The huge convenience of wireless networking tends to overshadow its high degree of vulnerability to attack. For marketing purposes, vendors are understandably keen to promote the convenience; unfortunately, the complexity of the measures necessary to use wireless connections safely and securely are often glossed over.
This is reminiscent of the early days of the web, when internet service providers sold connections without mentioning the need for security measures like firewalls. Wireless products were — and often still are — sold with a setup that by default leaves any encryption turned off, because this ensures a greater likelihood of a successful connection after the initial install.
Manufacturers are now making greater efforts to encourage users to configure at least a basic level of security from the start. Even so, wireless products either need to pack more sophisticated security measures behind a straightforward user interface or users need to become far more educated about security issues, for an acceptable level of security to be achieved.
Even when they are implemented, some studies have shown that around 40 per cent of passwords and keys are weak and easily guessed or broken. Keys and passwords can be attacked in two ways: via simple brute force and guesswork, often based on prior knowledge, or using software tools and statistical algorithms. Current WEP-cracking tools such as Aircrack or WeLab can often crack keys in a matter of only seconds.
Unfortunately, wireless networking, like networking in general, is laden with cryptic jargon and acronyms. The way that these are used in software and driver settings often leaves it unclear what information is required, making it difficult for users to select the appropriate security settings. For example, a 64-bit WEP key may also be referred to as a 40-bit key (see the 'WLAN Encryption' section below).
The common term for wireless networking is 'Wi-Fi'. The technology involved is covered by the 802.11 group of around 19 standards drafted by the IEEE. The first level of security for wireless networks is encryption, and the encryption methods currently in use include: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA and WPA2).
Wireless networks are built around a base station, or Wireless Access Point (WAP) which often connects to a wired network. Individual PCs, often notebooks, connect to the wireless network using Wireless Network Interface Controllers (WNICs). This arrangement of components is sometimes referred to as a Basic Service Set or BSS. A wireless local area network (WLAN) that uses multiple access points to extend coverage is known as an Extended Service Set or ESS.
Wireless connections can also be operated in ad-hoc mode, also referred to as an Independent Basic Service Set (IBSS) or peer-to-peer mode, where devices communicate directly with each other without the use of an access point. This is useful for establishing a network where wireless infrastructure does not exist or where services, such as an internet connection, are not required.
Wireless networks are identified by the Service Set Identifier (SSID), sometimes also referred to as the 'network name'. Windows' 'Network Connections' menu choice displays the SSID as the name that appears to identify each WLAN that's within range. It's a 32-character (maximum) 'unique' non-encrypted ID that's attached to the header of each packet sent over a WLAN; clients must provide the SSID to be able to connect to a specific network. Most WAPs provide a setting to hide the SSID if required, but this isn't particularly effective as a security measure, since SSIDs can be extracted in plain text from wireless packets using a sniffer.
A key is required to encrypt and decrypt WLAN communications. For WEP this is simply referred to as a shared key, while for WPA it’s often more formally known as a Pre-Shared Key or PSK.
A PSK is a secret key phrase or number string that's shared by some secure means between communicating parties. A PSK can be entered into a WAP's memory, and users of the WLAN must then also have this PSK entered into their wireless software to be able to access the WLAN. PSKs can be of different lengths; longer keys are harder to crack and therefore provide stronger security.
WEP keys can be either 64 or 128 bits in length. The user-supplied part of the key is actually 40 bits or 104 bits long, with the other 24 bits being a per-frame value called the Initialization Vector or IV. The 128-bit keys obviously provide greater protection, but the WEP scheme is fairly flawed because, rather than being used to derive a separate temporary key for each frame, the original key is used directly. Also, because the IV is only 24 bits long, IV values (and with them the encryption pattern) are eventually reused after a period of time.
WEP supports only its native encryption, while the variations of WPA often provide a choice of encryption methods — usually AES and/or TKIP are supported. Advanced Encryption Standard (AES) is a general-purpose cypher also known as Rijndael (although AES is really a subset of Rijndael) and was preceded by the Data Encryption Standard or DES cypher. Temporal Key Integrity Protocol (TKIP) was designed to replace WEP encryption while allowing backwards compatibility with legacy hardware. Unlike WEP, TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism. With TKIP, every data packet is sent with its own unique encryption key, which is not the case with WEP. One of WEP’s largest security weaknesses is that it just concatenates the IV and the key to form the traffic key, while TKIP hashes them.
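As an added example (not code from the article), the following Python shows the construction the two paragraphs above describe: WEP's per-packet RC4 key is just the 24-bit IV prepended to the shared key, so two frames that reuse an IV share a keystream, and a busy link exhausts the IV space quickly. The `mixed_packet_key` function is a simplified stand-in for TKIP's per-packet key mixing (an HMAC over transmitter address and a 48-bit counter is an assumption here, not TKIP's real mixing function).

```python
import hashlib
import hmac

WEP_IV_BITS = 24    # WEP: 24-bit IV, sent in the clear with every frame
TKIP_TSC_BITS = 48  # TKIP: 48-bit sequence counter feeding the key mixing


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_packet_key(shared_key: bytes, iv: bytes) -> bytes:
    """WEP traffic key: the 3-byte IV is simply prepended to the 40/104-bit key."""
    return iv + shared_key


def mixed_packet_key(shared_key: bytes, ta: bytes, tsc: int) -> bytes:
    """Stand-in for TKIP key mixing (assumption: HMAC-SHA256 over TA and counter),
    so the shared secret never appears verbatim inside the per-packet RC4 key."""
    return hmac.new(shared_key, ta + tsc.to_bytes(6, "big"), hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(packet_key: bytes, plaintext: bytes) -> bytes:
    """RC4 stream encryption as used by WEP (CRC/ICV omitted for brevity)."""
    return xor(rc4_keystream(packet_key, len(plaintext)), plaintext)


def same_iv_leaks_plaintext_xor(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames sent under one IV share a keystream, so c1 XOR c2 equals p1 XOR p2."""
    c1 = encrypt(wep_packet_key(shared_key, iv), p1)
    c2 = encrypt(wep_packet_key(shared_key, iv), p2)
    return xor(c1, c2) == xor(p1, p2)


def seconds_until_counter_wraps(counter_bits: int, frames_per_second: int) -> float:
    """How long a link sending `frames_per_second` takes to exhaust its IV/TSC space."""
    return (1 << counter_bits) / frames_per_second
```

At 1024 frames per second WEP's IV space wraps in about four and a half hours, while a 48-bit counter lasts over 8,000 years; the reuse check shows why the wrap matters for a stream cipher.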
Authentication supposedly provides a means of checking the identity of the station at either end of a wireless link. Unfortunately, authentication is yet another example of confusion caused by the imprecise use of network terminology. In practice, a Wi-Fi link always operates with some kind of authentication: for example, even in a completely open service set, with encryption disabled, any station transmitting the right SSID requests authentication from the access point and the access point grants it (sometimes this is referred to as 'null algorithm authentication'). Similarly, authentication also takes place when a single key is used.
Authentication is normally only specifically mentioned in Wi-Fi driver settings to refer to two-factor authentication, where both a pre-shared key known to the user and a second key, unknown to the user and stored on some variety of smartcard, are used.
WPA with only one key (single secret) is sometimes referred to as 'WPA Personal', while WPA with two-factor authentication may be referred to as 'WPA Enterprise', on the assumption that only a business would implement two-factor authentication. Two-factor authentication provides a much higher level of security than single key.
Protected Extensible Authentication Protocol (PEAP) is an authentication option that may also appear in Wi-Fi drivers. Using PEAP requires a network that includes a Remote Authentication Dial-In User Service (RADIUS) authentication server.
Since it's possible for anyone with a Wi-Fi equipped PC to attempt to connect to any other Wi-Fi equipment that’s in range, it’s extremely common for networks to be hijacked for either malicious or mischievous purposes.
The practice of attempting to hijack wireless network access while mobile is known as wardriving, and those who engage in it often use dedicated wardriving software such as Aerosol, coupled with a GPS unit to plot vulnerable networks on a map. Network locations can then be matched against known physical locations of businesses and banks. Many who admit to any involvement in, or knowledge of, these activities claim they do it in order to expose the weaknesses of a system, and therefore to increase the security of legitimate users. However, there is also a known underground market where such information is traded and exchanged for considerable sums of money. Much of the same hardware and software that's used for diagnosing WLAN problems and checking for unauthorised connections can also be used for attacking WLANs.
Security measures for wireless networks
In order of importance, here are some recommendations that can be followed to secure a wireless network:
1. Turn on the encryption. WPA2 (also known as 802.11i) encryption is the most secure choice if it's supported by the hardware. WPA encryption is the next best choice. WEP isn't very secure, but it's an improvement on no encryption at all. The biggest risk is with using public-access hotspots, which may be completely open and use no encryption at all. In this situation it's often difficult or impossible to be sure if a connection has been made with the legitimate hotspot or with a hacker's access point that's masquerading as the real one by broadcasting the same SSID. Such bogus APs are sometimes referred to as the 'evil twin'.
2. Change the default password needed to access a wireless device. Default passwords are set by the manufacturer and are therefore common knowledge. Changing the default password blocks hijackers from easily accessing and changing network settings. Lists of manufacturers' default passwords are available from a number of web sites, including this one.
3. Change the default SSID, or network name. The default names of the different brands of equipment are often easily recognisable. Obvious use of a default name is a giveaway that the network probably has not been secured. Ideally it should be changed to something that makes it easy for legitimate users to identify the correct network, although network operators, such as banks, may find it sensible to use a name that's not obviously associated with their business, to avoid being specifically targeted.
4. If print and/or file sharing aren't needed, disable them. If a hijacker does circumvent the encryption, this can restrict their ability to steal sensitive data or access private resources.
5. Try to restrict wireless coverage. If your wireless network transmissions travel far outside any required coverage areas, it just makes it easier for hijackers to find and gain access to your network. This can be done by using perimeter-mounted directional aerials with their signals directed inwards. Also, the signal strength on some access points can be reduced to limit signal spread. The typical range indoors is between 50m and 100m. Outdoors, with a clear line of sight, the range can be over 300m.
6. Segment your LAN. Hackers can be prevented from accessing a wired network via a wireless connection by dividing networks into wired and wireless segments, separated by a firewall.
7. Monitor the wireless spectrum. This can be done using a wireless intrusion prevention system to protect against active attacks and the connection of unauthorised access points. Most brute-force or subtle attacks can be detected and stopped using such a system; they also provide diagnostic information that can be used to solve WLAN problems and improve performance.
8. And finally... Two precautions that can be taken, which will at least deter the casual hacker but aren't proof against determined attacks, are to hide your network SSID and to enable MAC address filtering. As already mentioned, hiding the SSID will stop immediate identification of your network, while MAC address filtering limits connection only to MAC addresses on the access list. However, both the hidden SSID and MAC addresses can be extracted from broadcast network traffic. A hacker can read the SSID in plain text and simply change their MAC to match a valid address.
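The monitoring recommended in point 7, together with the 'evil twin' risk from point 1, can be expressed as a simple policy check over the beacons a sensor hears. This is an added example, not code from the article or from any WIPS product; the network name, BSSIDs and scan results are constructed, and a real deployment would feed `audit_beacons` from a sensor's scan output.

```python
from dataclasses import dataclass

# Authorised access points for the network we operate (constructed inventory:
# the SSID and BSSIDs are made up for this example).
OUR_SSID = "acme-corp"
AUTHORISED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
ACCEPTABLE_SECURITY = {"wpa2"}  # point 1: WPA2 is the only acceptable choice


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a scanning sensor would report it."""
    ssid: str        # empty string when the AP hides its SSID
    bssid: str       # the AP's MAC address, lower-case
    channel: int
    security: str    # "open", "wep", "wpa" or "wpa2"


def audit_beacons(beacons: list[Beacon]) -> list[tuple[str, str]]:
    """Return (bssid, finding) pairs for every beacon that breaks policy."""
    findings = []
    for b in beacons:
        bssid = b.bssid.lower()
        if b.ssid == OUR_SSID and bssid not in AUTHORISED_BSSIDS:
            # Our network name from a radio we do not own: the 'evil twin' case.
            findings.append((bssid, "evil twin: our SSID from unknown BSSID"))
        elif bssid in AUTHORISED_BSSIDS and b.security not in ACCEPTABLE_SECURITY:
            # One of our own APs has slipped to WPA/WEP/open (e.g. a factory reset).
            findings.append((bssid, f"authorised AP downgraded to {b.security}"))
        elif bssid in AUTHORISED_BSSIDS and b.ssid != OUR_SSID:
            findings.append((bssid, f"authorised AP renamed to {b.ssid!r}"))
        elif b.ssid == "":
            # A hidden SSID is not a security control (point 8), but an unknown
            # radio hiding its name near our site is worth a look.
            findings.append((bssid, "hidden SSID from unknown BSSID"))
    return findings


# Constructed sample scan: what a sensor on site might hear in one sweep.
SAMPLE_SCAN = [
    Beacon("acme-corp", "02:00:00:aa:00:01", 1, "wpa2"),   # ours, fine
    Beacon("acme-corp", "02:00:00:aa:00:02", 6, "wep"),    # ours, downgraded
    Beacon("acme-corp", "02:00:00:ee:ee:01", 11, "open"),  # evil twin
    Beacon("", "02:00:00:ee:ee:02", 6, "wpa2"),            # hidden, unknown
    Beacon("cafe-guest", "02:00:00:cc:cc:01", 1, "wpa2"),  # neighbour, ignored
]

if __name__ == "__main__":
    for bssid, finding in audit_beacons(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
```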
WLANs and UK law
At the moment you can be prosecuted under the UK's Communications Act 2003 for using wireless networking equipment to connect to and use WLANs operated by other private individuals or by companies, other than those you have the right to access. Exactly what constitutes ‘use’ may not be clear. For instance, using a utility like NetStumbler simply to read the IP addresses of other networks may technically be illegal.