A security algorithm meant to provide confidentiality similar to that of a wired network. Standardized in 1997; by 2000
vulnerabilities were being identified. Uses a stream cipher, RC4, with a short IV (initialization vector) that is reused. The
encryption key does not change.
WPA - Wi-Fi Protected Access!
IEEE announced in 2003 that WEP had been replaced by WPA. An intermediate step to deal with the insecurities within
WEP. TKIP (Temporal Key Integrity Protocol) dynamically generates a per-packet key.
WPA2 - 2004!
Supports CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol), which uses AES (Advanced
Encryption Standard). This should be used.
WPS - Wi-Fi Protected Setup
An alternative key-distribution method that lets devices communicate and share a key, but as implemented it introduces a
vulnerability that allows a remote attacker to identify the PIN and use it to recover the WPA/WPA2 password. Should be
turned off.
WPA Enterprise - WPA-802.1X incorporates RADIUS authentication / EAP
CCMP — Counter Mode Cipher Block Chaining Message Authentication
Code Protocol
• An encryption protocol based on the Counter Mode with CBC-MAC (CCM) mode of AES
$ iwlist scanning
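As an added example (not code from the talk), a small Python audit that parses output in the shape iwlist scanning prints, classifies each cell as Open/WEP/WPA/WPA2 using the same classes as the war-driving scoring slide, totals the score and reports the share of open networks. The scan text below is constructed, and the field names assumed (Address, ESSID, Encryption key, IE: WPA / IEEE 802.11i/WPA2) follow iwlist's usual layout.

```python
import re
from collections import Counter
# Constructed sample of `iwlist scanning` output (not a real capture): four
# cells covering an open, a WEP, a WPA (TKIP) and a WPA2 (CCMP) network.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"CoffeeShop-Free"
                    Encryption key:off
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"OldRouter"
                    Encryption key:on
          Cell 03 - Address: 00:11:22:33:44:03
                    ESSID:"Legacy"
                    Encryption key:on
                    IE: WPA Version 1
          Cell 04 - Address: 00:11:22:33:44:04
                    ESSID:"HomeNet"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
"""
# Points per network class, taken from the war-driving scoring slide.
SCORE = {"WEP": 50, "Open": 10, "WPA": 5, "WPA2": 1}

def classify(cell_text):
    """Map one scan cell to Open / WEP / WPA / WPA2 (strongest listed wins)."""
    if "Encryption key:off" in cell_text:
        return "Open"
    if "WPA2" in cell_text:
        return "WPA2"
    if "WPA Version" in cell_text:
        return "WPA"
    return "WEP"  # key on, but no WPA/WPA2 information element

def parse_scan(text):
    nets = []  # one (bssid, essid, class) tuple per "Cell NN - " block
    for cell in re.split(r"\n\s+Cell \d+ - ", text)[1:]:
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", cell).group(1)
        essid = re.search(r'ESSID:"([^"]*)"', cell).group(1)
        nets.append((bssid, essid, classify(cell)))
    return nets

def audit(text):
    """Tally classes, total the slide's score and report the share of open APs."""
    nets = parse_scan(text)
    counts = Counter(c for _, _, c in nets)
    score = sum(SCORE[c] for _, _, c in nets)
    open_pct = 100.0 * counts["Open"] / len(nets) if nets else 0.0
    weak = [(b, e) for b, e, c in nets if c != "WPA2"]  # what to fix first
    return {"counts": counts, "score": score, "open_pct": open_pct, "weak": weak}
```

Run against your own site's scan, the "weak" list is the set of access points still on WEP, WPA or no encryption that the take-aways say to move to WPA2.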
5 GHz
Antennas — size matters
Insert Kismet working and shot of car
Time to look at a Kismet log?
http://developers-club.com/posts/100503/
What to do with this data?
WAPs around our area
Unencrypted, open networks have steadily gone down from 60% to ~6%.
Tune Wi-Fi signal
War-driving results illustrate the importance of tuning the strength of
a Wi-Fi signal. If those signals had been properly tuned, they
wouldn’t be broadcasting past the boundary of the building.
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/prod_white_paper0900aecd806a1a3e.html
Antenna placement
Placement of WAPs
http://www.cisco.com/c/en/us/td/docs/wireless/technology/ap1000/deployment/guide/hah_apdg/dg10ic.html
Network Segmentation
Virtual Local Area Networks restrict access to internal data
• Guest network
• Certain applications -> certain databases
• Presentations in certain rooms
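One way to check that a VLAN segmentation policy like the three bullets above actually holds, as an added example that is not from the talk: a default-deny allow-list is compared against observed flows, and anything that crossed a segment boundary the policy does not permit is reported. The VLAN ids, ports and the flow-log format are constructed for this example.

```python
import re

# Hypothetical VLAN ids for the segments on the slide (constructed).
GUEST, APP, DB, ROOMS, PROJECTORS = 10, 20, 30, 40, 50

# Allow-list: source VLAN -> {destination: allowed destination ports, None = any}.
# Anything not listed is denied; reply traffic is assumed to be handled statefully.
POLICY = {
    GUEST: {"internet": None},      # guest network: internet only, no internal VLANs
    APP:   {DB: {5432}},            # certain applications -> certain databases
    ROOMS: {PROJECTORS: {5000}},    # presentation rooms reach only their projectors
}

# Constructed flow-log lines in a generic firewall-style format (not any product's).
FLOW_LOG = """\
src_vlan=10 dst=internet dport=443
src_vlan=10 dst=vlan30 dport=5432
src_vlan=20 dst=vlan30 dport=5432
src_vlan=20 dst=vlan30 dport=22
src_vlan=40 dst=vlan50 dport=5000
src_vlan=40 dst=internet dport=80
src_vlan=30 dst=vlan10 dport=445
"""

LINE_RE = re.compile(r"src_vlan=(\d+) dst=(internet|vlan(\d+)) dport=(\d+)")

def parse_flow(line):
    """Turn one log line into (src_vlan, dst, dport); dst is 'internet' or a VLAN id."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    dst = "internet" if m.group(2) == "internet" else int(m.group(3))
    return int(m.group(1)), dst, int(m.group(4))

def is_allowed(src, dst, dport):
    """Default-deny check of one flow against POLICY."""
    dests = POLICY.get(src, {})
    if dst not in dests:
        return False
    ports = dests[dst]
    return ports is None or dport in ports

def find_violations(log):
    """Return the flows that crossed a segment boundary the policy does not permit."""
    return [f for f in map(parse_flow, log.splitlines()) if not is_allowed(*f)]
```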
Disclaimer and respecting stuff

This is a good time to talk about legalities, rights and privacy
issues.
One needs to have permission to access networks that are
meant to be private.
Be cognizant of the data you’re broadcasting and be aware of
what others can see. This is for your home WiFi as well as
personal/business devices.
BYOD (no time to cover it in detail) can be a portal into
various networks.
Guest/open networks
See who’s online
A word on devices
• They’re programmed to be
helpful.
• They remember Wi-Fi networks
you’ve previously connected to.
• If Wi-Fi is on, the device is always
attempting to be connected. In
this process, packets are being
sent in plaintext that identify
where you’ve been (work,
schools, places visited on
vacation, etc.)
– What’s the right thing to do?
“Hmmm. Now that’s a dilemma.”
Aircrack-ng suite
Monitor mode
• Wi-Fi only: makes it possible to
see all the packets, and then to
inject packets into the stream to
spoof others.
• RFMON (radio frequency monitor
mode) – airmon-ng & airodump-ng
for packet injection
Handy for crackin’ WEP.
# airmon-ng start wlan0mon
# airodump-ng --bssid 14:D6:4D:29:45:A1 --channel 11 --write wep-crack wlan0mon
# aireplay-ng -3 -b 14:D6:4D:29:45:A1 -h 00:42:4b:ec:54:b3 wlan0mon
(-3 is for ARP replay, -b is the target BSSID, -h is the MAC address being spoofed)
Wi-Fi Pineapple
https://wifipineapple.com/
– or using elevated permissions when they aren’t needed?
“What’s so bad about using open Wi-Fi?”
Insert image of shark
http://beforeitsnews.com/animals-pets/2012/10/should-sharks-swimming-near-popular-beaches-be-killed-2443944.html
Promiscuous mode
• Wired/wireless Ethernet: sniff
packets that aren’t meant for
you. Need physical access, or
to associate with the network.
Monitor mode
• Wi-Fi only: makes it possible to
see all the packets, and then to
inject packets into the stream to
spoof others.
• RFMON (radio frequency monitor
mode) – airmon-ng, airodump-ng
and aireplay-ng for packet
injection
Plaintext versus encrypted traffic
5 tabbed windows open
• Encrypted Google search
• Web surfing
• Plaintext WordPress login packet
capture
Demo
Internet Security Research Group
•Site hosted on DigitalOcean
•Cron script renews every 60 days
•Issues using a CDN like CloudFlare
So close!
Wi-Fi is inherently insecure.
Take offensive steps: encrypt, tune devices, audit
Wi-Fi audits
purple frisbee
www.funnyanimalsite.com/pictures/Flying_Dog.htm
Take steps to guard your data and ensure it’s reaching the intended recipient.
No time to get to the internet of things, but
there are similar concerns.
Take-aways
• Change default user names and passwords.
• Clean up your Wi-Fi broadcasts on personal devices/remembered
networks.
• Be mindful of what is passed over unencrypted, open networks.
• Use strong encryption: WPA2 (uses AES) & TLS 1.2 (no WEP/WPA,
SSL-any version, or TLSv1.0 if possible).
• Lock down internet-of-things devices.
• Use the principle of least privilege.
Questions?
Thank you!

Wi-Fi Denver OWASP Presentation Feb. 15, 2017
