FORESEC ACADEMY

FORESEC

FORESEC ACADEMY

What does wireless networking mean to you? To some it means complete and total mobility,
the freedom to make calls, send email or surf the Internet from anywhere in the world without
being chained to a wire. Perhaps you see it as a cost-effective way to extend your corporate
network or maybe as a way to increase productivity on the factory floor. Others see wireless
as an opportunity to take advantage of weak security measures for anonymous Internet
access, or to avoid the restrictions of your corporate firewall when attempting to exploit
servers and hosts.
Wireless is everywhere. Wireless is cool. Wireless is seductive. Wireless is dangerous.

FORESEC

FORESEC ACADEMY

Objectives
In this chapter, we cover an often misunderstood, if not overlooked aspect of deploying
and utilizing wireless networks: security. As an individual tasked with securing your
organization's resources, we present the key information elements that will allow you to
understand the risks and limitations of wireless networking. We discuss how wireless
networks are being used in enterprises today and some of the common architectures and
protocol implementations of wireless networking. We also review common misconceptions
about wireless security, the top 5 risks of wireless networks, and look at some
recommendations for planning a secure wireless LAN.

FORESEC

FORESEC ACADEMY

Popularity and Usage

Just how popular is wireless networking? Let's take a look at some recently published
figures:
The wireless gaming market is expected to exceed US $2.8 billion by 2006.
The number of mobile Internet users is expected to increase to 484 million by
2005.
The number of wireless phones in use worldwide is predicted to reach 1 billion by
the end of 2003.
Note: The following Web sites were used in researching market projections for wireless
networking:

http://www.ebizchronicle.com/backgrounders01/mar/wireless.htm

http://www.instat.com/rh/wirelessweek/newmk.asp?
id=157&SourceID=00000042000000000000

As you can see, the usage of wireless devices is expected to continue its dramatic growth
over the next several years. If you look at this surge in popularity from a marketing product life
cycle (introduction, growth, maturity, and decline) perspective, wireless has transitioned from
the introductory phase and is firmly entrenched in the growth cycle. The key indicators that we
are seeing a growth cycle for wireless networks are the emergence of competition, aggressive

FORESEC

FORESEC ACADEMY
marketing, and wider availability of products. Industry analysts have not predicted when we
can expect to see wireless devices enter the maturity phase, which means we will likely see a
myriad of product choices combined with lower prices for the foreseeable future. In other
words, sit back and enjoy the ride!
Wireless devices are not limited to just mobile computing. Think of just about any application
and chances are a wireless product exists today or will in the near future. Let's use the
restaurant industry as an example. Many restaurants now use a wireless device for taking
your order. Instead of writing down your request on a pad of paper, your waiter simply
punches a few buttons on his handheld device and the order immediately appears on a
screen in the kitchen. When it comes time to pay for your meal, the waiter can use this same
device to conduct your credit card transaction without having to walk over to a cash register.
Now that's efficiency!
Let's take efficiency a step further. If you have visited a fashion retailer lately, then you
have probably noticed the sales staff wearing wireless headsets. In an effort to enhance your
shopping experience and also decrease stock losses, the sales staff uses these headsets to
communicate with other areas of the store without ever leaving your side. They can check to
see if your size is available in the back room while remaining on the sales floor to thwart any
would-be shoplifters.
But wait, there's more! Auto racing has been using two-way radio communication for
years to allow the drivers to communicate with their pit crews. Now these teams have
deployed wireless sensors throughout the car that will communicate information such as
engine temperatures, tire wear, fuel usage, and speed back to the pit crew so they can make
more efficient use of their pit stops.
Cell phone usage has moved from analog-only services to digital networks that offer an
increasing array of service plans, choices, and availability. Even the lowly pager has been
given a breath of fresh air in recent years with the advent of text delivery (stocks, sports
scores, and so on) and two-way communication capabilities.

FORESEC

FORESEC ACADEMY

Wireless Advantages
Why wireless? Perhaps the better question would be, why not wireless? As we have shown,
freedom is the siren song of wireless networks. By itself, the ability to be completely mobile
while staying connected is a great reason to deploy wireless technologies, but there are other
compelling examples that also warrant attention.
Enabling connectivity where it simply was not possible before is a very attractive reason to
deploy wireless networks. Factories and warehouses are a prime example of wireless
technologies enabling extended connectivity. Before the viability of mobile computing, it would
have been a labor intensive, time consuming, and very expensive endeavor to wire a factory
floor for network connectivity. Another example would be to extend your network over
obstacles that make wire connections difficult, such as a temporary need to electronically
traverse an airport runway. For most organizations, wiring for connectivity within budget
simply might not be feasible. Using wireless technology, it is now simply a matter of installing
a few pieces of equipment. Networks can be extended, quite literally, in a matter of minutes.

FORESEC

FORESEC ACADEMY

Increased productivity and ease of use are obvious choices but should not be
underestimated. Users can be connected and mobile, meaning they can roam the building
with their laptop with little or no disruption in service. For example, Josephine User is
scheduled to give a presentation in the west conference room. Normally, she would have to
log off the network, shut down her machine and disconnect the network cable. This process
alone takes nearly five minutes, and she would then need to repeat it in reverse order after
she got to the conference room. It would be nice to simply pick up the laptop and move to the
conference room without having to log off and shut down. It also increases productivity in the
process!
Some companies are offering wireless access as a value-added service for their customers.
Want to check your email while sipping your mocha latte at the local coffee shop? Need to
dump some stock before getting on that plane? Not a problem! Airports, coffee shops,
shopping malls, and other areas where large groups of people gather are quickly realizing
they can add value or service to their customers at relatively little cost by installing wireless
access points to the Internet.
Finally, temporary networks, such as those used at exhibitions and conferences, are ideally
suited for wireless technologies. Because wireless networks require relatively few
components, they can be set up and torn down quickly. It is becoming increasingly rare to
attend a technical trade show or conference without being afforded some type of wireless
network access.

FORESEC

FORESEC ACADEMY

Vertical Markets
As the wireless market continues to grow and evolve, we are seeing targeted solutions for a
multitude of industries. Some of the biggest vertical markets include healthcare, financial,
academia, industrial, and retail.

Healthcare
Hospitals are constantly faced with the daunting task of lowering operating costs while still
giving their patients superior quality and personalized care. For many hospitals, fees for
services are pre-determined and are often less than the actual monetary amount needed to
recoup the cost of performing the service. It does not take a brain surgeon to figure out that
operating at a financial loss does not lend itself well to longevity in the marketplace. How can
hospitals lower their costs, attract more patients, and get those patients through the system
quickly while still maintaining a personal relationship? The answer to that question, as
evidenced by increased deployment in the healthcare industry, is wireless networks.
Hospitals are quickly realizing there is a huge ROI (Return on Investment) in being able to
leverage their backend databases, applications, and so on, in a mobile fashion. Doctors are
using wireless networks to access patient records, submit prescriptions to the pharmacy,
query databases, or even consult with other physicians. Traditionally, doctors and nurses
would jot down patient information on a chart and enter it manually into the system at a later

FORESEC

FORESEC ACADEMY
time. By enabling the nurse or doctor to enter that same information into a mobile device, the
administrative burden is lessened significantly.
This process also decreases the amount of time a patient spends in the hospital. For
example, a doctor might wish to discharge one of her patients at the start of her rounds.
Without wireless capabilities, she might not enter the discharge information into the
system until she completes her rounds two hours later; it could take another two hours to
be accessed by the patient's nurse, who is away from her floor terminal. Had the doctor
and nurse been equipped with wireless devices, the information would have been
communicated immediately, the patient discharged and that bed filled by another patient.
Not only did that four-hour time frame inconvenience the patient, but it also tied up a bed
that could have been used for another patient. In short, more patients equal more revenue.

Financial
The ability to access real-time information is critical to the success of a financial institution.
Stock markets are volatile, prices fluctuate and the success of a particular transaction is
based on the speed with which it occurred. Traders on the stock exchange are now using
wireless devices to update information in real time, rather than relying on frantic hand signals
from the trading floors and scribbled receipts.
In 1997, the New York Stock Exchange (NYSE) installed a wireless backbone that has helped
define the future of trading. Brokers are using PDA-like devices to send and receive orders,
view market data, and send instant messages to other areas of the exchange. Wireless
phones enable them to stay in constant contact with their partner firms, other brokers, or the
wired trade terminal. What this means is that a transaction can now happen from anywhere
on the floor without the broker being confined to a trading terminal or wired phone line.
Furthermore, the transactions are immediate and the need for paper receipts is eliminated.

Academia
A growing number of colleges and universities are installing wireless networks in classrooms,
libraries, and dormitories. This approach fosters greater student interaction, collaboration, and
research opportunities within the classroom setting. Imagine the chaos if students were
required to plug their laptops into a wired network several times a day from various points in
the campus environment. The amount of cabling it would take just to accomplish this for one
lecture hall could justify the ROI for installing wireless access points across the campus.
The wireless technology extends beyond the classroom setting. Students no longer need to
compete for the limited resources available at the campus computer labs. Rather, they can
access their data from just about any location on campus from the campus union, to the
library and even their own dorm room.

FORESEC

FORESEC ACADEMY
Industrial/Factory
Inventory tracking, quality assurance, and material management are just a few examples of
how wireless technologies have evolved in the industrial environment. Laptops can be
mounted on forklifts in a distribution center to communicate to the workers that products need
to be loaded onto trailers. Inventory can be tracked via wireless scanners as it moves through
an assembly line. Giving engineers the ability to track changes, production issues, or faulty
processes with handheld devices rather than pen and paper enhances quality assurance.

Retail and Restaurants

One of the primary applications used in the restaurant industry is for food orders being
transmitted to the kitchen via a handheld device. Customer service is also enhanced by the
usage of pen-based tablets by the hostess to track open tables and how many people are
currently on the waiting list. The goal is to move people through the restaurant quickly while
providing the best customer service possible.
Retail chains are migrating toward wireless networks to extend their point-of-sale (POS)
solutions. Companies can add more cash registers and communicate the POS data to a
central location without having to run cable to several locations throughout the store.

FORESEC

FORESEC ACADEMY

Wireless Architecture and Protocols

To gain a better understanding of the risks associated with wireless networks, it is important to
understand the various types of networks, including the architectures and protocols uses. We
review the two most common wireless network infrastructures and the three most common
wireless network protocols that are in use for data communication.

FORESEC

FORESEC ACADEMY

Ad-hoc Architecture
Utilizing an ad-hoc architecture, wireless nodes communicate directly with each other in a
peer-to-peer fashion, in a completely unstructured network. Also known as an independent
basic service set (IBSS), this architecture is the most basic form of wireless networking and is
best suited for small environments where scalability and security is not an issue. The ad-hoc
network is extremely useful for file sharing between nodes and group collaboration projects
that are temporary in nature.
Windows XP was the first Microsoft operating system to support the concept of ad-hoc
networking over wireless connectivity. The wide adoption of Windows XP has led to a greater
utilization of ad-hoc networking in temporary workgroups for file and information sharing.
However, this is not without its share of risks; Windows XP operating system vulnerabilities
can be exploited when connected to ad-hoc networks and when connected to the Internet.
Some vendors are utilizing ad-hoc networking for point solutions to solve specific problems.
InFocus, a company that produces image-projection equipment for use in presentations, has
developed a wireless extension to their popular projectors that allows users send their
material over an ad-hoc wireless network. This enables road-warriors to travel and give
presentations without needing extra cabling to connect the projectors to their laptop
computers.

FORESEC

FORESEC ACADEMY

Infrastructure Network Architecture

When utilizing an infrastructure network architecture, also known as a basic service set, one
or more wireless clients use an access point (AP) to connect to a wired network. An AP works
by forming an association with the wireless clients and then acting as a bridge between the
clients and the wired network. The AP is also responsible for performing network
synchronization tasks that allow the client to interact as if it were directly connected to the
wired network; this includes forwarding broadcasts to the wireless network and maintaining a
centralized timing mechanism for clock synchronicity.
The AP is also responsible for controlling access to the wireless medium. In an ad-hoc
infrastructure environment, each wireless device on the network is responsible for negotiating
and utilizing the wireless medium when sending traffic. In an infrastructure network
architecture, the access point is often tasked with delegating the authority to access the
network. This is implemented through request-to-send, clear-to-send protocols in which a
station identifies its need to use the network to send traffic, thereby causing the AP to stop
others from talking during that time.
Further, the AP is responsible for authenticating wireless clients and deciding whether a
particular client should be allowed to access the network. The process of authentication varies
with different protocols, but typically requires a challenge from an access point and a
corresponding response from the station that wishes to authenticate.

FORESEC

FORESEC ACADEMY

When participating in a group with other access points, also known as an extended service
set, the access point is responsible for communicating the status of associated connections to
other access points. This process facilitates the ability for a client to roam, or move about a
location, without losing connectivity to the wired network. When an access point shares
information about a client, such as authentication status to other access points, a client is not
required to repeat the authentication process when he connects to a different access point.

FORESEC

FORESEC ACADEMY

Wireless Application Protocol (WAP)

WAP is a communication protocol designed specifically to allow reduced-capability mobile
devices to access the Internet in a standardized manner. Mobile devices such as cell phones
and PDAs have limited display capabilities and simple user interfaces. They also have limited
processing power, battery life, and storage capabilities, and their ability to stay connected to
the network is inherently unreliable. The WAP protocol is designed to address these issues
and enable sophisticated data delivery to mobile devices.
WAP operates over a multitude of different wireless technologies:
Cellular Digital Packet Data (CDPD)
Code Division Multiple Access (CDMA)
Global System (GSM)
In July 2001, the WAP Forum (http://www.wapforum.org) formally approved WAP
Specification version 2.0. This version provides support for standard Internet protocols such
as IP, TCP, and HTTP, thus optimizing them for the wireless telecommunications environment.
Note: The WAP Forum has recently merged with the Open Mobile Architecture Initiative; their
new consortium is called the Open Mobile Alliance. You can find additional information at:
http://www.openmobilealliance.org/.

FORESEC

FORESEC ACADEMY
WAP provides a built-in security mechanism at the Transport Layer that is based on the
industry standard TLS (transport layer security), which is similar to the SSL protocol (Secure
Socket Layer). This mechanism permits a wireless client to establish an end-to-end secure
connection with an Internet server. It is important to note that security has been enhanced in
the new version of WAP, thereby solving a few problems that were present in the earlier
specification.

FORESEC

FORESEC ACADEMY

The "WAP Gap"

Before WAP 2.0 became available in late 2001, WAP users had to rely on the WTLS
(Wireless Transport Layer Security) protocol to provide a secure connection between wireless
clients and Internet Web servers. Besides the fact that WTLS suffered from a few problems
with its encryption mechanism, security professionals were worried about the so-called WAP
gap, which the previous slide illustrates.
The WAP gap problem arises because the mechanism used to encrypt data on the airwaves
is different from the encryption that Internet servers understand. Thus, a point of translation is
required - in this case, the WAP gateway. The gateway's job is to decrypt the WTLS
transmissions, and then re-encrypt them via TLS/SSL. The problem is that sensitive
information resides in the clear in the WAP gateway's memory for a short period of time. If an
attacker could take control of the gateway system, he would be able to access all of the
secure communications that traverse the network juncture. To compound the problem, the
wireless carrier usually controls the WAP gateway, meaning that the end user cannot gain
knowledge regarding the security that is in place at the gateway. The system requires that the
client implicitly trust that the WAP gateway is secure.

FORESEC

FORESEC ACADEMY

Protecting Gateways
The WAP 2.0 specification provides a solution to the WAP gap problem. The new
specification discards WTLS in favor of true TLS. This change means that the gateway no
longer has to act as a translator because Internet servers can interpret the TLS transmissions
directly. Because the PDA or phone supports TLS directly, it can securely communicate with
the destination server over TLS without having to translate information at an intermediary
WAP gateway. Although this is certainly good news, many industry experts believe it will take
some time before WAP 2.0 is fully deployed because the new standard is a radical departure
from the previous specification.
For those organizations that are not ready to make the leap to the new WAP 2.0 specification,
here are some suggestions for protecting the gateway:
Ensure that the WAP gateway never stores decrypted content on secondary media.
Implement additional security at higher protocol layers.
Secure the WAP gateway physically so that only administrators have access to the
system console.
Limit administrative access to the WAP gateway so it is not available to any
remote site that resides outside the firewall.

FORESEC

FORESEC ACADEMY
Disconnect WAP applications from the rest of the network.
Add WAP devices to your PKI infrastructure.

Additional Resources
Additional information on WAP can be found at the following sites:

http://www.wapforum.org

http://www.openmobilealliance.org/

http://www.zdnet.co.uk

http://www.freeprotocols.org/harmOfWap/wtls.pdf

FORESEC

FORESEC ACADEMY

Bluetooth
Bluetooth, which was first announced in 1998, promised to be an affordable, low power,
wireless solution that would allow virtually any type of wireless device, from cell phones to
PDAs, to communicate with each other using a common technology. For example, you could
use your cell phone to pull phone numbers from your PDA, or you could send documents
from your laptop to a remote printer without physically being connected. Many wireless
headsets for cell phones have adopted Bluetooth for wireless connectivity between an
earpiece and the cell phone.
Bluetooth is described as a Personal Area Network (PAN). It can be used to connect all your
personal devices at ranges of up to 30 feet, at a maximum speed of 1 Mbps. With no line-ofsight connectivity requirements, it is an obvious solution for short-term connectivity between
devices that might have a small form-factor and little battery power. With a high degree of
interference immunity because of the channel hopping mechanism used, Bluetooth is a
reliable connection method that is capable of supporting up to seven simultaneous
connections.
Declared dead on more than one occasion, Bluetooth technology has been an on-again/offagain technology. It is increasing in popularity for some devices, although it is far less utilized
than its IEEE cousin, the 802.11 protocol.

FORESEC

FORESEC ACADEMY

Bluetooth Security
Unfortunately, Bluetooth's flexibility is not without its limitations. Some analysts have likened
the security of Bluetooth devices to posting your social security number in a public chat room.
Essentially, communication between Bluetooth devices is easily deciphered, and security
experts have warned that sensitive data should never be sent across a link with such a weak
security mechanism.
Bluetooth security provides a simple means of authentication and data encryption while
communicating between devices. Authentication begins with a user selecting a personal
identification number (PIN) to authenticate other devices in the Bluetooth PAN. The PIN is
then entered manually into each device that needs to communicate with other Bluetoothcapable devices.
Bluetooth security relies on the secrecy PIN that the user selects, and on the link key that is
generated based on the PIN. The link key is used to generate the encryption key that protects
the data, and it can be used for authentication if the two devices wish to communicate again
at a later time. The link key is chosen in one of several ways, but the method that is used
most often is also the least secure. One of the device's unit keys is often used because it is
convenient, and it is perfect for those devices that have limited storage space or
computational power. The problem with this process is that the unit key method of
authentication is permanent, making decrypting communication between devices relatively
easy. For example, if User A communicates first with User B and then communicates with
User C, User B can decipher any communication between the devices because he already

FORESEC

FORESEC ACADEMY
knows the link key that is being used.

Bluetooth Security Issues

Bluetooth suffers from an inherently weak encryption algorithm that makes deciphering the
data encryption a relatively easy task. It is also important to note that Bluetooth is quite
susceptible to privacy exploits because the device address is always unique to the individual
user. In other words, after the device ID has been associated with a user, it is a trivial task to
log their activities.
Bluetooth devices require that the user enter a PIN (personal identification number) each time
he uses the device. Although this sounds like a good idea, there are several weaknesses with
this implementation. Many people use weak PIN numbers, such as "0000" or "1234," when
using their devices. Clearly, this is easy to guess - but even worse, Bluetooth uses the PIN to
generate initialization keys, which are used to protect data when the unit is used for the first
time. A weak PIN grants an attacker the ability to decrypt and potentially modify data that is in
transit between Bluetooth devices.
Taking this a step further, a user can easily become frustrated with the need to enter a PIN
each time he wants to use the device. In ad-hoc network configurations, the user must enter a
PIN for each and every device he wishes to communicate with, making usage a cumbersome
and awkward process. However, there is a beauty of a solution! Bluetooth devices allow the
user to store the PIN in the unit's non-volatile memory or on its hard drive. This relieves the
user from having to enter the PIN countless times, but more importantly, it bypasses the
reason for having a PIN in the first place. Any attacker who can obtain the device can

FORESEC

FORESEC ACADEMY
impersonate the user who owns the device.
Security researchers are picking up an increased level of interest in Bluetooth PANs. Tools
that can be used by an attacker to locate and circumvent the security of Bluetooth networks
include @stake's RedFang and the Shmoo Group's BlueSniff. Armed with these tools, it is
possible for an attacker to monitor telephone conversations, decrypt data and information,
and otherwise wreak havoc on Bluetooth connections.

FORESEC

FORESEC ACADEMY

802.11
The IEEE 802 Committee approved the 802.11 standard in 1997. This standard has several
key elements that make it the most widely adopted wireless LAN standard in use today:
Support for ad-hoc and infrastructure networks.
Accommodates roaming between multiple access points without losing
connectivity.
Supports large data packets through the use of fragmentation at Layer 2.
Provides reliable data delivery when experiencing interference due to a
requirement to positively acknowledge all data traffic received from an access point
or wireless station.
Builds on existing standards for data encapsulation (802.2 LLC).
Power conservation techniques extend the battery life of wireless devices.
Albeit weak, the IEEE 802.11 specification included a method for encrypting data
Using a shared secret and the RC4 encryption algorithm. Known as wired equivalent

FORESEC

FORESEC ACADEMY
privacy (WEP), this algorithm was the first IEEE standard to perform encryption and
authentication at the Data Link Layer.
The initial 802.11 specification branched into multiple specifications that utilize varying
technology for frequency modulation that would support varying data rates:
IEEE 802.11b 1999 - Supports a theoretical throughput of 11Mbps in the 2.4GHz
spectrum. Actual throughput for 802.11b networks is commonly closer to 6Mbps.
The 802.11b specification is widely adopted and is the most popular wireless
LAN protocol in use today.
IEEE 802.11a 1999 - Supports a theoretical rate of 54Mbps. Using the 5GHz
spectrum, the 802.11a specification was not widely adopted until 2003.
IEEE 802.11g 2003 - Supports a theoretical rate of 56Mbps using the same
frequency as 802.11b. Designed to boost the speed of networks running in the
2.4GHz band, 802.11g suffers from many drawbacks in speed and performance
when used in conjunction with 802.11b devices.
The IEEE wireless LANs specifications are available at
http://standards. ieee.org/getieee802/802.11.html.

FORESEC

FORESEC ACADEMY

WEP Security Issues

A general lack of successful attempts to secure 802.11 networks has made it difficult for
administrators to protect their wireless networks. Attackers armed with the knowledge of
common vulnerabilities in 802.11 networks are readily attacking 802.11 networks. These
attacks are being launched to grant unauthorized access to wireless networks, to perform
denial-of-service attacks, and to collect sensitive information from private networks.
The wired equivalent privacy (WEP) algorithm was included in the IEEE 802.11 and later
specifications to provide data confidentiality on wireless LANs. The 802.11-1997 specification
introduced WEP as an implementation of the RC4 encryption protocol, the same encryption
protocol used by the SSL and TLS protocols. WEP is based on a pre-shared secret that is
common to all stations that participate in the same wireless network. In this implementation,
an administrator would visit workstations that wanted to communicate on the wireless network
and manually configure them with the same shared secret. The access points and clients
would use the shared secrets to encrypt and decrypt data that was sent on the wireless
network.
The utilization of shared secrets in this fashion was flawed from its inception. A shared
secret is not one that remains a secret for long - it became common for nearly all users to
know the shared WEP secrets to configure their own workstations to join the wireless
network. The 802.11 specification never included a of rotating the shared secrets on a
wireless network, so many networks continued to use the same shared secret for all of their

FORESEC

FORESEC ACADEMY
wireless clients. The inability to easily change the WEP keys on all workstations became an
even more daunting problem as the utilization of wireless networks continued to grow and
more people depended the shared secret configured on their workstation.
Unfortunately, WEP proved to have another insufferable flaw in its implementation; Fluhrer,
Mantin, and Shamir first reported this flaw in their paper, Weaknesses in the Key Scheduling
Algorithm of RC4. Their paper identified a method by which an attacker could recover the
shared secret from nothing more than the encrypted data collected from a wireless network.
Shortly after the paper was published, tools were released that would recover the secret WEP
key used on a network after collecting millions of packets from a wireless network. The
process of recovering a WEP key in this fashion commonly took days or weeks on a network
that had little or moderate traffic levels.
Tools used by attackers to recover shared WEP keys on a network include WEPCrack,
AirSnort, and dwepcrack. These tools are written for Linux or BSD systems. Although quite
effective for attacking wireless LANs utilizing the WEP algorithm, they required a dedicated
attacker with patience to recover the shared secret WEP key from a wireless network.
Recent attack tools against WEP have been developed to make the process of recovering
WEP keys and attacking wireless networks even faster. Tools such as wnet/reinj and
WEPWedgie accelerate the process of collecting packets from a wireless network, often
resulting an attacker's ability to recover a shared secret from a network using WEP in one
hour or less.
Recognizing that the WEP algorithm was an insufficient method of protecting wireless
networks, the IEEE and IETF have been working on developing alternate solutions to protect
wireless LANs.

FORESEC

FORESEC ACADEMY

Improved 802.11 Security

Recognizing that the WEP encryption protocol was insufficient to protect wireless networks,
the IEEE formed the 802.11i committee, also known as the Task Group i (TGi). This IEEE
committee was tasked with designing two solutions for securing wireless networks: one that
could be retrofitted into existing hardware, and a second design that would be a completely
secure solution that required new hardware for implementation. The TGi committee has been
working on the 802.11i specification since 1998, but has yet to reach a completed document
for implementation.
Although the 802.11i committee developed new standards for securing wireless LANs, the
802.1x committee adapted their specification for network authentication to provide generic
support for protocols to authenticate users before using the wireless LAN, and to automate
the process of using dynamic WEP keys that rotate on a regular basis. The 802.1x
specification opted to allow standards-based implementations of extensible authentication
protocols (EAP) to be used in conjunction with network authentication. Various organizations
have worked with the IETF to develop standard EAP types for wireless networks. Some of
these EAP types include EAP-MD5, EAP/TLS, PEAP, and TTLS. Some proprietary EAP
methods, such as the Cisco LEAP authentication protocol, were also developed.

FORESEC

FORESEC ACADEMY

IEEE 802.1x authentication requires three components:

Supplicant: Client software that is used to communicate with various EAP types
to authenticate users.
Port Authentication Entity (PAE): An 802.1x-compliant device, such as a switch
or access point, that is capable of communicating using various EAP types to
enable network access only after successful authentication.
Authenticator: A RADIUS server that communicates with the PAE to authenticate
or de-authenticate users.
With these components, wireless LAN administrators can implement the various EAP types to
control authentication and improve WEP security with dynamic keying on their
wireless networks.
Unfortunately, the 802.1x authentication mechanism, while doing a good job of only granting
access to users who have successfully authenticated to the wireless network, still relies on
the WEP protocol for data encryption. Even though it uses dynamic WEP keys to encrypt the
data, it is still possible to circumvent this level of security by abusing weaknesses in WEP.
Risks to an enterprise using any of the mentioned EAP types include unauthorized network
access, potential for recovering dynamic WEP keys and decrypting confidential data, and a
vulnerability to DoS attacks.
In March 2003, the Wireless Fidelity group (WiFi), a group previously committed to
interoperability testing between manufacturers of wireless access points and cards, decided
to take a pre-release draft of the 802.11 specification and standardize the portion of the
standard designed to improve the existing hardware's security. Dubbed the WiFi Protected
Access specification I (WPA-I), this new method for securing wireless networks uses a
combination of 802.1x for network authentication and an encryption method called the
temporal key integrity protocol (TKIP) to encrypt, validate, and secure the transmission of
data over a wireless network. A few months later, manufacturers began shipping wireless
equipment that was WPA-I compliant.
The TKIP algorithm included methods to ensure that no data was improperly retransmitted on
a network, that it uses rotating keys for the encryption of data, and that it implements a
message authenticity check and per-packet key mixing. Although it is a significant
improvement over previous attempts to secure wireless networks, the TKIP algorithms also
has known flaws in message integrity checks and its ability to prevent unauthorized access by
knowledgeable attackers. These flaws will likely start to make headlines as tools for
circumventing the security of WPA-I networks are written and released.

FORESEC

FORESEC ACADEMY
The second portion of the 802.11i specification uses the new government encryption standard
AES to provide confidentiality of data on a wireless network. The TGi group has yet to
complete the specification for this upcoming standard, but it appears that this method of
protecting wireless LANs will be strong, but difficult to implement because it requires the
replacement of 100% of the existing wireless LAN equipment.

Common Misconceptions
When developing or assessing wireless security solutions, administrators often have
misconceptions about the specifics of wireless network security. This section identifies and
clarifies general, technical, and risk-related misconceptions.

FORESEC

FORESEC ACADEMY

General Misconceptions
I don't need to worry about security because we aren't using wireless for sensitive
data.
This is probably the most common misconception about wireless LAN security. Many
organizations have installed wireless LANs for collaboration in small workgroups, for limited
deployment to meet specific job functions, or simply to experiment with the technology.
Typically deployed with their factory default configuration settings, these networks are often
the most vulnerable. It is also common for an organization to simply forget about the
temporary wireless LANs they install, or to forego security measures because they believe
the wireless LANs are not being used for business-critical functions.
The critical vulnerability with these wireless LAN installations is that they are completely open
for an attacker to utilize for his own nefarious purposes. Attackers leverage these vulnerable

FORESEC

FORESEC ACADEMY
networks to their advantage, using them to deliver SPAM email messages, share copyrightinfringed software, music, and movies, or gain anonymity when launching attacks against
other organizations' networks. The lesson here is that no wireless networks should be
deployed without first completely understanding the risks to the business in the event that
they are exploited.

FORESEC