When we think of denial of service (DoS) attacks we tend to think of the massive, distributed denial of service (DDoS) attacks run by botmasters to target big corporations, networks, and high-profile E-commerce websites.
Wi-Fi-enabled 802.11 security cameras come with a noticeable vulnerability. A single attacker can disable our Wi-Fi camera network with a de-authentication packet, creating a non-persistent denial of service attack and taking our cameras offline.
This vulnerability exists because the packet headers are unencrypted and contain the address of the access point and the Wi-Fi cameras. As part of the Wi-Fi protocol, an access point can send a de-authentication frame that tells clients that they are no longer allowed to connect to the network. These de-authentications are sent for a variety of reasons, including resource exhaustion, authentication failure, or network failure.
A targeted DoS attack at your Wi-Fi camera network continuously sends de-authentication packets to the cameras at which point they disconnect from the network. The attack continues as the cameras try to unsuccessfully re-authenticate with the access point. The result is a successful DoS attack on your Wi-Fi camera network.
This is a non-persistent attack because once the attack stops, the clients can reconnect to the access point. Unfortunately, unless both the access point and client support the secure 802.11w or WPA 3 standards, there is no defense for this DOS attack on your wireless camera network.
There are three steps to a Wi-Fi de-authentication exploit: Scan, Select, and Attack. This example will walk us through the steps. We will use the following tools available in our home lab network:
Kali Linux — Kali comes preconfigured with all the tools we need for this demonstration
Alpha Networks AWUS036ACH — A Wi-Fi adapter that supports Monitor mode and packet injection. You will need a wireless network adapter that allows for packet injection and monitor mode since you’ll need to be able to scan the area to locate the device you wish to disconnect. You’ll also need to send packets that pretend to be from the access point to which the device is connected.
Wi-Fi Cameras — Our home lab uses Netgear Arlo Wi-Fi cameras that connect directly to a 2.4 GHz network. Any camera system that uses the 2.4 GHz network is vulnerable to this attack.
Our Arlo camera network is online, all cameras are enabled and transmit a video feed.
Select your network card with the iwconfig command.
Kill any processes that might interfere with the aircrack-ng suite. You can do this with the airmon-ng check kill command.
The airodump-ng command is a passive Wi-Fi recon tool. This command scans the area for access points and any clients that may be connected to them. When we run the command on our test network, we can see the Arlo access points because, like most users, we left them set at the default device name. This makes our scan much easier as we know exactly which device to attack.
# airodump-ng wlan1
The scan identifies ARLO_VMB_1627059967 as the access point to which the Arlo Wi-Fi cameras connect. From this information make note of the BSSID number (10:DA:43:B1:F2) as we need to provide this address in the next step.
Once we’ve identified the access point to which the Wi-Fi cameras connect, we can send de-authentication packets to those cameras. The following command starts the DoS attack on our Wi-Fi camera network.
# aireplay-ng --deauth 0 -a 10:DA:43:B1:B6:F2 wlan1
The results of the de-authentication attack are immediate. Our Wi-Fi camera network is quickly taken offline and remains offline until the attack stops.
If your cameras are using the 2.4 GHz network, there is little defense against this attack. Alternatives are to use a system that both the access point and client support the secure 802.11w or WPA 3 standards or an Ethernet-based solution that connects the cameras directly to the network.