
ICE-4103: Information, Network and Software Security

Wireless Network Security


Wireless Security Overview
• Concerns for wireless security are similar to those found in a wired environment
• Security requirements are the same:
― Confidentiality, integrity, availability, authenticity, accountability
― Most significant source of risk is the underlying communications medium
Wireless Network Modes
• The 802.11 wireless networks operate in two
basic modes:
― Infrastructure mode
― Ad-hoc mode
• Infrastructure mode
― Each wireless client connects directly to a central
device called Access Point (AP)
― No direct connection between wireless clients
― AP acts as a wireless hub that performs the
connections and handles them between wireless
clients
Wireless Network Modes

• Ad-hoc mode:
― Each wireless client connects directly with each other
― No central device managing the connections
― Rapid deployment of a temporary network where no infrastructure exists (advantage in case of disaster…)
― Each node must maintain its own authentication list
Risk of wireless networks
Key factors contributing to the higher security risk of wireless networks compared to wired networks:
➢Channel: Wireless networking typically involves broadcast communications, which is far more susceptible to eavesdropping and jamming than wired networks.
➢Mobility: Wireless devices are, in principle and usually in practice, far more portable and mobile than wired devices. This mobility results in a number of risks.
➢Resources: Some wireless devices, such as smartphones and
tablets, have sophisticated operating systems but limited
memory and processing resources with which to counter threats,
including denial of service and malware.
➢Accessibility: Some wireless devices, such as sensors and
robots, may be left unattended in remote and/or hostile
locations. This greatly increases their vulnerability to physical
attacks.
Wireless Networking Components (Facilitating points of attack)
Wireless client: WIFI-enabled laptop/tablet, cell phone, Bluetooth device, …
Access point: Cell towers, WIFI hotspots, wireless routers
Transmission medium: carries signals
Wireless Network Threats
[Figure: threat categories, each detailed on the following slides: accidental association; malicious association; ad hoc networks (no central point of control); nontraditional networks (Bluetooth, PDAs: spoofing and eavesdropping); identity theft (MAC spoofing); man-in-the-middle attacks; denial of service (DoS); network injection (bogus reconfiguration commands to routers/switches that degrade performance).]
Wireless Network Threats
➢Accidental association: Company wireless LANs or wireless access points to
wired LANs in close proximity (e.g., in the same or neighboring buildings) may
create overlapping transmission ranges. A user intending to connect to one
LAN may unintentionally lock on to a wireless access point from a neighboring
network. Although the security breach is accidental, it nevertheless exposes
resources of one LAN to the accidental user.
➢Malicious association: In this situation, a wireless device is configured to
appear to be a legitimate access point, enabling the operator to steal
passwords from legitimate users and then penetrate a wired network through
a legitimate wireless access point.
➢Ad hoc networks: These are peer-to-peer networks between wireless
computers with no access point between them. Such networks can pose a
security threat due to a lack of a central point of control.
➢Nontraditional networks: Nontraditional networks and links, such as
personal network Bluetooth devices, barcode readers, and handheld PDAs,
pose a security risk in terms of both eavesdropping and spoofing.
Wireless Network Threats
➢Identity theft (MAC spoofing): This occurs when an attacker is able to
eavesdrop on network traffic and identify the MAC address of a computer with
network privileges.
➢Man-in-the-middle attacks: This attack involves persuading a user and an
access point to believe that they are talking to each other when in fact the
communication is going through an intermediate attacking device. Wireless
networks are particularly vulnerable to such attacks.
➢Denial of service (DoS): In the context of a wireless network, a DoS attack
occurs when an attacker continually bombards a wireless access point or some
other accessible wireless port with various protocol messages designed to
consume system resources.
➢Network injection: A network injection attack targets wireless access points
that are exposed to nonfiltered network traffic, such as routing protocol
messages or network management messages. An example of such an attack is
one in which bogus reconfiguration commands are used to affect routers and
switches to degrade network performance.
Wireless Security Measures
• We can group wireless security measures into those
dealing with wireless transmissions, wireless access
points, and wireless networks (consisting of wireless
routers and endpoints).
❑ SECURING WIRELESS TRANSMISSIONS: The principal
threats to wireless transmission are eavesdropping,
altering or inserting messages, and disruption. To deal
with eavesdropping, two types of countermeasures are
appropriate:
• Signal hiding
― Turn off SSID name broadcasting
― Cryptic names
― Reduce signal strengths (place APs away from windows and external walls)
― Directional antennas
• Encryption (standard)
SECURING WIRELESS ACCESS POINTS
• The main threat involving wireless access
points is unauthorized access to the
network. The principal approach for
preventing such access is the IEEE 802.1X
standard for port-based network access
control.
• The standard provides an authentication
mechanism for devices wishing to attach
to a LAN or wireless network. The use of
802.1X can prevent rogue access points
and other unauthorized devices from
becoming insecure backdoors.
❑ Securing Wireless Networks
The following techniques are recommended for wireless network security:
1. Use encryption. Wireless routers are typically equipped with
built-in encryption mechanisms for router-to-router traffic.
2. Use antivirus and antispyware software, and a firewall. These
facilities should be enabled on all wireless network endpoints.
3. Turn off identifier broadcasting. Wireless routers are typically
configured to broadcast an identifying signal so that any device
within range can learn of the router’s existence. If a network is
configured so that authorized devices know the identity of routers,
this capability can be disabled, so as to thwart attackers.
4. Change the identifier on your router from the default. Again,
this measure thwarts attackers who will attempt to gain access to
a wireless network using default router identifiers.
5. Change your router’s pre-set password for administration.
This is another prudent step.
6. Allow only specific computers to access your wireless
network. A router can be configured to only communicate with
approved MAC addresses. Of course, MAC addresses can be
spoofed, so this is just one element of a security strategy.
SSID – Service Set Identification
• Identifies a particular wireless network
• A client must set the same SSID as the one in that particular AP to join the network
• Without SSID, the client won’t be able to select and
join a wireless network
• Hiding SSID is not a security measure because the
wireless network in this case is not invisible
• It can be defeated by intruders by sniffing it from any
probe signal containing it.
SSID
• A way for vendors to make more money
• It is easy to find the ID for a “hidden” network
because the beacon broadcasting cannot be turned
off
• Simply use a utility to show all the current
networks:
― inSSIDer
― NetStumbler
― Kismet
Mobile Device Security Challenges
• No more tight control over computing devices
• Growing use of mobile (endpoint) devices
• Cloud-based applications readily available (Box,
Dropbox, Skype, …)
• De-perimeterization: static network perimeter is
gone
• External business requirements (guests, third-
party contractors, …)
• Bring Your Own Device (BYOD)
• The above results in threats (next page)
Mobile Device Security Threats
• Lack of physical security control
• Use of untrusted mobile devices
• Use of untrusted networks
• Use of apps created by unknown parties
• Interaction with other systems (e.g., cloud-based data sync)
• Use of untrusted contents
Mobile Device Security Strategy
• Device security (next slide)
• Traffic security (e.g., SSL, VPNs)
• Barrier security (e.g., firewalls, IDS/IPS)
Mobile Device Security
• DEVICE SECURITY: Many organizations find it convenient or even
necessary to adopt a bring-your-own-device (BYOD) policy that allows
the personal mobile devices of employees to have access to corporate
resources. The organization should configure the device with security
controls, including the following:
➢Enable auto-lock, which causes the device to lock if it has not been used
for a given amount of time, requiring the user to re-enter a four-digit PIN
or a password to re-activate the device.
➢Enable password or PIN protection. The PIN or password is needed to
unlock the device. In addition, it can be configured so that email and other
data on the device are encrypted using the PIN or password and can only
be retrieved with the PIN or password.
➢Avoid using auto-complete features that remember user names or
passwords.
➢Ensure that SSL protection is enabled, if available.
Mobile Device Security
➢Make sure that software, including operating systems and applications,
is up to date.
➢Install antivirus software as it becomes available.
➢Either sensitive data should be prohibited from storage on the mobile
device or it should be encrypted.
➢IT staff should also have the ability to remotely access devices, wipe the
device of all data, and then disable the device in the event of loss or theft.
➢The organization may prohibit all installation of third-party applications.
➢The organization can implement and enforce restrictions on what
devices can synchronize and on the use of cloud-based storage.
➢To deal with the threat of untrusted content, security responses can
include training of personnel on the risks inherent in untrusted content
and disabling camera use on corporate mobile devices.
➢To counter the threat of malicious use of location services, the security
policy can dictate that such service is disabled on all mobile devices.
Mobile Device Security Elements
[Figure: device security elements: configure based on policy; encrypt; authenticate/access control.]
➢TRAFFIC SECURITY: Traffic security is based on the usual mechanisms for encryption and authentication. All traffic should be encrypted and travel by secure means, such as SSL or IPv6. Virtual private networks (VPNs) can be configured so that all traffic between the mobile device and the organization’s network is via a VPN.
➢BARRIER SECURITY: The organization should have security mechanisms to protect the network from unauthorized access. The security strategy can also include firewall policies specific to mobile device traffic. Firewall policies can limit the scope of data and application access for all mobile devices. Similarly, intrusion detection and intrusion prevention systems can be configured to have tighter rules for mobile device traffic.
IEEE 802.11 Wireless LAN
• IEEE 802: a committee responsible for LANs
• IEEE 802.11: responsible for developing wireless protocols
― Many standards
• The Wi-Fi alliance: became popular with 802.11b
― Wi-Fi Protected Access (WPA, WPA2)
Wireless Fidelity (Wi-Fi) Alliance
• 802.11b
― first 802.11 standard to gain broad industry acceptance
• Wireless Ethernet Compatibility Alliance (WECA)
― industry consortium formed in 1999 to address the
concern of products from different vendors successfully
interoperating
― later renamed the Wi-Fi Alliance
• term used for certified 802.11b products is Wi-Fi
― has been extended to 802.11g products
• Wi-Fi Protected Access (WPA)
― Wi-Fi Alliance certification procedures for IEEE802.11
security standards
― WPA2 incorporates all of the features of the IEEE802.11i
WLAN security specification
IEEE 802.11 Terminology
IEEE 802.11 Protocol Stack
• Physical layer
(encode/decode
signals)
• MAC layer:
assembles MAC
frame, disassembles
frames and
performs address
recognition
• LLC: keeps track of
frame transmission
A MAC Frame (MPDU)
• MAC protocol data unit (MPDU)
IEEE 802.11 Extended Service Set
• BSS: the
smallest
building block
• BSSs connected
via APs
― APs function as bridges
• ESS: two or
more BSSs
IEEE 802.11 Wireless Security
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• WPA2
• Robust Security Network (RSN)
WEP - Wired Equivalent Privacy
• The original native security mechanism for WLANs
• Provides security for an 802.11 network
• Used to protect wireless communication from eavesdropping (confidentiality)
• Prevents unauthorized access to a wireless network (access control)
• Prevents tampering with transmitted messages
• Provides users with a level of privacy equivalent to that built into wireless networks
How WEP works
[Figure: the IV together with the original unencrypted packet and its checksum is fed through RC4, keyed with the IV and the shared key; the transmitted frame carries the IV in the clear followed by the encrypted packet.]
WEP Flaws and Vulnerabilities
▪ Weak keys:
✓ They allow an attacker to discover the default key being used by the Access Point and client stations
✓ This enables an attacker to decrypt all messages being sent over the encrypted channel
▪ IV (initialization vector) reuse and small size:
✓ There are only 2^24 different IVs
✓ On a busy network the IV will surely be reused; if the default key has not been changed, the original message can be retrieved relatively easily
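The WEP construction from the figure and the IV-reuse flaw from the slide above, as an added example written for this page (not code from the lecture): a textbook RC4, the IV || key and CRC-32 framing, a function showing what two frames with the same IV leak, and a monitoring check that flags repeated IVs in a set of frames. The 40-bit key and the frames used in testing are constructed sample values.

```python
import struct
import zlib
from collections import Counter
from typing import List, Optional

IV_SPACE = 1 << 24  # WEP IVs are 24 bits, so only 2**24 distinct values exist


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Left-to-right flow of the figure: packet || CRC-32 checksum, XORed with
    RC4(IV || shared key); the 3-byte IV is sent in the clear in front."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + bytes(b ^ k for b, k in zip(plaintext + icv, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Reverse the flow; returns None when the recovered checksum does not match."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(b ^ k for b, k in zip(body, keystream))
    data, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    return data if icv == (zlib.crc32(data) & 0xFFFFFFFF) else None


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """The IV-reuse flaw: two frames with the same IV share a keystream, so
    XORing their ciphertexts cancels it and leaves plaintext_a XOR plaintext_b,
    with no knowledge of the key. Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def reused_ivs(frames: List[bytes]) -> List[bytes]:
    """Monitoring check: which IVs appear more than once in a set of frames."""
    counts = Counter(f[:3] for f in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)


def seconds_until_iv_space_exhausted(frames_per_second: float) -> float:
    """Even with no early repeats, a busy AP cycles through all 2**24 IVs this fast."""
    return IV_SPACE / frames_per_second
```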
Attacks on WEP
• WEP encrypted networks can be cracked in 10 minutes
• Goal is to collect enough IVs to be able to crack the key
• IV = Initialization Vector, a plaintext value appended to the key to avoid repetition
• Injecting packets generates IVs
Attacks on WEP
• Backtrack 5 (Released 1st March 2012)
• Tutorial is available
• All required tools on a Linux bootable CD + laptop + wireless card
WEP Cracking Example
WPA - WI-FI Protected Access
• New technique in 2002
• Replacement addressing the security flaws of WEP
• Improved data encryption
• Strong user authentication
• Because of the many attacks related to the static key, WPA minimizes use of the shared secret key by changing the key with the frame transmission
• Uses the RC4 algorithm in a proper way and rekeys fast enough that the data is transferred before someone can decrypt it
WPA2 - WI-FI Protected Access 2
▪ Based on the IEEE 802.11i standard
▪ 2 versions: Personal & Enterprise
▪ The primary enhancement over WPA is the use of the
AES (Advanced Encryption Standard) algorithm
▪ The encryption in WPA2 is done by utilizing either AES or
TKIP
▪ The Personal mode uses a PSK (Pre-shared key) & does
not require a separate authentication of users
▪ The enterprise mode requires the users to be separately
authenticated by using the EAP protocol
WPA2
▪ WPA2 has immunity against many types
of hacker attacks
✓ Man-in-the-middle
✓ Authentication forging
✓ Replay
✓ Key collision
✓ Weak keys
✓ Packet forging
✓ Dictionary attacks
WEP vs WPA vs WPA2
ENCRYPTION: WEP uses RC4; WPA uses RC4; WPA2 uses AES
KEY ROTATION: WEP has none; WPA uses dynamic session keys; WPA2 uses dynamic session keys
KEY DISTRIBUTION: WEP keys are manually typed into each device; WPA has automatic distribution available; WPA2 has automatic distribution available
AUTHENTICATION: WEP uses the WEP key as authentication; WPA can use 802.1X & EAP; WPA2 can use 802.1X & EAP
Procedures to Improve Wireless
Security
▪ Use wireless intrusion prevention system (WIPS)
▪ Enable WPA-PSK
▪ Use a good passphrase
(https://grc.com/password)
▪ Use WPA2 where possible
▪ AES is more secure, use TKIP for better
performance
▪ Change your SSID every so often
▪ Wireless network users should use or upgrade
their network to the latest security standard
released
Wireless Network Tools
❖ MAC Spoofing
✓ http://aspoof.sourceforge.net/
✓ http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
✓ http://www.klcconsulting.net/smac/
❖ WEP Cracking tools
✓ http://www.backtrack-linux.org/
✓ http://www.remote-exploit.org/articles/backtrack/index.html
✓ http://wepattack.sourceforge.net/
✓ http://wepcrack.sourceforge.net/
❖ Wireless Analysers
✓ http://www.kismetwireless.net/
✓ http://www.netstumbler.com/
IEEE 802.11 Services
[Figure: table of IEEE 802.11 services. The service provider may be a station or the DS; station services are implemented in every 802.11 station. Data is carried as the MAC Service Data Unit (MSDU).]
Association Services
• Association: establishes an initial association between a station and an AP
• Reassociation: enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another
• Disassociation: a notification from either a station or an AP that an existing association is terminated
Association-Related Services
• Transition types, based on mobility:
― No transition
• A station of this type is either stationary or moves only within
the direct communication range of the communicating stations of
a single BSS
― BSS transition
• Station movement from one BSS to another BSS within the same
ESS; delivery of data to the station requires that the addressing
capability be able to recognize the new location of the station
― ESS transition
• Station movement from a BSS in one ESS to a BSS within another
ESS; maintenance of upper-layer connections supported by
802.11 cannot be guaranteed
Wireless LAN Security Protocols
• Wired Equivalent Privacy (WEP) algorithm
― 802.11 privacy
• Wi-Fi Protected Access (WPA)
― Set of security mechanisms that eliminates most 802.11 security issues and was based on the current state of the 802.11i standard
• Robust Security Network (RSN)
― Final form of the 802.11i standard
IEEE 802.11i Services
• Authentication: the exchange between a user and an authentication server (AS); temporary keys are generated
• Access control: routes messages properly, facilitates key exchange
• Privacy: MAC level data are encrypted
• Security protocols that support the above services: next page
Elements of IEEE 802.11i
Phases of Operations: Possibilities
• Two wireless STAs in the same BSS communicate via an AP
• Two wireless STAs in the same ad hoc BSS communicate directly
• Two wireless STAs in different BSSs communicate via their APs
• A wireless STA communicates with a wired station via its AP
IEEE 802.11i Phases of
Operation
• Discovery: AP sends Beacon,
Probe responses to advertise its
802.11 security policy
• Authentication: STA and AS
prove their identities
• Key MGMT: cryptographic keys are generated and saved in the STA and SA
• Protected data transfer
• Connection termination
IEEE 802.11i
Phases of
Operation
IEEE 802.1X Access Control (for Controlling Access)
[Figure: two physical ports; many logical ports mapped to the physical ports.]
MPDU Exchange
• The authentication phase consists of three phases:
― Connect to AS
• The STA sends a request, through the AP it is associated with, for connection to the AS; the AP acknowledges this request and sends an access request to the AS
― EAP (Extensible Authentication Protocol) exchange
• Authenticates the STA and AS to each other
― Secure key delivery
• Once authentication is established, the AS generates a master session key and sends it to the STA
IEEE 802.11i Keys for Data Confidentiality and Integrity Protocols
• EAP: Extensible Authentication Protocol
• EAP over LAN: supports integrity and origin authentication
• EAP Key Encryption Key: protects confidentiality
• Temporal Key (TK): protects transmission
IEEE 802.11i Key Hierarchy (Key MGMT)
Phases of Operation: 4-way Handshake
Temporal Key Integrity Protocol (TKIP)
• Designed to require only software changes to devices that implement WEP
• Provides two services:
― Message integrity: adds a message integrity code to the 802.11 MAC frame after the data field
― Data confidentiality: provided by encrypting the MPDU
Summary
• Wireless security overview
― wireless network threats
― wireless security measures
― IEEE 802.11 wireless LAN overview
― Wi-Fi alliance
― IEEE 802 protocol architecture
― IEEE 802.11 network components and architectural model
― IEEE 802.11 services
