2/4/2015

Login

MinimizingWLANSecurityThreats

Register

Reviews
Tutorials

Tutorials&Training

WiFiTrends

MinimizingWLANSecurityThreats

MinimizingWLANSecurity
Threats
ByJimGeier
September05,2002
MostwirelessLANsdonotinvokeadequatesecurity
measurestoguardagainstattacks.Learnwhatsecurity
threatsexistforwirelessLANsasthebasisfordeploying
effectivesecuritymeasures.

Resources
RECOMMENDED

Search
MOST
POPULAR

1. ArubaBringsWiFitoWall
Plates
2. Review:MerakiEnterprise
CloudControllerforAPs
3. LogitechHarmonyLinkReview
4. AsktheWifiGuru:Episode42
5. CiscoAcceleratesWiFiwith
Aironet3600

Becausetheyuseradiowaves,wirelessLANsareopentohackerstryingtoaccesssensitiveinformationor
spoiltheoperationofthenetwork.Infact,mostwirelessLANsdon'timplementanyformofreliablesecurity,
enablingaccesstojustaboutanyone.I'veproventhatbydrivingaroundseverallargecitiesrecentlyand
using802.11packetsniffingtoolstodetectwirelessLANs.Ifoundthatmanymajorcorporations,retailstores,
airports,andhomesarewideopen.
Spreadspectrumnotverysecure
Severalofthe802.11wirelessLANstandards(including802.11b)usespreadspectrum,amodulation
techniquedevelopedduringthedaysofWorldWarIItokeepenemyforcesfromjammingradio
communicationsandradioguidedmissiles.WhenwirelessLANsfirstbegantoappearintheearly1990s,
vendorstoutedtheinherentsecurityofwirelessLANsbecauseoftheuseofspreadspectrumtechnology.
SomewirelessLANvendorstodaystilladvertisethesecuritythatspreadspectrumprovides.
Spreadspectrumingeneraliscapableofchangingthe"spreadingcodes"inasecretiveway,whichmakesit
nearlyimpossibleforsomeonetodecipherthesignal'sintelligenceunlesstheyknowthecode.Theproblem,
however,isthatthe802.11standardclearlydescribesthespreadingcodespubliclysothatcompaniescan
designinteroperable802.11components.Asaresult,ahackeronlyneedsan802.11compliantradioNICas
thebasisforconnectivity,whichobliteratesthesecuritybenefitsofspreadspectrum.
SSIDsareuseless
The802.11standardspecifiestheSSID(servicesetidentifier)asaformofpasswordforauser'sradioNICto
joinaparticularwirelessLAN.802.11requiresthattheuser'sradioNIChavethesameSSIDastheaccess
pointhavetoenableassociationandcommunicationswithotherdevices.Infact,theSSIDistheonly
"security"mechanismthattheaccesspointrequirestoenableassociationintheabsenceofactivating
optionalsecurityfeatures.
TheuseofSSIDsisafairlyweakformofsecurity,however,becausemostaccesspointsbroadcasttheSSID
multipletimespersecondwithinthebodyofeachbeaconframe.Ahackercaneasilyusean802.11analysis
tool(e.g.,AirMagnet,Netstumbler,orAiroPeek)toidentifytheSSID.Inaddition,WindowsXPdoesagreatjob
of"sniffing"theSSIDinusebythenetworkandautomaticallyconfiguringtheradioNICwithintheenduser
device.
SomenetworkadministratorsturnoffSSIDbroadcasting(whichdeletestheSSIDfromthebeaconframes),
butahackercanstillsnifftheSSIDfromframesthatstationsusewhenassociatingwithanaccesspoint.They
justhavetowaituntilsomeoneassociatesorreassoicates(e.g.,whenroaming)withthenetwork.
AsidefromsniffingtheSSID,manywirelessLANadministratorsmakeiteveneasierbyusingthevendor's
defaultSSIDs,whichareprettywellknown.ForexampleCiscousestsunamiandmostothervendorsusethe
nameoftheircompanyasthedefaultSSID.Justdosomewardriving,andyou'llseethatthisistrue.
DHCPhurtssecurity
EvenifanintruderiscapableofassociatingwithanaccesspointbyusingthecorrectSSID,theymustoften
haveanapplicableIPaddressbeforetheycandirectlyaccessresources(userPCs,servers,etc.)onthe
network.ManywirelessLANs,though,useDHCP(dynamichostconfigurationprotocol)toautomatically
assignIPaddressestousersastheybecomeactive.WithDHCPenabled,ahackerreceivesanapplicableIP
addressjustasotherlegitimateusersdo.Thisprovidesfreedomstothehackeryou'drathernotshare.
Forexample,youmaybesittingatanairportusingapublicwirelessLAN.Someoneassociatedtothesame
wirelessLANcaneasilyuseWindowstoseeotherusers(i.e.,you)connectedtothenetwork.Ifyouhavefile
sharingturnedon,theotherpersoncanclickonyourdeviceanddrilldowntoyourdocumentsfolderand
openorcopyfilestotheirlaptop.Thisisaseriousproblemthatmanyendusersoverlook,especiallywhen
operatingfromhomeandpublicnetworks.
Maninthemiddleattacks
Throughtheuseofan802.11analyzer,apersoncanmonitor802.11framessentoverthewirelessLANand
easilyfoolthenetworkthroughvarious"maninthemiddle"attacks.Youcanviewtheframessentbackand

http://www.wifiplanet.com/tutorials/article.php/1457211

1/3

2/4/2015

MinimizingWLANSecurityThreats

forthbetweenauser'sradioNICandaccesspointduringtheassociationprocess.Asaresult,you'lllearn
informationabouttheradiocardandaccesspoint,suchasIPaddressofbothdevices,associationIDforthe
radioNIC,andSSIDofthenetwork.
Withthisinformation,someonecansetuparogueaccesspoint(onadifferentradiochannel)closertoa
particularusertoforcetheuser'sradioNICtoreassociatewiththerogueaccesspoint.Because802.11
doesn'tprovideaccesspointauthentication,theradioNICwillhappilyreassoicatewiththerogueaccess
point.Oncereassociationoccurs,therogueaccesspointwillcapturetrafficfromunsuspectedusers
attemptingtologintotheirservices.Ofcoursethisexposessensitiveusernamesandpasswordstoahacker
whohasaninterfacewiththerogueaccesspoint.
SomeonecanalsousemaninthemiddletechniquesusingarogueradioNIC.Aftergleaninginformation
aboutaparticularwirelessLANbymonitoringframetransmissions,ahackercanprogramarogueradioNIC
tomimicavalidone.Thisenablesthehackertodeceivetheaccesspointbydisassociatingthevalidradio
NICandreassociatingagainasarogueradioNICwiththesameparametersasthevalidradioNIC.Asa
result,thehackercanusetherogueradioNICtostealthesessionandcarryonwithaparticularnetwork
basedservice,onethatthevaliduserhadloggedinto.
ProblemswithWEP
On802.11networks,youcanenableWEP(wiredequivalentprivacy),whichencryptsthebodyofeachframe.
Thisissupposedtokeephackersfromviewingsensitiveemails,usernamesandpasswords,proprietary
documents,etc.Asdiscussedinaprevioustutorial,hackerscanfairlyeasilydecodeWEPencrypted
informationaftermonitoringanactivenetworkforlessthanoneday.
Consequently,don'tdependonWEPforprotectingsensitiveinformation.TheuseofWEPinmostcases,
nevertheless,isbetterthannoencryptionatall,especiallyifyoudeployamechanismtochangetheWEPkey
often(seerelatedtutorial).
Denialofserviceattacks
Anotherformofsecurityattackisdenialofservice.Inthiscase,thehackermightnotstealanyinformation.
Theyjustkeepusersfromaccessingservices,eithertogainsomesortofcompetitiveadvantageorjusthave
somedevious"fun."
AmischievouspersoncanuseawirelessclienttoinsertboguspacketsintothewirelessLANwiththeintent
ofkeepingusersfromgettingaccesstoservices.Abruteforcewayofdoingthisistosetuparelativelyhigh
powersignalgeneratortoproduceenoughRFinterferencetoblockotherradioNICsfromaccessingthe
medium.The802.11MACLayerisfairlypoliteandavoidstransmittingwhenitsensesotherRFactivity.This
givestheintruderenoughcontroltokeepusersfromaccessingnetworkservicesforanindefiniteperiodof
time.
OthermoreeloquentmethodsfordenyingserviceincludefoolingvalidradioNICswithfake802.11frames.
Forexample,someonecouldsetuptheirradioNIC(or802.11framegenerator)tosendacontinuousstream
ofCTS(cleartosend)frames,whichmimicsanaccesspointinformingaparticularradioNICtotransmitand
allotherstowait.(CTSispartof802.11'sRTS/CTSfunction.)TheradioNICbeinggivenpermissionto
transmitcouldbeafictitioususer.Asaresult,thelegitimateradioNICsinenduserdeviceswillcontinually
delayaccesstothemedium.
Thebottomline
Asyoucansee,therearemanywirelessLANsecurityissuesthatrequireattention.Ifandhowyouhandle
theseproblemsdependsgreatlyonyoursecurityrequirements.Insomecases,youmightwanttokeepthe
networkasopenaspossibleandonlyprotectfilesonuserPCs.Mostotherscenarios,however,willlikely
needmuchmore.It'spossibletomakewirelessLANsverysecure,aswe'lldiscussinafuturetutorial.Stay
tuned!
JimGeierprovidesindependentconsultingservicestocompaniesdevelopinganddeployingwireless
networksolutions.HeistheauthorofthebookWirelessLANs(SAMs,2001),andregularlyinstructs
workshopsonwirelessLANs.
JoinJimfordiscussionsasheanswersquestionsinthe802.11PlanetForums.
Originallypublishedon.
0Comments(clicktoaddyourcomment)
CommentandContribute

Yourname/nickname

Youremail

Subject(Optional)
Comments

(Maximumcharacters:1200).Youhave 1200

http://www.wifiplanet.com/tutorials/article.php/1457211

charactersleft.

2/3

2/4/2015

MinimizingWLANSecurityThreats

Typethetext
Privacy&Terms

Perspective/Opinions

News

ControllersandAccessPoints

Security
Devices

HomeandSmallBusiness
SecurityTools

Management

Software

SiteMap

PropertyofQuinstreetEnterprise.
TermsofService |Licensing&Reprints|AboutUs|PrivacyPolicy|Advertise
Copyright2015QuinStreetInc.AllRightsReserved.

http://www.wifiplanet.com/tutorials/article.php/1457211

3/3