Wireless Network Vulnerabilities

Many new technological solutions being embraced by the mobile workforce include the use of mobile data-connected equipment such as cell phones, text pagers, and personal digital assistants (PDAs). Mobile equipment may use many different communications standards, including long-range mobile communications using the Wireless Application Protocol (WAP) or i-Mode standards, as well as wireless local area network (WLAN) communications using the 802.11 wireless fidelity (Wi-Fi) or Bluetooth standards.

Wireless Transport Layer Security (WTLS)

Wireless Transport Layer Security (WTLS) is the security level for the Wireless Application Protocol (WAP). Its objective is to provide reliability and privacy for wireless applications. The basis for WTLS is Transport Layer Security (TLS). WTLS was developed because most wireless devices have limited memory and processing power and operate in limited-bandwidth environments.

In a wireless environment, the client communicates directly with a gateway. The gateway translates the request to communicate with a server. WTLS encrypts the communication between the client and the gateway. The gateway then decrypts the message and reencrypts it using SSL.

WTLS presents several security issues. It allows for weak algorithms, and there is a possibility that the gateway could be compromised if it is not properly protected. For more information on security and WTLS, see www.hut.fi/~jtlaine2/wtls/#chap4.3.

WTLS is continually being developed, and future versions may address some of the current vulnerabilities.


Wireless Local Area Networks (WLANs) Using 802.11x or Bluetooth Standards

New technologies using radio frequency transmissions are beginning to replace wired office networks and provide network support for mobile Bluetooth- or 802.11x-enabled devices. Popular coffee house chains, college campuses, apartment complexes, and home users are taking advantage of the rapid proliferation of 802.11b technology using the 2.4GHz unregulated range of frequencies made popular by many vendors producing Wi-Fi network equipment.

The 802.11 specifications extend the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) method of connectivity specified within the Ethernet protocol to provide wireless network access.

There are currently four 802.11x specifications:

  • 802.11: This specification was released in 1997. It has a data rate of 1 to 2Mbps in the 2.4GHz band.

  • 802.11a: This specification is an extension to 802.11. It provides up to 54Mbps in the 5GHz band.

  • 802.11b: Adopted in 1999, this specification provides 11Mbps (with fallback to 5.5, 2, and 1) in the 2.4GHz band.

  • 802.11g: This specification provides 20+ Mbps in the 2.4GHz band.

The Bluetooth wireless specification operates under the 802.11b specification at 1MHz in the 2.4GHz band. It uses frequency-hopping techniques to keep noise out of communications. Its distance is currently limited to about 10 meters. Each Bluetooth network can support eight devices, and many networks can operate in the same area. Its premise is communications in personal space or personal area networks (PANs).

WAP and i-Mode

Wireless technologies such as mobile data cell phones can present Web content in textual format using either the Compact Wireless Application Protocol (CWAP) over Japan's i-Mode standard or the Wireless Markup Language (WML) supported by the WAP standard. Both standards also provide the capability to access email, instant messaging, newsgroups, and other types of data.

The Wireless Application Protocol (WAP) forum is working with many standards organizations, including the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), to develop the official standard.


The WAP standard includes several other standard specifications:

  • Wireless Application Environment (WAE): Specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, and PDAs.

  • Wireless Session Layer (WSL): Equivalent to the Session layer of the Open Systems Interconnection (OSI) model.

  • Wireless Transport Layer (WTL): Equivalent to the Transport layer of the OSI model.

  • Wireless Transport Layer Security (WTLS): Specifies a WTL security standard based on the Transport Layer Security (TLS) standard. WTLS is optimized for low-bandwidth communications with possible lengthy delays between packet transmission and receipt, which is referred to as latency.

WAP uses WTLS, which must be decrypted when it gets to the gateway and then reencrypted to be forwarded on to the Web under the SSL protocol. WAP does not offer end-to-end security. The information flows in cleartext during this process, which is often referred to as the gap in the WAP. i-Mode, on the other hand, does not have these limitations.


Wired Equivalent Privacy (WEP)

Specifications for the Wired Equivalent Privacy (WEP) standard are detailed in the 802.11b (Wi-Fi) specification. This specification details a method of data encryption and authentication that may be used to establish a more secured wireless connection.

Recent developments in cryptography have revealed the WEP encryption method to be less secure than originally intended and vulnerable to cryptographic analysis of network traffic. Current recommendations for a more secure wireless network include the use of IPSec and VPN connectivity to tunnel data communications through a secured connection.


Site Surveys

A site survey is necessary before implementing any WLAN solution to optimize network layout within each unique location. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas.

A site survey should include a review of the desired physical and logical structure of the network, selection of possible technologies, and several other factors, including the following:

  • Federal, state, and local laws and regulations relating to the proposed network solution.

  • Potential sources of radio frequency (RF) interference, including local broadcast systems as well as motors, fans, and other types of equipment that generate radio frequency interference. This includes an analysis of potential channel overlap between wireless access point hardware.

  • Available locations for wireless access point (WAP) hardware installation and physical network integration connectivity.

  • Any special requirements of users, applications, and network equipment that must function over the proposed wireless network solution.

  • Whether a point-to-point (ad-hoc or wireless bridge) or multipoint wireless solution is required. In most solutions, point-to-multipoint connectivity will be required to support multiple wireless clients from each wireless access point connected to the physical network.
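The channel-overlap analysis named in the survey list can be scripted. The following is an added example, not part of the original text; it assumes 2.4GHz channels 1 to 13 with centers 5MHz apart and a transmission about 22MHz wide, and the access point names, channels, and in-range pairs are constructed.

```python
from itertools import combinations

CHANNEL_SPACING_MHZ = 5   # 2.4GHz channel centers are 5MHz apart
SIGNAL_WIDTH_MHZ = 22     # approximate width of one 802.11b transmission


def center_mhz(channel):
    """Center frequency of a 2.4GHz channel in the range 1-13."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside 1-13")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def overlap_mhz(ch_a, ch_b):
    """Spectrum shared by two channels in MHz (0 means no overlap)."""
    gap = abs(center_mhz(ch_a) - center_mhz(ch_b))
    return max(0, SIGNAL_WIDTH_MHZ - gap)


def overlapping_pairs(plan, in_range):
    """List (ap_a, ap_b, shared_mhz) for access points that can hear each
    other and whose channels share spectrum.

    plan: {ap_name: channel}
    in_range: set of frozenset({ap_a, ap_b}) pairs that the survey found
    to be within radio range of each other.
    """
    findings = []
    for a, b in combinations(sorted(plan), 2):
        if frozenset((a, b)) not in in_range:
            continue  # too far apart to interfere
        shared = overlap_mhz(plan[a], plan[b])
        if shared:
            findings.append((a, b, shared))
    return findings


# Constructed survey data for illustration
PLAN = {"lobby": 1, "floor2-east": 3, "floor2-west": 6,
        "warehouse": 6, "annex": 11}
IN_RANGE = {frozenset(p) for p in [
    ("lobby", "floor2-east"), ("floor2-east", "floor2-west"),
    ("floor2-west", "warehouse"), ("floor2-west", "annex")]}

if __name__ == "__main__":
    for a, b, shared in overlapping_pairs(PLAN, IN_RANGE):
        print(f"{a} (ch {PLAN[a]}) and {b} (ch {PLAN[b]}) share {shared}MHz")
```

Neighbors on channels 6 and 11 produce no finding, while two in-range access points on the same channel share the full 22MHz.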

All wireless networks share several common security vulnerabilities related to their use of radio frequency broadcasts, which may potentially be detected and compromised without the knowledge of the network administrator. Data transported over this medium is available to anyone with the proper equipment; therefore, it must be secured through encryption and encapsulation mechanisms not subject to public compromise.

Wireless solutions are susceptible to interception and sniffing because installing a wireless device is relatively easy to do, and many wireless devices are set up without any encryption. In addition, wireless communication takes place over airwaves; therefore, it is possible for hackers to access the network without any physical access. This is known as war-driving. A hacker can sit in the parking lot and access the network via unsecured wireless devices, especially because most networks use DHCP. The devices the hacker uses can easily obtain a network address because wireless access points advertise their presence and service set identifier (SSID).

You can use encryption on a wireless network, but the encryption (RC4) is weak. The RC4 keyspace is small; therefore, a hacker can use a sniffer to collect all the keys in a relatively short time. After the keys are collected, the encrypted text can be broken. Because so many networks are unprotected, if a hacker finds a network using encryption, he may move on, but if there is information on the network he wants to access, he may spend the additional time to hack the network.

To protect your wireless network, be sure that WEP is enabled, change the default SSIDs of access points, disable the SSID broadcast, and, if possible, use static addresses instead of DHCP. You may also want to put wireless access points in a DMZ and use a VPN for the wireless users or place them on a separate subnet. You should also use a program from outside of your building to check for rogue access points. Airsnort is a Linux program that can take advantage of the weakness in the key-scheduling algorithm of RC4. It can determine a WEP key in seconds. NetStumbler is a shareware program that logs an exceptional amount of data and also allows you to discover key details.
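The checks in the preceding paragraph can be run over the results of a survey of your own site. The following is an added example, not part of the original text; the record format, the inventory, the MAC addresses, and the default-SSID list are constructed assumptions and are not the output format of any particular scanning tool.

```python
# Sample vendor default SSIDs (assumed list; extend it for your own site)
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}


def audit_scan(scan, authorized_bssids):
    """Check each observed access point against the checklist above.

    scan: list of dicts with keys "bssid", "ssid" (empty string when the
    SSID is not broadcast) and "encryption" ("WEP" or "none").
    authorized_bssids: hardware addresses of access points you installed.
    Returns {bssid: [finding, ...]} for access points with findings.
    """
    authorized = {b.lower() for b in authorized_bssids}
    report = {}
    for ap in scan:
        bssid = ap["bssid"].lower()
        findings = []
        if bssid not in authorized:
            findings.append("rogue: BSSID not in inventory")
        if ap["encryption"].lower() == "none":
            findings.append("no encryption")
        if ap["ssid"]:
            findings.append("SSID broadcast enabled")
            if ap["ssid"].lower() in DEFAULT_SSIDS:
                findings.append("default SSID")
        if findings:
            report[bssid] = findings
    return report


# Constructed inventory and scan results for illustration
AUTHORIZED = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "", "encryption": "WEP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "linksys", "encryption": "none"},
    {"bssid": "00:11:22:33:44:03", "ssid": "corp-wlan", "encryption": "WEP"},
    # Unknown hardware address announcing the site's own network name
    {"bssid": "02:AA:BB:CC:DD:EE", "ssid": "corp-wlan", "encryption": "none"},
]

if __name__ == "__main__":
    for bssid, findings in audit_scan(SCAN, AUTHORIZED).items():
        print(bssid, "->", "; ".join(findings))
```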



Security+ Exam Cram 2 (Exam SYO-101)
Security+ Certification Exam Cram 2 (Exam Cram SYO-101)
ISBN: 0789729105
EAN: 2147483647
Year: 2005
Pages: 162
