Known Vulnerabilities in Wireless LAN Security

Contact:[email protected]

http://www.tml.hut.fi/Studies/Tik-110.300/1999/Wireless/vulnerability_4.html

Known Vulnerabilities in Wireless LAN Security 
11.10.1999 

Asma Yasmin 
Department of Electrical and Communication Engineering 
Helsinki University of Technology 
[email protected] 
  

Abstract

Wireless Local Area Networks are becoming a respectable alternative for
indoor communications. They offer flexibility and mobility in networking
environments, as the user is no longer bound to a fixed workplace.
Wireless technology allows the network to go where wire cannot. A mobile
workforce that requires real-time access to data benefits from wireless
LAN connectivity, since it can reach the network almost any time, any
place. Wireless LANs are also ideal for providing mobility in home and
hot-spot environments. Unfortunately, disgruntled employees, hackers,
viruses, industrial espionage, and other forms of destruction are not
uncommon in today's networks. This essay addresses the common
vulnerabilities in the security of wireless LANs. 



--------------------------------------------------------------------------------

Contents 
1. Introduction to Wireless Local Area Network 

       1.1    Wireless Local Area Network Architecture 
       1.2    Benefits of Wireless Local Area Network 

2. Known vulnerabilities in WLAN 
  
        2.1    Inherent flaws 
        2.2    Hackers, Viruses, and Intruders 
        2.3    Distribution file and quality of password 
        2.4    Interception 
        2.5    Masquerading 
        2.6    Denial-of-service attacks 
        2.7    Others 
  
3. Conclusion 

References 

Further Information 



--------------------------------------------------------------------------------

1. Introduction to Wireless Local Area Network 

Conventional Local Area Networks are fixed and deploy cables as physical
medium. They were developed for interconnecting computers to enable
sharing of resources, and to interconnect various organizations. LANs
are typically restricted in size and offer a maximum throughput from 10
Mbit/s to 100 Mbit/s. The increased use of mobile phones and laptop
computers has created a need for communication methods that would enable
a user to access network resources from anywhere and at anytime. Office
workers may spend a lot of their working time away from their desks, and
yet they need to access the network resources without physically being
at their desks. Due to bandwidth limitations and expensive technologies,
cellular data networks, such as the Global System for Mobile
Communications (GSM), are not suitable for local area high-speed data
networking. Various wireless LAN standards have been developed to
address the needs of mobile users [3]. 

1.1  Wireless Local Area Network Architecture 

Because of its architecture, a wireless LAN has some intrinsic security
flaws, so this study would be incomplete without a short description of
the wireless LAN architecture before its security vulnerabilities are
discussed. 

Figure 1.1 Wireless LAN Architecture

The wireless LAN consists of access points and terminals that have a
wireless LAN connectivity. Finding the optimal locations for access
points is important, and can be achieved by measuring the relative
signal strength of the access points. Placing the access points in a
corporation network opens an access way to the resources in the
intranet. With wired LANs an intruder must first gain physical access to
the building before she can plug her computer to the network and
eavesdrop on the traffic. The intranet is typically considered secure
even though employees can cause security breaches and data is
transmitted unencrypted. If the information transmitted in the
corporation network is extremely valuable to the corporation, the
wireless LAN interface should be protected from unauthorized users and
eavesdropping. The obvious way to extend the intranet with a wireless
LAN is to connect the access points directly to the intranet as
illustrated in Figure 1.1 

The terminals that wish to join the wireless network need to know the
SSID (Service Set Identifier) string that identifies the network. When
the terminal enters the coverage area of an access point in that
network, it can start associating with an access point. The
authentication methods supported by the current 802.11 standard are Open
System and Shared Key. The Shared Key method requires that the WEP
algorithm be implemented on both the wireless terminal and the access
point. In the Open System authentication scheme, which is the default
scheme, a terminal announces that it wishes to associate with an access
point, and typically the access point allows the association. To
restrict access to a wireless network without WEP, most wireless LAN
product vendors have implemented an access control method, which is
based on blocking associations from unwanted MAC addresses on the access
points. Network interface cards have a 48-bit MAC address that uniquely
identifies them, as defined in [IEEE802]. A list containing the MAC
addresses of valid network cards can be defined in the access points;
any terminal trying to associate with a card whose MAC address is not on
the list is denied association and thus cannot use the wireless LAN
interface [2]. 

If no authentication or encryption methods are used, the WLAN can create
a security risk if the radio signals flow outside the office building.
An intruder who knows the SSID that identifies the WLAN, could configure
a device to operate on the same network and frequency as the access
points and gain access to the network if no MAC address blocking were
used. With proper tools she could eavesdrop on the data the other
legitimate users were transmitting. It is also possible to counterfeit
MAC addresses used on the network cards, so after learning an authorized
MAC address, an intruder could program her card to have the same MAC
address, and gain access to the wireless LAN. Using the cards at the
same time would of course lead to networking problems. To prevent
eavesdropping and unauthorized access to the WLAN, other security
measures should be implemented if the transmitted data is valuable to
the business. 
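The MAC-address access control described above, together with a check for the "networking problems" that a counterfeited address causes, as an added example (it is not code from the original page or from any vendor's access point). The allow-list, station addresses and captured frames are constructed; the sequence-number heuristic is an assumption of this example, not a feature of the 802.11 standard, and relies on each station keeping its own 12-bit transmit sequence counter, so that two cards sharing one address make the counter observed by the access point run backwards:

```python
"""Access-point MAC allow-list plus a duplicate-address heuristic.

Constructed example: addresses, allow-list and captured frames are made up.
The sequence-number check is an assumption of this example, not a standard
feature; it relies on each station keeping its own transmit counter.
"""

# Hypothetical allow-list configured on the access point (section 1.1).
ALLOWED_MACS = {"00:a0:f8:11:22:33", "00:a0:f8:44:55:66"}

# 802.11 sequence numbers are 12 bits wide, so they wrap at 4096.
SEQ_MOD = 4096

# Constructed capture: (source MAC, 802.11 sequence number) per data frame.
# A second card has been programmed with the first station's address and
# transmits with its own counter, so the observed counter runs backwards.
CAPTURED_FRAMES = [
    ("00:a0:f8:11:22:33", 100),
    ("00:a0:f8:11:22:33", 101),
    ("00:a0:f8:11:22:33", 101),  # retransmission keeps the same number: normal
    ("00:a0:f8:11:22:33", 102),
    ("00:a0:f8:11:22:33", 500),  # cloned card, own counter: looks like lost frames
    ("00:a0:f8:11:22:33", 103),  # original card again: counter went backwards
    ("00:a0:f8:11:22:33", 501),
    ("00:a0:f8:44:55:66", 7),
    ("00:a0:f8:44:55:66", 8),
]


def association_allowed(mac: str, allowed=ALLOWED_MACS) -> bool:
    """Vendor-style MAC filter: grant association only to listed addresses."""
    return mac.lower() in allowed


def detect_duplicate_mac(frames):
    """Return (mac, previous_seq, seq) for every backwards step of a counter.

    A single station only moves its counter forward (or repeats the number
    on a retransmission).  Interpreting the modular difference as a signed
    value, a step into the negative half means a second transmitter is
    using the same address.
    """
    last_seq = {}
    alerts = []
    for mac, seq in frames:
        mac = mac.lower()
        if mac in last_seq:
            delta = (seq - last_seq[mac]) % SEQ_MOD
            if delta > SEQ_MOD // 2:
                alerts.append((mac, last_seq[mac], seq))
        last_seq[mac] = seq
    return alerts


if __name__ == "__main__":
    for mac in ("00:A0:F8:11:22:33", "00:a0:f8:99:99:99"):
        print(mac, "associate" if association_allowed(mac) else "reject")
    for mac, prev, cur in detect_duplicate_mac(CAPTURED_FRAMES):
        print(f"possible cloned address {mac}: sequence {prev} -> {cur}")
```

The filter alone stops nothing once an authorized address has been learned by eavesdropping; the counter check only raises an alarm when both cards transmit in the same period, which is exactly the situation the text calls "networking problems".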

1.2 Benefits of Wireless Local Area Network 

Local Area Networks (LAN) have been used for interconnecting computers
and resources in various networking environments. Cables have typically
been used as the physical medium in these LAN environments. Sometimes it
may not be possible or practical to install cables, but network
connectivity is required. Using wireless connections allows portable
computers to still be portable without sacrificing the advantages of
being connected to a network. Furthermore, the increased use of mobile
phones and Personal Digital Assistant (PDA) devices is driving the
workforce towards a more mobile working environment. Due to bandwidth
limitations and expensive technologies, cellular data networks, such as
the Global System for Mobile Communications (GSM), are not suitable for
local area high-speed data networking. Wireless LANs provide the needed
mobility in these working environments, enabling a user to access the
network services away from the desk. Wireless LANs use electromagnetic
airwaves (radio or infrared) to communicate information from one point
to another without relying on any physical connection [3]. 

The widespread reliance on networking in business and the meteoric
growth of the Internet and online services are strong testimonies to the
benefits of shared data and shared resources. With wireless LANs, users
can access shared information without looking for a place to plug in,
and network managers can set up or augment networks without installing
or moving wires. Beyond that, the benefits most often cited are support
for mobility, easy installation, cost effectiveness and support for
novel applications. 

2. Known vulnerabilities in WLAN 

2.1 Inherent flaws 

Network security is an important aspect of wireless LANs, since it is
hard to restrict access to network resources physically, which in a
wired LAN can be done by physical access control on the premises. Radio
signals can propagate outside office buildings depending on the building
materials and surroundings, so it may be possible for an intruder to
access the wireless LAN from outside the building, for example from a
nearby parking lot. The intruder could then eavesdrop on the transmitted
data. This, however, requires that the intruder obtain the network
access code in order to join the wireless LAN. Wired networks are not
immune either: Ethernet 10Base-T cabling acts as a remarkable antenna,
and anyone with a strong motivation and a good antenna can sit in the
parking lot and pick up the wired Ethernet data packets [1]. 

People may be reasonably comfortable with the security level intrinsic
to a wired LAN. But as soon as data packets are transmitted over the
open-air interface, it is necessary to think twice. In a wired LAN the
devices need to be physically connected to the network, but because of
the wireless medium, access to a wireless LAN cannot be physically
restricted. In fact, any network, whether a wired LAN or a wireless LAN,
is subject to substantial security risks, namely: 

        - Attacks from within the network's user community 
        - Unauthorized access to network resources via wireless hardware,
          typically a high-capability receiver and antenna 
        - Eavesdropping on the wireless signalling from outside the company
          or work group [5] 

The biggest threat to a company's network comes from within the company
itself. Without the proper security measures in place, any registered
user of the network can access data that he or she has no business
accessing. Disgruntled current and ex-employees have been known to read,
distribute, and even alter valuable company data files. 

2.2 Hackers, Viruses, and Intruders 

Another security hole is the growing use of the Internet. If users on
the inside can get out to the Internet, then users on the outside can
get into the company's own network unless proper precautions are taken.
This applies not only to the Internet but to any capability that allows
users to come in from the outside: remote access products that let
people dial in for their e-mail, remote offices connected via dial-up
lines, on-site Web sites, and "extranets" that connect vendors and
customers to the company's network all make the network vulnerable to
hackers, viruses, and other intruders. 

2.3 Distribution file and quality of password 

In a system such as TWISS, where each user's keys are generated on the
server and delivered in a distribution file, the user needs to have that
file in order to access the intranet. Typically the distribution file
resides on the hard disk of the user's personal laptop. The quality of
the password that opens access to the keys in the file is therefore
essential to the security of the whole system: if a malicious user finds
out the password and gains access to the distribution file, she can log
on to the server and thus create a tunnel into the intranet. Because the
file can be copied from the laptop and attacked offline, the password
must withstand unthrottled guessing. 
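How a password guards the keys in such a file, and why the quality of that password decides everything, as an added example (not TWISS's file format or code). The file layout, the toy private key, the PBKDF2 parameters and the word list are assumptions of this example; the HMAC-based keystream stands in for a real block cipher so that the code needs only the Python standard library:

```python
"""Password-protected key file and the offline guessing it invites.

Constructed example: file layout, toy private key, word list and PBKDF2
parameters are assumptions; the HMAC keystream stands in for a real cipher.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # PBKDF2 work factor (assumed; raise for production)

# Constructed word list an attacker would try first.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "summer99", "welcome1"]


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive(password: str, salt: bytes, iterations: int):
    """Stretch the password into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 64)
    return master[:32], master[32:]


def seal_key_file(private_key: bytes, password: str, salt: bytes = None) -> dict:
    """Encrypt the private key under the password and authenticate the result."""
    salt = salt or os.urandom(16)
    enc_key, mac_key = _derive(password, salt, ITERATIONS)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, len(private_key))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "ciphertext": ciphertext, "tag": tag}


def open_key_file(key_file: dict, password: str):
    """Return the private key if the password is right, otherwise None."""
    enc_key, mac_key = _derive(password, key_file["salt"], key_file["iterations"])
    expected = hmac.new(mac_key, key_file["salt"] + key_file["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, key_file["tag"]):
        return None
    keystream = _keystream(enc_key, len(key_file["ciphertext"]))
    return bytes(a ^ b for a, b in zip(key_file["ciphertext"], keystream))


def dictionary_attack(key_file: dict, candidates):
    """What someone who copied the file off the laptop can do offline, unthrottled."""
    for guess in candidates:
        if open_key_file(key_file, guess) is not None:
            return guess
    return None


def password_strength(password: str) -> list:
    """Return a list of complaints; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    key = b"-----toy private key-----"
    for pw in ("summer99", "Tk7#vq9!Lm2pRz"):
        f = seal_key_file(key, pw)
        print(pw, "->", password_strength(pw) or "ok",
              "| dictionary attack found:", dictionary_attack(f, COMMON_PASSWORDS))
```

The MAC tag is what lets the attacker confirm a guess without any server round trip, which is why the key-stretching work factor and the password itself are the only defences once the file is in the wrong hands.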

2.4 Interception 

Interception may be identity interception, in which the identity of a
communicating party is observed for later misuse, or data interception,
in which an unauthorized party observes the user data during a
communication. Either is an attack on confidentiality; an example would
be an attacker who listens on the wireless (or wired) medium and
captures the transmitted data. 

2.5 Masquerading 

Masquerading takes place when an attacker pretends to be an authorized
user in order to gain access to information or to a system. An example
in a wireless LAN would be an unauthorized user who presents an
authorized station's MAC address, as described in section 1.1, in order
to gain access to the wireless network. 

2.6 Denial-of-service attacks 

A denial-of-service attack could be launched against a wireless LAN by
deliberately causing interference in the same frequency band in which
the wireless LAN operates. This would cause availability problems,
keeping the authorized users from using the network [4]. 

Due to the nature of radio transmission, wireless LANs are very
vulnerable to denial of service attacks. If the attacker has a powerful
enough transceiver, he can easily generate enough radio interference
that our wireless LAN is unable to communicate over the radio path. This
kind of attack can be carried out from outside the site, for example
from a van parked on the street or from an apartment in the next block.
The equipment needed can be bought from any electronics store at a
reasonable price, and any short-wave radio enthusiast has the knowledge
needed to construct it. Protection against this kind of attack is very
difficult and expensive. The only complete solution is to put the
wireless network inside a Faraday cage, which is applicable only in very
rare cases. On the other hand, it is easy for the authorities to locate
the transceiver generating the interference, so the attacker has limited
time before it is found. 

Returning to the distribution file of section 2.3: user authentication
in TWISS is based on public-key cryptography. Each user has a
public/private key pair, which is generated on the TWISS server and then
delivered to the user in a distribution file. The keys in the
distribution file are protected with a password that only the user
knows. The password is entered when logging on locally to the TWISS
client in order to access the private key needed for logging on to the
TWISS server. As the user logs on to the TWISS server, the client and
the server negotiate a symmetric encryption/decryption key that is used
for data confidentiality for the duration of a single secure connection. 

2.7 Others 

The wireless LAN could be used as a launch pad for a transitive trust
attack. If the attacker can fool the wireless LAN into trusting a mobile
he controls, there is a hostile node inside all the firewalls of the
enterprise network, and it is very difficult to prevent hostile actions
after that. This kind of attack can be carried out from outside the site
with standard wireless LAN hardware compatible with the target's
equipment. The only real protection against it is a strong
authentication mechanism for the mobiles accessing the wireless LAN.
Discovery of unsuccessful attacks must rely on logging of failed logon
attempts, but it may be very hard to tell whether there has been a real
attack, because in normal operation failed logon attempts also occur due
to the high bit error rate (BER) of the radio path and from mobiles that
belong to some other wireless LAN [4]. 
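A way to sift the failed-logon log this paragraph relies on, as an added example (not code from the original page). The log format, the station addresses and the thresholds are constructed for this example; the heuristic is that bit errors and mobiles of neighbouring WLANs produce scattered failures, often followed by a success, whereas an attacker trying to get a foreign mobile trusted produces a burst of failures from one address and never succeeds:

```python
"""Sift failed-logon records for attack bursts versus radio noise.

Constructed example: the log format, addresses and thresholds are invented.
Heuristic: bit errors and stations of neighbouring WLANs cause scattered
failures (legitimate ones soon followed by a success); an intruder trying
to get a foreign mobile trusted produces a burst from one address and
never succeeds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-point log: timestamp, AP, event, station address.
SAMPLE_LOG = """\
1999-10-11 09:00:01 ap1 auth-fail mac=00:a0:f8:11:22:33
1999-10-11 09:00:04 ap1 auth-ok   mac=00:a0:f8:11:22:33
1999-10-11 09:03:15 ap1 auth-fail mac=00:a0:f8:44:55:66
1999-10-11 09:03:19 ap1 auth-ok   mac=00:a0:f8:44:55:66
1999-10-11 09:12:40 ap1 auth-fail mac=00:a0:f8:77:88:99
1999-10-11 09:20:02 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:06 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:10 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:14 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:18 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:22 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:26 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:20:30 ap1 auth-fail mac=00:a0:f8:ab:cd:ef
1999-10-11 09:31:07 ap1 auth-fail mac=00:a0:f8:77:88:99
1999-10-11 09:52:55 ap1 auth-fail mac=00:a0:f8:77:88:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<event>auth-ok|auth-fail)\s+mac=(?P<mac>[0-9a-f:]{17})$"
)


def parse(log_text: str):
    """Return (timestamp, event, mac) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["mac"]))
    return events


def suspicious_stations(events, window=timedelta(seconds=60), threshold=5):
    """Map MAC -> peak number of failures inside `window`, for stations that
    reached `threshold` failures in a window and never authenticated successfully."""
    recent = defaultdict(deque)  # per MAC: failure timestamps still inside the window
    succeeded = set()
    peak = {}
    for ts, event, mac in sorted(events):
        if event == "auth-ok":
            succeeded.add(mac)
            continue
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[mac] = max(peak.get(mac, 0), len(q))
    return {mac: n for mac, n in peak.items() if mac not in succeeded}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(f"{len(events)} events parsed")
    for mac, n in suspicious_stations(events).items():
        print(f"{mac}: {n} failures within 60 s and no success: investigate")
```

The neighbouring WLAN's mobile (77:88:99) fails three times in an hour and is ignored at the default window; widening the window to an hour with a threshold of three would flag it too, so the thresholds have to be set against the measured background noise of the site.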

Two common encryption schemes, RSA and DES, are used in wireless LAN
systems. While they raise the level of security, as deployed in these
products they are not strong enough to withstand a persistent cracking
effort. 

The other kind of transitive trust attack, specific to wireless
networks, is fooling the mobile into trusting a base controlled by the
attacker as our base. When a mobile is switched on, it usually first
tries to log on to the network with the strongest signal and, if that
fails, the rest in order of signal power. So if the attacker has a base
with high transmission power, he may be able to fool our mobiles into
trying to log on to the attacker's network first. There are then
basically two possibilities: the attacker may let us log on to his
network, make it pretend to be our network and find out the passwords,
secret keys, etc.; or the attacker may simply reject our logon attempts
but record all the messages exchanged during the logon process and find
out the secret keys or passwords used for authentication in our network
by analysing these messages. The former case is very difficult to
implement without very detailed information about our network services
and is probably detected very soon, but the latter requires only
standard base hardware compatible with our equipment, perhaps with a
special antenna, and is very difficult to detect, because mobiles do not
usually report unsuccessful logon attempts to the upper layers and there
are many unsuccessful logon attempts even under normal circumstances.
The only protection against these attacks is an efficient authentication
mechanism which allows the mobile to authenticate the base without
disclosing the secret keys or passwords it uses to log on to our network
[4]. 
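The mutual authentication that this paragraph and the TWISS description in section 2.6 call for, as an added example rather than TWISS's own protocol: a challenge-response exchange in which the mobile verifies the base before it sends anything derived from its credentials, so a rogue base that records the exchange obtains only random nonces. The example uses an HMAC over a shared secret where TWISS uses public/private key pairs; the message layout, the labels and the nonce sizes are assumptions of this example:

```python
"""Mutual challenge-response logon that reveals no reusable secret.

Added example, not TWISS's protocol: an HMAC over a shared secret stands in
for TWISS's public/private key pairs.  Message layout, labels and nonce
sizes are assumptions of this example.
"""
import hashlib
import hmac
import os


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Base:
    """Our access point: knows the shared secret of every enrolled mobile."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, mobile_nonce: bytes):
        """Step 2: answer the mobile's nonce with our nonce and a proof of the key."""
        self.mobile_nonce = mobile_nonce
        self.nonce = os.urandom(16)
        return self.nonce, _prf(self.secret, b"base", mobile_nonce, self.nonce)

    def verify_mobile(self, proof: bytes) -> bool:
        """Step 4: check the mobile's proof over both nonces."""
        return hmac.compare_digest(proof, _prf(self.secret, b"mobile", self.mobile_nonce, self.nonce))

    def session_key(self) -> bytes:
        """Symmetric key for this connection, bound to both nonces."""
        return _prf(self.secret, b"session", self.mobile_nonce, self.nonce)


class RogueBase:
    """Attacker's base: strong signal and compatible hardware, but no secret.
    It records everything the mobile sends, which is the attack from 2.7."""

    def __init__(self):
        self.transcript = []

    def respond(self, mobile_nonce: bytes):
        self.transcript.append(mobile_nonce)
        return os.urandom(16), os.urandom(32)  # can only guess the proof

    def verify_mobile(self, proof: bytes) -> bool:
        self.transcript.append(proof)  # never reached: the mobile aborts first
        return True


class Mobile:
    def __init__(self, secret: bytes):
        self.secret = secret

    def logon(self, base):
        """Run the exchange; return the session key, or None if the base fails."""
        my_nonce = os.urandom(16)                        # step 1: challenge the base
        base_nonce, base_proof = base.respond(my_nonce)  # step 2
        expected = _prf(self.secret, b"base", my_nonce, base_nonce)
        if not hmac.compare_digest(base_proof, expected):
            return None  # step 3: unproven base; nothing secret-derived was sent
        proof = _prf(self.secret, b"mobile", my_nonce, base_nonce)
        if not base.verify_mobile(proof):                # step 4
            return None
        return _prf(self.secret, b"session", my_nonce, base_nonce)


if __name__ == "__main__":
    secret = os.urandom(32)  # enrolled out of band, e.g. in a distribution file
    mobile, base, rogue = Mobile(secret), Base(secret), RogueBase()
    print("genuine base:", mobile.logon(base) == base.session_key())
    print("rogue base:", mobile.logon(rogue),
          "| recorded:", len(rogue.transcript), "message(s), random nonces only")
```

The ordering is the point: because the base must prove itself first, the second attack variant in the text (reject the logon, record the messages, analyse them offline) sees nothing but a fresh random nonce; and because both proofs cover both nonces, a recorded proof cannot be replayed against a later session.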

Infrastructure attacks are based on some weakness in the system: a
software bug, a configuration mistake, a hardware failure, etc. Such
situations will certainly occur in wireless LANs too. Protection against
this kind of attack is almost impossible, since you do not know about
the bug until something happens, so the only thing to do is to keep the
possible damage as small as possible, for example by limiting what a
single compromised component can reach. 

On the other hand, wireless LANs are less vulnerable than wired LANs to
other kinds of denial of service attacks. For example, a fixed LAN node
can be isolated from the network simply by cutting the wire, which is
not possible in a wireless environment. If the attacker cuts the power
to the whole site, all wired networks are usually useless, but wireless
LANs can still be used in an ad-hoc configuration with laptops or other
battery-powered computers. 

Data security is accomplished by an encryption technique known as the
Wired Equivalent Privacy algorithm (WEP). WEP protects the data
transmitted over the RF medium using a 64-bit seed key and the RC4
encryption algorithm. When enabled, WEP protects only the data portion
of the packet and not the frame headers, so other stations on the
network can still read the control data needed to manage the network,
but cannot decrypt the data portion of the packet. 
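WEP's frame protection as the paragraph describes it, as an added example written for this page (not vendor code): RC4 keyed with the per-frame IV and the 40-bit key that together make up the 64-bit seed, a CRC-32 integrity check value (ICV) appended to the payload, and the frame header left in the clear. The header bytes, key and IV are constructed; the key-ID byte of real WEP frames and the exact ICV byte order are simplified. The last function shows the general stream-cipher caveat a practitioner should know: two frames encrypted under the same IV share one keystream, so their ciphertexts XOR to the XOR of their plaintexts without any knowledge of the key.

```python
"""WEP-style frame protection: RC4(IV || key) over payload || CRC-32, header in clear.

Constructed example: header bytes, key and IV are made up; the key-ID byte
and the exact ICV byte order of real WEP are simplified away.
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(header: bytes, iv: bytes, key40: bytes, payload: bytes) -> bytes:
    """Frame = cleartext header || IV || RC4(IV||key) xor (payload || ICV)."""
    assert len(iv) == 3 and len(key40) == 5, "24-bit IV + 40-bit key = 64-bit seed"
    icv = zlib.crc32(payload).to_bytes(4, "little")  # integrity check value
    body = payload + icv
    return header + iv + xor(body, rc4(iv + key40, len(body)))


def wep_decrypt(frame: bytes, header_len: int, key40: bytes):
    """Return (header, payload, icv_ok).  The IV is read from the frame itself."""
    header = frame[:header_len]
    iv = frame[header_len:header_len + 3]
    body = xor(frame[header_len + 3:], rc4(iv + key40, len(frame) - header_len - 3))
    payload, icv = body[:-4], body[-4:]
    return header, payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes, header_len: int):
    """Eavesdropper's check: if two frames carry the same IV they were encrypted
    with the same keystream, and xoring the two ciphertext bodies gives the xor
    of the two plaintexts (with their ICVs) without knowing the key."""
    iv_a = frame_a[header_len:header_len + 3]
    iv_b = frame_b[header_len:header_len + 3]
    if iv_a != iv_b:
        return None
    return xor(frame_a[header_len + 3:], frame_b[header_len + 3:])


# Constructed values: a 24-byte 802.11-style header, 40-bit key, 24-bit IV.
HEADER = bytes.fromhex("0841") + bytes(22)
KEY40 = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")

if __name__ == "__main__":
    frame = wep_encrypt(HEADER, IV, KEY40, b"hello access point")
    print("header still readable:", frame[:len(HEADER)] == HEADER)
    print("decrypt:", wep_decrypt(frame, len(HEADER), KEY40)[1:])
    other = wep_encrypt(HEADER, IV, KEY40, b"password=letmein99")
    leak = keystream_reuse_leak(frame, other, len(HEADER))
    print("IV reuse leaks p1 xor p2:",
          leak[:18] == xor(b"hello access point", b"password=letmein99"))
```

With only 24 bits of IV per frame the space of keystreams is small, so an eavesdropper in the parking lot who captures enough traffic will see repeated IVs and can apply the last function to pairs of frames; the unencrypted header is what tells her which frames belong to which station.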

3. Conclusion 

The current wireless LAN standards offer a very unsatisfactory level of
security and cannot truly be trusted. When using products based on these
standards, security must be taken care of in the upper layers. A certain
level of security is a must in most local area networks, regardless of
whether or not there are wireless segments. Even wired networks are
vulnerable to insider curiosity, outsider attack, and wire-tapping. No
one wants to risk having LAN data exposed to the casual observer or open
to malicious mischief. The nature of radio communication makes it
practically impossible to prevent some attacks, such as denial of
service using radio interference. But if the data is very confidential
or safety-critical, such as that found in banking, military,
manufacturing or hospital networks, then extra measures must be taken to
ensure privacy and safety. 

References 

[1] BREEZECOM Wireless Communications, Inc.: Network Security in a
Wireless LAN, 02.02.1999 [referred 10.10.1999] 

[2] Molta, Dave; Foster-Webster, Areth: Wired on Wireless: A New Class of
802.11 Devices Go the Distance, March 1999 [referred 11.10.1999] 

[3] Rinnemaa, Jyri Petri: Designing a Secure Wireless Local Area Network
Architecture, Master's thesis, Tampere University of Technology, 83 p.,
August 1999 [referred 09.10.1999] 

[4] Uskela, Sami: Security in Wireless Local Area Networks, 26.12.1997
[referred 10.10.1999] 

[5] WLANA, The Wireless LAN Alliance: Wireless LAN Security white paper,
13.10.1998 [referred 10.10.1999] 


Further Information 

 What is a Wireless LAN? What WLAN, [referred 10.10.1999] 