Seven Security Problems of 802.11 Wireless
Problem #5: MAC Spoofing and Session Hijacking
802.11 networks do not authenticate frames. Every frame has a source address, but there is no guarantee that the station sending the frame actually put the frame "in the air." Just as on traditional Ethernet networks, there is no protection against forgery of frame source addresses.
Attackers can use spoofed frames to redirect traffic and corrupt ARP tables. At a much simpler level, attackers can observe the MAC addresses of stations in use on the network and adopt those addresses for malicious transmissions.
To prevent this class of attacks, user authentication mechanisms are being developed for 802.11 networks. By requiring authentication by potential users, unauthorized users can be kept from accessing the network. (Denial of service attacks will still be possible, though, because nothing can keep attackers from having access to the radio layer.)
The basis for the user authentication mechanism is the 802.1x standard ratified in June 2001. 802.1x can be used to require user authentication before accessing the network, but additional features are necessary to provide all of the key management functionality wireless networks require. The additional features are currently being ironed out by Task Group I for eventual ratification as 802.11i.
Attackers can use spoofed frames in active attacks as well. In addition to hijacking sessions, attackers can exploit the lack of authentication of access points. Access points are identified by their broadcasts of Beacon frames. Any station that claims to be an access point and broadcasts the right service set identifier (SSID, also commonly called a network name) will appear to be part of an authorized network.
Attackers can, however, easily pretend to be an access point because nothing in 802.11 requires an access point to prove it really is an access point. At that point, the attacker could potentially steal credentials and use them to gain access to the network through a man-in-the-middle (MITM) attack.
Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, access points will need to prove their identity before clients provide authentication credentials, and credentials are protected by strong cryptography for transmission over the air.
Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication. Until that point, if session hijacking is a concern, you must deploy a cryptographic protocol on top of 802.11 to protect against hijacking.
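Both forgery cases described in this section (a second radio transmitting under a legitimate station's MAC address, and a rogue access point beaconing a legitimate SSID) can be spotted passively by a monitoring station. The following Python is an added example, not code from the article: it runs two WIDS-style checks over a constructed frame trace. The sequence-number heuristic relies on the fact that each 802.11 transmitter keeps its own 12-bit sequence counter, so a second radio using the same MAC shows up as large jumps in that counter; the gap threshold, the access point inventory, the MAC addresses and the trace itself are all assumptions made for the example.

```python
"""Passive WIDS-style checks over a constructed 802.11 frame trace.

Added example, not part of the original article. Standard library only.
"""
from collections import namedtuple

# One observed frame: capture time, transmitter MAC, BSSID, 12-bit sequence
# number, frame kind ("beacon" or "data") and SSID (beacons only).
Frame = namedtuple("Frame", "t src bssid seq kind ssid")

SEQ_MODULUS = 4096        # 802.11 sequence numbers are 12 bits wide
SEQ_GAP_THRESHOLD = 64    # assumed tolerance for lost frames; tune per site

# Assumed inventory of legitimate access points: SSID -> set of BSSIDs.
AUTHORIZED_APS = {"CorpNet": {"00:11:22:33:44:55"}}

# Constructed trace: a legitimate AP beacon, a client, a rogue AP announcing
# the corporate SSID, a second radio reusing the client's MAC (seq 2500), and
# a second client whose counter wraps normally at 4095.
TRACE = [
    Frame(0.00, "00:11:22:33:44:55", "00:11:22:33:44:55", 10, "beacon", "CorpNet"),
    Frame(0.10, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 100, "data", None),
    Frame(0.11, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 101, "data", None),
    Frame(0.12, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 102, "data", None),
    Frame(0.13, "66:77:88:99:aa:bb", "66:77:88:99:aa:bb", 7, "beacon", "CorpNet"),
    Frame(0.14, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 2500, "data", None),
    Frame(0.15, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 103, "data", None),
    Frame(0.16, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 103, "data", None),
    Frame(0.17, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 104, "data", None),
    Frame(0.20, "12:34:56:78:9a:bc", "00:11:22:33:44:55", 4094, "data", None),
    Frame(0.21, "12:34:56:78:9a:bc", "00:11:22:33:44:55", 4095, "data", None),
    Frame(0.22, "12:34:56:78:9a:bc", "00:11:22:33:44:55", 0, "data", None),
    Frame(0.23, "12:34:56:78:9a:bc", "00:11:22:33:44:55", 1, "data", None),
]


def seq_delta(prev, cur):
    """Forward distance between two sequence numbers, modulo the 12-bit wrap."""
    return (cur - prev) % SEQ_MODULUS


def analyze(trace, authorized):
    """Return a list of (alert_type, mac, detail) tuples for a frame trace."""
    alerts = []
    last_seq = {}
    for f in trace:
        if f.kind == "beacon":
            # An SSID we own, announced from a BSSID we do not operate: the
            # "pretend to be an access point" case from the article.
            if f.ssid in authorized and f.bssid not in authorized[f.ssid]:
                alerts.append(("rogue-ap", f.bssid, f"beacons SSID {f.ssid!r}"))
            continue
        prev = last_seq.get(f.src)
        if prev is not None:
            d = seq_delta(prev, f.seq)
            # d == 0 is an ordinary retransmission; a large forward gap means a
            # second transmitter's counter is interleaved with this one.
            if d > SEQ_GAP_THRESHOLD:
                alerts.append(("seq-anomaly", f.src,
                               f"seq {prev} -> {f.seq} at t={f.t}"))
        last_seq[f.src] = f.seq
    return alerts


if __name__ == "__main__":
    for alert in analyze(TRACE, AUTHORIZED_APS):
        print(*alert)
```

The counter check flags the spoofed frame and the legitimate frame that follows it, because from the monitor's point of view the two counters are interleaved; a production sensor would also look at the Retry bit and per-transmitter signal strength before raising an alert. The rogue-AP check only needs an inventory of BSSIDs you operate, which is cheap to maintain and catches the spoofed access point before any client hands it credentials.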
Problem #6: Traffic Analysis and Eavesdropping
802.11 provides no protection against attacks that passively observe traffic. The main risk is that 802.11 does not provide a way to secure data in transit against eavesdropping. Frame headers are always "in the clear" and are visible to anybody with a wireless network analyzer. Security against eavesdropping was supposed to be provided by the much-maligned Wired Equivalent Privacy specification.
A great deal has been written about the flaws in WEP. It protects only the initial association with the network and user data frames. Management and control frames are not encrypted or authenticated by WEP, leaving an attacker wide latitude to disrupt transmissions with spoofed frames.
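To make concrete what "in the clear" means, here is an added Python example (not from the article) that parses two constructed frames: a WEP-protected data frame and an unencrypted beacon. Even on the protected frame, the three addresses, the sequence number and WEP's own initialization vector are readable by anyone holding a capture, and the beacon carries its SSID in plaintext. The frame bytes and addresses are constructed for illustration; the layout follows the 802.11 MAC header (frame control, duration, three addresses, sequence control), the WEP IV and key-ID bytes that precede the ciphertext, and the beacon's fixed fields followed by tagged information elements.

```python
"""Parse the always-cleartext parts of 802.11 frames from constructed bytes.

Added example, not from the article. Standard library only.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
FLAG_RETRY, FLAG_PROTECTED = 0x08, 0x40   # bits of the frame-control flags byte
SUBTYPE_BEACON = 8
SSID_ELEMENT_ID = 0

# Constructed WEP-protected data frame from a station to the AP (ToDS=1).
WEP_DATA_FRAME = bytes([
    0x08, 0x41,                          # frame control: data, ToDS, Protected
    0x00, 0x00,                          # duration
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # addr1: BSSID
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,  # addr2: source station
    0x00, 0x00, 0x5e, 0x00, 0x53, 0x01,  # addr3: final destination
    0x40, 0x06,                          # sequence control: seq 100, frag 0
    0x01, 0x02, 0x03, 0x00,              # WEP IV (3 bytes) + key ID byte
]) + bytes.fromhex("deadbeefcafef00d")   # constructed ciphertext + ICV stand-in

# Constructed beacon: management frame, subtype 8, nothing encrypted.
BEACON_FRAME = bytes([
    0x80, 0x00,                          # frame control: management, beacon
    0x00, 0x00,                          # duration
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  # addr1: broadcast
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # addr2: AP
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # addr3: BSSID
    0xa0, 0x00,                          # sequence control: seq 10, frag 0
]) + bytes(8) + bytes([0x64, 0x00]) + bytes([0x11, 0x04]) \
   + bytes([SSID_ELEMENT_ID, 7]) + b"CorpNet"   # timestamp, interval, cap, SSID IE


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid(ies):
    """Walk the tagged information elements and return the SSID, if present."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if eid == SSID_ELEMENT_ID:
            return value.decode("utf-8", errors="replace")
        i += 2 + length
    return None


def parse_frame(data):
    """Return the fields of a frame that a sniffer reads regardless of WEP."""
    if len(data) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _duration, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", data, 0)
    frame_type = (fc >> 2) & 0x3          # low byte: version/type/subtype
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8                       # high byte: ToDS, FromDS, Retry, ...
    info = {
        "type": TYPE_NAMES.get(frame_type, "reserved"),
        "subtype": subtype,
        "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
        "seq": seqctl >> 4, "frag": seqctl & 0xF,
        "protected": bool(flags & FLAG_PROTECTED),
        "retry": bool(flags & FLAG_RETRY),
    }
    body = data[24:]
    if info["protected"]:
        # WEP's 3-byte IV and the key-ID byte sit in front of the ciphertext,
        # unencrypted, so the IV stream is visible to any observer.
        info["wep_iv"] = body[:3].hex()
        info["wep_key_id"] = body[3] >> 6
    elif frame_type == 0 and subtype == SUBTYPE_BEACON:
        # Beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability,
        # then the information elements, SSID first.
        info["beacon_interval_tu"] = struct.unpack_from("<H", body, 8)[0]
        info["ssid"] = parse_ssid(body[12:])
    return info


if __name__ == "__main__":
    for name, frame in (("WEP data", WEP_DATA_FRAME), ("beacon", BEACON_FRAME)):
        print(name, parse_frame(frame))
```

Everything in the returned dictionary is available to a passive observer whether or not WEP is enabled; only the bytes after the IV on the data frame are ciphertext. That is the scope of WEP's protection, and it is why the headers and management traffic remain open to the traffic analysis and spoofing described above.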
Early WEP implementations are vulnerable to cracking by tools such as AirSnort and WEPCrack, but the latest firmware releases from most vendors eliminate all known attacks. The latest products go one step farther and use key management protocols to change the WEP key every 15 minutes. Even the busiest wireless LAN does not generate enough data for known attacks to recover the key in 15 minutes.
Whether you rely on WEP alone or layer stronger cryptographic solutions on top of it is largely a question of risk management. The latest product releases have no known vulnerabilities. While that is some comfort, the same claim could have been made in July 2001, before the release of the current generation of WEP-cracking tools. If your wireless LAN is being used for sensitive data, WEP may very well be insufficient for your needs. Strong cryptographic solutions like SSH, SSL, and IPSec were designed to transmit data securely over public channels, have proven resistant to attack over many years, and will almost certainly provide a higher level of security.
Problem #7: Higher Level Attacks
Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. Many networks have a hard outer shell composed of perimeter security devices that are carefully configured and meticulously monitored. Inside the shell, though, is a soft, vulnerable (and tasty?) center.
Wireless LANs can be deployed quickly if they are directly connected to the vulnerable backbone, but that exposes the network to attack. Depending on the perimeter security in place, it may also expose other networks to attack, and you can bet that you will be quite unpopular if your network is used as a launch pad for attacks on the rest of the world. The solution is straightforward in theory: treat the wireless network as something outside the security perimeter, but with special access to the inside of the network. Although security diligence is time consuming, so is being sued.
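One way to express "outside the security perimeter, but with special access to the inside" is as a zone policy in which the wireless segment can reach only the VPN concentrator and an infrastructure (DHCP/DNS) server, with every other inside destination denied. The Python below is an added example, not from the article: a small first-match rule evaluator holding that policy next to the "directly connected to the backbone" policy, plus an audit that lists which inside services each policy exposes to a wireless client. Addresses, zones, host roles and ports are assumptions made for the example.

```python
"""Zone policy check for a wireless segment kept outside the perimeter.

Added example, not from the article; topology and addresses are assumed.
"""
from ipaddress import ip_address, ip_network

# Assumed topology: the WLAN has its own segment, and the only inside hosts it
# may reach directly are the VPN concentrator and the DHCP/DNS server.
WLAN_NET = ip_network("10.99.0.0/16")
INSIDE_NET = ip_network("10.0.0.0/8")
VPN_GATEWAY = ip_network("10.1.0.10/32")
INFRA_SERVER = ip_network("10.1.0.53/32")
ANY = ip_network("0.0.0.0/0")

# Rules are (src_net, dst_net, proto, dport, action); first match wins.
# None for proto or dport matches anything. Wireless clients must bring up a
# VPN tunnel to the concentrator to reach the rest of the inside.
WLAN_POLICY = [
    (WLAN_NET, VPN_GATEWAY, "udp", 500, "allow"),    # IKE
    (WLAN_NET, VPN_GATEWAY, "udp", 4500, "allow"),   # IPsec NAT traversal
    (WLAN_NET, VPN_GATEWAY, "esp", None, "allow"),   # IPsec ESP
    (WLAN_NET, INFRA_SERVER, "udp", 53, "allow"),    # DNS
    (WLAN_NET, INFRA_SERVER, "udp", 67, "allow"),    # DHCP
    (WLAN_NET, INSIDE_NET, None, None, "deny"),      # everything else inside
    (WLAN_NET, ANY, None, None, "allow"),            # Internet egress
]

# The "directly connected to the backbone" case: the WLAN is simply inside.
FLAT_POLICY = [
    (WLAN_NET, ANY, None, None, "allow"),
]


def decide(policy, src, dst, proto, dport=None):
    """Evaluate a flow against a policy; unmatched flows are denied."""
    src, dst = ip_address(src), ip_address(dst)
    for s_net, d_net, p, port, action in policy:
        if (src in s_net and dst in d_net
                and p in (None, proto) and port in (None, dport)):
            return action
    return "deny"


def audit_inside_exposure(policy, inside_hosts, probes, client="10.99.1.23"):
    """List the inside (host, proto, port) triples a wireless client can reach."""
    exposed = []
    for host in inside_hosts:
        for proto, port in probes:
            if decide(policy, client, host, proto, port) == "allow":
                exposed.append((host, proto, port))
    return exposed


if __name__ == "__main__":
    hosts = ["10.1.0.10", "10.2.3.4"]          # VPN gateway, an internal file server
    probes = [("tcp", 22), ("tcp", 445), ("udp", 4500)]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", WLAN_POLICY)):
        print(name, audit_inside_exposure(policy, hosts, probes))
```

The audit function is the part worth keeping around: run it against the real rule base with a list of inside hosts and the ports you care about, and the output is the exact set of services a compromised wireless client could reach without first authenticating to the VPN. Under the flat policy that set is everything; under the segmented policy it is only the tunnel endpoint.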
Conclusion
Although wireless LAN security can seem challenging because of the press it has generated, most of the challenges can be addressed by reasonable security precautions. Network designs will, of course, continue to be affected by the development of new technologies and user demands.
The next wave of wireless LANs is likely to be driven by mobility. 802.11 provides link-layer mobility. Users can move transparently within an IP subnet with no effect on their applications or connection. Once you leave the cozy confines of a single network segment, though, all bets are off. For now, I'll leave mobility to the realm of new technology that is just over the horizon, as well as the network engineers who will need to make sense of it when it arrives.
Matthew Gast works in the Office of the CTO at Trapeze Networks, where he works on product architecture and industry standards. He is a voting member of the IEEE 802.11 working group, and serves as chair of 802.11 Task Group M. At the Wi-Fi Alliance, he chairs the Wireless Network Management marketing task group and the Security technical task group. In 2007, Matthew was a founder of the OpenSEA Alliance, a group which supports the development of open-source network security solutions. He currently serves on the engineering steering committee and on the organization's board of directors.
O'Reilly & Associates published 802.11 Wireless Networks: The Definitive Guide by Matthew Gast in April, 2002.
Captive Portals.
2002-06-05 15:11:24 Schuyler Erle
We just use a captive portal like NoCatAuth on the community network to protect access. Even in open mode, it can still provide a splash page and require a user to accept a "terms of use" before granting access to the network.
What we are largely seeing in the world of WiFi is much the same technological response to the issue of security as occurred with the implementations of analogue, then digital, then GSM mobile telephony. The primary threat for WiFi users is not from roof-borne hackers using high-power encryption tools and coffee-can high-gain directional antennas... the most significant threat is that someone will break your car window and steal your WiFi-enabled laptop complete with loaded passwords and WiFi entry scripts.
The lesson (hard learnt) by our telcos after investing $billions in security algorithms is... why would a criminal go to all the trouble to hack a network when they can simply steal a mobile phone? This is why so much effort has recently gone into installing unique IDs into every phone and SIM card to track physical thefts.
WiFi networks are no different, and as computerised access devices become smaller and easier to steal, the highest risk to these networks is that someone will simply steal an access device (no technical expertise or special tools required). Physical security has become the issue of the day (lock up your laptops!!).