WIRELESS NETWORKS AND SECURITY
Hakan Tolgay
hakan@hakantolgay.com
Who am I
- At Netas since 2008, with experience in
  - Wireline and wireless telephony networks
  - VoIP - SIP systems
  - VoIP platform security for federal and government projects
- Interested in
  - Radio Frequency (RF) stuff
  - Physical security
- HAM Radio Operator (TB2THT)
Agenda
- Wireless networks today
- IEEE 802.11 - WiFi
- IEEE 802.11's technology
- Vulnerabilities
- EM/RF leaking and TEMPEST
- Tools
Wireless Networks Today
- Everywhere
- Mostly unencrypted
- Can take any form: RF, light or sound
IEEE 802.11
- The 802.11 standard
- Uses unlicensed ISM spectrum, which is provided by regulators
- WiFi frequencies: 2.4 GHz, 5 GHz and 60 GHz (60 GHz: 2016, non-IEEE)
ISM Bands for WiFi
- ISM (industrial, scientific and medical)
- 902 - 928 MHz
- 2.4 - 2.5 GHz
- 5.725 - 5.875 GHz
All ISM Bands

Frequency range        | Bandwidth | Center frequency | Availability
6.765 - 6.795 MHz      | 30 kHz    | 6.780 MHz        | Subject to local acceptance
13.553 - 13.567 MHz    | 14 kHz    | 13.560 MHz       | Worldwide
26.957 - 27.283 MHz    | 326 kHz   | 27.120 MHz       | Worldwide
40.660 - 40.700 MHz    | 40 kHz    | 40.680 MHz       | Worldwide
433.050 - 434.790 MHz  | 1.74 MHz  | 433.920 MHz      | Region 1 only and subject to local acceptance (within the amateur radio 70 cm band)
902.000 - 928.000 MHz  | 26 MHz    | 915.000 MHz      | Region 2 only (with some exceptions)
2.400 - 2.500 GHz      | 100 MHz   | 2.450 GHz        | Worldwide
5.725 - 5.875 GHz      | 150 MHz   | 5.800 GHz        | Worldwide
24.000 - 24.250 GHz    | 250 MHz   | 24.125 GHz       | Worldwide
61.000 - 61.500 GHz    | 500 MHz   | 61.250 GHz       | Subject to local acceptance
122.000 - 123.000 GHz  | 1 GHz     | 122.500 GHz      | Subject to local acceptance
244.000 - 246.000 GHz  | 2 GHz     | 245.000 GHz      | Subject to local acceptance
WiFi Legacy
- In 1991 AT&T began working on a wireless technology called WaveLAN
  - Now known as WaveLAN Classic
  - Operated in the 900 MHz spectrum
  - Developed in the Netherlands as a technology for wireless cashier systems
  - Supported data rates of 1 and 2 megabits per second
WiFi Since Then
- 1997: 802.11-1997 «Legacy», 1-2 Mbps, now obsolete
- 1999: 802.11a - 5 GHz, 54 Mbps
  - Orthogonal Frequency-Division Multiplexing (OFDM)
  - Lower signal range, didn't penetrate walls as well
  - «Late to market»
- 1999: 802.11b - 2.4 GHz, 11 Mbps
  - Not OFDM (uses DSSS instead)
WiFi Since Then
- 2003: 802.11g, 54 Mbps
  - Best of both worlds between A and B
  - Uses 2.4 GHz (from B) and OFDM (from A)
  - Problems in dense areas: only 3 non-overlapping channels
  - Adopted early with draft specifications
WiFi «Now»
- 2009: 802.11n
  - Theoretical maximum speed of 600 Mbps
  - Uses both the 2.4 and 5 GHz bands
  - 40 MHz wide channels, double that of 802.11g
  - Backwards compatible with 802.11g
- MIMO
  - Multiple Input Multiple Output
  - 4 channels and 4 antennas
  - Parallel operation
WiFi «Now»
- 2012: 802.11ac
  - Operates only in the 5 GHz frequency band
  - Extended channel bonding: 80 and 160 MHz
  - More MIMO streams
  - Up to 1300 Mbps theoretical speed
WiFi in the Future
- 2016: 802.11ad
  - Will operate only at 60 GHz
  - Transfer rate up to 7 Gbps
WiFi Channels on 2.4 GHz - 802.11b,g,n
- 802.11b,g,n slice their spectrum up into channels
- 802.11b (DSSS): 22 MHz wide channels
- 802.11g/n (OFDM): 20 MHz wide channels
- 5 MHz spectrum buffers for each channel
- Channels 1, 6, 11 and 14 are discrete (non-overlapping)
Channel Availability
- North America: Channels 1 - 11
- Everywhere else: Channels 1 - 13
- Japan: Channels 1 - 14
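The arithmetic behind the "only 3 non-overlapping channels" remark and the regional channel lists above, as an added example that is not part of the slides. It uses the standard IEEE 2.4 GHz centre frequencies (channels 1-13 are 5 MHz apart from 2412 MHz, channel 14 is at 2484 MHz) and the region lists from the slide; the greedy picker is my own, written for AP channel planning.

```python
# 2.4 GHz channel centres per IEEE 802.11; region lists follow the "Channel Availability" slide.
REGION_CHANNELS = {
    "north america": range(1, 12),   # channels 1-11
    "japan": range(1, 15),           # channels 1-14
    "other": range(1, 14),           # channels 1-13
}

def center_freq_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no 2.4 GHz channel {channel}")

def channel_span(channel, width_mhz):
    """Lower and upper edge of a channel for a given occupied width (22 MHz DSSS, 20 MHz OFDM)."""
    c = center_freq_mhz(channel)
    return c - width_mhz / 2, c + width_mhz / 2

def overlaps(a, b, width_mhz=22):
    """True when the two channels share any spectrum at the given width."""
    lo_a, hi_a = channel_span(a, width_mhz)
    lo_b, hi_b = channel_span(b, width_mhz)
    return lo_a < hi_b and lo_b < hi_a

def non_overlapping_channels(region="other", width_mhz=22):
    """Greedy plan: take the lowest channel, then each next one that overlaps nothing already taken."""
    chosen = []
    for ch in REGION_CHANNELS[region]:
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen

def overlap_pairs(channels, width_mhz=22):
    """Pairs among the given channels that overlap; useful for checking a plan of neighbouring APs."""
    return {(a, b) for a in channels for b in channels if a < b and overlaps(a, b, width_mhz)}
```

With 22 MHz DSSS channels the plan comes out as 1, 6, 11 (plus 14 in Japan), matching the slide; try width_mhz=20 to see how the OFDM figure changes the result.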
WiFi Channels on 5 GHz - 802.11a,ac
- All channels are non-overlapping
- 802.11a,n: 20/40 MHz wide channels
- 802.11ac: 20/40/80/160 MHz wide channels
- Use of the TDWR (Terminal Doppler Weather Radar) channels is prohibited by regulators
WiFi Channels on 60 GHz - 802.11ad
- The maximum bit-rate of a wireless channel is limited by its bandwidth
- 83.5 MHz of spectrum in the 2.4 GHz band
- 0.55 GHz of spectrum in the 5 GHz band
- 7 GHz of spectrum in the 60 GHz band
- A total of 4 channels, each 2.16 GHz wide
Modes of WiFi
- Master - Access Point or Base Station
- Managed - Infrastructure Mode (client)
- Ad-hoc - peer-to-peer
- Mesh - Mesh cloud (planned ad-hoc)
- Repeater
- Monitor (promiscuous) - (DEMO)
Modes and capabilities of WiFi NICs
- Not all WiFi NICs are the same - DEMO
TX power
- Limited by each country's laws/regulations
- In Europe
  - 17 dBm (or 50 mW) TX power
  - Max Equivalent Isotropically Radiated Power (EIRP) of 20 dBm (or 100 mW)
- Regulatory settings can be changed via kernel modification
- You can also move your country setting to one with more permissive regulations - DEMO
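The dBm/mW conversion and the EIRP budget behind the European figures above, as an added example that is not from the slides; it is the check I would run before fitting a higher-gain antenna, to see whether the conducted TX power must be turned down to stay at or under the 20 dBm EIRP limit quoted on the slide. The limit constant and the assumption that EIRP = TX power + antenna gain - cable loss are mine.

```python
import math

# EIRP limit quoted on the slide for Europe (2.4 GHz): 20 dBm, i.e. 100 mW
EU_EIRP_LIMIT_DBM = 20.0

def dbm_to_mw(dbm):
    """Convert a power level in dBm to milliwatts: P_mW = 10^(dBm/10)."""
    return 10 ** (dbm / 10)

def mw_to_dbm(mw):
    """Convert milliwatts to dBm: dBm = 10 * log10(P_mW)."""
    return 10 * math.log10(mw)

def eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db=0.0):
    """EIRP in dBm: conducted TX power plus antenna gain minus cable/connector loss."""
    return tx_power_dbm + antenna_gain_dbi - cable_loss_db

def max_tx_power_dbm(antenna_gain_dbi, cable_loss_db=0.0, eirp_limit_dbm=EU_EIRP_LIMIT_DBM):
    """Largest conducted TX power (dBm) that keeps EIRP within the limit for a given antenna."""
    return eirp_limit_dbm - antenna_gain_dbi + cable_loss_db

def check_setup(tx_power_dbm, antenna_gain_dbi, cable_loss_db=0.0, eirp_limit_dbm=EU_EIRP_LIMIT_DBM):
    """Report the resulting EIRP in dBm and mW and whether the setup stays within the limit."""
    e = eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db)
    return {
        "eirp_dbm": e,
        "eirp_mw": round(dbm_to_mw(e), 1),
        "compliant": e <= eirp_limit_dbm + 1e-9,   # small tolerance for float rounding
        "max_tx_power_dbm": max_tx_power_dbm(antenna_gain_dbi, cable_loss_db, eirp_limit_dbm),
    }
```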
WiFi Frames
- There are 3 main types of 802.11 frame
  - Control frames
  - Management frames
  - Data frames
Control Frames
- Acknowledgement (ACK)
- Request to Send (RTS) frame
- Clear to Send (CTS) frame
Management Frames
- Beacons
- Probes
- Authentication frames
- Association frames
Beacons
- DEMO
- SSID flood attack - DEMO
Probes
Authentication Frames
- Authentication
- Deauthentication - DEMO
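A small frame classifier and deauthentication-flood detector for the frame types listed on the last few slides, as an added example that is not from the slides. It decodes the 802.11 Frame Control byte (type and subtype) of raw MPDUs without a radiotap header, and the sample capture is constructed inline with locally administered MAC addresses; the per-transmitter threshold is an assumption, not a standard value.

```python
import struct

# Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype (IEEE 802.11).
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
}

def classify(frame):
    """Return (type, subtype) names for a raw 802.11 MPDU (no radiotap header in front)."""
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return TYPE_NAMES.get(ftype, "reserved"), SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}")

def transmitter(frame):
    """Address 2 (transmitter) of a management frame as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in frame[10:16])

def build_mgmt(subtype, dst, src, bssid, seq=0, body=b""):
    """Constructed management frame: FC, duration, addr1 (dst), addr2 (src), addr3 (BSSID), seq ctrl, body."""
    fc = bytes([subtype << 4, 0])   # type 0 (management), protocol version 0, no flags
    return fc + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4) + body

def detect_deauth_flood(frames, threshold=10):
    """Count deauthentication frames per transmitter and return those at or above the threshold."""
    counts = {}
    for f in frames:
        if classify(f) == ("management", "deauthentication"):
            mac = transmitter(f)
            counts[mac] = counts.get(mac, 0) + 1
    return {mac: n for mac, n in counts.items() if n >= threshold}

# Constructed sample capture: one beacon, then 20 deauthentication frames carrying the AP's address.
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
REASON_CLASS3 = struct.pack("<H", 7)   # reason code 7: class 3 frame from a non-associated station
SAMPLE = [build_mgmt(8, BROADCAST, AP, AP)] + [
    build_mgmt(12, CLIENT, AP, AP, seq=i, body=REASON_CLASS3) for i in range(20)
]
```

In a real capture the transmitter address of a flood is usually spoofed to look like the AP, so the detector flags the address being abused, which is exactly the station to alert on.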
Common Attacks and Vulnerabilities
- Open networks
- Weak encryption
- Weak designs - WPS
Open Networks
- No encryption, everything is on the air - DEMO
- Easy target for man-in-the-middle (MITM) attacks
- Evil access points - DEMO
Weak encryption - WEP (Wired Equivalent Privacy)
- Part of the 802.11 specification
- Aims to make the connection at least as secure as a wired connection
- Used to protect MAC Protocol Data Units (MPDUs)
- 802.11 describes WEP as having two main parts
  - The first is the Authentication part
  - The second is the Encryption part
- Mostly used until 802.11i
- Uses the RC4 algorithm for encryption, which isn't secure
- Easy to break, in less than 5 minutes
WPA & WPA2
- Dictionary attacks
- Known passwords
Weak designs
- WPS - WiFi Protected Setup
- WPS can be used in 3 ways
  - WPS button press
  - Client-generated 8-digit PIN
  - Access-point-generated 8-digit PIN
WPS vulnerability
- The PIN is almost always printed on the AP/router/modem
- The PIN is sent in two stages
- Only 11,000 possibilities to try
EM/RF leaking & TEMPEST
- Leon Theremin - Video
The Thing - The Great Seal bug
- Designed by Léon Theremin
- Consisted of a tiny capacitive membrane connected to a small quarter-wavelength antenna
EM/RF leaking
- Every wire is an antenna
- Your screen and typing can be monitored even if you are not online
TEMPEST
- TEMPEST is a National Security Agency specification and NATO certification[1][2] referring to spying on information systems through
  - Radio or electrical signals
  - Sounds
  - Vibrations
Tools
- Ubertooth
- RTL2832U - Realtek
- HackRF
Ubertooth
- A Bluetooth sniffer
- Can also inject frames
- About $100
RTL2832U - Realtek
- A USB 2.0 DVB-T TV card
- Can operate as a 25 MHz - 1.7 GHz Software Defined Radio (SDR)
- Only $10
- DEMO (adsbsharp, adsbscope, hdsdr, GNU Radio Companion)
- What you can do with it
HackRF
- 10 MHz - 6 GHz transceiver SDR
- Needs a HAM Radio Operator license
- About $350
- What you can do with it
References
- http://www.scholartica.com/
- http://www.hak5.org
- http://wireless.kernel.org/en/users/Documentation/Bluetooth-coexistence
- http://www.tekgear.com/PDF/WHP-050004-1V0%20Bluetooth%20and%20802.11%20Coexistence.pdf
- http://www.freshpatents.com/Enhanced-2-wire-and-3-wire-wlan-bluetooth-coexistence-solution-dt20070712ptan20070161349.php
- https://greatscottgadgets.com
Thank you

Kablosuz İletişim ve Güvenlik (Wireless Communication and Security)