152

Is it possible that someone could attack (DoS or something else) my Wi-Fi router (without knowing the password) and make my router's signal unavailable?

1) How can it be done?

2) What are the remedies?

T.Todua
  • 22
    Start doing arc welding right next door. I've lost two good RC planes due to this (modern RC equipment also runs on 2.4GHz like Wifi but obviously with different protocols since RC only needs around 3kbps of data transfer to function) – slebetman Nov 28 '16 at 09:29
  • 4
    http://superuser.com/questions/637594/why-does-my-microwave-kill-the-wi-fi or it could be a faulty microwave – Journeyman Geek Nov 28 '16 at 14:20
  • 2
    There **is** an Android application (https://play.google.com/store/apps/details?id=com.wifikill.techbrain) that *claims* to maliciously disconnect other wifi devices by sending a killer packet, as described in the accepted answer. I have tried it personally but did not manage to get accurate results – usr-local-ΕΨΗΕΛΩΝ Nov 28 '16 at 16:50
  • 3
    fairly possible using kali linux http://kansara744.blogspot.in/2015/05/wifi-network-jammer-using-kali-linux.html – GorvGoyl Nov 30 '16 at 08:54
  • 4
    I had a 2.4GHz phone that would always knock my devices off the network when it was in use. – rtaft Nov 30 '16 at 17:18
  • 2
    @rtaft I once had a microwave which would do the same thing. – Michael Nov 30 '16 at 23:35
  • We have two wifi providers in town and I know one personally since we've been little brats. They do that to themselves when one of them places somewhere a receiver that makes the other's receivers lose coverage. They even buy cheap equipment with directional antennas and leave them flooding the other equipment. I hear lots of the stories of who did what to whom and why, with what result. Recently he said you can even kill cellular carrier signal with wifi. – Kitet Dec 01 '16 at 18:37

7 Answers

286

There are a lot of ways you can attack a WiFi without knowing any passwords:

  • Physical layer attacks: Simply jam the frequency spectrum with your own signal. That signal might just be noise, but it might also be a WiFi of your own under heavy load, with the nodes in that WiFi being configured not to play nice with others. (depending on the WiFi chipset, that can be extremely easy) Spectrum can only be used once!
    Tool: noise source (e.g. Gunn Diode, SDR device), or normal AP
  • Electromagnetic sledgehammer: EMI gun. Take microwave oven oscillator, attach directive antenna, pray you don't cook someone's (your) brain, and point in the rough direction of the access point. Poof! Microwave ovens operate in the 2.4 GHz band, and thus, antennas of Access Points are picking up exactly that energy.
    Tool: Microwave oven, some sheet metal, lack of regard for other people's property and own health, or extended RF knowledge
  • MAC and Network layer attacks: Especially for networks using WEP (no one should be using this anymore, but sadly...) it's easy to forge what is called deauthentication packets – and thus, to throw out stations from your WiFi.
    Tool: Aircrack-NG's aireplay
  • Targeted jamming: As opposed to simply occupying the channel with noise or your own WiFi, you can also build a device that listens for typical WiFi packets' beginnings (preambles), and then, just shortly, interferes. Or just sends fake preambles periodically, or especially when it's silent. That way, you can corrupt selected packets, or fake channel occupancy.
    Tool: Commodity off-the-shelf SDR
  • Authentication attacks: at some point, even "proper" clients for your WiFi need to register with the WiFi. That mechanism can of course be forced to its knees by simply sending hundreds of authentication requests every second, from randomly generated MAC addresses, or even from MAC addresses of clients you know (by observation) exist. There's no solution to the problem for the AP – either it succumbs to the overload of auth packets, or it starts blocking out legitimate users.
    Tool: your network card, 10 lines of bash scripting
  • Man-in-the-Middling / access point spoofing: With anything short of WPA(2)-Enterprise, nothing proves that the access point calling itself "Toduas AP" is actually your Access Point. Simply operating a slightly higher-powered access point with the same ID string and, if necessary at all, a faked AP MAC address (trivial, since just a setting), will "pull" clients away from your access point. Of course, if the spoofing Access Point doesn't know the password, users might quickly notice (or they don't); however, noticing things don't work is nice, but doesn't help them.
    Tool: a random normal access point

You have to realize that it's a privilege, not a right, to have your WiFi use a channel. WiFi happens in the so-called ISM bands (Industrial, Scientific, Medical usage), where operators of transmitters don't have to have an explicit license. That means it's OK for everyone to use that spectrum, as long as they don't intentionally harm other devices and are not easily damaged by interference.

So, it's absolutely legal for someone to operate a high-definition digital camera stream that occupies the whole WiFi channel. That will effectively shut down your WiFi.

If you need something that no-one can mess with, wireless is, by definition, not the way to go.

Aaron Hall
Marcus Müller
  • 43
    Another physical layer attack: Pull the plug or throw the breaker. Most WiFi routers don't have an UPS :-) – Bergi Nov 26 '16 at 17:35
  • 5
    @Bergi good point! Yeah, physical access is trump. Always. And in the RF sense, physical access is "being close enough". – Marcus Müller Nov 26 '16 at 17:36
  • 8
    Cisco wireless LAN controllers have a "contain" function that also does the deauthentication packets, but it uses its array of skinny APs to bombard the "malicious rogue SSID" systematically. The legitimate use is to stop a malicious AP being used in a corporate environment. Ruckus and HP wireless controllers definitely have this too. – Criggie Nov 26 '16 at 20:36
  • 12
    It doesn't even need to be intentional. A cheap microwave with barely-adequate shielding can jam wifi entirely by accident. – Mark Nov 27 '16 at 03:48
  • 4
    ... microwave ovens can DoS wifi??? That could explain the intermittent wifi in my flat close to meal times... gotta ask the neighbours how old is their oven... – Bakuriu Nov 27 '16 at 19:00
  • @Bakuriu Kind-of. I had to wire the house of a colleague recently because it was cheaper than replacing his microwave. There's a lot of crap operating on that frequency and a microwave does it with a lot more power than your router. Keep in mind a CE router outputs usually 100 mW EIRP max and an FCC one 1 W EIRP max. A microwave trumps that a couple of hundred times. – Mast Nov 27 '16 at 20:53
  • I suppose you could also have your AP shrouded by a Faraday shield, but that would require some laxity on your part. – mckenzm Nov 28 '16 at 01:41
  • 31
    @Bakuriu Obligatory: https://xkcd.com/654/ – chrylis -cautiouslyoptimistic- Nov 28 '16 at 03:11
  • 1
    I know you said "especially", not "exclusively"... but deauth attacks aren't any easier on WEP are they? I thought they're most commonly associated with WEP because it's a common step in WEP cracking, but if your only aim is to prevent usage, WEP vs WPA makes no difference, right? – detly Nov 28 '16 at 11:23
  • 2
    Another idea: Carefully assemble a directional antenna in such a way that it will concentrate a disrupt WiFi signal, attach it to another router operating at the same frequency, channel and channel bandwidth, and point it to the target router. See [here](https://www.reddit.com/r/lifehacks/comments/1r5axx/reflect_the_wifi_signal_back_to_you_if_your/cdjxi1p) for the basics. WiFi deals poorly with interference. I have just tested this, with good results; used a parabolic surface, about 30cm diameter. – Marc.2377 Nov 28 '16 at 17:54
  • 3
    Don't forget there are legitimately licensed users on those bands as well, such as ham radio operators and radiolocation. Licensed use is very rare, because of all the interference, and hams like their wifi too, but they can legally transmit a much more powerful signal than the average consumer router. – Karl Bielefeldt Nov 28 '16 at 17:58
  • 6
    Another physical layer attack: smash the access point with a hammer until it's not an access point anymore (or just up and steal it from wherever it is). – Zach Lipton Nov 28 '16 at 23:08
  • The EM sledgehammer brings up a new threat that a mom can throw at their children. "Stop playing those internet games or I'll nuke the lazanga!" – LukStorms Nov 29 '16 at 14:00
  • @ZachLipton: A more elegant physical layer attack: drop a Faraday cage around the AP. – Peter Cordes Nov 29 '16 at 14:45
  • As noted in another comment, many manufacturers--besides just Cisco--provide some form of "Rogue containment" or "Rogue management" or the like. Sadly, the definition of "Rogue AP" ends up essentially being "any wifi station that isn't yours." Those who don't understand this can cause unintentional mayhem. – Nanban Jim Nov 29 '16 at 20:54
  • @mckenzm a Faraday shield around your AP will protect your AP from the microwave... and your WiFi clients. A better option would be a Faraday cage around the microwave. – Doktor J Nov 30 '16 at 03:38
  • @Doktor I actually meant to mean that the Faraday shield would contain the AP and nobble it, in the same way one might spray paint a security camera lens. – mckenzm Nov 30 '16 at 08:45
  • 4
    "Take microwave oven oscillator, [...] Tool: [...] lack of regard for [...] own health." Yep. And not just because of the potentially harmful microwave radiation. Note that microwave magnetrons frequently contain potentially dangerous levels of beryllium oxide, which is quite fragile and can easily be turned into airborne (poisonous) dust if you're not careful with it. – Periata Breatta Nov 30 '16 at 18:54
  • @PeriataBreatta not going to lie, had fun last week with a microwave oscillator and cavity, into which you can shoot a single corn, hold it there by a constant airflow, and wait half a second, and then get it blown back out, because its surface suddenly increased due to becoming popcorn. – Marcus Müller Dec 01 '16 at 01:52
  • Just to point something out regarding your legality, wi-fi exists within your own building and property. If someone else is using a super-strong signal and perpetually blocking your own personal wi-fi on your property, then you should have a right to make them stop in some way. After all, while you do not have a right to the channels you have a right for their signals to not be infringing onto your property in a disruptive manner. They are operating their device and its signal is coming onto *your* property causing *you* problems. How is that not grounds to sue or declare it a nuisance? – user64742 Dec 03 '16 at 21:49
  • The only thing a person has a right to do with signals is to project them over their own personal property within reason (obviously signals cannot be easily restricted) meaning that they shouldn't be causing interference for people not on your property (and especially not after moving through several walls between yours and your neighbor's houses). Maliciously or unintentionally blocking someone's wi-fi connection to the point that it is unusable violates their rights to do what they wish on their own property. – user64742 Dec 03 '16 at 21:51
  • 1
    @TheGreatDuck spectrum is nothing you own. Property laws hence don't apply. That's different from a tree's branches hanging over your grounds. You're allowed to do whatever your license says. Property boundaries play no role. – Marcus Müller Dec 03 '16 at 21:55
  • 1
    @MarcusMüller Nobody ever said anything about a license. The person asked whether a residential homeowner can just break open a microwave for instance and jam their neighbor's wi-fi 24/7 and deny them access to the internet **on purpose** (and methods to do so). Even if it were by accident, I see no reason whatsoever why you would not be able to force them to shut down the jamming device, especially if it were done out of malice. – user64742 Dec 03 '16 at 21:58
  • That's undeniably true, but it has nothing to do with them disturbing equipment *in your property* with a device running *on their property*. It's because it's illegal to abuse the spectrum. – Marcus Müller Dec 03 '16 at 22:02
  • Aside from the sabotage criminal aspect in here, it would be just as illegal to do it in the center of your 900 square kilometer piece of desert! – Marcus Müller Dec 03 '16 at 22:03
  • And now that there is Krack. – Denis Nov 01 '17 at 13:06
  • @Qwertylicious ... which is an attack against secrecy in Wifis, but by no means a method to bring down a Wifi, so totally unrelated. – Marcus Müller Nov 01 '17 at 13:16
  • hmm sorry @marcus. True. – Denis Nov 01 '17 at 13:18
  • Any updates in relation to the 5GHz Wireless? – bug-a-lot Jun 20 '18 at 07:32
  • you mean WiFi in the 5 GHz band, @bug-a-lot? no, that's just the physical layer. everything but the frequency is the same. – Marcus Müller Jun 20 '18 at 07:49
  • Well, the "microwave" attack vector would be out of the picture, wouldn't it? – bug-a-lot Jun 20 '18 at 07:56
  • no, realistically not. On one hand, every Wifi device I know that supports 5 GHz has an antenna that receives *both* 2.4 GHz and 5 GHz (or two antennas), and the energy would still suffice to fry things. Even if it didn't, you need to realize that the let's say 800 W (59 dBm) that a microwave oven can output is a *tiny bit higher* than even the strongest signal that your receiver needs to deal with (assuming 100% of the energy from transmit into receive, that'd be 100 mW, ie. 20 dBm, that is, nearly a factor of 10000 less), or *extremely* much more than the minimum power. – Marcus Müller Jun 20 '18 at 08:01
19

There are devices that you can buy that will 'jam' a Wi-Fi signal and make it unusable.

Also Wi-Fi has different 'channels' that they can be set to run on. If your Wi-Fi is running on a channel that is saturated due to lots of other Wi-Fi devices around you using the same channel then the performance of your connection will degrade the further you are from the device.

CodesInChaos
Winter Faulk
  • 3
    Competing APs is the most likely answer. – schroeder Nov 26 '16 at 08:52
  • 6
    @schroeder AFAIK the frequencies are not even reserved for WiFi, so there could be equipment communicating over the same channel with protocols that do not resemble WiFi. There could even be analogue communication on the same frequency. – kasperd Nov 26 '16 at 11:30
  • 2
    @kasperd you're right. This is just the ISM band. Anyone is allowed to use it, without a license. The example from [my answer](http://security.stackexchange.com/a/143608/123514) actually stems from the experience, that up until relatively recently, a lot of analog video cameras basically did PAL (I'm in Europe :) ) at 2.4something GHz, instead of the usual TV channels. And let me tell you, cheap video transmitters aren't especially nice to the spectrum. – Marcus Müller Nov 26 '16 at 12:19
  • 1
    @kasperd - Yup. In my house the microwave oven does it every time. If he's got a nearby neighbor using the microwave (or perhaps even someone in his own house) this could be happening unwittingly. – T.E.D. Dec 01 '16 at 01:23
  • @T.E.D. highly unlikely. A microwave shouldn't be traveling through 4-7 feet of walls and siding to completely block the wi-fi to the point that it is 100% unusable. – user64742 Dec 03 '16 at 21:54
  • @kasperd my comment was in reference to the Answer which starts off with specialised devices to buy. Inadvertent frequency conflicts is more likely than a targeted attack. – schroeder Dec 04 '16 at 10:43
9

I have used cloning of ESSID and BSSID to do this (set BSSID with `ifconfig wlanX hw ether xx:xx:xx:xx:xx:xx`). Even if you don't output more power to the clients than their own AP, it will cause problems. Eventually they will notice that there's an AP with the same name, of course.

Aireplay-ng deauth is more useful. If you are not interested in using too much time on this, use mdk or wifite which automate it. Mdk has whitelist/blacklist functionality for client link layer addresses.

Edit: The deauth attack is clearly visible with tcpdump's '-y foo' - unfortunately I don't remember the flag off-hand. You may need to set RFMON first (with e.g. airmon-ng check kill ; airmon-ng start wlanX $channel).

On OpenBSD it is '-Y IEEE802_11', on Linux it is similar.

schroeder
user400344
8

Duration attack.

You set the duration field in frames to the maximal value and possibly use a low data rate (duration is expressed as data units, not time). This forces the AP and other clients to honor your transmission time; do that often enough and the network will be badly impacted.

There is no simple defence against this kind of attack/misbehaviour.

The first generations of Apple mobile products used to do that by mistake (aka a bug).

Rsf
  • That only works for clients already logged in. – Marcus Müller Dec 04 '16 at 13:48
  • I am a bit rusty, but afaik stations must honor other station's NAV authenticated or not, see: http://sysnet.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-html/aio.html "it is worth noting that RTS, CTS and ACK frames are not authenticated in any current or upcoming 802.11 standard" – Rsf Dec 05 '16 at 11:38
  • ah! yeah, that kinda makes sense for a well-behaved station. – Marcus Müller Dec 05 '16 at 11:41
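An added example (not code from any of the answers above): a passive check for two of the link-layer attacks the answers describe, bursts of deauthentication/disassociation frames, which the tcpdump answer notes are visible in a monitor-mode capture, and frames carrying an oversized Duration/NAV value. The function names, thresholds and sample frames are assumptions constructed for illustration; the input is radiotap-prefixed 802.11 frames, as a monitor-mode capture yields.

```python
import struct
from collections import defaultdict

MGMT, CTRL = 0, 1                    # 802.11 frame types
DISASSOC, DEAUTH = 10, 12            # management subtypes
CTS, ACK = 12, 13                    # control subtypes that carry no transmitter address
NAV_LIMIT_US = 10_000                # assumed alert threshold, tune per site
BURST_COUNT, BURST_WINDOW = 5, 1.0   # assumed: 5 deauth/disassoc per BSSID within 1 s

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse(pkt):
    """Skip the radiotap header and decode the 802.11 MAC header; None if truncated."""
    hdr = pkt[int.from_bytes(pkt[2:4], "little"):]   # radiotap length sits at offset 2
    if len(hdr) < 10:
        return None
    fc, dur = struct.unpack_from("<HH", hdr, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    has_ta = len(hdr) >= 16 and not (ftype == CTRL and subtype in (CTS, ACK))
    return {
        "type": ftype, "subtype": subtype,
        "nav_us": None if dur & 0x8000 else dur,     # bit 15 clear: NAV in microseconds
        "ra": mac(hdr[4:10]),
        "ta": mac(hdr[10:16]) if has_ta else None,
        "bssid": mac(hdr[16:22]) if ftype == MGMT and len(hdr) >= 24 else None,
    }

def detect(capture):
    """capture: iterable of (timestamp_seconds, packet_bytes); returns alert tuples."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, pkt in capture:
        f = parse(pkt)
        if f is None:
            continue
        if f["nav_us"] is not None and f["nav_us"] > NAV_LIMIT_US:
            alerts.append(("nav_abuse", f["ta"] or f["ra"], f["nav_us"]))
        if f["type"] == MGMT and f["subtype"] in (DEAUTH, DISASSOC) and f["bssid"]:
            win = [t for t in recent[f["bssid"]] if ts - t <= BURST_WINDOW] + [ts]
            recent[f["bssid"]] = win
            if len(win) >= BURST_COUNT and f["bssid"] not in flagged:
                flagged.add(f["bssid"])              # one alert per BSSID
                alerts.append(("deauth_flood", f["bssid"], len(win)))
    return alerts

# --- constructed sample capture (made-up addresses, not real traffic) ---
RT = bytes([0, 0, 8, 0, 0, 0, 0, 0])                 # minimal radiotap header, length 8
AP, STA, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def frame(ftype, subtype, dur, *addrs, body=b""):
    hdr = struct.pack("<HH", (ftype << 2) | (subtype << 4), dur)
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    return RT + hdr + (b"\x00\x00" if ftype == MGMT else b"") + body

KICK = frame(MGMT, DEAUTH, 314, STA, AP, AP, body=b"\x07\x00")   # deauth, reason code 7
SAMPLE = [(0.0, KICK), (0.1, frame(CTRL, ACK, 0, STA)), (2.0, frame(CTRL, CTS, 32767, OTHER))]
SAMPLE += [(5.0 + i / 10, KICK) for i in range(6)]   # six deauths inside one second
if __name__ == "__main__":
    print(detect(SAMPLE))
```

The addresses in these frames are unauthenticated, so an alert identifies the affected BSSID or the address written in the frame, not who actually transmitted it.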
3

As Sane already mentioned, you can interrupt the specific frequency on which the router and the devices are listening. Every channel has its own frequency, but depending on the quality of the router and the WLAN standard there is something called crosstalking.

This makes it really hard to focus on one specific device. Cheap jammers will work more like a machine gun in the hands of an ape instead of a precise sniper rifle used by Simo Häyhä. So be careful what you're doing due to legal consequences...

Peter Mortensen
licklake
3

There are really only 3 channels of interest on the 2.4GHz band: 1, 6, 11. If you have high-power APs (can be done with USB wifi cards at 1 watt) and saturate them with traffic (pingflood broadcast address, looped endless transfers of random data with e.g. netcat), other APs in the vicinity will be disrupted, or perform very poorly. This is not illegal. The 5GHz band which is used in 802.11n etc. doesn't have the range or wall-punching power to prevent this.

user400344
  • 2
    It's actually likely to be illegal in many places. Intent does matter. I am guessing that's the reason why another answer mentions a high-res camera feed, which could at least provide some plausible deniability. – Relaxed Feb 06 '17 at 16:51
  • It is not illegal to run 3 wifi networks which are completely saturated. It is not possible to determine if these networks are legitimate or not. Attaching directional antennas to them and pointing these away from your property, or exceeding legal wattage, maybe, sure, respectively. I do not particularly condone such baboonery, but proving intent is impossible. It is more likely that someone may ask you to dampen your emissions somewhat, but you cannot be forced to comply with a request to stop legal use of radio spectrum. – user400344 Feb 06 '17 at 16:59
0

Yes. Using aireplay-ng someone could send deauth packets to all of the clients connected to an AP; these deauth packets trick devices into thinking they come from the router. This causes clients to be disconnected from the router. Although devices tend to connect back automatically, if the attacker keeps on sending these packets they could “jam” your WiFi, AKA keep on causing devices to disconnect.

CoderPE