Wireless LAN Risks and Vulnerabilities 

 

A scan of today's network marketplace indicates that wireless networking is ready for deployment in businesses, even in preference to the wired networks that are now commonplace. The ability to install a local area network (LAN) and to move network stations without the cost of installing or modifying cabling in already-built facilities is a major benefit of this technology. Since the mid-1990s, the technical standards underlying these networks have evolved from multiple proprietary specifications into a few generally agreed-upon international standards. This, in turn, has provided the ability to construct networks comprised of products from more than a single vendor. Network speeds have risen from a few hundred kilobits per second to at least 10 megabits per second, rates that are fully competitive with wired 10BaseT Ethernet networks. This has made the mobile use of wireless networks not only possible but also feasible, and they can be found in many airport clubs, hotels, office buildings and even Starbucks coffee shops.1, 2 To make things even more attractive, prices have fallen and nearly 20 percent of companies surveyed by Sage Research now have installed wireless networks.3

Wireless LANs, however, still have their problems. Connecting network elements by radio waves instead of wires presents many challenges. From the reliability standpoint, it is difficult to predict a priori the dependable coverage of a wireless network radio inside a building. This is largely because building construction varies widely, and things like steel beams and heavily plastered walls severely attenuate radio waves. Even for external structures, predicting coverage is difficult due to radio propagation issues, such as multipath fading, which are probabilistic and not deterministic. Perhaps more troubling is that, by their very nature, wireless LANs broadcast data into space, where they can be intercepted by anyone with the ability to listen in at the appropriate frequency. Worse, the very features that facilitate itinerant use of wireless LANs also enable interlopers to easily enter such networks unless measures are taken to mitigate those threats.4 That presents a major security risk. In addition, although speeds are comparable to 10BaseT Ethernets, they still are much slower than 100BaseT Fast Ethernet.

This article provides an overview of how wireless LANs work, while reviewing the risks, vulnerabilities and threats that affect wireless networks differently than their wired brethren.

Wireless LAN Technology

At root, all wireless LANs are radio networks. The signals traveling among the network stations are high-frequency signals in the range of 10 MHz to 300 MHz or higher. What distinguishes wireless LANs from their wired kin is that wired networks attempt to confine these signals to cables and view signal emanation from the network cables as a problem. Wireless networks deliberately broadcast their data as radio waves, and then receive them out of the air to complete the network connection. As with entertainment radio and television, it is not practical to broadcast the network backbone signals directly, so a process known as modulation impresses them onto another radio frequency--the carrier.

The types of modulation used for wireless LANs fall into the category known as spread spectrum. Spread spectrum signals occupy a large portion of the assigned radio spectrum, rather than being narrowly centered on the carrier frequency, as is customary with radio and television stations. Military applications drove the development of spread spectrum technology. One advantage of spread spectrum is that it is tolerant of interference from narrow-band signals (as are radio and television stations) than are narrow-band modulation techniques. This advantage is achieved at the cost of increased complexity. Fortunately, modern large-scale integration (LSI) technology makes it possible to realize a practical and affordable spread spectrum system on just a few, or even a single, integrated circuit.

There are two primary types of spread spectrum modulation used for wireless LANs:5

  • Frequency hopping spread spectrum (FHSS) is a system wherein the transmitter constantly changes frequency within an assigned range, remaining only a short time on each frequency visited. Clearly, the transmitter and receiver must shift frequencies (hop) in step, which requires that they share a key containing the hop sequence. US Federal Communications Commission (FCC) rules require that, in the most-used bands, the hop sequence using channels spaced at 1 MHz intervals must cover at least 75 channels in the assigned band and not remain on any single channel for longer than 400 milliseconds in any 30-second period.6
  • Direct sequence spread spectrum (DSSS) achieves the spreading of the signal by modulating the data with a key sequence known as the chipping code. The result of this operation is a signal spread across the desired frequency band, as is achieved with FHSS. DSSS generally can support higher data rates than FHSS, and is more tolerant of most types of interference. Like FHSS, it requires that transmitter and receiver share a secret, in this case, the chipping code.

It is important to note that wireless networks, as a direct result of the type of modulation they employ, are private key systems. All stations on a given network share a common key. This facilitates management, but causes security problems.

Another type of modulation, orthogonal frequency division multiplexing (OFDM), is planned for use when high-speed wireless LANs become available. In essence, OFDM involves splitting the input data into several parallel streams, modulating each stream onto a separate carrier frequency, then demodulating all the carriers at the distant end and recombining the data into a replica of the original.

Wireless LANs available and planned at this time operate in one of three radio bands designated as industrial, scientific and medical (ISM). These bands are located at 900 MHz (902-928 MHz), 2.4 GHz (2400-2483.5 MHz) and 5.8 GHz (5725-5850 MHz).7 Devices that also operate in these bands are microwave ovens (in the 2.4 GHz band) and cordless telephones (in both the 900 MHz and 2.4 GHz bands). The 5.8 GHz band is not yet in wide use, but that almost certainly will change before long.8 The attraction of the ISM bands is that under Part 15 of the FCC Rules, the equipment operator requires no license to operate radio equipment at those frequencies.9 The only requirement is that the equipment has been certified by the manufacturer to the licensing authority (a government agency) as meeting the technical requirements established by the agency for operation within the ISM band. Those requirements include specifying modulation type, power output and assurance that the device does not put the operator at risk.

This attraction has an ugly side, however. Equipment that operates under the Part 15 FCC Rules must share this spectrum on a noninterference basis with licensed users in the same band.10 Simply put, wireless LANs must not cause interference to licensed users in the ISM frequency band, and must accept any interference they encounter. This is a significant design and operational challenge, and it is a testament to the state of modern technology that these systems operate at all, much less at high data rates in critical applications.

A recent alternative is the addition of an Unlicensed National Information Infrastructure (UNII) 5GHz band, which supports high data rates and promises less interference than the ISM bands.

Like cordless telephones, wireless LANs are used primarily as extensions of fixed networks. They are connected to the fixed network by an access point, which functions as a bridge between the fixed and wireless portions of the network. Although wireless LANs are basically Ethernets, another protocol suite is required to ensure interoperability. Table 1 shows the predominant wireless LAN standards. The Institute of Electrical and Electronics Engineers (IEEE) has published a draft standard, IEEE 802.11e. Its purpose is to add quality of service specifications and maintain backward compatibility with the earlier 802.11 variants. This is intended to resolve a major shortcoming with the existing 802.11 family, namely the lack of quality-of-service standards.11 It is still in the comment stage.

Table 1

The other major WLAN standards issue is the perennial North America/European Union contest. The existing standards for WLANs within the European community are HiperLAN and HiperLAN/2, summarized in table 1. It can be argued that the HiperLAN standard is technically superior to 802.11, but the 802.11 family market share continues to grow, possibly owing to the 5 to 15 percent price premium for HiperLAN/2. The IEEE has introduced a new variant of 802.11a, named 802.11h, which adds transmit power control (TPC) and dynamic frequency selection (DFS) to the 802.11a standard to deal with particular interference problems found in Europe, where the 5 GHz band is shared with defense establishment and NATO radars and satellites.12 At least one vendor, Philips, has decided that the future lies with the 802.11h standard and is tooling its silicon foundry to produce chips solely to implement that standard.13

There still are issues with interoperability among devices of different makes that implement the same technical standard, but these are being resolved slowly as a result of market pressures. However, it is important to note that with the exception of backward compatibility from 802.11b to 802.11, devices using the standards above are not interoperable (802.11a and 802.11h interoperability is yet to be resolved).

Wireless LAN Vulnerabilities and Risks

In addition to all the vulnerabilities common to wired networks, wireless LANs introduce a new series of risks. The critical vulnerabilities are eavesdropping, illicit entry into the network and denial of service. Some users may perceive they are at risk from being exposed to radio wave energy, but there is no credible research supporting this thesis, and US FCC Part 15 certification requires that devices meet the government standard for exposure.

Because it is by far the most popular wireless LAN standard at this time, the following discussion will be limited to the variants of the IEEE 802.11 standard. Only the specifics of vulnerabilities and performance discussed herein are pertinent to that series of networks. The modalities of risk are the same for all types of wireless LANs. In other words, all wireless LANs face the same population of risks to message confidentiality, integrity and authenticity as is faced by the 802.11 series. Only the technical details of dealing with those threats differ from standard to standard.

Eavesdropping
By their nature, wireless LANs radiate network traffic into space. Once that is done, it is impossible to control who can receive the signals. So, it must be assumed in any wireless LAN installation that the network traffic is subject to interception and eavesdropping by third parties. The obvious solution to this problem is to encrypt the data stream. The 802.11 standards provide for doing precisely that. Unfortunately, the implementation of this solution is less than perfect.

To provide security on wireless LANs, the 802.11b standard provides for wired equivalent privacy (WEP). WEP uses 40-bit static keys and RC4 encryption.14 There are several problems with the implementation of this approach. First, WEP is an option. It is not activated by default in shipped products, and it reduces raw throughput by as much as 50 percent. To make matters worse, it is widely believed that many network administrators are unaware the feature even exists. Consequently, most operating networks have not enabled WEP.15 In such a situation, the network is broadcasting all network traffic in the clear for the benefit of all who can intercept it. That is hardly a secure mode of operation. Worse, it turns out that WEP itself is fatally flawed. A committee of the IEEE responsible for WEP and other wireless LAN standards has approved a fix for this flaw.

The WEP approach to cryptography sounds secure: WEP encrypts every packet with a different key. However, WEP does not properly implement the RC4 initialization vector. It uses a straightforward and predictable way of incrementing the vector from one packet to the next. Coupled with weak key management and a restricted key space, WEP is demonstrably insecure. Early in 2001, researchers at the University of California, Berkeley (USA), provided theoretical proof that the WEP security scheme could be broken.16 More recent efforts by other researchers using those techniques succeeded in breaking the key on an actual network in a few hours the first time they tried, and in much less time on subsequent attempts.17 Researchers also have shown it is possible to listen to packets, inject packets and alter packets on wireless LANs using WEP.18 As if these findings were not enough, the WEP password scheme also has been found to be flawed with the result that an intruder can gain access to some WEP-protected networks in as little as 30 seconds.19

The root cause of this problem has been reported as being solely the RC4 encryption scheme. However, a more accurate description is that WEP was created without thorough understanding and public review of the cryptographic primitives that were combined to form it, and it is required to perform several security functions simultaneously: authentication, integrity and confidentiality.20 The result is that WEP alone--as it is exists at this writing--cannot be relied upon to secure the wireless network.

The IEEE has also proposed an updated standard, WEP2, to address these shortcomings. WEP2 uses 128-bit encryption and a 128-bit initialization vector. However, it still relies on RC4 encryption and still is assessed as being vulnerable to the attacks described previously.21 The IEEE has further undertaken to define an enhanced security network standard that will use the newly adopted Advanced Encryption Standard (AES), which is replacing the Digital Encryption Standard (DES) in use since the 1970s. Commercial products incorporating this new standard will be introduced in 2002. However, compatibility issues will remain.

There clearly are technologies that can be employed to provide cryptographic level confidentiality beyond what is offered by WEP. The researchers who "broke" WEP recommend treating all wireless networks as being outside the firewall and using higher-level protocols, such as SSH or IPSec, to provide security. Another approach is an overlaid proprietary cryptographic schema based on the MD5 algorithm from NextComm.22 There doubtless will be other approaches in the near future. The problem is that these further reduce throughput, increase complexity, potentially add proprietary hardware and/or software and reduce network ease of use for the end users.

In the midst of all this dreary news about wireless security, one should realize that absolute security was never the goal of WEP. Of course, absolute security is impossible. The goal of WEP was to provide a level of security commensurate with that found on wired LANs. One can argue that, despite its cryptographic problems, WEP has achieved that goal. Wired networks are not generally very secure unless protected by measures beyond those provided by the network protocols. Many have experienced connecting a computer to a wired LAN and being able suddenly to access resources to which they had no right.23 This is a common problem, usually controlled by limiting which computers may physically connect to the LAN. However, in the wireless domain, it is more difficult to limit who can connect to the LAN, so WEP--despite its shortcomings--is an important tool in the overall management of network security.

Illicit Entry
Wireless LANs could be used just to network fixed computers, thereby avoiding the costs of cabling. Usually, however, they are used to interconnect highly mobile user populations provisioned with laptop computers. The very nature of the wireless protocols is to make the network user friendly by facilitating connection to an access point--and thus the entire network--as the user moves about. That is to say, the system has weak authentication. One can think of the cellular telephone network as a rough analog: the cellular network would not be nearly as useful, if users could not move about freely in their home areas and away from home. Unfortunately, the very feature that makes wireless LANs so useful also opens a major security hole.

Wireless network equipment, as configured out of the box, is generally set so the network name is a default name for public access and all network interface cards that conform to the standard of the network (e.g., 802.11b) can readily connect to the system. Few network administrators bother to change the level of access to something more restrictive than the default. The wireless access point advertises its presence and its network name, and when a wireless client senses the access point, the client attempts to connect to the network. Unless the ability to connect is somehow restricted, the connection attempt will succeed, and another user will have been added to those already supported. As wireless LANs primarily serve to extend wired networks, the view this newcomer has of the network may be quite extensive, and the resources available may include many not intended for casual visitors. This is virtually identical to the situation with wired networks. The difference is that one must gain physical access to a wired network in order to connect to it. With a wireless LAN, one only has to be in the vicinity. As it happens, the vicinity may be rather large.

Depending on the structural elements in the path, a wireless LAN signal may be usable for distances of approximately 500 meters. While this is helpful from a coverage standpoint, it is not helpful from a security standpoint. Using directional antennae, one can detect wireless network signals at distances up to eight miles (12.8 kilometers) from the network node.24 In such a situation, someone can connect to a network from outside the perimeter of a place of business and probably without the organization's knowledge. The ability of unauthorized users to join wireless networks without detection has been demonstrated repeatedly and has appeared in the mainstream media. One researcher has stated publicly that "hackers can travel the entire length of Market Street in San Francisco 'and basically not lose 802.11 coverage' while picking up wireless LAN signals in their cars."25 Software, freely available on the Internet, readily turns a laptop computer with a wireless network card into a tool that detects wireless networks, presents the user with the network identification and information about encryption being used, and then allows the user to log into unprotected wireless networks.

Large networks that cater to itinerant users are more or less forced to accept the poor authentication provided by WEP. It would not do if one had to register in advance to use a network in a public airport space, for instance. However, smaller networks have an option that can help. It is possible to restrict access to the network to those network nodes whose media access control (MAC) addresses are known in advance by the access point. For small wireless networks with a stable user population, this is an attractive option. Remember, although this will make it harder for interlopers to join the network, it will remain possible. Moreover, it will do nothing about the eavesdropping risk.

Denial of Service
A denial-of-service (DoS) attack is one wherein the attacker attempts to render the target network unable to serve its legitimate users. In the wired domain, many have become accustomed to protocol-based attacks, such as the "Ping of Death," which seek to overwhelm the target network with traffic forcing the network servers to crash. This type of attack also is effective against wireless networks.

In addition to protocol-based DoS attacks, wireless networks are vulnerable to a denial-of-service attack that is not viable against their wired brethren. Because their signals must travel through the public airwaves rather than in protected cables, wireless networks are extremely vulnerable to radio interference, either deliberate or accidental. Accidental interference occurs all too often owing to the shared nature of the bands in which these networks operate. It is very common for a wireless network, or a portion of it, to become unusable when a cordless telephone is operating in the same band and in physical proximity to the wireless node. It also is common for one wireless network to interfere with another nearby network, often making both useless.

Deliberate jamming attacks are not as common as accidental interference, but they are certainly straightforward. All that is required is to set up a transmitter covering the band where the wireless LAN operates and ensure that the transmitter has sufficient power to overwhelm the relatively weak LAN nodes. As it happens, the most ubiquitous occupant of the 2.4 GHz ISM band is the microwave oven. Microwave ovens are supposed to operate at a single frequency in that band, but their frequency stability is poor. A devious user can make the frequency stability deliberately worse, so that the oven frequency covers many of the channels assigned for use by the wireless LAN. Wireless network nodes operate at power outputs of no more than a watt and usually less. With minor modification, the typical microwave oven, which operates at power output levels of around 600 watts, can become a practical jammer for wireless LANs. When designing a wireless LAN, involving a competent radio engineer to do a survey of existing signals in the frequency band of interest and assessing the likelihood of introducing jammers into the vicinity is usually money well spent. Periodic resurveys are a wise precaution. Wireless LAN users must be sensitive to the potential for both deliberate and accidental interference and have a plan for dealing with interruptions this may cause.

Summary

It is impossible in an article of this length to exhaustively cover all the risks and vulnerabilities pertaining to wireless LANs. The most severe and most common vulnerabilities have been covered, namely eavesdropping, illicit entry of outsiders into a network and radio interference.

Protecting a wireless network requires forethought and planning, just as protecting a wired network does. Among the key protective measures to be undertaken are:

  • Not relying on WEP to provide security for the network
  • Limiting, as much as is possible, who can attach to a network
  • Surveying the interference and jamming likelihood for a planned wireless LAN before it is installed

By understanding and dealing properly with the risks and threats unique to the wireless domain, a wireless LAN can be a valuable--and appropriately secure--addition to a wired enterprise network.

Endnotes

1 Marsan, Carolyn Duffy, "Starbucks Wireless Network a Sweet Deal for MobileStar," Network World, 25 June 2001
2 Meeks, Fleming, "The Next Big Thing," Barrons, Vol. LXXXI, No. 46, pp. 29-30, 12 November 2001
3 Williams, Gerald, "CrossNodes Briefing: Wireless LAN Connections," CrossNodes, 14 May 2001
4 Gomes, Lee, "Many Wireless Networks Open to Attack," The Wall Street Journal Online, 27 April 2001
5 Williams, Gerald, op. cit.
6 Code of Federal Regulations, Title 47, Section 15.247(a)(1)(iii), US Government Printing Office, 1 October 2000
7 47 CFR § 15.247.
8 Cox, John, "High-speed Wireless LANs Are Coming," Network World, 9 April 2001
9 47 CFR § 15.1
10 47 CFR § 15.247(h)
11 Courtney, Martin, "Wireless LANs Get in a Tangle," IT Week (UK), 26 November 2001
12 Evers, Joris, "Too Many Standards Spoil Wireless LAN Soup," IDG News Service, 2 January 2002
13 Fell, Nolan, "Philips Sees No Future in HiperLAN/2 Chips," EE Times UK, 29 October 2001
14 Garcia, Andrew, "WEP Remains Vulnerable," eWEEK, 26 March 2001
15 Simonds, Wes, "Bad Packets: WLAN In, WEP Out," SearchNetworking, 17 September 2001
16 Fluhrer, S., I. Mantin and A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4," Eighth Annual Workshop on Selected Areas in Cryptography, August 2001
17 Stubblefield, Adam, John Ioannidis and Aviel D. Rubin, "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP," AT&T Labs-Research, Florham Park, New Jersey, USA, 6 August 2001
18 Verton, Dan, "Flaws in Wireless Security Detailed," Computerworld, 16 July 2001
19 Lemos, Robert, "Wireless Networks Wide Open to Hackers," CNET News.com, 12 July 2001
20 Simonds, op. cit.
21 Verton, Dan; and Bob Brewin, "New Wireless LAN Vulnerabilities Uncovered," Computerworld, 9 August 2001
22 Stevenson, Ted, "New Encryption Technology Closes WLAN Security Loopholes," Internet News, 13 September 2001
23 Mittag, Larry, "Hacker's Delight," Communication Systems Design, 2 April 2001
24 Verton, op. cit.
25 Verton, op. cit.

Richard A. Stanley, Ph.D., PE, CISSP
is vice president of Wheeler Associates, Limited, a technology and educational consulting firm outside Boston, Massachusetts, USA, which specializes in custom security solutions. He has more than 35 years', experience with telecommunications and security systems and has directed research in those areas for both the US government and the private sector. He is a member of the New York Electronic Crimes Task Force and is an adjunct professor at Worcester Polytechnic Institute and at Suffolk University.

Information Systems Audit and Control Foundation (ISACF) is currently conducting a research project on wireless communications. Because wireless communications transcend traditional and regulatory boundaries, they pose significant technical challenges, as well as greater challenges in the areas of control, security and audit. This project will provide both a technical and functional assessment and will be written from a business and risk management perspective. Completion is scheduled for first quarter 2002. Look to the ISACA web site (www.isaca.org) for a white paper on the subject, as well as a technical reference guide to assist both business users and assurance, control and security professionals.