Overview of WLAN Security (Introducing 802.1x and Configuring Encryption and Authentication on Lightweight Access Points)

Affordability, ease of use, and convenience of wireless devices, wireless local-area networks (WLAN), and related technologies have caused a substantial increase in their usage over recent years. At the same time, the number of reported attacks on wireless devices and networks has surged. Hackers have access to affordable wireless devices, wireless sniffers, and other tools. Unfortunately, the default wireless security settings are usually open and vulnerable to intrusion and attacks. For example, if encryption is not enabled, sensitive and private information sent over a wireless LAN can easily be sniffed (captured). One of the common methods that hackers use is called war driving. War driving refers to the process whereby someone drives around with a laptop equipped with a wireless network interface card (NIC), looking for vulnerable wireless devices and networks. Best practices require that authentication and encryption be used to protect wireless client data from security and privacy breaches. User authentication allows the network devices to check and ensure legitimacy of a user and protect the network from unauthorized users trying to gain access to the network and all the confidential data/files. Encryption is used so that, if someone captures data during transit through sniffing, for example, he cannot read it. The illegitimate capturer of data needs to know the key and the algorithm used to encrypt the data to decrypt it.

WLAN Security Issues

The main security problem with wireless LANs is and has been that the available security features are not enabled and used. However, for those who have been interested and keen to secure their wireless networks, the available features have not always been as sophisticated as they are today.


Service Set Identifier (SSID) is the method for naming a wireless network. The SSID configuration of a client must match the SSID of the wireless access point (AP) for the client to communicate with that AP. However, if the client has a null SSID, it can request and acquire the SSID from the AP. Unless the AP is configured not to broadcast its SSID, the AP responds to the wireless client request and supplies the SSID to the client; the client can then associate to that AP and access the wireless network. Some people mistakenly think that if the AP is configured not to broadcast its SSID, they have a secure wireless LAN; that is not true. When a legitimate wireless client with the correct SSID attempts to associate with its AP, the SSID is exchanged over the air unencrypted; that means that an illegitimate user can easily capture and use the SSID. The conclusion is that SSID should not be considered a wireless security tool. SSID is used to logically segment wireless clients and APs into groups.

Rogue APs pose a threat to wireless LANs. A rogue AP is illegitimate; it has been installed without authorization. If an attacker installs a rogue AP and clients associate with it, he can easily collect sensitive information such as keys, usernames, passwords, and MAC addresses. Unless the client has a way of authenticating the AP, a wireless LAN should have a method to detect rogue APs so that they can be removed. Furthermore, attackers sometimes install rogue APs intending to interfere with normal operations and effectively launch denial of service (DoS) attacks.

Some wireless LANs use MAC filters. Using MAC filters, the wireless LAN checks the wireless MAC address of a client against a list of legitimate MAC addresses before granting the client access to the network. Unfortunately, MAC addresses can be easily spoofed, rendering this technique a weak security feature.

The 802.11 Wired Equivalent Privacy (WEP), or basic 802.11 security, was designed as one of the first real wireless security features. WEP has several weaknesses; therefore, it is not recommended for use unless it is the only option available. For example, with enough data captured, hacking software can deduce the WEP key. Because of this weakness, using an initialization vector (IV) with WEP became common. The initialization vector is sent to the client, and the client uses it to change the WEP key, for example, after every packet sent. However, because the IV has a fixed size, after a certain amount of data is sent, the cycle begins with the initial key again. Because the IV is sent to the client in clear text and the keys are reused after each cycle, with enough data captured, the hacker can deduce the WEP key. WEP has two other weaknesses. First, it is vulnerable to dictionary attacks because, using dictionary words, hackers keep trying different WEP keys and might succeed in guessing the correct WEP key. Second, using WEP, the wireless client does not authenticate the AP; therefore, rogue APs can victimize the client.
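The size of the IV space decides how quickly the "cycle begins again" described above. The following added example (not code from the original page or from any vendor) quantifies that for the 24-bit WEP IV and, for comparison, the 48-bit IV space that WPA later adopted, and includes a small monitor that flags IV reuse in a sequence of captured frames, which is the condition a defender wants to detect. The station names, the capture, and the behaviour of a station that restarts its IV counter at zero are constructed for the illustration.

```python
import math

# IV sizes named in the text: 24-bit IV in 802.11 WEP, 48-bit IV space in WPA/TKIP.
WEP_IV_BITS = 24
WPA_IV_BITS = 48


def iv_reuse_probability(iv_bits: int, frames: int) -> float:
    """Exact probability that at least one IV repeats when `frames` frames each
    pick an IV uniformly at random from 2**iv_bits values (birthday problem).
    Evaluated in log space to avoid underflow; intended for frame counts well
    below the IV space, since it loops once per frame."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0  # pigeonhole: more frames than distinct IV values
    log_no_repeat = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_repeat)


def frames_until_reuse_probability(iv_bits: int, p: float = 0.5) -> int:
    """Approximate frame count at which random IVs repeat with probability p,
    using the standard birthday-bound estimate n ~ sqrt(2 * N * ln(1/(1-p)))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def find_iv_reuse(frames):
    """Scan (station, iv) pairs in capture order and report every IV seen more
    than once. Under WEP all stations share one key, so a repeated IV from any
    station means the same RC4 keystream was used twice. Returns tuples of
    (station that reused the IV, iv, index of first use, index of repeat)."""
    first_seen = {}
    reuses = []
    for idx, (station, iv) in enumerate(frames):
        if iv in first_seen:
            reuses.append((station, iv, first_seen[iv], idx))
        else:
            first_seen[iv] = idx
    return reuses


# Constructed sample capture (not real traffic): station "A" counts IVs up from
# 0, then station "B" joins and also starts its IV counter at 0; every one of
# B's first IVs repeats a value A already used under the same shared WEP key.
SAMPLE_CAPTURE = [("A", iv) for iv in range(5)] + [("B", iv) for iv in range(3)]


if __name__ == "__main__":
    for bits in (WEP_IV_BITS, WPA_IV_BITS):
        n = frames_until_reuse_probability(bits)
        print(f"{bits}-bit IV space: ~{n:,} random-IV frames for a 50% chance of a repeat")
    print("exact P(repeat) for 4823 WEP frames:",
          round(iv_reuse_probability(WEP_IV_BITS, 4823), 3))
    for station, iv, first, repeat in find_iv_reuse(SAMPLE_CAPTURE):
        print(f"IV {iv:#08x} reused by station {station}: frames {first} and {repeat}")
```

With random IVs a 24-bit space reaches a 50% chance of a repeat after roughly 4,800 frames, whereas 48 bits needs on the order of twenty million; with the sequential counters the text describes, reuse is certain after 2^24 frames and immediate whenever a second station starts from zero, which is what the monitor catches.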

Evolution of WLAN Security Solutions

802.11 WEP using 40-bit keys shared between the wireless access point (AP) and the wireless client was the first-generation security solution for wireless authentication and encryption that IEEE offered. WEP is based on the RC4 encryption algorithm (a stream cipher) and supports encryption up to 128 bits. Some vendors, such as Cisco Systems, supported both 40-bit and 128-bit keys on their wireless devices; an example would be Cisco Aironet 128-bit devices. RC4 vulnerabilities, plus the WEP usage of static keys, its weak authentication, and its nonscalable method of manually configuring WEP keys on clients, soon proved to be unacceptable, and other solutions were recommended.

To address the shortcomings of WEP, from 2001 to 2002, Cisco Systems offered a wireless authentication and encryption solution that was initially called Lightweight Extensible Authentication Protocol (LEAP). LEAP had negative connotations for some people; therefore, Cisco Systems decided to rename it Cisco Wireless EAP. In brief, this solution offered the following improvements over WEP:

■ Server-based authentication (leveraging 802.1x) using passwords, one-time tokens, Public Key Infrastructure (PKI) certificates, or machine IDs

■ Usage of dynamic WEP keys (also called session keys) by reauthenticating the user periodically and negotiating a new WEP key each time (Cisco Key Integrity Protocol, or CKIP)

■ Mutual authentication between the wireless client and the RADIUS server

■ Usage of Cisco Message Integrity Check (CMIC) to protect against inductive WEP attacks and replays

In late 2003, the Wi-Fi Alliance Group provided WPA as an interim wireless security solution until the IEEE 802.11i standard became ready. WPA requires user authentication through a preshared key (PSK) or 802.1x (EAP) server-based authentication before the keys used are authenticated. WPA uses Temporal Key Integrity Protocol (TKIP), or per-packet keying, and a message integrity check (MIC) against man-in-the-middle and replay attacks. WPA uses an expanded IV space of 48 bits rather than the traditional 24-bit IV. WPA did not require hardware upgrades and was designed to be implemented with only a firmware or software upgrade.
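The three WPA mechanisms just listed (per-packet keying, a MIC, and a 48-bit sequence counter) work together: the receiver verifies the MIC over the counter and payload, and accepts a frame only if the counter has moved forward. The following added example is not code from the page or from any WPA implementation; it stands in an HMAC-SHA256 derivation for TKIP's real key-mixing function and Michael MIC, so that the receiver's replay and integrity checks can be exercised end to end on a constructed exchange. The session key, MIC key, client MAC address, and payloads are all made up for the illustration.

```python
import hashlib
import hmac

SEQ_BYTES = 6   # 48-bit per-packet sequence counter, the expanded IV space named in the text
MIC_LEN = 8     # TKIP's Michael MIC is 8 bytes; an HMAC truncated to 8 bytes stands in here


def per_packet_key(session_key: bytes, transmitter: bytes, seq: int) -> bytes:
    """Derive a fresh key for each frame from the session key, the transmitter's
    MAC address and the sequence counter, so no two frames share a key.
    TKIP's real key-mixing function is different; an HMAC-based derivation is
    used here purely to illustrate per-packet keying (assumption, not TKIP)."""
    msg = b"ppk" + transmitter + seq.to_bytes(SEQ_BYTES, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def compute_mic(mic_key: bytes, transmitter: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed integrity check over the transmitter address, counter and payload.
    Covering the counter is what lets the receiver distinguish a replayed frame
    from a legitimate new one even when the payload bytes are identical."""
    msg = transmitter + seq.to_bytes(SEQ_BYTES, "big") + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:MIC_LEN]


class Receiver:
    """Tracks the highest sequence counter accepted from each transmitter and
    rejects frames whose MIC fails or whose counter does not move forward."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = {}      # transmitter -> last accepted counter
        self.rejected = []      # (reason, transmitter, seq), suitable for alerting

    def accept(self, transmitter: bytes, seq: int, payload: bytes, mic: bytes) -> bool:
        expected = compute_mic(self.mic_key, transmitter, seq, payload)
        if not hmac.compare_digest(expected, mic):   # constant-time comparison
            self.rejected.append(("bad_mic", transmitter, seq))
            return False
        if seq <= self.last_seq.get(transmitter, -1):
            self.rejected.append(("replay", transmitter, seq))
            return False
        self.last_seq[transmitter] = seq
        return True


def run_scenario():
    """Constructed exchange (not a real capture): a client sends two frames, then
    the first frame is delivered a second time verbatim and the second frame is
    delivered with its payload altered in transit. Returns the receiver's
    decisions in order plus its rejection log."""
    session_key = hashlib.sha256(b"constructed-session-key").digest()
    mic_key = hashlib.sha256(b"constructed-mic-key").digest()
    client = bytes.fromhex("02000000aa01")  # locally administered, made-up MAC
    frames = [(1, b"GET /index.html"), (2, b"POST /login user=alice")]

    rx = Receiver(mic_key)
    decisions, sent = [], []
    for seq, payload in frames:
        mic = compute_mic(mic_key, client, seq, payload)
        sent.append((seq, payload, mic))
        decisions.append(("original", seq, rx.accept(client, seq, payload, mic)))

    # frame 1 delivered again unchanged: the MIC is valid, but the counter went backwards
    seq, payload, mic = sent[0]
    decisions.append(("replay", seq, rx.accept(client, seq, payload, mic)))
    # frame 2 with its payload changed in transit: the MIC no longer matches
    seq, payload, mic = sent[1]
    altered = payload.replace(b"alice", b"someone-else")
    decisions.append(("tampered", seq, rx.accept(client, seq, altered, mic)))
    return decisions, rx.rejected


if __name__ == "__main__":
    k = hashlib.sha256(b"constructed-session-key").digest()
    mac = bytes.fromhex("02000000aa01")
    for seq in (1, 2):
        print(f"per-packet key for seq {seq}: {per_packet_key(k, mac, seq).hex()[:16]}...")
    decisions, rejected = run_scenario()
    for kind, seq, ok in decisions:
        print(f"{kind:9s} seq={seq}: {'accepted' if ok else 'rejected'}")
    print("rejection log:", [(reason, seq) for reason, _, seq in rejected])
```

The replayed frame carries a perfectly valid MIC and is still dropped, which is why the counter must be part of the integrity-protected data and why its 48-bit size matters: it must not wrap within the lifetime of a session key.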

In mid-2004, IEEE 802.11i/WPA2 became ready. The main improvements to WPA were usage of Advanced Encryption Standard (AES) for encryption and usage of Intrusion Detection System (IDS) to identify and protect against attacks. WPA2 is more CPU-intensive than WPA mostly because of the usage of AES; therefore, it usually requires a hardware upgrade.
