Known Vulnerabilities in Wireless LAN Security

10.10.1999

Miika Komu, Tero Nordström
Computer Science
Helsinki University of Technology
miika@iki.fi
tenordst@cc.hut.fi

Abstract

The purpose of this document is to discuss the security flaws in wireless local area networks without dwelling any deeper into specific implementations. Basic knowledge of wireless LANs is required to fully grasp this document. We will concentrate on the IEEE 802.11 standard of wireless LANs and use it as a security model in our discussions.

The term 'wireless networking' is usually understood as 'insecure and unreliable', but it is essentially as safe as an ordinary wired LAN and it provides stable connections. The transmitted data is protected with encryption at a low level (making it somewhat more secure than a wired LAN) and some level of authentication is required. Still, there are some major vulnerabilities that could be exploited, and they are largely the same as in wired LANs:

Physical exploits
Someone could block the entire radio communication channel by transmitting junk on certain frequencies (especially in military applications): denial of service. Or someone could simply steal a laptop from a user and gain access to the network.
Loose local security
Wireless LAN authentication protects the network against access by unauthorized people. Still, the authorization inside the network can be very poor, which could be a major disaster in a huge network with many users.
Only data is encrypted
Data headers remain unencrypted, and anyone can see the source and destination of a data transmission.

Contents

1 Introduction

2 IEEE 802.11

2.1 Brief specification

2.2 Physical level vulnerabilities

2.3 Higher level vulnerabilities

References

1 Introduction

People generally assume that the biggest security hole in wireless communication is that the data is transmitted through the air, thus allowing an intruder to capture the data with a receiver from a distance. It is true that an intruder can capture the data, but the data he/she receives is either encrypted or sent in spread spectrum.

The other mistake people make is to assume that a regular, wired LAN is safer than a wireless LAN. Wired LANs radiate some energy which can be intercepted with a radio receiver from a distance, and besides that, one can easily split a physical wire in a building and join the new ends with a device that captures the unencrypted network traffic [1,5]. In wireless LANs, the data is encrypted at a low level before it is sent to its destination. The data could still be 'sniffed' at higher levels, but not at the lower levels as in wired LANs. If one must be totally paranoid about the safety of the transmission medium (as for military purposes), one can use an infrared LAN, which is probably the safest of all the transmission media in use [4].

In the following chapters we'll introduce an international standard, IEEE 802.11 [2], and discuss the vulnerabilities and strengths in it. We'll leave the OpenAir 2.4 standard [6] and ETSI's HIPERLAN [3] out of the discussion to allow us to concentrate on the subject instead of just comparing different standards. IEEE 802.11 has a lot in common with OpenAir, but the greatest difference is perhaps the lack of interoperability between different vendors in IEEE 802.11.

2 IEEE 802.11

2.1 Brief specification

IEEE 802.11 is essentially the wireless version of IEEE 802.3 wired Ethernet. It uses infrared, frequency hopping spread spectrum radio (FHSS) or direct sequence spread spectrum radio (DSSS) to transmit data at the physical level [1,2,4,5].

Data security is an optional function of the Media Access Control sublayer [4,6]; the function is called Wired Equivalent Privacy (WEP) [1,5], but it does not supply end-to-end privacy (WEP offers privacy only between stations). WEP suggests RC4 as the encryption method, but other methods can also be used. WEP encrypts only the actual data and leaves the headers (source and destination addresses) intact. Authentication is handled with the Extended Service Set ID (ESSID) [5] by using a challenge-response authentication scheme.

2.2 Physical level vulnerabilities

Frequency-hopping spread spectrum means that the data is sent in short sequences on different frequencies [1,5]. Only the transmitter and receiver know the frequency pattern. If this is implemented in pure hardware, the pattern may repeat over a short time. An intruder who knows what he/she is looking for might exploit this vulnerability. On the other hand, a software-driven hopping generator might allow longer patterns and make the system less vulnerable to attacks at the physical level. Nevertheless, this method makes it very difficult to block the data traffic by sending junk data on channels, e.g. for military purposes [1], and data can be reliably sent despite interference from electronic devices in civilian use.

Direct sequence spread spectrum radio generates a bit pattern for each bit that is transferred [4], making error correction without retransmission possible. The main concern here is to provide error correction, leaving the method vulnerable to physical level intrusion.

Narrowband technology (communication through a fixed radio frequency) is not included in IEEE 802.11, probably because it is quite easy to block and offers no low level privacy.

2.3 Higher level vulnerabilities

One of the concerns in wireless LANs (as well as in wired LANs) is that the source and destination addresses are not encrypted, even if the data is encrypted [2]. An intruder can see the direction and the amount of the data traffic and draw some conclusions from that. Also, the data is encrypted only between stations [2,4], not on an end-to-end basis, which could be exploited if the intruder already has access to the network.
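The following is an added illustration, not part of the original paper or of any 802.11 implementation, of what the unencrypted header exposes: it parses constructed WEP-protected data frames (24-byte 802.11 header followed by the 4-byte IV/key-id prefix, per the standard's frame layout) and tallies bytes per transmitter/receiver pair without touching the protected body. The station addresses and the body bytes are constructed placeholders.

```python
import struct
from collections import Counter

# Constructed sample addresses (not real devices).
STA = bytes.fromhex("00000c0001aa")   # a wireless station
AP = bytes.fromhex("00000c0001bb")    # the access point
SRV = bytes.fromhex("00000c0001cc")   # a host on the wired side (addr3)


def build_frame(addr1, addr2, addr3, body, protected=True):
    """Assemble a minimal 802.11 data frame (type 2, subtype 0, no QoS).

    Frame control byte 0 carries type/subtype, byte 1 carries the flags;
    bit 6 of byte 1 is the Protected (WEP) flag. The body stands in for
    RC4-encrypted payload and is never interpreted below."""
    fc = struct.pack("<BB", 0x08, 0x40 if protected else 0x00)
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    iv_keyid = b"\x01\x02\x03\x00"  # 24-bit IV + key id byte, sent in the clear
    return (fc + duration + addr1 + addr2 + addr3 + seq_ctrl
            + (iv_keyid if protected else b"") + body)


def parse_header(frame):
    """Return the fields any receiver within radio range can read."""
    fc0, fc1 = frame[0], frame[1]
    protected = bool(fc1 & 0x40)
    return {
        "type": (fc0 >> 2) & 0x3,          # 2 == data frame
        "protected": protected,
        "addr1": frame[4:10].hex(":"),     # receiver address
        "addr2": frame[10:16].hex(":"),    # transmitter address
        "addr3": frame[16:22].hex(":"),    # e.g. wired-side host
        "body_len": len(frame) - 24 - (4 if protected else 0),
    }


def traffic_summary(frames):
    """Bytes per (transmitter -> receiver) pair, computed from headers only."""
    totals = Counter()
    for frame in frames:
        hdr = parse_header(frame)
        totals[(hdr["addr2"], hdr["addr1"])] += hdr["body_len"]
    return totals


# Constructed traffic: two small frames STA -> AP, one large frame AP -> STA.
SAMPLE_FRAMES = [
    build_frame(AP, STA, SRV, b"\x00" * 40),
    build_frame(AP, STA, SRV, b"\x00" * 40),
    build_frame(STA, AP, SRV, b"\x00" * 1000),
]
```

Even with every body encrypted, the summary reveals which stations talk, in which direction, and how much; a defender should treat these fields as public.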

Key management is left to the network operator [2], which could be a good or a bad thing, depending on the operator. Nevertheless, it is implemented in a non-standard way, which adds to the workload of the operator and to the workload of a possible intruder (security by obscurity). Also, one of the common pitfalls is that if one has access to the network, he/she really has access to the entire network (poor user authentication). Access barriers inside the network have to be implemented in other ways.

A wireless LAN is still not safe even if it has low level encryption. The data could be sniffed at a higher level by someone who already has access to the network. LANs are usually connected to the Internet, and without any firewalls [1] there is no real security. A wireless LAN shares the same vulnerabilities with an ordinary, wired LAN [1,5].


References

[1] BreezeCom Wireless Communications, Inc.: Network Security in a Wireless LAN, 12.9.1999 [referred 9.10.1999]
http://www.summitonline.com/security/papers/breeze1.html

[2] IEEE: IEEE standards, 1.10.1999 [referred 10.10.1999]
http://standards.ieee.org

[3] Rune, Torben: Wireless Local Area Networks, 30.9.1998 [referred 9.10.1999]
http://www.netplan.dk/netplan/wireless.htm

[4] The Wireless LAN Alliance: The IEEE 802.11 Wireless Standard, 16.8.1999 [referred 9.10.1999]
http://www.wlana.com/intro/standard/

[5] The Wireless LAN Alliance: Wireless LAN security white paper, 16.8.1999 [referred 9.10.1999]
http://www.wlana.com/resource/whitepaper.html

[6] Wireless LAN Forum: What is the IEEE 802.11 Wireless Standard?, 10.7.1999 [referred 10.10.1999]
http://www.wlif.org/tech/wp_80211.html