Wireless Intrusion Detection Systems (WIDS)

In a traditional, hard-wired network, the only way in is through the Internet-facing router. Most modern networks, though, include 802.11 wireless access points (APs). If they aren't well-secured, or if there are unauthorized APs on the network, they can open the systems to intruders.

With wireless access, there's no firm boundary between the inside and outside. Other tenants in an office building could be in range. A spy could set up an inconspicuous wireless relay outside a building. Anyone who gets past the AP's security is inside the network.

To counter this risk, networks deploy Wireless Intrusion Detection Systems (WIDS). In many ways they perform the same functions as regular intrusion detection systems, while adding wireless-specific functionality.

Risks specific to wireless

All APs should, of course, use WPA2 with strong passwords. A very common mistake is to put up the password in a place where visitors can see it. It's convenient, but it's really bad security. The APs should receive and install all available firmware updates, especially patches against the KRACK vulnerability. Administrative access needs to be locked down; the account name and password should be changed from the defaults.

A common risk is unauthorized access points. It isn't hard for an employee to plug in a personal AP on the local wired network for convenience. They might do it to connect a phone to the network — which is a security risk in itself. Some "smart devices" set up their own APs by default, and if no one changes the defaults, it's likely they have poor security, or none.

A rogue relay set up nearby could impersonate the SSID of a legitimate access point and pass data through, sending another copy of the traffic to its owner, allowing for the collection of credentials, which can then be used in a phishing attack. It has to match the real AP's password to do this successfully, but if it can, most users won't recognize it as a fake. They'll connect to it automatically if it has the strongest signal on that SSID.

The basics of WIDS

WIDS is actually a broader concept than catching break-in attempts. It also includes verifying the access points that are on the network, identifying any that shouldn't be there or have security issues, and detecting attacks on APs/clients.

A well-run network has an inventory of all authorized devices. This lets a network scan and identify any rogue devices. "Rogue" here means simply that the device wasn't approved, not necessarily that it's hostile. Network sniffing tools will probe all IP addresses and identify authorized and unauthorized ones.

Network monitoring over TCP/IP doesn't always reveal which devices have Wi-Fi capability, and it won't catch relays that aren't directly on the network, so over-the-air sniffing is necessary as well. Such sniffing will identify any APs within range and check if they have weak security.

Then we come to intrusion detection in the narrower sense. Intrusion attempts include password guessing, WPS breach attempts, and packet flooding. Detection methods are like the ones used in standard intrusion detection systems, except that they operate at all network layers from 1 (physical) up and include the special risks of wireless access. Regular intrusion detection operates on Layer 3 and higher.

Fingerprinting in a more sophisticated WIDS can be done at multiple layers. For example, at the physical/MAC layer it make sure the modulation scheme is standards-compliant and not trying to exploit idiosyncrasies in chipsets. In addition, it can can perform fine-grained analysis and comparison of capabilities advertised by an AP that a user commonly has no view into.

Rogue access points

Rogue access points can be malicious or merely unauthorized, but either way they pose a risk. The ones which people install for their own convenience may not use WPA2 or, if they do, use good passwords. They could have configuration issues, such as easy access to the administrative account from within the network or even over the Internet. If malware infects any device on the network, it could search for wireless routers and try to change their administrative settings.

Some smart (IoT) devices set up their own access points for convenience of installation. If no one has configured them or they aren't configurable, they might be open to access by anyone and create a hole in the network. Once they're discovered, it may be possible to configure them securely or disable them.

Malicious access points need to be connected to the network somehow. An employee working as someone's spy can do it without much trouble. Such APs are often devious enough to evade casual detection. Some will spoof the MAC address of a legitimate access point when transmitting malicious traffic.

A relay doesn't need to be physically connected to the network if the security of an authorized access point has been compromised. If passwords aren't protected, this isn't very hard. A relay can look on a casual scan like an AP that belongs to somebody else. Good software tools are necessary to separate the unwelcome devices from the legitimate ones by fingerprinting devices.

Unsecured access points

Access points may be legitimate but poorly secured. Open APs with no encryption are a serious risk, and it's vital to make sure none have been set up that way by accident. Others may use WEP or the original WPA, which provide very weak security. They may use WPA2 but have weak passwords.

Other intrusion paths

While 802.11 (Wi-Fi) is the most common form of wireless network access, other protocols are widely used and have their own risks. Bluetooth has a shorter range but can be a vector for intrusion.

At RSA this year more than a few people claimed that they were secure from RF attacks, but when questioned they could not articulate how they are doing this, and some didn’t understand there are other frequencies to secure other than 2.4 GHz.  

Some IoT devices use industry standards, such as many LPWANs, or custom RF protocols. A comprehensive WIDS solution needs to address all RF data communications.

WIDS tools

Tools are available for sniffing the RF traffic in their range and identifying devices. They range from free, open-source ones to sophisticated, commercially supported ones. Using them allows the discovery of rogue devices as well as attempts to break security. They log information and may issue an alert when discovering a breach attempt.

Kismet is a wireless network detector which is primarily intended for 802.11 but can be expanded to other protocols. It has multiple uses, including identification of all devices within range or monitoring a single one. Using it for intrusion detection requires an appropriate setup, and installation is complicated.

Netstumbler was once well regarded as an scanning tool, but it hasn't been maintained in many years. Its last release was in 2004.

Commercial tools, including Bastille's, provide a supported WIDS with a convenient user interface

Bastille monitors the RF-spectrum from 60 Mhz to 6 Ghz, covering a wide range of RF-enabled devices from IoT, through cell phones and hotspots all the way up to rogue Wi-Fi and other RF potential threats.

A network security system has to include wireless intrusion detection if it's going to protect the network effectively from the growing number of unauthorized RF-enabled devices that enter your organization’s airspace everyday.

Learning more

Many tools are available for detecting wireless devices, but not all of them do a good job. Creating a complete map of Wi-Fi and Bluetooth devices in an area requires the most advanced techniques available. To find out more about RF security, look through Bastille's white papers and webinars.