Wireless networking is becoming more popular every
day. This rather new technology requires new security measures.
In wired networks an attacker needs to be physically connected,
for example, directly to a hub/switch, or through remote access, to
be able to try and gain access to network resources or intercept
network traffic. In a wireless network anyone with a notebook and
a wireless network card can intercept traffic using publicly available
tools, given they are in range of a wireless access point. Before
discussing the primary vulnerabilities in wireless networking technologies,
we'll first go through the popular wireless networking standards.
The IEEE 802.11 standard defines the MAC and Physical layer
specifications for Wireless LANs. The 802.11 standard was completed
in 1997, but went through several changes until it was finalized
in 1999. All 802.11 wireless devices today are based on the 1999
standard. The MAC layer specifications are concerned with how the
network devices access the media, in this case a frequency in the
RF spectrum. The Physical layer specifications in 802.11 define
standards for three different radio technologies: DSSS, FHSS, and
IR (InfraRed). The data rates supported by the 802.11 standard are
1 and 2 Mbps. 802.11 uses the 2.4 GHz frequency band.
Two years later, the IEEE approved two new standards, based on the
802.11 equipment, but with additions to the physical layer specifications.
These are the 802.11a and 802.11b standards.
The first wireless networking products that became widely available
are based on the extended IEEE 802.11b standard. Because of its
availability and affordability, 802.11b equipment has become popular,
particularly in SOHOs. According to the standard, 802.11b provides
data rates of 5.5 and 11Mbps, and is backwards compatible with the
1 and 2 Mbps data rates of 802.11. An organization called Wireless
Ethernet Compatibility Alliance (WECA) is concerned with the compatibility
of 802.11b equipment from different manufacturers. When products
based upon the 802.11b standard pass the compatibility tests performed
by WECA, they will be given the Wi-Fi (Wireless Fidelity) logo.
802.11b uses the 2.4 GHz frequency band.
It took several years before a wide range of products based upon
the 802.11a standard became available. When they finally did in
2002, more companies became interested in wireless networking. The
primary reason for this is that the 802.11a standard increases
the maximum data throughput to 54 Mbps. However, 802.11a is not
compatible with 802.11, 802.11b, or 802.11g because it uses the
5 GHz frequency band. 802.11a also uses a different modulation scheme
(OFDM) than 802.11 and 802.11b.
The 802.11g standard also allows data transfer rates up to 54 Mbps,
but is backward-compatible with both 802.11 and 802.11b, supporting
both their data rates (1, 2, 5.5, and 11) and modulation scheme
(QPSK). 802.11g also supports the modulation scheme used by 802.11a
(OFDM), but is not compatible with 802.11a because 802.11g uses
the 2.4 GHz frequency band.
The term 802.11x is sometimes used to refer to
the entire group of 802.11 WLAN standards of which some are still
under development. It includes the standards outlined above, as well as
several others addressing the need for speed, region-specific regulations,
and security. Check out the 802.11
Alphabet Soup for more details. Do not confuse 802.11x with
802.1x, which will be discussed in other TechNotes. The latter is
an authentication protocol that provides authenticated access to
802.11 wireless networks and to wired Ethernet networks. 802.1x
minimizes wireless network security risks and uses standard security
protocols, such as RADIUS.
The following tasks are examples of minimal security
measures that should be taken in most 802.11 based wireless networks:
- Change the default SSID in access points to
something that does not reflect anything obvious such as the organization’s,
building's or street's name.
- Disable sending the SSID in the AP's broadcast
beacon. This prevents showing the SSID to unauthorized wireless clients.
- Configure strong administrative passwords, and
if possible, turn off remote administration features.
- Locate the AP in an area where the signal will
not be picked by unauthorized clients. If possible, limit the
AP's service area by reducing its power.
- Reserving MAC addresses (in DHCP or an AP)
to require a valid MAC address for clients is not a secure solution
on its own, because MAC addresses can be spoofed easily and are
sent in clear-text even when WEP encryption is enabled.
- Consider disabling the AP's DHCP feature and
assigning static IP addresses to all wireless clients.
- Implement a firewall and intrusion detection
system between the wireless and wired networks.
- Enable WEP (Wired Equivalent Privacy). Although
it doesn't provide very strong security, it should be enabled
nevertheless. Use 128-bit WEP encryption keys and rotate the keys
often. Don't rely on WEP as your only means of encryption.
- Use VPN technology, such as IPSec or L2TP. Note:
the use of a VPN will greatly decrease the throughput of a wireless network.
- If available, use WPA (Wi-Fi Protected Access)
with TKIP in place of WEP.
- When possible, use the 802.1X port-based authentication
protocol in combination with EAP (Extensible Authentication Protocol)
to negotiate an authentication method, such as username and password
logon or the use of smartcards, together with an authentication server, for example a RADIUS server.
WEP (Wired Equivalent Privacy)
The WEP protocol is part of the 802.11 standard and was developed
to increase wireless LAN security. As its name implies, WEP is an
effort to provide privacy in wireless networks similar to privacy
in wired networks. As mentioned at the beginning of this TechNote,
intercepting traffic (eavesdropping) on a wireless network is very
easy, hence it is essential that the traffic is encrypted.
When a station powers up, and attempts to establish a wireless connection,
it will first be associated with an access point. When
the station is associated, it will attempt to authenticate itself
to the access point. The IEEE 802.11 standard provides the following
two types of authentication:
- Open System Authentication - The client broadcasts
its MAC address to identify itself, and the AP replies with
an authentication verification frame. Although its name implies
differently, no actual authentication occurs when Open System
Authentication is used.
- Shared Key Authentication - The client will
be authenticated only if it is configured with a preshared key.
This means that the same key must be configured on both the client
station and the AP. The AP sends a challenge text to the client
requesting authentication; the client encrypts it using WEP and the
shared key and sends it back to the AP, where it is decrypted
again to see if it matches the original challenge.
The key used for authentication can also be used
for data encryption using WEP. Although this produces a significant
amount of overhead, which can be disastrous on low-speed wireless
networks such as 802.11b, it should be enabled nevertheless. When
WEP data encryption is enabled, the shared secret key is used by the
source station and the destination station to alter the bits of the
frames sent between them, so that an eavesdropper cannot read them.
WEP uses the RC4 cipher and a 64- or 128-bit WEP key to encrypt the
data payload of frames. This WEP key is a combination of a 24-bit
initialization vector (IV) and a 40- or 104-bit secret key. The
secret key is the part typically configured manually in wireless network
cards and access points. One of the main reasons WEP offers rather
weak protection is that the IV is also exchanged in clear-text.
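As an added example (not part of the original TechNote), the Python code below models the WEP mechanics described above: the 24-bit IV is prepended to the 40-bit secret to seed RC4, the payload is encrypted together with WEP's 32-bit CRC-32 integrity check value (the ICV, which the text does not name), and the same routine serves the Shared Key Authentication exchange, where the AP decrypts the client's response and compares it with the challenge it sent. The frame layout omits the key-ID byte that follows the IV in a real 802.11 frame; the key and IV values are constructed for the demo.

```python
import zlib
from typing import Optional

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one payload: IV (clear-text) || RC4(IV||secret) XOR (payload||ICV).
    `secret` is the 40- or 104-bit key configured on station and AP,
    `iv` the 24-bit per-frame initialization vector that travels in clear-text."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte secret key")
    icv = zlib.crc32(payload).to_bytes(4, "little")   # 32-bit integrity check value
    keystream = rc4_keystream(iv + secret, len(payload) + 4)
    return iv + bytes(a ^ b for a, b in zip(payload + icv, keystream))

def wep_decrypt(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: rebuild the RC4 key from the clear-text IV, decrypt, verify ICV."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + secret, len(body))
    plain = bytes(a ^ b for a, b in zip(body, keystream))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None                           # wrong key or tampered frame
    return payload

def shared_key_auth(ap_secret: bytes, challenge: bytes, response_frame: bytes) -> bool:
    """AP side of Shared Key Authentication: the client's WEP-encrypted response
    must decrypt to the challenge text the AP sent; a different key fails."""
    return wep_decrypt(ap_secret, response_frame) == challenge

if __name__ == "__main__":                    # constructed demo values, not from the TechNote
    secret, iv = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
    frame = wep_encrypt(secret, iv, b"hello wireless")
    print(frame.hex(), wep_decrypt(secret, frame))
```

Note that the receiver only needs the clear-text IV plus the configured secret to rebuild the per-frame key, which is why the IV contributes nothing to confidentiality and the secret key must be rotated as the checklist above recommends.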
Another issue with WEP encryption is that the 802.11 standard does
not provide dynamic key management and key renewal. This means that
stations and access points must be manually configured with a static
secret key, which can be a tedious job in large environments. Some
manufacturers of wireless networking products do include support
for centralized key management, either per session or per packet.
The latter in particular produces a lot of overhead.
The IEEE 802.11i workgroup is working on a new version of the current
WEP security standard, referred to as WEP2, that will bring greater security to wireless
networks through improved encryption, key distribution, authentication,
and a range of other features appropriate to wireless networks.
WEP2 includes support for the use of 802.1X authentication protocol,
an improved key distribution system and stronger encryption by using
AES (Advanced Encryption Standard) instead of RC4.
WAP (Wireless Application Protocol)
WAP is a protocol developed for use with wireless devices such as
mobile phones and PDAs. These devices have a so-called microbrowser
allowing them to display WML (Wireless Markup Language)
pages. WML is similar to, but more limited than HTML.
The following diagram shows the WAP programming model:
A client does not communicate with a content server directly. Instead,
it connects to a WAP gateway that is responsible for encoding and
decoding requests from the client and responses from the server.
The gateway is also responsible for compiling WMLScript
(a Java-like language) and for end-user authentication. The gateway
server is typically located at the operator providing the mobile network service.
Similar to the TCP/IP stack, WAP is a suite of protocols providing
different functions on separate layers. The most important protocol
for CompTIA's Security+ exam is the Wireless Transport Layer Security
protocol, which resides at the Security layer of the WAP protocol stack.
WTLS (Wireless Transport Layer Security)
The WTLS protocol provides privacy, data integrity and authentication
security services between a mobile device and a WAP gateway. It
is used for establishing an encrypted connection preventing data
from being tampered with or forged without the two parties becoming
aware of it. It is also used for providing authentication services
by using digital certificates. WTLS is based upon the Transport
Layer Security (TLS) protocol, which is in turn derived from the
Secure Sockets Layer (SSL) protocol. WTLS is optimized for use with
narrow-band low speed connections and low memory devices. It also
supports dynamic key refreshing ensuring the session key used to
encrypt the data is updated frequently.
WTLS secures the connection between the client and the gateway.
The gateway decrypts the data and encrypts the data again using
SSL/TLS to connect to the content server, as depicted in the following diagram.
The most vulnerable part of this system is the WAP gateway performing
the translation between WTLS and SSL traffic. For a few milliseconds
the information resides in clear-text in the server's memory; this
is often referred to as the WAP gap. Because of this vulnerability,
it is imperative that additional layers of security are implemented
to protect the WAP gateway from being compromised. Examples are
hardening of the gateway server's OS, firewall protection, and disabling
remote administration functions. It is also important that the translation
process occurs as quickly as possible, reducing the period of time
the data is in its decrypted form.
The latest version of the WAP specification, version 2.0, does not
require a WAP gateway, because the client can connect directly to
the application server using HTTP. Nevertheless, WAP gateways are
still commonly used for other reasons such as improved performance
and backward compatibility.
A site survey is too often described as an attack in which an
attacker gathers information about your wireless network, whereas
a site survey is usually conducted by the people responsible
for designing or maintaining the network. A site survey is an analysis
of the network and its environment that includes the following tasks:
- Measure and establish the coverage of APs to
decide the best positions for APs.
- Validate whether some sort of external
boundary protection should be in place around the perimeter of the office.
- Validate that there are no rogue APs or APs
from neighboring offices that might interfere.
- Identify sources of natural and man-made interference
that may degrade the performance of a wireless network.
There are several tools that can aid in the process
of performing a site survey, some of the most important being RF
spectrum and protocol analyzers. The same tools are also used by
attackers to gain important information about a target network,
such as SSIDs, MAC addresses, and the protocols being used.
Wireless networks are susceptible to all attacks
that wired networks are, including DoS, DDoS, spoofing, Man-in-the-Middle,
hijacking, and port scanning. Besides the most common attack on
wireless networks, eavesdropping, and the issues with WEP,
the following are some other vulnerabilities typical for wireless networks:
Man-in-the-middle attacks - Wireless networks are
particularly vulnerable to man-in-the-middle attacks for the same
reasons that make eavesdropping so easy. As little as a laptop and
two wireless network cards can be used to reroute and capture traffic
without a user even knowing it.
War driving - An activity that owes its
name to something that hackers used to do frequently in the old
days, called war dialing. They would dial random phone
numbers to check if there's a modem on the other end. War driving
refers to driving around with a powerful antenna on the car, connected
to a notebook, and using a wireless sniffer, such as NetStumbler, to
listen for wireless network traffic.
Jamming - A type of DoS attack whereby
the attacker uses an RF signal generator to cause an unusually
high noise level effectively disabling the use of an access point.
Bluetooth devices by their nature can effectively jam 802.11 networks.
- Throughout this document I assumed 802.11 based networks are running
in infrastructure mode.
- Most of the details in this document are beyond the scope of the
Security+ exam. For the exam you will need to focus on the general
concept, when to use what, and basic operation.
- As security is one of the most evolving parts of wireless networking,
some of the details in this document may become outdated.
- The first revision of the Security+ exam (SY0-101) contains information
current as of late 2002. Many of the newer developments in wireless
technology described in this TechNote will appear in the next revision
of the Security+ exam.