By Lisa Phifer
802.11b wireless LANs can be easier to deploy and less expensive than traditional wired networks, but they are also inherently less secure. Service providers considering 802.11b for public access broadband or fixed wireless Internet access should appreciate the risks associated with this emerging technology.
Ethernet NICs broadcast packets over a physical medium—coaxial cable, unshielded twisted pair, fiber. Wireless NICs broadcast spread-spectrum radio signals over the air. Both are vulnerable to unauthorized use and eavesdropping, but there’s an important difference. Wireless LANs can be tapped passively, without physical access or sophisticated equipment. All an attacker needs is an inexpensive wireless NIC and a tiny bit of know-how.
In an 802.11b Basic Service Set (BSS), a wireless access point (AP) acts as a bridge for a set of associated stations—PCs outfitted with wireless NICs. Wireless LANs can optionally be secured with measures defined by the Wired Equivalent Privacy (WEP) standard. WEP was designed to provide confidentiality for 802.11 networks, similar to that of wired networks. WEP authenticates stations seeking to join a BSS. Unfortunately, analysis performed by researchers at Intel, Berkeley, University of Maryland and elsewhere has shown WEP to be fundamentally flawed.
Wireless access points and stations exchange management frames to associate with each other. Access points may periodically transmit beacon frames containing a unique identifier for the BSS, known as a service set identifier (SSID). Stations also transmit probe frames to find access points. When a station finds an access point, it initiates an association and proposes an authentication method.
The default method, Open System Authentication, actually provides no authentication at all. In Open System Authentication, any station is permitted to join the BSS.
If the station proposes Shared Key Authentication, the AP generates a random 128-bit challenge. The station returns the challenge, encrypted with a shared key—a “secret” configured into both the station and AP. The AP decrypts the challenge, using a CRC to verify its integrity. If the decrypted frame matches the original challenge, the station is considered authentic. The challenge/response handshake is repeated in the opposite direction for mutual authentication.
Unfortunately, an attacker who captures these frames possesses the plaintext, ciphertext, and the initialization vector (IV) used to turn the plaintext into ciphertext. Because WEP uses RC4 encryption, this is enough information to derive the RC4 keystream—the stream of bits XORed with plaintext to generate ciphertext. Knowing a legitimate IV and keystream lets the attacker successfully respond to any future challenge, without knowing the actual shared key. The attacker has a free pass to join the wireless LAN.
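The keystream reuse described above, as an added example that is not part of the original article: a small simulation in which the key, IV, and all function names are constructed for illustration. It shows that the AP's check passes for a fresh challenge when the response is built only from one observed challenge/response pair, which is why Shared Key Authentication does not prove possession of the key.

```python
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_crc(challenge: bytes) -> bytes:
    """Challenge followed by its CRC-32, the integrity value the AP checks."""
    return challenge + zlib.crc32(challenge).to_bytes(4, "little")

def station_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Legitimate station: RC4 is seeded with IV || shared key."""
    body = with_crc(challenge)
    return xor(body, rc4_keystream(iv + key, len(body)))

def ap_accepts(key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """AP side: decrypt under the IV the station sent, compare challenge and CRC."""
    return xor(response, rc4_keystream(iv + key, len(response))) == with_crc(challenge)

def keystream_from_capture(challenge: bytes, response: bytes) -> bytes:
    """Plaintext XOR ciphertext: what any listener learns from one handshake."""
    return xor(with_crc(challenge), response)

def demo() -> bool:
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"  # constructed values
    c1 = os.urandom(16)                     # 128-bit challenge from the AP
    r1 = station_response(key, iv, c1)      # legitimate handshake on the air
    assert ap_accepts(key, iv, c1, r1)
    ks = keystream_from_capture(c1, r1)     # derived without the shared key
    c2 = os.urandom(16)                     # AP issues a fresh challenge
    return ap_accepts(key, iv, c2, xor(with_crc(c2), ks))
```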
Guarding the gate
Authentication must be combined with access control measures that permit or deny traffic from a particular station. To be effective, access control must be based on a value that is not easily spoofed.
Some access points can be programmed with a MAC address Access Control List that permits a specific group of stations and blocks unauthorized stations from associating with the AP. Unfortunately, MAC addresses are easy to sniff because they are transmitted in plaintext. All an attacker needs to masquerade as a legitimate station is a wireless NIC operating in promiscuous mode for capture, with a configurable address to enable spoofing.
Some stations can be programmed with an SSID they must present in order to associate with an access point. Unfortunately, because the SSID is broadcast in plaintext in many 802.11b frames, it is also easy to sniff and spoof.
Another technique is to combine station-level authentication with user-level authentication for tighter access control. In this case, the station user actually logs into the wireless network by supplying a username/password that the AP can check against a RADIUS server—similar to traditional Internet access. Effectiveness depends upon the authentication method used and whether it requires confidentiality.