
Wireless Security - A Primer

Submitted by daemonchild on Sat, 2010-01-09 - 23:53

Wireless networks are desirable to many organisations because they increase workforce flexibility and save cabling costs. In older offices, listed buildings, and businesses based in the outdoors, wireless may be the only way to provide network access to all parts of the workplace environment. Some businesses even provide wireless networks to reach out to visitors and customers to entice them into their premises and allow them to work from there. Wireless networks will enable the coming myriad of tablet and slate machines to function as seamless Internet terminals. They are here to stay.

For all their flexibility and low cost, securing wireless networks is one of the most challenging infrastructure security tasks that a network manager needs to consider. The broadcast nature of the radio technologies that underpin wireless Ethernet (WiFi) networks means that the signals can be picked up in areas where they were not intended to be received – including outside of the business premises. Turn on a wireless network transceiver in any city and many tens of networks will be detected within a few seconds. Many of these will be ‘leaking’ outside of their intended reception range. The radio waves used to carry WiFi networks typically have a range of forty-five metres indoors and ninety metres outdoors. (0) This can mean that they can be picked up far outside the building that they are intended to serve.

This broadcast-based technology is the root cause that underlies all the security problems, vulnerabilities and eventual attacks that this article will discuss. With wired networks it is very hard to intercept data without intruding physically into the building under attack. A network tap would have to be located inside the core network of the business. This approach is potentially dangerous to liberty and takes a dedicated and brave individual to make the attempt. Wireless networks, on the other hand, take away any of this danger. They simply beam the network right to a potential attacker. Naturally, one of the primary attacks against wireless networks is the interception of these broadcast signals. Even if these signals are encrypted, access to the data inside is only delayed as long as the encryption key remains uncompromised. It is sensible to assume that a key can be found eventually. A discussion of WiFi encryption mechanisms follows later in this article.

A second attack against wireless networks is denial of service. Unfortunately, this is very easy to achieve. In fact, the very prevalence of wireless technologies can cause denial of service due to the frequency allocations assigned. The radio frequency bands used by WiFi networks are 2.4GHz and 5GHz. The lower frequency band in particular is an open access range that has been made available for low power use by licensed manufacturers. The end user of the equipment does not require a license at the point of use provided that the power output of the equipment does not exceed the specified limit.

There are not many of these open access bands available in the crowded allocated frequency spectrum. This means that vendors of business and consumer radio equipment alike prize this range. The 2.4GHz range is not used by any other ‘more important’ licensed radio technologies because it is the harmonic frequency at which water molecules vibrate. This is the way in which microwave ovens work. They excite the water molecules inside the food to be heated at 2.4GHz. These excited molecules exhibit this additional energy as heat; the food gets hot and cooks. This phenomenon can cause problems for radio transmissions in this frequency range. If the atmosphere contains a large amount of moisture (such as in a steamy kitchen or factory floor) it can become opaque to these radio waves.

Common technologies using this frequency range are WiFi, HyperLAN, Bluetooth, DECT, low-power remote control of toys such as miniature model aircraft and cars, and microwave ovens. This over-allocation may cause some disruption and collision between technologies using this frequency range. In practice, there is surprisingly little perceived interference because the radio technologies in use layer error correction and recovery protocols over the broadcast mechanism. Unfortunately, there is increased overhead in error correction, which reduces the effective bandwidth of the network.

Malicious denial of service is effected simply by blocking these frequencies. This can be achieved by blocking the channel being used by the target network using another WiFi device and an all-out packet flood. It is possible to transmit tens of thousands of packets per second, effectively flooding the available bandwidth ‘in the air’. It is not possible to attack a wired network in this way without much more intimate access to the network.

A second, more effective – if dangerous – attack is to use an unshielded microwave generator such as that found in an oven. This would provide some 800 watts of output as opposed to a typical WiFi network at 5 watts maximum; the effect on WiFi networks would be devastating. While this sounds extreme, it is entirely possible that this kind of attack might be used against a city block where the density of wireless networks affected would be highest.

The third main attack against a wireless network is to gain unauthorised access. This attack is widely perpetrated against home wireless users because a large number of them do not use any mechanism to secure access to their network. For most consumer networks, the primary aim of wireless networking is to allow one or more laptops to connect conveniently to a shared Internet connection. If no protection mechanisms are configured then anybody with a suitable wireless device can use that same Internet connection for free. Why pay for broadband yourself when you can borrow bandwidth from a neighbour? One worry is that any illegal activities carried out by the unwanted visitor using the network can be attributed to the subscriber.

There is an even more sinister aspect to this attack even in the home environment, however. Using wireless it is fundamentally possible to gain access to systems connected to the target home network. This might include stealing files, music or executing malicious code to gain administrative access to the system. Identity theft, access to bank and other online accounts might be possible through this mechanism.

In the UK, there have been arrests where unauthorised access to wireless networks has been suspected. The UK Communications Act of 2003 states that a "person who (a) dishonestly obtains an electronic communications service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence".

If this is a worry for the home user, then the corporate network administrator has bigger nightmares. While wishing to provide wireless networks there is the very real risk of network intrusion over this medium. A network manager would be sacked for trailing a long Ethernet cable from their core switch out onto the unprotected pavement outside their building. When they use wireless networks they could be said to be doing exactly this. The ‘cable’ is broadcast radio, but the analogy is sound.

If an attacker can gain access to a wireless network that forms part of the internal corporate environment then they may as well be sat at a desk inside the building. The same problems of data theft, malicious access and bandwidth erosion are possible on the corporate network too. The impact of these intrusions could be much greater in financial and reputational terms.

So even early versions of the WiFi standards had provision for network encryption and access control. The first attempt was known as Wired Equivalent Privacy (WEP) and was included in the IEEE 802.11 standard as ratified in 1997. It provides data encryption and access control via authentication. It has since been shown to exhibit a flawed design.

A standard 64-bit WEP key is in fact a 40-bit shared key combined with a 24-bit ‘Initialisation Vector’ (IV), while a 128-bit key is based on a 104-bit shared key. This key is then used to seed an RC4 cipher that encrypts the traffic data. The key lengths used with WEP are fairly short, but there are more significant attack vectors against the algorithm itself.

An IV is a set of random bits that is used to seed a stream cipher such as the RC4 cipher used in WEP. This value can be changed easily and regularly without having to go through a rekeying process. In WEP, the IV is transmitted once in plain text as the client associates with the wireless access point and then automatically incremented with each packet. The problem is that 24 bits is too few. 2^24 is approximately 16.7 million. This is a very small number compared to the number of packets typically sent by clients on a busy network, so eventually IVs will be repeated. This gives an eavesdropping attacker a chance.

An identical packet encrypted by the same key using a stream cipher gives the exact same encrypted output packet. If the IV is repeated, then the keying material at that moment is exactly the same key, because the shared key component changes rarely, if ever. These two facts lead to the possibility of probability-based cryptographic attacks. The more repeated IVs, the more chance of success of the attack. Simply listening for repeated IV frames can work if sufficient traffic is transmitted on the network. In a quieter network, the attacker must replay captured packets to generate sufficient IV collisions.
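The keystream-reuse problem described above, as an added example that is not part of the original article: WEP builds the per-packet RC4 key as IV followed by the shared key, so two frames sent under one IV are XORed with identical keystream, and one known (or guessable) plaintext exposes the other. The shared key, IV and frame contents below are constructed sample values.

```python
# Added example (not from the original article): why a repeated WEP IV is fatal.
# WEP seeds RC4 with IV || shared key, so two frames sent under the same IV
# are XORed with the same keystream (the classic "two-time pad").

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the per-packet RC4 key is the 24-bit IV followed by
    the 40- or 104-bit shared key; the IV travels in clear beside the
    ciphertext. The CRC-32 ICV is omitted; it does not change the argument."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)

# Constructed sample values: a 40-bit shared key and two frames under one IV.
SHARED_KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("a1b2c3")
FRAME_A = b"GET /index.html HTTP/1.0\r\n"   # predictable protocol text
FRAME_B = b"user=alice&pass=hunter2\r\n"    # the frame the eavesdropper wants

def keystream_reuse_leak(c_a: bytes, c_b: bytes, known_a: bytes) -> bytes:
    """Given two ciphertexts that share an IV and a guess of one plaintext,
    the other plaintext follows with no key knowledge at all:
    c_a ^ c_b == p_a ^ p_b, hence p_b == c_a ^ c_b ^ p_a."""
    n = min(len(c_a), len(c_b), len(known_a))
    return xor(xor(c_a[:n], c_b[:n]), known_a[:n])

def demo() -> bytes:
    """Encrypt both frames under the same IV and recover FRAME_B from them."""
    c_a = wep_encrypt(SHARED_KEY, IV, FRAME_A)
    c_b = wep_encrypt(SHARED_KEY, IV, FRAME_B)
    return keystream_reuse_leak(c_a, c_b, FRAME_A)
```

With only 2^24 IVs and the IV sent in clear, an eavesdropper on a busy network simply waits for such a pair; a fresh IV per frame (as the last assertion-style check shows) yields unrelated keystream.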

The author has been able to repeatedly demonstrate this attack to clients using freely available software tools and a suitable wireless network card. The time taken to crack a WEP key is typically between five minutes and half an hour depending on the relative signal strength of the network being attacked. This means that WEP is all but useless in any practical security sense against a determined and equipped attacker. However, like a fake burglar alarm affixed to the front of a building, it will still keep out a less knowledgeable or poorly equipped would-be intruder.

It is possible to apply MAC address filtering to all wireless networks. This has the effect of allowing only a white-list of MAC addresses to associate with the wireless access point. When the list of possible wireless clients is small, such as in a home network, this is a useful addition that will keep out low-level attackers. It is always possible to detect existing traffic by sniffing packets. These packets can be decoded and the MAC address faked onto the attacker's network card. This is a trivial attack.

WEP has been superseded by two security technologies known as WPA and WPA2. WPA (WiFi Protected Access) was designed and implemented as a short-term fix for the shortcomings of WEP. It was designed to be compatible with WiFi hardware that provided sufficient facilities to support WEP. There is no official ratified IEEE standard for WPA; it slots in between 802.11 for WEP and the 802.11i standard that defines WPA2.

The WPA protocol implemented a new key management scheme known as the Temporal Key Integrity Protocol (TKIP). This provides massive improvements over WEP, but significantly could be implemented on older WiFi hardware as long as firmware upgrades were applied. In theory this removed a major barrier for adoption of WPA over WEP, although in practice it was harder to upgrade older access points to support WPA than had been anticipated. Most new client and access point hardware from 2003 onwards supports WPA without issue.

The encryption algorithm is the same as in WEP, but the way in which IVs are generated is modified. IV length is increased to 48 bits. This is an extremely large number and effectively eliminates the collision problem. A second layer of protection called MIChael provides protection against the packet replay attacks that were at the heart of the active packet generation attack discussed above. With WEP, it is possible to flood the network to generate IV collisions more quickly. The MIChael scheme uses the sender and receiver hardware MAC addresses to generate a UID that is used for integrity. If the algorithm detects two repeated packets in a sixty-second timeframe, it shuts down the network for a further sixty seconds. It is easy to break the UID generation in order to fool MIChael, which in turn creates a possible denial of service attack scenario.

WPA supports two modes of operation. The first is a pre-shared key mode (WPA-PSK) where both sides of the communication need to know the same key. The shared key is supplied by the administrator and must be changed at both access point and client if it needs to be updated due to good policy or compromise. If the access point key is changed out of sync, then previously enabled clients would be unable to connect, prompting support desk work to rectify the situation. This leads to a situation where, in common with WEP and most pre-shared key based protocols from IPSEC to bank card PINs, this key is rarely changed.

Keys can be supplied as sixty-four hexadecimal digits or as a passphrase ranging from eight to sixty-three ASCII characters. The ASCII version is padded appropriately and both are converted to a 256-bit key. WPA is susceptible to brute force attacks if a weak pre-shared base key is chosen. There are look-up tables available to speed this cracking process. Recently, a WPA cracking service running on a cloud-based computing platform has been released. A user of the service needs to upload a set of packet data that is then compared to a set of WPA rainbow tables. At the time of writing the price of a cracking run is $17 or $35 depending on the service level chosen.
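The passphrase-to-key conversion mentioned above, as an added example that is not part of the original article: WPA/WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID (IEEE 802.11i), which is also why precomputed tables are only valid for the SSID they were built against. The SSIDs and passphrases below, other than the standard test vector noted in the test, are constructed.

```python
# Added example, not from the original article. WPA/WPA2-Personal turns an
# 8-63 character ASCII passphrase into the 256-bit PMK with PBKDF2-HMAC-SHA1,
# 4096 iterations, SSID as salt (IEEE 802.11i). A 64-hex-digit key is used
# directly as the PMK with no derivation at all.
import hashlib

ITERATIONS = 4096
PMK_LEN = 32  # 256 bits

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Passphrase form of the pre-shared key (the common home/SMB case)."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)

def pmk_from_hex(psk_hex: str) -> bytes:
    """64-hex-digit form: the digits are the PMK itself, so there is no
    passphrase to guess; the full 256-bit space has to be searched."""
    if len(psk_hex) != 64:
        raise ValueError("hex PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(psk_hex)

def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Because the SSID is the salt, a precomputed (rainbow) table of PMKs
    only covers the SSID it was generated for. A unique SSID therefore
    defeats generic precomputation, but it does nothing against a targeted
    brute-force run if the passphrase itself is weak."""
    return pmk_from_passphrase(passphrase, ssid_a) != pmk_from_passphrase(passphrase, ssid_b)
```

The 4096 PBKDF2 iterations are the whole defence for a passphrase: they make each guess cost roughly 8192 HMAC-SHA1 operations, which is why the cracking services above sell CPU time rather than a shortcut.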

The second mode of operation is an enterprise model where an Extensible Authentication Protocol (EAP) module is used to improve the authentication of WiFi network clients. EAP is an authentication framework that supports the use of 802.1x network access control. This mode of operation is much stronger in practice than WPA-PSK, but it is of little use to the average home user or smaller business that does not have the necessary investment in 802.1x VLAN-capable switches and NAC devices.

In 2008, a flaw was discovered in TKIP. This is based on a known problem with the WEP algorithm. The attacker monitors network traffic until an ARP packet is captured. An ARP packet is easily distinguished even when encrypted: an ARP request uses a broadcast MAC address as the destination and is a very short packet. Using a statistical attack, it is possible to derive the unknown parts of the ARP packet. This attack takes just under a quarter of an hour to work because it triggers the sixty-second network timeout built into MIChael a number of times as various keys are computed based on responses from the protocol. Once this has been achieved, it is possible to inject malicious packets into the network.

WPA2 fully implements the IEEE 802.11i standard, including a replacement for TKIP based on the AES block cipher. This improvement is known as CCMP. This protocol, at the time of writing, is considered fully secure. It is recommended that all networks implement WPA2 where possible. However, in practical terms the majority of Windows XP laptops that the author has encountered do not have the optional WPA2 client software installed. The installation of this update requires administrator rights on the laptop in question, meaning that it is unlikely to be a field upgrade for already deployed laptops. Newer versions of Windows and Mac OS X inherently support WPA2. For users of these operating systems there are no barriers to the adoption of WPA2 in all wireless networks.

Some network environments do not wish to take the risk of implementing any wireless networks at all. Even with implementing WPA2-Enterprise and utilising 802.1x network access control features, some organisations have made the decision to avoid any risks associated with WiFi networks. Even if a slightly less risk-averse administrator goes to the trouble of encrypting and securing their own WiFi networks, they are still at risk from employees who might implement a rogue wireless access point. These are unofficial access points that are simply connected to the main network. From experience of performing scans for rogue networks, these are rarely secured in any way and often advertise the name of the company to which they ‘belong’ by broadcasting a poorly named SSID or network name. There is real danger to corporate networks here. One solution is to perform regular WiFi scanning to search for, locate and disable these devices. Automated wireless IDS products are also available that are able to perform the same task at some cost to the organisation.

A related problem is the proliferation of coffee shop and free wireless provision in inner city environments. While these networks allow employees to make contact back to the corporate network while out of the office, they also pose a significant security risk while users are in the office. Most operating systems cache a list of known (read: trusted) wireless SSIDs. They will automatically connect to known networks even while connected to a wired network. This effectively creates a bridge between the corporate network and Starbucks wireless! Software is available to detect and control this behaviour if users are not technical enough to understand these implications on their own.

A secure implementation of wireless networks needs to consider the following:

  • Data encryption and integrity really must be provided using WPA2 and AES-CCMP. Older hardware should be replaced rather than security decreased for compatibility.
  • Network access control using 802.1x and EAP based protocols, or regularly changed complex long pre-shared keys with all the inconvenience that this brings.
  • Segregation of wireless network from wired networks within the network environment. At least one VLAN should be used to split WiFi networks from the main network unless passed through a suitable firewall and IPS device.
  • It is also worth considering implementing a VPN inside the network. Wireless clients, having successfully been through NAC procedures, would have to use a standard SSL or IPSEC VPN to progress further into the corporate network. This gives additional user level authentication and non-repudiation as well as enhanced encryption at the cost of some bandwidth overheads.
  • Regular scanning for rogue access points or the implementation of a wireless IPS must be considered for all networks regardless of whether a corporate wireless service exists or not. User education and a strict IT usage policy in this regard can help to steer an appropriate response should rogue devices be discovered.
  • Careful network design including the selection and positioning of WiFi antennas can be invaluable in limiting the spread of signals beyond the intended area of coverage.
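One way to check an access point configuration against the first two checklist items, as an added example that is not part of the original article: a small audit of a hostapd.conf that flags WEP, missing WPA2, TKIP and short pre-shared keys. The option names are real hostapd options; the passphrase length threshold and both sample configurations are constructed for the example.

```python
# Added example, not from the original article: audits a hostapd.conf against
# the WPA2 + CCMP + (802.1X/EAP or long PSK) bar from the checklist above.
# wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wep_key0..3
# are real hostapd options; MIN_PASSPHRASE and the sample configs are made up.
MIN_PASSPHRASE = 20  # constructed policy value; hostapd itself allows 8 to 63

def parse_hostapd(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(conf: dict) -> list:
    """Returns human-readable findings; an empty list means the config passes."""
    findings = []
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP key configured; WEP offers no practical protection")
    wpa = int(conf.get("wpa", "0"))  # bit 1 = WPA (TKIP era), bit 2 = WPA2/RSN
    if not wpa & 2:
        findings.append("WPA2 (RSN) not enabled; set wpa=2")
    if wpa & 1:
        findings.append("WPA1 compatibility enabled; set wpa=2 rather than 1 or 3")
    rsn = conf.get("rsn_pairwise", "").split()
    if "TKIP" in rsn or "TKIP" in conf.get("wpa_pairwise", "").split():
        findings.append("TKIP permitted as pairwise cipher; use CCMP only")
    if wpa & 2 and rsn != ["CCMP"]:
        findings.append("rsn_pairwise should be set explicitly to CCMP")
    mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in mgmt:
        passphrase = conf.get("wpa_passphrase")
        if passphrase is not None and len(passphrase) < MIN_PASSPHRASE:
            findings.append(f"pre-shared passphrase shorter than {MIN_PASSPHRASE} characters")
    elif "WPA-EAP" not in mgmt:
        findings.append("no usable key management; set wpa_key_mgmt=WPA-EAP (802.1X) or WPA-PSK")
    return findings

# Constructed sample configurations: the first breaks several checklist items,
# the second follows them (RADIUS settings needed for WPA-EAP are omitted).
WEAK_CONF = """
interface=wlan0
ssid=ACME-Corp
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=acme2010
"""
HARDENED_CONF = """
interface=wlan0
ssid=ACME-Corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
"""
```

Run `audit(parse_hostapd(open("/etc/hostapd/hostapd.conf").read()))` on a real file to list what the checklist would have you change; segregation, VPN and rogue-AP scanning are outside what a single AP config can show.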

Implementing a wireless network requires an understanding of the issues presented above. On one hand is the push from management to bring flexibility and enhanced capability to the workforce. On the other is the trade-off and balance with doing this securely.
