Use Our Offense to Inform Your Defense
Wireless network security assessments help an organization gain a clear understanding of the risks facing its information assets from an outsider's perspective – a measure of the publicly accessible exposure that may be probed and attacked by passers-by, proximate targeted attackers, or contractors and visitors. Common wireless network environments include WiFi connectivity for guests and internal users, Bluetooth personal area network (PAN) environments, and purpose-built 802.15.4 / ZigBee networks.
Whether a high-level overview or a thorough, in-depth review is desired, DISD works with your staff to produce prioritized findings, recommendations, and remediation or mitigation steps to fit your organization's profile.
DISD performs wireless network security assessments according to well-developed and refined methodologies, in order to provide thorough, accurate, and reproducible results. WiFi security testing typically begins with identification of accessible 802.11 networks, confirmation of target SSIDs, and identification of any rogue access points. Consultants determine the target network's BSSID, band, frequency, encryption, and authentication settings. DISD captures encrypted communications and client authentication traffic to aid in password guessing attacks, and utilizes automated software and high-power GPU clusters to efficiently attempt encryption key cracking. When successful, consultants decrypt captured traffic, gain access to the wireless network, and test segregation controls to the internal network.
Activities involved in a WiFi network penetration test include, but are not limited to:
Bluetooth security tests begin with spectrum analysis techniques to passively discover traffic indicative of Bluetooth transmissions. Active discovery techniques are used to locate devices in "discoverable mode", then enumerate these devices' addresses, names, and services. For "non-discoverable" devices, passive sniffing combined with brute-force techniques reveals device addresses. With knowledge of the device address, consultants connect to target devices to further enumerate details such as device class, features, Bluetooth specification, and protocol stacks implemented. Enumeration also reveals security protections such as encryption, authentication, and authorization. Traditional authentication pairing traffic is captured and subjected to offline brute-force attacks to identify the PIN value and the corresponding link key. This key value is used to connect to the target device (bypassing address-based authorization checks if necessary), and potentially to decrypt captured network traffic. Susceptibility to denial-of-service and service degradation attacks can be measured. Further, input validation and fuzzing activities can be undertaken to test protocol and application robustness and fault tolerance. Depending on the target device profile, unauthorized access may be leveraged, for example, to inject or record audio to and from a headset device (HSP), to download sensitive files (OPP/OBEX, FTP), or for other relevant actions.
Activities involved in a Bluetooth security assessment include, but are not limited to:
802.15.4 (including ZigBee-based) security tests begin with active discovery attempts to identify router and coordinator device addresses, PAN IDs, channels, and stack versions. Passive sniffing additionally locates end devices once an active channel has been identified. Enumeration of security protections around confidentiality and integrity, as well as discovery of application-layer profiles, follows. Traffic is captured and analyzed to verify the existence or lack of encryption. Where over-the-air key provisioning is utilized, plaintext keys are extracted. Attempts are made to replay captured traffic into the network. Given physical access to a ZigBee device, consultants attempt to extract and analyze memory space and search for stored encryption keys. With knowledge of the encryption key, consultants decrypt captured traffic and modify selected packets for replay attempts. This key is also used to directly access the network in order to interact with and manipulate routers, coordinators, and end devices. Susceptibility to denial-of-service and service degradation attacks can also be measured, and fuzzing activities can be undertaken to test application robustness and fault tolerance.
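The "verify the existence or lack of encryption" step above can be audited from a packet capture by reading the MAC frame control field of each 802.15.4 frame. The following is an added example, not DISD's tooling: it decodes the frame control field and counts data and command frames sent with and without the MAC-layer security bit, using a few constructed frames as input.

```python
import struct

# IEEE 802.15.4 MAC frame control field: 16 bits, transmitted little-endian.
# bits 0-2 frame type, bit 3 security enabled, bit 5 ack request,
# bit 6 PAN ID compression, bits 10-11 dst addr mode, bits 12-13 frame
# version, bits 14-15 src addr mode.
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}


def parse_fcf(frame: bytes) -> dict:
    """Decode the frame control field at the start of a MAC frame."""
    if len(frame) < 2:
        raise ValueError("frame too short for a frame control field")
    (fcf,) = struct.unpack_from("<H", frame, 0)
    return {
        "type": FRAME_TYPES.get(fcf & 0x7, "reserved"),
        "security_enabled": bool(fcf & 0x0008),
        "ack_request": bool(fcf & 0x0020),
        "pan_id_compression": bool(fcf & 0x0040),
        "dst_addr_mode": (fcf >> 10) & 0x3,
        "frame_version": (fcf >> 12) & 0x3,
        "src_addr_mode": (fcf >> 14) & 0x3,
    }


def audit_capture(frames) -> dict:
    """Count data/command frames with and without MAC-layer security."""
    summary = {"secured": 0, "unsecured": 0, "other": 0}
    for frame in frames:
        fcf = parse_fcf(frame)
        if fcf["type"] not in ("data", "command"):
            summary["other"] += 1  # beacons and acks carry no payload
        elif fcf["security_enabled"]:
            summary["secured"] += 1
        else:
            summary["unsecured"] += 1
    return summary


# Constructed sample frames (only the leading bytes matter here):
# 0x8841 = data frame, short addressing, PAN ID compression, no security;
# 0x8849 = the same with the security-enabled bit set.
SAMPLE_FRAMES = [
    bytes.fromhex("418801aa12340000"),  # data, unsecured at MAC layer
    bytes.fromhex("498802aa12340000"),  # data, MAC security enabled
    bytes.fromhex("020003"),            # acknowledgement
    bytes.fromhex("008004aa1234"),      # beacon
]
```

ZigBee networks usually apply security at the NWK or APS layer rather than at the MAC layer, so a clear MAC security bit is a prompt to inspect the NWK frame control field as well, not proof that the payload is plaintext.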
Activities involved in a ZigBee security assessment include, but are not limited to:
DISD works with our customers to identify the goals of security assessments prior to testing, and is available to assist in remediation efforts upon request.
Contact us to learn more or to receive a quote.