The object of this research is to discover and map unauthorized wireless network access points from a drone (UAV) in critical infrastructure. Starting from the formulation of the hypothesis, it presents the design of the system, the execution of the measurements, the measurement results, and IT security suggestions. During the research, I designed a system for capturing Wi-Fi signals in the 2.4 GHz and 5 GHz ranges and converting the results into a map view.
Keywords: wireless security, Wi-Fi, wireless network, warflying, cybersecurity, critical infrastructure, drone, UAV.
The development of wireless communication took a new direction in the years after the turn of the millennium, with the advent of portable devices able to communicate wirelessly. At the same time, the black hat “professionals” of the industry evolved, initially testing the vulnerabilities of the systems and then exploiting and selling illegally obtained information. The WPA2 security protocol, released in 2004, is vulnerable today: in 2017 the WPA Key Reinstallation Attack (KRACK) vulnerability was discovered, which provides easy access to a network. The WPA1 and WPA2 protocols had been vulnerable before, but the vulnerability disclosed in 2017 shortens the attack time and requires no special implementation. [1]
In the last five years, micro UAV devices – commonly called drones – have taken a new direction, due to advances in technology and lower prices for components. Today these devices can be purchased or built from various designs at a cost of a few hundred US dollars. They are used by a large number of people for many purposes – from agriculture, photography, video and parcel delivery to life-saving defibrillator delivery. Anyone may use these devices. Currently, their use is unregulated and carries various risks. Drones have been used for Mexican drug smuggling [2], have made an unauthorized landing in the White House garden, have inflicted personal injury in a triathlon event when one crashed into a racer [3], and have even carried a built-in gun. [4]
Wireless network vulnerabilities
In response to the now 15-year-old, deprecated WPA2 protocol and the KRACK vulnerabilities, the Wi-Fi Alliance announced the WPA3 (Personal, Enterprise) encryption protocol in early 2018. It could solve a problem that has existed for years, as WPA2 could already be broken by various methods, such as dictionary-based attacks. Among the security updates, the new protocol replaces the PSK used in WPA2-Personal with Simultaneous Authentication of Equals (SAE). This technology can protect against dictionary attacks, in which an attacker tries to guess a possible password using a dictionary database. However, the same research team that found the KRACK vulnerability found several vulnerabilities in WPA3 and named the method ‘Dragonblood’. [5]
The research is based on wardriving vulnerability testing, which is a way to discover and test wireless networks. The testers, travelling by car, map a specific area and analyze the data traffic on the networks there, using specific software and individual antennas to identify vulnerabilities in the systems. Micro UAVs, a type of civilian drone that has become common in recent years, can be used to map larger areas, both vertically and horizontally. This also increases the efficiency and speed of the survey compared to car-based measurements, so this type of measurement is called ‘warflying’. [6]
PENETRATION TESTING AND EXAMINATION WITH A DRONE
One part of IT security audits is vulnerability testing, which includes wireless networks. On these occasions, logical, physical, and human vulnerabilities are all examined. In most cases, any of these may be involved in a possible attack, so the most technologically advanced means should be employed. Testing wireless networks can be divided into several parts, including network devices, wireless standards, security protocols, and the human factor. Vulnerability testing of the selected wireless network can have the following scope:
- Check the complexity of the password;
- Check the encryption protocol;
- Check for captive portal vulnerabilities;
- Measure and verify user security awareness.
Design and build of the wireless detection system
When designing the system, the key consideration was to keep the weight loaded on the drone low in order to maximize flight time and range. The planning period took approximately two months, followed by four weeks until the final concept and technical equipment were fully assembled. During the development of the system, I used my previous scientific work in this field and also relied on the relevant literature.
I started designing the system around the Pineapple Tetra and Nano devices used in my previous research, as these devices can serve as complete infrastructures. They have built-in 2.4 GHz and 5 GHz antennas and are capable of site survey mapping, de-authentication (DeAuth) attacks that interrupt connections, WPS scanning, and acting as a false access point (rogue AP).
Warflying research also requires GPS coordinates to map the approximate location of Wi-Fi networks. I built the system on a Raspberry Pi 3 Model B with an Adafruit Ultimate GPS board so that I could record GPS signals independently of the drone. On the software side, Kismet was selected, which can process GPS signals received through UART and assign them to the discovered networks in a database. The warflying system that I designed and built is shown in Figure 1.
Most Wi-Fi vulnerability scans are passive, so they do not affect operations and the user does not notice the attack. This makes these types of tests effective and covert. Communication over wireless networks is encrypted, but specific data can still be observed, such as the SSID (1), BSSID (2), encryption and authentication type (3), operating frequency (4), manufacturer (5), operating channel number (6), the number of connected client devices (7), and the number and size of packets passed since the software was launched (8, 9), as shown in Figure 2. This information is visible even if the SSID is hidden. [6]
Figure 3 illustrates the interfaces through which the modules communicate. Each type is marked with a separate color indicating the direction of the data stream and the type of cable. The figure also shows a 7” touchscreen display introduced into the system for portability and ease of use. However, to save weight in flight, it is not included in the box.
Software components, mapping, and the drone
The data collected by Kismet (SSID, BSSID, number and names of clients, GPS coordinates, type of encryption) had to be converted into a database file format (DBL), first using a dedicated program called GISKismet, and then into KML (Keyhole Markup Language), an XML-based markup language. Google Maps and Google Earth can easily place and display such shapes on the map; in this case, the names of the Wi-Fi networks, as shown in Figure 4. The full MAC addresses are hidden for privacy.
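The conversion described above (Kismet records with the fields listed for Figure 2, turned into KML placemarks with the device half of each MAC address masked, as in Figure 4) is shown here as an added example. This is not the article's own code or GISKismet; it uses only the Python standard library and a small constructed set of network records in place of a real Kismet export.

```python
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample records in the shape Kismet exports (SSID, BSSID,
# encryption, channel, client count, GPS fix). Not real survey data;
# the third record has no GPS fix to show how such rows are handled.
SAMPLE_NETWORKS = [
    {"ssid": "OfficeNet", "bssid": "AA:BB:CC:11:22:33", "encryption": "WPA2-PSK",
     "channel": 6, "clients": 4, "lat": 47.4810, "lon": 19.0560},
    {"ssid": "", "bssid": "AA:BB:CC:44:55:66", "encryption": "WPA2-PSK",
     "channel": 36, "clients": 1, "lat": 47.4812, "lon": 19.0563},
    {"ssid": "NoFix", "bssid": "AA:BB:CC:77:88:99", "encryption": "WPA2-PSK",
     "channel": 11, "clients": 0, "lat": None, "lon": None},
    {"ssid": "Guest", "bssid": "DD:EE:FF:00:11:22", "encryption": "Open",
     "channel": 1, "clients": 0, "lat": 47.4808, "lon": 19.0558},
]


def mask_bssid(bssid):
    """Keep the OUI (manufacturer) half, hide the device-specific half."""
    return ":".join(bssid.upper().split(":")[:3] + ["xx"] * 3)


def networks_to_kml(networks, document_name="Wi-Fi survey"):
    """Build a KML document with one Placemark per geolocated network."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = document_name
    for net in networks:
        if net.get("lat") is None or net.get("lon") is None:
            continue  # no GPS fix: the network cannot be placed on the map
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = net["ssid"] or "<hidden SSID>"
        ET.SubElement(pm, "description").text = (
            f"BSSID {mask_bssid(net['bssid'])}, {net['encryption']}, "
            f"channel {net['channel']}, {net['clients']} client(s)")
        point = ET.SubElement(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude
        ET.SubElement(point, "coordinates").text = f"{net['lon']},{net['lat']},0"
    return ET.tostring(kml, encoding="unicode")


def count_placemarks(kml_text):
    """Parse the generated KML back and count the placemarks it contains."""
    root = ET.fromstring(kml_text)
    return len(root.findall(".//k:Placemark", {"k": KML_NS}))


if __name__ == "__main__":
    print(networks_to_kml(SAMPLE_NETWORKS))
```

The output can be opened directly in Google Earth; rows without a GPS fix are dropped rather than plotted at a bogus position, and only the OUI of each BSSID survives into the map.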
Figure 5 shows the system I built, loaded onto a 1000 mm diameter Vespadrones XYRIS six-rotor drone capable of lifting a load of around 3000 g. The drone could easily take off and fly with the 820 g system. A DJI Wookong-M system controls the drone. Several wireless systems on the drone are responsible for control, telemetry, and transmission of camera images. These systems operate at 2.4 GHz and 5.8 GHz but do not interfere with the measurement due to adaptive frequency modulation.
ANALYSIS AND EVALUATION OF TEST RESULTS
Based on the results and experience recorded during the testing, I developed a set of criteria according to which the results and observations are presented. Trials were conducted in various ways and locations, on land and in the air: on foot, by train, and by drone.
1st laboratory test
The 10 dBi 2.4 GHz omnidirectional antenna was tested first (Figure 6). The measurement was needed to correct previously experienced errors and to refine the operation.
Testing time: 10th October 2018
Location: Budapest, Hungary
Results: Thanks to the more powerful antenna, the system detected nearly 180 networks after powering on, increasing to 260 by the end of the measurement.
Comment: Given that the device was in a static position, GPS coordinates were not recorded.
1st Warwalking – testing on foot
I tested the system while walking down the street, as shown in Figure 7. It was necessary to check the system on the move and correct any issues before the drone measurements.
Testing time: 12th October 2018
Location: Budapest, Hungary
Results: Wireless network data was collected only around the point of origin, due to some software settings being incorrect.
Comment: Because the low-power 5 dBi antennas were installed and the sampling time was set close to 5 minutes, the measurement was unsuccessful and GPS coordinates were not correctly recorded.
1st Warflying – testing on drone
Figure 8 shows the system mounted onto the drone; it took off successfully at the first attempt.
Testing time: 15th October 2018
Location: Budapest, Hungary
Results: The device was successfully mounted onto the drone, using a paper platform for the GPS antenna, and took off successfully. Wireless networks and GPS coordinates in the vicinity were also successfully recorded.
Comment: At this stage of the trials, the remote-control function for the measuring system had not been developed yet, so it was essentially a “blind” test. Only after landing could I analyze the data.
2nd Warwalking – testing on foot
After processing the data of the previous failed warwalking measurement, I recalibrated the system, and the larger CYBERTEAM ProEter 10 EP1058 10 dBi antenna was placed in the backpack together with the 2.4 GHz Alfa AWUS036NEH Wi-Fi card. By introducing Remote Access (TeamViewer) software into the system, I no longer needed to bring a display with me. I was able to control the system from a mobile phone, which allowed me to monitor the results continuously – see Figure 9.
Testing time: 20th October 2018
Location: Budapest, Hungary
Results: Thanks to the powerful omnidirectional antenna and the 2.4 GHz Wi-Fi card, the system saw a much more comprehensive range of wireless networks, so as many as 2,674 networks were captured in a 30-minute walk.
Comment: I had previously set the sampling interval to one second; the incoming data set overloaded the Raspberry Pi’s memory, so it stopped intermittently. After restarting, it resumed operation and recorded networks in its vicinity. Due to these interruptions, there are sections on the map with no data recorded.
I compiled statistics from the 2,674 wireless network points (see Figure 10). They are not representative, but they illustrate the distribution of the encryption types applied by users and the channels on which the access points operate. Notably, the operating channel determines the exact frequency at which the network device operates. Thus, if two devices running on the same channel are close to each other, interference occurs and performance is reduced, meaning slower upload and download speeds.
Figure 10 shows that the use of channels 1, 6 and 11 stands out (see also Figure 11), because these channels are preset on most devices, and the standard provides three non-overlapping channels that are 25 MHz apart, so they do not interfere with each other.
Figure 12 shows the data recorded during the measurement broken down by the encryption methods configured at the respective network access points. Where both standards appear in the results, it means that both are enabled on the device so that older WPA1-compatible devices can connect to the network. Further testing would be required to determine what type of device is connected to the network; however, this is not part of the current research.
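The two statistics discussed above (the channel distribution with its 1/6/11 pattern and the encryption distribution), together with the overlap check behind the "non-overlapping channels" remark, are worked through here as an added example. This is not code from the article; it uses a small constructed list of access points rather than the 2,674-point dataset, and it assumes the usual 802.11 channel centre frequencies and a 22 MHz channel width, so that the 25 MHz spacing of channels 1, 6 and 11 comes out as non-overlapping.

```python
from collections import Counter

# Constructed sample of captured access points: (ssid, channel, encryption).
# Not the article's measurement data.
SAMPLE_APS = [
    ("OfficeNet", 1, "WPA2"), ("Guest", 6, "Open"), ("Home-1", 11, "WPA2"),
    ("Home-2", 6, "WPA/WPA2"), ("Printer", 3, "WEP"), ("IoT", 6, "WPA2"),
    ("Cafe", 1, "Open"), ("Lab-5G", 36, "WPA2"), ("Legacy", 11, "WPA"),
]


def channel_center_mhz(channel):
    """Centre frequency of a 2.4 GHz (1-14) or 5 GHz (36-177) channel."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # channels 1-13 are 5 MHz apart
    if channel == 14:
        return 2484                    # channel 14 is the Japanese exception
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")


def channels_overlap(a, b, width_mhz=22):
    """True if the two channels' bands overlap (22 MHz width assumed)."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


def encryption_distribution(records):
    """How many APs use each encryption setting (Figure 12 style)."""
    return Counter(enc for _, _, enc in records)


def channel_distribution(records):
    """How many APs sit on each channel (Figure 10 style)."""
    return Counter(ch for _, ch, _ in records)


def overlap_conflicts(records):
    """Pairs of APs on *different* channels whose bands still overlap.

    Same-channel pairs are excluded: they share the medium by design,
    which is the degraded-performance case described in the text.
    """
    conflicts = []
    for i, (ssid_a, ch_a, _) in enumerate(records):
        for ssid_b, ch_b, _ in records[i + 1:]:
            if ch_a != ch_b and channels_overlap(ch_a, ch_b):
                conflicts.append((ssid_a, ssid_b))
    return conflicts


if __name__ == "__main__":
    print("channels:", channel_distribution(SAMPLE_APS))
    print("encryption:", encryption_distribution(SAMPLE_APS))
    print("partial overlaps:", overlap_conflicts(SAMPLE_APS))
```

In the sample the only AP off the 1/6/11 grid ("Printer" on channel 3) collides with every AP on channels 1 and 6 around it, which is exactly why the default channels are the sensible ones; the same distribution code applied to a real Kismet export reproduces the figures in the article.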
2nd Warflying – testing on drone
The second drone measurement was carried out at a critical infrastructure site of MVM BSZK Ltd with their permission. During the trial, wireless signals and networks radiating from the building and its surroundings were mapped. A test AP was also set up in the building, and part of the task was penetration testing it (see Figure 13).
Testing time: 24th October 2018
Location: Budapest, Hungary
Results: The system successfully found a test network called “Alar42”; it also captured the WPA handshake from it, because two devices were connected to the network and a de-authentication attack was carried out against them. The local Wi-Fi network and its traffic were also successfully recorded.
Comment: To control the Raspberry Pi in flight and track the data online, an Apple iPhone 7 was built into the box and shared its LTE connection with the Raspberry Pi via Wi-Fi. The device could thus be accessed remotely via TeamViewer and became controllable.
Summarizing the results of measurements at different times, locations, and by different methods, it can be clearly stated that various network vulnerabilities can be exploited, causing severe damage to both corporate and private networks. Placed in a backpack or on a smaller drone, the device can be walked or flown into an office building at any time, where it can act with malicious intent without any obstruction.
The range of the system can be further increased by using more powerful directional antennas and additional batteries. The latter is inefficient for drone use, as it adds extra weight, which reduces flight time and range. Thus, in this case, the best trade-off should be chosen so that the flight time and distance of the drone can be increased. The WPA2 KRACK vulnerability mentioned above can easily allow an attacker to gain unauthorized access to a victim’s network, where it can cause severe physical and material damage.
CYBERSECURITY SOLUTIONS AND AWARENESS SUGGESTIONS
There are many solutions available in the industry to protect against unauthorized access to wireless networks and false access points, but these systems require significant design and financial effort. Examples of such systems are Wireless Intrusion Detection and Prevention Systems (WIDS/WIPS). Their scalability extends from a simple software solution to a multi-site company. From simple scanning to troubleshooting, they can protect a company’s wireless network. To be able to perform their duties 24/7/365, and to make sure the system itself functions effectively, the company also needs to rely on a security operations center (SOC) that continuously analyzes, monitors and manages potential incidents.
The SOC consists of sensors and a central management system, into which the access points used by the company must be registered – by location, SSID, and MAC address. Sensors attached to the system continuously monitor the environment, and if an unregistered device becomes active, they send an alarm to the control panel. [9]
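The detection logic described above (registered access points keyed by location, SSID and MAC address; an alarm when an unregistered device appears) is shown here as an added example of the sensor-side check a WIDS performs. This is not code from the article or from any WIDS product; the inventory, the sensor observations and the RSSI threshold for "heard too strongly at the wrong location" are all constructed assumptions.

```python
# Constructed inventory of the company's own access points, as a WIDS
# requires it: BSSID -> (SSID, location). Not real addresses.
AUTHORIZED_APS = {
    "AA:BB:CC:00:00:01": ("CorpWiFi", "HQ floor 1"),
    "AA:BB:CC:00:00:02": ("CorpWiFi", "HQ floor 2"),
    "AA:BB:CC:00:00:03": ("CorpGuest", "HQ lobby"),
}

# Constructed sensor observations: one record per beacon heard.
OBSERVED = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CorpWiFi", "sensor": "HQ floor 1", "rssi": -48},
    {"bssid": "AA:BB:CC:00:00:02", "ssid": "CorpWiFi", "sensor": "HQ floor 2", "rssi": -51},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CorpWiFi", "sensor": "HQ floor 2", "rssi": -60},
    {"bssid": "DE:AD:BE:EF:00:02", "ssid": "Neighbour", "sensor": "HQ lobby", "rssi": -85},
    {"bssid": "AA:BB:CC:00:00:03", "ssid": "CorpGuest", "sensor": "HQ floor 1", "rssi": -40},
]

# Assumed threshold: a registered AP heard this strongly by a sensor at a
# different location has probably been moved or spoofed.
STRONG_RSSI_DBM = -50


def classify(obs, inventory):
    """Return (severity, reason) for one observed beacon."""
    bssid, ssid, sensor = obs["bssid"].upper(), obs["ssid"], obs["sensor"]
    company_ssids = {s for s, _ in inventory.values()}
    if bssid not in inventory:
        if ssid in company_ssids:
            return "CRITICAL", "unregistered AP broadcasting a company SSID (possible evil twin)"
        return "INFO", "unregistered AP with a foreign SSID (likely a neighbour)"
    expected_ssid, location = inventory[bssid]
    if ssid != expected_ssid:
        return "HIGH", f"registered AP announcing unexpected SSID (expected {expected_ssid})"
    if sensor != location and obs["rssi"] >= STRONG_RSSI_DBM:
        return "MEDIUM", f"registered AP heard strongly at {sensor}, expected {location}"
    return "OK", "registered AP at its expected location"


def scan(observations, inventory):
    """Run every observation through classify() and collect the alarms."""
    alerts = []
    for obs in observations:
        severity, reason = classify(obs, inventory)
        if severity != "OK":
            alerts.append((severity, obs["bssid"], obs["ssid"], reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(OBSERVED, AUTHORIZED_APS):
        print(*alert, sep=" | ")
```

The important distinction is the first branch: an unknown BSSID advertising one of the company's own SSIDs is the rogue AP case the article warns about and deserves an immediate alarm, whereas an unknown BSSID with a foreign SSID is usually just a neighbouring network and should only be logged, otherwise the control panel drowns in noise.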
A more straightforward way to defend the network is to reduce the signal strength of the Wi-Fi access points in office buildings and to position the antennas so that signals are not transmitted outside the building. In this case, the chance of two-way communication is also reduced, so even if the attacker’s antenna is stronger, the APs inside the building will not be able to communicate with the outside. This also includes shielding the signals to prevent them from leaving the building. A Faraday cage is the best solution for this, as it prevents radio signals from entering or leaving the room or building. [10]
Another way to prevent warflying attacks would be to regulate and monitor the use of drones, since an attacker would then not be able to enter and fly over company territory without permission. The WPA3 encryption protocol is also a solution for wireless network security: it is designed to prevent dictionary-based attacks, to remedy the KRACK attack described above, and to change the complexity requirements for passwords. However, there are simpler and cheaper methods that do not substitute for a high level of protection but can increase prevention rates and reduce risk. One such approach is improving users’ security awareness, which is a reliable educational process for the company and can save it millions on state-of-the-art security equipment, which is of little value if it is used and operated by unqualified people.
FUTURE AND CONTINUED RESEARCH
As a continuation of the research, the main goal is to improve and optimize the system. Given the need to determine the location of wireless networks, the next step is to locate Wi-Fi signals more precisely and to reduce the size of the system. For this purpose, the aim is to integrate the GPS module with the 3G-capable phone, which I would like to replace with a specially designed GPS/LTE module. Reducing the overall weight of the system is also a matter of simpler options: removing the cover elements or replacing individual components.
I also want to process the measurement data that has not been processed yet. I am also planning to upgrade the drone and build a smaller and faster version, instead of the current six-rotor version of 1 meter in diameter, that can approach the target object almost imperceptibly. System automation is also one of the long-term goals, such as a pre-programmed flight path, inductive charging of the drone, and wireless signal processing with automatic transmission to a control center. For more accurate localization, I plan to develop several solutions, including classical GPS-based triangulation and the use of signal strength to determine precisely where the unauthorized device is. I would also like to carry out further trials to assess the vulnerability of different wireless systems by analyzing the data.
In my view, the research described above has shown that inadequately protected wireless systems are a threat to a company. Without proper security protocols, updates, and protection, an attacker could quickly gain access to a system or network, which could cause severe material and physical damage. Data integrity may be compromised if data is modified without the knowledge of the user or the company.
In the course of my research, I processed and utilized secondary source technical and scientific literature on the vulnerability and security of wireless networks. I have described various hardware and software-based wireless vulnerability testing systems and methods that I have used to implement the system.
I designed, built and refined an individual compact solution that allows me to perform various measurements on wireless networks while on the move – on land, on water, or even in the air. Among other things, it can be used to map these networks in a specific area. It can also be used to scan Wi-Fi security protocols and to assess user security awareness.
The research was supported by the ÚNKP-19-3 New National Excellence Program of the Ministry for Innovation and Technology.
- [1] D. J. Fehér and B. Sándor, “Effects of the WPA2 KRACK Attack in Real Environment,” presented at the 2018 IEEE 16th International Symposium on Intelligent Systems and Informatics (SISY), 2018, pp. 000239–000242.
- [2] D. Stephen, “Drones become latest tool drug cartels use to smuggle drugs into U.S.,” The Washington Times. [Online]. Available: https://www.washingtontimes.com/news/2017/aug/20/mexican-drug-cartels-using-drones-to-smuggle-heroi/. [Accessed: 08-May-2019].
- [3] D. Lee, “Athlete injured after drone crash,” BBC News, 07-Apr-2014.
- [4] Vice News, “Teen Who Created Drone-Mounted Gun Arrested After Assaulting Cops,” Vice, 24-Jul-2015.
- [5] M. Vanhoef and E. Ronen, “Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-PWD,” in IEEE Symposium on Security & Privacy (SP), 2020.
- [6] S.-P. Oriyano, CEH Certified Ethical Hacker Study Guide: Version 9. Sybex, 2016.
- [7] K. Sankar, Cisco Wireless LAN Security. Cisco Press, 2005.
- [8] F. D. János and N. H. P. Dai, “Security Concerns Towards Security Operations Centers,” presented at the 2018 IEEE 12th International Symposium on Applied Computational Intelligence and Informatics (SACI), 2018, pp. 000273–000278.
- [9] D. D. Coleman, D. A. Westcott, and B. E. Harkins, CWSP Certified Wireless Security Professional Study Guide: Exam CWSP-205. John Wiley & Sons, 2016.
- [10] D. D. Coleman and D. A. Westcott, CWNA Certified Wireless Network Administrator Official Deluxe Study Guide: Exam CWNA-106. John Wiley & Sons, 2015.
ABOUT THE AUTHOR
Barnabás Sándor is a Safety Technology Engineer and Certified Ethical Hacker. He works as a cybersecurity researcher, Ph.D. student, and lecturer at Óbuda University. Besides the academic part, he works at NETLOCK Ltd as an IT Security Officer, responsible for the company’s cybersecurity strategy and operation. His main research interests are the security and vulnerabilities of wireless networks and the protection of IoT devices in smart cities. His mission is to design and build secure systems and to make wireless technology more secure. He has several ongoing research projects on the subject.
Education and Research Areas: Wireless Security, Blockchain Technology, Vulnerability Management
Publication date: March 2020.
Published in Cyber Security Review online, March 2020 (also available as a PDF): “Warflying,” Barnabás Sándor, Óbuda University.