Wireless networking is becoming more popular
every day. This relatively new technology requires new security
measures. In a wired network an attacker needs a physical
connection, for example directly to a hub or switch, or remote
access, before they can try to gain access to network
resources or intercept network traffic. In a wireless network
anyone with a notebook and a wireless network card can intercept
traffic using publicly available tools, provided they are within
range of a wireless access point. Before discussing the primary
vulnerabilities in wireless networking technologies, we'll
first go through the popular wireless networking standards.
The IEEE 802.11 standard defines the MAC and Physical
layer specifications for Wireless LANs. The 802.11 standard
was completed in 1997, but went through several changes until
it was finalized in 1999. All 802.11 wireless devices today
are based on the 1999 standard. The MAC layer specifications
are concerned with how the network devices access the media,
in this case a frequency in the RF spectrum. The Physical
layer specifications in 802.11 define three different
transmission technologies: DSSS and FHSS radio, and IR (infrared).
The data rates supported by the 802.11 standard are 1 and
2 Mbps; the two radio variants use the 2.4 GHz frequency band.
Two years after the original 1997 release, in 1999, the IEEE
approved two supplements that keep the 802.11 MAC but add new
physical layer specifications: the 802.11a and 802.11b standards.
The first wireless networking products that became widely
available are based on the extended IEEE 802.11b standard.
Because of the availability and affordability of 802.11b equipment,
it has become popular, particularly in SOHOs. According to the
standard, 802.11b provides data rates of 5.5 and 11Mbps, and
is backwards compatible with the 1 and 2 Mbps data rates of
802.11. An organization called the Wireless Ethernet Compatibility
Alliance (WECA, renamed the Wi-Fi Alliance in 2002) is concerned
with the compatibility of 802.11b equipment from different
manufacturers. When products based upon the 802.11b standard pass
the compatibility tests performed by WECA, they are given the
Wi-Fi (Wireless Fidelity) logo. 802.11b uses the 2.4 GHz frequency band.
It took several years before a wide range of products based
upon the 802.11a standard became available. When they finally
did in 2002, more companies became interested in wireless
networking. The primary reason for this is that the 802.11a
standard increases the maximum data rate to 54 Mbps.
However, 802.11a is not compatible with 802.11, 802.11b, or
802.11g because it uses the 5 GHz frequency band and a
different modulation scheme (OFDM) than the original 802.11.
The 802.11g standard also allows data transfer rates up to
54 Mbps, but is backward-compatible with both 802.11
and 802.11b, supporting their data rates (1, 2, 5.5,
and 11 Mbps) and their DSSS-based modulation (CCK for 5.5 and
11 Mbps). 802.11g also uses the OFDM modulation of 802.11a for
its higher rates, but is not compatible with 802.11a because
802.11g uses the 2.4 GHz frequency band.
The term 802.11x is sometimes used to refer
to the entire group of 802.11 WLAN standards, of which some
are still under development. It includes the standards outlined
above, as well as several others addressing the need for speed,
region-specific regulations, and security. Check out the 802.11
Alphabet Soup for more details. Do not confuse 802.11x
with 802.1x, which will be discussed in other TechNotes. The
latter is a port-based network access control standard, not a
wireless standard as such: it provides authenticated access to
802.11 wireless networks and to wired Ethernet switch ports by
carrying EAP between the client and an authentication server
such as RADIUS, and so minimizes wireless network security risks
using standard security protocols.
The following tasks are examples of minimal
security measures that should be taken in most 802.11 based networks:
- Change the default SSID in access points
to something that does not reflect anything obvious such
as the organization’s, building's or street's name.
- Disable sending the SSID in the AP's
broadcast beacon. This hides the SSID from casual observers,
but not from an attacker: the SSID is still sent in clear text
in probe responses and association requests, so treat this as
obscurity, not as authentication.
- Configure strong administrative passwords,
and if possible, turn off remote administration features.
- Locate the AP in an area where the signal will not be
picked up by unauthorized clients. If possible, limit the AP's
service area by reducing its transmit power.
- Reserving MAC addresses (in DHCP or an
AP) to require a valid MAC address for clients is not a
secure solution by itself, because MAC addresses can be spoofed
easily and are sent in clear text even when WEP encryption
is enabled.
- Consider disabling the AP's DHCP feature
and assigning static IP addresses to all wireless clients. This
is a minor hurdle only: the address range in use is visible to
anyone sniffing the traffic.
- Implement a firewall and intrusion detection
system between the wireless and wired networks.
- Enable WEP (Wired Equivalent Privacy).
Although it doesn't provide strong security, it should
be enabled nevertheless. Use 128-bit WEP encryption keys
and rotate the keys often, but be aware that the known
key-recovery attacks on WEP work against both key sizes given
enough captured traffic. Don't rely on WEP as your only
means of encryption.
- Use VPN technology, such as IPsec or L2TP over IPsec, and treat
the wireless segment as untrusted. Note: the use of a VPN will
decrease the throughput of a wireless network.
- If available, use WPA (Wi-Fi Protected Access) with
TKIP in place of WEP.
- When possible, use the 802.1X port-based
access control standard in combination with EAP (Extensible
Authentication Protocol) to negotiate an authentication
method, such as username and password logon or the use of
smartcards, against a backend authentication server such as RADIUS.
WEP (Wired Equivalent Privacy)
The WEP protocol is part of the 802.11 standard and was developed
to increase wireless LAN security. As its name implies, WEP
is an effort to provide privacy in wireless networks similar
to privacy in wired networks. As mentioned at the beginning
of this TechNote, intercepting traffic (eavesdropping) on
a wireless network is very easy, hence it is essential that
the traffic is encrypted.
When a station powers up and attempts to join a wireless
network, it first authenticates to an access point and then,
once authenticated, associates with it (the 802.11 state machine
requires authentication before association). The IEEE 802.11
standard provides the following two types of authentication:
- Open System Authentication - The client
sends an authentication request identifying itself by its MAC
address, and the AP replies with an authentication response
frame indicating success. Although its name implies differently,
no actual authentication occurs when Open System Authentication
is used.
- Shared Key Authentication - The client
will be authenticated only if it is configured with a preshared
key. This means that the same key must be configured on
both the client station and the AP. The AP sends a challenge
text (in clear text) to the client requesting authentication;
the client encrypts it using WEP and the shared key and sends it
back to the AP, where it is decrypted again to see if it matches
the original challenge. Note that an eavesdropper who captures
both the clear-text challenge and the encrypted response can XOR
them to obtain the RC4 keystream for that IV, so Shared Key
Authentication actually leaks more than Open System
Authentication does.
The key used for authentication is also
used for data encryption with WEP. Although this adds some
overhead, it should be enabled nevertheless. When WEP data
encryption is enabled, the shared secret key is used by the
source station and the destination station to encrypt the
payload of every frame sent between two wireless stations/APs,
and an integrity check value (a CRC-32) is appended so that
altered frame bits are detected.
WEP uses the RC4 cipher and a 64- or 128-bit WEP key to encrypt
the data payload of frames. This WEP key is the combination
of a 24-bit initialization vector (IV) and a 40- or 104-bit
secret key. The secret key is the part typically configured
manually in wireless network cards and access points; the IV is
chosen per frame by the sender and is transmitted in clear text
in front of the encrypted payload, because the receiver needs it
to rebuild the RC4 key. One of the main reasons WEP offers rather
weak protection is that the IV is only 24 bits: IVs repeat
frequently on a busy network, a repeated IV under the same secret
key reuses the same RC4 keystream, and the way the IV is prepended
to the secret key exposes RC4 weak keys that let an attacker
recover the secret key from captured traffic, whether 40- or
104-bit keys are used. Another issue with WEP encryption
is that the 802.11 standard does not provide dynamic key management
and key renewal. This means that stations and access points
must be manually configured with a static secret key, which
can be a tedious job in large environments. Some manufacturers
of wireless networking products do include support for centralized
key management, either per session or per packet. Especially
the latter produces a lot of overhead.
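The following is an added example, not code from the original TechNote or from any vendor: a minimal Python 3 model of the WEP frame format described in this paragraph and of the Shared Key Authentication exchange described above. RC4 is implemented inline so it runs offline; the 40-bit secret key, the IV and the 128-byte challenge are constructed for the demo. It shows the IV travelling in the clear, the ICV being a plain CRC-32, and why capturing one challenge/response pair hands an eavesdropper enough keystream to answer a later challenge with the same IV without knowing the secret key.

```python
"""Added example, not from the original TechNote: WEP encapsulation and
802.11 Shared Key Authentication modelled in pure Python. Key, IV and
challenge values are constructed for the demo."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, clear) || RC4(IV||secret) XOR (plaintext||ICV).
    `secret` is the 40- or 104-bit key typed into the card or AP."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit secret")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not match."""
    iv, ct = frame[:3], frame[3:]             # the IV is read straight off the air
    body = xor(ct, rc4(iv + secret, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


def shared_key_auth(ap_secret: bytes, client_secret: bytes,
                    challenge: bytes, iv: bytes) -> bool:
    """AP sends `challenge` in the clear, client returns it WEP-encrypted,
    AP decrypts and compares."""
    response = wep_encrypt(client_secret, iv, challenge)   # client -> AP
    return wep_decrypt(ap_secret, response) == challenge    # AP verifies


def recover_keystream(challenge: bytes, response: bytes):
    """What an eavesdropper learns from one exchange: the IV and
    len(challenge)+4 bytes of keystream, since
    keystream = (challenge || ICV) XOR ciphertext. No key needed."""
    iv, ct = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), ct)


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Answer a new challenge with the recovered keystream. WEP lets the
    sender pick any IV, so reusing this one gives the AP the same keystream."""
    body = challenge + icv(challenge)
    if len(body) > len(keystream):
        raise ValueError("not enough recovered keystream")
    return iv + xor(body, keystream[:len(body)])


def demo() -> dict:
    secret = bytes.fromhex("0badc0ffee")           # constructed 40-bit key
    iv = b"\x00\x00\x01"                           # one of only 2**24 IVs
    challenge = bytes(range(128))                  # constructed 128-byte challenge
    response = wep_encrypt(secret, iv, challenge)  # observed on the air
    iv2, ks = recover_keystream(challenge, response)
    new_challenge = bytes(range(255, 127, -1))     # a later client's challenge
    forged = forge_response(iv2, ks, new_challenge)
    return {
        "legit_ok": shared_key_auth(secret, secret, challenge, iv),
        "wrong_key_ok": shared_key_auth(secret, b"\x00" * 5, challenge, iv),
        "iv_in_clear": response[:3] == iv,
        "forged_ok": wep_decrypt(secret, forged) == new_challenge,
    }


if __name__ == "__main__":
    print(demo())
```

The forged response passes the AP's check because the AP rebuilds RC4 from IV||secret and the attacker simply reused the IV; this is exactly the keystream reuse that the short, clear-text IV makes unavoidable for data frames as well.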
The IEEE 802.11i task group is working
on a replacement for the current WEP security standard that
will bring greater security to wireless networks through improved
encryption, key distribution, authentication, and a range
of other features appropriate to wireless networks. The draft
(at the time sometimes referred to as WEP2) includes
support for the 802.1X authentication standard, an
improved key distribution system and stronger encryption by
using AES (Advanced Encryption Standard) instead of RC4; the
interim WPA profile mentioned above keeps RC4 in TKIP but adds
per-packet key mixing and a message integrity check.
WAP (Wireless Application Protocol)
WAP is a protocol developed for use with wireless devices
such as mobile phones and PDAs. These devices have a so called
microbrowser allowing them to display WML (Wireless
Markup Language) pages. WML is similar to, but more limited than, HTML.
The following diagram shows the WAP programming model:
A client does not communicate with a content server directly.
Instead, it connects to a WAP gateway that is responsible
for encoding and decoding requests from the client and responses
from the server. The gateway is also responsible for compiling
WMLScript (a JavaScript-like scripting language) and for end-user
authentication. The gateway server is typically located at
the operator providing the mobile connection services.
Similar to the TCP/IP stack, WAP is a suite of protocols providing
different functions on separate layers. The most important
protocol for CompTIA's Security+ exam is the Wireless Transport
Layer Security protocol, which resides at the Security layer
of the WAP protocol stack.
WTLS (Wireless Transport Layer Security)
The WTLS protocol provides privacy, data integrity and authentication
security services between a mobile device and a WAP gateway.
It is used for establishing an encrypted connection preventing
data from being tampered with or forged without the two parties
becoming aware of it. It is also used for providing authentication
services by using digital certificates. WTLS is based upon
the Transport Layer Security (TLS) protocol, which is in turn
derived from the Secure Sockets Layer (SSL) protocol. WTLS
is optimized for use with narrow-band low speed connections
and low memory devices. It also supports dynamic key refreshing,
ensuring the session key used to encrypt the data is updated
regularly during a session.
WTLS secures the connection between the client and the gateway.
The gateway decrypts the data and encrypts the data again
using SSL/TLS to connect to the content server, as depicted
in the following diagram:
The most vulnerable part of this system is the WAP gateway
performing the translation between WTLS and SSL/TLS traffic. For
a brief moment the information resides in clear text in
the gateway's memory; this is often referred to as the WAP
gap. Because of this vulnerability, it is imperative
that additional layers of security are implemented to protect
the WAP gateway from being compromised. Examples are hardening
of the gateway server's OS, firewall protection, and disabling
remote administration functions. It is also important that
the translation process occurs as quickly as possible, reducing
the period of time the data is in its decrypted form.
The latest version of the WAP specification, version 2.0,
does not require a WAP gateway, because the client can connect
directly to the application server using HTTP. Nevertheless,
WAP gateways are still commonly used for other reasons such
as improved performance and backward compatibility.
A site survey is too often described as an attack in which
an attacker gathers information about your wireless network,
whereas a site survey will usually be conducted by the people
responsible for designing or maintaining the network. A site
survey is an analysis of the network and its environment,
including the following tasks:
- Measure and establish the coverage of
APs to decide the best positions for APs.
- Determine whether there should be some sort
of external boundary protection in place around the perimeter
of the office or building.
- Validate that there are no rogue APs or
APs from neighboring offices that might interfere.
- Identify sources of natural and man-made interference
that may degrade the performance of a wireless network.
There are several tools that can aid in the
process of performing a site survey, some of the most important
being RF spectrum and protocol analyzers. The same tools are
also used by attackers to gain important information about
a target network, such as SSIDs, MAC addresses, and the protocols
in use. Wireless networks are susceptible to all the attacks that
wired networks are, including DoS, DDoS, spoofing, man-in-the-middle,
hijacking, and port scanning. Besides the most common attack on
wireless networks, eavesdropping, and the issues with WEP,
the following are some other vulnerabilities typical for wireless
networks:
Man-in-the-middle attacks - Wireless networks
are particularly vulnerable to man-in-the-middle attacks for
the same reasons that make eavesdropping so easy. As little
as a laptop and two wireless network cards can be used to
reroute and capture traffic without a user even knowing it.
War driving - An activity that
owes its name to something that hackers used to do frequently
in the old days, called war dialing. They would dial
random phone numbers to check if there's a modem on the other
end. War driving refers to driving around with a powerful
antenna on the car, connected to a notebook running a WLAN
discovery tool such as NetStumbler, to listen for wireless
networks and record their SSIDs, channels and whether WEP is
enabled.
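As an added example (not code from the original TechNote, NetStumbler or any other tool), the following Python 3 parser shows exactly what a passive listener learns from the beacon frames an access point transmits, which is the raw material of both a site survey and a war-driving run: BSSID, SSID, channel, supported rates and whether the privacy (WEP) bit is set. The "capture" is constructed by hand, not a real recording, and includes one AP with SSID broadcast disabled to show that such an AP is still found and fingerprinted.

```python
"""Added example, not part of the original TechNote: decode 802.11 beacon
frames the way a site-survey or war-driving tool does. Frames are built
by hand here so the example runs offline."""
import struct

CAP_ESS = 0x0001       # capability bit: infrastructure (AP) network
CAP_PRIVACY = 0x0010   # capability bit: WEP required ("privacy")


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_beacon(bssid: bytes, ssid: bytes, channel: int, wep: bool) -> bytes:
    """Construct a beacon: 24-byte MAC header, fixed fields, then tagged IEs."""
    fc = 0x0080                                # type 0 (mgmt), subtype 8 (beacon)
    hdr = (struct.pack("<HH", fc, 0) + b"\xff" * 6   # addr1: broadcast
           + bssid + bssid + struct.pack("<H", 0))   # addr2/addr3: the AP
    cap = CAP_ESS | (CAP_PRIVACY if wep else 0)
    fixed = struct.pack("<QHH", 0, 100, cap)   # timestamp, interval (TU), capability
    ies = (bytes([0, len(ssid)]) + ssid                 # SSID (empty = "hidden")
           + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # rates 1, 2, 5.5, 11 Mbps
           + bytes([3, 1, channel]))                     # DS parameter set
    return hdr + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Decode a beacon; raise ValueError for any other frame type."""
    if len(frame) < 36:
        raise ValueError("frame too short")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 8):
        raise ValueError("not a beacon")
    interval, cap = struct.unpack_from("<HH", frame, 32)
    info = {"bssid": mac_str(frame[16:22]), "interval_ms": interval * 1.024,
            "wep": bool(cap & CAP_PRIVACY), "ssid": None, "channel": None,
            "rates_mbps": []}
    pos = 36
    while pos + 2 <= len(frame):               # walk the tagged IEs
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) != elen:
            raise ValueError("truncated IE")
        if eid == 0:                           # SSID; "" when broadcast is disabled
            info["ssid"] = data.decode("utf-8", "replace") if data.strip(b"\x00") else ""
        elif eid == 1:                         # rates in 500 kbps units, high bit = basic
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in data]
        elif eid == 3:                         # DS parameter set: current channel
            info["channel"] = data[0]
        pos += 2 + elen
    return info


def survey(frames) -> dict:
    """Summarise a capture: one entry per BSSID, as a survey tool would."""
    seen = {}
    for f in frames:
        try:
            info = parse_beacon(f)
        except ValueError:
            continue                           # probe requests, data frames, junk
        seen[info["bssid"]] = info
    return seen


# Constructed capture: two APs plus one probe request that the parser skips.
CAPTURE = [
    build_beacon(bytes.fromhex("00112233aabb"), b"ACME-HQ", 6, True),
    build_beacon(bytes.fromhex("00aabbccddee"), b"", 11, False),   # hidden SSID, no WEP
    struct.pack("<HH", 0x0040, 0) + b"\xff" * 6 + b"\x00" * 6 + b"\xff" * 6 + b"\x00\x00",
]

if __name__ == "__main__":
    for bssid, ap in survey(CAPTURE).items():
        print(bssid, repr(ap["ssid"]), "ch", ap["channel"], "WEP" if ap["wep"] else "open")
```

Note that the hidden-SSID AP still shows up with its BSSID, channel and capability bits; a tool that also watches probe responses or association requests recovers the SSID itself, which is why disabling the SSID broadcast is listed above as obscurity rather than protection.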
Jamming - A type of DoS attack whereby
the attacker uses an RF signal generator to cause an unusually
high noise level, effectively disabling the use of an access
point. Bluetooth devices, which share the 2.4 GHz band, can by
their nature interfere with 802.11b/g networks in the same way.
- Throughout this document I assumed 802.11 based networks
are running in infrastructure mode.
- Most of the details in this document are beyond the scope
of the Security+ exam. For the exam you will need to focus
on the general concept, when to use what,
and basic operation.
- As security is one of the most evolving parts of wireless
networking, some of the details in this document may become outdated.
- The first revision of the Security+ exam (SY0-101) contains
information current as of late 2002. Many of the newer developments
in wireless technology described in this TechNote will appear
in the next revision of the Security+ exam.