Survey on Vulnerabilities In Wimax

Size: px

Start display at page:

Download "Survey on Vulnerabilities In Wimax"

Merilyn Whitehead
5 years ago
Views:

1 Survey on Vulnerabilities In Wimax Deepali Gawali, Shweta Bagul,Omkar Kulkarni,Dr.B.B.Meshram Department of Computer Technology, Veermata Jijabai Technological Institute, Mumbai, India Abstract: Worldwide interoperability for microwave access (wimax) is going to be an emerging wireless technology for the future. In this Paper the research is described the analyzing security issues in wimax. At first overview of the wimax technology given followed by the security issues involve in this technology.then the vulnerabilities mentioned in literature are presented. Keywords: Wimax,IEEE802.16,security,Vulnerabilities,authentication and authorization. Corresponding Author: Deepali Gawali I Introduction: The latest development in wireless Metropolitan area network is IEEE , is the Standard to state the radio frequency of fixed Broadband Wireless Access (BWA).WiMAX is the trade name of IEEE Standard. IEEE was first planned to offer the last mile for Wireless Metropolitan Area Network (WMAN) with the line of sight (LOS) of km.[1]with the increasing popularity of Broadband internet, wireless networking market is thriving,wireless network is not fully secure due to rapid release of new technologies, market competition and lack of physical infrastructure. In IEEE , security has been considered as the main issue during the design of the protocol. However, security mechanism of the IEEE (WiMAX) still remains a question. WiMAX is relatively a new technology; not deployed widely to justify the evidence of threats, risk and vulnerability in real situations. Threats are very common to the wireless networks and the Wimax technology is not the one that still safe for wireless communication. Attacker can easily attack on the insecure network by using different techniques.additionally, attacker with a properly positioned Radio Frequency (RF) receiver can interrupt the messages sent through wireless, and therefore a security mechanism in the design is required.current security mechanisms do not address well in IEEE a Mesh modes network, which lead into new security threats. So it is necessary to address the security aspects of the IEEE Standard and point out the security vulnerabilities,threats and risks associated with this standard. II Overview of Wimax: 1.1 Basic concept of Wimax: WiMAX technology has attracted significant attention and interest because of its long transmission range, high transmission rate, and mobility support. But to make WiMAX Page 74

2 networks usable and reliable,several security issues must be addressed in both the standard and its protocols[2]. The architecture of wireless communication systems is much simple than that of wired network connections.this is the reason why now people prefer wireless internet connections. WiMax network forum is responsible for guiding the guideline for WiMax architecture. Components of WiMax Network Architecture: There are three main components of WiMax network architecture. 1. Mobile Stations which are used as a source of network connection for end user. 2. An access service network which is formed of more than two or three base stations.it also contains ASN gateways which build the radio access at the end. 3.Connectivity Service Network which is responsible for providing IP functions. The base station provides the air interface for the mobile stations.the base stations also provide mobile management functions, triggering and tunnel establishment, radio resource management,dynamic host control protocol proxy, quality of service enforcement and multicast group management. ASN is responsible for radio resource management, encryption keys, routing to the selected network and client functionality.connectivity service network is responsible for internet connections, corporate and public networks and many other user services. Standard WiMax Architecture Let us analyze a standard WiMax network. As explained earlier the WiMax network is based on three four basic components like AS gateway, CSN and MS.The basic network has a central IP core which is surrounded by an ASN gateway, which is connected to service network or CSN.The main IP core is attached to the internet backbone for help and coverage.the WiMax network which is also part of the ISP network is known as access service gateway.this ASN handles the micro and macro base stations, which provide WiMax access to end users.the connectivity service network or CSN is an important part of WiMax architecture which provides the authentication to the user devices.csn is also responsible for providing roaming among the network service providers.it is CSN which is responsible for user security and quality for service for this purpose it uses several protocols.the IP address management is also handled by CSN. IP core is in the middle of CSN and ASN. CSN provides the internet and telecommunications connectivity. Page 75

3 ASP communicates to the base stations and the mobile stations. At the users end the WiMax architecture may further contain firewall for security.wimax architecture provides discretion at user end to make possible amendments. Two Dimensions of WiMax Network WiMax network is composed of two parts the WiMax tower and the WiMax receiver.wimax tower is connected directly to the internet backbone using a wired connection such as optical fiber.it can be connected to the WiMax tower using a line of sight link or a non line of sight link. The line of site communication involves the use of fixed antenna or dish. This antenna is fixed or deployed on the roof top or the tower of your building.line of sight connection is considered as more strong and stable connection. Therefore it sends lot of error free data over the network. It uses a frequency range of 66Ghz. Higher frequency decreases the chance of signal weakness and interference and provides more bandwidth.on the other hand the non line of sight connection provides you connectivity with the installation of small antenna in your PC.This mod provides lower frequency range from 2 GHz to 11 GHz. The lower band signals are not prone to obstructions like trees and walls.hence the signal strength is more and the user receives the quality of service.for every WiMax connectivity and architecture it is important to connect to an internet backbone via swift wired connection[3]. III.Security Issues, Vulnerabilities Involved In Wimax In order to understand WiMAX security issues, we first need to understand WiMAX architecture and how securities specifications are addressed in WiMAX. This section provides background and detailed information about WiMAX securities specifications in the security sub layer. IEEE protocol architecture: The IEEE protocol architecture is structured into two main layers: the Medium Access Control (MAC) layer and the Physical (PHY) layer, as described in the following table[4] Fig 1-IEEE Protocol Structure MAC layer consists of three sub-layers. Service Specific Convergence Sub-layer (CS),which maps higher level data services to MAC layer service flow and connections [5]. Common Part Sub-layer (CPS), which is the core of the standard and is tightly integrated with the security sub-layer. This layer defines the rules and mechanisms for system access, bandwidth allocation and connection management. The MAC protocol data units are constructed in this sub-layer. Page 76

4 Security Sub-layer which lies between the MAC CPS and the PHY layer, addressing the authentication, key establishment and exchange, encryption and decryption of data exchanged between MAC and PHY layers. The PHY layer provides a two-way mapping between MAC protocol data units and the PHY layer frames received and transmitted through coding and modulation of radio frequency signals. Major Threats to WiMAX Technology: Rouge Base Station: A rogue base station is an attacker station that duplicates a legitimate base station. The rogue base station puzzles a set of subscribers trying to get service through what they believe to be a legitimate base station.. It may result in long disturbance of service. This attack depends on the type of network. In a WiFi network, which is carrier sense multiple access, the attacker has to capture the identity of a legitimate access point. Then it builds frames using the legitimate access point's identity. It then injects the crafted messages when the medium is available. In a WiMax network, this is more difficult to do because WiMax uses time division multiple access. The attacker must transmit while the rogue base station is transmitting. Fig 2-Working of rogue base station attack[6] The signal of the attacker, however, must arrive at targeted receiver subscribers with more strength and must put the signal of the rogue base station in the background Again, the attacker has to capture the identity of a legitimate base station. Then it builds messages using the stolen identity. The attacker has to wait until time slots allocated to the fake base station start and transmit during these time slots. The attacker must transmit while achieving a receive signal strength higher than the one of the fake base station. The receiver subscribers reduce their gain and decode the signal of the attacker instead of the one from the fake base station. The rogue base station is likely to occur as there are no technical difficulties to resolve. Extensible Authentication Protocol (EAP) supports mutual authentication, i.e. the base station also authenticates itself to the subscriber. When EAP mutual authentication is used, the likelihood of the threat is mitigated, but not totally and remains possible for reasons similar to EAP based authorization. The rogue base station or access point attack is therefore a threat for which the risk is critical[7]. DoS (Denial of Service) Attacks: In wireless metropolitan area networks (MAN), the data service for a mobile is based on the model of service flow, a MAC layer transport service that describes the unidirectional flow of either uplink or downlink data. The establishment of a service flow uses a two phase model: a Page 77

5 service flow is first admitted with provisioned resources, and then the service flow is then activated to have the resources committed on an on-demand basis. The service flow may be de-activated later to conserve network resources. Primarily, when a wimax network has no downlink or uplink data, it will enter either Sleep Mode or Idle Mode, both of which aim to trim down the power utilization of the mobile station. Upon the availability of data, the serving base station will awaken the mobile station. The mobile station then establishes a connection with the base station via initial ranging. Ranging parameters are then adjusted for the connection. Finally, the service flow is reactivated for data transfer, and the mobile station returns to the normal operation stage. Depending on whether the serving base station has the necessary information, the mobile station may need to carry out more signaling operations, such as basic capability egotiation, authentication and key management, re-registration, as well as IP connectivity reestablishment. Given the above signaling procedures, attackers may also launch similar signaling attacks to WiMax base station by triggering unnecessary state transitions that overload the base station with signal processing that leads to denail of service (DoS) attacks[8]. Data Link-Layer Threat The WiMax Media Access Control (MAC) protocol, a sub layer of the data link layer, manage the consumer s access to the physical layer. However, the scheduling algorithm within the WiMAX MAC protocol offers optimal prioritization of this traffic based on First- In First-Out (FIFO) scheduling, in which clients seeking access to the base station are allocated bandwidth upon time of initial access, instead of random queue assignment based on order of Media Access Control (MAC) address as in Wi-Fi. Furthermore, the WiMax Media Access Control (MAC) protocol ensures optimal quality of service (QoS) over its WiFi predecessor, allocating bandwidth effectively by balancing client s needs instead of best effort service; that is, equal distribution of what remains after allocation to other consumers. In addition, before encrypting the radio signal with Wired Equivalent Privacy (WEP), WPA/PSK, or any other existing Layer 2 security protocol, WiMax basic authentication architecture, by default, employs X.509-based public key infrastructure (PKI) certificate authorization, in which the base station authenticates the client s digital certificate prior to granting access to the physical layer[9]. Application Layer Threat software based threat management and secure access solutions will be as essential as ever, with a typical security infrastructure comprising components such as firewalls, virtual private networking (VPN), Internet key exchange (IKE) tunnelling, and intrusion prevention systems (IPS), each of which reside at the application layer of WiMAX Infrastructure For example, in an WiMax mesh network installation where routers or gateways will operate as intermediaries, or hot spots linking client and base station, there is an increased potential of security vulnerabilities, as the intermediary routers that reside between base station and client are presentable and vulnerable to attacks. Popular application level services, such as voice over Internet protocol (VoIP), could be broken by hackers who can initiate the download of remote configuration settings and resynchronize clients CPE settings to their specifications. Hackers may also replicate, or spoof the address of the intermediary router or server and deceive other clients into believing their connection is secure, thus opening them Page 78

6 up to malicious attack. These routers and gateways will require robust security measures to ensure that unprotected clients remain protected behind the intermediary access point. he majority of existing routers will have their own firewall components that provide Application Layer Gateway (ALG) functionality for the signalling protocols that support and keep multiple sessions. Any deficiency in the Application Layer Gateway (ALG) functionality could result in diminished QoS for low latency applications, such as VoIP and videoconferencing. OEMs must develop devices with Application Layer Gateways (ALG)s that permit inward call requests to the devices only from the device registered with the server and endpoints, while dynamically allowing inward media packets only on call set up. These media sessions are to be disabled on termination of the connection[10]. Physical Layer Threat: Privacy Sub-layer resides on the top of Physical layer in IEEE standard, therefore, Wimax networks are open to to physical layer attacks for example, blocking and rushing. Blocking is done by activating a source of strong noise to significantly lowering the capacity of the channel, therefore denying services (DoS) to all stations. However, blocking or jamming is detectable with radio analyzer devices. Rushing or scrambling is another type of jamming, but it takes place for a short interval of time aimed at particular frames. Control or management messages could be jumbled, but it is not possible with delay sensitive message i.e., scrambling Uplink slots are comparatively hard, because attacker has to interpret control information and to send noise during a particular interval[11]. Privacy Sub-Layer Threat: Privacy Sub layer s main objective was to protect service providers against theft of service, rather than securing network users. It is obvious that the privacy sub layer only secures data at the data link layer, but it does not ensure complete encryption of user data. Furthermore, it does not protect physical layer from being interrupted. It is essential to include technologies to secure physical layer and higher layer security for a converged routable network and devices within the system.[12] Key Management Problem : Key Management is another problem is WiMax technology, which uses Traffic Encryption Key (TEK) sequence space; it uses sequence number to make different messages. The protocol identifies each Traffic Encryption Key (TEK) with a 2 bit sequence number, enclosing the sequence number from 3 to 0 on every fourth re-key as a problem of replay attack; if replay works, Subscriber Station (SS) could not be able to detect this issue.[13] Water Torture: A common threat to wimax arises from the water torture attack, in which an attacker sends a series of frames to drain out the receiver s battery. An attacker can easily write to a radio frequency channel with the help of properly configured Radio Frequency transmitter to build new frame, capture, change, and retransmit frames from authorized station. The design is required to ensure a data authenticity technology. It is also likely to resend a valid, already sent frame unchanged. In case of long distance transmission, radio interference and distance may possibly allow an attacker to alter and selectively forward frames, in a situation where two authorized stations are not able to contact directly with each other. For that reason, the design is required to detect replayed frames during transmission[14]. Page 79

7 Black Hat Threat Another threat to WiMax is black hat hackers, they are commonly known as awful people in our world with the negative thinking about cracking into the network or the computer system for their own financial benefit or mental satisfaction. They are also known as crackers or Black Hats. The essential thing to understand is not all the hackers are terrible as some people are doing penetration of a network or computer system in the limits of ethical standards to understand the vulnerabilities in their system or their clients system, also called white hat hackers. There are still the possibility that the WiMAX network can be a victim of black hats like WiFi and other wireless technologies[15]. IV Conclusion : In this paper we have studied the vulnerabilities and threats of IEEE (WiMAX). It can be seen that WiMAX provides a robust user authentication, access control, data privacy and data integrity using sophisticated authentication and encryption technology. WiMAX has both a sophisticated set of security protocols in its security suite and advanced bandwidth allocation mechanisms, which makes it a suitable candidate for enterprise applications. On the other hand, it was found that WiMAX is subject to critical threats including jamming, eavesdropping and modification of management messages, masquerading as BS, and DoS attacks. Even though some issues are no longer valid since the recent amendments and security solutions in , some remain unsolved and need to be carefully reviewed to avoid the same mistake as /Wi-Fi. VI References: [1]. Jamshed Hasan,Security Issues of IEEE (WiMAX [2]. Responding to Security Issues in WiMAX Networks-Chin-Tser Huang, University of South Carolina,J.Morris Chang,Iowa State University [3] [4] Johnson and Jesse Walker, "Overview of IEEE Security", Intel Corp, IEEE [5] Department University of Bridgeport, Bridgeport,CT. ofessional/asee12008_0022_paper.pdf [6] Detection of rogue base station attack using matlab-ijcse journel by ramnpreet singh,sukhwinder singh [7] [8] [9] [10] [11] [12] [13] wimax.html [14] [15] Page 80

The WiMAX Technology

Page 2 Oeconomics of Knowledge, Volume 2, Issue 2, 2Q 2010 The WiMAX Technology Felician ALECU, PhD, University Lecturer Department of Economic Informatics Academy of Economic Studies, Bucharest, Romania