USC CSCI 530 - Berghel04b


COMMUNICATIONS OF THE ACM, December 2004/Vol. 47, No. 12. Digital Village column.

Wireless Infidelity II: Airjacking
Hal Berghel and Jacob Uecker
Illustration: Beata Szpura

Assessing the extent of the security risks involved in wireless networking technology by considering three possible scenarios demonstrating vulnerabilities.

In the previous column (September 2004), I discussed the history and practice of wardriving. I noted the inherent insecurities in the 802.11 protocol standards and reported some rather frightening statistics (for example, over 60% of the Wireless Access Points discovered in the 4th Annual WorldWide War Driving Competition had no form of encryption enabled!). I also pointed out that there is a perfectly lawful and legitimate use for wireless monitoring, but when it is used with unlawful or unethical intent, it is generally characterized as war driving. I observed that war driving is now ubiquitous: a good illustration of this is provided by the WiGLE.net online database of WAPs.

Having established that the practice of war driving is commonplace, the extent of the risk remains to be shown. We will consider three possible scenarios here. But first, we address the necessary preliminaries.

Service Set IDs

Since our goal is to discuss wireless security, we’ll frame our discussion in terms of a very high-level overview of wireless technology. We normally associate the term wireless networks with the 802.11 family of protocols, the most popular of which are the various flavors of 802.11 (aka WiFi). The foundation of an 802.11 network is the basic service set (BSS). Service sets may be defined as a tier structure:

Tier 0: Independent BSS (IBSS) or ad hoc network. Any cluster of wireless-enabled computers (aka stations) intercommunicating between themselves.

Tier 1: Infrastructure BSS. A cluster of one or more stations connected with a Wireless Access Point (WAP, or simply AP). In this mode, all stations communicate with each other through one WAP at a time; no direct station-to-station communication is permitted.

Tier 2: Extended Service Set (ESS). A cluster of BSSs where interconnected WAPs serve as bridges between service areas.

The Service Set ID (SSID) is a network name of 32 bytes or less for a service set (a list of default SSIDs is available at www.cirt.net/cgi-bin/ssids.pl). This name is used by other network devices to initiate a connection. WAPs may be configured as “open” or “closed.” In the open mode, the WAP broadcasts its SSID to the world; in closed mode, it does not. A computer with a WiFi card set to SSID=ANY will attempt to authenticate with the open WAPs with the strongest signals. This is called association polling and is built into XP by default when wireless is enabled, as confirmed by the menu bar pop-up caption shown in Figure 1.

[Figure 1. Windows XP menu bar caption indicating enabled wireless connectivity.]

Therein is our first security consideration. Is it advisable to broadcast the name of the WAP to the world? Where WAPs are concerned, the best practice is to avoid drawing any more attention to the WAP than necessary. Disabling SSID broadcasting and setting the signal strength as low as possible without losing the signal is a good first step.

However, closed WAPs only deter primitive network beacon sniffers (for example, NetStumbler). Beacon sniffers (aka active sniffers) continuously broadcast probe requests to entice WAPs to respond. Closed WAPs will not respond unless the probe requests contain their SSID (which means it must be known in advance), so beacon sniffers are both extremely noisy (and trivial to detect) and provide an incomplete scan. However, greater stealth can be achieved by “passive” sniffers that operate with the network card in monitor mode. Monitor mode captures all traffic on a frequency regardless of source or destination as long as the signal strength is adequate. This is to be distinguished from promiscuous mode, which captures all traffic on the network to which you are associated and is not a default option on all wireless cards. In monitor mode, passive sniffers like AirMagnet and Kismet monitor all wireless transmissions close enough to detect, irrespective of source and destination, without generating any betraying traffic themselves.

So what does a closed WAP buy us? Not much, for the serious invader. But shutting off the SSID broadcast is still worth the effort, if for no other reason than it discourages casual sniffing and WAP mapping by would-be hackers.

WEP

The goal of Wired Equivalent Privacy (WEP) was to bring some of the security available in wired networks to WiFi. Unfortunately, the designers bungled the job (see citeseer.ist.psu.edu/fluhrer01weaknesses.html). WEP suffers from two fundamental deficiencies: it was poorly designed and it was poorly implemented. Other than that, it’s fine.

A key WEP vulnerability results from the implementation of the RC4 symmetric stream cipher algorithm. Simple stream ciphers work by XORing a stream of bits (the key) with the plaintext to come up with the ciphertext that is transmitted and reversed at the other end. In its simplest form, this stream cipher wouldn’t be secure because a string of zeros in the plaintext would produce the actual key in the ciphertext due to the way XOR works. The RC4 algorithm relies on a pseudo-randomly generated initialization vector (IV) to control the scrambling of the keystream to provide the desired robustness.

The WEP implementation of RC4 is flawed in several ways, which allows the algorithm itself to be attacked and the key to be revealed. The first problem with WEP is that the IV is always prepended to the key prior to generation of the keystream by the RC4 algorithm. Secondly, the IV is relatively small (3 bytes), which produces a lot of repetitions as the scant 16.77 million variations are reused to encrypt millions of packets. Third, some of the IVs are “weak” in the sense that they may be used to betray information about the key.

When the first data to be encrypted in a WEP packet is the SNAP header (as with IP and ARP packets), the first byte of this header is almost always 0xAA. A weak IV has a format of B+3::ff::X (where B is the byte of the key to be found, ff is the constant 255, and X is irrelevant). WEP cracking usually relies on accumulated traffic produced by weak IV values. Since the IV is transmitted with the packet in plaintext, weak IVs are easy to detect. The key value of B is determined after the B+4th iteration of the key scheduling algorithm. Given a sufficient amount of
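The open versus closed WAP distinction above, as an added example that is not part of the article: a small parser for the tagged parameters of an 802.11 beacon frame body that reports whether the SSID is broadcast or hidden (an empty or zero-filled SSID element), useful for auditing your own WAP's configuration from a capture. The frame bodies are constructed sample data, not real captures; the fixed-field layout and element IDs follow the 802.11 beacon format.

```python
# Added example (not from the article): inspect an 802.11 beacon frame body
# to tell an "open" WAP (SSID broadcast) from a "closed" one (SSID element
# empty or zero-filled). All frame bodies here are constructed samples.
import struct

SSID_ELEMENT_ID = 0
FIXED_FIELDS_LEN = 8 + 2 + 2      # timestamp, beacon interval, capability info


def parse_tagged_params(body: bytes) -> dict:
    """Return {element_id: value} for the tagged parameters after the fixed fields."""
    params, pos = {}, FIXED_FIELDS_LEN
    while pos + 2 <= len(body):
        eid, ln = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ln]
        if len(value) < ln:            # truncated element: stop rather than over-read
            break
        params.setdefault(eid, value)  # first occurrence wins
        pos += 2 + ln
    return params


def beacon_ssid(body: bytes):
    """SSID string if the WAP broadcasts it, or None for a closed (hidden SSID) WAP."""
    ssid = parse_tagged_params(body).get(SSID_ELEMENT_ID)
    if not ssid or ssid == b"\x00" * len(ssid):
        return None
    return ssid.decode("utf-8", errors="replace")


def make_beacon_body(ssid: bytes, interval: int = 100) -> bytes:
    """Build a minimal beacon body (constructed test data, not a real capture)."""
    fixed = struct.pack("<QHH", 0, interval, 0x0011)  # timestamp, interval, ESS+privacy
    ssid_el = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_el = bytes([1, 1, 0x82])                   # supported rates: 1 Mb/s (basic)
    return fixed + ssid_el + rates_el
```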
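The IV handling described in the WEP section, as an added example that is not the article's or the authors' code: a textbook RC4 with the per-packet key built as IV || shared key, a check that two packets sent under one IV leak the XOR of their plaintexts, a detector for the (B+3, 0xFF, X) weak-IV shape, and, going slightly beyond the text, the birthday-bound estimate of how soon a 24-bit IV repeats. All keys, IVs and payloads are constructed sample values; the WEP ICV trailer is omitted.

```python
# Added example (not from the article): plain RC4 plus the WEP habit of
# building the per-packet key as IV || shared key, to show why a 3-byte IV
# is dangerous. Keys, IVs and payloads are constructed sample values; the
# WEP ICV (CRC-32 trailer) is omitted for brevity.
import math

IV_SPACE = 1 << 24          # 24-bit IV: 16,777,216 distinct values


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Key-scheduling algorithm (KSA) followed by PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || shared key; the IV itself travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def keystream_reuse_leak(iv: bytes, key: bytes, pt_a: bytes, pt_b: bytes) -> bytes:
    """Two packets under one IV share a keystream, so C_a XOR C_b == P_a XOR P_b."""
    ca, cb = wep_encrypt(iv, key, pt_a), wep_encrypt(iv, key, pt_b)
    return bytes(a ^ b for a, b in zip(ca, cb))


def is_weak_iv(iv: bytes, key_byte_index: int) -> bool:
    """Weak-IV shape from the article: (B+3, 0xFF, X) for the key byte B being sought."""
    return iv[0] == key_byte_index + 3 and iv[1] == 0xFF


def count_weak_ivs(ivs, key_len: int) -> int:
    """Audit helper: how many captured IVs are weak for some key byte index."""
    return sum(1 for iv in ivs if any(is_weak_iv(iv, b) for b in range(key_len)))


def expected_packets_to_iv_repeat(iv_space: int = IV_SPACE) -> float:
    """Birthday bound: about sqrt(pi * N / 2) packets before some IV repeats."""
    return math.sqrt(math.pi * iv_space / 2)
```

A WAP or client that emits many weak IVs, or that cycles IVs sequentially from zero, is the thing to look for in a capture; the counts above are what a monitoring script would report.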

