Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Library of Congress Cataloging-in-Publication Data

Swaminatha, Tara M.

Wireless security and privacy : best practices and design techniques

Tara M. Swaminatha, Charles R. Elden.

p. cm.

Includes bibliographical references and index.

1. Wireless communication systems--Security measures. 2. Wireless communication systems--Design and construction. 3. Privacy, Right of.

I. Elden, Charles R. II. Title.

TK5103.2 .S93 2003

384.5--dc21 2002071657

Copyright © 2003 by Pearson Education, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

First printing, September, 2002


To my grandparents, Joseph and Nora McGraw


To my wife, Sandra




Wireless security is becoming increasingly important as wireless applications and systems are widely adopted. Numerous organizations have already installed or are busy installing Wireless Local Area Networks (WLANs). These networks, based on the IEEE 802.11b standard, are very easy to deploy and inexpensive. Other important trends in wireless adoption include the introduction of wireless e-mail with devices such as the BlackBerry and the Palm VII, rampant digital cell phone use (including the use of Short Message Service [SMS]), and the advent of Bluetooth devices. Wireless is clearly here to stay.

But all is not well in the wireless universe. The risks associated with the adoption of wireless networking are only now coming to light. A number of impressive attacks are possible and have been heavily publicized, especially in the IEEE 802.11b arena. Since October 2000, at least ten major wireless security stories have played out (see Table F.1). These stories were covered by the New York Times, the Wall Street Journal, CNN, and NBC Nightly News, among others. Apparently, the world finds wireless security both interesting and important.

Table F.1. A Chronology of Wireless Security Topics, Issues, and Stories (Incomplete)

October 2000 | Jesse Walker of the University of Maryland | Several problems in WEP
January 2001 | U.C. Berkeley researchers Nikita Borisov, Ian Goldberg, and David Wagner | Seminal work on WEP insecurity
March 2001 | University of Maryland researchers Bill Arbaugh, Narendar Shankar, and Justin Wan | Several access control and authentication problems in 802.11b
June 2001 | Tim Newsham from @stake | A key generation algorithm problem leading to dictionary attacks
August 2001 | Scott Fluhrer, Itsik Mantin, and Adi Shamir | A cryptographic flaw in the RC4 key setup algorithm used by WEP
August 2001 | Avi Rubin from AT&T Research and Adam Stubblefield of Rice University | Implementation of the WEP crack
October 2001 | Bob Fleck from Cigital's Software Security Group | ARP cache poisoning attacks that work against 802.11 networks
February 2002 | Arunesh Mishra and Bill Arbaugh from the University of Maryland | Several flaws in 802.1X (still in committee)
May 2002 | Avi Rubin of AT&T Research | X10 Wireless camera vulnerabilities

The most interesting thing about wireless security is the opportunity presented by the very recent adoption of wireless technology. New users of wireless technology have a chance to build things properly and securely as they adopt wireless networks and create applications to run on them. That's not to imply that this will be easy, because it will not be. This book presents an important, and a necessary, introduction to critical issues in wireless security, something that will be extremely useful to those adapting wireless technology. Armed with a solid understanding of reality, readers of this book are unlikely to fall prey to hype.

As far as base technology is concerned, wireless security appears to be following the usual "penetrate and patch" route. This is unfortunate, but perhaps unavoidable. Early wireless security is focused almost exclusively on cryptography and secure transmission--with unfortunate results thus far. WEP security, the cryptography built into 802.11b, for example, is completely broken and offers very little real security. In fact, one might argue that using WEP is worse than using no cryptography at all, because it can lull users into a completely unfounded sense of security. Given that our wired networks are in such bad shape, perhaps the notion of attaining "wired equivalent privacy" is ironically accurate after all!

An overreliance on cryptography springs from a misunderstanding of the fact that cryptography is a tool with which to approach security (and not security itself). This misunderstanding is deeply entrenched in many other subfields of security, especially software security, where "magic crypto fairy dust" is sprinkled liberally over designs in hope of attaining an easy security solution. Alas, software security is not that easily accomplished. Neither is wireless security.

The Gates memo of January 2002 highlights the importance of building secure software to the future of Microsoft. But software security reaches far beyond shrink-wrapped software of the sort that Microsoft produces. Software has worked its way into the very heart of business and government and has become essential in the new millennium. Software applications will clearly play a crucial role in the successful evolution of wireless systems. This is a critical fact that, to their credit, the authors understand and highlight in this book.

Mature software security practices and sound systems security engineering should be used when designing and building wireless systems. Security measures must be implemented throughout the wireless software development lifecycle, or wireless applications risk running afoul of the same security pitfalls that currently afflict wired applications. The difficulty in constructing a secure wireless system lies in the medium's limitations: Devices are smaller, communications speeds are slower, and consumers are more demanding. These limitations force a trade-off between security and functionality. The trick to sound security is to begin early, know your threats (including language-based flaws and pitfalls), design for security, and subject your design to thorough objective risk analyses and testing.

This book will help.

Gary McGraw, Ph.D.
Trento, Italy
May 2002