Security of Wireless LANs
Background information

In a normal, wired Ethernet LAN, Cat5 cable connects each station to a hub, along which data is sent as electrical pulses. In a wireless LAN (WLAN) the cables are replaced with a radio channel and the hub is replaced with an access point (basically, a hub with a radio transceiver and an Ethernet uplink). Each client, be it a laptop, desktop, or even a handheld device, has a radio Network Interface Card (NIC) that it uses to send data on the designated band. The original IEEE 802.11 standard of 1997 transmits at 2.4 GHz with a bandwidth of under 2 Mbps. Two years later, in 1999, the IEEE approved a new standard, 802.11b, which allowed for greater bandwidth (11 Mbps). There are now several variations on this standard, using different frequencies and achieving even higher bandwidths. The only components needed for accessing a WLAN are a laptop and a properly configured radio NIC.

As you can imagine, on a poorly configured wireless network, gaining unauthorized access can be a trivial task for a determined attacker. By design, there need be no physical connection between clients and access points; the attacker need only be within the physical area capable of receiving transmissions. (See Phat_Penguin's thread on war chalking: ) Often, the range of a WLAN access point extends beyond the intended area, such as the inside of a building. Unlike in a wired LAN, unauthorized traffic cannot be denied by hiding wires or locking a building. The reachable area surrounds an access point in a sphere, so unless an access point is in the exact center of a spherical room (not likely!) there will be areas outside the building where it is possible to connect.

Known Weaknesses in WLANs

There are seven classes of well-documented, widely discussed risks (or attacks, depending on which side of legality you are on). They are as follows:
1 Insertion
2 Interception/monitoring
3 Jamming
4 Client to client
5 Encryption attacks <----main focus
6 Misconfigurations
7 Brute force password attacks

1 Insertion

This is a type of attack where an unauthorized device is connected to the WLAN. Access points can be password protected, that is, a client must provide a password to connect to the WLAN. By default, access points do not require a password; one must be configured by an administrator. Otherwise an attacker with a widely available wireless client card can connect simply by setting the client to connect to the access point. This is where the RADIUS protocol comes into play. The Remote Authentication Dial-In User Service (RADIUS, see RFC 2138 and 2139) provides security for security information. Confusing? Ya, kind of. It basically centralizes authentication procedures on a single server, thus securing security. The best way to limit who has access to the WLAN is to use a RADIUS server to limit access to only those devices with registered MAC addresses on their network cards.

2 Interception

To receive data from a wireless network, the attacker must be in the area around the access point. The limit for 802.11b is approximately 300 ft (90 m). However, an antenna can be used to increase the reception range, so the 300 ft limit only applies to off-the-shelf retail products. An attacker can monitor all packets that are broadcast, similar to a wired network station in promiscuous mode. An added danger on a misconfigured network where an access point is connected to an Ethernet hub, rather than a switch, is that all traffic on the Ethernet would also be broadcast over the air. In addition, an attacker could configure his computer to behave like an access point. This would cause legitimate users to connect to the access point clone. The unknowing users would then enter any usernames and passwords needed to access the real network, but this data would be sent to the attacker, who could then use it to log into the target network.

3 Jamming

The WLAN is inherently susceptible to denial of service attacks, as it operates on the 2.4 GHz band, the same band used by some cordless phones, baby monitors and other wireless devices. These devices can interfere with and degrade the radio signal to the point where communication is impossible.

4 Client to Client

It is possible for wireless clients to communicate directly with one another, bypassing the access point. This means that each user must be protected against traditional TCP based attacks if they are running any services like web, IRC or FTP servers.

5 Encryption attacks

WLANs by default send data in plaintext, but can be configured to use encryption via WEP. The Wired Equivalent Privacy algorithm uses symmetric encryption and decryption, meaning the same private key is used both to encrypt and to decrypt the data. The algorithm is a simple one involving the bitwise exclusive-or (XOR) function.

XOR truth table

a | b | a XOR b
0 | 0 | 1
0 | 1 | 0
1 | 0 | 0
1 | 1 | 1

From the table, if a XOR b = 0 then 0 XOR b = a; similarly, if a XOR b = 1 then 1 XOR b = a. This is the principle behind the symmetric conversion. The key that is shared between everyone receiving WEP encrypted data is used to form a pseudorandom key stream, which is used to encipher the plaintext. The resulting ciphertext is then transmitted. At the other end, the same key stream is XORed with the ciphertext to reveal the plaintext. Here is a short example:

Plain text: 1011100110111100100100000011101000101110011011
Key stream: 0100010101000101010001010100010101000101010001
Cipher text: 0000001100000110001010101000000010010100110101

By XORing the ciphertext with the key stream, the original message is revealed. In this example, the key (01000101) is 8 bits long. In the 802.11b standard, there are two possible key lengths, 40-bit and 128-bit.

In order for an attacker to recover the plaintext, a statistical analysis of packets encoded with the same key stream is done. With only two packets sharing a key stream it is very hard to determine a pattern, but as more and more packets are retrieved, decoding becomes more and more practical. WEP has a defense against reusing the same key stream: in creating the key stream, initialization vectors are used to create variety based on the same short key. The initialization vector is a 24-bit field in each packet sent. Even if every initialization vector were used before recycling through them, it would only take ~5 hours on an 11 Mbps link before all combinations had been exhausted and previously used key streams reappeared. This is not even the worst part. According to the 802.11b standard, the default setting is NOT to change the initialization vector, so ALL key streams would be the same. These are some very serious weaknesses in the WEP algorithm, which would only deter amateur attackers with no clue anyway!
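As an added example (not code from this tutorial), the Python below walks through the key stream XOR of the worked example above and the key stream reuse problem just described: it uses the standard XOR definition (0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 1 = 0), encrypts two frames under one IV, shows that XORing the two ciphertexts cancels the key stream with no knowledge of the key, and reproduces the ~5 hour IV exhaustion figure. The key stream generator is a constructed SHA-256 stand-in, not WEP's real one (WEP seeds RC4 with the IV and key), and the frame layout, key and messages are made up for the example.

```python
import hashlib

# Constructed stand-in for WEP's key stream generator (WEP really seeds RC4 with
# IV || key). It shares the property that matters: same key + same IV -> same key stream.
def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Standard XOR: 0^0=0, 0^1=1, 1^0=1, 1^1=0, so (p ^ k) ^ k == p."""
    return bytes(x ^ y for x, y in zip(a, b))

def xor_bits(a: str, b: str) -> str:
    """Same operation on bit strings like those in the worked example above."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def wep_style_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns iv || ciphertext; the 24-bit IV travels in the clear, as in WEP."""
    return iv + xor_bytes(plaintext, keystream(key, iv, len(plaintext)))

def wep_style_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    return xor_bytes(ciphertext, keystream(key, iv, len(ciphertext)))

def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV share a key stream; XORing their ciphertexts
    cancels it and leaves P1 XOR P2, which is why a reused or fixed IV is dangerous."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames use different IVs, key streams do not cancel")
    return xor_bytes(frame1[3:], frame2[3:])

def iv_exhaustion_hours(iv_bits: int = 24, link_mbps: float = 11.0, frame_bytes: int = 1500) -> float:
    """Hours to cycle through every IV value at line rate with full-size frames."""
    frames_per_second = link_mbps * 1_000_000 / (frame_bytes * 8)
    return (2 ** iv_bits) / frames_per_second / 3600

if __name__ == "__main__":
    key, iv = bytes.fromhex("0123456789"), bytes.fromhex("000001")  # constructed 40-bit key, 24-bit IV
    f1 = wep_style_encrypt(key, iv, b"meeting at noon")
    f2 = wep_style_encrypt(key, iv, b"budget is final")  # IV reused -> identical key stream
    print(keystream_reuse_leak(f1, f2) == xor_bytes(b"meeting at noon", b"budget is final"))  # True
    print(round(iv_exhaustion_hours(), 1))  # about 5.1 hours, matching the ~5 hours above
```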

6 Misconfigurations

Many systems are sold and shipped in insecure configurations to emphasize ease of deployment. Some configurations that must be changed for even basic security:

The Service Set ID (SSID) is a keyword that is used to verify users before they connect to an access point. The client SSID must be the same as the access point SSID for the connection to be made. The SSIDs for access points need to be changed upon implementation in a network, as the default settings are easy to compromise. It only takes a quick Google search to find a list of default SSIDs.

Storage of SSID and WEP key
In some systems (e.g., 3Com) the default setting is to have the SSID and the WEP key stored in the Windows registry, with no encryption. Others encrypt the WEP key, but most leave the SSID in plaintext in the Windows registry.

Implement WEP
WEP is turned off by default on many systems. The possible keys are 40 and 128 bits, the latter being slightly more secure. Both are still vulnerable to the attacks stated above.

7 Brute Force Attacks

A brute force attack or even a dictionary-based attack can be used to determine the SSID in order to access data from an access point. Access points by default use the same password, so access to one is the same as access to all areas of the network.

For more information see the following sites:

Thanks for reading the tut; it turned out a bit longer than I thought it would, but if it were shorter, details would have had to be left out. This was my first tut, but I do plan to write another on the iostream class in C++. Well, until next time.