Known Vulnerabilities in Wireless LAN Security

11.10.1999

Samuli Larvala & Jani Myyry
Department of Computer Science and Engineering
Helsinki University of Technology
slarvala@cc.hut.fi & jpmyyry@cc.hut.fi


Abstract

In this paper we discuss the problems of wireless LAN security, using the IEEE 802.11 standard as an example, and offer solutions for avoiding these problems. Many people consider a wireless LAN to be more vulnerable to attacks than a wired LAN. We show that this belief is false and that wireless LANs can be made at least as secure as a traditional wired LAN.


Contents

1 Introduction

2 Means of communication

3 Encryption

4 Conclusion

References


1 Introduction

Modern day work at the office usually means working at your desk on your workstation. Some employees who need to move around have laptops so that they can take their machine with them when they go to a meeting or to give a presentation. This freedom of movement is usually limited if you want to be connected to the company LAN. Traditionally a company network is implemented as a wired LAN. An alternative is wireless LAN (WLAN) but people are uncertain about how secure such a network would be.

The IEEE 802.11 standard for WLAN systems was developed by many experts from the LAN and computing industry. Now product vendors have a common standard that should promote interoperability between products. There are other standards such as the WLIF OpenAir standard but we will be discussing WLAN security problems in general, although we will use the IEEE 802.11 as an example.

2 Means of communication

The most obvious security risk with wireless communication is eavesdropping, since we are communicating through the air. The IEEE 802.11 standard defines WLAN systems using either radio frequencies or infrared light as their means of communication. For radio frequency communication the standard uses the 2.4 GHz Industrial, Scientific and Medical (ISM) band, which doesn't need government licensing. The ISM band is divided into channels using either Direct Sequence Spread Spectrum (DSSS) or Frequency Hopping Spread Spectrum (FHSS) [2]. From a security point of view, intercepting DSSS is easier since the transmission is sent over a single frequency (within the band), but with frequency hopping eavesdropping becomes difficult unless one knows the order in which to hop. An opponent wanting to listen in on FHSS must monitor all the frequencies in the band and try to deduce the hopping pattern. In IEEE 802.11, 78 different hopping sequences are defined. Predefined patterns reduce security, and vendors should add the possibility to define proprietary hopping patterns [5].

One way to generate the hopping pattern would be to use a pseudo-random number generator or even a truly random source that gives a predefined table of hopping frequencies. Since the ISM band is divided into only 79 channels, it is still possible for an opponent to listen to all of these frequencies and try to deduce the hopping pattern. If the opponent knows what data is being moved, it is easy to follow how it hops from one frequency to another. Plain FHSS is not a very good source of security, although it does make eavesdropping slightly more difficult. The argument that such technology is complicated and hard to construct doesn't really apply, since we are dealing with mass-marketed hardware. Anyone can buy similar hardware off the shelf and modify it for their own use.

Since we are using radio frequencies, the transmissions are broadcast in every direction, and these signals penetrate walls and other obstacles very well. Radio frequencies are also easier to jam, although if we are using spread spectrum transmissions one would need to jam all the frequencies in the ISM band in order to jam the WLAN traffic.

Using infrared light as the means of communication has the benefit that it doesn't pass through walls and is therefore easier to confine inside the office building. It is also much harder to jam from outside. Infrared (IR) can be used in various ways. It can be focused, directed or diffused. Focused IR can be used to connect two office buildings together. It is hard to eavesdrop on the focused laser beam, but atmospheric conditions can easily disrupt it and jamming is easier. Directed IR, like a TV remote controller, has the problem that it needs a clear line of sight between the two communicating devices, limiting the freedom of movement. Many modern laptops come with an IrDA-compatible IR communications port that uses directed IR. Diffused IR offers a nice alternative since it isn't restricted by line of sight. The room is flooded with IR that bounces off the walls so that the receiver can eventually pick it up. This is a nice compromise between directed IR and radio communication. It offers fairly free movement yet confines the IR to a specific area, making eavesdropping difficult. [3]

3 Encryption

Regardless of which communication method is used, encryption is necessary if one wants to keep things secret. We will assume that every employee has access to the LAN, and in a large enough company there's always some employee who doesn't have good intentions. This employee can listen to the data moving over the LAN. By using strong enough encryption, even if the data moving on the LAN is intercepted, it can't be decrypted. The IEEE 802.11 standard defines Wired Equivalent Privacy (WEP), which is designed to provide at least the same level of security for a wireless LAN as we have with a wired LAN.

To achieve WEP, IEEE 802.11 suggests using the encryption scheme RC4 with a 40-bit key [2]. This was chosen because it doesn't cause problems with US export regulations. This is a problem, since this kind of encryption doesn't really offer any security and is thus merely cosmetic. To give some kind of estimate, a big company willing to invest $10,000,000 could build a custom-made chip that can crack 40-bit RC4 in about 0.005 seconds [1]. Recent attempts at cracking DES show that these figures are not just theoretical estimates [4].
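As an added illustration (not part of the original paper), the following is a plain implementation of the RC4 stream cipher that WEP builds on, together with the keyspace arithmetic behind the 40-bit estimate above: the paper's figure of 2^40 keys in 0.005 seconds implies a search rate, and the same rate applied to a longer key shows how exhaustive search scales with key length. The function names and the use of the public RC4 test vector are assumptions of this example.

```python
# Added example, not from the paper: RC4 as used by WEP, plus the key-length
# arithmetic behind the "40-bit RC4 is merely cosmetic" argument.

def rc4_keystream(key: bytes):
    """RC4 key-scheduling (KSA) followed by the keystream generator (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # KSA: permute the values 0..255 under control of the key bytes
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # PRGA: emit one keystream byte per iteration, forever
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream, so the same call does both."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def keys_per_second(key_bits: int, seconds: float) -> float:
    """Search rate implied by exhausting a key_bits keyspace in `seconds`."""
    return 2 ** key_bits / seconds


def exhaustive_search_seconds(key_bits: int, rate: float) -> float:
    """Worst-case time to try every key of length key_bits at `rate` keys/s."""
    return 2 ** key_bits / rate


if __name__ == "__main__":
    # Public RC4 test vector: key "Key", plaintext "Plaintext".
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                                  # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))                     # b'Plaintext'
    # The paper's figure: a $10M chip exhausts 40-bit RC4 in 0.005 s.
    rate = keys_per_second(40, 0.005)
    print(f"{rate:.3e} keys/s")                      # about 2.2e14 keys/s
    # The same hardware against a 128-bit key (assumed example length).
    years = exhaustive_search_seconds(128, rate) / (365 * 24 * 3600)
    print(f"128-bit key: {years:.3e} years")
```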

Encrypting the data just for the wireless communication is not enough, since the malicious employee can intercept it when it's moving on the wired LAN. An attack from the inside is the most common attack against companies. The problem can be solved by encrypting the data before it is sent to the LAN. For Internet communication one should use an IP protocol that has been upgraded with IPSec [6].

4 Conclusion

To conclude the subject, we find that wireless LAN systems can be made as secure as traditional wired LAN systems. The only problem is that wireless communication is easier to jam. We should not worry about how to prevent interception of the wireless traffic, since it's very difficult and the problem can be dealt with by using strong enough encryption. The choice of using either radio frequencies or infrared is a matter of convenience. By encrypting the data moving on the LAN we don't have to worry about it being intercepted either from the wireless LAN or the wired LAN, since the data can't be decrypted without proper authorisation like a password. Because the encryption is done with software, it's easier to upgrade in case the security of the current system is compromised.

References

[1] Blaze Matt & Diffie Whitfield & Rivest Ronald & Schneier Bruce & Shimomura Tsutomu & Thompson Eric & Wiener Michael, Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security, Jan 1996 [referred 11.10.1999]
<http://www.fortify.net/related/cryptographers.html>
[2] Champness Angela, Understanding the benefits of IEEE 802.11, 23.9.1999 [referred 11.10.1999]
<http://www.steinkuehler.de/wavelan_802_11_Benefits.htm>
[3] Dearden James, Wireless Networks, 6.2.1998 [referred 11.10.1999]
<http://www.jtap.ac.uk/reports/htm/jtap-014-1.html>
[4] Electronic Frontier Foundation, Cracking DES, O'Reilly & Associates, Inc., Jul 1998
[5] Hassan Shaul, Enhanced Wireless LAN Security with the BreezeNET PRO series, 11.12.1998 [referred 11.10.1999]
<http://www.wirelessdataintegrate.com/security.html>
[6] Kent Stephen & Atkinson Randall, Security Architecture for the Internet Protocol, RFC 2401, Nov 1998
<ftp://ftp.funet.fi/rfc/rfc2401.txt>

Further information

The Wireless LAN.com
Everything you need to know about wireless LAN systems.
Wireless LAN Security
Another paper on WLAN security.


Telecommunications Architectures Tik-110.300, homework assignment 5.
© Samuli Larvala & Jani Myyry, 1999.