Minimizing WLAN Security Threats

By Jim Geier

September 05, 2002

Most wireless LANs do not invoke adequate security measures to guard against attacks. Learn what security threats exist for wireless LANs as the basis for deploying effective security measures.

Because they use radio waves, wireless LANs are open to hackers trying to access sensitive information or spoil the operation of the network. In fact, most wireless LANs don't implement any form of reliable security, enabling access to just about anyone. I've proven that by driving around several large cities recently and using 802.11 packet sniffing tools to detect wireless LANs. I found that many major corporations, retail stores, airports, and homes are wide open.

Spread spectrum not very secure

Several of the 802.11 wireless LAN standards (including 802.11b) use spread spectrum, a modulation technique developed during the days of World War II to keep enemy forces from jamming radio communications and radio-guided missiles. When wireless LANs first began to appear in the early 1990s, vendors touted the inherent security of wireless LANs because of the use of spread spectrum technology. Some wireless LAN vendors today still advertise the security that spread spectrum provides.

Spread spectrum in general is capable of changing the "spreading codes" in a secretive way, which makes it nearly impossible for someone to decipher the signal's intelligence unless they know the code. The problem, however, is that the 802.11 standard clearly describes the spreading codes publicly so that companies can design interoperable 802.11 components. As a result, a hacker only needs an 802.11-compliant radio NIC as the basis for connectivity, which obliterates the security benefits of spread spectrum.

SSIDs are useless

The 802.11 standard specifies the SSID (service set identifier) as a form of password for a user's radio NIC to join a particular wireless LAN. 802.11 requires that the user's radio NIC have the same SSID as the access point to enable association and communications with other devices. In fact, the SSID is the only "security" mechanism that the access point requires to enable association in the absence of activating optional security features.

The use of SSIDs is a fairly weak form of security, however, because most access points broadcast the SSID multiple times per second within the body of each beacon frame. A hacker can easily use an 802.11 analysis tool (e.g., AirMagnet, Netstumbler, or AiroPeek) to identify the SSID. In addition, Windows XP does a great job of "sniffing" the SSID in use by the network and automatically configuring the radio NIC within the end user device.

Some network administrators turn off SSID broadcasting (which deletes the SSID from the beacon frames), but a hacker can still sniff the SSID from frames that stations use when associating with an access point. They just have to wait until someone associates or reassociates (e.g., when roaming) with the network.

Aside from sniffing the SSID, many wireless LAN administrators make it even easier by using the vendor's default SSIDs, which are pretty well known. For example, Cisco uses tsunami, and most other vendors use the name of their company as the default SSID. Just do some war driving, and you'll see that this is true.
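The following added example (not part of the original article) parses the SSID information element out of 802.11 management frames to show why turning off SSID broadcasting is not an access control: the beacon carries an empty SSID, but the association request carries the name in the clear. The frames are constructed samples with zeroed addresses, and "corp-wlan" is a made-up network name.

```python
# Bytes of fixed fields that precede the information elements in the body
# of each management frame subtype handled here.
FIXED_LEN = {
    0x0: 4,   # association request: capability + listen interval
    0x2: 10,  # reassociation request: same, plus current AP address
    0x8: 12,  # beacon: timestamp + beacon interval + capability
}
MAC_HEADER_LEN = 24


def ssid_from_frame(frame: bytes):
    """Return (subtype, ssid); ssid is None when the element is empty or absent."""
    if len(frame) < MAC_HEADER_LEN:
        raise ValueError("frame shorter than a management header")
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a beacon or (re)association request")
    pos = MAC_HEADER_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if elem_id == 0:  # element ID 0 carries the SSID
            # A cloaked beacon sends the SSID element empty or NUL-filled.
            visible = value.strip(b"\x00")
            if not visible:
                return subtype, None
            return subtype, visible.decode("utf-8", "replace")
        pos += 2 + length
    return subtype, None


def _constructed_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a minimal sample frame with zeroed addresses and fixed fields."""
    header = bytes([subtype << 4, 0]) + bytes(22)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid + rates


# Constructed samples (not captured traffic).
BEACON_BROADCAST = _constructed_frame(0x8, b"tsunami")
BEACON_CLOAKED = _constructed_frame(0x8, b"")
ASSOC_REQUEST = _constructed_frame(0x0, b"corp-wlan")
REASSOC_REQUEST = _constructed_frame(0x2, b"corp-wlan")
```
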

DHCP hurts security

Even if an intruder is capable of associating with an access point by using the correct SSID, they must often have an applicable IP address before they can directly access resources (user PCs, servers, etc.) on the network. Many wireless LANs, though, use DHCP (dynamic host configuration protocol) to automatically assign IP addresses to users as they become active. With DHCP enabled, a hacker receives an applicable IP address just as other legitimate users do. This provides freedoms to the hacker you'd rather not share.

For example, you may be sitting at an airport using a public wireless LAN. Someone associated to the same wireless LAN can easily use Windows to see other users (i.e., you) connected to the network. If you have file sharing turned on, the other person can click on your device and drill down to your documents folder and open or copy files to their laptop. This is a serious problem that many end users overlook, especially when operating from home and public networks.

Man-in-the-middle attacks

Through the use of an 802.11 analyzer, a person can monitor 802.11 frames sent over the wireless LAN and easily fool the network through various "man-in-the-middle" attacks. You can view the frames sent back and forth between a user's radio NIC and access point during the association process. As a result, you'll learn information about the radio card and access point, such as IP address of both devices, association ID for the radio NIC, and SSID of the network.

With this information, someone can set up a rogue access point (on a different radio channel) closer to a particular user to force the user's radio NIC to reassociate with the rogue access point. Because 802.11 doesn't provide access point authentication, the radio NIC will happily reassociate with the rogue access point. Once reassociation occurs, the rogue access point will capture traffic from unsuspecting users attempting to log in to their services. Of course, this exposes sensitive user names and passwords to a hacker who has an interface with the rogue access point.
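Because the station cannot authenticate the access point, spotting a rogue falls to whoever monitors the airspace. The added example below (not from the original article) compares observed beacons against an inventory of sanctioned access points and flags the case described above: the network's SSID offered by an unknown radio, or a known BSSID appearing on a channel it was never assigned. The inventory, SSID, addresses and survey data are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int


# Hypothetical inventory of sanctioned access points: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", 1),
    "00:11:22:33:44:02": ("corp-wlan", 6),
}
PROTECTED_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}


def find_rogues(beacons):
    """Return sorted (bssid, channel, reason) findings for suspicious beacons."""
    findings = set()  # a set, because the same beacon is heard many times
    for b in beacons:
        bssid = b.bssid.lower()
        known = AUTHORIZED.get(bssid)
        if known is None:
            # Unknown radios matter only when they advertise one of our SSIDs.
            if b.ssid in PROTECTED_SSIDS:
                findings.add((bssid, b.channel, "unknown BSSID using protected SSID"))
        elif b.channel != known[1]:
            # Beacons are unauthenticated, so a sanctioned BSSID can be copied.
            findings.add((bssid, b.channel, "authorized BSSID on unexpected channel"))
        elif b.ssid != known[0]:
            findings.add((bssid, b.channel, "authorized BSSID with changed SSID"))
    return sorted(findings)


# Constructed survey data from a hypothetical monitoring sensor.
SURVEY = [
    Beacon("corp-wlan", "00:11:22:33:44:01", 1),
    Beacon("corp-wlan", "00:11:22:33:44:02", 6),
    Beacon("corp-wlan", "00:11:22:33:44:02", 11),   # same BSSID, other channel
    Beacon("corp-wlan", "0A:BB:CC:DD:EE:FF", 11),   # not in the inventory
    Beacon("corp-wlan", "0A:BB:CC:DD:EE:FF", 11),   # repeated observation
    Beacon("coffee-shop", "0C:00:00:00:00:10", 3),  # neighbouring network
]

if __name__ == "__main__":
    for finding in find_rogues(SURVEY):
        print(finding)
```
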

Someone can also use man-in-the-middle techniques using a rogue radio NIC. After gleaning information about a particular wireless LAN by monitoring frame transmissions, a hacker can program a rogue radio NIC to mimic a valid one. This enables the hacker to deceive the access point by disassociating the valid radio NIC and reassociating again as a rogue radio NIC with the same parameters as the valid radio NIC. As a result, the hacker can use the rogue radio NIC to steal the session and carry on with a particular network-based service, one that the valid user had logged into.

Problems with WEP

On 802.11 networks, you can enable WEP (wired equivalent privacy), which encrypts the body of each frame. This is supposed to keep hackers from viewing sensitive e-mails, user names and passwords, proprietary documents, etc. As discussed in a previous tutorial, hackers can fairly easily decode WEP-encrypted information after monitoring an active network for less than one day.

Consequently, don't depend on WEP for protecting sensitive information. The use of WEP in most cases, nevertheless, is better than no encryption at all, especially if you deploy a mechanism to change the WEP key often (see related tutorial).

Denial of service attacks

Another form of security attack is denial of service. In this case, the hacker might not steal any information. They just keep users from accessing services, either to gain some sort of competitive advantage or just have some devious "fun."

A mischievous person can use a wireless client to insert bogus packets into the wireless LAN with the intent of keeping users from getting access to services. A brute force way of doing this is to set up a relatively high power signal generator to produce enough RF interference to block other radio NICs from accessing the medium. The 802.11 MAC Layer is fairly polite and avoids transmitting when it senses other RF activity. This gives the intruder enough control to keep users from accessing network services for an indefinite period of time.

Other more elegant methods for denying service include fooling valid radio NICs with fake 802.11 frames. For example, someone could set up their radio NIC (or 802.11 frame generator) to send a continuous stream of CTS (clear-to-send) frames, which mimics an access point informing a particular radio NIC to transmit and all others to wait. (CTS is part of 802.11's RTS/CTS function.) The radio NIC being given permission to transmit could be a fictitious user. As a result, the legitimate radio NICs in end user devices will continually delay access to the medium.
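A monitoring sensor can recognize this pattern because the CTS stream reserves most of the airtime for an address that never actually transmits. The added example below (not from the original article) sums the duration field of CTS frames per receiver address in each time window and raises an alert when the reserved share is high and the addressee stays silent. The record format, addresses, window size and 50% threshold are assumptions chosen for illustration.

```python
from collections import defaultdict


def detect_cts_flood(frames, window_s=1.0, max_reserved=0.5):
    """Flag receiver addresses whose CTS frames reserve most of a window.

    frames: iterable of (time_s, kind, receiver, transmitter, duration_us).
    CTS frames carry no transmitter address, so that field is None for them.
    Returns a list of (window_start_s, receiver, reserved_fraction).
    """
    reserved = defaultdict(float)  # (window, receiver) -> seconds reserved
    talkers = defaultdict(set)     # window -> addresses seen transmitting
    for t, kind, receiver, transmitter, duration_us in frames:
        window = int(t // window_s)
        if kind == "CTS":
            reserved[(window, receiver)] += duration_us / 1e6
        elif transmitter:
            talkers[window].add(transmitter)
    alerts = []
    for (window, receiver), seconds in sorted(reserved.items()):
        fraction = seconds / window_s
        # A genuine CTS is followed by traffic from the station it was sent to.
        if fraction > max_reserved and receiver not in talkers[window]:
            alerts.append((window * window_s, receiver, round(fraction, 2)))
    return alerts


# Constructed sample records (not captured traffic).
PHANTOM = "02:00:00:00:00:99"   # address that receives CTS but never sends
STATION = "00:11:22:33:44:aa"
AP = "00:11:22:33:44:01"
SAMPLE = [(i * 0.033, "CTS", PHANTOM, None, 32000) for i in range(30)]
SAMPLE += [
    (0.5000, "CTS", STATION, None, 300),   # ordinary RTS/CTS exchange
    (0.5004, "DATA", AP, STATION, 44),     # the station then transmits
]

if __name__ == "__main__":
    for alert in detect_cts_flood(SAMPLE):
        print(alert)
```
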

The bottom line

As you can see, there are many wireless LAN security issues that require attention. If and how you handle these problems depends greatly on your security requirements. In some cases, you might want to keep the network as open as possible and only protect files on user PCs. Most other scenarios, however, will likely need much more. It's possible to make wireless LANs very secure, as we'll discuss in a future tutorial. Stay tuned!

Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.

Join Jim for discussions as he answers questions in the 802.11 Planet Forums.


