9.6 How Intruders Obtain Network Access to a WLAN



Security attacks are typically divided into two classes, passive attacks and active attacks, each of which is further subdivided into other types of attack. A passive attack is one in which an unauthorized party simply gains access to an asset without modifying its content (i.e., eavesdropping). Passive attacks are carried out either by simple eavesdropping or by traffic analysis (sometimes called traffic flow analysis). While eavesdropping, the attacker merely monitors network transmissions, inspecting packets, sometimes for specific message content. Examples include listening to the transmissions between two workstations on a LAN or tuning in to the transmissions between a wireless handset and a base station. In traffic analysis, the attacker gains intelligence more subtly, by looking for patterns in the traffic exchanged during the communication. A considerable amount of information is contained in the flow of messages between communicating parties.

Active attacks are those in which an unauthorized party makes deliberate modifications to messages, data streams, or files. This type of attack can usually be detected, but it often cannot be prevented. Active attacks usually take one of four forms, or a combination of them:

  1. Masquerading

  2. Replay

  3. Message modification

  4. Denial-of-Service (DoS)

In masquerading, the attacker successfully impersonates an authorized network user and gains that user's level of privilege. In a replay attack, the attacker monitors transmissions (a passive attack) and then retransmits captured messages as if they had been sent by a legitimate user. Message modification occurs when an attacker alters legitimate messages by deleting, adding, changing, or reordering their content. DoS is the condition in which the attacker prevents normal use of the network.

9.6.1 WLAN Attacks

All risks known to exist with 802.11 standards-based equipment are the result of one or more of the active or passive attack methods described above. These attacks generally cause a loss of proprietary information; the affected company bears legal and recovery costs and sometimes even a tarnished image when an attack that caused a total loss of network service (known in the security field as an event) is publicized. With the rapid growth and adoption of 802.11b WLAN technology by organizations eager to capitalize on the benefits of "going wireless," hackers have many chances to take advantage of these known vulnerabilities when they discover that an adopter follows lax security practices. Numerous published reports and papers have described attacks on 802.11 wireless networks and exposed the risks to any organization deploying the technology. Those planning to adopt WLAN technology would be wise to find these papers, educate themselves and their staff on the risks and, moreover, weigh those risks against the benefits of using the WLAN.

9.6.2 WEP Decryption Tools

WEP decryption software recovers WEP encryption keys by passively monitoring data transmission on a WLAN segment. Once enough data has been collected, these tools compute the cryptographic key used to encrypt the traffic, and from that point the network is totally insecure. For this to work, the software must collect enough packets formed with "weak" initialization vectors. AirSnort and WEPcrack are wireless packet analyzers that are readily available on the Internet and are very popular WEP crackers; both run in Unix-based environments.

AirSnort was one of the first tools created to automate the analysis of network traffic. Unfortunately, hackers quickly discovered that it is also well suited to breaking into wireless networks. AirSnort leverages known vulnerabilities in the key-scheduling algorithm of RC4, the cipher that forms the basis of the WEP standard. The software monitors WLAN data passively and computes the encryption key after roughly 100 MB of network packets have been sniffed. On a busy network, collecting this amount of data may take only three or four hours; if traffic volume is low, it could easily stretch to a few days. Once the packets have been collected and analyzed, the cryptographic key can be determined in a matter of milliseconds. This gives the attacker the root key, and he or she can then read the cleartext of any packet traversing the WLAN.

9.6.3 MAC Address Spoofing and Circumventing Filters

Numerous 802.11 product vendors provide the ability to restrict access to the WLAN using device MAC ACLs, which are stored on and distributed across many APs. An adversary can defeat such filtering by capturing a series of wireless frames during normal business hours at the target location; the captured frames contain all the information needed to circumvent MAC filters. From the packet trace produced by a wireless protocol analyzer such as WildPackets Airopeek or Network Associates Sniffer Pro Wireless, the hacker can derive valuable information. By reviewing the BSSIDs (the MAC address of an access point) in the trace, the hacker can determine which units are access points and which are clients, after which it is a rather simple matter to deduce the SSIDs and MAC addresses used by the connecting clients. IP subnet information can also be recorded in order to establish subsequent network connections once the hacker's device is associated with the target access point. With this data in hand, the hacker is in a position to gain unauthorized access to the target network.

9.6.4 Rogue AP Exploitation

Rogue APs pose huge security risks. Malicious users have been known to surreptitiously place rogue APs in closets, under conference room tables, and in other hidden areas of buildings to gain unauthorized access to targeted networks. As long as the rogue AP is located close to WLAN users, it can intercept wireless traffic between an authorized AP and its wireless clients without being detected. To intercept client traffic, the rogue AP must present a stronger signal than the existing AP. Malicious users can also gain access to a wireless network through APs configured to allow blanket access without authorization.

9.6.5 Exploiting Confidentiality Weaknesses

Confidentiality means that specific information is not made available or disclosed to unauthorized individuals, entities, or processes. It is a fundamental security requirement for most organizations. Because of the very nature of wireless communications, confidentiality is a difficult requirement to implement: it is often impossible to control the distance over which a WLAN transmission travels, which makes traditional physical security countermeasures ineffective for WLANs. Passive eavesdropping of wireless communications is a significant risk to any organization. Because 802.11b signals can travel outside the building perimeter, hackers are often able to listen in and obtain sensitive data such as corporate proprietary information, network IDs, passwords, and network and systems configuration data. Sometimes the hacker is even an insider who may be disgruntled. The extended range of 802.11 broadcasts enables hackers to detect transmissions from company parking lots or from positions curbside on nearby roads. This kind of attack, which is performed with a wireless network analyzer tool, or sniffer, is particularly easy for two reasons:

  1. Confidentiality features of WLAN technology are often not even enabled.

  2. Numerous vulnerabilities in 802.11b security mechanisms can be exploited.

An AP connected to the network through a hub poses yet another risk to confidentiality. Hubs generally broadcast all network traffic to every connected device, which leaves hub-relayed traffic open to unauthorized monitoring. When an access point is connected to a hub instead of a switch, an adversary with a laptop and a wireless NIC set to promiscuous mode can monitor that broadcast traffic and easily pick up data intended for wireless clients. Consequently, organizations should consider using switches instead of hubs for connections to wireless access points.

9.6.6 Exploiting Data Integrity Weaknesses

Wireless networks face the same data integrity issues found in wired networks. Organizations frequently implement wireless and wired communications without adequate data encryption, and as a result data integrity can be very difficult to achieve. A determined hacker can compromise data integrity simply by deleting or modifying data in an e-mail from an account found on the wireless system. The impact of such message modification can be quite detrimental to an organization, depending on the importance of the e-mail and how widely it is distributed across the company. The existing security features of 802.11 do not provide strong message integrity, which leaves the network open to other kinds of active attacks. The WEP integrity mechanism is simply a linear Cyclic Redundancy Check (CRC). Without a cryptographic integrity mechanism, such as message authentication codes or hash codes (message digests), message modification attacks are possible.
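The linear CRC the paragraph refers to can be demonstrated directly. The following is an added example, not code from the book: it models WEP-style framing (payload plus a CRC-32 ICV, XORed with a keystream) and shows that an edit to the encrypted payload can be given a matching ICV using only the affine property of CRC-32, with no knowledge of the keystream, whereas the same edit against an HMAC-SHA256 tag is rejected. The keystream, keys and messages are constructed stand-ins; RC4 is replaced by a fixed byte string because only the XOR structure matters here.

```python
import hashlib
import hmac
import zlib
from typing import Optional

# Constructed stand-ins: a fixed keystream plays the role of RC4 output for one
# IV, and MAC_KEY is the key a MAC-based design would hold (both assumptions).
KEYSTREAM = hashlib.sha256(b"constructed keystream seed").digest() * 4
MAC_KEY = hashlib.sha256(b"constructed integrity key").digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """CRC-32 of data as four little-endian bytes, the layout WEP uses."""
    return zlib.crc32(data).to_bytes(4, "little")


def crc_protect(plaintext: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """WEP-style framing: append the CRC-32 ICV, then XOR with the keystream."""
    body = plaintext + icv(plaintext)
    return xor_bytes(body, keystream[: len(body)])


def crc_verify(frame: bytes, keystream: bytes = KEYSTREAM) -> Optional[bytes]:
    """Decrypt and return the payload if its CRC matches, else None."""
    body = xor_bytes(frame, keystream[: len(frame)])
    payload, tag = body[:-4], body[-4:]
    return payload if icv(payload) == tag else None


def flip_payload(frame: bytes, delta: bytes) -> bytes:
    """Apply an XOR difference to the encrypted payload and patch the ICV to
    match, without the keystream. Works because CRC-32 is affine over XOR:
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of the same length)."""
    zeros = bytes(len(delta))
    tag_delta = (zlib.crc32(delta) ^ zlib.crc32(zeros)).to_bytes(4, "little")
    return xor_bytes(frame, delta + tag_delta)


def mac_protect(plaintext: bytes, keystream: bytes = KEYSTREAM,
                key: bytes = MAC_KEY) -> bytes:
    """Hardened variant: a keyed HMAC-SHA256 tag replaces the CRC."""
    body = plaintext + hmac.new(key, plaintext, hashlib.sha256).digest()
    return xor_bytes(body, keystream[: len(body)])


def mac_verify(frame: bytes, keystream: bytes = KEYSTREAM,
               key: bytes = MAC_KEY) -> Optional[bytes]:
    """Decrypt and return the payload only if the HMAC tag verifies."""
    body = xor_bytes(frame, keystream[: len(frame)])
    payload, tag = body[:-32], body[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo() -> tuple:
    """Same payload edit against both schemes; returns what each verifier accepts."""
    original = b"PAY 100 TO ALICE"
    wanted = b"PAY 900 TO MALLO"            # same length, chosen difference
    delta = xor_bytes(original, wanted)

    crc_frame = crc_protect(original)
    forged = flip_payload(crc_frame, delta)
    accepted_by_crc = crc_verify(forged)     # b"PAY 900 TO MALLO": forgery passes

    mac_frame = mac_protect(original)
    # Flip the same bits; a keyed tag cannot be patched without the key, so the
    # tag bytes are left untouched and verification fails.
    tampered = xor_bytes(mac_frame, delta + bytes(32))
    accepted_by_mac = mac_verify(tampered)   # None: forgery rejected
    return accepted_by_crc, accepted_by_mac


if __name__ == "__main__":
    print(demo())
```

The CRC branch never touches the keystream: the ICV correction depends only on the chosen difference and the payload length, which is exactly why a checksum designed to catch random bit errors gives no protection against a deliberate edit. The HMAC branch fails for the same edit because the tag depends on a key the editor does not hold.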

9.6.7 Exploiting Authentication Weaknesses of the Service Set Identifier

Two methods are defined in the 802.11b specification for validating wireless users as they attempt to gain access to a network. One method depends on cryptography. The other consists of two types of checks used to identify a wireless client attempting to join a network; both of these noncryptographic approaches are considered identity-based verification mechanisms. When establishing a connection, the wireless station requesting access replies to a challenge with the SSID of the wireless network; there is no true "authentication." This method is known as closed system authentication. With closed system authentication, wireless clients must respond with the actual SSID of the wireless network; that is, a client is allowed access if it responds with the correct 0- to 32-byte string identifying the BSS of the wireless network. Conversely, with open system authentication, a client is considered authenticated if it simply responds with an empty string for the SSID, hence the name "NULL authentication." Both of these primitive types of authentication are only identification schemes, not true authentication methods, and neither offers strong security against unauthorized access. Both open and closed authentication schemes are highly vulnerable to attack, and steps should always be taken to mitigate that risk.

It is possible for a WLAN to hide its SSID from potential intruders. Currently, a few APs have a software setting that suppresses transmission of the SSID in order to obscure the WLAN's identity. Even with this feature, it is fairly easy for a hacker to learn the SSID of an active but hidden WLAN: the hacker sends a spoofed "disassociate" message to the AP, which forces the wireless station to disconnect and reconnect to the WLAN. This method of forcing a hidden WLAN to reveal its SSID typically takes a hacker less than a second to execute against a station that is actively transmitting data.
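Two of the behaviours described in this section, a second radio reusing an authorized client's MAC address (9.6.3) and spoofed disassociation frames (above), leave traces in the frames themselves. The following is an added example, not from the book or from any of the tools it names: it runs two common wireless-IDS heuristics over a small constructed capture. The first flags a source MAC whose 12-bit 802.11 sequence counter repeatedly jumps backwards, which a single radio does not do; the second flags a source that emits a burst of deauthentication or disassociation frames within a short window. The frame records, MAC addresses and thresholds are all constructed for the example, and the capture is assumed to be in time order.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

SEQ_MODULO = 4096  # 802.11 sequence numbers are 12 bits wide

# Constructed addresses for the sample capture (not real devices).
AP_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "66:77:88:99:aa:bb"


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured 802.11 frame."""
    ts: float   # capture time in seconds
    kind: str   # "data", "deauth", "disassoc", ...
    src: str    # transmitter address
    dst: str    # receiver address
    seq: int    # 12-bit sequence number


def seq_anomalies(frames: List[Frame]) -> Dict[str, int]:
    """Count backwards jumps of the sequence counter per source MAC.

    One radio increments its counter by one per frame (a retransmission repeats
    the value, giving a gap of 0), so a counter that keeps jumping backwards
    suggests two radios transmitting under the same address. Heuristic
    threshold (an assumption): a modular gap above half the range is backwards.
    """
    last: Dict[str, int] = {}
    hits: Dict[str, int] = defaultdict(int)
    for f in frames:
        if f.src in last:
            gap = (f.seq - last[f.src]) % SEQ_MODULO
            if gap > SEQ_MODULO // 2:
                hits[f.src] += 1
        last[f.src] = f.seq
    return dict(hits)


def disconnect_bursts(frames: List[Frame], window: float = 1.0,
                      threshold: int = 4) -> Set[str]:
    """Return source MACs that send >= threshold deauth/disassoc frames within
    any `window` seconds. Legitimate disconnects are sparse; a tight burst is
    the signature of a forced disconnect."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Set[str] = set()
    for f in frames:
        if f.kind not in ("deauth", "disassoc"):
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(f.src)
    return flagged


def sample_capture() -> List[Frame]:
    """Constructed capture: a legitimate client (counter near 1000) interleaved
    with a second radio using the same MAC (counter near 40), then a burst of
    five disassociation frames sent under the AP's address."""
    frames: List[Frame] = []
    t = 0.0
    for i in range(6):
        frames.append(Frame(t, "data", CLIENT_MAC, AP_MAC, 1000 + i))
        t += 0.1
        frames.append(Frame(t, "data", CLIENT_MAC, AP_MAC, 40 + i))
        t += 0.1
    for i in range(5):
        frames.append(Frame(5.0 + 0.05 * i, "disassoc", AP_MAC, CLIENT_MAC, 2000 + i))
    frames.append(Frame(60.0, "disassoc", AP_MAC, CLIENT_MAC, 2100))  # benign, isolated
    return frames


if __name__ == "__main__":
    capture = sample_capture()
    print("possible MAC reuse:", seq_anomalies(capture))
    print("disconnect bursts:", disconnect_bursts(capture))
```

Neither check needs the WEP key or any knowledge of the ACL: both work on fields every frame carries in the clear, which is what makes them usable from a passive monitoring sensor. Tune `window` and `threshold` to the environment; roaming clients and legitimate AP reboots produce isolated disconnects, not bursts.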

9.6.8 Exploiting Cryptographic Weaknesses

A common cryptographic technique used for authentication is shared key authentication, a simple "challenge and response" scheme whose premise is that the client can demonstrate knowledge of a shared secret. The access point generates a random challenge and sends it to the wireless client. The client encrypts the challenge with a cryptographic key (the WEP key) that it shares with the AP and returns the encrypted result. The AP decrypts the client's response and grants access only if the decrypted value matches the challenge it issued. The RC4 stream cipher is used to compute the encrypted and decrypted values. This authentication method is considered a rudimentary cryptographic technique. It does not provide mutual authentication: the client does not authenticate the AP, so there is no assurance that a client is communicating with a legitimate AP rather than a rogue AP. Challenge-response schemes of this kind are considered a very weak form of security, and because of this weakness they are vulnerable to many types of attack, such as the man-in-the-middle attack.
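The gap the paragraph describes, that the client never verifies the AP, can be made concrete. The following is an added example, not the 802.11 shared-key procedure itself: it models the one-way challenge-response flow beside a mutual variant in which the client contributes its own nonce and requires the AP to prove knowledge of the shared key before answering. HMAC-SHA256 stands in for RC4 encryption of the challenge, and the key, nonces and access-point classes are constructed for the example. A rogue AP that does not know the key is accepted by the client in the one-way flow, since the client has nothing to check, and rejected in the mutual flow.

```python
import hashlib
import hmac
import secrets

# Constructed shared key (an assumption); in WEP this would be the static WEP key.
KEY = hashlib.sha256(b"constructed shared key").digest()


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for RC4 encryption of the challenge:
    HMAC-SHA256 over length-prefixed parts, so fields cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Station:
    """Wireless client that holds the shared key."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes, nonce: bytes = b"") -> bytes:
        return prf(self.key, b"sta-response", challenge, nonce)

    def verify_ap(self, nonce: bytes, challenge: bytes, proof: bytes) -> bool:
        expected = prf(self.key, b"ap-proof", nonce, challenge)
        return hmac.compare_digest(proof, expected)


class AccessPoint:
    """Legitimate AP that knows the shared key."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def prove(self, nonce: bytes, challenge: bytes) -> bytes:
        return prf(self.key, b"ap-proof", nonce, challenge)

    def verify_station(self, challenge: bytes, nonce: bytes, response: bytes) -> bool:
        expected = prf(self.key, b"sta-response", challenge, nonce)
        return hmac.compare_digest(response, expected)


class RogueAccessPoint(AccessPoint):
    """Impostor: does not know the key and accepts whatever the client sends."""

    def __init__(self) -> None:
        super().__init__(secrets.token_bytes(32))  # wrong key

    def verify_station(self, challenge: bytes, nonce: bytes, response: bytes) -> bool:
        return True


def one_way_auth(sta: Station, ap: AccessPoint) -> bool:
    """Shared-key style flow: AP challenges, station responds, only the AP
    decides. Returns whether the station ends up associated; the station learns
    nothing about whether the AP knows the key."""
    c = ap.challenge()
    return ap.verify_station(c, b"", sta.respond(c))


def mutual_auth(sta: Station, ap: AccessPoint) -> bool:
    """Mutual variant: the station supplies a nonce and requires the AP to prove
    key knowledge before it answers the AP's challenge."""
    nonce = secrets.token_bytes(16)  # chosen by the station
    c = ap.challenge()
    if not sta.verify_ap(nonce, c, ap.prove(nonce, c)):
        return False  # station refuses to associate with an unproven AP
    return ap.verify_station(c, nonce, sta.respond(c, nonce))


if __name__ == "__main__":
    sta = Station(KEY)
    print("one-way, real AP: ", one_way_auth(sta, AccessPoint(KEY)))
    print("one-way, rogue AP:", one_way_auth(sta, RogueAccessPoint()))
    print("mutual, real AP:  ", mutual_auth(sta, AccessPoint(KEY)))
    print("mutual, rogue AP: ", mutual_auth(sta, RogueAccessPoint()))
```

The station's nonce is what gives the mutual flow its value: the AP's proof must be fresh for this run and computed under the shared key, so a rogue AP can neither replay an old proof nor fabricate one. In the one-way flow the station has no such check, which is the weakness the paragraph points to.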




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153