802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)

UNCLASSIFIED

IT SECURITY

TECHNICAL PUBLICATION

802.11 Wireless LAN Vulnerability
Assessment (ITSPSR-21A)

ITSPSR-21A

May 2009

May 2009

UNCLASSIFIED

802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)

This page intentionally left blank.

May 2009

UNCLASSIFIED


Foreword
The 802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A) is an
UNCLASSIFIED publication, issued under the authority of the Chief, Communications
Security Establishment Canada (CSEC).

Suggestions for amendments should be forwarded through departmental
communications security channels to your Client Services Representative at CSEC.

Requests for additional copies or changes in distribution should be directed to your
Client Services Representative at CSEC.

For further information, please contact CSEC’s ITS Client Services area by e-mail at
client.svcs@cse-cst.gc.ca or call (613) 991-7600.

Effective Date
This publication takes effect on May 1st, 2009.

____________________________________________________
Gwen Beauchemin
Director, Mission Management

Government of Canada, Communications Security Establishment Canada © 2009

It is not permissible to make copies or extracts from this publication without the written consent of CSEC.

Foreword May 2009 i

UNCLASSIFIED



ii May 2009

UNCLASSIFIED


Executive Summary
WLAN devices based on the IEEE 802.11 standard have a number of vulnerabilities related to
the fact that wireless signals are sent over the air rather than through closed wiring paths. In
WLANs, network traffic is broadcast into uncontrolled public spaces, which may result in the
compromise of sensitive information. Additionally, signals from unauthorized external sources
may easily enter the network, allowing attackers to join the network as though they were bona-
fide users. This creates risks not only for the WLAN but also for any other network to which it is
connected. These risks may also arise on traditional wired networks because it is easy and
inexpensive for users to install their own WLAN devices without the knowledge or consent of
network authorities. The risk of outside attack is very high: activities such as “war driving” and
free, simple-to-use software tools for discovering and exploiting WLANs are readily available
and may allow outsiders to penetrate the network.

The 802.11 standard originally included provision for a security scheme known as Wired
Equivalent Privacy (WEP), which provided some protection against casual interception of
network traffic or insertion of unauthorized traffic. However, WEP suffered from serious design
weaknesses that made it vulnerable to hacker exploitation tools. Recent 802.11 revisions include
improved security mechanisms in the form of Wi-Fi Protected Access (WPA) and 802.11i (also
called WPA2). WPA2 addresses the weaknesses in previous schemes and features strong, AES-
based encryption (some brands/models of WLAN APs carry FIPS140-2 certification), as well as
802.1X enterprise authentication features allowing WLAN access authentication to be integrated
with existing corporate user authentication mechanisms (smart cards, tokens, PKI, biometrics,
etc). Practical attacks against WPA2 are few and primarily targeted at Pre-Shared Key (PSK)
deployments.

Note that these security features are usually turned off by default, and must be enabled to have
any effect: WLANs deployed without enabling security features leave the network wide open to
discovery and attack.

CSEC recommends that WPA2 security be mandatory with 802.1X authentication wherever
possible for all unclassified WLAN deployments within the Government of Canada. Older
equipment not supporting WPA2 must be replaced or upgraded. In instances where especially
sensitive information may be transferred over a WLAN, additional security measures such as
end-to-end encryption or VPNs should also be deployed. Other essential protection measures
include network monitoring for unusual traffic and to detect the installation of unauthorized
wireless devices.

CSEC is in the process of developing a comprehensive security solution to mitigate the risk of
802.11 WLAN technology. This solution will combine a variety of measures including the use of
Firewalls, Virtual Private Network (VPN) encryption and strong authentication, which
departments should deploy to isolate WLANs from sensitive government networks.

Executive Summary May 2009 iii

UNCLASSIFIED



iv May 2009

UNCLASSIFIED


Revision History

Document No. Title Release Date

ITSPSR-21 802.11 Wireless LAN Vulnerability Assessment November 2002

Revision History May 2009 v

UNCLASSIFIED



vi May 2009

UNCLASSIFIED


Table of Contents
Foreword......................................................................................................................... i
Effective Date ................................................................................................................. i
Executive Summary ..................................................................................................... iii
Revision History ............................................................................................................ v
Table of Contents ........................................................................................................ vii
List of Abbreviations and Acronyms.......................................................................... xi
1 Introduction ........................................................................................................... 1
1.1 Background .................................................................................................. 1
1.2 Purpose ........................................................................................................ 1
1.3 Scope ........................................................................................................... 1
1.4 Document Structure ..................................................................................... 1
2 802.11 WLAN System Overview ........................................................................... 3
2.1 Technology................................................................................................... 3
2.1.1 Background........................................................................................ 3
2.1.2 Infrared (IR) Technology .................................................................... 3
2.1.3 Radio Frequency (RF) Technology .................................................... 4
2.2 Architecture .................................................................................................. 5
2.2.1 General .............................................................................................. 5
2.2.2 Ad Hoc Mode ..................................................................................... 5
2.2.3 Infrastructure Mode............................................................................ 6
2.2.4 Distribution System Mode .................................................................. 6
2.2.5 Wireless Distribution System Mode ................................................... 7
2.2.6 Wireless Mesh Networks ................................................................... 7
2.3 WLAN Standards.......................................................................................... 8
2.4 IEEE 802.11 Standards .............................................................................. 10
2.4.1 Background...................................................................................... 10
2.4.2 IEEE 802.11 Task Groups/Amendments ......................................... 10
2.5 Wi-Fi™ Interoperability Standard ............................................................... 12
2.5.1 Wireless Ethernet Compatibility Alliance (WECA) and the Wi-Fi
Alliance ............................................................................................ 12
3 Security Mechanisms.......................................................................................... 17
3.1 General....................................................................................................... 17
3.2 Access Control ........................................................................................... 17
3.2.1 General ............................................................................................ 17
3.2.2 Service Set Identifier (SSID) ............................................................ 17
3.2.3 MAC Address Access Control List (ACL)......................................... 18
3.3 Authentication Services .............................................................................. 18
Table of Contents May 2009 vii

UNCLASSIFIED


3.3.1 General ............................................................................................ 18
3.3.2 Open System Authentication ........................................................... 18
3.3.3 Shared Key Authentication .............................................................. 19
3.3.4 802.1X Authentication...................................................................... 19
3.4 Data Confidentiality and WEP/WPA/802.11i/WPA2 ................................... 21
3.4.1 General ............................................................................................ 21
3.4.2 Wired Equivalent Privacy (WEP) Protocol ....................................... 21
3.4.3 Wi-Fi Protected Access (WPA) ........................................................ 22
3.4.4 IEEE 802.11i/Wi-Fi Protected Access version 2 (WPA2)................. 23
4 Vulnerabilities...................................................................................................... 25
4.1 Access Control Vulnerabilities .................................................................... 25
4.1.1 General ............................................................................................ 25
4.1.2 SSID ................................................................................................ 25
4.1.3 MAC Address Access Control List (ACL)......................................... 25
4.2 Authentication Mechanism Vulnerabilities .................................................. 25
4.2.1 General ............................................................................................ 25
4.2.2 Shared Key Authentication Flaw...................................................... 25
4.2.3 802.1X/EAP Vulnerabilities .............................................................. 26
4.3 WEP Vulnerabilities .................................................................................... 26
4.3.1 General ............................................................................................ 26
4.3.2 Keystream Re-use ........................................................................... 26
4.3.3 Message Integrity ............................................................................ 26
4.3.4 Key Management............................................................................. 26
4.4 WPA/WPA2 Vulnerabilities......................................................................... 27
4.4.1 General ............................................................................................ 27
4.4.2 Key Management............................................................................. 27
4.4.3 4-Way Handshake and Weak Passphrase Vulnerability .................. 27
4.4.4 WPA MIC Spoofing Countermeasure .............................................. 28
4.5 Configuration Defaults ................................................................................ 28
4.6 Simple Network Management Protocol (SNMP)......................................... 28
5 Exploits ................................................................................................................ 29
5.1 Network Discovery and Access Attacks ..................................................... 29
5.1.1 General ............................................................................................ 29
5.1.2 Network Discovery........................................................................... 29
5.1.3 Network Access via Wireless Router ............................................... 29
5.2 Denial of Service (DoS) Attacks ................................................................. 30
5.2.1 General ............................................................................................ 30
5.2.2 AP Takeover .................................................................................... 30
5.2.3 AP Cloning....................................................................................... 30
5.2.4 RF Jamming .................................................................................... 30
5.3 WEP Protocol Attack .................................................................................. 31
5.3.1 General ............................................................................................ 31
viii May 2009

UNCLASSIFIED


5.3.2 Passive Attack ................................................................................. 31
5.3.3 Active Attacks .................................................................................. 31
5.3.4 Decryption Table Attack................................................................... 32
5.4 WPA/WPA2 Attacks ................................................................................... 32
5.4.1 General ............................................................................................ 32
5.4.2 Pre-Shared Key Dictionary Attack ................................................... 32
5.5 Monitoring and Interception Attacks ........................................................... 32
5.5.1 General ............................................................................................ 32
5.5.2 Traffic Sniffing.................................................................................. 33
5.5.3 Broadcast Monitoring ....................................................................... 33
5.5.4 Man-in-the-Middle Attack ................................................................. 33
6 Solutions.............................................................................................................. 35
6.1 Overview .................................................................................................... 35
6.2 Determine Range of Your Network Coverage ............................................ 35
6.3 Do Not Broadcast Your SSID ..................................................................... 36
6.4 Do Not Use the Default SSID ..................................................................... 36
6.5 Use WPA2.................................................................................................. 36
6.6 Use 802.1X Server-based Authentication................................................... 37
6.7 Change the Key Frequently........................................................................ 37
6.8 Use a VPN and Firewall to Isolate the WLAN............................................. 37
6.9 Use a Personal Firewall on Every Wireless Client...................................... 37
6.10 Consider Wireless Intrusion Detection/Prevention Systems....................... 37
7 Future Work ......................................................................................................... 39
8 Conclusions and Recommendations ................................................................ 41
9 References........................................................................................................... 43

Table of Contents May 2009 ix

UNCLASSIFIED



x May 2009

UNCLASSIFIED


List of Abbreviations and Acronyms
AES Advanced Encryption Standard
ACL Access Control List
AP Access Point
ARP Address Resolution Protocol
ATM Asynchronous Transfer Mode
BSS Basic Service Set
CBC Cipher Block Chaining mode
CCMP Counter-mode with CBC-MAC Protocol
CRC Cyclic Redundancy Checksum
CSEC Communications Security Establishment Canada
DHCP Dynamic Host Configuration Protocol
DES Data Encryption Standard
3DES Triple DES
DoS Denial of Service
DSSS Direct Sequence Spread Spectrum
EAP Extensible Authentication Protocol
ESS Extended Service Set
ETSI European Telecommunications Standards Institute
FCC Federal Communications Commission
FHSS Frequency-Hopping Spread Spectrum
FIPS Federal Information Processing Standards (USA)
GC Government of Canada
GHz GigaHertz
GPS Global Positioning System
HiperLAN High Performance Radio Local Area Network (ETSI)
IBSS Independent Basic Service Set
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
IR Infrared
IrDA Infrared Data Association
ISM Industrial, Scientific And Medical
ISO International Organization For Standardization
IT Information Technology
ITS Information Technology Security
IV Initialization Vector

List of Abbreviations and Acronyms May 2009 xi

UNCLASSIFIED


LAN Local Area Network
MAC Medium Access Control (IP) or Message Authentication Code
(Crypto)
MAN Metropolitan Area Network
Mbps Megabits per Second
MIC Message Integrity Code
MIMO Multiple-Input/Multiple-Output
NAI Network Access Identifier
OCB Offset Code Book
OFDM Orthogonal Frequency Division Multiplexing
OSI Open Systems Interconnection
PHY Physical (Layer)
PMK Pairwise Master Key
PKI Public Key Infrastructure
PPP Point-to-Point Protocol
PRNG Pseudo-Random Number Generator
PSK Pre-Shared Key
PTK Pairwise Transient Key
RC4 Rivest Cipher 4/Ron’s Code 4 (Encryption Algorithm)
RF Radio Frequency
RSN Robust Security Network
SNMP Simple Network Management Protocol
SSH Secure Shell
SSID Service Set Identifier
TKIP Temporal Key Integrity Protocol
TMTO Time-Memory Trade-Off
UMTS Universal Mobile Telecommunications System

VPN Virtual Private Network
WAN Wide Area Network
WECA Wireless Ethernet Compatibility Alliance (see also WFA)
WEP Wired Equivalent Privacy
WFA Wi-Fi Alliance (new name for WECA)
WIDS Wireless Intrusion Detection System
Wi-Fi™ Wireless Fidelity, a Trademark of the Wi-Fi Alliance
WIPS Wireless Intrusion Prevention System
WLAN Wireless Local Area Network
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access version 2
xii May 2009

UNCLASSIFIED


WPAN Wireless Personal Area Network
WRAP Wireless Robust Authenticated Protocol
XOR Exclusive OR

List of Abbreviations and Acronyms May 2009 xiii

UNCLASSIFIED



xiv May 2009

UNCLASSIFIED


1 Introduction
1.1 Background
With the rapidly increasing adoption of 802.11 technology, WLAN products have become
mainstream and increasingly common in business, education, and home environments. The
enhanced mobility and productivity offered by wireless technology, along with the long-term
cost saving and ease of installation, have attracted organizations to make the move to this
innovative technology. However, both federal departments and private companies are deploying
wireless networks often without fully understanding the security risks associated with their use.

1.2 Purpose
This report provides vulnerabilities and solutions for the use of an 802.11 WLAN in the federal
government environment. It is based on an analysis of the information discovered in the test
laboratory at CSEC and information currently available through open sources such as
manufacturers, and technological organizations and associations. The primary goal of this
vulnerability assessment report is to provide government clients with a better understanding of
the risks involved prior to developing plans for wireless network deployments.

1.3 Scope
This report focuses on the main commercially available variants of the WLAN standard:
802.11b, g and the soon-to-be-approved 802.11n. Their present popularity, relative maturity and
the wide availability of products make the aforementioned versions of the standard the best
models for vulnerability assessment of the 802.11 WLAN technology. It must be pointed out,
however, that most of the information that is provided in this document is not exclusive to
802.11b/g/n but also applies to 802.11a and other 802.11 WLAN standards to various degrees.

1.4 Document Structure
This report provides a brief overview of the WLAN architectures and the IEEE 802.11 standard
that dominates the WLAN market today, followed by an explanation of the security mechanisms,
the vulnerabilities of these mechanisms and some commonly known 802.11 exploits. Interim
steps to mitigate the problems are also included.

Introduction September 2008 1

UNCLASSIFIED



2 May 2009

UNCLASSIFIED


2 802.11 WLAN System Overview
2.1 Technology
2.1.1 Background
Unlike conventional LANs, which rely on physical connections of copper wire or optical fibre to
transport information, Wireless LANs (WLANs) use infrared (IR) light or radio frequency (RF)
electromagnetic waves to transmit and receive data. Wireless technology provides all of the
functionality of wired LANs but removes the physical constraints imposed by the need to hard-
wire the user community. This simplifies and speeds up network installation and increases
flexibility and scalability, while allowing greater user mobility. These advantages, combined
with the ever-increasing data bandwidth offered by wireless technology, make WLANs an
attractive alternative for individuals and organizations that plan to implement or expand a LAN
without having to install or move wires.
In a WLAN environment, each computer that requires over the air connectivity must be equipped
with a WLAN adapter. These adapters normally take the form of plug-in cards for installation in
the expansion slots of desktop computers, PC Cards or USB dongles for installation in the
appropriate slots of notebooks and laptops. These cards and adapters are simply network
interface cards with a built in radio transceiver and a miniature antenna that provide the RF
communication link (or in the case of IR-based WLANs, an infrared emitter/detector pair).
Virtually all recent laptop models come with some variety of WLAN built-in (one or more of:
IR, 802.11, Bluetooth). While this practice increases the convenience and eliminates the number
of additional cards and adapters that must be carried by the user, it adds the complication that in
most cases, such built-in WLAN hardware cannot be easily upgraded to take advantage of new
security or user features.

2.1.2 Infrared (IR) Technology
IR is used in a variety of Information Technology (IT) applications including WLANs and
wireless interfaces for connecting computer and peripheral devices, commonly known as serial
IR links. IR was originally a non-standardized technology, with each vendor and equipment
manufacturer implementing a proprietary protocol; however the Infrared Data Association
(IrDA) was quickly formed to produce a set of standards governing IR computer connectivity.
The IrDA Data standard addresses the use of IR for high speed, short range, line-of-sight, and
point-to-point wireless data transfer. The IrDA Control standard covers the communications
between PCs and wireless peripherals such as the keyboard or mouse. Laser technology is also
employed to establish optical data links capable of transmitting information in a direct line-of-
sight for distances of several kilometers.
The legacy IEEE 802.11 standard also defines the use of infrared as a transmission technology;
however, no commercial 802.11 IR products are known to have been developed and this portion
of the standard has not been updated since the initial release of the standard in 1997.
802.11 WLAN System Overview May 2009 3

UNCLASSIFIED


2.1.3 Radio Frequency (RF) Technology

2.1.3.1 General
RF has become the de-facto technology for the majority of today’s WLANs. Radio signals can
travel in all directions for distances ranging from a few metres to several kilometers. These
characteristics can be very practical in situations where wide or long-range coverage is required
but they become problematic when the signal’s propagation needs to be limited. The fact that
the destination of radio signals cannot be precisely controlled makes this medium the most
vulnerable to undetected interception and exploitation. All unprotected radio traffic can be
monitored with widely available radio equipment by anyone located within the range of the
transmitter; however it is important to note that amplifiers and specialized antennas can also be
used solely at the receiver site to increase the effective range of radio signals, therefore simply
controlling the transmitter power is not sufficient to limit the propagation of signals. For
example, the use of RF wireless computer keyboards should be avoided for the processing of
sensitive information since they broadcast the information that is typed on them, and even
though the transmit power is comparatively low, this information may be still be intercepted at
range. In addition to signal interception, RF communications are also subject to spurious and
deliberate electromagnetic interference that can result in the inability to communicate.

2.1.3.2 Spread Spectrum
The development of spread-spectrum communications technology has been claimed to have
alleviated the vulnerabilities of standard RF transmission: Unlike narrowband systems that
transmit a powerful signal on a single frequency, spread-spectrum systems transmit a low power
signal over a broad range of frequencies. The signal is spread according to pre-established
parameters or patterns that must also be known by the receiver so that it can recover the signal.
This transmission technique provides more resistance to noise and interference and is less
vulnerable to jamming and casual interception. In the case of WLANs, the hardware must be
aware of the signal spreading parameters in order to receive a spread-spectrum signal, so these
parameters are pre-programmed into the hardware chipsets used to build these products.
Although these chipset were intended to be developed into standalone WLAN AP and
workstation hardware, it is inevitable that tools and methods are developed for exploiting these
pre-programmed receivers for the purpose of intercepting spread-spectrum WLAN
communications. Many such tools are freely available on the Internet, and therefore none of the
spread spectrum technologies should be considered to be sufficient to secure a WLAN.
Several signal-spreading schemes have been developed but the methods that prevail in the
WLAN domain are:
1. Frequency Hopping Spread Spectrum (FHSS)
2. Direct Sequence Spread Spectrum (DSSS) and
3. Orthogonal Frequency Division Multiplexing (OFDM)

4 May 2009

UNCLASSIFIED


FHSS and DSSS are the original spread-spectrum technologies employed in 802.11 WLANs.
The concept of expanding spectral use through frequency hopping is fairly self-explanatory;
DSSS is based on the mathematical principle of convolution and provides a greater data
throughput and a higher immunity to interference than FHSS. OFDM is a multi-carrier wideband
modulation scheme introduced in the 802.11g revision and provides even greater data throughput
and is much more resistant to interference than the previous schemes. 802.11n introduces
OFDM+MIMO, which continues to use the same 2.4 GHz frequency band and basic modulation
scheme of OFDM, but adds techniques for using multiple transmitters and receivers while taking
into account temporal and spatial characterization of the RF environment. This effectively
increases the available bandwidth using a practice known as “channel bonding” (combining
multiple adjacent channels into one large channel) to further increase range and throughput.

2.2 Architecture
2.2.1 General
There are five forms of wireless network architectures currently allowed in the overall 802.11
standard: Ad-Hoc Mode, Infrastructure Mode, Distribution System Mode, Wireless Distribution
System mode and Wireless Mesh.

2.2.2 Ad Hoc Mode
In the ad-hoc mode, as illustrated in Figure 1, wireless devices create a LAN by communicating
freely and directly with each other without a centralized base station. This architecture is also
referred to as the peer-to-peer network or the Independent Basic Service Set (IBSS). This
network structure is easy to implement as it requires no infrastructure and minimal
administration but the transfer of information is limited to the propagation range of the
transmitting device.

Figure 1 - WLAN in Ad Hoc Mode


UNCLASSIFIED


2.2.3 Infrastructure Mode
In the more commonly used infrastructure mode, the network is built around a central base
station, or Access Point (AP). The information transmitted by the originating device is received
by the AP and routed to the proper destination. As illustrated in Figure 2, the AP is physically
connected to the wired LAN’s backbone and it provides the communication link between the
wireless client devices and any of the wired network devices. The AP also functions as a radio
relay capable of forwarding information to/from wireless devices that are too distant to
communicate directly with each other. The infrastructure mode is referred to as the Basic Service
Set (BSS).

Figure 2 - WLAN in Infrastructure Mode

2.2.4 Distribution System Mode
The distribution system mode is also referred to as Extended Service Set (ESS) mode. In the
distribution system mode, multiple APs are connected to the wired network by a switching or
bridging device, enabling a WLAN client to roam between APs, thus providing greater range and
mobility. Roaming capability is also provided to mobile users. Note that the roaming capability
requires special AP support and may not be available on all brands/models of AP. Additionally,
the inter-AP communication required to support wireless roaming is not covered by the 802.11
standard as it is a higher layer protocol and most manufacturers either do not implement this
feature or utilize a proprietary protocol; thus in general, roaming between different brands of AP
is not possible, even though they may be connected to the same network.
In an 802.11 WLAN system operating in distribution mode, as a user moves around and out of
range of an AP, the user’s mobile device will re-associate with the next AP in the extended set.
Therefore it will remain “connected” to the network and able to start and receive new
connections on the new AP. However, without dedicated AP roaming support, any existing
open network sessions on the old AP will generally not follow the user to the new AP (unless the
particular application in use by the user has its own roaming capability). This LAN structure is
more complex and in the case of RF-based wireless devices, requires careful frequency or
channel management so that APs do not interfere with each other.

6 May 2009

UNCLASSIFIED


Figure 3 - WLAN in Distribution System Mode

2.2.5 Wireless Distribution System Mode
In the Wireless Distribution System (WDS) mode, a wireless link is used to interconnect
multiple APs, allowing the wireless network to be expanded without the need for wired
infrastructure. The reduction in wired infrastructure allowed by WDS comes at the expense of
throughput. Because each AP must re-broadcast any received WDS traffic in a “repeater”-like
fashion, wireless throughput is cut approximately in half for each hop that a message must travel
over, so that wireless clients at the end of a long string of WDS-connected APs may see very
poor throughput. Additionally, like the wireless roaming functionality discussed previously,
WDS requires Layer 3 and 4 interaction to manage the routing and this aspect is not standardized
under 802.11, which deals primarily with Layers 1 and 2, and thus WDS may be incompatible
between different brands of AP. Finally, in WDS, all APs in the chain must share the same radio
channel and security keys, therefore dynamically assigned encryption keys (e.g. enterprise
WPA/WPA2) are generally not supported over a WDS connection.

Figure 4 - WLAN in Wireless Distribution System Mode

2.2.6 Wireless Mesh Networks
Wireless mesh networks combine features of ad-hoc wireless networks, as well as infrastructure
wireless networks in wireless distribution system mode. The result is a robust wireless
infrastructure network that may be deployed with minimal wiring and cabling costs but is no
longer just confined to a local area, but normally extend to Metropolitan Area Network (MAN)
or Wide Area Network (WAN) scales.
Wireless mesh networks products have been previously released under proprietary standards, but

UNCLASSIFIED


have begun to converge under the banner of the Wi-Mesh Alliance and the proposed 802.11s
standard. This standard allows both wireless mesh ad-hoc networks and wireless mesh
infrastructure networks and defines the routing protocols needed to make the system work.
Security for the proposed standard includes the definition of 802.11i, but adds enhancements to
deal with re-keying and authentication issues in this architecture.

Figure 5 - WLAN in Wireless Mesh Mode

2.3 WLAN Standards
Wireless networking technology has matured through the development of proprietary systems by
various manufacturers. In the absence of formal standards, many manufacturers introduced their
own, however most of these proprietary systems have been superseded by systems based on the
various IEEE standards. Table 1 identifies some of the leading and competing standards and
lists some of their specifications and intended applications. The products that are offered under
most of these proprietary standards are not interoperable. Another issue is the opportunity for
interference among the products from the different manufacturers causing a reduction in data
throughput. Because many standards use the same unlicensed frequency band, spread-spectrum
technology cannot completely eliminate the possibility of packet collisions.
In addition to the standards described on the table, still other wireless networking standards are
in use. These standards are unrelated to 802.11 and are intended to meet different needs and
include standards for Wireless USB (IEEE 802.15.3), ZigBee Industrial Control (802.15.4), or
standards for WiMAX wireless metropolitan area networks (802.16e).

8 May 2009

UNCLASSIFIED


Table 1 – Key WLAN Standards
IEEE 802.11 802.11b 802.11a 802.11g 802.11n HiperLAN HiperLAN/2 HomeRF IEEE 802.15.1
(Draft 2.0) (ETSI) (ETSI) Bluetooth

Frequency 2.4 GHz 2.4 GHz 5 GHz 2.4 GHz 2.4 GHz 2.4 GHz 5 GHz 2.4 GHz 2.4 GHz

RF Technology FHSS or DSSS DSSS OFDM OFDM OFDM+MIMO Single carrier Single carrier FHSS FHSS

Max Transfer Rate 2 Mbps 11 Mbps 54 Mbps 54 Mbps 248 Mbps 23 Mbps up to 54 Mbps 1.6 Mbps 1 Mbps

Typical Outdoor 100 metres 150 metres 120 metres 150 metres 250 metres 100 metres 100 metres 50 metres 10 metres
Range

Security Wired Wired Wired Wired Wired NAI/IEEE NAI/IEEE Optional Challenge-
Equivalent Equivalent Equivalent Equivalent Equivalent address/ address/X.509 response using
Protection Protection Protection Protection Protection X.509 secret key
(WEP) (WEP) + (WEP) + (WEP) / WiFi (WEP) / WiFi (Bluetooth 1.0-
optional WiFi optional WiFi Protected Protected 2.0), Elliptic
Protected Protected Access (WPA/) / Access Curve Diffie-
Access (WPA) Access 802.11i (WPA2) (WPA/) / Hellman
(WPA) 802.11i (Bluetooth 2.1)
(WPA2)

Encryption 40-bit RC4 up to 104-bit up to 104-bit up to 104-bit up to 104-bit DES, 3DES DES, 3DES 128-bit 128-bit E0
RC4 (WEP), RC4 (WEP), RC4 (WEP), RC4 (WEP), Cipher, 128-bit
128-bit RC4 w/ 128-bit RC4 128-bit RC4 w/ 128-bit RC4 w/ SAFER+, ECDH
TKIP key w/ TKIP key TKIP key TKIP key (in version 2.1
scheduling scheduling scheduling scheduling and later)
(WPA) (WPA) (WPA), 128-bit (WPA), 128-bit
AES (WPA2) AES (WPA2)

Fixed network Ethernet Ethernet Ethernet Ethernet Ethernet Ethernet Ethernet, Ethernet PPP, Ethernet
support IP, ATM, UMTS,
FireWire, PPP 5

Applications Wireless Data Wireless Wireless Data Wireless Data Wireless Data Wireless Data Wireless Cable
Data Wireless Data Replacement
Multimedia Wireless Wireless Data
voice Wireless Voice


UNCLASSIFIED


2.4 IEEE 802.11 Standards
2.4.1 Background
In 1985, the U.S. Federal Communications Commission (FCC) decided to open the Industrial,
Scientific, and Medical (ISM) bands, operating at 902 to 928MHz, 2.4 to 2.483GHz, and 5.725
to 5.875GHz, for unlicensed public use. This not only fulfilled a demand for commercial
communication, but it also sparked the development of WLAN technology. The Institute of
Electrical and Electronics Engineers (IEEE) established the 802.11 WLAN standard [1] in 1997
in an attempt to standardize wireless LAN products utilizing the ISM band. This standard has
since been adopted by the International Organization for Standardization / International
Electrotechnical Commission (ISO/IEC).
The IEEE 802.11 core specification addresses both the Physical (PHY) and Data Link layers of
the Open Systems Interconnection (OSI) Basic reference model. The legacy standard proposed
three (mutually incompatible) implementations for the physical layer: IR pulse modulation, RF
signaling using FHSS, and RF signaling using DSSS. The most obvious difference between the
WLAN and the traditional wired LAN is the physical medium for data transmission; there is no
physical wiring required for the 802.11 network.
The IEEE 802.11 standard has several key amendments. Products compliant to the 802.11a, b
and g amendments are in common use today, with an increasing number of products based on the
“Draft 2.0” release of 802.11n. Key specifications for each of these amendments can be found in
Table 1.
Historically, the first successful commercial 802.11 WLAN products were compliant with the
802.11b standard. Both 802.11a and b amendments were actually adopted at the same time, but
because 802.11b was less complex than 802.11a, products compliant with the 802.11b standard
rapidly materialized while products under 802.11a only reached the market in 2002. Since that
time, the 802.11g amendment which utilized the same 2.4 GHz band as 802.11b, but delivered
faster and more robust connections as well as greater range, has come to dominate the market.
Although in terms of number of units sold, 802.11b products still comprise the majority of global
WLAN market; sales of 802.11g products are poised to surpass this.

2.4.2 IEEE 802.11 Task Groups/Amendments

2.4.2.1 General
Core standard 802.11 WLANs based on IR transport were never commercially implemented and
the RF-based versions suffered from low transmission speed (2 Mbps). The IEEE later
established several task groups to explore various improvements to the original 802.11 core
standard.

May 2009 10

UNCLASSIFIED


2.4.2.2 802.11a Amendment
Task Group A explored the unlicensed 5.0 GHz frequency band, using Orthogonal Frequency
Division Multiplexing (OFDM), working to achieve throughputs up to 54 Mbps. The 802.11a
extension [2] was completed in 1999 and in 2002 vendors began releasing products compliant to
this extension. Because of the different operating band and modulation, the 802.11a standard is
not backward compatible or interoperable with the 802.11b standard. Several vendors are
marketing dual-band, multi-standard (802.11a and 802.11b/g) APs. The 802.11a is currently
licensed for use in North America and most European countries; however commercial use of
802.11a has historically been quite limited.
Recently, 802.11a has enjoyed somewhat of a resurgence in popularity due to the development
of enterprise mesh infrastructure networks. In such networks, 802.11a is used for
communications between APs, and 802.11b/g is used for communications between AP and
wireless clients.

2.4.2.3 802.11b Amendment
Task Group B explored DSSS technology to boost data rates in the original 2.4 GHz band. The
802.11b extension [3], published in September 1999, delivers raw data rates up to 11 Mbps,
which gave data rate parity with the popular 10 Mbps “10Base” wired LAN systems of the day.
The majority of WLAN systems in the market today follow the 802.11b standard and it is
accepted throughout North America, Europe and Asia.

2.4.2.4 802.11g Amendment
Task Group G approved the development of the new extension to the 802.11 standard in
November 2001; the resultant amendment was approved in 2003. The 802.11g operates at 2.4
GHz with mandatory compatibility to 802.11b and uses the OFDM multicarrier modulation
scheme to achieve a maximum data rate of 54 Mbps.

2.4.2.5 802.11n Amendment
Task Group N is currently engaged in the development of the higher data rate extensions to the
802.11 standard. As with 802.11b and g, the 802.11n standard will operate at 2.4 GHz with
mandatory compatibility to 802.11b/g and uses OFDM with MIMO techniques to achieve a
maximum projected data rate of 248 Mbps. As described earlier in this document,
OFDM+MIMO utilizes the same basic modulation as 802.11g. However it utilizes multiple
transceivers with advanced techniques to compensate for both the spatial and temporal variations
of the RF channel as well as the practice of “channel bonding” in order to greatly increase the
range and raw data rate. The 802.11n is still in the draft stage with an expected final approval in
2010, however many “Pre-N” or “Draft-N” products have already begun emerging on the
market. Consumers are cautioned when purchasing such products because, as draft-based
products, they are not subject to the same interoperability testing as full-standard compliant
products. As such, they are not guaranteed to be compatible with, and may not be upgradeable,


UNCLASSIFIED


to the finalized release of the standard.

2.4.2.6 802.11i Amendment
Unlike the previously listed amendments, 802.11i is not focused on RF technologies, frequencies
and data rates. Instead, Task Group I was tasked with addressing the security vulnerabilities in
the existing WEP security. Although work on 802.11i began in 2000, it was not ratified until
2004. Recognizing a need to improve 802.11 WLAN security sooner rather than later, in 2001,
the Wi-Fi Alliance developed an interim improved security standard based on a draft of 802.11i.
This interim release was dubbed Wi-Fi Protected Access (WPA) and turned out to be largely
compatible with the finalized 802.11i, which was subsequently given the name Wi-Fi Protected
Access version 2 (WPA2). This is the name that the 802.11i is commonly known by today.
WPA2 improves on the basic WEP security framework in several ways. Firstly, by adding
improved authentication (all authentication schemes allowed under the Extensible
Authentication Protocol (EAP), defined by RFC 3748, are supported by 802.11i, however most
commercial products only support a limited number of modes: Enterprise authentication using a
RADIUS server, and the pre-shared key mechanism carried over from WEP). Secondly, by
significantly improving the strength of the cryptographic algorithms: 128-bit AES-CCMP is used
as the encryption algorithm in WPA2, which provides substantial security margin over the RC4,
CRC-32 and “Michael” algorithms used previously in WEP and WPA.
While WPA2/802.11i has addressed the majority of WEP deficiencies, one surprising criticism
levelled at WPA2 was its use of AES encryption, which although very strong, also significantly
increased the processing requirements, which many devices utilizing slower microprocessors
were unable to fulfill. As a result, there still exist many devices on the market which only
implement the interim WPA standard with its reduced processing requirements and somewhat
weaker security.

2.4.2.7 Other 802.11 Extensions
There are many other 802.11 extensions dealing with various aspects of WLANs in progress or
being planned. For example, 802.11e addresses wireless quality of service (QoS) concerns,
802.11p and 802.11r address mobility use and roaming, 802.11s deals with ad-hoc mesh
networks, 802.11w is a proposed security-related amendment intended to address the remaining
issue of network management information frames being transmitted without protection or
encryption, and 802.11y which proposes to extend the use of 802.11 into the 3.7 GHz frequency
band. A full list of 802.11 amendments and working groups is available on the IEEE web site.

2.5 Wi-Fi™ Interoperability Standard
2.5.1 Wireless Ethernet Compatibility Alliance (WECA) and the Wi-Fi Alliance
Manufacturers often include proprietary features that render their products incompatible with
those of other companies. To address this concern, several manufacturers founded WECA in

May 2009 12

UNCLASSIFIED


1999. WECA defined a test suite [5] to ensure interoperability of 802.11b products and correct
implementation of WEP. This was soon expanded to include interoperability suites for 802.11g
and WPA. In 2002, WECA changed its name to the Wi-Fi Alliance, and at the time of writing,
the Wi-Fi Alliance has over 320 industry and affiliate members.
Products that pass these tests are deemed to be Wi-Fi (Wireless Fidelity) compliant and are
permitted to display the logo. The popular backing of Wi-Fi™ has enabled the 802.11b/g
family of products to dominate the WLAN market.
Although often used interchangeably in the media, the terms 802.11 and Wi-Fi™ are not
synonymous. The IEEE 802.11 standard contains amendments dealing with all aspects of
WLANs and the 802.11a/b/g/n amendments in particular are PHY and Medium Access Control
(MAC) layer specifications whereas Wi-Fi™ is an only interoperability certification for
802.11a/b/g products. Originally, Wi-Fi was intended to refer only to 2.4 GHz interoperable
products, and a Wi-Fi5™ designation was created for certifying 5 GHz band 802.11a WLAN
products, however with the increasing prevalence of dual-band products supporting both 2.4GHz
and 5 GHz standards, the certification was unified to a single Wi-Fi certification. At the time of
writing, the following mandatory aspects are covered:
1. Radio standards for 802.11a, b, g, including multi-band support
2. Security implementation: WEP, WPA, WPA2
3. Authentication implementation: EAP
The Wi-Fi Alliance also offers optional certification programs for:
1. Product interoperability for 802.11n Draft 2.0
2. Validation of “easy setup” security features
3. Multimedia-over-Wi-Fi features
4. Low-Power Wi-Fi for multimedia applications
5. Combined Wi-Fi + cellular devices (this certification is mandatory for combined devices
seeking CTIA certification)
It is important to note that although products may be Wi-Fi certified, this only refers to operation
within the strictures of the specific 802.11 standards. Devices may still contain non-standard,
proprietary operating modes which are not covered by the Wi-Fi interoperability requirements
(e.g., the “enhanced” 104 Mbps data rate of many commercial 802.11 devices are not compliant
with the official 802.11 standards and such modes are generally NOT compatible or
interoperable between vendors, and indeed, may employ practices that actually interfere with
proper operation of strictly standards compliant devices which are located within common
transmission range). Users are further cautioned to check for compliance with Industry Canada
regulations before utilizing these non-standard modes, as some non-standard modes of operation

UNCLASSIFIED


are known to interfere with operation of other 802.11-based networks in the vicinity.

May 2009 14

UNCLASSIFIED




UNCLASSIFIED


3 Security Mechanisms
3.1 General
With any network, security is an important consideration. Unauthorized access can result in
sensitive information disclosure, data modification, denial of service and illicit use of resources.
Once an unauthorized user has gained access to the network, monitoring of the now unprotected
data can lead to user names and passwords being intercepted, which can then be used for further
attacks. WLANs are subject to all the security issues normally faced with conventional wired
LANs, but additionally, they suffer from vulnerabilities directly associated with the use of
wireless connectivity. The nature of the wireless medium makes it practically impossible to
confine the radio signals to a controlled area. These radiated signals are subject to clandestine
interception and exploitation. In a traditional wired LAN environment, the physical security of
the workplace provides some protection for the LAN as the users need to physically connect
wires to the network to access its resources. In a WLAN environment, this protection is no
longer enough since a wireless network can be accessed remotely from a distance without the
need for a physical connection: anyone using compatible wireless equipment can potentially
access the LAN.
To mitigate these security concerns, encryption is used in an attempt to make the signal unusable
by unauthorized parties if intercepted. However, as in most commercial products, ease-of-use for
the consumer is the primary concern To this day, the majority of 802.11 WLAN products
typically have all encryption options and security features turned off by default, or, where they
are enabled, devices will typically use the simplest and weakest encryption scheme available.

3.2 Access Control
3.2.1 General
Access control is a fundamental requirement for any sensitive network. However, the access
control mechanisms specified in the IEEE 802.11 standard are weak. The following two
mechanisms, although often promoted as security features, are intended more as an interference
prevention measure rather than access control measures.

3.2.2 Service Set Identifier (SSID)
APs send out beacon messages to announce their presence and operating parameters to clients.
The SSID is part of this beacon message that declares the AP’s identity to the network. A client
looking for a specific network to join would scan for this SSID and when the network is
discovered, the authentication process begins. By turning off the broadcast of this SSID, clients
would not be able to automatically identify and associate with the AP, but would instead require
pre-knowledge of the SSID. Unfortunately, this mechanism fails as a security feature because
although the SSID is no longer broadcast on the beacon, it is still sent out in other network
management traffic, which can be sniffed by an attacker.
Security Mechanisms May 2009 17

UNCLASSIFIED


3.2.3 MAC Address Access Control List (ACL)
Some vendors implement a MAC Address (i.e., Ethernet address) filter or ACL to prevent
unauthorized access to an AP. MAC addresses of authorized clients are entered and stored in a
list internal to the AP, and only clients with MAC addresses matching this list are allowed access
to the AP (alternately, certain MAC addresses may be blocked instead). This is similarly
ineffective as a security measure because all traffic sent over the network contains the MAC
address in the unencrypted header. Therefore, by capturing just a single packet and examining
its header, an attacker can determine a legitimate MAC address and program his device with this
address. Further, the process of manually maintaining a list of all permitted MAC addresses is
time consuming and error-prone making it only practical for small and fairly static networks.

3.3 Authentication Services
3.3.1 General
Unlike wired LANs, WLANs transmit over a medium without physical bounds. The IEEE
802.11 standard provides access control via the authentication service. All wireless devices use
an authentication mechanism to establish their identity prior to association. Association of
wireless devices is established only if the authentication is accepted. Authentication can be
performed between two devices or between a device and an AP. The IEEE 802.11 core standard
defines two types of authentication methods: Open System and Shared Key. The Wi-Fi
Alliance’s WPA standard and the 802.11i/WPA2 standards add additional authentication modes
and IEEE 802.1X authentication using the Extensible Authentication Protocol (EAP) is also
supported as an optional extension to all native authentication modes.
It is important to note that the native authentication methods authenticate the devices; they do
not authenticate the users of the devices. Further, in an infrastructure configuration,
authentication is not mutual. Only the wireless client device must prove its identity; the AP is
implicitly trusted and there is no way for a client to verify that an AP is legitimate. The use of
additional 802.1X authentication can be used to address these issues but requires the use of a
dedicated RADIUS or other authentication server and associated infrastructure to support the
additional authentication layer.

3.3.2 Open System Authentication
The Open System provides identification only and is essentially a “null” authentication. A client
requesting access to an AP simply sends its MAC address to the AP, and the AP replies with an
authentication verification message: any client who requests authentication with this algorithm
will be authenticated. This mode of authentication is implemented where ease-of-use is the
primary concern or when security is not an issue for a network administrator. It is important to
note that Open System authentication is the default setting in many 802.11 WLAN devices.
The 802.11 standard allows for use of WEP encryption even with open system authentication- in
this case, both devices must share a WEP key, but unlike the “Shared Key Authentication”

May 2009 18

UNCLASSIFIED


described in the next section, the key is not used for authentication, only for encryption. In this
mode, a client is authenticated using open system authentication and then both ends immediately
begin WEP-encrypted communications. This mode is actually considered somewhat more
secure than shared key authentication because key-related information is not exchanged over the
air.

3.3.3 Shared Key Authentication
Shared Key authentication is a feature of the original 802.11 standard and can only be used if the
legacy wireless security features of the device are enabled. It does not apply when WPA or
WPA2/802.11i is in use, where a similar but somewhat stronger “Pre-Shared Key” scheme is
available.
In this mode, the secret shared key is manually distributed and configured on all participating
stations. The Shared Key authentication process follows a challenge-response scheme where the
encryption/decryption is performed using WEP’s RC4 Pseudo-Random Number Generator
(PRNG) to validate the challenge-response. After a “success” message is received, the link is
considered authenticated. Note that the 802.11 standard also allows for shared key authentication
without link encryption, but virtually all consumer 802.11 WLAN devices will turn on link
encryption by default if shared-key authentication is used.
The Shared Key authentication method was intended to provide a greater degree of security
compared to the Open System authentication; however, weaknesses in the WEP encryption used
in the challenge-response scheme can allow the key to be easily recovered if this exchange is
intercepted by an attacker. As well, it must be noted again, that this authentication only
confirms the identity of the hardware not that of the user. Therefore, individuals gaining
unauthorized access to wireless devices registered for use on a network can potentially gain
access to the network. Because of this, the previously described method of using Open System
Authentication with WEP encryption is actually the preferred mode of operation if no stronger
authentication and encryption measures (e.g. WPA/WPA2) are available. However, adequate
user authentication is also essential no matter which mode is chosen.
802.11 does not specify any key management processes or mechanisms, therefore ensuring the
security of Shared Keys is the responsibility of the user. As with any passphrase-based system,
strong passphrases should be chosen to minimize the possibility of password guessing, and
should be changed regularly.

3.3.4 802.1X Authentication
Both the WPA and the WPA2/IEEE 802.11i amendment specify the mandatory use of another
standard, IEEE 802.1X, for network authentication. 802.1X is an Ethernet standard (IEEE 802.1
family; it is not wireless LAN specific) that provides a framework for authentication, on top of
which various methods (such as passwords, smart cards, certificates, etc) can be used to verify
identity. 802.1X works at the MAC layer to restrict network access to authorized entities.
Network connectivity is provided through the concept of ports, each of which represents an


UNCLASSIFIED


association between a client station and an access point. Further, the standard specifies three
entities involved in the authentication transaction: the supplicant, the authenticator and the
authentication server. A supplicant (wireless client) is an entity that desires to use a service
offered via a port on the authenticator (wireless access point). On a typical network, there may
be many ports available through which a supplicant may authenticate for service. The
authentication server is the entity that verifies the identity of the supplicant that was submitted to
the authenticator, and directs the authenticator to allow access if the verification was successful.

The IEEE 802.1X standard utilizes the Extensible Authentication Protocol (EAP) to permit a
variety of authentication mechanisms to be used. Like the legacy Shared Key authentication,
EAP is similarly based on a challenge-response scheme utilizing four distinct messages types:
EAP Request, EAP Response, EAP Success and EAP Failure. EAP is considered “extensible”
because these messages may be used to encapsulate virtually any authentication mechanism,
although in practice, only a limited set of protocols is supported by commercial WLAN
equipment. In EAP-based authentication, initially, the EAP Request message is sent to a
supplicant, indicating a challenge to which the supplicant responds with the EAP Response
message. Depending on the specific authentication method used, this challenge-response
exchange may be repeated several times and in both directions (allowing mutual authentication
to take place) to exchange authentication data until either an EAP Success or EAP Failure is sent
to allow or deny the connection request.
Use of 802.1X authentication has the potential to greatly increase the security of any LAN
installation, especially since the authentication method can be geared towards individual user
authentication vs. device authentication, which is recommended to be used wherever possible.
Note however that in most cases, a network utilizing 802.1X authentication requires the
installation of dedicated infrastructure in the form of the authentication server (RADIUS server).
Additionally, even when using server-based authentication, it is important to select a method
that addresses the necessary security requirements as not all EAP methods are created equal.
Methods are available that integrate with PKI-infrastructure, two-factor authentication using
tokens, etc, however most devices support at least the EPA-TLS method based on the Transport
Layer Security (TLS) protocol.
As described earlier, both WPA and WPA2/802.11i implement a Pre-Shared Key authentication
scheme that does not require an external authentication server and is intended for home or small
network use. Like the legacy Shared Key authentication, it relies on a challenge response
derived from a shared key in order to authenticate a device. The PSK mechanism uses a “4-way
handshake” based on 802.1X exchanges and is much stronger than the legacy RC4-based
challenge-response; however it is still vulnerable to attack if a weak passphrase is chosen.
Additionally, the use of the PSK mode of authentication suffers from the same issues as the
legacy mechanism, namely those of key management and device vs. user authentication.

May 2009 20

UNCLASSIFIED


3.4 Data Confidentiality and WEP/WPA/802.11i/WPA2
3.4.1 General
The IEEE 802.11 core standard specifies an optional data confidentiality mechanism using the
WEP protocol. It is intended to provide protection for a WLAN from casual unauthorized
eavesdropping and to ensure data integrity. Since its release, the WEP protocol has been proven
to exhibit many weaknesses, resulting in the development of stronger security and data
confidentiality measures. As documented earlier, IEEE 802.11 working group I was formed to
tackle this task. Due to the long process, the Wi-Fi Alliance released an interim standard known
as Wi-Fi Protected Access (WPA) which was based on an early draft of the eventual 802.11i
standard content. Because the two improved security standards turned out to be largely
compatible, 802.11i was also adopted by the Wi-Fi Alliance and came to be known as Wi-Fi
Protected Access version 2 (WPA2). Although WEP/WPA/WPA2 are strictly optional within
the 802.11 standard, they are requirements for Wi-Fi™ compliance certification.

3.4.2 Wired Equivalent Privacy (WEP) Protocol

3.4.2.1 Properties of WEP Protocol
WEP employs the RC4 PRNG algorithm by RSA Data Security, Inc. RC4 is a stream cipher
algorithm developed in 1987 by Ronald Rivest. The RC4 algorithm uses a variable sized
symmetric key independent of the plaintext to produce the ciphertext. The WEP protocol was
designed to be:
a. Reasonably strong (difficult to break through brute-force attack);
b. Self-synchronizing (WEP is self-synchronizing for each message);
c. Computationally efficient (may be implemented in hardware or software);
d. Exportable to all countries; and
e. Optional in use (however implementation is required for an 802.11 Wi-Fi™ compliant
product).

3.4.2.2 WEP Operation Theory
The RC4 stream cipher operates by expanding a secret key and a public 24-bit Initialization
Vector (IV) concatenated to a pre-shared key (generally, the same key used for the
authentication stage) into an arbitrarily long keystream of pseudo-random bits. Encryption is
achieved by performing an exclusive OR (XOR) operation between the keystream and the
plaintext to produce the ciphertext. Decryption is done by generating the identical keystream
based on the IV and secret key and XORing it with the ciphertext to produce the plaintext.
Details of the WEP operation can be found in the IEEE 802.11 standard [1].
Many 802.11b vendors produce products that support 40-bit and 104-bit WEP. Some vendors
refer to the 40-bit version as “64-bit WEP” and the 104-bit variant as “128-bit WEP”. This
discrepancy comes from the fact that although the 40-bit secret key and 24-bit IV are

UNCLASSIFIED


concatenated to make up 64-bits, the 24-bit IV is sent in the clear, thereby reducing the
effectiveness to only 40 bits. Similarly, 128-bit WEP is actually 104 bits of secret key plus the
24-bit IV. Several 802.11a vendors have added more non-standard WEP lengths, for example,
one popular brand of 802.11 appliance features a 152-bit or “True-128-bit” WEP which consists
of a 24-bit IV and a full 128-bit key, and another brand offers “256-bit WEP” (in this case, only
232-bit due to IVs). Readers are cautioned that such modes require matched hardware and
software at both the AP and the wireless client in order to function, and due to weaknesses in the
WEP algorithm, these longer key lengths are not considered any more secure than the basic
version. Only 40-bit WEP is specified in the 802.11b standard and the Wi-Fi™ requirements.
The other WEP lengths are uncertified industry add-ons that may or may not be well-
implemented from a security perspective.
Theoretical weaknesses in WEP were pointed out by Walker [8, 7] as far back as 2000, and the
first practical attacks against WEP appeared in 2001 [9], demonstrating that WEP is not a robust
protection mechanism. WEP suffers from important weaknesses that can provide opportunities
for disclosures of information, unauthorized access to the network and denials of service attacks.
Because of these vulnerabilities, WEP is ineffective as a primary security measure and the use
of WEP is not recommended for the protection of any Government of Canada data. It is
imperative that older equipment which does not support stronger security than WEP be replaced
or upgraded.

3.4.3 Wi-Fi Protected Access (WPA)
The Wi-Fi Protected Access (WPA) system was created by the Wi-Fi Alliance in an attempt to
address the security vulnerabilities in WEP. WPA was an intermediate measure to take the place
of WEP while the official 802.11i standards were being developed. WPA was in fact based on
an early draft of the 802.11i standard, with key frame information elements intentionally
changed to avoid the possibility of conflicts between WPA and the eventual 802.11i release.
The goals of WPA were largely the same as for WEP; improved security was the main objective,
but the new scheme had to be supported on the existing hardware base. To do this, RC4 was
retained as the data stream cipher due to its low processing requirements, but “wrapped” to cover
the insecurities of WEP.
Several major improvements were made in WPA to improve security. A full 128-bit secret key
and a larger 48-bit initialization vector (IV) was used- separate individual keys are used in each
direction as well as for integrity validation and a new key scheduling process known as the
Temporal Key Integrity Protocol (TKIP) was added. TKIP continuously and dynamically
changes these keys as the system operates and combined with the longer IV, defeats the key
recovery vulnerabilities present in WEP.
Related to TKIP, key security was improved in two ways. Firstly, when the Pre-Shared Key
mode is in use, by eliminating the practice of using the shared key and public IV directly as a
master encryption key (same key used for all operations in both upstream and downstream
directions) as was done in WEP. Instead, in WPA, a Pairwise Master Key (PMK, which, in this
May 2009 22

UNCLASSIFIED


mode, is the same as the shared key) is combined with other data exchanged during
authentication in a procedure known as the 4-Way Handshake, to derive a session-specific
Pairwise Transient Key (PTK) which in turn drives the TKIP dynamic key generation (as well as
key generation for other related WPA services). Note, however, that this does not solve any of
the PSK distribution and management issues with using this mode of operation. Secondly,
where an 802.1X authentication server is used, the server will generate a random PMK instead of
using a fixed key, further improving security.
In addition to authentication and encryption changes, WPA also improved the security around
message integrity. The weak 32-bit cyclic redundancy check (CRC32) used in WEP was
replaced by a somewhat stronger, key-based message integrity code (MIC) and also a frame
counter to prevent replay attacks. Although better than the CRC32 at error detection, the MIC
algorithm (called “Michael”) used in WPA is still considered cryptographically weak since it,
like the CRC32, is an invertible algorithm that was designed to be able to run on older hardware
platforms with limited processor capacity. WPA therefore also implements a MIC spoofing
countermeasure which is supposed to disable the wireless connection for one minute if more than
two frames that fail the MIC integrity check are detected in a one minute interval.
Unfortunately, because the system is wireless and subject to RF interference, the occasional
noisy frame can still pass all the simpler integrity checks and trigger the MIC check, causing a
shutdown of the network; intentional denial-of-service attackers can also take advantage of this
mechanism. For this reason, some commercial devices may not implement this countermeasure
or allow it to be turned off, which somewhat increases the risk of a spoofing attack, but improves
overall network robustness.

3.4.4 IEEE 802.11i/Wi-Fi Protected Access version 2 (WPA2)
The official IEEE-endorsed security improvement standard 802.11i was not ratified until 2004
and being backward compatible with the interim WPA standard, came to be known also as
WPA2. As of 2006, all commercial products that wish to be Wi-Fi certified must support WPA2
security measures.
WPA2 continues to support the simple Pre-Shared Key (PSK) mode of operation which can
complicate key management and distribution issues if there is even a moderate population of
wireless users. As with WPA, 802.1X Extensible Authentication Protocol (EAP) is supported;
however the Wi-Fi Alliance now requires validation for a wider range of 802.1X EAP methods
under WPA2 in its certification program.
Of primary significance in WPA2 is the introduction of an AES-based encryption algorithm
known as CCMP or “Counter-mode with CBC-MAC Protocol”, which is a cipher-block chaining
mode of 128-bit AES with integrated message integrity checking (64-bit MAC), as well as a
counter for protection against packet replay attacks.
Note that the WPA2 definition still supports the old RC4/TKIP/Michael mechanisms for
backwards compatibility, but when CCMP encryption is enabled, it completely replaces these
older mechanisms for much stronger ones and addresses the weaknesses in many of the WPA

UNCLASSIFIED


mechanisms: CCMP is now used to strengthen phases of authentication and key exchange and
the weak Michael algorithm is superseded by the integral CBC-MAC in CCMP. These and other
measures introduced in WPA2 comprise the new 802.11i Robust Security Network (RSN)
architecture, which largely address the flaws in previous wireless network standards. It should
be noted for Government of Canada users that AES-CCMP is a GC-approved mechanism for
securing up to Protected B data, and if the use of WLAN is supported by an appropriate threat-
risk assessment, use of WPA2 is mandatory for GC WLANs (in the USA, NIST similarly
requires the use of CCMP for securing Federal agencies’ IEEE 802.11-based WLANs) [21].
Finally, WPA2 optionally allows the use of another AES-based encryption mechanism called
WRAP (Wireless Robust Authenticated Protocol). This was the original mechanism chosen by
the 802.11i committee, and uses AES in the OCB (Offset Code Book) mode, which is considered
slightly stronger than the CCMP mode. However, it was abandoned in favour of the CCMP
mode due to intellectual property issues and the possibility of incurring licensing fees.

May 2009 24

UNCLASSIFIED


4 Vulnerabilities
4.1 Access Control Vulnerabilities
4.1.1 General
The 802.11 standard does not adequately address access control. The following two features
offer limited forms of access control.

4.1.2 SSID
The SSID is used for identifying the network, not as a security measure. Unfortunately, the use
of a SSID is often mistaken as a password protection. The SSID contained in the beacon frame is
always sent in plaintext, regardless of the deployment of the WEP option. Any wireless client,
malicious or not, can listen for this beacon to obtain the SSID and bypass this low level access
control.

4.1.3 MAC Address Access Control List (ACL)
Some 802.11 vendors offer a MAC Address ACL feature that provides minimal access control
by limiting access to only authorized wireless cards. Unfortunately, the packets containing the
MAC addresses are sent in clear text and the entries on the ACL can be easily obtained through
traffic monitoring. An unauthorized user can spoof these MAC addresses and try to gain access
to the AP. Most of the time, the AP has the factory configuration for the administrator username
and password. When the unauthorized user has accessed the AP, the configuration of the AP can
be changed.

4.2 Authentication Mechanism Vulnerabilities
4.2.1 General
The authentication mechanism defined in the 802.11 is used to bring the wireless link up to the
assumed physical standards of a wired link. There are vulnerabilities present in both the design
and the implementation of the service.

4.2.2 Shared Key Authentication Flaw
The Shared Key authentication mechanism is used before an association is allowed. During the
challenge-response sequence, both the plaintext challenge and the encrypted challenge are
transmitted. This is a potential security vulnerability since it allows for discovery of the key and
the IV pair used for the authentication sequence. The 802.11 standard recommends avoiding
using the same key and IV pair for the next frame transmitted but there is no guarantee that
implementations follow this recommendation. For this reason, as noted earlier in this document,
using Open System Authentication along with WEP is generally considered more secure as key-
related information is not transmitted.
Vulnerabilities May 2009 25

UNCLASSIFIED


4.2.3 802.1X/EAP Vulnerabilities
First introduced in WPA, the 802.1X framework has the potential to greatly improve the
authentication capabilities of 802.11 wireless networks. Ironically, the authentication protocol
specified by 802.1X is vulnerable to attack primarily due to its inability to authenticate its own
messages. Because of this flaw, EAP messages may be forged in a man-in-the-middle scenario,
potentially allowing an attacker to bypass an authentication mechanism or to hijack an 802.11
session. [20]

4.3 WEP Vulnerabilities
4.3.1 General
Numerous reports and articles [6,7,8,9,10,11] have been published about the security
vulnerabilities of the implementation of WEP. These reports focus on the minimal security
offered by the WEP protocol, in particular, the following weaknesses:
a. High probability of key re-use due to the short IV (On a busy network, IV re-use occurs
often enough that the hacker may obtain the key in minutes to hours);
b. Weak message authentication due to the short key length used; and
c. Lack of a key management specification.

4.3.2 Keystream Re-use
Based on the use of a relatively short 24-bit IV, it is highly likely that over a short period of time
on an active wireless network, the IV will be re-used. This could facilitate an attack on the
system to recover the plaintext [7]. This vulnerability exists regardless whether 64-bit or 128-bit
WEP is used.

4.3.3 Message Integrity
The CRC-32 checksum is used to ensure the integrity of the packets during transmission. It is
possible for controlled changes to be made to ciphertext without changing the checksum
appended to the message and to inject messages without detection [9].

4.3.4 Key Management
The distributed shared key is the weakest aspect of the system. By using static shared keys,
distributed among all the clients as “passwords,” the number of users aware of these keys will
grow as the network expands. This creates the following problems:
a. Shared key among many people does not stay secret for long;
b. The manual distribution of shared key can be time consuming, especially in a large
environment with many users. Quite often, this results in key not being changed as
frequently as required; and

May 2009 26

UNCLASSIFIED


c. The frequency of IV re-use increases as the network size expands, which makes it more
vulnerable to attack.

4.4 WPA/WPA2 Vulnerabilities
4.4.1 General
WPA and WPA2 have introduced measures designed to address the major vulnerabilities of
WEP, however a few new vulnerabilities were introduced and some vulnerabilities remain,
particularly in WPA because of the requirement for backwards compatibility, and low compute
requirements.

4.4.2 Key Management
Although 802.1X authentication support was made mandatory in WPA/WPA2, its use requires
an external authentication server and so the user is given an option to use a simple pre-shared
key mechanism like WEP. Unfortunately, as with WEP, the pre-shared key authentication
mechanism for both WPA and WPA2 is vulnerable to key management issues: it is virtually
impossible to keep a single shared key secret among a large community, and re-keying and
distributing new keys for a large community is likewise difficult.

4.4.3 4-Way Handshake and Weak Passphrase Vulnerability
The Pre-Shared Key mechanism allows the use of security features in WPA/WPA2 in situations
where the additional 802.1X infrastructure is not available. As with the shared key in WEP, all
users share a common “secret key”. Although the Pre-Shared Key is used as the Pairwise Master
Key (PMK) in WPA/WPA2, unlike WEP, the WPA shared key is not used directly as an
encryption key, but is instead combined with other session-specific information exchanged
during the 4-Way Handshake, to generate a Pairwise Transient Key (PTK), which is in turn used
to generate dynamic encryption and message integrity keys.
Although the short key and IV re-use issue has been resolved by this mechanism, a pre-shared
key in WPA/WPA2 is now vulnerable to dictionary attacks. By capturing the 4-Way
Handshake authentication exchange and using this information along with a dictionary file it is
possible to successfully guess the session keys if the Pre-Shared Key is one of the words in the
dictionary; if the shared key is short or very simple, it may even be found through a brute-force
search. A successful dictionary attack can lead to two scenarios: recovered session keys can be
used to eavesdrop on or disrupt an ongoing session, or the recovered PSK can be used to initiate
a new session and allow unauthorized use of the network resources. If this mechanism must be
used, it is imperative that a long, non-dictionary passphrase be used to secure the access point.

Vulnerabilities May 2009 27

UNCLASSIFIED


4.4.4 WPA MIC Spoofing Countermeasure
As described earlier in this document, the Michael MIC algorithm in WPA was chosen for a
balance between data integrity, security and reduced processing requirements in order to be
supported on existing wireless LAN hardware. Although an improvement over the original
CRC32 used in WEP, the Michael algorithm is invertible and its key discoverable and therefore
vulnerable to spoofing attacks. To address this vulnerability, designers of the WPA standard
implemented a spoofing countermeasure, which terminates the wireless connection for one
minute if more than two bad MICs are received in any one minute period. Unfortunately, this
countermeasure is in itself a vulnerability because it may be used as a doorway to Denial-of-
Service attacks (by deliberately injecting packets with bad MICs), and in noisy RF
environments, where packet errors are common, this countermeasure can inadvertently trigger
and negatively affect the robustness of the wireless network.

4.5 Configuration Defaults
In order to simplify the initial configuration process, many vendors provide a factory default
configuration that provides very little security. For example, some vendor’s factory defaults
permit configuration of the AP from the wireless segment, do not implement any security, and
use documented default system settings such as IP addresses, administrator password, and SSID.
Many APs also have an easily accessible reset button that will reset the device’s configuration
back to these same insecure factory default settings, requiring a degree of physical
security/access control to prevent.
Recently, APs have been introduced which do enable security settings, but for simplicity and
ease of configuration, many will only use WEP with only a 40-bit key, even though stronger
mechanisms may actually be supported by the device.

4.6 Simple Network Management Protocol (SNMP)
Many 802.11 APs support management of the wireless device via SNMP. Often, this feature
permits someone to view system and configuration information, and in some cases, allows the
capability to update this information. Access to this information is normally restricted by the
use of a community string, which is not a password, but simply an identifier given to the SNMP
network. Further, this string is usually a well-known value, obtainable by a simple Internet
search, or easily guessable (e.g.: “GovernmentofCanada”, “DND”, “DFAIT”).

May 2009 28

UNCLASSIFIED


5 Exploits
5.1 Network Discovery and Access Attacks
5.1.1 General
War driving is a term derived from war dialing. War dialing, a technique employed by hackers
for many years, is the use of software to automatically and systematically dial telephone numbers
to discover vulnerable modems through which a hacker can connect and hack into a network.
War driving exploits the same kind of vulnerability as with war dialing. A war driving attacker
drives around with a portable wireless client looking for unprotected entry points into a wireless
network. War driving has become a sport among the hacking community who regularly update
Internet-accessible (e.g. www.wigle.net) maps of wireless access points for communities around
the world. In most cases, war driving is about the challenge of discovering a new access point
before any other hacker, and illicit access to networks is not performed, however many
commercial and free hacker tools which exploit the vulnerabilities described in this document,
are available for all 802.11-based wireless networks and can be used by less ethical individuals
for network penetration.

5.1.2 Network Discovery
Network discovery tools or network auditing tools are software developed to help network
administrators manage and trouble shoot network problems. Most network auditing tools used
by network administrators are quite sophisticated and expensive, making them unpopular for war
driving use. However, various free discovery software packages are publicly available and very
simple to use [13] to scan for networks and logs detailed information, including SSID, AP MAC
address, vendor information, signal-to-noise ratio, and whether security features are enabled. A
war driver equipped with a network discovery package, an 802.11-enabled notebook, and a
Global Positioning System (GPS) receiver, can log the exact latitude and longitude of the APs in
addition to the information mentioned above.

5.1.3 Network Access via Wireless Router
Most APs sold today also have a router built in, often with Dynamic Host Configuration Protocol
(DHCP) services enabled. These wireless routers are particularly vulnerable to bandwidth
hijacking attacks. When a wireless router is discovered, an attacker simply requests an IP from
the DHCP server, or restarts his network connection and has an IP automatically assigned. If
security features are not enabled, the attacker will have complete access to the target network.

Exploits September 2008 29

UNCLASSIFIED


5.2 Denial of Service (DoS) Attacks
5.2.1 General
A DoS attack is one of the most easily and widely carried out attacks against computer networks.
This type of attack usually entails taking over or overloading network resources, denying
normal operation of the target network.

5.2.2 AP Takeover
Many APs utilize SNMP or a web-based interface for configuration and management. If the
community/administration password is improperly configured or left in default setting, an
intruder can obtain sensitive configuration information from the AP. It may be possible for the
intruder to rewrite information to the AP and effectively take ownership of the AP, denying
legitimate clients access to the network.

5.2.3 AP Cloning
AP cloning is sometimes referred to as the “Evil Twin” attack. An attacker physically deploys a
malicious AP or a laptop equipped with a wireless card and appropriate software and broadcasts
the same SSID, but with a higher RF signal strength than the target AP, causing the wireless
clients to associate themselves to this rogue AP. Most client cards will, by default, switch over
to the more powerful AP to ensure connectivity. Typically, the clients will automatically
authenticate with the new AP, thus providing the attacker with a set of valid credentials which
can then be used to connect with the real AP. The attacker who controls the malicious AP also
has the opportunity to exploit any security weakness that may be present on the clients devices
falsely associated with the rogue base station. AP cloning is more difficult than simply denying
clients access to a base station because it requires the physical deployment of a modified AP or
laptop and wireless card that has a more powerful output or is located physically closer than the
original AP.

5.2.4 RF Jamming
An RF jamming attack is not the same type of attack as overloading of network resources.
Instead of creating spurious data to overwhelm the processing capability of network devices, RF
jamming overwhelms the medium used for transmission, in this case, radio waves. An attacker
with very simple tools can easily flood the medium for the network (in the case of 802.11b/g/n,
the 2.4GHz radio frequency band) with noise. RF jamming is very effective because it works
against all WLAN security safeguards. When noise is injected at the WLAN operating
frequency, signal-to-noise ratio drops below acceptable level and the network simply ceases to
function.

May 2009 30

802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (16)

Semelhante a 802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)

Semelhante a 802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A) (20)

802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)