
Wireless Networks

Dependability in Wireless Networks


Can We Rely on WiFi?
WiFi's dependability requirements are growing as its usage spreads to public hotspots and personal home networks. Authentication and confidentiality are crucial issues for corporate WiFi use, but privacy and availability tend to dominate pervasive usage. This article discusses dependability and its impact on WiFi usage scenarios.

WiFi, short for wireless fidelity, is the commercial name for the 802.11 products that have flooded the corporate wireless local area network (WLAN) market and are becoming rapidly ingrained in our daily lives via public hotspots and digital home networks. However, because a technology's dependability requirements are proportional to its pervasiveness, newer applications mandate a deeper understanding of how much we can rely on WiFi and its security promises.

So far, WiFi hasn't had the best track record: researchers and hackers easily defeated its first security mechanism, Wired Equivalent Privacy (WEP) [1]. Although the 802.11i standard (which is also known by its commercial name, WPA2) addresses this failure and the larger issues of confidentiality and authentication [2], no ongoing standardization effort handles WiFi availability, and problems with robustness mean that a successful attack can block a network and its services, at least for the attack's duration. Another oft-neglected aspect of 802.11 networks is privacy: not payload confidentiality but node activity monitoring. This kind of monitoring has value on its own (for example, for contrasting user identification and location), but it also has a strong link to dependability in attacks targeted at a specific node.

To our knowledge, no current practical or theoretical framework handles WiFi dependability issues. Moreover, no previous work has analyzed WiFi security from this viewpoint. Most research examines WiFi confidentiality and authentication by explaining the problems related to native 802.11 security (WEP and shared-key authentication) and showing how inadequate such mechanisms are. The same effort hasn't been put into analyzing a wireless network's availability and robustness: in fact, many denial-of-service (DoS) attacks against WLANs are known, but so far only one research effort describes the actual implementation of two DoS attacks and possible countermeasures [3].

In this article, we present an overview of WiFi vulnerabilities and investigate their proximate and ultimate origins. The intended goal is to provide a foundation to discuss WiFi dependability and its impact on current and future usage scenarios. Although a wireless network's overall security depends on the network stack to the application layer, this article focuses on specific vulnerabilities at the physical (PHY) and data (MAC) layers of 802.11 networks.

PUBLISHED BY THE IEEE COMPUTER SOCIETY

MARCO DOMENICO AIME, GIORGIO CALANDRIELLO, AND ANTONIO LIOY
Politecnico di Torino

The PHY layer


WiFi uses a single narrow-band radio channel on a public frequency. Radio communications are typically multiplexed and based on some combination of space, frequency, time, and coding; WiFi exploits the first three. The available power range in WiFi devices allows for cells with an average radius of less than 100 meters (the exact value depends heavily on obstacles and antenna directionality, ranging from hundreds of meters with radio bridges to a few meters in closed rooms). Generally, WiFi uses a limited pool of narrow-band frequencies on unlicensed bands at 2.4 and 5 GHz. Current WiFi networks rely on two different basic coding techniques: the Direct Sequence Spread Spectrum (DSSS), which 11b and 11g devices use, and Orthogonal Frequency Division Multiplexing (OFDM), which 11a and 11g devices use. Nodes on the same frequency share a single channel, which the 802.11 MAC layer serializes through random access and contention mechanisms. These characteristics allow for several attacks, which we'll discuss in more detail in the following subsections.

1540-7993/07/$25.00 2007 IEEE IEEE SECURITY & PRIVACY

Interception
It's not surprising that an attacker can intercept a radio communication, but the threat's relevance clearly depends on the nature of the leaked information. Most cryptographic protocols address content eavesdropping but pay little attention to privacy issues. The 802.11 standard never uses mechanisms for preventing traffic analysis, so it's fairly easy to infer the number of talking nodes, their identities (that is, some long-living identifier for each of them), and who's talking to whom. This lets an attacker violate user privacy, so we want to hide as much information as possible; taken to the extreme, we even want to conceal an ongoing communication's existence. Content eavesdropping is still an issue if cryptographic protocols aren't used properly.

Of course, the prologue of any content-eavesdropping attack is channel selection. Unfortunately, the limited number of channels and frequencies in WiFi devices make this step trivial; moreover, any 802.11 device has built-in capabilities to scan and report activity on all available channels. The 802.11 specification originally included a low-rate (1 to 2 Mbps) PHY layer that used a frequency-hopping transmission technique. Frequency-hopping could make interception harder, but 802.11 designed it for avoiding interferences only. It used 79 channels and a set of 78 possible hopping sequences; the access point (AP) broadcasts the hopping sequence and the dwell time. Keeping the hopping information hidden makes channel selection harder for casual attackers, but given a limited number of channels and a static sequence, they could easily recover the hidden sequence.

In general, today's narrow-band radio technologies can't hide communication. Their spectral efficiency is too low to support a sufficiently large number of high-bit-rate channels over available bands, and it's easy to scan a small number of possible channels for ongoing communications. We must therefore accept that interception is easy, especially because radio coverage area can't be delimited precisely. Physical anti-interception techniques aren't fit for common WiFi usage scenarios, so mechanisms at the MAC layer or above must prevent information leakage, from content eavesdropping to identity tracking and traffic analysis.

Injection
Radio transmission, as well as reception, can't be confined in a restricted area, so WiFi relies on logical access control mechanisms for authorized access. However, this heavily limits the validity of well-established security tools such as firewalls and network intrusion detection systems, so authorized traffic is instead validated as it flows over the wireless link (the security perimeter is now spread across every network link). In practice, though, this activity constrains the upper network layers in their attempt to provide specific security mechanisms. As a solution, the MAC level could provide data source authentication for every transmitted frame by identifying the source as a specific node or as a member of a trusted group.
IEEE SECURITY & PRIVACY JANUARY/FEBRUARY 2007

Jamming
Radio communications are subject to jamming, which is cheap and easy to do in a narrow-band channel such as the one WiFi devices occupy. Jamming can make corporate WLANs unavailable, which is certainly annoying, or even block a residential phone network or hospital medical infrastructure, which is much scarier. The WiFi nodes themselves can easily detect a jam because each station already monitors channel quality for AP and bit-rate selection, but locating the actual attacker is a different story. WiFi sails on unlicensed industrial, scientific, and medical (ISM) bands; in these bands, networks of devices subject to independent authorities can coexist in the same area and share the same communication channel. The WiFi MAC layer handles overlapping cells, but doesn't guarantee fairness in the presence of dishonest nodes. Even worse, transmissions are vulnerable to interference by any technology that exploits popular ISM bands, from Bluetooth devices to microwave ovens.

Locating mobile nodes


Wandering through a wireless world, an attacker can easily track MAC addresses and build a database that lists wireless nodes, their locations, and their movements, even for wearable devices such as PDAs. Although a wireless node's exact position might be hard to get, it's much easier to detect its presence in a large area. If the device is a personal one, this could even help someone track the device owner's location: for example, a burglar could discover when a target property is empty while staying comfortably outside its perimeter and without performing a physical examination.

No effective solution exists yet for localizing wireless intruders, even in networks of moderate dimension. Although some recent commercial products can coordinate APs to detect and point out naive static attackers (such as unauthorized APs), the radio medium is intrinsically hard to map, and intruders typically aren't collaborative (they can individually spoof, move, change transmission power, use directional antennas, exploit multiple coordinated probes, and so on without any help).

Access control
To control access, the network must classify wireless nodes into trusted and untrusted sets and update them in real time. Nodes' fast and long-range mobility makes radio network topology highly dynamic: both the set of nodes forming the network and their connectivity can change rapidly over time. To allow for quick topology change, the network must implement and carefully secure two basic network functions (neighbor discovery and node association), but, perhaps not surprisingly, some past and present security flaws in WiFi are related to discovery and association mechanisms. The problem lies not in selecting a suitable authentication mechanism but in enrolling and managing proper credentials. Current authentication infrastructures for wired networks aren't designed to match tight cost and usability constraints, but these two factors might be even more important than the overall security level in WiFi usage outside of LANs.

Hijacking
Man-in-the-middle attacks are a traditional threat against access control solutions. Although it's easy for attackers to intercept wireless traffic and inject an attack, it isn't trivial to hijack a wireless channel. The attacker must ensure that the two victims can't talk directly, thus the targets must either lie outside each other's radio range or be desynchronized. An attacker can try to jam the receiver while still being able to access the transmitted traffic, for example, by using directional antennas or a set of two probes near the sender and the receiver (attackers can always use a coalition of nodes that utilize a different unmonitored frequency to cooperate). Alternatively, the attacker can force the two targets over to two distinct frequencies and continue to relay traffic between them; doing so makes it easy for the attacker to manipulate them. Such threats are avoidable only by including spatial and frequency information in the victims' authentication mechanisms. Although secure distance verification is an active research topic [4], WiFi authentication ignores this problem because it doesn't convey any spatial or frequency information. This still holds for the 802.11i standard.

Energy
Batteries are a key enabling factor for mobility in radio networks, but a limited energy supply can easily become a perfect target for availability attacks. Although breakthroughs in energy production technology will hopefully mitigate this problem, the short-term impact on security is twofold: power-conservation features and their protection become vital, and any security mechanism must be carefully evaluated against its energy cost.

The MAC layer

Although it inherits the underlying PHY layer's insecurity, the 802.11 MAC layer adds some peculiar weaknesses of its own. Its dangerous features are that it implements a shared channel, can have a star or mesh topology, and must synchronize among different parties, making it much more complex than Ethernet. These three broad categories leave the network open to several different vulnerabilities.

Shared channel
When many nodes use the same channel, their traffic must be distinguishable; accordingly, 802.11 networks use a MAC address as a static station identifier. But even if communication is encrypted, the header must remain in the clear for delivery reasons, which makes statistical traffic analysis (and identity tracking) feasible. A shared channel also implies a shared bandwidth, thus transmission speed lowers if several nodes use it simultaneously. It might seem that limiting the number of users per cell would guarantee an adequate bandwidth per node, but this doesn't really work because the 802.11 MAC layer allows the coexistence of many independent cells on the same physical channel, each with its own nodes. The 802.11e standard deals with providing quality of service over WiFi networks via traffic prioritization mechanisms, but these mechanisms rely fully on the existing MAC layer, its rules, and, more important, its vulnerabilities. As such, the proposed quality-of-service mechanisms don't enforce availability.

Additionally, the WiFi medium has strict access rules because it's shared, and the 802.11 MAC layer works properly only when the nodes observe specific access rules (such as timing, physical and virtual channel sensing, and back-off times). Unfortunately, it's easy to violate these rules and cause network malfunctions because many off-the-shelf devices ship with special test modes that, if turned on, let the user access the WiFi medium without respecting timing constraints. We describe our experience with a continuous transmission mode in 802.11b cards later, but a different strategy is to set a high noise threshold so that the channel is perceived to be free regardless of other nodes' activity: in both cases, the device transmits and violates access rules. This trick can easily defeat the clear channel assessment function of the DSSS-based 802.11b standard (researchers have shown the DSSS physical layer to be particularly sensitive to access violations [5]), but we can also apply the general concept to OFDM-based 802.11a. Customization of a device's firmware can fully subvert the MAC layer's rules; unfortunately, programmable MAC and radio layers are already used in research activity.

The 802.11 standard also uses a logical mechanism to assess if the channel is free or busy; it implements this mechanism with every frame of the protocol, and includes a duration field that indicates channel occupation time in microseconds. This field implements a virtual channel-sensing mechanism that can cope with signal collisions from hidden terminals. Unfortunately, cryptographic mechanisms can't protect such information cheaply due to its broadcast nature. This situation opens up a new vulnerability because an attacker can mangle the duration field and fool a station into believing that the channel is busy when it's actually free (more information about this and other attacks appears elsewhere [3, 6]).

www.computer.org/security/ IEEE SECURITY & PRIVACY

Topology
We can set up WLANs in two different modes corresponding to two distinct network topologies: the infrastructure mode, in which an AP centrally coordinates the network, which in turn assumes a virtual star topology, and the ad hoc mode, which has no centralized coordination and a mesh topology. In the infrastructure mode, the AP is the single required element in the network: if the AP falls, the whole network is blocked. Recent commercial solutions mitigate this single point of failure through fault-tolerance mechanisms. APs can increase their transmission power and cover a broader area after discovering a neighbor AP has vanished. A straightforward attack against an AP consists of flooding it with false authentication requests to exhaust its buffers and make it refuse any other legitimate access to the network. This drawback is balanced by the fact that a network with centralized coordination is easier to manage from a security standpoint than a fully distributed one. Networks in the infrastructure mode, for example, can benefit from 802.1X authentication because the AP acts as a gateway toward a well-established security infrastructure, whereas the native 802.11 ad hoc mode relies only on a static shared secret.

Synchronization
Anything that's simple in a wired environment (such as network cables plugged into wall sockets) must be emulated with special frames in the wireless world, which can lead to problems when synchronizing state transitions between two or more entities (such as client and AP, or two peers in an ad hoc network). As in any system in which two or more parties must remain synchronized to work, a successful desynchronization forced by an attacker leads to a system malfunction. This problem is especially acute for WiFi network features such as authentication and association, power saving, and level 2 cryptography.

Authentication and association. WiFi provides association and authentication mechanisms to distinguish among unauthorized nodes. The first attempt at implementing it included a basic MAC-layer authentication that exploited special frames and could either be null or a WEP-based challenge response. Because WEP was so easy to defeat, a new security layer was added but isn't compulsory. After the basic open authentication, it performs the real authentication and uses normal data frames (like any other application). As straightforward as they seem, these solutions are flawed because the mechanisms lack protection: the open authentication doesn't include any security, whereas WEP performs only client authentication (the AP doesn't authenticate itself to the client), paving the way to man-in-the-middle attacks. In addition, the logout mechanism isn't protected, thus allowing DoS attacks. Moreover, the deauthentication frame isn't, in fact, authenticated, not even with the extra extensions in the 802.11i standard, so it's easy to attack the network with packet-injection techniques [3]. Extensible Authentication Protocol (EAP; RFC 2284) suffers from similar vulnerabilities and had to be fixed for WiFi usage: only EAP methods that provide mutual authentication are allowed (thus we can use EAP-TLS but not EAP-MD5), and a further exchange (the four-way handshake) was added to prove authenticity of the AP when separated from the authentication server. As a result, our robust security network lacks robustness: the EAP logout mechanism (the EAP-Logoff frame) is unprotected, and successful desynchronization of the basic 802.11 authentication also clears EAP authentication. Depending on the actual EAP method, the authentication process can take up to 12 times longer than the basic 802.11 open authentication.
Power-saving capabilities. When a station is about to go into power-saving mode, it first synchronizes with other parties (stations or APs) to buffer its traffic. To break this synchronization, an attacker can induce any state transition triggered by an unprotected event. The power-saving mechanism is thus vulnerable to attacks such as traffic stealing (an attacker claims another station's traffic), artificial delay (traffic for the target is buffered even if the station isn't in power-saving mode, which is especially dangerous for time-critical traffic such as multimedia streams), and sleep deprivation (preventing a station from going into power-save mode by continuously sending traffic to it). In our experience, the 802.11 MAC layer is quite effective at limiting sleep deprivation: a station can't be forced to violate its power-conservation policy. The impact of other attacks depends on the type of traffic the target station exchanges [3].
Cryptography at level 2. We aren't concerned here with classic cryptographic vulnerabilities, such as those found in WEP; rather, we've found that even unbreakable cryptographic mechanisms offer a vulnerable side because they might require computational and energy resources that are quite large for small and mobile devices. The Temporary Key Integrity Protocol (TKIP), the patch the 802.11i standard provided for WEP's weaknesses, adopts simple algorithms to match available computing power [2]. Because this also creates a weakness, TKIP employs countermeasures if it suspects an attack: the attack's targets must stop exchanging traffic, shut down any existing security association, and re-establish new ones. However, these countermeasures could also become a DoS mechanism; doing so ultimately depends on how easy it is to mount a man-in-the-middle attack.

Eliminating or limiting cryptography doesn't necessarily yield a better global power budget because the energy that cryptography requires is just a fraction of that used for radio communication [7]. The energy related to wireless activity is accounted for not only in the WLAN card itself but also in the rest of the platform (mainly the CPU and I/O bus). The processing of an incoming packet requires both the CPU and I/O bus for power, but if a packet is discarded, only the WiFi device requires full power. Thus, discarding invalid incoming packets as soon as possible is vital for mitigating a flooding attack's impact. Because packet verification occurs after packet acknowledgment, an attacker can always make the WiFi device turn on its own transmission circuitry. However, this exposure is negligible due to the ACK frame's shortness and the comparable power consumption of WiFi-receiving and transmitting modes. This choice avoids imposing hard timing constraints on cryptographic operations and allows software implementations in the driver besides the hardware ones on the card.

Upper levels
Applications that deal with personal information are extremely vulnerable to data capture and disclosure. At first glance, home banking might seem to be the most sensitive application, but most banks provide secure access through their SSL channels. The real issue here is privacy: most services typically aren't protected in the network stack's upper layers and carry information that attackers can use to profile and track potential victims. Vulnerabilities typically narrow the available bandwidth, and a narrow channel incurs delays that can hurt real-time services; as noted earlier, multimedia streams in particular are very sensitive to delays in packet delivery because they directly affect quality of service. A possible defense could be to make upper-level protocols able to handle the radio link's unavailability. This is a key research field in networking [8], and the typical goal is to distinguish between congestion and unavailability due to the radio medium's coarse and variable nature.

Lab experience
The analysis we've presented so far raises a key question: how real are the threats we've outlined? To answer that question, we built some attack tools that exploit a few of the vulnerabilities discussed here and tested them against a small WiFi network in our labs. Every test had three key objectives: to understand whether the attack could really be implemented from commercial off-the-shelf components, to determine the actual effects on WiFi activity, and to figure out how to isolate the attack with an intrusion detection module. All the attacks we tested use off-the-shelf hardware and open source device drivers, and are fairly easy to do. We needed a bit of expertise to design them, but we believe anyone with adequate knowledge of Linux and wireless networks can use them effectively. Under some attack conditions, the target network was completely blocked for the test's whole duration. A packet capture engine could detect almost all the attacks, and all of them introduced various anomalies in network behavior.

Deauthentication and EAP-Logoff
We implemented our attacks via the libwlan open source packet injection library and gradually raised the injection rate of spoofed frames. The network was blocked at a rate of one spoofed frame every second for the deauthentication attack and every two seconds for the EAP-Logoff attack. The re-authentication time was approximately 35 ms for 802.11 open authentication and grew 12 times for the EAP-TLS authentication method. The observed anomalies were a high number of deauthentication/EAP-Logoff frames followed by a new authentication/EAP-Start sequence.

MAC-level jamming
Our version of the jamming attack consisted of a special test mode already available in the devices we used, which gave us continuous transmission regardless of MAC-level access rules. This caused constant collisions with every other station in the cell, which was then totally blocked. Because colliding stations back off and don't transmit for some time, we didn't need to perform full-time jamming; we only had to send small bursts of noise. Our tests showed that a 10 percent jamming period was enough to halt transmission in a cell, and as a side effect, most of the devices cleared their association information after missing a small number of beacon frames from the AP. The jamming effect spanned across three adjacent WiFi channels, but this attack didn't require packet injection techniques and thus was hardly detectable with a network-layer intrusion detection system.

Multimedia performance
By forging the appropriate frame (for example, an empty data frame with the power management bit set), we could make the AP believe that the victim was in power-save mode so that it could start buffering traffic for it. This caused delays in traffic delivery, which especially hurt our real-time traffic; in fact, we could stop a Real-Time Protocol (RTP) flow with this attack. Of course, the victim's precise behavior depends on the power-save mode's device driver implementation. But some drivers always react upon receipt of the traffic information map (TIM; it's part of every beacon frame and announces the presence of buffered traffic) and tell the AP that they're not in power-save mode, thus mitigating the attack's effects. Other drivers ignore the TIM if the station isn't in power-save mode and thus suffer the attack's whole effects.

Thus far, we've made it clear that WiFi isn't ready for critical applications, mainly because of its intrinsic robustness problems. But next-generation wireless networks need modern security features, and WiFi will have to provide extensions and changes to maintain its supremacy among the various wireless data technologies.

Jamming attacks have so far gone unstopped, and their effects are devastating. Researchers have suggested various approaches to thwarting them [9], but a recent approach to detecting them is to monitor the channel and share what each node sees, to create a global view of the network [10]. The idea is to detect the jam via node cooperation because a single node can't distinguish jamming from channel saturation. Any approach that improves wireless networks' anonymity could also help with robustness: the traffic related to a specific node would be more difficult to select and jam [10, 11].

At the physical level, a new radio technology that can greatly help with robustness problems is ultra wide band (UWB) [12]. Despite some standardization delays, it's expected to hit the mass market soon as a radio layer of the USB wireless extension. UWB could potentially exploit its extremely large bandwidth to hide communication channels by coding or frequency hopping, which makes interception harder and jamming at least more manifest. Unfortunately, current UWB standardization efforts for wireless personal area networks are heading toward a fully shared MAC layer, which removes any formerly available potential benefits. Nevertheless, UWB still offers a key security property: it supports fine-grain location of transmitting nodes. In general, knowledge of exact locations can help prevent man-in-the-middle attacks, and inconsistencies between a node's actual position and the one the peer perceives can point out the presence of an attacker in the middle. Clearly, location verification must also be secured, but node location with the current 802.11 technology is a complex problem [13]. In corporate environments, some proprietary commercial solutions for attacker location are available, but they're based on the coordination of several homogeneous, centrally managed APs.

The main research issue is how to design a robust secure wireless channel, but this field lacks both theoretical and practical literature. The general problem here is how to identify and reject fake events at the MAC level. In some cases (such as with man-in-the-middle attacks), the MAC layer can quickly identify malicious events by making security mechanisms aware of specific wireless information, such as frequency, location, or distance. We can easily extend some 802.11 frames (notably, the ones for cell advertisement, node authentication, and association) to carry additional pieces of information. We can address other vulnerabilities, such as the deauthentication attack, with short-term fixes: for example, a spoofed deauthentication frame can be detected (and discarded) by waiting for further traffic from the victim. We can extend the same trick to mitigate similar vulnerabilities in EAP.

When trying to generalize the approach to detecting fake MAC-level events, the natural direction is to extend classic intrusion detection techniques for typical wireless mechanisms [14]. In general, anomaly-based intrusion detection techniques are the most likely to be widely applied to wireless networks because they can detect new and previously unknown attacks. Anomaly detection is especially important in wireless networks because they're used with mobile nodes and in many different scenarios that have different security policies. Anomaly detection typically uses data-mining techniques and requires cooperation among all the nodes in the network, especially for traffic monitoring and event correlation [15]. However, data mining isn't needed when an attack's characteristics are well known: it's easy to detect the desynchronization attack, for example, by looking at some statistical property of the resulting traffic.

Naturally, we advocate more research that ultimately builds robust and opaque wireless channels; such features will help WiFi become a fundamental building block for critical applications. Research is ongoing in the use of WiFi technology in industrial environments [16].
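
The two detection ideas above (treating a deauthentication or EAP-Logoff as suspect when the claimed sender keeps transmitting, and counting the teardown/re-authentication cycles reported in the lab section) can be sketched as follows. This is an added example, not the authors' intrusion detection module; the frame record layout, the thresholds, and the MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed tuning values (not from the article); adjust to the monitored cell.
GRACE_S = 0.5          # how long to wait for further traffic after a teardown
CHURN_WINDOW_S = 10.0  # sliding window for counting teardown -> setup cycles
CHURN_THRESHOLD = 3    # cycles per window that raise an alert

TEARDOWN = {"deauth", "eap-logoff"}  # unauthenticated "logout" events
SETUP = {"auth", "eap-start"}        # start of a new authentication


@dataclass(frozen=True)
class Frame:
    """One frame as a passive capture engine would report it (assumed layout)."""
    t: float   # capture timestamp in seconds
    kind: str  # "data", "deauth", "auth", "eap-logoff" or "eap-start"
    src: str   # transmitter address claimed in the unauthenticated header
    dst: str   # receiver address


def spoofed_teardowns(frames, grace=GRACE_S):
    """Return teardown frames contradicted by later traffic from their claimed sender.

    A station that really left does not keep sending data without first
    re-authenticating, so data from the same claimed source inside the grace
    period marks the teardown as likely spoofed.
    """
    pending = {}  # (src, dst) -> teardown frame still inside its grace period
    flagged = []
    for f in sorted(frames, key=lambda x: x.t):
        key = (f.src, f.dst)
        held = pending.get(key)
        if held is not None and f.t - held.t > grace:
            del pending[key]  # grace expired with no contradiction: accept it
            held = None
        if f.kind in TEARDOWN:
            pending[key] = f
        elif f.kind in SETUP:
            pending.pop(key, None)  # sender re-authenticated: consistent
        elif f.kind == "data" and held is not None:
            flagged.append(held)
            del pending[key]
    return flagged


def reauth_churn(frames, window=CHURN_WINDOW_S, threshold=CHURN_THRESHOLD):
    """Return {link: cycles} for links with many teardown -> setup cycles in a window."""
    open_teardown = set()
    cycles = defaultdict(list)  # link -> timestamps of completed cycles
    alerts = {}
    for f in sorted(frames, key=lambda x: x.t):
        link = tuple(sorted((f.src, f.dst)))  # direction-independent pair
        if f.kind in TEARDOWN:
            open_teardown.add(link)
        elif f.kind in SETUP and link in open_teardown:
            open_teardown.discard(link)
            recent = [t for t in cycles[link] if f.t - t <= window] + [f.t]
            cycles[link] = recent
            if len(recent) >= threshold:
                alerts[link] = max(alerts.get(link, 0), len(recent))
    return alerts


# Constructed sample capture (locally administered MAC addresses).
STA1, STA2, AP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"
SAMPLE = [
    Frame(0.00, "data", STA1, AP), Frame(0.50, "data", STA2, AP),
    # Three teardowns claiming to come from STA1 while STA1 keeps sending.
    Frame(1.00, "deauth", STA1, AP), Frame(1.02, "data", STA1, AP),
    Frame(1.05, "auth", STA1, AP),
    Frame(2.00, "deauth", STA1, AP), Frame(2.03, "data", STA1, AP),
    Frame(2.06, "auth", STA1, AP),
    Frame(3.00, "deauth", STA1, AP), Frame(3.01, "data", STA1, AP),
    Frame(3.05, "auth", STA1, AP),
    # STA2 leaves for real: no further traffic follows its deauthentication.
    Frame(4.00, "deauth", STA2, AP),
]

if __name__ == "__main__":
    for d in spoofed_teardowns(SAMPLE):
        print(f"t={d.t:.2f}s suspicious {d.kind} claiming {d.src} -> {d.dst}")
    for link, n in reauth_churn(SAMPLE).items():
        print(f"link {link}: {n} teardown/re-auth cycles within {CHURN_WINDOW_S}s")
```
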

Acknowledgments
The work described in this article is part of the activities performed at the e-security joint lab between the Politecnico di Torino and the Istituto Superiore Mario Boella. We especially thank Daniele Mazzocchi for his many useful discussions on wireless network security.

References
1. N. Borisov, I. Goldberg, and D. Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11," Proc. 7th ACM Int'l Conf. Mobile Computing and Networking, ACM Press, 2001, pp. 180-189.
2. B. Potter, "Wireless Security Future," IEEE Security & Privacy, vol. 1, no. 4, 2003, pp. 68-72.
3. J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions," Proc. 11th Usenix Security Symp., Usenix Assoc., 2003, pp. 15-28.
4. S. Capkun and J.P. Hubaux, "Securing Position and Distance Verification in Wireless Networks," tech. report EPFL/IC/200443, Swiss Federal Inst. of Tech., May 2004.
5. C. Ware, T. Wysocki, and J.F. Chicharo, "Hidden Terminal Jamming Problems in IEEE 802.11 Mobile Ad Hoc Networks," Proc. IEEE Int'l Conf. Communications (ICC), IEEE CS Press, 2001, pp. 262-265.
6. V. Gupta, S. Krishnamurthy, and M. Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks," Proc. IEEE Military Communications Conf. (MILCOM), IEEE CS Press, 2002, pp. 1118-1123.
7. D.W. Carman, P.S. Kruus, and B.J. Matt, "Constraints and Approaches for Distributed Sensor Network Security," NAI Labs tech. report #00-010, NAI Labs, Sept. 2000.
8. S. Mascolo et al., "TCP Westwood: Bandwidth Estimation for Enhanced Transport over Wireless Links," Proc. 7th ACM Int'l Conf. Mobile Computing and Networking (MOBICOM), ACM Press, 2001, pp. 287-297.
9. W. Xu et al., "The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks," Proc. 6th ACM Int'l Symp. Mobile Ad Hoc Networking and Computing, ACM Press, 2005, pp. 46-57.
10. A.R. Beresford and F. Stajano, "Mix Zones: User Privacy in Location-Aware Services," IEEE Int'l Workshop on Pervasive Computing and Communication Security (PerSec), IEEE CS Press, 2004, pp. 127-131.
11. J. Kong and X. Hong, "ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Ad-hoc Networks," ACM Int'l Symp. Mobile Ad-Hoc Networking and Computing, ACM Press, 2003, pp. 291-302.
12. L.E. Miller, "Why UWB? A Review of Ultrawideband Technology," WCTG Report for Darpa, Nat'l Inst. Standards and Technology Wireless Comm. Technologies Group, Apr. 2003.
13. J.W. Branch et al., "Autonomic 802.11 Wireless LAN Security Auditing," IEEE Security & Privacy, vol. 2, no. 3, 2004, pp. 56-64.
14. M. Raya, J.P. Hubaux, and I. Aad, "DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots," ACM MobiSys, ACM Press, 2004, pp. 84-97.
15. Y. Huang and W. Lee, "A Cooperative Intrusion Detection System for Ad-Hoc Networks," ACM Workshop on Security of Ad-Hoc and Sensor Networks, ACM Press, 2003, pp. 135-147.
16. D. Brevi et al., "A Methodology for the Analysis of 802.11a Links in Industrial Environments," IEEE Int'l Workshop on Factory Comm. Systems, IEEE CS Press, 2006, pp. 165-174.

Marco Domenico Aime is a research assistant of computer engineering at the Politecnico di Torino. His research interests include wireless network security, trusted computing, and dependability analysis of large systems. Aime has an M.Sc. and a PhD in computer engineering from Politecnico di Torino. He is a member of the IEEE and the ACM. Contact him at marco domenico.aime@polito.it.

Giorgio Calandriello has an M.Sc. in computer engineering and is a PhD student in the same field at the Politecnico di Torino. He started working on wireless security with his master's thesis, exploring the issues of dependability and denial-of-service attacks. Contact him at giorgio.calandriello@polito.it.

Antonio Lioy is a professor at the Politecnico di Torino, where he leads a research group active in information systems security. His research interests are in the fields of network security, PKI, and policy-based system protection. Lioy has an MSc in electronic engineering and a PhD in computer engineering. He is a member of the IEEE and the IEEE Computer Society. Contact him at lioy@polito.it.