The truck, bedecked with antennae, was parked 20 feet from the corporate office. Nearby, Tim O’Neill, a Wi-Fi geek and investigator, hooked up his Riverbed AirPcap® tool to a directional Yagi antenna, pointed it at the truck, and then sent the data to his Wireshark® protocol analyzer. The readings went wild.
With O’Neill’s help, law enforcement eventually discovered that the man in the truck had been running an illicit server using the innocent business’s network, acting as a clearing house for several types of highly illegal content — all right under IT’s noses.
Needless to say, this sparked a revolution in the company’s wireless security practices. They now follow strict rules concerning wireless access points, and perform frequent audits of their wireless (RF) environment. Mapping the previously invisible network with AirPcap let them tune their Wi-Fi to have a very defined radiation structure, such that almost no signal escapes the building and no aberrant access points (hot spots) are allowed in the corporate environment.
Wi-Fi security with Wireshark and AirPcap
This anecdote, of which O’Neill has many, illustrates the powerful security benefits of pairing Wireshark with AirPcap. Wireshark, for example, recently made the cut in Tripwire’s “Top Five Hacker Tools Every CISO Should Understand.”
And you may recall Wireshark expert Laura Chappell’s strong AirPcap recommendation. AirPcap lets you capture wireless packets for rapid, comprehensive analysis. It is the only Microsoft Windows–based wireless capture device fully integrated with Wireshark and Riverbed SteelCentral Packet Analyzer.
O’Neill says that, “AirPcap lets you look at everything going on in the air, particularly in the communications arena of Wi-Fi. With that capability I can literally see everything — passwords, credit cards, you name it. It could be used for malicious ends, but I find it an indispensable tool for protection and for interception of criminal behavior.”
Search, find, and deploy
According to O’Neill, computer criminals constantly scan and probe Wi-Fi networks looking for vulnerabilities. But the good guys almost never go to half as much trouble to monitor their “radio-frequency worlds.”
Wi-Fi is everywhere these days, making it an extremely juicy target for the bad guys. They don’t even need to be inside your building to capture data or gain full access to your servers. And don’t get O’Neill started on the dangers of open Wi-Fi hotspots in public places like cafes.
Businesses, he says, arguably have the most to lose from malicious intruders, and should be taking proactive, defensive action every day. “Monitoring is an imperative. If you’re not protecting your business assets with tools like AirPcap, it’s like forgetting to put glass in your windows. You’re not going to have a safe environment.”
Wi-Fi security tips to know and love
O’Neill is quick to share several key Wi-Fi-based security tips:
- Periodically change passwords and make them strong. No kidding, right? Sure, but does your IT department do it often enough, or at all? O’Neill notes that given enough time and effort, any encryption is breakable. Changing access codes sends would-be intruders back to square one.
- Make it harder for the bad guys. Here’s a simple but effective tip. If most employees are gone by 8 p.m., then turn off all Wi-Fi access points from 9 p.m. until morning. “That limits the time hackers have access. And if you turn it off when they’re in the process of running algorithms against your Wi-Fi to break the encryption, they must start over.”
- Most importantly, says O’Neill, always map your RF environment. Take a laptop with AirPcap and tour the building and stroll the parking lot. Scan all channels. If your access points are saturating the outside world, then you need to rein them in. The ethereal nature of Wi-Fi makes it easy to forget that RF exhibits very concrete and predictable behaviors, to which AirPcap can open your eyes. “If you can’t see it, you’ll never know something’s wrong, much less fix it, or prepare for the next hack.”
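As an added illustration of the walk-around survey in the tips above (this is not code from the article or from Riverbed), the following Python script turns beacon-frame records exported from a capture into a per-BSSID map of the RF environment and flags two findings the tips call out: access points that are not on the authorized list, and authorized access points heard in the parking lot strongly enough to count as leakage. The tab-separated export format, the surveyor-added location column, the BSSIDs, the locations and the -70 dBm threshold are all constructed assumptions.

```python
# Constructed sample export, not a real capture. Columns (tab-separated):
# bssid, ssid, channel, signal_dbm, location. The first four correspond to the
# Wireshark fields wlan.bssid, wlan.ssid, wlan_radio.channel and
# wlan_radio.signal_dbm for beacon frames (display filter
# "wlan.fc.type_subtype == 8"); the location column is assumed to be added by
# the surveyor for each capture taken during the walk-around.
SAMPLE_EXPORT = """\
00:11:22:33:44:01\tCorpWiFi\t6\t-41\tlobby
00:11:22:33:44:01\tCorpWiFi\t6\t-38\tlobby
00:11:22:33:44:02\tCorpWiFi\t11\t-45\tfloor2
00:11:22:33:44:01\tCorpWiFi\t6\t-58\tparking_lot
00:11:22:33:44:02\tCorpWiFi\t11\t-84\tparking_lot
de:ad:be:ef:00:01\tLinksys-Guest\t1\t-52\tfloor2
"""

AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}  # assumed inventory
OUTSIDE_LOCATIONS = {"parking_lot"}                              # assumed survey spots
LEAK_THRESHOLD_DBM = -70  # assumed: anything stronger than this outside is leakage

def parse_export(text):
    """Parse tab-separated beacon records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        bssid, ssid, channel, dbm, location = parts
        try:
            records.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(channel),
                            "dbm": int(dbm), "location": location})
        except ValueError:
            continue
    return records

def build_rf_map(records):
    """Per BSSID: SSID, channel, and the strongest reading seen at each location."""
    rf_map = {}
    for r in records:
        ap = rf_map.setdefault(r["bssid"], {"ssid": r["ssid"], "channel": r["channel"], "readings": {}})
        loc = r["location"]
        ap["readings"][loc] = max(ap["readings"].get(loc, -999), r["dbm"])
    return rf_map

def find_rogue_aps(rf_map, authorized=AUTHORIZED_BSSIDS):
    """BSSIDs heard during the survey that are not in the authorized inventory."""
    return sorted(b for b in rf_map if b not in authorized)

def find_leakage(rf_map, authorized=AUTHORIZED_BSSIDS, outside=OUTSIDE_LOCATIONS,
                 threshold=LEAK_THRESHOLD_DBM):
    """Authorized APs heard at an outside location above the leakage threshold."""
    return sorted((b, loc, dbm) for b, ap in rf_map.items() if b in authorized
                  for loc, dbm in ap["readings"].items() if loc in outside and dbm > threshold)
```

Repeating the survey after adjusting transmit power or antenna placement, and comparing the resulting maps, shows whether the leakage findings actually went away.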
The perfect RF toolkit
So what would you find in O’Neill’s ideal RF-monitoring tool kit? First, invest in a high-quality Yagi directional antenna so you can pinpoint and focus on the radiation sources. Second, download and learn how to use Wireshark because, “you need to be able to capture, see, and read network data and Wi-Fi physical layers.” Third, O’Neill recommends getting a real Ethernet tap, just in case you need to capture wired traffic too. And last but not least, AirPcap. “The AirPcap tool is the top, and in my humble estimation, the only access card you need for studying Wi-Fi environments. It’s helped me and other investigators, I don’t know how many times.”
He calls this a fundamental toolkit, and regularly recommends it in his law enforcement trainings. O’Neill also has two fantasy additions: MetaGeek WiSpy and Riverbed SteelCentral Packet Analyzer.
“In the lawful intercept world,” O’Neill says, “I don’t know how you could be a good cyber-investigator, corporate-forensics person, or cyber-security specialist without these tools. I don’t know how I would react if someone said they didn’t need it.”
So consider yourselves warned. Should you ever call in O’Neill to consult on wireless security, don’t cast any sidelong glances at those three AirPcap devices slotted into his multi-channel aggregator/hub. Well, you could, but don’t hold us responsible for what might happen.
Tim O’Neill’s recommended reading:
- “Wi-Fi Roaming Analysis with Wireshark and AirPcap”
- “Baselining a Smart Phone Using Wireshark”
- “Sharkfest 2013 – Inside the TCP Handshake”
Also check out Tim O’Neill’s website lovemytool.com for articles on Wireshark, network management, and monitoring.