Developing a Systematic Process for Mobile Surveying and Analysis of WLAN security UNIVERSITY OF TURKU Department of Future Technologies Master of Science in Technology Thesis Networked Systems Security June 2020 Saku Lindroos Supervisors: D.Sc. (Tech) Seppo Virtanen D.Sc. (Tech) Antti Hakkala The originality of this thesis has been checked in accordance with the University of Turku quality assurance system using TurnitinOriginalityCheck service. UNIVERSITY OF TURKU Department of Future Technologies SAKU LINDROOS: Developing a Systematic Process for Mobile Surveying and Anal- ysis of WLAN security Master of Science in Technology Thesis, 109 p. Networked Systems Security June 2020 –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––– Wireless Local Area Network (WLAN), familiarly known as Wi-Fi, is one of the most used wireless networking technologies. WLANs have rapidly grown in popularity since the release of the original IEEE 802.11 WLAN standard in 1997. We are using our be- loved wireless internet connection for everything and are connecting more and more de- vices into our wireless networks in every form imaginable. As the number of wireless network devices keeps increasing, so does the importance of wireless network security. During its now over twenty-year lifecycle, a multitude of various security measures and protocols have been introduced into WLAN connections to keep our wireless communi- cation secure. The most notable security measures presented in the 802.11 standard have been the encryption protocols Wired Equivalent Privacy (WEP) and Wi-Fi Protected Ac- cess (WPA). Both encryption protocols have had their share of flaws and vulnerabilities, some of them so severe that the use of WEP and the first generation of the WPA protocol have been deemed irredeemably broken and unfit to be used for WLAN encryption. Even though the aforementioned encryption protocols have been long since deemed fatally bro- ken and insecure, research shows that both can still be found in use today. The purpose of this Master’s Thesis is to develop a process for surveying wireless local area networks and to survey the current state of WLAN security in Finland. The goal has been to develop a WLAN surveying process that would at the same time be efficient, scalable, and easily replicable. The purpose of the survey is to determine to what extent are the deprecated encryption protocols used in Finland. Furthermore, we want to find out in what state is WLAN security currently in Finland by observing the use of other WLAN security practices. The survey process presented in this work is based on a WLAN scan- ning method called Wardriving. Despite its intimidating name, wardriving is simply a form of passive wireless network scanning. Passive wireless network scanning is used for collecting information about the surrounding wireless networks by listening to the mes- sages broadcasted by wireless network devices. To collect our research data, we conducted wardriving surveys on three separate occa- sions between the spring of 2019 and early spring of 2020, in a typical medium-sized Finnish city. Our survey results show that 2.2% out of the located networks used insecure encryption protocols and 9.2% of the located networks did not use any encryption proto- col. While the percentage of insecure networks is moderately low, we observed during our study that private consumers are reluctant to change the factory-set default settings of their wireless network devices, possibly exposing them to other security threats. Keywords: wireless networks, encryption, security, wardriving, wireless standard, IEEE 802.11 Table of contents 1. Introduction 1 1.1. WLAN security ............................................................................................ 2 1.2. Research questions ....................................................................................... 5 1.3. Study methodology and scope ...................................................................... 6 1.4. Thesis structure ............................................................................................. 7 2. Background 8 2.1. A brief history of wireless networking ......................................................... 8 2.2. ALOHAnet ................................................................................................... 8 2.3. Pure and slotted ALOHA ............................................................................. 9 2.4. The Ethernet and collision detection .......................................................... 10 2.4.1. Carrier-Sense Multiple Access with Collision Detection ............... 11 2.4.2. Carrier Sense Multiple Access with Collision Avoidance .............. 12 3. IEEE 802.11 Standard 14 3.1. Standardisation organisations ..................................................................... 15 3.1.1. The Institute of Electrical and Electronics Engineers ..................... 16 3.1.2. The Wi-Fi Alliance ......................................................................... 17 3.2. IEEE 802.11 1997 Legacy standard ........................................................... 18 3.3. 802.11 a and b amendments ....................................................................... 19 3.3.1. 802.11a ............................................................................................ 19 3.3.2. 802.11b ............................................................................................ 20 3.4. 802.11g ....................................................................................................... 21 3.5. 802.11n ....................................................................................................... 22 3.6. 802.11ac ...................................................................................................... 25 3.7. 802.11ax ..................................................................................................... 28 3.8. The new Wi-Fi Alliance 802.11 amendment naming system .................... 31 4. 802.11 WLAN Security 33 4.1. The basic principles of cryptography ......................................................... 34 4.1.1. Symmetric shared-key cryptography .............................................. 34 4.1.2. Asymmetric public-key cryptography ............................................ 35 4.1.3. Stream and Block ciphers ............................................................... 36 4.2. 802.11 security ........................................................................................... 37 4.2.1. Legacy 802.11 security ................................................................... 39 4.2.2. Wired Equivalent Privacy WEP ...................................................... 40 4.3. 802.11i security amendment, WPA-TKIP and WPA2 ............................... 44 4.3.1. WPA-TKIP ..................................................................................... 45 4.3.2. WPA2 CCMP/AES ......................................................................... 49 4.3.3. WPA-TKIP vulnerabilities .............................................................. 52 4.3.4. WPA password cracking and WPA2 vulnerabilities ...................... 53 4.3.5. 802.11 Denial of Service Attacks ................................................... 58 4.4. WPA3 ......................................................................................................... 59 4.4.1. WPA3 SAE handshake ................................................................... 60 4.4.2. Opportunistic Wireless Encryption OWE ....................................... 62 4.4.3. WPA3 vulnerabilities ...................................................................... 64 5. Research methodology 67 5.1. Wardriving .................................................................................................. 67 5.2. Operating system, software, and hardware for wardriving ........................ 70 5.2.1. Wardriving software ....................................................................... 71 5.2.2. Wardriving hardware ...................................................................... 73 5.3. Data sampling and analysis ........................................................................ 75 5.4. The legality of wardriving and the GDPR .................................................. 78 5.4.1. Wardriving and the GDPR .............................................................. 79 5.5. Ethics of wardriving ................................................................................... 82 5.5.1. Utilitarianism and Virtue ethics ...................................................... 83 5.5.2. Wardriving and Utilitarianism ........................................................ 84 5.5.3. Wardriving and Virtue ethics .......................................................... 85 6. Research findings 87 6.1. The three surveyed locations ...................................................................... 88 6.1.1. The industrial district ...................................................................... 89 6.1.2. The city centre ................................................................................. 90 6.1.3. The suburb ...................................................................................... 91 6.1.4. Use of encryption protocols in the three locations .......................... 93 6.2. The bigger picture of WLAN security practices ........................................ 95 6.2.1. Encryption protocol use .................................................................