
Wireless & Cellular Networks

Wireless Networks

  • Li-Fi: Uses light for communication, boasting speeds that surpass Wi-Fi.

  • Zigbee: A low-energy wireless protocol tailored for IoT devices.

  • Satellite: Leverages orbiting satellites for communication.

Zigbee Personal Area Network (PAN)

  • Description: A short-range wireless PAN technology tailored for automation, machine-to-machine communication, remote control, and IoT device monitoring.

  • Security Features:

    • Supports both centralized and decentralized security models.
    • Relies on securely transmitted symmetric keys (typically encrypted in-transit).
  • Potential Vulnerability: During the pre-configuration phase, there's a brief window when a single key might be transmitted without protection.

  • Use Cases: Commonly found in IoT and smart home hubs (Amazon Echo, Philips Hue lights).

Bluetooth & IEEE 802.15

Definition: Bluetooth falls under the IEEE 802.15 standard, commonly known as a Personal Area Network (PAN).

Usage:

  • Bluetooth connects devices such as cell phone headsets, mice, keyboards, GPS, and many other gadgets.
  • Bluetooth has historically been a target for various exploits, making it a significant wireless security concern. Bluetooth's many vulnerabilities can be seen with a quick "Bluetooth exploit" Google search.

Connection Setup:

  • Devices connect via pairing, where a primary device scans for other devices on the 2.4 GHz radio frequency.

  • Pairing typically uses a 4-digit code. This is not primarily a security feature, but rather to prevent accidental connections.

Mobile System Attacks: Bluetooth Vulnerabilities


Bluejacking (Annoyance)

Definition: Bluejacking is akin to a digital prank, similar to the real-world "ding-dong-ditch."

How it works:

  • Tech-savvy individuals push unsolicited messages to other Bluetooth users within proximity.

  • The intent is often to annoy or playfully engage them.

  • This exploits a loophole in Bluetooth's messaging options.

Bluejacking is more about mischief than causing harm.


Bluesnarfing (Data Theft)

Definition: A serious threat where unauthorized users wirelessly connect to early Bluetooth devices to illicitly access and manipulate data.

How it works:

  • The attacker stealthily connects to the device without the owner's knowledge.

  • Once connected, they can download and even alter data.

Bluesnarfing directly jeopardizes user data and privacy.


Bluebugging

Definition: A more advanced form of Bluesnarfing where attackers gain comprehensive remote control over a Bluetooth device.

How it works:

  • The attacker exploits vulnerabilities to control various features and functionalities.

  • This can involve activating microphones, using the phone as a surveillance tool, or manipulating device settings.

Bluebugging provides attackers with an alarming amount of control over the victim's device.

SSID Broadcast

Definition: The SSID (Service Set Identifier) is the name of a wireless network.

  • Broadcast Mechanism: Wireless networks periodically announce their SSID in a beacon frame, which the access point transmits at a regular interval.

  • Automatic Detection: When the SSID is broadcast, any device with an "automatic detect" setting can discover and potentially connect to the network.

  • Hidden SSID: Concealing the SSID is a technique known as "security through obscurity." While it might deter casual users, the SSID can still be detected via client traffic by those who know how to look.
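Worked example, added here and not part of the original notes: a small parser for the tagged fields of 802.11 management frames, run over three hand-built frames (no FCS, constructed MAC addresses). It shows that a hidden network's beacon carries an empty SSID element, while a client's probe request for that network names it in the clear. This is the same view a wireless IDS or a passive site-survey tool has of the air.

```python
"""Where the SSID appears in 802.11 management frames.

Added example, not from the original notes. The three frames below are
constructed by hand (no trailing FCS, made-up locally administered MACs).
A 'hidden' network sends a zero-length SSID element in its beacons, but a
client that knows the network asks for it by name in its probe requests.
"""
import struct
from typing import Dict, Optional, Set, Tuple

MGMT_HDR_LEN = 24       # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BEACON_FIXED_LEN = 12   # Timestamp(8) Beacon interval(2) Capability(2)
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_SUPPORTED_RATES = 1

BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("02005e000001")      # constructed
CLIENT_MAC = bytes.fromhex("02005e000002")  # constructed


def ie(ie_id: int, value: bytes) -> bytes:
    """One tagged parameter: 1-byte element ID, 1-byte length, value."""
    return bytes([ie_id, len(value)]) + value


def build_mgmt(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Management frame (type 0) with the given subtype, zero duration and sequence number."""
    frame_control = bytes([subtype << 4, 0x00])
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def beacon_body(ssid: bytes) -> bytes:
    # Fixed fields: timestamp, beacon interval (100 TU), capability bits (ESS + privacy).
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    return fixed + ie(IE_SSID, ssid) + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))


VISIBLE_BEACON = build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_MAC, AP_MAC, beacon_body(b"GuestNet"))
HIDDEN_BEACON = build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_MAC, AP_MAC, beacon_body(b""))
CLIENT_PROBE = build_mgmt(
    SUBTYPE_PROBE_REQ, BROADCAST, CLIENT_MAC, BROADCAST,
    ie(IE_SSID, b"CorpNet-Hidden") + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96])),
)


def frame_subtype(frame: bytes) -> int:
    """Frame Control byte 0: bits 2-3 are the type (0 = management), bits 4-7 the subtype."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    return (fc0 >> 4) & 0xF


def parse_ies(body: bytes) -> Dict[int, bytes]:
    """Walk the tagged parameters; the first occurrence of each element ID wins."""
    ies: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated information element")
        ies.setdefault(ie_id, value)
        i += 2 + ie_len
    return ies


def extract_ssid(frame: bytes) -> Tuple[str, Optional[str]]:
    """Return (frame kind, SSID); SSID is None when hidden (beacon) or wildcard (probe request)."""
    subtype = frame_subtype(frame)
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        kind = "beacon" if subtype == SUBTYPE_BEACON else "probe-response"
        body = frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:]
    elif subtype == SUBTYPE_PROBE_REQ:
        kind = "probe-request"
        body = frame[MGMT_HDR_LEN:]   # probe requests have no fixed fields before the IEs
    else:
        raise ValueError(f"unsupported management subtype {subtype}")
    ssid = parse_ies(body).get(IE_SSID, b"")
    # Hidden APs send a zero-length SSID (some send NUL bytes instead).
    if len(ssid) == 0 or set(ssid) == {0}:
        return kind, None
    return kind, ssid.decode("utf-8", errors="replace")


def observe(frames) -> Dict[str, Set[str]]:
    """Network names learned from each kind of frame seen on the air."""
    seen: Dict[str, Set[str]] = {}
    for frame in frames:
        kind, ssid = extract_ssid(frame)
        if ssid is not None:
            seen.setdefault(kind, set()).add(ssid)
    return seen


if __name__ == "__main__":
    for kind, names in observe([VISIBLE_BEACON, HIDDEN_BEACON, CLIENT_PROBE]).items():
        print(f"{kind:15s} {sorted(names)}")
```

Running it shows "GuestNet" learned from a beacon and "CorpNet-Hidden" learned only from the client's probe request; the hidden beacon contributes nothing, which is exactly why hiding the SSID is obscurity rather than security.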


TKIP (Temporal Key Integrity Protocol)

Definition: TKIP was introduced as a safer alternative to WEP without necessitating hardware replacements.

  • Implementation: Incorporated into the 802.11 standard under the designation "WPA" (Wi-Fi Protected Access).

While TKIP/WPA was an improvement over WEP, it was later surpassed by more secure protocols.


CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)

Definition: Developed to succeed both WEP and TKIP/WPA, offering a more robust encryption method.

  • Technical Details: Utilizes the AES encryption algorithm with a 128-bit key.

  • WPA2: Introduced CCMP as its encryption scheme, based on AES. Marked a significant improvement over WEP and WPA.

    WPA2 with CCMP/AES became the gold standard for Wi-Fi security.


Authentication Protocols


1. EAP (Extensible Authentication Protocol)

Definition: An authentication framework rather than a fixed protocol.

Features:

  • Provides flexibility, allowing integration of new authentication methods without replacing existing connection technologies.

    Think of EAP as a framework that accommodates various authentication mechanisms.

  • Its extensibility enables the addition of new authentication capabilities to existing hardware without major changes.


2. PEAP (Protected EAP)

Definition: An enhanced version of EAP, providing additional protection.

Features:

  • Encapsulates various EAP methods within a TLS (Transport Layer Security) tunnel, ensuring secure communication.

PEAP offers increased security by wrapping EAP methods in a protective TLS layer.
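Added example, not from the original notes and not wpa_supplicant's own code: a small checker for wpa_supplicant.conf network blocks that use PEAP. The TLS tunnel only protects the inner credential if the client verifies the server certificate, so the checker flags blocks missing ca_cert, domain_suffix_match, or anonymous_identity. The option names are real wpa_supplicant settings; the two config blocks, the SSID, the username, and the CA path are constructed.

```python
"""Lint wpa_supplicant 'network' blocks that use PEAP.

Added example, not from the original notes. PEAP wraps the inner EAP method
in TLS, but that tunnel is only as good as the client's check of who is on
the other end. The settings looked for here are the ones that do that check.
The two configs are constructed; the option names are wpa_supplicant's.
"""
import re
from typing import Dict, List

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a key -> value dict (comments and quotes stripped)."""
    networks = []
    for block in BLOCK_RE.findall(conf):
        settings: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks


def audit_peap(net: Dict[str, str]) -> List[str]:
    """Findings for one network block; empty list when it is not PEAP or is configured safely."""
    findings: List[str] = []
    if net.get("eap", "").upper() != "PEAP":
        return findings
    name = net.get("ssid", "<no ssid>")
    if not net.get("ca_cert"):
        # Without a CA the supplicant accepts any server certificate: the tunnel
        # can terminate at whichever RADIUS server answers.
        findings.append(f"{name}: no ca_cert, server certificate is not validated")
    if not net.get("domain_suffix_match") and not net.get("subject_match"):
        # A CA alone is not enough when it issues certs to many hosts.
        findings.append(f"{name}: no domain_suffix_match, any certificate from the CA is accepted")
    if not net.get("anonymous_identity"):
        # The outer EAP-Identity response travels outside the TLS tunnel.
        findings.append(f"{name}: no anonymous_identity, the real username is sent unencrypted")
    return findings


def audit_config(conf: str) -> List[str]:
    out: List[str] = []
    for net in parse_networks(conf):
        out.extend(audit_peap(net))
    return out


# Constructed: a block that "works" but trusts whoever answers.
WEAK_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
'''

# Constructed: the same network with server validation turned on.
HARDENED_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
'''

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_config(conf) or "OK")
```

The same three settings have equivalents on managed clients (Windows and Android profiles expose "validate server certificate" and a server-name match); the point is that the TLS layer PEAP adds is only protective when the supplicant is told what to trust.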


3. LEAP (Lightweight EAP)

Definition: Cisco's version of EAP, introduced as an alternative security measure for WPA.

Features:

  • Served as Cisco's response to TKIP for WPA.

  • It was introduced before TKIP became a standard in the 802.11i/WPA2 system.

Though LEAP was an interim solution, it had known vulnerabilities. Use more modern and secure methods.


MAC Filtering

Definition: A security mechanism that allows or denies network access to wireless clients based on their MAC addresses.

Key Features:

  • Authorized List: Wireless Access Points (WAPs) maintain a list of permitted MAC addresses, ensuring only authorized devices can connect.

  • Information: Even if a device knows the SSID, it cannot access the network without a MAC address on the approved list.

  • Enhanced Security: MAC filtering adds an extra layer of protection by ensuring only pre-approved devices can join the network.

While effective, MAC filtering is not foolproof. Attackers can spoof MAC addresses.
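Added example (not from the original notes): the allow-list decision an access point makes when MAC filtering is on, with address normalization and a check for the "locally administered" bit that randomized client addresses carry. Phones that randomize their Wi-Fi MAC per network will never match a list of hardware addresses, so the check reports that case separately. All MAC addresses are constructed.

```python
"""Allow-list check behind a wireless AP's MAC filter.

Added example, not from the original notes. Shows the decision itself and
one practical limit: the filter only ever sees the address the client
presents. Randomized (per-network) client MACs have the locally
administered bit set and will not match a list of burned-in addresses, so
they are reported distinctly. Addresses below are constructed.
"""
import re
from typing import Iterable, NamedTuple, Set

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet: group address, never a real client."""
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet: not a vendor-assigned address (e.g. randomized by the OS)."""
    return bool(first_octet(mac) & 0x02)


class Decision(NamedTuple):
    allowed: bool
    reason: str


def load_allow_list(entries: Iterable[str]) -> Set[str]:
    """Normalize every entry so that formatting differences cannot cause a silent mismatch."""
    return {normalize_mac(e) for e in entries}


def mac_filter(client_mac: str, allow_list: Set[str]) -> Decision:
    mac = normalize_mac(client_mac)
    if is_multicast(mac):
        return Decision(False, "multicast/broadcast address cannot be a client")
    if mac in allow_list:
        return Decision(True, "on allow-list")
    if is_locally_administered(mac):
        return Decision(False, "not on allow-list; randomized address (locally administered bit set), "
                               "client needs MAC randomization disabled for this SSID")
    return Decision(False, "not on allow-list")


# Constructed allow-list in three common notations.
ALLOW_LIST = load_allow_list(["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"])

if __name__ == "__main__":
    for client in ("00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:61", "3a:4b:5c:6d:7e:8f"):
        print(client, mac_filter(client, ALLOW_LIST))
```

The randomized-address case is the one that generates support tickets: the device is legitimate but the filter cannot know that, which is the same root problem as spoofing seen from the other side. The filter only identifies an address, not a device, so it belongs alongside real authentication (WPA2/WPA3 with a strong key or 802.1X), not in place of it.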


Captive Portals

Definition: A web page displayed to newly connected users before they are granted broader access to network resources.

Features:

  • Redirection: Newly connected clients are automatically redirected to the captive portal page.

  • Access Control: Often used in public Wi-Fi hotspots (like hotels, airports, or cafes) to ensure users accept terms of service, enter login credentials, or make payments before accessing the internet.

  • Example: A page that appears when you connect to a public network is typically a captive portal.

  • Additional Security: Helps network administrators control user access, monitor activity, and protect network resources.

Wireless Technologies

Wireless Standard        | Frequency       | Maximum Data Rate | Description
-------------------------|-----------------|-------------------|-----------------------------------------------
IEEE 802.11 (original)   | 2.4 GHz         | 2 Mbps            | Initial Wi-Fi standard from 1997
IEEE 802.11a             | 5 GHz           | 54 Mbps           | Early high-speed standard
IEEE 802.11b             | 2.4 GHz         | 11 Mbps           | Popular early standard, superseded by 802.11g
IEEE 802.11g             | 2.4 GHz         | 54 Mbps           | Backwards compatible with 802.11b
IEEE 802.11n             | 2.4 GHz & 5 GHz | 200+ Mbps         | MIMO tech for increased speeds
IEEE 802.11ac            | 5 GHz           | 1 Gbps            | Widely adopted for high-speed networks
IEEE 802.11ax (Wi-Fi 6)  | 2.4 GHz & 5 GHz | 10 Gbps           | Next-generation Wi-Fi with improved efficiency

Antennas


Antenna       | Direction       | Description                                                                                                          | Commonly Used For
--------------|-----------------|----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------
Monopole      | Omnidirectional | Single pole antenna. Can send and receive signals in all directions perpendicular to the line of the antenna.       | Mobile communication, car radios.
Panel (Patch) | Directional     | Flat directional antenna for specific indoor directions.                                                             | Indoor wireless access points where directed coverage is needed.
Dipole        | Omnidirectional | Antenna with two poles. Provided with most wireless routers and APs. Generates powerful signals in restricted space.  | General purpose wireless coverage in homes and small offices.
Loop          | Omnidirectional | An antenna made from a loop of conductor with spacing to its center.                                                 | Shortwave radios, RFID, some TV antennas.
Cantenna      | Directional     | A highly directional waveguide antenna made from an open-ended metal can.                                            | DIY projects for boosting Wi-Fi signals, especially for long-range Wi-Fi.
Yagi          | Directional     | High-gain directional antenna with a dipole, reflector, and multiple directors.                                      | TV reception and long-distance point-to-point links.
Parabolic     | Directional     | Dish-shaped antenna that focuses RF energy into a narrow beam. Used for long distances and/or weak sources.          | Satellite communications and long-haul microwave links.

Cellular Networks

  • 4G: Represents the fourth generation of mobile network tech.

  • 5G: Offers quicker data transfer rates compared to 4G.

There are notable security concerns with 5G fallback, identified below. 

5G Cellular

Features

  • Performance: Offers faster data transfer speeds and reduced latency compared to previous generations.

  • User Identification:

    • While both 4G and 5G devices can utilize eSIM technology, which is essentially a digital SIM embedded in devices, the way these devices communicate with networks differs. In 5G, there is an improved and more secure identification process.

    • Instead of constantly broadcasting a permanent identifier (IMSI in 4G), 5G uses a Subscription Permanent Identifier (SUPI) which can be concealed when transmitted. This concealed version, called Subscription Concealed Identifier (SUCI), provides better security and privacy.

eSIM is a physical change (embedded SIM) in the device, while SUPI and SUCI are part of 5G's protocol to enhance privacy.

Security Enhancements

  • Air Interface Threats:

    • 5G introduces mechanisms to combat threats like session hijacking.

    • By encrypting the user’s identity (using SUCI), potential interception or tracking becomes more difficult.

    "Specific methods used in 5G to address air interface threats would be a good deeper dive for understanding."

  • 5G Versions

    • NSA (Non-Standalone) 5G: Initially, many carriers adopted NSA 5G, which leans on 4G for control signaling. It's a transitional approach.

    • SA (Standalone) 5G: Fully independent of older architectures and considered more secure. You can tell whether you are on NSA or SA by whether your device falls back to 4G.

  • Diameter Protocol: This protocol is critical for authentication, authorization, and accounting (AAA).

    Warning: Given its pivotal role in network operations, it's a potential target for attackers who wish to disrupt or gain unauthorized access.

Concerns

  • Legacy Issues: Operating alongside older technologies (3G/4G) means that vulnerabilities from those generations might be targeted in 5G, especially in NSA scenarios.

  • IoT and DDoS: With a vast number of IoT devices set to use 5G, the risk of large-scale DDoS attacks grows.

    A high number of connected devices implies a broad attack surface. If multiple devices get compromised, they can collectively launch massive DDoS attacks.

  • Transition: The reliance on 4G core in NSA 5G will diminish as more infrastructure is upgraded and more users adopt pure 5G devices.