Introduction This is the last article in the Wireless series. Just to remind you, the
first article introduced the reader to the Wireless world and discussed Wireless
devices and protocols. The second article went deeper into Wireless networks,
provided general info on WLAN and discussed IEEE standards for them. This article
deals with WLAN security, explains the most common attack techniques and
introduces some useful tools.

Overview

Few words on Wireless network topology. Each Wireless network has two major
components, either stations (STA) or access points (AP). Wireless network operates
in one of two modes: ad-hoc (peer-to-peer) or infrastructure mode. In the ad-hoc
mode each client (STA) communicates directly with other clients within the network.
In the infrastructure mode each client (STA) sends its communication requests to a
central station, which is the Access Point (AP). The access point acts as an Ethernet
bridge.

A client and an access point must establish a relationship prior to exchanging data.
Once established the client-access point relationship could be in any of the
following three states:

1. Unauthenticated and unassociated

2. Authenticated and unassociated

3. Authenticated and associated

The exchange of “real” data is only possible in the third state. Until then the parties
communicate using management frames. Access point transmits beacon
management frames at fixed intervals. Client receives this frame and starts
authentication by sending an authentication frame. After successful authentication
the client sends an association frame and the access point responds with an
associated response frame.

Wireless Networks Security Mechanisms

The 802.1 standard for wireless networks provides several mechanisms for achieving
secure network environment. This section explains five widely used mechanisms.

# Wired Equivalent Protocol

Wired Equivalent Protocol, or WEP, was first designed by the authors of the 802.1
standard. WEP was designed not to provide a secure network protocol similar to
IPSec, but rather to provide an equivalent level of privacy. WEP aims to provide
security by encrypting data over radio waves. WEP is used to prevent unauthorized
access to the wireless network. WEP is disabled by default. If it is turned on any
outgoing package is encrypted and packed.

The WEP protocol relies on a secret key that is shared in a basic BSS (Basic Set
Service). This key is used to encrypt data packets before they are transmitted, and
an integrity check is run on them. WEP uses the RC4 algorithm, which is a stream
cipher. A stream cipher expands a short key into an infinite pseudo-random key
stream.

WEP Encipherment Algorithm

* Plaintext message is run though an integrity algorithm to produce integrity check
value, also known as ICV. The 802.11 standard specifies the use of CRC-32.

* The integrity check value is appended to the end of the plaintext message.

* 24-bit initialization vector (IV) is generated and the secret key is concatenated to
it. Then it is used to generate a seed value for the WEP pseudo-random number
generator (PRNG).

* PRNG outputs a key sequence.

* The data is encrypted by XORing with the key sequence generated.

* The IV is appended in the clear to the protected frame (with the ciphertext) and
transmitted.

The algorithm involved in deciphering can be easily guessed from the above
algorithm. The IV is used to elongate the life of the secret key.

WEP uses a RC4 key stream; therefore it uses a 64-bit key to generate it, which is
XOR'ed to the data/ICV combination, 24-bits IV. The secret key is 40-bits long.

# WEP 2

The IEEE proposed changes to the WEP protocol in 2001, after many flaws had been
discovered in the original one. The new version, WEP2, has increased the IV space
from 24 bits to 128 bits and provides Cerberus V Support, though problems haven't
disappeared (discussed later). Complete support for the entire WEP2 has yet to be
achieved.

# Open System Authentication

Each Wireless network has two authentication systems. Open system authentication
is the first one and default authentication protocol for 802.11. The name implies
that this system authenticates anyone who requests authentication (like a root
account with null password). WEP is not helpful, since experiments have shown that
the authentication management frames are sent in the clear even if WEP is enabled.

# Access Control List

This security feature is not defined in the 802.11 standard, but it is used by vendors
to provide better security in addition to the standard security methods. Access
Control List is based on the client’s wireless Ethernet MAC address (unique for each
NIC). The access point can limit the clients using the network by using the ACL. If a
client's MAC address is listed, then he is permitted access to the network; if not,
then access to the network is denied.

# Closed Network Access Control

This feature allows an administrator use either an open network or a closed
network. Open network means that anyone is permitted to join the network, while in
closed network, only clients that know the network name, or SSID, can join. The
network name acts as a shared key.

Wireless Networks Attacks

Most of you will probably find this section more interesting, since it explains
common attack techniques that are used to compromise wireless networks, stealing
bandwidth and just for having fun. If you have a wireless network nearby or you live
in a place where wireless technology is widely used, any of the attack techniques
described below will have 98% success.

Attackers target Wireless networks since about 95% of all networks are completely
unprotected. The current standard (802.11b) grants bandwidth of up to 11 MBps. If
attacked Wirelesses network uses default settings there will be no cap set on
bandwidth, which means the attacker can have complete access to the capacity. You
can find a very convincing example at Neworder -
http://neworder.box.sk/newsread.php?newsid=3899.

# Access Point Spoofing & MAC Sniffing

Access control list lists provide a reasonable level of security when a strong form of
identity is used. Unfortunately, this is not the case with MAC addresses. MAC
addresses are easily sniffed by an attacker since they must appear in the clear even
when WEP is enabled. Further more, wireless cards permit the changing of their MAC
address via software. An attacker can use those "advantages" in order to
masquerade as a valid MAC address by programming the wireless card, and get into
the wireless network and use the wireless pipes.

Spoofing MAC address is very easy. Using packet-capturing software, an attacker can
determine a valid MAC address using one packet. If the wireless card firmware
allows changing the MAC address, then he is done.

If an attacker holds wireless equipment nearby, and he/she is near a wireless
network, he will be able to perform a spoofing attack. To perform a spoofing attack,
an attacker must setup an access point (rogue) near the target wireless network or
in a place where a victim may believe that wireless Internet is available. If the
rogue's signal is stronger than the signal of the real access point, then the victim's
computer will connect to the attacker's access point. Once the victim has
established a connection, the attacker can steal his password, network access,
compromise his/her computer etc. This attack is used mainly for password
acquisition.

# WEP Attacks

Plaintext Attacks

In this attack, the attacker knows the plaintext message and has a copy of the
ciphertext. The missing piece is the key. In order to get the key, an attacker would
send a target system a small part of data, and then capture the data that is sent to
the destination. Once the attack captured the data, he got the IV. Now, he can
simply run a dictionary attack to find the key.

Another plaintext attack reveals the key stream using a simply XOR. If an attack
has the ciphertext and the plaintext, he can XOR the ciphertext and get the key
stream. The attacker can use the key stream with the right IV, to inject packets into
the wireless network without authenticating o the access point.

Cipher stream Reuse

This problem allows an attacker to recover the key stream from a WEP packet
(encrypted packet). The WEP cipherment algorithm declares small space to the
initialization vector, using this flow an attacker can capture key streams by sending
packets with various IV. Later, the attacker can decrypt the encrypted message
using by XORing with the plaintext message (Note that the attack must have both
ciphertext and plaintext). Later, when authentication data traffic though the
network, the attacker would be able to intercept it, and using the key stream(s) the
attacker can recover it to plaintext.

Fluhrer-Mantin-Shamir Research

This research project was released a year ago (August 2001) by Scott Fluhrer of
Cisco Systems, Itsik Mantin and Adi Shamir of the Computer Science Department of
The Weizmann Institute in Israel. The project is dealing with weaknesses in the Key
Scheduling Algorithm (KSA) of RC4. This group discovered two weaknesses in the
KSA. The attack technique, which is described in their research paper, cracks keys of
both WEP (24 bit long) and WEP2 (128 bit long). Adam Stubblefield or Rice
University and John Loannidis and Aviel Rubin of AT&T Labs approved this attack
technique later. Once the attack was approved, two new tools become available to
the public (air snort and WEPCrack). Their source code, though, was never released
to the public.

# Man-in-the-middle attacks

Most of the attacks in this category are based on ARP poisoning, or cache poisoning.
Basically, ARP spoofing is a method of exploiting the interaction of IP and Ethernet
protocols. Since, this article is not about ARP protocols, or ARP attacks, I'll describe
shortly the attacks and the purpose.

The attacker combines an access point with a virtual private network server of the
same type as the one on the target network. When a user tries to connect to the
real server, the spoofed server sends a replay back, leading the user to connect to
the fake server.

This type of attack is complex to be explain in this article, though you can find good
articles about ARP poisoning at www.ebcvg.com

# Low-Hanging Fruit

A wireless attacker would probably start with this attack, since most wireless
networks are completely unprotected (they use open system authentication), and
moreover, WEP is not present by default.

All an attacker needs to attack such a system is a wireless card and a scanner (see
at the end of this article). An attacker scans for open access points that allow
anyone to connect, and then connects to the access point. Attackers use it to have
free Internet access, launching a blind attack (attacking a third party) etc.

Securing Wireless Networks

Wireless network has become very popular among companies, because it allows
employees to access the wired network (WLAN) from any place thus granting
roaming ability. New technologies usually fail to provide decent security level -
Wireless is not an exception. This section describes the most common ways to
improve security of a Wireless network.

# MAC Address Filtering

This method uses a list of MAC addresses of client wireless network interface cards
that are allowed to associate with the access point. If there are several access
points, the list should be available on all access points, which the client can be
associated with. Administrators should take care that the list is "up-to-date".
Though this method is vulnerable (see above), it is widely used to secure wireless
networks.

# WEP

As was stated above, WEP provides a certain level of data encryption for
communication between clients and access points. Still, WEP should be enabled,
because there is no need to make it easier for attacker to compromise the network.
Once again, this method is vulnerable to different kind of attacks.

# SSID (Network ID)

The first attempt to secure wireless network was the use of Network ID (SSID).
When a wireless client wants to associate with an access point, the SSID is
transmitted during the process. The SSID is a seven digit alphanumeric ID that is
hard coded into the access point and the client device. Using SSID, only those
clients, who hold the correct Network ID, are allowed to associate with the access
point. With WEP enabled, the SSID is transmitted in encrypted form, but if an
attacker has a physical access to the device, he/she can determine the SSID, since
it is stored in clear text.

Once the SSID is compromised by an attacker, the Wireless network administrator
must assign a new SSID manually.

# Firewalls

Using a firewall to secure a wireless network is probably the only security feature
that will prevent unauthorized access. As mentioned below, the access to the
network should be done via IPSec, secure shell or VPN. Thus, the firewall should be
configured to allow only IPSec or secure shell traffic. A illustration of an access to a
wired network form a wireless network:

1. The wireless client authenticated and associates with wireless access point. For
better security, the access point should be configured to filter MAC addresses.

2. The access point sends a request to the DHCP server. The server assigns the
client a network address.

3. Once the network address is assigned, the wireless client is now at the wireless
network. In order to access the wired network, it either sets up an IPSec VPN Tunnel
or uses secure shell.

It is important to configure the firewall to accept only secure connections, all other
connect should be denied.

# Access Points

Access points can accommodate MAC filtering and should be configured to do so,
though MAC addresses can be spoofed (see above). Administrators should take care
that the AP is located in a secured place, so unauthorized physical access will be
permitted.

Configuring AP is done via telnet, web browser or SNMP. It is recommended to allow
configuration only via telnet session, and block all other ways.

# Design Considerations

Before taking any implementation to secure a wireless network, it is important to
properly design the network. A properly designed network can eliminate some risks
associated with wireless networks. Some tips for proper design:

1. Protect wireless networks with VPN or access control list.

2. Access points should not be connected to the internal wired network even if WEP
is enabled.

3. Access points should be never placed behind a firewall.

4. Wireless clients are allowed to access the network though a secure shell, IP-Sec
or virtual private network. These provide user authorization, authentication and
encryption - secure your network.

Links -------

WEPCrack - http://www.ebcvg.com/download.php?id=1083

NetSumbler(windows) - http://www.ebcvg.com/download.php?id=1084

Airsnort - http://www.ebcvg.com/download.php?id=1085

Wireless Access Points and ARP Poisoning -
http://www.ebcvg.com/download.php?id=1158

Best Practices for Deploying Wireless LANs -
http://www.ebcvg.com/download.php?id=1160

Danny aka Dr.T (admin@ebcvg.com), www.ebcvg.com, July 2002