Real World Wireless Security
"Every matter requires prior knowledge."
—Du Mu
"If you can find out the real conditions, then you will know
who will prevail."
—Mei Yaochen
Rather than concentrating on the basics of general information
security or wireless networking, this introductory chapter focuses on something
grossly overlooked by many "armchair experts": the state of wireless security in
the real world. Before getting down to it, though, we need to explain why
we are so keen on the security of 802.11 standards-based wireless networks and
not other packet-switched radio communications. Figure 1-1 presents an overview
of wireless networks in the modern world, with 802.11 networks occupying the
medium circle.

As shown, we tend to use the term 802.11 wireless network
rather than 802.11 LAN. This particular technology dissolves the boundary between
local and wide area connectivity: 802.11b point-to-point links can reach beyond
50 miles, effectively becoming wireless wide area network (WAN) connections when
used as a last-mile data delivery solution by wireless Internet service providers
(ISPs) or as long-range links between offices. Thus, we consider it necessary to
specify the use of 802.11 technology: local area networks (LANs) and WANs always
have had, and always will have, different security requirements and approaches.
Why Do We Concentrate on 802.11 Security?
The wide coverage zones of 802.11 networks are one of
the major reasons for rising security concerns and interest: an attacker can be
positioned where no one expects him or her to be and stay well away from the
network's physical premises. Another reason is the widespread use of 802.11
networks themselves: by 2006 the number of shipped 802.11-enabled hardware
devices is estimated to exceed 40 million units (Figure 1-2), even as the prices
on these units keep falling. After 802.11g products hit the market, the price of
many 802.11b client cards dropped to the cost level of 100BaseT Ethernet client
cards. Of course there is a great speed disadvantage (5–7 Mbps on 802.11b vs. 100
Mbps on switched fast Ethernet), but not every network has high-speed
requirements, and in many cases wireless deployment will be preferable. These
cases include old houses in Europe protected as part of the national heritage,
where drilling through obstacles to lay cabling is prohibited by law. Another
case is offices positioned on opposite sides of a busy street, highway, or office
park. Finally, last-mile provider services delivered via wireless are basically a
replacement for the cable or xDSL link, and an 802.11b "pipe" is not likely to be
a bottleneck in such cases, taking into account common xDSL or cable network
bandwidth.

802.11 networks are everywhere, easy to find, and, as you will
see in this book, often require no effort at all to associate with. Even if
they are protected by WEP (which still remains the most common security
countermeasure on 802.11 LANs), the vulnerabilities of WEP are very well
publicized and known to practically anyone with a minimal interest in wireless
networking. By contrast, other wireless packet-switched networks are far
from being that common and widespread, do not have well-known and "advertised"
vulnerabilities, and often require obscure and expensive proprietary hardware to
explore. At the same time, 802.11 crackers commonly run their own wireless LANs
(WLANs) and use their equipment for both cracking and home and community
networking.
Attacks on GSM and GPRS phones are mainly related to unit
"cloning," which lies outside the realm of network hacking to which this book is
devoted. On the personal area network (PAN) side, the hacking situation is far
more interesting to dive into from a network security consultant's
viewpoint.
Attacks on infrared PANs are a form of opportunistic cracking
based on being in the right place at the right time: a cracker would have to be
close to the attacked device and within a 30-degree cone of its infrared port.
Because the infrared radiated power is limited to only 2 mW, the signal is
not expected to reach further than two meters. An exception to the 30
degrees/2 mW limitations is the case when an infrared access point (e.g., Compex
iRE201) is deployed in an office or conference hall. In such a situation, all
that a cracker needs to sniff traffic and associate with the infrared PAN is to
be in the same room as the access point. There is no layer 2 security in
Infrared Data Association (IrDA) PANs, and unless higher-layer encryption or
authentication means are deployed, the infrared network is open for anyone to
exploit. Windows 2000 and Windows XP clients automatically associate with other
IrDA hosts, and the Linux IrDA project stack (http://irda.sourceforge.net/)
provides a remote IrDA host discovery option (run irattach -s) as well as
irdadump, a utility similar to tcpdump. Irdaping has been used to freeze
unpatched Windows 2000 machines before the Service Pack 3 release (see the
Bugtraq post at
http://www.securityfocus.com/archive/1/209385/2003-03-11/2003-03-17/2).
If you want to dump layer 2 IrDA frames under Windows 2000, the infrared debugger
interface in IrCOMM2k (a port of the Linux IrDA stack, http://www.stud.uni-hannover.de/~kiszka/IrCOMM2k/English/)
will do a decent job. However, no matter how insecure infrared networks are,
their limited use and physically limited reach mean that scanning for data
over light will never be as popular as scanning for data over radio frequency
(RF) waves.
Warnibbling, or looking for Bluetooth networks, is likely to
gain far more popularity than looking for infrared connections and might one
day rival wardriving in popularity. Tools for Bluetooth network
discovery such as Redfang from @Stake and a graphical user interface (GUI) for
it (Bluesniff, Shmoo Group) are already available to grab and use, and more tools
will no doubt follow suit.
Three factors limit the spread of Bluetooth hacking. One is the
still limited use of this technology, but that is very likely to change in a few
years. Another factor is the limited (compared to 802.11 LANs) coverage zone.
However, Class 1 Bluetooth devices (output transmission power up to 100 mW) such
as Bluetooth-enabled laptops and access points can cover a 100-meter radius or
greater if high-gain antennas are used. Such networks are de facto WLANs and can
be suitable targets for remote cracking. The third factor is the security
mechanisms protecting Bluetooth PANs against both snooping and unauthorized
connections. So far there are no known attacks circumventing the E0 stream
cipher used to encrypt data on Bluetooth PANs. However, only time will determine
whether this proprietary cipher will hold up under Kerckhoffs's assumption (that
the adversary knows the algorithm) and whether the famous story of the
unauthorized Cypherpunks mailing list disclosure of the RC4 algorithm structure
will repeat itself (see Chapter 11 if you find this example confusing). There
are already theoretical observations of possible weaknesses in Bluetooth security
mechanisms (see http://www.tcs.hut.fi/~helger/crypto/link/practice/bluetooth.html).
Besides, even the best security countermeasure is useless unless it is
implemented, and Bluetooth devices are usually set to the first (lowest) of the
three Bluetooth security modes available and have the default of "0000" as the
session security PIN. It is also common to use the year of birth or any other
meaningful (and guessable) four-digit number as a Bluetooth PIN. This happens for
convenience reasons, but the unintended consequence is that it makes the
cracker's job much easier. In our observations, about 50 percent of
Bluetooth-enabled devices have the default PIN unchanged. There are also devices
that have default PINs prewired without any possibility of changing them: all the
attacker would have to do is find the list of default PINs online. Although this
provides a great opportunity for the potential attacker, we have yet to meet a
real flesh-and-bone "warnibbler" who goes beyond sending prank messages via
Bluetooth on the street. At the same time, security breaches of 802.11 networks
occur on a daily, if not hourly, basis, bringing us back to the main topic: why
and, most important, how they take place.
Getting a Grip on Reality: Wide Open 802.11 Networks Around Us
As mentioned, in the majority of cases an attacker does not
have to do anything to get what he or she wants. The safe door is open and the
goods are there to be taken. The Defcon 2002 wardriving contest showed that only
29.8 percent of the 580 access points located by the contestants had WEP enabled.
As many as 19.3 percent had default ESSID values, and (not surprisingly) 18.6
percent of discovered access points did not use WEP and had default ESSIDs. If
you think that something has changed since then, you are mistaken. If anything
has changed, it has changed for the worse, because the Defcon 2003 wardrive
demonstrated that only approximately 27 percent of networks in Las Vegas are
protected by WEP. Because one of the teams took a lateral approach and went to
wardrive in Los Angeles instead, this figure also includes some statistics for
that city.
The Defcon wardrive observations were independently
confirmed by one of the authors wardriving and walking around Las Vegas on his
own.
Are things any better on the other side of the Atlantic? Not
really. We speculated that only around 30 percent of access points in the United
Kingdom would have WEP enabled. To validate this for research purposes, one of
the authors embarked on a London sightseeing tour in the famous open-top red
double-decker bus, armed with a "debianized" laptop running Kismet, a Cisco
Aironet LMC350 card, and a 12 dBi omnidirectional antenna. During the two-hour
tour (exactly the time the laptop's batteries lasted), 364 wireless networks were
discovered, of which 118 had WEP enabled; 76 had default ESSIDs or ESSIDs giving
the company name and address. Even worse, some of the networks discovered had
visible public IP addresses of wireless hosts that were pingable from the
Internet side. If you are a wireless network administrator in central London and
are reading this now, please take note. Of course, in the process of collecting
this information, no traffic was logged, to avoid any legal complications. The
experiment was "pure" wardriving (or rather "warbusing") at its best. Not
surprisingly, warwalking in central London with a Sharp Zaurus SL-5500 PDA, a
D-Link DCF-650W CF 802.11b card (wonderful large antenna, never mind the blocked
stylus slot), and Kismet demonstrated the same statistics. A similar level of
802.11 WLAN insecurity was revealed in Bristol, Birmingham, Plymouth, Canterbury,
Swansea, and Cardiff.
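The Defcon and London figures above are simple ratios over a list of discovered access points. As an added example (not code from the book or from Kismet), the following script reduces a constructed survey export to the same three ratios and lists the access points an administrator should look at first; the CSV layout and the default-ESSID list are assumptions for the example, not a tool's real output format or a complete vendor list.

```python
import csv
from dataclasses import dataclass

# Factory-default ESSIDs to match against (assumed sample, not a full vendor list).
DEFAULT_ESSIDS = {"linksys", "default", "tsunami", "netgear", "wlan", "wireless"}

@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    essid: str
    wep: bool

def parse_survey(text):
    """Parse 'bssid,essid,encryption' rows; a BSSID heard twice is counted once."""
    seen = {}
    for row in csv.DictReader(text.splitlines()):
        bssid = row["bssid"].strip().lower()
        if bssid not in seen:
            wep = row["encryption"].strip().upper() == "WEP"
            seen[bssid] = AccessPoint(bssid, row["essid"].strip(), wep)
    return list(seen.values())

def is_default_essid(essid):
    return essid.strip().lower() in DEFAULT_ESSIDS

def summarise(aps):
    """The three ratios the wardriving statistics quote, in percent."""
    n = len(aps)
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    wep = sum(1 for ap in aps if ap.wep)
    default = sum(1 for ap in aps if is_default_essid(ap.essid))
    both = sum(1 for ap in aps if not ap.wep and is_default_essid(ap.essid))
    return {"total": n, "wep_pct": pct(wep),
            "default_essid_pct": pct(default), "open_default_pct": pct(both)}

def needs_attention(aps):
    """BSSIDs to fix first: no encryption at all, or a factory ESSID left in place."""
    return sorted(ap.bssid for ap in aps if not ap.wep or is_default_essid(ap.essid))

# Constructed survey: seven access points, the first one heard twice.
SAMPLE_SURVEY = """bssid,essid,encryption
00:11:22:33:44:01,linksys,None
00:11:22:33:44:02,tsunami,WEP
00:11:22:33:44:03,acme-corp,WEP
00:11:22:33:44:04,default,None
00:11:22:33:44:05,coffee-shop,None
00:11:22:33:44:06,NETGEAR,None
00:11:22:33:44:07,finance-dept,WEP
00:11:22:33:44:01,linksys,None
"""
```

Run `summarise(parse_survey(SAMPLE_SURVEY))` to get the WEP, default-ESSID and open-plus-default percentages for the sample; `needs_attention` returns the BSSIDs to remediate.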
Crossing the English Channel does not help either. One of the
authors drove from Warsaw to London with another Zaurus/D-Link CF
card/Kismet kit and found a similar ratio of WEP to no-WEP 802.11 networks,
including very powerful unencrypted point-to-point links crossing the
countryside motorways in the middle of nowhere. Another author evaluated
802.11 security in Riga, Latvia. Curiously, the wireless networks in Riga were
so abundant that it was practically impossible to use the middle ISM band
(2.4–2.45 GHz), and many networks moved to the UNII (5.15–5.35 and 5.725–5.825
GHz) or even licensed ~24 GHz bands. Many legacy BreezeNET and 802.11 FHSS
networks were present. The wireless boom in Riga can be explained by old, noisy,
Soviet-period phone lines incapable of carrying xDSL traffic without a
significant packet loss/retransmission rate. Yet, despite the popularity of
802.11 networks, hardly anyone used WEP.
If you think that the majority of these unprotected wireless
networks were home user access points, wireless community networks, or public
access hot spots, you are wrong. Many of the wide open networks we have observed
"in the wild" belong to government organizations (foreign governments included)
and large corporations (multinationals included). In fact, some of these
corporations are major information technology (IT) enterprises or IT-related
consultancies, which is particularly shameful! We don't even dare to think how
many of the 802.11 networks located had implemented proper security measures
beyond the standard ("crackable") WEP and MAC address filtering. Single-digit
percentage values surely come to mind. Considering that neither WEP nor MAC
filtering is difficult to circumvent with a bit of patience, it is not
surprising that security remains the major concern restricting the spread and
use of wireless technology around the world. At the same time, there are
efficient wireless security solutions available, including powerful and
affordable free and Open Source-based wireless safeguards that we describe in the
second part of this book. Unfortunately, very few wireless network engineers and
administrators are aware of the existence of these solutions. As always, the
human factor proves to be the weakest link.
The Future of 802.11 Security: Is It as Bright as It Seems?
Will the new 802.11 standards alleviate this situation? Again,
only time will tell. While this book was being written, many manufacturers
started to release 802.11g equipment onto the market, even though the 802.11g
standard was not complete (see Figure 1-3 for reference on the 802.11g
development process). Many of these pre-802.11g products were advertised as
"ultrasecure due to the new standard." In reality, 802.11g has nothing to do
with security at all. In a nutshell, it is an implementation of the 802.11a
orthogonal frequency division multiplexing (OFDM) physical layer modulation
method for the middle ISM band to provide 802.11a speed (54 Mb/s is the
standard-defined maximum), thus achieving both high connection speed and
compatibility with 802.11b or even the original 802.11 direct sequence spread
spectrum (DSSS) standards. Therefore, the marketing attempts to link 802.11g and
security were blatantly false.
On the other hand, the 802.11i standard (still in draft at the
time of this writing) is the new wireless security standard destined to replace
WEP and, according to its developers, provide much stronger wireless security.
802.11i was supposed to be released together with 802.11g, but we are not living
in a perfect world. The Wi-Fi Protected Access (WPA) WiFi Alliance certification,
version 1, implements many of the current 802.11i development features, but not
every 802.11g product currently sold is WPA certified. At the moment, there are
many 802.11g networks deployed that still run old, insecure versions of WEP, and
we have observed 802.11g LANs without any data encryption enabled by
security-unaware administrators. A detailed description of 802.11i is beyond the
reach of this introductory chapter, and impatient readers are referred to
Chapter 10 for the discussion of 802.11i structure and function.
What deserves to be mentioned here is that the issues of wireless
hardware replacement, backward compatibility, and personnel training, together
with falling prices on older 802.11 equipment (combined with higher prices on
newly released 802.11g products with 802.11i support), mean that the old
vulnerable WEP is with us to stay. This will happen even if 802.11i finally makes
it and is unbreakable (very few security safeguards are, if any). Just as in the
previously mentioned case of Bluetooth security, there will be users and even
system administrators who forget to turn 802.11i security features on or leave
the default or obvious key value unchanged. Also, as you will see, WLANs will
still remain vulnerable to denial of service (DoS) attacks at both the physical
and data link layers (layers 1 and 2). A vile and determined attacker can use
this to his or her advantage, bringing down the network only when 802.11i
security features are enabled, thus playing a "Pavlovian game" against the
wireless administrator. (When the authentication or encryption is on, the
network doesn't work properly!) Thus, an opportunity for a cracker to sneak in
will always remain a specific threat to wireless networks to be reckoned with.