How many of us would allow complete strangers to walk into our homes and listen to our daily conversations? No one that I know would. Ditto for the office, and especially any office where the information we discuss is vital to our success or survival. Let's try a third tack. How many network administrators do you know who would allow a complete stranger to walk into their wiring closet and plug a laptop to their company's network?
I doubt that anyone would, but the virtual equivalent is probably happening across America at this very moment. These strangers aren't physically plugging into networks, though. They are attaching to networks using wireless network technology, which grants the same level of access afforded by a physical connection. In this article, we'll look at some of the ups and downs of wireless network security, Wired Equivalent Privacy (WEP), work by various groups on wireless security issues, and some advice for securing your wireless networks.
I first wrote about 802.11 wireless networking in the Winter 2000 issue of CHIPS. I believed then, and I still believe now, that we will move toward wireless systems over the next 10 years. Before we launch into our wireless security discussion, though, let's briefly review what a wireless network is. Wireless Ethernet networks are built using radio waves. The Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard defines the physical layer and media access control (MAC) layer for wireless local area networks (LANs).
As with our wireless telephone networks, the basic building block of the 802.11 architecture is the cell, also known as the Basic Service Set (BSS). A BSS typically contains one or more wireless stations and a central base station. Base stations are the access points to the network and may be either fixed or mobile.
All the base stations in a particular wireless network communicate with each other using the IEEE 802.11 wireless MAC protocol. Multiple base stations may also be connected together using wired Ethernet or another wireless channel to form a distribution system that appears as a single 802 network in much the same way that a bridged, wired (IEEE 802.3) Ethernet network appears as a single network.
Like cellular telephone service, the cells in a wireless network overlap to provide coverage over an area larger than that covered by an individual cell. If a mobile user moves from one cell to another, the base stations should hand-off the user from one cell to another.
You can also get IEEE 802.11 stations together to form an ad hoc network with no central control and no connections to the outside world. The workstations form into a network simply because they happen to find they are in proximity (within the broadcast range) of other mobile devices that communicate in the same way even though there's no pre-existing network infrastructure (e.g., a pre-existing 802.11 BSS with an access point) in the area.
There has been explosive growth in the deployment of 802.11b networks over the last year. Much of the appeal of 802.11b networks can probably be credited to the Wireless Ethernet Compatibility Alliance (WECA), which developed the wireless fidelity (WI-FI) interoperability standard. Commercial products that bear the WI-FI logo must pass a suite of basic interoperability tests. When people plug into a WI-FI certified access point, it should work with any other WI-FI certified technology.
Other growth factors are low cost and ease of installation. With close to 100 vendors offering the technology, prices have plummeted to under $100 for notebook cards and as low as $150 for access points. Physical deployment is extremely simple. All you have to do to install an access point out is take it out of the box, plug it into your wired Ethernet segment and turn it on. The combination of low cost and simplicity are powerful attractions.
Unfortunately for organizations with extensive wired networks, adding wireless access points to their network can subvert their entire security system because they are inside their network perimeter behind their firewall. WECA’s goal for the Wi-Fi standard was interoperability and ease of use, not security.
The 802.11b standard does include a provision for encryption called WEP. Depending on the manufacturer and the model of the network interface card (NIC) and access point, there are two levels of WEP commonly available—one is based on a 40-bit encryption key and 24-bit initialization vector (IV). It is also called 64-bit encryption and is generally considered unsecure. The other is a 104-bit key plus the 24-bit IV—also called 128-bit encryption, while stronger, is no longer considered completely unsecure.
There has been a lot of buzz in the computer and technology press over the last year about the basic insecurity of WEP. I got a first-hand exposure to this during my last visit to Chez Zip. My wife and I arrived for our monthly dinner with Zippy and Zippette to hear some joyful news: they’re expecting. Sometime in May, Zippette will deliver a new member a new member to the Zip clan.
The fun began when they offered to show us the new nursery. It was a wonderful little room, full of bright colors, beautiful new baby furniture, and a Linux super-computing cluster. Yes, Zippy had taken a simple concept, like a baby monitor, and once again elevated it to a project rivaling ballistic missile defense.
The crib, changing table, mobiles, and stuffed toys were wired to the gills with networked sensors monitored and controlled by a computing system better than anything owned by Johns Hopkins University or the North American Aerospace Defense Command (NORAD). The sensors could monitor heart rate, blood pressure, brain wave activity, blood sugar, and a host of other activities too numerous, trivial, or disgusting to mention.
And, just to show off, Zippy demonstrated that it could monitor a fly walking on the wall above the crib while simultaneously winning eight straight games of Internet-speed chess against the British international grandmaster, Nigel Short. At that moment, I remembered something odd I had seen on the way in. There were at least six vans parked on the street, each with at least two or three large antennas pointed toward Zippy’s house. When I asked about them, Zippy grinned. “Oh, yeah,” he said, “they are a few friends Zippette invited to help check security on our baby monitoring system.”
Zippette has some interesting friends, considering the vans included people from such diverse groups, as the Federal Bureau of Investigation, AT&T and the Central Intelligence Agency. When the pizza delivery guy arrived with dinner, the vans emptied and we all sat down for pizza and a discussion of wireless security.
One of the vans wasn’t there by invitation though. It turned out to be a group from the SETI (Search for Extraterrestrial Intelligence) Institute who thought they had finally found intelligence extraterrestrial life. They were very disappointed when Zippy told them they had been listening to housefly breathe. As the evening unfolded, I got a real education on the trials and tribulations of security in the wireless networking world.
Tools of the Trade
There are apparently several ways to uncover patterns in packets of information passing over wireless LANs. These patterns can be used to figure out the WEP encryption keys, which is the number used to scramble the data being transmitted. Once the key is recovered, it can be used to decrypt messages.
A first tool in the wireless hackers’ arsenal might be a wireless network scanner. AirSnort, one wireless scanner, can allegedly discover WEP keys through passive monitoring. According to information located on the AirSnort Web site, AirSnort can determine WEP keys in less than a second after listening to 100 MB to 1 GB of traffic. And since many implementations of WEP are based on static keys that do not change over time, you can eventually sift out whatever data you need to crack the key—if you listen long enough.
Another interesting scanner is NetStumbler, a shareware program, which “sniffs” for wireless networks. When NetStumbler identifies an 802.11b signal, it logs the MAC address of the access point, the network name, service set identifier (SSID), manufacturer, channel that it was heard on, whether or not WEP is enabled, signal strength, and signal to noise ratio.
In addition, if you have GPS that outputs standard the National Marine Electronics Association (NMEA) standards for data communication between marine instruments data, the latitude and longitude data points are also entered into the log file. This can paint a very accurate picture of the entire wireless implementation simply by “war driving” around the perimeter and locating the access points.
Remember the movie “War Games” where the kid set his computer to dial every telephone number in the area in sequence until he hit one associated with a computer? War driving is stocking up on good antennas and driving around randomly discovering wireless access points.
Many people assume that the 802.11b signals only travel relatively short distance—maybe a 100 feet or so. The actually travel much farther, but are too weak to be detected by the tiny antennas in laptop cards. But with an external gain antenna, 802.11b signals can be detected at a much greater distance. If you want to try this out for yourself, get an ORiNOCO Gold Card, a 14 dBI Yagi antenna, and a 3dBI magnetic mount omnidirectional antenna. These antennas are not expensive.
You can buy a Yagi antenna for about $130 and an omnidirectional antenna for about $100… so you can see it is really inexpensive for a potential hacker to scan your network.
A wireless cracker will mount a Yagi on a tripod and sweep the area for access points and wireless routers in surrounding buildings. The first thing hackers look for is where or not WEP is enabled. If it is, then they work on cracking the encryption. If not, it’s like a welcome mat. Once they receive and Internet Protocol (IP) address from any server on the network, they’ll look to see if the SSID is set to the manufacturer’s default password. If that’s the case, the network is as good as cracked.
The crackers can now change the router configuration, surf the Web using the wireless network’s Internet connection, and keep dissecting the compromised network to their hearts’ content.
To map wireless access points, the cracker will use a GPS receiver and log latitude and longitude information about the access points, extract the entry with the strongest signal for each access point, determine if the access point had WEP enabled or not, and plot the data using publically available mapping systems to give them a detailed geographic map of everything wireless you own. It’s so easy, even Zippy can do it.
Locking Virtual Doors
Wireless network security is much like the physical security at the entrance of a building—anyone with enough time, interest and resources is going to be able to gain access. The trick is limiting the damage so the only things they see are what you want them to see. First, and foremost, we must treat wireless networks as publically accessible at all times. We cannot assume that wireless traffic, in any media, is private and secure simply because the signal is always out there for someone to intercept.
Second, always enable WEP. Yes, WEP isn’t considered totally secure at this point, but at least it’s a first hurdle for people to cross. It’s also free, so it costs you nothing to employ. Third, always change the default SSID. …Probably the best way to deal with SSID is to disable “broadcast SSID” on your system. By disabling that feature, the SSID configured in the client must match the SSID of the access point.
Fourth, change the default password on your access point or wireless router. Any good cracker will know the manufacturer’s passwords and will try them first. Since programs like NetStumbler identify the manufacturer based on the MAC address, it doesn’t take much work to figure out what type of device it is even if you do change the SSID.
Finally, periodically survey your network using a tool like NetStumbler to see if any rogue access points pop up. It’s not hard for some well-intentioned soul to go buy a couple of wireless cards and an access point and plug them into your wireless network. All your best efforts for security could be wasted if a rogue access point is plugged into your network behind your firewall.
Also, take a laptop equipped with NetStumbler and an external antenna outside your perimeter and check what someone outside might “see.” You will be surprised how far the signal radiates. You might only connect at 1 to 2 MBps but it’s still a potential security breach.
An Alternative to WEP
Since WEP has been written off as the principal source of security for wireless networking, various groups have been searching for alternatives. NASA seems to have found, at least for now, a working solution. The network security group in NASA, the Advanced Supercomputing Division at Ames Research Center, believes that WEP provides no substantial security protection for the following reasons, some of which have already been examined: (1) Wireless card hardware addresses cannot be trusted as tools to identify a user; (2) The signal coverage perimeter cannot be easily limited to conform to an organization’s physical control perimeter; (3) WEP encryption of data sent between a laptop and an access point can be cracked, regardless of key length; (4) Well-documented cases have shown that deriving WEP encryption key from hacked cypher text and decrypting WEP traffic can be done without needing to derive the key.
In their implementation of the Wireless Firewall Gateway (WFG), the NASA Advanced Supercomputing
Division disabled all 802.11b network security features. Instead, all the services reached via the wireless network provide their own authentication. The WFG acts as a router between the wireless and external networks. It can dynamically change firewall filters as users authenticate themselves for authorized access.
The WFG is also responsible for handing out IP addresses to users, running a Web site in which users can authenticate and maintain a recorded account of who is on the network and when.
As with any segment of technology, there are people trying to secure systems and people trying to crack them. Be prepared but not paranoid. We depend on our networks more and more, adding more eggs to the basket every day.
To paraphrase Mark Twain, if you put all your eggs in one basket—you better watch that basket!
Long is a retired Air Force communication and information officer.
The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.