1
00:00:01,370 --> 00:00:07,710
Let's briefly discuss the working principles of wireless LANs. To set up a connection with an access point,

2
00:00:08,120 --> 00:00:15,760
we need to determine a channel number, which is the frequency of our access point. Nearby access points may

3
00:00:15,760 --> 00:00:18,390
share one channel at a time.

4
00:00:18,390 --> 00:00:23,750
This means that there has to be a supplementary mechanism to identify and correctly associate the AP.

5
00:00:24,960 --> 00:00:28,870
This can be provided by service set identifiers, SSIDs.

6
00:00:32,100 --> 00:00:36,080
An SSID is the name of a wireless local area network.

7
00:00:36,330 --> 00:00:42,130
It's not a mechanism for authenticating wireless clients. It's a standard-defined mechanism that allows

8
00:00:42,130 --> 00:00:47,510
a client to uniquely identify an access point for connection.

9
00:00:47,520 --> 00:00:54,170
This implies that SSIDs have to be public and can't be encrypted or secured in any other way.

10
00:00:55,390 --> 00:00:58,500
If they were, they wouldn't deliver the functions defined in the standard.

11
00:01:02,930 --> 00:01:04,240
It's quite pointless to turn off

12
00:01:04,250 --> 00:01:12,620
SSID broadcasting and, as we will soon discover, you can't simply turn it off. If you wanted to secure

13
00:01:12,620 --> 00:01:16,170
your home WLAN by turning off SSID broadcasting,

14
00:01:16,580 --> 00:01:20,990
this could lead the computers of your users to automatically try to connect to all access points

15
00:01:20,990 --> 00:01:23,030
that are available in a given area.

16
00:01:26,340 --> 00:01:31,860
As an access point is not broadcasting its name, the client will actively send requests to available

17
00:01:31,900 --> 00:01:40,120
APs for their IDs. This action, which is complemented by sending certain authentication data during

18
00:01:40,120 --> 00:01:47,040
the probing, is why disabling the SSID broadcast can lower the overall network security.

19
00:01:47,140 --> 00:01:50,380
It will definitely not work to tighten the security in any way.

20
00:01:53,870 --> 00:01:58,460
Turning off the broadcasting doesn't mean in this case that it will be harder for intruders to connect

21
00:01:58,460 --> 00:01:59,560
to your network.

22
00:02:01,400 --> 00:02:08,890
It's a behavior that can actually actively compromise a Wi-Fi network. We'll look into this more closely.

23
00:02:09,820 --> 00:02:13,130
Wireless client configuration is relatively easy to set up.

24
00:02:15,460 --> 00:02:16,690
In all operating systems,

25
00:02:16,690 --> 00:02:22,660
it's enough to simply choose an available access point, and a creator or a graphic interface will set

26
00:02:22,660 --> 00:02:23,750
up the connection.

27
00:02:25,370 --> 00:02:30,380
Configuration can be as easy as submitting a password, provided that the authentication is based on a

28
00:02:30,380 --> 00:02:31,810
pre-shared key mechanism.

29
00:02:39,090 --> 00:02:41,850
To facilitate connecting to a network even further,

30
00:02:41,940 --> 00:02:45,610
the Wi-Fi Protected Setup (WPS) protocol was developed.

31
00:02:48,450 --> 00:02:53,940
At this stage, access point protection is essentially safeguarding the external registrar PIN.

32
00:02:57,320 --> 00:03:03,350
Setting up a connection is only possible if you provide the correct external registrar PIN. The key is

33
00:03:03,350 --> 00:03:06,790
usually printed by a manufacturer on a sticker on the device.

34
00:03:08,560 --> 00:03:11,920
This helps to automate the configuration and launch of the devices.

35
00:03:16,360 --> 00:03:22,690
The problem turned up in December 2011. It transpired that an access point could be made to disclose

36
00:03:22,690 --> 00:03:29,960
information on its number. Answering an external registrar PIN query, an access point reports which half

37
00:03:29,960 --> 00:03:34,300
of the submitted PIN is invalid.

38
00:03:34,330 --> 00:03:37,680
Note that the last digit of the number is its checksum.

39
00:03:37,750 --> 00:03:39,320
This is not a secret.

40
00:03:39,550 --> 00:03:42,100
You can extract a checksum from the known information.

41
00:03:44,750 --> 00:03:45,510
Like this,

42
00:03:45,530 --> 00:03:51,430
the PIN length is even more reduced. Being able to separately attack the two halves allows for a greater

43
00:03:51,430 --> 00:03:56,120
chance of cracking the PIN than in the case of having to determine the entire number at a time.

44
00:03:57,610 --> 00:04:04,320
The complexity of computing is worlds apart for both instances. The first part of the number requires

45
00:04:04,320 --> 00:04:08,300
as many as 10 to the fourth power attempts to be successfully cracked.

46
00:04:09,440 --> 00:04:13,920
Because of the checksum, determining the other half requires only ten to the third power attempts.

47
00:04:17,880 --> 00:04:20,780
Access points enforce no limit of failed attempts.

48
00:04:22,960 --> 00:04:26,050
Even if a client is submitting a wrong external registrar PIN

49
00:04:26,050 --> 00:04:29,480
over and over again, it won't provoke a reaction.

50
00:04:30,960 --> 00:04:32,980
APs still give out hints,

51
00:04:33,280 --> 00:04:39,210
for example by telling the client that the first half of the PIN is incorrect. This means that a successful

52
00:04:39,210 --> 00:04:46,350
attack requires only a degree of patience. Depending on the connection rate, it usually takes up to several

53
00:04:46,350 --> 00:04:48,560
minutes to crack an external registrar PIN.

54
00:04:54,350 --> 00:05:00,670
Once an attacker has determined the number, you can connect to an access point and be granted admin status.

55
00:05:00,690 --> 00:05:03,470
This means that it can change access point configuration.

56
00:05:06,060 --> 00:05:11,670
Unfortunately, not all access point manufacturers took steps to solve this problem, or took them too late.

57
00:05:12,970 --> 00:05:17,800
Not all of them disabled this feature that, as you've seen, allows attackers to effectively determine

58
00:05:17,800 --> 00:05:21,850
external registrar PINs.

59
00:05:22,090 --> 00:05:25,970
What can we do as users to enhance the security of our home networks?

60
00:05:27,110 --> 00:05:33,570
Since this is a problem that relates mostly to home networks, we need to disable the Wi-Fi Protected

61
00:05:33,570 --> 00:05:39,650
Setup entirely. By taking a few minutes to manually configure access points,

62
00:05:39,660 --> 00:05:42,470
we do a lot to improve the security of our networks.