WIRELESS SECURITY

The Wireless Security Three-Ring Circus.

by Rik Farrow

If you're involved in networking, you've probably had a front-row seat at the three-ring circus called wireless security. You likely know more than you ever wanted to about the problems surrounding wireless access points (APs).

In one ring, there's WEP (Wired Equivalent Privacy), part of the initial IEEE standard for wireless. WEP is a scheme that includes encryption and integrity checking, and was supposed to make wireless networks as safe to use as wired ones. But WEP was based on a flawed design (more on this later).

Now, the IEEE 802.11 standards committee is at work again, seeking to do things right the second time around. The draft standard, 802.11i, scheduled for a vote later this year, corrects the known problems with WEP. An interim solution, WPA (Wi-Fi Protected Access), has been agreed upon by wireless hardware vendors, so they can continue shipping existing products, although older products won't support the new standard.

You can take in more of the carnival atmosphere surrounding wireless security by searching the Web for hot spots (APs that allow open access to the Internet). Or, you could look around for war driving maps, and find organizations that probably don't even know they're providing open access to their networks. Ironically, if they'd only bothered using the much maligned WEP, they'd have been better off.

Clowns and Acrobats

Every circus has its clowns, and wireless security is no exception. Enter the war drivers--fearless people who actually more closely resemble the court jesters of old, in that they're more than willing to point out that there's something very wrong with the current state of affairs. In this case, that means drawing attention to problems with the way many organizations have set up wireless networks.

The Third WorldWide WarDrive, an event that ended on July 5, 2003, in which security professionals and other interested parties attempt to find and gather statistics on APs, showed that less than 30% of all wireless APs are using WEP, the current standard for wireless protection.

While WEP received a black eye as a failed technology, it's not totally useless. A wireless AP without WEP usually means not only a free Internet connection, but a connection to a network on the inside of the firewall. WEP raises the bar from the current situation, in which would-be intruders can simply find an open network using one of the many free or commercial wireless sniffing tools. Now, they must actually perform some cryptanalysis before being able to transmit any traffic over that network, or decrypt sniffed traffic. While there are also free tools for performing that cryptanalysis (such as Airsnort), using them requires time and energy. Using an open wireless network requires nothing more than a laptop with wireless support. WEP keys entered directly as hexadecimal will take longer to crack than keys generated from passwords. The bottom line is that WEP works well enough for most small/home offices that it is a viable option.

There are other techniques you can use to keep your APs from appearing on a war driving map. One simple one is to set the beacon broadcast interval to its maximum value of 67 seconds, which might be long enough for a war driver to pass right by your building. Also, war driving software sends out probe requests, and you can thwart these attempts by disabling probe responses in your APs.

Another key to protecting your network lies in the service set identifier (SSID), which is sent in every wireless transmission but never encrypted. Set your SSID to a value that won't make your organization more easily identifiable to outsiders. Although it's a fairly common practice, leaving your SSID at its default value (for example, tsunami for Cisco Aironet products) is asking for trouble.

WEP On the Highwire

Over time, the weaknesses of WEP have become more apparent, and wireless vendors have added new features to control access. Now, you can configure many APs to limit access to a known list of MAC addresses. Every networking device has a hardcoded MAC (Media Access Control) address, but most of them can be changed via software control. This technique--called MAC filtering--can stop the clueless from gaining access to your AP, but not the determined. All the mildly determined need to do is set their wireless card's MAC address to one they have sniffed (once it is no longer active).

More effective approaches require the use of authentication. APs can be configured to work with RADIUS (Remote Authentication Dial-In User Service) and force any wireless station requesting access to authenticate via the RADIUS server. This requires a database of usernames and passwords (or other, stronger forms of authentication), but you can use open-source RADIUS servers, or those included with Microsoft's Active Directory.

These methods can be combined so that a would-be intruder would have to use a device with a known MAC address, authenticate via RADIUS, and know the shared key used by WEP before he or she could take advantage of your wireless network. This involves more work than just setting up an AP, but it'll help you keep out most unwanted visitors.

But in addition to its previously described problems, WEP also failed as a cryptographic protocol. For example, many vendors chose to use the same algorithm for generating the 40- or 104-bit keys used by WEP from passwords. At the BlackHat conference in 2001, Tim Newsham demonstrated how to crack these keys in roughly two minutes or less by exploiting weaknesses in the algorithm used to generate them.

The most widely publicized weaknesses of WEP involve the use of a fixed, shared secret key; a short initialization vector (IV); and the integrity check value (ICV). WEP uses the RC4 encryption algorithm, which requires the use of a different key with each frame (think packet) sent. WEP creates a "new" key each time by prepending the IV to the secret key, but since the IV is only 24 bits long, it will be repeated after 2^24 packets (over 16 million), and often sooner. Most APs start the IV at 1 and increment it by 1, and they'll also reset the IV to 1 if a wireless station is temporarily disassociated from the AP. As a result, IVs can be repeated quite often, which means the same key gets used with RC4 much too often.
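A toy model of the per-frame keying just described, added here as an example rather than code from the article: RC4 keyed with the 24-bit IV prepended to a fixed 40-bit shared secret, a check that XORing two frames sent under the same IV cancels the keystream, and a monitoring routine that flags IV reuse in captured frames. It is simplified: the real WEP frame also carries a key-ID byte and the ICV, which are left out, and the key, IVs and plaintexts below are constructed.

```python
# Added example, not from the article: a toy model of WEP's per-frame keying to show
# why a 24-bit IV that repeats lets an observer cancel the RC4 keystream, plus a
# defender-side check that flags IV reuse in captured frames. Simplified: the real
# WEP frame also carries a key-ID byte and an ICV, which are omitted here.
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IV values before a counter wraps


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation), returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: int, secret_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: 3-byte IV sent in the clear, then plaintext XOR RC4(IV || secret key).
    The per-frame RC4 key is just the IV prepended to the fixed shared secret."""
    iv_bytes = iv.to_bytes(3, "big")
    keystream = rc4_keystream(iv_bytes + secret_key, len(plaintext))
    return iv_bytes + xor_bytes(plaintext, keystream)


def wep_decrypt(frame: bytes, secret_key: bytes) -> bytes:
    """Receiver side: rebuild the same per-frame key from the cleartext IV."""
    iv_bytes, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv_bytes + secret_key, len(body)))


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes):
    """If two frames were sent under the same IV (and hence the same RC4 key), the
    keystream is identical, so XORing the two ciphertexts cancels it and yields
    plaintext1 XOR plaintext2 without any knowledge of the secret key.
    Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def find_iv_reuse(frames) -> dict:
    """Monitoring check: map each IV that appears more than once to its count."""
    counts = Counter(f[:3] for f in frames)
    return {int.from_bytes(iv, "big"): n for iv, n in counts.items() if n > 1}


def next_iv(iv: int) -> int:
    """The common 'start at 1 and add 1' scheme wraps after 2^24 frames."""
    return (iv + 1) % IV_SPACE


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")  # constructed 40-bit shared secret
    p1 = b"GET / HTTP/1.0\r\n"         # constructed plaintexts
    p2 = b"HELLO WORLD!!!!!"
    f1 = wep_encrypt(1, key, p1)
    f2 = wep_encrypt(1, key, p2)       # same IV reused: same keystream
    print(find_iv_reuse([f1, f2]))     # {1: 2}
    print(plaintext_xor_from_iv_reuse(f1, f2) == xor_bytes(p1, p2))  # True
```

The point of `find_iv_reuse` is that a passive monitor on your own network can measure how often your APs and stations actually repeat IVs, which is a direct reading of how exposed the fixed WEP key is.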

WEP's ICV also turned out to have exploitable flaws. A hacker could flip bits in the encrypted data and calculate the correct bits to flip in the ICV, since it was just a simple checksum. This might seem an ineffectual attack, but if the flipped bits were part of the destination address of the packet, they could redirect the packet to an attacker who would receive the unencrypted version (since the AP decrypts the packet before copying it to the wired network).

WPA, A Great Improvement

WiFi Protected Access (WPA) was designed to correct these flaws, and has additional security features. WPA version 1 allows you to continue using your current hardware, with software and firmware updates, to achieve many of the benefits of WPA.

IEEE 802.11i, on the other hand, will require hardware upgrades because of its use of the Advanced Encryption Standard (AES). Encryption is compute intensive, and the new standard requires AES because it's required by the U.S. government. In addition, older APs and wireless cards won't be able to encrypt data with AES. The firmware in some wireless cards is designed to be upgradeable, but not all. AES is actually a more efficient algorithm than what is used in WEP, so the newer WPA is not only more secure, but works faster as well.

WPA first requires 802.1x authentication and key exchange. The 802.1x implementation in WPA uses EAP (Extensible Authentication Protocol), which works well with the types of RADIUS servers mentioned earlier. But instead of simply allowing authentication, as earlier WEP implementations did, WPA makes it a requirement. WPA can still be used with a shared secret key, but this weakens WPA's security.

After 802.1x authentication and key exchange, WPA uses TKIP (Temporal Key Integrity Protocol). TKIP changes both the paired key (the key used between an AP and a single wireless station, which is replaced after some amount of data has been exchanged) and the global key (or group key, in Cisco's terminology). The group key is used for broadcast and multicast messages.

In addition to incorporating the use of TKIP, WPA also provides for a longer IV. Some of the additional bits in the IV can be used as a packet counter, preventing replay attacks.

Finally, for stronger protection against integrity attacks, a MIC (message integrity code, also called Michael) has been created. The new MIC is placed before the old ICV, and is a true cryptographic integrity code instead of a communications engineer's checksum. Both the MIC and the old ICV are still included in the encrypted part of the frame.
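To make concrete the difference between the checksum-style ICV discussed above under WEP and a cryptographic integrity code, here is an added example (not code from the article or from any 802.11 implementation). It shows the property that makes a CRC-32 ICV unfit for the job, namely that the change it undergoes when payload bits change is predictable without any secret, and contrasts that with a keyed code that cannot be adjusted without the key. HMAC-SHA256 is used as the stand-in keyed code; it is not Michael, which is a different construction, and the key and frame bytes are constructed.

```python
# Added example, not from the article: why WEP's CRC-32 ICV cannot detect deliberate
# changes while a keyed integrity code can. HMAC-SHA256 stands in for a keyed code;
# it is not Michael, the MIC that WPA actually uses.
import hashlib
import hmac
import zlib


def icv(data: bytes) -> int:
    """WEP-style integrity check value: an unkeyed CRC-32 over the frame body."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_is_linear(data: bytes, delta: bytes) -> bool:
    """CRC-32 is linear under XOR: crc(data ^ delta) == crc(data) ^ crc(delta) ^ crc(zeros),
    where zeros has the same length. Because nothing secret enters the computation,
    the effect of any change to the payload on the ICV is predictable by anyone,
    which is the property the bit-flipping problem described above rests on."""
    if len(data) != len(delta):
        raise ValueError("delta must cover the same bytes as data")
    modified = bytes(a ^ b for a, b in zip(data, delta))
    predicted = icv(data) ^ icv(delta) ^ icv(bytes(len(data)))
    return icv(modified) == predicted


def keyed_mic(key: bytes, data: bytes) -> bytes:
    """Keyed message integrity code (HMAC-SHA256 as the stand-in for Michael)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mic(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so that verification itself leaks nothing through timing."""
    return hmac.compare_digest(keyed_mic(key, data), tag)


def flip_bits(data: bytes, offset: int, mask: int) -> bytes:
    """Return data with the bits in `mask` flipped at byte `offset` (models a tampered frame)."""
    out = bytearray(data)
    out[offset] ^= mask
    return bytes(out)


if __name__ == "__main__":
    frame = b"dst=192.168.1.20 payload"   # constructed frame body
    key = b"constructed-mic-key"          # constructed per-session key
    tampered = flip_bits(frame, 13, 0x01)  # changes one bit of the address field
    delta = bytes(a ^ b for a, b in zip(frame, tampered))
    print("CRC-32 change is predictable:", crc32_is_linear(frame, delta))   # True
    tag = keyed_mic(key, frame)
    print("keyed MIC still verifies tampered frame:", verify_mic(key, tampered, tag))  # False
```

A receiver that checks only the ICV accepts any change whose ICV adjustment was computed with the formula in `crc32_is_linear`; a receiver that checks a keyed MIC rejects the same change, because producing a matching tag for the altered bytes requires the key.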

But it turns out the MIC has troubles of its own. In revisions of the draft of 802.11i, errors in integrity detected by MIC indicate that an AP or one of its stations was under attack. If two errors appear within a 60 second period, all wireless stations are disassociated (cut off) for a 60 second period, just to make the attacker's attempts more difficult.

Not only do errors in the MIC make life difficult for an attacker, they can also wind up making life difficult for anyone using a WPA-protected wireless network. It should be possible to inject spoofed packets with incorrect MICs at a rate of just two every minute and make an AP unusable.
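The two paragraphs above describe a countermeasure and the way it backfires. The following simulation, added here as an example and not taken from the draft standard or from any vendor's code, models the rule exactly as stated (two MIC failures inside 60 seconds disassociate every station for 60 seconds) and steps through two constructed scenarios: an occasional corrupted frame, and a steady two bad frames per minute. The rekeying that the real countermeasure also performs is left out, and the 60-second constants come straight from the text.

```python
# Added example, not from the article: a simulation of the draft 802.11i MIC
# countermeasure as described above (two MIC failures within 60 s cut off all
# stations for 60 s), showing how a trickle of bad frames turns it into a DoS.
# The rekeying the real countermeasure also performs is left out.
WINDOW = 60.0    # seconds within which a second MIC failure triggers countermeasures
LOCKOUT = 60.0   # seconds all stations stay disassociated once triggered


class MicCountermeasures:
    def __init__(self):
        self.failure_times = []   # MIC failures inside the current window
        self.locked_until = 0.0
        self.lockouts = 0

    def on_mic_failure(self, t: float) -> bool:
        """Record a MIC failure at time t; return True if it triggers a lockout."""
        self.failure_times = [f for f in self.failure_times if t - f < WINDOW]
        self.failure_times.append(t)
        if len(self.failure_times) >= 2:
            self.locked_until = t + LOCKOUT
            self.lockouts += 1
            self.failure_times.clear()
            return True
        return False

    def stations_associated(self, t: float) -> bool:
        """Stations can use the AP only when no lockout is in force."""
        return t >= self.locked_until


def simulate(failure_times, duration: int):
    """Step through `duration` seconds, feeding MIC failures at the given times.
    Returns (seconds during which stations are cut off, number of lockouts)."""
    cm = MicCountermeasures()
    pending = sorted(failure_times)
    blocked = 0
    for t in range(duration):
        while pending and pending[0] <= t:
            cm.on_mic_failure(pending.pop(0))
        if not cm.stations_associated(t):
            blocked += 1
    return blocked, cm.lockouts


if __name__ == "__main__":
    # Constructed scenario 1: two isolated corrupted frames in ten minutes.
    print(simulate([100, 400], 600))             # (0, 0): never triggers
    # Constructed scenario 2: one bad-MIC frame every 30 s, i.e. two per minute.
    print(simulate(range(0, 600, 30), 600))      # (570, 10): cut off 95% of the time
```

With failures every 30 seconds, each lockout expires just as the next pair of failures arrives, so after the first half minute the stations never get their association back. That is the failure mode the text points to: a rate limit meant to slow an attacker is itself the cheapest lever for shutting the AP down.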

Disappearing Acts

Denial of service (DoS) is not a new feature of wireless networks. Besides the annoyances that come from 802.11 sharing its frequencies with other devices such as cell phones and microwave ovens, the 802.11 standard includes two mechanisms for DoS. Both appear in the unencrypted frame, and are sent as flags. The first flag tells the receiver to disassociate the session between the wireless station and the AP. The second can be used to put a wireless station in power saving mode, presumably because there is currently no traffic.
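Because these management frames are unauthenticated, the practical defence is to notice when they are being abused. The following detector is an added example, not code from the article: it reads a constructed monitor log of captured frames (the line format, addresses, timestamps and channel numbers are all made up for the example) and flags any source address that emits a burst of disassociate frames within a short window, reporting how many channels the burst covered and whether it was addressed to broadcast, which is what a wholesale cutoff of a room looks like from a sensor.

```python
# Added example, not from the article: flag bursts of disassociate frames in a
# constructed monitor log. A legitimate AP disassociates one station now and then;
# a burst of broadcast disassociates across many channels from one address is not normal.
import re
from collections import defaultdict

# Constructed sample log: one line per captured frame. Not real traffic.
SAMPLE_LOG = """\
1000.00 beacon src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=6
1000.10 data src=aa:bb:cc:dd:ee:01 dst=00:11:22:33:44:55 ch=6
1000.50 disassoc src=00:11:22:33:44:55 dst=aa:bb:cc:dd:ee:01 ch=6
1001.00 beacon src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=6
1010.00 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=1
1010.05 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=2
1010.10 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=3
1010.15 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=4
1010.20 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=5
1010.25 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=6
1010.30 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=7
1010.35 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=8
1010.40 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=9
1010.45 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=10
1010.50 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff ch=11
1011.00 data src=aa:bb:cc:dd:ee:02 dst=00:11:22:33:44:55 ch=6
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<type>\w+) src=(?P<src>[0-9a-f:]{17}) "
    r"dst=(?P<dst>[0-9a-f:]{17}) ch=(?P<ch>\d+)$")

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_log(text: str):
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({"t": float(m["t"]), "type": m["type"], "src": m["src"],
                        "dst": m["dst"], "ch": int(m["ch"])})
    return records


def find_disassoc_floods(records, window: float = 5.0, threshold: int = 8):
    """Per source address, slide a `window`-second window over its disassociate
    frames and report any burst of at least `threshold` frames."""
    by_src = defaultdict(list)
    for r in records:
        if r["type"] == "disassoc":
            by_src[r["src"]].append(r)
    alerts = []
    for src, frames in by_src.items():
        frames.sort(key=lambda r: r["t"])
        i = 0
        while i < len(frames):
            j = i
            while j < len(frames) and frames[j]["t"] - frames[i]["t"] <= window:
                j += 1
            if j - i >= threshold:
                burst = frames[i:j]
                alerts.append({
                    "src": src,
                    "start": frames[i]["t"],
                    "count": j - i,
                    "channels": sorted({r["ch"] for r in burst}),
                    "broadcast": any(r["dst"] == BROADCAST for r in burst),
                })
                i = j          # do not re-report the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_disassoc_floods(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single disassociate at 1000.50 is left alone, since an AP dropping one idle station is routine; the eleven broadcast disassociates that sweep channels 1 through 11 in half a second produce one alert. Thresholds are deliberately parameters, because what counts as a burst depends on how many stations and APs share the air at your site.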

While these features may sound harmless, I've seen their impact demonstrated at security conferences. At the recent USENIX (www.usenix.org) conference, William Arbaugh of the University of Maryland used a simple tool to send disassociate messages to all 14 channels used by APs during a presentation, deftly knocking down most of the wireless connections in a large ballroom at the event. I also saw this done by Mike Schiffman, author of several books on security, including Hacker's Challenge 2, at Black Hat 2002 in Las Vegas, while he was demonstrating library routines for creating arbitrary wireless frames.

Trouble under the Bigtop

WPA appears to solve most of WEP's problems, with two exceptions. The first problem is DoS, which will always be an issue for wireless communications (although disassociation may eventually become a big enough issue that we might see 802.11j).

The other problem, which is exacerbated by WPA, is complexity. War driving has proven that most organizations aren't currently using WEP. Many organizations advertise their presence on the ether as well, through poorly chosen SSIDs. But if users haven't implemented WEP, there's little hope that they'll embrace WPA, which is more complex and requires (at minimum) the addition of a RADIUS authentication server, setup of user accounts, and configuration of every AP and wireless station that will be using WPA.

Given wireless users' lousy security track record, the efforts the IEEE has put into migration from WEP to WPA may be ignored by most users. You can use both WEP and WPA in the same SSID and/or AP (see Resources), although this dilutes some of WPA's strengths. The real question is whether many users will actually take the time to sit down, read the documentation, and change the configurations on all their APs and wireless devices. If not, the wireless three-ring circus is likely to get even more new acts in the future.

Resources

To access William Arbaugh's Web site, which has lots of good links about wireless security, go to:
www.cs.umd.edu/~waa/wireless.html

For more information on the Third WorldWide WarDrive, go to: www.worldwidewardrive.org

Microsoft Knowledge Base article about updated support for WPA: http://support.microsoft.com/?kbid=815485

Cisco Web page about authentication methods for the company's APs: www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12211ja/i12211sc/s11auth.htm