This paper examines the advantages and disadvantages of present and emerging wireless technologies, based on experimental results and research carried out by different organizations. It also discusses the vulnerability issues related to each technology and possible remedies. The paper focuses mainly on currently used technologies such as Wi-Fi and emerging technologies such as WiMAX.
The main objective of this paper is to provide users with facts and figures about the technologies they use and help them decide which one is better for them, and to help developers of new wireless technologies improve quality and reliability by examining the past trends and shortfalls of each technology, so that users end up with highly reliable and efficient wireless technologies.
Use of wireless can dramatically increase the productivity and efficiency of organizational staff by allowing them flexibility and mobility in their working environment. Home users, not only organizations, have also benefited greatly from the development of wireless. Wireless has eased the difficulty of maintaining wired networks throughout buildings and homes in a cost-effective way, and it is becoming more and more popular for the functionality it provides.
On the other hand, security risk has been a dominant concern for wireless developers. Wireless is more vulnerable to intruders than a non-wireless network because the medium is open and the only security that can be provided comes from the security mechanisms within the wireless technology. Existing wireless technologies such as Wi-Fi and Bluetooth are becoming more and more vulnerable to security attacks. New attacks against these technologies are discovered or demonstrated on a regular basis. Although researchers are working hard to make these existing technologies safer, intruders and hackers are always one step ahead in finding loopholes in these designs. Emerging technologies such as WiMAX, in turn, focus on avoiding the drawbacks found in previous wireless technologies, making their designs more secure and efficient for users.
This paper mainly focuses on the trends of present and future wireless standards, including some case studies and the threats associated with working in a wireless environment, and on the steps one can take to make an existing corporate or home wireless network safer. It also tries to cover issues that wireless developers and researchers can consider to make emerging wireless technologies more reliable and efficient. These improvements can lead to successful public acceptance and faster adoption.
Issues in Wireless Communication
More and more home users and businesses are shifting to wireless networking to carry out their daily tasks. Wireless networking has changed the way we work. In today's world, wireless is not limited to connecting computers and laptops; it also connects devices ranging from PDAs and smartphones to security cameras, sensors and other wireless-enabled devices. Many of these devices are installed and used without enabling the built-in security features or considering the potential damage if those features are compromised. So it is essential to follow some kind of security measure, either technological or policy-based, to make a wireless network secure and safe. When a business implements wireless in its organization, it should clearly define the security measures it will take to make its network safe.
There are a number of ways to secure a network. The most commonly used are based on authentication and encryption mechanisms. Most wireless standards follow these steps to make themselves secure. The problem is that these mechanisms have flaws, which hackers and intruders use to get inside the wireless network and do unwanted things. Researchers have made many enhancements to these default security measures, including centralized authentication, use of VPN and dynamic key distribution.
However, with good research and the right choice of wireless technology, any organization or individual can gain substantial benefits while protecting its network from unauthorized users and hackers.
Wireless Standards and its security mechanism
Understanding the security mechanisms used by a wireless technology can help users of all levels take preventive measures beforehand and stay safe in the wireless world. As Wi-Fi (the most used) and WiMAX (emerging) are two promising wireless technologies in today's world, it is good to have some knowledge of these standards and the security mechanisms they use. The section below focuses on these two standards and their security mechanisms.
Wi-Fi is the most commonly deployed wireless standard in today's world. It is based on the IEEE 802.11 standard.
It has many versions, developed either as enhancements to a previous version or for a specific function. The most used today are 802.11g and 802.11n. The main reasons for its popularity are that it is easy to implement, is supported by most devices with built-in wireless, and has relatively low-cost adapters. From a security point of view, previous versions of 802.11 used WEP (Wired Equivalency Privacy) as the security mechanism to protect Wi-Fi connections from intruders. As WEP weaknesses were discovered and breached, developers produced more powerful security mechanisms for Wi-Fi, which include Wi-Fi Protected Access (WPA) and Wired Equivalency Privacy 2 (WEP2). WPA and WEP2 greatly increased the level of security on Wi-Fi links. Though WEP2 and WPA have stronger security mechanisms, it is recommended to use them in conjunction with a VPN (Virtual Private Network), an authentication server, and other trusted third-party tools for extra security. (Wi-Fi Alliance, 2003)
The key concepts WPA follows for security are authentication and encryption.
Though the security features were enhanced, they are not flawless, which gives attackers the upper hand when dealing with security issues. So it is always good to have some other security measure in place if needed; it is up to the individual organization and its users to decide how much security they want for their network.
WiMAX is an emerging technology in wireless networking based on the IEEE 802.16 standard. It was developed to provide higher data rates, better security, scalability and mobility than other existing wireless standards. WiMAX has not yet been fully deployed in the commercial sector for a number of reasons: it is quite a new technology, and major devices do not support the protocols it uses. But its potential advantages are being realized, and it is assumed that WiMAX will soon be the dominant wireless technology in the wireless networking world because of its potential applications. These applications can be as simple as providing a wireless connection between two distant locations or using it as a broadband access technology with mobility. Apart from these, WiMAX can virtually support a data rate of 70 Mbps over greater distance. Though WiMAX has many potential advantages, it is not yet widely used because the infrastructure it needs has not yet been fully developed.
Though every possible effort is being made to make WiMAX secure, there still exist potential vulnerabilities and attack threats which will come to light after its commercial deployment. Until now, developers and researchers have only been speculating about the threats WiMAX might face. But considering that WiMAX is still in its development phase, if well researched and implemented, it can be the dominant wireless technology in the coming days.
WiMAX security features are mostly implemented in the MAC layer. The MAC layer is further divided into sub-layers: the first is the Service Specific Sub-layer (CS), the second is the Common Part Sub-layer (CPS) and the third is the Security Sub-layer, each performing its designated task. The last sub-layer is responsible for authentication, key establishment and exchange, and encryption and decryption of data exchanged between the MAC and Physical layers. (Trung, n.d.) WiMAX uses the Privacy and Key Management Protocol (PKM) for secure key management and exchange using the Advanced Encryption Standard. Though it uses the most advanced security features, it is still vulnerable to a number of threats such as jamming attacks, scrambling attacks, water torture attacks and man-in-the-middle attacks. Discussion of these attack types is out of the scope of this paper. Though it offers a stronger form of security than existing wireless standards, a lot of work is still needed to make it successful among other wireless standards.
A wireless network is said to be vulnerable when its performance is degraded due to a lack of security measures or when some unauthorized party or person gets control of the network. There can be a number of reasons why a home or enterprise wireless network becomes vulnerable. A wireless network becomes vulnerable to hackers and intruders when they can exploit its weaknesses and find loopholes using different tools and techniques. Another reason wireless is more vulnerable than wired networks is that a wireless network is always open: intruders can gain access to the network from anywhere as long as they can sense the wireless signals.
Though wireless networks are commonly protected by authentication and encryption techniques, the steps involved in these processes can be used by attackers to break the security measures if not properly programmed. The main drawback of the existing wireless standards lies in the fact that they are not well programmed. Apart from poorly designed standards, other vulnerability issues arise from negligence while setting up the network, insufficient knowledge about wireless networks, poorly configured networks and so on. These issues can be overcome by proper planning while deploying a wireless network. Other issues, like poorly designed security features, are always there for well-trained intruders to get inside the network. The case studies in the next section describe some of the design issues related to popular wireless standards such as Bluetooth and Wi-Fi.
Bluetooth Robustness Testing
Bluetooth is an open wireless standard which works in the 2.45 GHz band and can send and receive data at up to 2 Mbps over a short distance. Though Bluetooth is designed with security features to block unauthorized interception, it has suffered many attacks from hackers in the real world. Attacks like bluejacking, bluebugging and Car Whisperer are common attacks against Bluetooth-enabled devices, in which attackers can gain control of the device or get important information from it. The first attack seen on Bluetooth was the BlueSnarf attack, in which a remote attacker steals information from a Bluetooth device.
The testing carried out by DEFENSICS has found a number of flaws in Bluetooth implementations. Bluetooth consists of a number of profiles used on different Bluetooth-enabled devices, which operate on different layers of the protocol stack. The figure below shows the profiles that Bluetooth works on.
Fig: Bluetooth Profile and Interface
The robustness testing performed by DEFENSICS on different Bluetooth device found that most of the devices crashed. The result of the testing ended up being totally corrupt.
These flaws in Bluetooth devices are being mitigated by product manufacturers, who release firmware upgrades that address new problems as they arise.
Wi-Fi Vulnerability Assessments (AirPort Scanning Report)
Wi-Fi is a wireless networking standard mostly used in a wireless LAN environment. As its popularity grows and it is used in almost all businesses, hackers and attackers are also working hard to gain access to Wi-Fi networks. Another reason Wi-Fi networks can be vulnerable to attackers is poorly configured security measures.
AirTight Networks has published a report on airport wireless network scanning, which was conducted from 30 Jan 2008 to 8 Feb 2008. These scans were conducted at 27 airports worldwide by scanning Wi-Fi signals for five minutes at random locations inside an airport. The data collected showed that critical airport systems were vulnerable to Wi-Fi threats. The study showed that 80% of private networks were either open or only used WEP, and only about 3% of users used a VPN to secure their network. These security flaws were mainly due to insecure Wi-Fi practices: devices were used with their default configuration, and most users relied only on a hidden SSID to protect their data and network.
Fig: Wi-Fi Security Trends seen at researched Airport
After finding these alarming trends in the use of Wi-Fi networks, AirTight solutions found that even critical airport systems, such as customs and baggage systems, are vulnerable to attackers.
The benefits of wireless networking have made WLAN a great success in the public, private and enterprise sectors. But the exponential growth in the use of these networks has outrun the security measures being developed and deployed. So in order to stay safe in the world of wireless networking, it is good to be familiar with common wireless attacks and how attackers carry them out, so that one can take the necessary preventive measures before being victimized.
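The survey above rests on telling open, WEP and better-protected networks apart from their beacons. As an added example (not from the AirTight report or this paper), the Python code below does that classification from a beacon frame body, using the Privacy capability bit, the RSN element and the WPA vendor element; the sample beacons, SSIDs and helper names are constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010                      # Capability Information: Privacy subfield
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor element prefix that marks WPA


def parse_elements(body):
    """Yield (tag, value) for each tagged parameter in a beacon frame body."""
    pos = 12  # skip timestamp (8 bytes), beacon interval (2), capability (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:   # truncated element: stop instead of guessing
            return
        yield tag, value
        pos += 2 + length


def classify_beacon(body):
    """Return (ssid, security); ssid is None when the SSID is hidden."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    (capability,) = struct.unpack_from("<H", body, 10)
    ssid, has_rsn, has_wpa = None, False, False
    for tag, value in parse_elements(body):
        if tag == TAG_SSID and value.strip(b"\x00"):
            ssid = value.decode("utf-8", errors="replace")
        elif tag == TAG_RSN:
            has_rsn = True
        elif tag == TAG_VENDOR and value.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if not capability & PRIVACY_BIT:
        return ssid, "open"
    if has_rsn:
        return ssid, "RSN"
    return ssid, ("WPA" if has_wpa else "WEP")


def summarize(bodies):
    """Count the survey figures: open-or-WEP networks and hidden SSIDs."""
    results = [classify_beacon(b) for b in bodies]
    weak = sum(1 for _, sec in results if sec in ("open", "WEP"))
    hidden = sum(1 for ssid, _ in results if ssid is None)
    share = weak / len(results) if results else 0.0
    return {"total": len(results), "open_or_wep": weak,
            "hidden_ssid": hidden, "weak_share": share}


def make_beacon(ssid, privacy, extra=b""):
    """Build a constructed beacon body (sample data only, not a capture)."""
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)
    return fixed + bytes([TAG_SSID, len(ssid)]) + ssid + extra


RSN_IE = bytes([TAG_RSN, 2]) + b"\x01\x00"              # minimal: version only
WPA_IE = bytes([TAG_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"
SAMPLE = [
    make_beacon(b"cafe-guest", False),          # open
    make_beacon(b"printer-net", True),          # privacy bit only -> WEP
    make_beacon(b"", True),                     # hidden SSID, WEP
    make_beacon(b"office-1", True, RSN_IE),     # RSN element present
    make_beacon(b"kiosk", True, WPA_IE),        # WPA vendor element present
]

if __name__ == "__main__":
    print([classify_beacon(b) for b in SAMPLE], summarize(SAMPLE))
```

A hidden SSID does not change the security label: the third sample is still reported as WEP, which is why hiding the SSID alone counted as an insecure practice in the survey.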
Access control attacks
Access control attacks attempt to penetrate a network over wireless using different access control approaches.
Type of attack, description, and methods and tools:
Discovering wireless LANs by listening to beacons or sending probe requests, thereby providing launch point for further attacks. Methods and tools: DStumbler, KisMAC, MacStumbler, NetStumbler, WaveStumbler, Wellenreiter.
Rogue Access Points: Installing an unsecured AP inside firewall, creating open backdoor into trusted network. Methods and tools: Any hardware or software AP.
Ad Hoc Associations: Connecting directly to an unsecured station to circumvent AP security or to attack station. Methods and tools: Any wireless card or USB adapter.
Reconfiguring an attacker's MAC address to pose as an authorized AP or station. Methods and tools: Bwmachak, changemac.sh, SirMACsAlot, SMAC, Wellenreiter, wicontrol.
802.1X RADIUS Cracking: Recovering RADIUS secret by brute force from 802.1X access request, for use by evil twin AP. Methods and tools: Packet capture tool on LAN or network path between AP and RADIUS server.
These attacks attempt to intercept the data sent over wireless links.
Type of attack, description, and methods and tools:
Capturing and decoding unprotected application traffic to obtain potentially sensitive information. Methods and tools: bsd-airtools, Ethereal, Ettercap, Kismet, commercial analyzers.
WEP Key Cracking: Capturing data to recover a WEP key using brute force or Fluhrer-Mantin-Shamir (FMS) cryptanalysis. Methods and tools: Aircrack, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab.
Evil Twin AP: Masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users. Methods and tools: cqureAP, HermesAP, HostAP, OpenAP, Quetec, WifiBSD.
Running a phony portal or Web server on an evil twin AP to "phish" for user logins, credit card numbers.
Man in the Middle: Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels.
These attacks are used to send fake control and data frames to mislead the receiver.
Type of attack, description, and methods and tools:
802.11 Frame Injection: Crafting and sending forged 802.11 frames. Methods and tools: Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject.
802.11 Data Replay: Capturing 802.11 data frames for later (modified) replay. Methods and tools: Capture + Injection Tools.
802.11 Data Deletion: Jamming an intended receiver to prevent delivery while simultaneously spoofing ACKs for deleted data frames. Methods and tools: Jamming + Injection Tools.
802.1X EAP Replay: Capturing 802.1X Extensible Authentication Protocols (e.g., EAP Identity, Success and Failure) for later replay. Methods and tools: Wireless Capture + Injection Tools between station and AP.
802.1X RADIUS Replay: Capturing RADIUS Access-Accept or Reject messages for later replay. Methods and tools: Ethernet Capture + Injection Tools between AP and authentication server.
These attacks are done to obtain the identities of legitimate users and use those identities to gain access to the network.
Type of attack, description, and methods and tools:
Shared Key Guessing: Attempting 802.11 Shared Key Authentication with guessed vendor default or cracked WEP keys. Methods and tools: WEP Cracking Tools.
Recovering a WPA PSK from captured key handshake frames using a dictionary attack tool. Methods and tools: coWPAtty, KisMAC, wpa_crack, wpa-psk-bf.
Application Login Theft: Capturing user credentials (e.g., e-mail address and password) from clear text application protocols. Methods and tools: Ace Password Sniffer, Dsniff, PHoss, WinSniffer.
Domain Login Cracking: Recovering user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes, using a brute-force or dictionary attack tool. Methods and tools: John the Ripper, L0phtCrack, Cain.
VPN Login Cracking: Recovering user credentials (e.g., PPTP password or IPsec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols. Methods and tools: ike_scan and ike_crack (IPsec), anger and THC-pptp-bruter (PPTP).
802.1X Identity Theft: Capturing user identities from cleartext 802.1X Identity Response packets.
802.1X Password Guessing: Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password.
802.1X LEAP Cracking: Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash. Methods and tools: Anwrap, Asleap, THC-LEAPcracker.
802.1X EAP Downgrade: Forcing an 802.1X server to offer a weaker type of authentication using forged EAP-Response/Nak packets.
These attacks are done to block legitimate users from gaining access to their network.
Type of attack, description, and methods and tools:
Physically removing an AP from a public space. Methods and tools: "Five finger discount".
Transmitting at the same frequency as the target WLAN, perhaps at a power that exceeds regulation Equivalent Isotropically Radiated Power (EIRP). Methods and tools: RF Jammer, Microwave oven, AP with Alchemy/HyperWRT firmware.
Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy. Methods and tools: An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit.
802.11 Beacon Flood: Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP.
802.11 Associate / Authenticate Flood: Sending forged Authenticates or Associates from random MACs to fill a target AP's association table. Methods and tools: Airjack, File2air, Macfld, void11.
802.11 TKIP MIC Exploit: Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service. Methods and tools: File2air, wnet dinject.
802.11 Deauthenticate Flood: Flooding station(s) with forged Deauthenticates or Disassociates to disconnect users from an AP. Methods and tools: Airjack, Omerta, void11.
802.1X EAP-Start Flood: Flooding an AP with EAP-Start messages to consume resources or crash the target. Methods and tools: QACafe, File2air, libradiate.
Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message. Methods and tools: QACafe, File2air, libradiate.
Sending a malformed 802.1X EAP Identity response known to cause some APs to crash. Methods and tools: QACafe, File2air, libradiate.
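The 802.11 Deauthenticate Flood listed above and the Evil Twin AP listed earlier both leave traces that a monitoring sensor can flag. The following added example (not part of the original paper) runs two such checks over constructed frame records; the record fields, the AP inventory and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory: SSID -> BSSIDs of the access points the site operates.
AUTHORIZED = {"corp-wlan": {"02:00:00:00:00:01", "02:00:00:00:00:02"}}
DEAUTH_LIMIT = 10    # assumed threshold: frames per window per BSSID
WINDOW_MS = 1000     # assumed sliding-window length in milliseconds


def detect(frames):
    """Return (ts, alert, detail) tuples for the frame records, in time order.

    Each record is a dict with ts (ms), subtype and bssid; beacons also
    carry ssid. This record layout is hypothetical, not a capture format.
    """
    alerts = []
    recent = defaultdict(deque)   # bssid -> timestamps of deauth/disassoc frames
    flooding = set()              # BSSIDs currently above the limit
    seen_twins = set()            # (ssid, bssid) pairs already reported
    for f in sorted(frames, key=lambda fr: fr["ts"]):
        bssid = f["bssid"]
        if f["subtype"] == "beacon":
            allowed = AUTHORIZED.get(f["ssid"])
            pair = (f["ssid"], bssid)
            # A protected SSID beaconed by a BSSID outside the inventory.
            if allowed is not None and bssid not in allowed and pair not in seen_twins:
                seen_twins.add(pair)
                alerts.append((f["ts"], "unauthorized_bssid", pair))
        elif f["subtype"] in ("deauth", "disassoc"):
            window = recent[bssid]
            window.append(f["ts"])
            while f["ts"] - window[0] > WINDOW_MS:
                window.popleft()
            if len(window) <= DEAUTH_LIMIT:
                flooding.discard(bssid)          # rate back to normal
            elif bssid not in flooding:
                flooding.add(bssid)              # report once per burst
                alerts.append((f["ts"], "deauth_flood", bssid))
    return alerts


# Constructed sample: normal beacons, one look-alike AP, sparse deauths, a burst.
SAMPLE = (
    [{"ts": 0, "subtype": "beacon", "bssid": "02:00:00:00:00:01", "ssid": "corp-wlan"},
     {"ts": 100, "subtype": "beacon", "bssid": "02:00:00:00:00:99", "ssid": "corp-wlan"},
     {"ts": 200, "subtype": "beacon", "bssid": "02:00:00:00:00:99", "ssid": "corp-wlan"},
     {"ts": 300, "subtype": "beacon", "bssid": "02:00:00:00:00:50", "ssid": "neighbour"}]
    + [{"ts": 5000 + 3000 * i, "subtype": "deauth", "bssid": "02:00:00:00:00:01"}
       for i in range(3)]
    + [{"ts": 20000 + 20 * i, "subtype": "deauth", "bssid": "02:00:00:00:00:01"}
       for i in range(15)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```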
How to stay safe in wireless world
Staying safe can be a hard job in the wireless world. Threats can prove costly to an individual or an organization, so it is always better to take preventive measures before a threat turns into an attack. Though the preventive measures discussed here do not guarantee a hundred percent safe environment, it is always better to have something in place than to have nothing. These measures can give an attacker or hacker a hard time reaching their objective, and in the meantime one can take other preventive measures if attacks are detected. The steps mentioned below are generally made for 802.11 standards, so not all of them might work for wireless standards like WiMAX. Here are some steps one can take to stay safe in a wireless, mainly Wi-Fi, network.
Always use a strong encryption mechanism if possible, e.g. WEP2.
Do not give the SSID a simple name, as it can be captured in clear text if unencrypted and attackers can know where it is coming from.
Statically assign the MAC addresses of devices to wireless adapters if possible, so it is hard for attackers to gain access to one's network.
If possible, change encryption keys regularly.
Block beacons on wireless adapters if possible.
Use a VPN where possible.
Use a trusted third-party tool for encryption and decryption when sending or receiving confidential data.
Use an authentication server if possible.
Wireless technologies are being deployed in almost every sector of life in today's world, ranging from providing a simple wireless connection to more complex applications. With this wide range of uses and applications, hackers and attackers are also being proactive in breaking its security features, giving network owners and developers a tough time securing their networks and technologies respectively. The war between these two parties has given birth to more complex and advanced security features in wireless standards. But to keep up with the exponential growth in the use of wireless, developers are still struggling to make their standards free of security loopholes.
On the other hand, the users of these wireless standards are also working hard to prevent their networks from being compromised. As more and more applications move to wireless, there is an imminent need for reliable wireless security features on which users can rely. This is a major issue that emerging wireless standards need to address if they want to compete in the market. Finally, it can be concluded that all existing wireless standards have some flaws somewhere that are being exploited by attackers. Hopefully future wireless technologies will be successful in addressing these security issues.
Ujjwal Man Shrestha 2010. The author/s assigns the School of Computer and Security Science (SCSS) & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a nonexclusive license to SCSS & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.