WLANs faces threats similar to LANs and new security threats also which includes
- War drivers – Person drives around, trying to find APs that have no or weak security.
- Hackers – They find information or deny services and the wireless network makes easy access.
- Defaults – An new AP is being used with its defaults thus, easy to hack.
Tools used to increase security are
- Authentication – Authentication with mutual secret password.
- Encryption – Using encryption to scramble the contents of transmitted data.
- Intrusion Tools – They detect and identify rogue APs and include IDS and IPS
The initial security standard for WLANs was called Wired Equivalent Privacy (WEP) but had various problems like
- Static Pre-shared keys (PSK) – Keys used were manually configured and were static.
- Low key values – Keys were usually 64 bit and were easier to predict from frames.
But, SSID cloaking and MAC filtering helped in adding security. SSID cloaking involves steps as
- The AP sends a periodic Beacon frame (default is every 100 ms) that lists the AP’s SSID and other configuration information.
- The client listens for Beacons on all channels, learning about all APs in range.
- The client associates with the AP with the strongest signal (the default), or with the AP with the strongest signal for the currently preferred SSID.
- The authentication process occurs as soon as the client has associated with the AP.
The client learn about AP and its SSIDs via the beacon which helps in roaming and associate with new AP as needed. AP are configured with list of allowed WLAN MAC addresses and to filter rest but, it is circumvented by changing the MAC address as that of legitimate MAC address. Improved security standard called WPA and later WPA2 (also called IEEE 802.11i ) were also introduced which dynamic key exchange, preshared keys (PSK), and AES encryption. All security standards are compared as
Feature | WEP | WPA | WPA2 |
Key Distribution | Static | Static and Dynamic | Static and Dynamic |
Device Authentication | Weak | Strong | Strong |
User Authentication | No | 802.1x | 802.1x |
Encryption | Weak | TKIP | AES |
WLAN Attacks
The most common types of attack are as follows.
- Probing and discovery tools – A host of tools have emerged that take advantage of the fact that 802.11 infrastructures rely on network broadcasts to communicate with wireless clients. With these probing and discovery tools, unscrupulous individuals can easily locate, and take advantage of, wireless networks that lack strong security safeguards. One of the most common of these tools is Netstumbler, a Windows-based program that uses active scanning to detect low security access points. Once the access point is detected a number of exploits can be mounted against the network.
- MAC identity spoof attacks – In an 802.11 WLAN, MAC addresses are openly broadcasted over the air. The security implication is that potential attackers can sniff the air looking for valid MAC addresses associated with authorized WLAN users, access points and even wired infrastructure components, such as switches and routers. Once detected, programs exist to spoof these addresses, whereby intruders can masquerade as a valid WLAN client or access point. Naturally, this can compromise a WLAN if MAC authentication is the only security scheme employed.
- Denial of service attacks – Because WLANs broadcast over the unlicensed ISM & U-NII public bands with a limited number of available channels, RF interference is a common problem. As interference increases, signal quality and network availability decreases. Malicious individuals can use this to their advantage, debilitating WLAN performance. Common ways of doing this include RF frequency jamming and exploits such as Airjack and void11, which flood the WLAN.
- Man in the middle attacks – A man in the middle attack results from the interception and possible modification of traffic passing between two communicating parties, such as a wireless client and AP. Man in the middle attacks succeed if the systems can’t distinguish communications with an intended recipient from those with the intervening attacker.
- Static WEP cracking programs – Soon after it was first introduced, the Wired Equivalency Protocol (WEP) was broken due to the fact that WEP uses static keys which can be easily cracked. While these deficiencies were soon corrected with the WiFi Protected Access (WPA) protocol and 802.11i (WPA2), both of which leverage dynamic keys, many WLANs continue to use WEP-based security. As a result, they are still vulnerable to WEP cracking programs.
- Rogue access point attack programs – A number of “rogue access point attack programs” exist which allow attackers to perform a number of stealth attacks by posing as host access points on a WLAN network.
- Misconfigured clients – Due to the nature of the 802.11 specification enterprise WLANs are vulnerable to security risks when new hosts or clients enter the network and when ad-hoc networking is allowed. A wired host with an enabled WLAN adapter, for example, could unwittingly connect to an unknown WLAN. An attacker would then be able to compromise the host machine via the open WLAN adapter through routing features on Linux and Windows and mount an attack against the wired connection. Similarly, the overflow of RF signals means that accidental connections can occur with neighbouring WLANs, which can compromise the security of trusted networks.