Security Threats and Risks Associated with Wireless Networks
Low deployment costs make wireless networks attractive to users. However, the easy availability of inexpensive equipment also gives attackers the tools to launch attacks on the network. The design flaws in the security mechanisms of the 802.11 standard also give rise to a number of potential attacks, both passive and active. These attacks enable intruders to eavesdrop on, or tamper with, wireless transmissions.
"Parking Lot" Attack
Access points emit radio signals in a circular pattern, and the signals almost always extend beyond the physical boundaries of the area they are intended to cover. Signals can be intercepted outside buildings, or even through the floors in multi-storey buildings. As a result, attackers can implement a "parking lot" attack, where they actually sit in the organisation's parking lot and try to access internal hosts via the wireless network. If a network is compromised, an attacker has achieved a high level of penetration into the network. They are now through the firewall, and have the same level of network access as trusted employees within the corporation.
An attacker may also fool legitimate wireless clients into connecting to the attacker's own network by placing an unauthorised access point with a stronger signal in close proximity to wireless clients. The aim is to capture end-user passwords or other sensitive data when users attempt to log on to these rogue servers.
Shared Key Authentication Flaw
Shared key authentication can easily be exploited through a passive attack by eavesdropping on both the challenge and the response between the access point and the authenticating client. Such an attack is possible because the attacker can capture both the plaintext (the challenge) and the ciphertext (the response).
WEP uses the RC4 stream cipher as its encryption algorithm. A stream cipher works by generating a keystream, i.e. a sequence of pseudo-random bits, based on the shared secret key, together with an initialisation vector (IV). The keystream is then XORed against the plaintext to produce the ciphertext. An important property of a stream cipher is that if both the plaintext and the ciphertext are known, the keystream can be recovered by simply XORing the plaintext and the ciphertext together, in this case the challenge and the response. The recovered keystream can then be used by the attacker to encrypt any subsequent challenge text generated by the access point, producing a valid authentication response simply by XORing the two values together. As a result, the attacker can be authenticated to the access point.
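The keystream property described above, as an added illustration that is not part of the original article: a toy model of WEP shared key authentication (plain RC4 keyed with IV || secret, response = challenge XOR keystream, with the real frame header and ICV omitted) showing why a single observed challenge/response pair is enough to answer any later challenge under the same IV, and therefore why shared key authentication must be considered broken. The key, IV and challenge values are constructed.

```python
# Added example, not code from the original article: why WEP shared key
# authentication leaks its keystream. RC4 is implemented here only so the
# demonstration runs offline; the WEP framing is simplified to the bare XOR.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP-style: per-frame RC4 key is IV || shared secret; keystream XOR data."""
    return xor_bytes(rc4_keystream(iv + secret, len(plaintext)), plaintext)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Known plaintext XOR its ciphertext yields the keystream (the flaw in the text)."""
    return xor_bytes(challenge, response)


def keystream_reuse_breaks_auth() -> bool:
    """Return True if one observed exchange suffices to answer a fresh challenge."""
    secret = bytes([0x01, 0x02, 0x03, 0x04, 0x05])   # constructed 40-bit WEP key
    iv = bytes([0x10, 0x20, 0x30])                   # constructed IV, reused by the client
    challenge1 = bytes(range(16))                    # constructed AP challenge text
    response1 = wep_encrypt(iv, secret, challenge1)  # what the legitimate client sends
    ks = recover_keystream(challenge1, response1)    # what a passive listener learns
    # A later challenge under the same IV can be answered without knowing the secret.
    challenge2 = b"\xff" * 16
    forged = xor_bytes(ks, challenge2)
    return forged == wep_encrypt(iv, secret, challenge2)
```

The comparison passing without the secret ever being used on the forging side is the whole flaw: the authentication proves possession of a keystream, not of the key.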
Service Set Identifier Flaw
Access points come with default SSIDs. If the default SSID is not changed, these units can easily be compromised. In addition, SSIDs are sent over the air as clear text if WEP is disabled, allowing the SSID to be captured by monitoring network traffic. For some products, even when WEP is enabled, management messages containing the SSID will still be broadcast in clear text by access points and clients, making it possible for an attacker to sniff SSIDs and gain access to the wireless LAN.
The Vulnerability of the Wired Equivalent Privacy Protocol
Data passing through a wireless LAN with WEP disabled (which is the default setting for most products) is susceptible to eavesdropping and data modification attacks. However, even when WEP is enabled, the confidentiality and integrity of wireless traffic are still at risk because a number of flaws in WEP have been revealed which seriously undermine its claims to security. In particular, the following attacks on WEP are possible:
- Passive attacks to decrypt traffic based on known plaintext and chosen ciphertext attacks;
- Passive attacks to decrypt traffic based on statistical analysis of ciphertexts;
- Active attacks to inject new traffic from unauthorised mobile stations;
- Active attacks to modify data; or
- Active attacks to decrypt traffic, based on tricking the access point into redirecting wireless traffic to an attacker's machine.
Attack on Temporal Key Integrity Protocol (TKIP)
The TKIP attack uses a mechanism similar to the WEP attack, attempting to decode one byte at a time by using multiple replays and observing the response over the air. Using this mechanism, an attacker can decode small packets such as ARP frames in about 15 minutes. If Quality of Service (QoS) is enabled in the network, an attacker can further inject up to 15 arbitrary frames for every decrypted packet. Potential attacks include ARP poisoning, DNS manipulation and denial of service.
Although this is not a key recovery attack and it does not lead to compromise of TKIP keys or decryption of all subsequent frames, it is still a serious attack and poses risks to all TKIP implementations on both WPA and WPA2 networks.