How Insecure is Wireless LAN?


Abstract

Wireless LAN has gained popularity in the last few years due to its enormous benefits, such as scalability, mobile access to the network, and reduced cost of ownership. Wireless LAN security is vulnerable, and over time many loopholes in its security have been identified. In this paper, we discuss in detail the security concerns of WLAN, such as rogue access points, war-driving, MAC address spoofing, and denial of service attacks. The working and security leaks of WEP are also a part of the paper. At the end of the paper, we suggest a few techniques to ensure secure communication in WLANs.

1. Introduction

A Local Area Network (LAN) supplies networking capability to a group of computers in close proximity to each other, such as in an office building, a school, or a home. A LAN facilitates sharing of resources and connectivity to the Internet. Traditionally the LAN was implemented as a wired network using Ethernet cable. A WLAN is a data communication system that is implemented as an alternative or extension to a wired LAN, using electromagnetic waves instead of wires. The electromagnetic waves are referred to as radio carriers because of their function of delivering energy to a remote receiver. The information to be transmitted is modulated onto the carrier, and the modulated signal contains all the information. Multiple radio carriers can exist at the same time within a space if they transmit on different radio frequencies. The receiver extracts the signal at the frequency on which it was transmitted, while rejecting everything at other frequencies.

A WLAN is built by attaching access points to the edges of the wired network. An access point (AP) is a device that receives, buffers, and transmits data between the wired infrastructure and the wireless LAN. Clients then communicate with the AP using a wireless network adapter similar to a traditional Ethernet adapter, as shown in Figure 1. The WLAN adapters provide an interface between the client network operating system (NOS) and the airwaves via the antennas. The nature of the wireless connection is transparent to the NOS.

[Figure 1: Typical Wireless LAN setup. Laptop, tablet, handheld and desktop clients with PC card adapters connect to wireless access points; the access points attach to Ethernet switches on the wired network backbone, and users can roam from one AP to another.]

The range of a WLAN varies from one hundred to five hundred feet; it can also penetrate walls and other surfaces because it operates at radio frequency. Other devices operating at the same frequency as the WLAN, such as microwave ovens, may cause interference in the communication. WLANs from different vendors operating in the same vicinity may interfere with each other; using the appropriate vendor's product solves this issue. Three popular standards have emerged since the inception of WLANs: 802.11a, 802.11b, and 802.11g. A comparison of these standards on the basis of some parameters is given in Table 1.

Table 1: Comparison of 802.11a, b, g.

| Parameter | 802.11a | 802.11b | 802.11g |
| --- | --- | --- | --- |
| Frequency band (GHz) | 5.15-5.25, 5.25-5.35, 5.725-5.825 | 2.4-2.4835 | 2.4-2.4835 |
| Number of channels | 12 or 4 in each band | 3 non-overlapping | 3 non-overlapping |
| Data rate (Mbps) | 6, 9, 12, 18, 24, 36, and 54 | 1, 2, 5.5 and 11 | 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 and 54 |
| Modulation | Binary Phase Shift Keying; Quad Phase Shift Keying | Differential Binary & Quad Phase Shift Keying | Binary & Quad Phase Shift Keying; Differential Binary & Quad Phase Shift Keying |

A WLAN provides mobility to users; they can log in from anywhere within network range, thus increasing productivity in organizations. Installation is simple and fast. A WLAN eliminates the need to pull cables through walls and ceilings; it can also be installed at places where we cannot run wires. WLANs are being implemented at hotels, airports, coffee shops, and in universities. With these benefits comes the security issue as well: the signals can be intercepted without physically accessing the network, which makes WLAN security vulnerable. We discuss WLANs from the security perspective in this survey paper. The following section is devoted to the features of the WLAN that make its security vulnerable. In section 3, we discuss the types of attacks and the security tools to protect the WLAN. Section 4 gives an overview of WEP and its flaws. (To be continued in the final report.)

2. How do attackers gain access to a WLAN?

Wireless LAN access points (APs) announce their presence periodically by transmitting special-format frames known as beacons. In this way potential clients can discover the presence of the wireless LAN and link up to its services. This makes access to the wireless LAN very easy. The beacon frames are not protected by any privacy function, so any device with an 802.11 card can learn of the 802.11 network and its parameters.

War-driving is a method of locating the access points of 802.11 networks in an area. In war-driving the attackers make use of high-gain antennas and drive around the city to monitor the appearance of beacon frames transmitted by access points. They use software to log the presence of the beacon frames and record the coordinates of the AP location using the Global Positioning System (GPS); they thus associate the located APs with geographic locations in AP maps. Tools like NetStumbler are available to assist war-driving. Attackers share these AP maps on the Internet, and those APs become potential targets of attack. AP maps of several cities with thousands of AP locations are available on the Internet [1]. War-chalking is another way of marking the APs in an area: the attacker marks the area with specific symbols to point out that an AP is nearby. The WiFi symbols can be found on the Internet as well [2].

Rogue Access Points: There are two cases of installation of rogue access points. First, one of the company's employees can deploy an AP on the corporate network without authorization from the network administrator. This poses a serious threat because the user would not be able to implement the security features properly and would provide a gateway for intruders to access the network. Second, an intruder may physically place an AP on the network to gain remote access to the network via wireless. Once an attacker gains access to the wireless network through a rogue access point, it can be a launch point for attacks.

3. Types of Attack

Attacks can be categorized into two types: active attacks and passive attacks.

Passive Attacks: Listening to the network traffic, without interfering, to obtain the information being transmitted is known as a passive attack. Passive attacks are of two types. The first is release of message content, in which the intruder tries to learn the content of the network traffic. The second type is traffic analysis, in which the eavesdropper captures the network traffic; even if the packets are encrypted, the intruder can still analyze the captured packets to make a guess about the nature of the communication.

Active Attacks:

In active attacks, the intruder tries to modify the contents of the data stream of the victim network. Such attacks can be divided into four categories. First, when one entity pretends to be another entity, it is a masquerade attack; the attackers try to gain access to resources by impersonating an entity which has the privilege to do so. Second, replay is an extension of the passive attack, retransmitting the captured packets to create an unauthorized effect. Third, modification of messages is when a part of a legitimate message is altered to create an unauthorized but attacker-desired effect. Fourth, a denial of service attack can be created by simply overloading the network with bogus messages. This could result in degraded performance or the unavailability of network services, because the illegitimate traffic occupies the frequencies and legitimate traffic cannot get through. An attacker can configure its client to duplicate the IP or MAC address of a legitimate client, causing disruption on the network. Let us discuss some examples of active and passive attacks.

3.1 MAC Address Spoofing

802.11 networks do not authenticate frames. The access point serves all frames which carry a valid MAC address. Some vendors provide the feature of MAC address filtering: Cisco's AP maintains a list of authorized MAC addresses and does not allow users with MAC addresses other than the authorized ones to connect. The attacker can easily sniff the WLAN traffic. These packets contain all the information required to make an attack, namely the MAC address and IP address. The attacker uses this information to mimic a valid MAC address and also uses the IP address assigned to that MAC address. The attacker can spoof a MAC address by editing the registry, setting the value of the Network-Address key in the registry to the authorized MAC address. With a valid MAC and IP address, the intruder's machine will be considered a legitimate user of the network; hence the attacker can gain direct access to the network resources. However, the attacker would not be able to access the network until the valid system stops using the network.

3.2 Session Hijacking

It is possible to inject false traffic into a connection. An attacker can issue commands on behalf of a legitimate user by injecting traffic and hijacking the victim's session.

3.3 Base Station Clone (Evil Twin)

Another security feature is the service set identifier (SSID); it works like a shared password between the base station and clients. It allows only those clients to communicate with the base station which are configured with the same SSID as the base station. Most APs broadcast their SSID as part of the beacon frames to announce their presence. Tools like NetStumbler can capture these packets to find out the SSID. An attacker can then use the valid SSID on a false AP to trick clients into connecting to it. Effectively the SSID does not protect the WLAN against attacks; it is merely a mechanism to prevent wandering wireless devices in the area from getting onto your network. A rogue access point, also known as a honey pot, can pretend to be a valid access point by broadcasting the right SSID. The wireless clients of the network will connect to the attacker's false AP. The intruder can steal credentials by tricking users with false login prompts, and the user unknowingly gives away his/her password to the attacker. Another way of stealing credentials is the man-in-the-middle (MITM) attack, where the attacker places himself between the station and the AP, relaying packets from the AP to the station and vice versa.

3.4 Traffic Redirection

Attackers can use spoofed frames to redirect traffic and to corrupt the Address Resolution Protocol (ARP) tables in the switch on the wired network. The corrupted ARP tables cause packets destined for a wired client to be routed to the attacking wireless client.

4. Wired Equivalent Privacy (WEP) Algorithm

The IEEE 802.11 standard for wireless LAN communications introduced the Wired Equivalent Privacy (WEP) protocol in order to address the privacy issues. The WEP protocol protects link-level data during wireless transmission. It was an effort to bring the security level of wireless LANs closer to that of wired LANs. The working of WEP is described first, and then we discuss its weaknesses. WEP tries to achieve the security goals of networks, such as confidentiality, access control, and data integrity. Wireless LAN transmissions are broadcast over radio frequencies, so anyone can intercept the information. WEP is implemented at the MAC layer, and most radio network interface card and access point vendors support the protocol. The network interface card (NIC) encrypts the payload, which includes the frame body and cyclic redundancy check (CRC), and then transmits each frame using the RC4 stream cipher. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies.

The encryption process of WEP is based on a secret key shared between the communicating parties; the key protects the data being transmitted in the frame. First the integrity checksum of the message is calculated and then concatenated with the message to form the plain text. The plain text is the data fed into the algorithm as the input for encryption. The plain text is encrypted using the well-known RC4 algorithm. A 24-bit initialization vector (IV) is concatenated with the shared secret key supplied by the user of the sending station. The resulting block forms the seed that is input to the pseudorandom number generator (PRNG) defined in RC4. The IV lengthens the life of the secret key because the station can change the IV for each frame transmission. The key stream is then XOR-ed with the plain text to get the cipher text. This cipher text, along with the IV, is transmitted over the radio link as shown in Figure 2.

On the receiving end, the encryption process is reversed. With WEP, the receiving station must use the same secret key for decryption; each radio NIC and access point, therefore, must be manually configured with the same secret key. First the recipient regenerates the key stream; then the key stream and the cipher text are XOR-ed to get back the initial plain text, as shown in Figure 2.
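The sender's and receiver's steps just described, as an added worked example that is not from the paper: a small Python implementation of the RC4 key stream seeded with IV + key, the CRC appended to the message, the XOR on both ends, and the receiver's checksum check that rejects a frame whose message was altered. The 40-bit key, the 24-bit IV and the message are constructed sample values, and the use of CRC-32 in little-endian form for the integrity checksum is an assumption of this example.

```python
"""WEP-style encryption and decryption as described in section 4 (added example,
not from the paper). RC4 is written out so the IV + key seeding is visible."""
import zlib

IV_LEN = 3       # WEP uses a 24-bit initialization vector
CRC_LEN = 4      # 32-bit integrity checksum appended to the message


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 key stream from `seed` (IV + secret key)."""
    # Key-scheduling algorithm: permute the 256-byte state using the seed.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: emit one key stream byte per step.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def checksum(message: bytes) -> bytes:
    """Integrity checksum: CRC-32 of the message, little-endian (assumption)."""
    return zlib.crc32(message).to_bytes(CRC_LEN, "little")


def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Sender's end: plain text = message + CRC, XOR with RC4(IV + key); send IV + cipher text."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 24 bits")
    plaintext = message + checksum(message)
    keystream = rc4_keystream(iv + key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return iv + ciphertext            # the IV travels in the clear with the frame


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver's end: regenerate RC4(IV + key), XOR, then verify the CRC.
    Returns the message, or None when the checksum does not match (frame rejected)."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    keystream = rc4_keystream(iv + key, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    message, received_crc = plaintext[:-CRC_LEN], plaintext[-CRC_LEN:]
    if checksum(message) != received_crc:
        return None
    return message


if __name__ == "__main__":
    # Constructed sample values: a 40-bit shared key, one 24-bit IV and a short message.
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("aabbcc")
    frame = wep_encrypt(key, iv, b"hello, WLAN")
    print("transmitted:", frame.hex())
    print("decrypted:  ", wep_decrypt(key, frame))
```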

[Figure 2: Encryption and Decryption using WEP. Sender's end: Plain Text (Message + CRC) XOR Key Stream = RC4(IV + key) produces the Transmitted Packet (IV + Cipher Text). Receiver's end: Received Packet (IV + Cipher Text) XOR Key Stream = RC4(IV + key) recovers the Decrypted Plain Text (Message + CRC).]

The integrity of the message is checked by recalculating the checksum and matching it against the sent value. The receiver accepts only frames with a valid checksum.

Note: In the final report we will discuss the WEP protocol flaws and the corresponding attacks. We will also discuss how we can build a secure WLAN using different security tools to provide a shield against attacks at multiple levels.

References

[1] www.netstumbler.com
[2] www.warchalking.org
[3] www.wigle.net
[4] www.wifimaps.com
[5] www.wlana.com
[6] M. Gast. Seven security problems of 802.11 Wireless.
[7] M. Gast. Wireless LAN security: A short history.
[8] N. Borisov, I. Goldberg, and D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11.
[9] L.M.S.C. of the IEEE Computer Society. Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE standard 802.1, 1999 Edition, 1999.
[10] William Stallings. Wireless Communications and Networks. Pearson Education Inc., 2002.
[11] William Stallings. Data and Computer Communications, 6th Edition. Prentice Hall, 2000.