A survey of WiMAX security threatsTrung Nguyen, [email protected] (A project report written under theguidance of Prof. Raj Jain)DownloadAbstract:As a promising broadband wireless technology, WiMAX has many salient advantages over such as: high datarates, quality of service, scalability, security, and mobility. Many sophisticated authentication and encryptiontechniques have been embedded into WiMAX but it still exposes to various attacks in. This report is a surveyof security vulnerabilities found in WiMAX network. Vulnerabilities and threats associated with both layers inWiMAX (physical and MAC layers) are discussed along with possible solutions.Keywords:IEEE 802.16, WiMAX, wireless network, threat analysis, vulnerabilities analysis, security, network security,PKM, PKMv2, authentication, encryption, man-in-the-middle attacks, DoS attacks, WiMAX attacks.Table of Contents1. Introduction2. WiMAX protocol architecture and security solutions2.1. IEEE 802.16 protocol architecture2.2. WiMAX security solutions3. WiMAX security vulnerabilities and countermeasures3.1. Threats to the PHY layer3.1.1. Jamming attack3.1.2. Scrambling attack3.1.3. Water torture attack3.1.4. Other threats:3.2. Threats to the MAC layers:3.2.1. Threats to Mac Management message in Initial network entry3.2.2. Threats to Access network Security3.2.3. Threats to authentication3.2.4. Other threats:4. Summary5. List of Acronyms6. References1. IntroductionEstablished by IEEE Standards Board in 1999, the IEEE 802.16 is a working group on Broad Wireless AccessA survey of WiMAX security threatshttp://www.cse.wustl.edu/~jain/cse571-09/ftp/wimax2/index.html 1 of 15(BWA) developing standards for the global deployment of broadband Wireless Metropolitan Area Networks[Wiki_802.16]. In December 2001, the first 802.16 standard which was designed to specialize point-to-multipoint broadband wireless transmission in the 10-66 GHz spectrum with only a light-of-sight (LOS)capability. But with the lack of support for non-line-of-sight (NLOS) operation, this standard is not suitable forlower frequency applications. Therefore in 2003, the IEEE 802.16a standard was published to accommodatethis requirement. Then, after being revised several times, the standard was ended in the final standard:802.16-2004 which corresponds to revision D. These standards define the BWA for stationary and nomadicuse which means that end devices cannot move between base stations (BS) but they can enter the network atdifferent locations. In 2005, an amendment to 802.14-2004, the IEEE 802.16e was released to address themobility which enable mobile stations (MB) to handover between BSs while communicating. This standard isoften called “Mobile WiMAX7#8221;. The following table provides a summary of the IEEE 802.16 family ofstandards.Table 1. Summary of the IEEE 802.16 family of standards.Based on the IEEE 802.16 standard, the WiMAX (Worldwide Inter-operability for Microwave Access) is “atelecommunications technology that provides wireless transmission of data using a variety of transmissionmodes, from point-to-multipoint links to portable and fully mobile internet access”[Wiki_WiMAX]. TheWiMAX is supported by the WiMAX forum, which is a non-profit organization formed to promote theadoption of WiMAX compatible products and services [WiMAXABT]. WiMAX is a very promisingtechnology with many key features over other wireless technologies [Jain08]. For instance, WiMAX networkhas the capability of working on many bands: 2.3 GHz, 2.5 GHz, etc, and provides scalability and mobility withhigh data rates with NLOS operation. It also provides strong security and strong QoS guaranteed services fordata, voice, video, etc. However, in order for WiMAX to achieve a maturity level and become a successfultechnology, more research on security threats and solution to these threats need to be conducted.This report is organized as follows. In section 2, WiMAX protocol architecture and security solutions arepresented to provide background and detailed information about WiMAX securities specifications in thesecurity sub-layer. Then vulnerabilities in WiMAX security will be discussed in section 3. In this section,some possible threats or vulnerabilities are discussed along with some proposed solutions to them. Finally,section 4 concludes the report.A survey of WiMAX security threatshttp://www.cse.wustl.edu/~jain/cse571-09/ftp/wimax2/index.html 2 of 152. WiMAX: protocol architecture and security solutionsIn order to understand WiMAX security issues, we first need to understand WiMAX architecture and howsecurities specifications are addressed in WiMAX. This section provides background and detailed informationabout WiMAX securities specifications in the security sub-layer.2.1. IEEE 802.16 protocol architecture:The IEEE 802.16 protocol architecture is structured into two main layers: the Medium Access Control (MAC)layer and the Physical (PHY) layer, as described in the following table [Jain08]:Figure 1. The IEEE 802.16 Protocol structureMAC layer consists of three sub-layers. The first sub-layer is the Service Specific Convergence Sub-layer (CS),which maps higher level data services to MAC layer service flow and connections [Elleithy08]. The secondsub-layer is Common Part Sub-layer (CPS), which is the core of the standard and is tightly integrated with thesecurity sub-layer. This layer defines the rules and mechanisms for system access, bandwidth allocation andconnection management. The MAC protocol data units are constructed in this sub-layer. The last sub-layer ofMAC layer is the Security Sub-layer which lies between the MAC CPS and the PHY layer, addressing theauthentication, key establishment and exchange, encryption and decryption of data exchanged between MACand PHY layers.The PHY layer provides a two-way mapping between MAC protocol data units and the PHY layer framesreceived and transmitted through coding and modulation of radio frequency signals.2.2. WiMAX security solutions:By adopting the best technologies available today, the WiMAX, based on the IEEE 802.16e standard, providesstrong support for authentication, key management, encryption and decryption, control and management ofplain text protection and security protocol optimization. In WiMAX, most of security issues are addressed andhandled in the MAC security sub-layer as described in the following figure:Figure 2 . MAC Security sub-layerTwo main entities in WiMAX, including Base Station (BS) and Subscriber Station