Wireless networks are now used in all sorts of places. They offer an easy way to provide a connection that is available to everyone (really everyone) in a given location, without laboriously installing cabling. So, an almost perfect connection technology. But what are the threats, and especially the real threats, to this method of communication?
The first and most basic problem of wireless technology is the transmission medium itself. Because the signal is carried by electromagnetic
waves, anyone who can intercept it and has suitable receiving equipment is a possible recipient.
The only protection against unauthorized access to the network is therefore good-quality cryptography.
Wi-Fi networks, by generation, occupy bands defined by IEEE standards. These are frequency ranges around 2.4GHz,
5GHz, 6GHz and 60GHz. The 2.4GHz and 5GHz bands belong to the ISM (Industrial, Scientific, Medical) bands, i.e. frequencies that are freely
usable. Other technologies such as Bluetooth, microwave ovens and some other
LAN or PAN technologies (PAN means Personal Area Network, usually wearable electronics) also operate at 2.4GHz.
Frequencies around 2.4GHz are heavily absorbed by moisture. At 5GHz and 6GHz, absorption by other
materials such as masonry also occurs, but moisture again has the greatest influence on attenuation. This is the effect of the strong
dielectric relaxation of water molecules. In plain terms, a water molecule is polar and tries to
align with the external electric field. Because it cannot keep up with the high frequency, part of the energy is absorbed and spent on overcoming the bonds
with neighbouring molecules, i.e. the water warms up. At 60GHz the situation is different: here moisture does not matter.
Because of the high frequency, there must be a direct line of sight between transmitter and receiver. However, because this frequency
lies in the resonance band of the O2 molecule, there is significant attenuation, up to 15dB/km.
For these frequency bands, transmission power is usually limited by local laws. The power is given as EIRP
(Equivalent Isotropically Radiated Power), i.e. the equivalent of the power radiated uniformly by an omni-directional antenna.
However, the following rules usually apply:
Throughput depends on the width of the channel itself, and a given band can contain several channels. As a rule,
channel widths of 20MHz give up to 150 Mbps, 40MHz up to 300Mbps, 80MHz up to 600Mbps and 160MHz up to 1200Mbps.
This is a maximum throughput, not a stable speed. The throughput decreases with the number of networks on one
frequency, because the networks interfere with each other as they compete for the band. Other throughput problems
arise inside a network, where several clients may want access to the medium at the same time.
And what is the range at these frequencies? It depends not only on the transmitter power and antenna, but also on the antenna
of the receiver. Common rod antennas work at a distance of several tens of metres, theoretically up to a few hundred
metres in open terrain. A directional antenna, however, has completely different characteristics; under suitable conditions it is possible to communicate
even at a distance of 2.5 - 4km. In general, however, it is not possible to reach "beyond the horizon" without an amplifier that violates the norms (technical
norms because of interference, and norms of behaviour because of common decency).
The advantage of physics is that the figures can be calculated with a certain degree of accuracy. Surprisingly, the calculation is not
complicated; only a few conditions need to be met. Here are a few steps that help in understanding the influence of a particular
situation.
Transmitting power conversion
The power is given in W by default, but transmitting power is usually stated in dBm. The following formula is used for converting between these
units. When converting, take care to convert the power from W to mW first, i.e. multiply by 1000.
$P[\mathrm{dBm}] = 10 \cdot \log_{10}(P[\mathrm{mW}])$
Transmitting power P[dBm]
Transmitting power P[mW]
Free-space attenuation
Although it may not seem so, even propagation through free space causes a loss. As the distance increases, the signal strength decreases;
engineering practice puts it at approximately the square of the distance.
$L_{FS}[\mathrm{dB}] = 20 \cdot \log_{10}\left(\frac{4 \pi d f}{c}\right)$
Distance d (km)
Transmission frequency f (MHz)
Speed of light c
Attenuation by obstacles
Here the situation has to be modelled, and no simple formulas exist. Signal propagation is affected by attenuation, by reflections
and by any diffraction patterns (superposition of waves leading to amplification or attenuation). Therefore only
approximate values are usually used, or the specific situation has to be measured. Some approximate values are given in the table.
Because it is a sample, not a complete list, specific values have to be looked up. In general, however,
this attenuation increases with higher frequency.
| Obstacle | Approximate attenuation [dB] |
|---|---|
| Glass (window) | 2-4 dB |
| Wooden wall | 5-10 dB |
| Drywall | 3-6 dB |
| Brick wall | 8-15 dB |
| Concrete wall | 15-30 dB |
| Concrete wall | 20-40 dB |
| Leafy tree (summer) | 10-20 dB |
| Human body (2.4GHz) | 3-6 dB |
Equation for the received power (Pr)
Communication always takes place between two or more points, i.e. between the receiver and the sender. It is influenced by
the transmitting power, by the gain of the transmitting and receiving antennas and, of course, by the attenuation along the path.
$P_r = P_{TX} + G_{TX} + G_{RX} - (L_{FS} + L_O)$
Transmitting power P_TX (dBm)
Transmitting antenna gain G_TX (dB)
Receiving antenna gain G_RX (dB)
Free-space attenuation L_FS (dB)
Obstacle attenuation L_O (dB)
Receiver sensitivity and antenna gain
By default, Wi-Fi devices have a sensitivity of -90dBm. If they are fitted with a better antenna,
their gain increases. So, if I have a signal of -70dBm on a common 3dBi antenna
and I replace the antenna with a new one, what happens? If I replace the original 3dBi antenna with an 18dBi antenna, the receiver
gets a signal equivalent to -55dBm instead of the original -70dBm. It is therefore a simple formula.
$S_{\mathrm{eff}} = S_{RX} - G_{RX}$
Device sensitivity S_RX (dBm)
Receiving antenna gain G_RX (dBi)
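The whole link budget above (dBm conversion, free-space loss, obstacle loss, received power, antenna swap and effective sensitivity) carried through in code, as an added example that is not part of the original article. One caveat the formulas leave implicit: the ratio 4πdf/c is only dimensionless in consistent SI units, so the function converts the article's km and MHz to metres and hertz before taking the logarithm; the office scenario at the end (100 mW AP, 100 m, one brick wall) is constructed.

```python
"""Link budget using the formulas from the article: dBm conversion,
free-space loss, obstacle loss, received power and effective sensitivity.

Added example; not code from the original article. Device values used
below (sensitivity, gains, obstacle losses) are constructed for illustration.
"""
import math

C_M_PER_S = 299_792_458.0  # speed of light c in m/s


def mw_to_dbm(p_mw: float) -> float:
    """P[dBm] = 10 * log10(P[mW]); a 1 W transmitter is 1000 mW = 30 dBm."""
    return 10.0 * math.log10(p_mw)


def watt_to_dbm(p_w: float) -> float:
    """Multiply by 1000 first, as the article warns, then convert."""
    return mw_to_dbm(p_w * 1000.0)


def free_space_loss_db(d_km: float, f_mhz: float) -> float:
    """L_FS[dB] = 20 * log10(4 * pi * d * f / c).

    The article lists d in km and f in MHz; the ratio inside the logarithm
    is only dimensionless with consistent SI units, so convert to metres
    and hertz before applying it.
    """
    d_m = d_km * 1000.0
    f_hz = f_mhz * 1e6
    return 20.0 * math.log10(4.0 * math.pi * d_m * f_hz / C_M_PER_S)


def received_power_dbm(p_tx_dbm: float, g_tx_dbi: float, g_rx_dbi: float,
                       d_km: float, f_mhz: float,
                       obstacle_losses_db=()) -> float:
    """P_r = P_TX + G_TX + G_RX - (L_FS + L_O), with L_O the sum of the
    per-obstacle values taken from the attenuation table."""
    l_fs = free_space_loss_db(d_km, f_mhz)
    l_o = sum(obstacle_losses_db)
    return p_tx_dbm + g_tx_dbi + g_rx_dbi - (l_fs + l_o)


def effective_sensitivity_dbm(sensitivity_dbm: float, g_rx_dbi: float) -> float:
    """S_eff = S_RX - G_RX: a better antenna lets the receiver use a weaker signal."""
    return sensitivity_dbm - g_rx_dbi


def antenna_swap_dbm(p_rx_dbm: float, old_gain_dbi: float, new_gain_dbi: float) -> float:
    """The article's worked case: -70 dBm on a 3 dBi antenna becomes -55 dBm on 18 dBi."""
    return p_rx_dbm + (new_gain_dbi - old_gain_dbi)


def link_margin_db(p_rx_dbm: float, sensitivity_dbm: float) -> float:
    """Positive margin means the signal is above the receiver's sensitivity."""
    return p_rx_dbm - sensitivity_dbm


def example_office_link() -> dict:
    """Constructed scenario: 100 mW AP, 3 dBi antennas on both ends, 100 m,
    2.4 GHz, one brick wall (table says 8-15 dB, take 12 dB)."""
    p_rx = received_power_dbm(mw_to_dbm(100.0), 3.0, 3.0, 0.1, 2400.0, (12.0,))
    return {"p_rx_dbm": round(p_rx, 1),
            "margin_db": round(link_margin_db(p_rx, -90.0), 1)}


if __name__ == "__main__":
    print(example_office_link())
```

Free-space loss alone at 100 m and 2.4 GHz is about 80 dB, so in this scenario roughly 24 dB of margin remains above the -90 dBm default sensitivity.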
Finding Wi-Fi networks in the area is not a problem, even if they do not broadcast their SSID. Yet to this day
there are people who prefer to hide the network name. It reminds me of an ostrich trying
to hide its head in the sand while standing on a concrete slab. Scanning the band and searching for networks has even become
a pastime called wardriving. The term goes back to films such as
War Games, in which the main character accidentally connects to a system
controlling American missile defence instead of a school computer and nearly starts World War III.
Sometime after 2000, wardriving became a hobby for a certain group of IT enthusiasts, who began recording
the available networks and their security. Maps were created in most cities, and the authors exchanged transmitter
positions with each other. Later, projects were created that map these networks and gradually put them on maps, such as
Wigle.net, WiFiMap.io and others.
Other services are mapped in a similar way today. If you want to verify
the availability of 4G or 5G networks, for example, in the Czech Republic you can use the CTU portal,
in England the similar Signal checker, or worldwide
NPerf.
Although wardriving is now somewhat of a historical curiosity, it is not quite dead. It can be done by anyone
who has a computer or mobile phone. Tools for mapping networks are available, such as NetStumbler,
Kismet, Aircrack-ng
and many others. These usually run on various operating systems (Android, BSD, Linux, OSX and Windows),
or there are substitutes for a given operating system. If someone nearby uses Wi-Fi network mapping
and walks past your transmitter (access point), it will be mapped. Whether or not
the SSID is hidden does not matter. It simply has no name, but it transmits, and therefore it exists.
Once detected, there are basically two ways to determine at least approximately the location of the transmitting point. The first
is to measure from several locations and estimate the source from a signal-strength map. The second is similar,
but measures the exact transmission time of certain signals. Given the distance from the transmitting point
and the accuracy required, this means extremely accurate time synchronization, to the nanosecond. That
allows the location to be determined with an accuracy of 1m. In a similar way it is possible to use three connected computers, one of them
placed a little higher; this allows the azimuth and elevation to be determined. Again, a good time source is required, and this
accuracy is not easy to achieve. Therefore it is usually sufficient to measure the signal strength
of the given network.
The actual method of communication is defined by the standards. It includes the modulation of the transmitted signal, as well as the frequency separation of individual communication channels within the bandwidth used. Before Wi-Fi 6, collisions occurred due to random media access under CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). Standardization efforts tried to solve this problem and limit the number of collisions by creating time schedules. Since Wi-Fi 6, both frequency and time separation have been used, with time and frequency slots, so-called resource units, allocated according to the number of available stations. Beyond this, there are significant changes in communication using MIMO technology (Multiple Input, Multiple Output).
| Standard | Name | Release year | Band (GHz) | Channel (MHz) | Max. speed (Mbps) | Modulation | MIMO |
|---|---|---|---|---|---|---|---|
| IEEE 802.11 | Wi-Fi 0 | 1997 | 2.4 | 22 | 2 | DSSS FHSS | No |
| IEEE 802.11b | Wi-Fi 1 | 1999 | 2.4 | 22 | 11 | DSSS | No |
| IEEE 802.11a | Wi-Fi 2 | 1999 | 5 | 5 10 20 | 54 | OFDM | No |
| IEEE 802.11g | Wi-Fi 3 | 2003 | 2.4 | 5 10 20 | 54 | OFDM | No |
| IEEE 802.11n | Wi-Fi 4 | 2009 | 2.4/5 | 20 40 | 600 | OFDM | MIMO 4 |
| IEEE 802.11y | - | 2008 | 3.7 | 5 10 20 | 54 | OFDM | No |
| IEEE 802.11ac | Wi-Fi 5 | 2013 | 5 | 20 40 80 160 | 6928 | OFDM | MU-MIMO |
| IEEE 802.11ad | - | 2012 | 60 | - | 6757 | DMG | No |
| IEEE 802.11ax | Wi-Fi 6 | 2019 | 2.4/5 | 20 40 80 80+80 | 600–9608 | OFDMA | MU-MIMO 8 |
| IEEE 802.11ax | Wi-Fi 6E | 2020 | 2.4/5/6 | 20 40 80 80+80 | 600–9608 | OFDMA | MU-MIMO 8 |
| IEEE 802.11be | Wi-Fi 7 | 2025 | 2.4/5/6 | 80 80+80 160+80 160+160 320 | 1376–46120 | - | MU-MIMO 8 |
| IEEE 802.11bn | Wi-Fi 8 | 2028 | 2.4/5/6 | - | 100 000 | - | - |
Historically, a large number of algorithms have emerged for network login and communication encryption. These protections were gradually broken and then replaced by a more successful procedure. From today's perspective, such weak methods cannot be recommended. Currently WPA3 is the solution, but it will have to be replaced within a few years. The reason is its insufficient protection against attacks using quantum computers. Still, I can't imagine a case where attacking a Wi-Fi network with a quantum computer would pay off. But that is not an argument against a possible transition to newer technologies; it is only an input for the risk analysis.
| Standard | Name | Release year | WEP | WPA | WPA2 | WPA3 |
|---|---|---|---|---|---|---|
| IEEE 802.11 | Wi-Fi 0 | 1997 | Yes | No | No | No |
| IEEE 802.11b | Wi-Fi 1 | 1999 | Yes | Supplemented | No | No |
| IEEE 802.11a, IEEE 802.11g | Wi-Fi 2, Wi-Fi 3 | 1999, 2003 | Compatibility | Yes | Supplemented | No |
| IEEE 802.11n | Wi-Fi 4 | 2009 | No | Yes | Yes | No |
| IEEE 802.11ac | Wi-Fi 5 | 2013 | No | Yes | Yes | Supplemented |
| IEEE 802.11ax | Wi-Fi 6/6E | 2019 | No | Compatibility | Yes | Yes |
| IEEE 802.11be | Wi-Fi 7 | 2025 | No | No | Yes | Yes |
| IEEE 802.11bn | Wi-Fi 8 | 2028 | No | No | Unknown | Yes |
As you can see, the mechanisms have changed over time, with the old and unsatisfactory ones gradually replaced by newer ones. At the same time, backward compatibility had to be ensured for at least a limited period, because of the investments by equipment manufacturers and the large number of installed products. Moving to newer algorithms overnight was simply neither technically nor economically feasible, although it would have been desirable. But how are the different technologies safeguarded cryptographically? How are confidentiality and integrity ensured?
| Mechanism | IV | Algorithm | Key width | Integrity check | Key management |
|---|---|---|---|---|---|
| WEP-64 | 24-bit | RC4-40 | 40-bit | CRC-32 | No |
| WEP-128 | 24-bit | RC4 | 104-bit | CRC-32 | No |
| WEP-152 | 24-bit | RC4 | 128-bit | CRC-32 | No |
| WEP-256 | 24-bit | RC4 | 232-bit | CRC-32 | No |
| WEP2 | 128-bit | RC4 | 128-bit | CRC-32 | No |
| WPA-PSK | 48-bit | RC4 | 256-bit | MIC | 4-Way handshake |
| WPA-TKIP | 48-bit | RC4 | 256-bit | MIC | 4-Way handshake |
| WPA-EAP | 48-bit | RC4 | 256-bit | MIC | 4-Way handshake |
| WPA2-PSK | 48-bit | AES-128 CCM | 128/192/256-bit | CBC-MAC | 4-Way handshake |
| WPA2-TKIP | 48-bit | RC4 | 256-bit | MIC | 4-Way handshake |
| WPA2-CCMP | 48-bit | AES-128 CCM | 128/192/256-bit | CBC-MAC | 4-Way handshake |
| WPA2-EAP | 48-bit | AES-128 CCM | 128/192/256-bit | CBC-MAC | 4-Way handshake |
| WPA2-GCMP | 48-bit | AES-128 GCM | 128/192/256-bit | GHASH | 4-Way handshake |
| WPA3 | 256-bit | AES-128 CCM | 128/192/256-bit | CBC-MAC | WPA3-SAE |
| WPA3 | 256-bit | AES-128 GCM | 128/192/256-bit | GHASH | WPA3-SAE |
Notes:
From the point of view of data confidentiality, WEP, WEP2, WPA and WPA-TKIP are probably the worst possible choices. These mechanisms use
the old and vulnerable RC4 algorithm, which is relatively easy to break with today's computers. Weaknesses of this algorithm
have been known since 2008 (the eSTREAM competition), the first effective attack methods appeared around 2012, and in 2015 it was
completely broken. Currently WEP can be broken in under a minute and WEP2 in a matter of minutes. The newer WPA can be broken in approximately
10 minutes, WPA2-TKIP in under half an hour. For more information I recommend "RC4 No More" [1].
Mechanisms based on the AES algorithm are acceptable protection from the point of view of confidentiality, but judging this requires
more information. The reason is the influence of the authentication mechanisms that grant access to the network.
When configuring Wi-Fi networks, it is necessary to know the current attack methods in order to protect them. This makes it possible to choose how to defend the infrastructure against a possible attack. This section describes possible attacks, but it is not intended as a completely exhaustive overview.
| Attack name | Attack | Standards affected |
|---|---|---|
| WEP cracking | Traffic decryption | WEP WEP2 WPA WPA2-TKIP |
| WPA/WPA2 PSK brute-force | Obtain login credentials and decrypt traffic | WPA WPA2 |
| KRACK | Traffic decryption | WPA2 |
| kr00k | Traffic decryption | WPA2 |
| PMKID attack | Obtain login credentials and decrypt traffic | WPA2 |
| FragAttacks | Manipulate traffic without knowing the password and decrypt traffic | WEP WEP2 WPA WPA2 WPA3 |
| Deauthentication attack | Client disconnect | WEP WEP2 WPA WPA2 WPA3 |
| Evil Twin, Karma | Obtain login credentials and decrypt traffic | WEP WPA2 WPA3 |
| Dragonblood | Obtain login credentials and decrypt traffic | WPA3 |
WEP cracking
It exploits weaknesses in the RC4 encryption algorithm and in the Initialization Vector (IV) to decrypt traffic.
The protection is to migrate to WPA2 or WPA3 and never use WEP, WEP2, WPA or WPA2-TKIP.
No other protection is possible. The attack can be carried out in a matter of minutes [2].
WPA/WPA2 PSK brute-force
It is a dictionary attack on the pre-shared key (PSK) after capturing the WPA or WPA2 handshake. The solution
is to use strong passwords and migrate to WPA3-SAE [3].
KRACK (Key Reinstallation Attack)
It exploits the reinstallation of a key during the 4-way handshake to decrypt traffic. It can be used
against WPA2. The solution is to migrate to WPA3; updating the device's firmware only serves
to make things harder for the attacker [4].
Kr00k
A variant of the KRACK attack; it is a bug in Wi-Fi chipsets from two manufacturers [5].
PMKID attack
Obtains the PMKID from the handshake and runs an offline dictionary attack on the password. It affects WPA2, and the protection is both the use of strong
passwords and the transition to WPA3 [].
FragAttacks
Uses vulnerabilities in frame fragmentation and aggregation to inject malicious packets. Affects all devices
from WEP to WPA3 [7]. The protection is a firmware update.
Deauthentication attack
Sends fake deauthentication frames (logouts) to disconnect the device from the network. Affects all technologies;
the solution is to use 802.11w (Management Frame Protection) and to migrate to WPA3.
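On the detection side, a burst of deauthentication or disassociation frames for one BSSID is the signature of this attack on a network without 802.11w. The following is an added example, not from the article: it parses a constructed log of management frames (the line format and all MAC addresses are made up) and raises one alert per BSSID when the frames exceed a threshold inside a sliding time window; a real monitor-mode capture would be fed in through a packet library rather than this line parser.

```python
"""Detects deauthentication/disassociation floods in a log of 802.11
management frames, the attack the article says 802.11w is meant to stop.

Added example; not from the article. The log format and all MAC addresses
are constructed for illustration.
"""
from collections import defaultdict, deque

MGMT = 0                   # 802.11 frame type 0 = management
DEAUTH, DISASSOC = 12, 10  # management subtypes that push a client off the AP

# Constructed log: "<seconds> <type> <subtype> <src> <dst> <bssid> <reason>"
SAMPLE_LOG = """\
0.10 0 8  aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff aa:bb:cc:00:00:01 0
0.50 2 0  11:22:33:44:55:66 aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 0
1.00 0 12 aa:bb:cc:00:00:01 11:22:33:44:55:66 aa:bb:cc:00:00:01 7
1.05 0 12 aa:bb:cc:00:00:01 11:22:33:44:55:66 aa:bb:cc:00:00:01 7
1.10 0 12 aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff aa:bb:cc:00:00:01 7
1.15 0 12 aa:bb:cc:00:00:01 11:22:33:44:55:66 aa:bb:cc:00:00:01 7
1.20 0 10 aa:bb:cc:00:00:01 11:22:33:44:55:67 aa:bb:cc:00:00:01 8
1.25 0 12 aa:bb:cc:00:00:01 11:22:33:44:55:66 aa:bb:cc:00:00:01 7
5.00 0 12 aa:bb:cc:00:00:02 11:22:33:44:55:68 aa:bb:cc:00:00:02 3
"""


def parse_log(text: str) -> list:
    """Turn the text log into frame dicts, skipping blank lines."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ftype, subtype, src, dst, bssid, reason = line.split()
        frames.append({"ts": float(ts), "type": int(ftype), "subtype": int(subtype),
                       "src": src, "dst": dst, "bssid": bssid, "reason": int(reason)})
    return frames


def detect_deauth_flood(frames: list, window_s: float = 1.0, threshold: int = 5) -> list:
    """Alert once per BSSID when at least `threshold` deauth/disassoc frames
    arrive within `window_s` seconds. A healthy AP sends these rarely, so a
    burst (especially to the broadcast address) points to spoofed frames."""
    recent = defaultdict(deque)   # bssid -> frames still inside the window
    alerts, alerted = [], set()
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        window = recent[f["bssid"]]
        window.append(f)
        while window and f["ts"] - window[0]["ts"] > window_s:
            window.popleft()
        if len(window) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({
                "bssid": f["bssid"],
                "first_ts": window[0]["ts"],
                "last_ts": f["ts"],
                "count": len(window),
                "targets": sorted({w["dst"] for w in window}),
                "broadcast": any(w["dst"] == "ff:ff:ff:ff:ff:ff" for w in window),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single legitimate deauthentication for the second BSSID at 5.00 s stays below the threshold and is not reported, which is the behaviour a rogue-frame detector needs to avoid paging on every normal client logout.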
Evil Twin and Karma attack
This is the creation of a fake AP to eavesdrop or obtain login data. Because the login
authenticates the client, not the server, this attack is difficult to prevent and affects all technologies.
Certificate-based authentication, using a VPN over the Wi-Fi connection and migrating to WPA3 are a partial solution. Currently
it is possible to use the purchased PineApple device for this type of attack, or to build your own solution.
Dragonblood
Exploits weaknesses in the WPA3 SAE handshake to enable offline attacks on passwords. Affects WPA3; the solution is to update
firmware and use strong passwords.
There are other attacks besides these. Some target, for example, the initial client configuration enabled by
WPS (Wi-Fi Protected Setup), which is vulnerable if short or default PINs are used (see the Reaver tool). Then
there is a set of attacks named after the most common places where they can occur - cafe, cafe crack, Caffe Latte ...
Based on current information, maintaining a certain level of Wi-Fi network security is very challenging. A well-managed
wireless network carries minimal risks, yet some remain. Unlike metallic cabling, it is possible to
connect to the infrastructure remotely, from hundreds of metres away. The solution to this problem is both the use of
newer technologies that limit the signal outside the building and stricter access control at the network level.
Several methods can be used for stricter network management: on the one hand switching off WPS, on the other hand authentication
at the network level using IEEE 802.1X, and separating the wireless network from the rest of the infrastructure with a firewall.
As a last resort, a VPN is used to bridge the potentially dangerous infrastructure. This is, after all,
also recommended on public Wi-Fi hotspots as a safeguard against possible interception of communications.
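The article's recommendations (no WEP/WPA/TKIP, WPA3-SAE, 802.11w, WPS off, no reliance on a hidden SSID) can be checked mechanically on an access point's configuration. The following is an added example, not from the article or the hostapd project: a small audit of a hostapd-style configuration, with a weak configuration beside a hardened one; both configurations and the password placeholders are constructed, only the option names are real hostapd options.

```python
"""Audit of a hostapd-style configuration against the article's advice:
no WEP/WPA/TKIP, WPA3-SAE, 802.11w enforced, WPS off, no trust in a hidden SSID.

Added example, not from the article or the hostapd project. Both configs
are constructed; only the option names are real hostapd options.
"""

WEAK_CONF = """\
ssid=office
ignore_broadcast_ssid=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=PLACEHOLDER-not-a-real-secret
ieee80211w=0
wps_state=2
"""

HARDENED_CONF = """\
ssid=office
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=PLACEHOLDER-not-a-real-secret
ieee80211w=2
wps_state=0
"""


def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return (severity, finding) pairs; an empty list means nothing flagged."""
    out = []
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd default
    wpa = int(cfg.get("wpa", "0"))                            # bit 0 = WPA, bit 1 = WPA2/RSN
    wep = any(k.startswith("wep_key") for k in cfg) or cfg.get("auth_algs") in ("2", "3")
    if wep:
        out.append(("critical", "WEP / shared-key auth enabled: RC4, broken in minutes"))
    if wpa & 1:
        out.append(("high", "WPA version 1 allowed: relies on RC4/TKIP"))
    if "TKIP" in ciphers:
        out.append(("high", "TKIP allowed: only CCMP/GCMP (AES) are acceptable"))
    if cfg.get("wps_state", "0") != "0":
        out.append(("medium", "WPS enabled: PIN attacks (Reaver); set wps_state=0"))
    if cfg.get("ieee80211w", "0") != "2":
        out.append(("medium", "802.11w not required (ieee80211w!=2): deauth frames unprotected"))
    if wpa and "SAE" not in key_mgmt and not any("EAP" in k for k in key_mgmt):
        out.append(("low", "PSK without SAE: captured handshake allows offline dictionary attack"))
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        out.append(("info", "hidden SSID gives no protection: the AP still transmits and gets mapped"))
    return out


def is_hardened(text: str) -> bool:
    """True when the audit flags nothing."""
    return audit(parse_hostapd(text)) == []


if __name__ == "__main__":
    for severity, msg in audit(parse_hostapd(WEAK_CONF)):
        print(f"[{severity}] {msg}")
```

Client isolation, 802.1X and the firewall between the wireless segment and the rest of the network live outside this file, so the audit covers the radio-side settings only.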
Therefore, an adequate risk analysis is needed whenever Wi-Fi networks are used. There are situations where
an attack on the infrastructure costs the attacker more than the potential gain. But the decision rests with the owner
of the network. This article only serves to provide basic information about security.