A new set of security measures aimed at making 802.11-type wireless LANs safe from hackers is fundamentally flawed, according to researchers from the University of Maryland.
Professor William Arbaugh and Arunesh Mishra say in a paper published last week that the new 802.1X security system has two basic problems -- one where a hacker can hijack an existing connection, and another where they can interpose themselves during authentication and steal access information as it's being set up.
In the first case, the hacker monitors the transmissions and when a session is established between a client and an access point, the hacker sends a fake packet to the client purporting to be from the access point saying "Session closed". The client just reconnects with a new session: meanwhile, the legitimate access point thinks the old session is still open and the hacker can use it.
The other way -- a 'man in the middle' attack -- again involves the hacker pretending to be an access point, this time relaying messages between the client and the real access point while monitoring their contents, having "... completely bypassed any higher-layer authentication and render(ing) the authentication mechanism ineffective," according to Arbaugh and Mishra.
The paper, An Initial Security Analysis of the IEEE 802.1X Standard, says that the standard needs to be modified to include symmetric authentication -- where the client and the access point both prove to each other who they are --- and better handling of access point authentication. Without this, it says, 802.1X and 802.11 cannot provide sufficient levels of security. The 802.1X standard itself -- and its associated standard, Extensible Authentication Protocol -- is already in use for wireless networking in Cisco 802.11b products, for example. 802.1X has already been under investigation for its vulnerability to a number of different potential attacks, including several potential denial-of-service flaws.