living in the jungle: legitimate users in legitimate insecure wireless networks


Upload: chema-alonso

Post on 05-Dec-2014


DESCRIPTION

Work carried out to measure the degree of insecurity of a WiFi network to which a computer connects. It analyses the security measures, the risk, and the reasons why insecure WiFi networks exist.

TRANSCRIPT


LIVING IN THE JUNGLE: LEGITIMATE USERS IN LEGITIMATE, INSECURE WIRELESS NETWORKS

Abstract— Security in wireless networks has been much debated in recent years. Although the general understanding of the technologies that provide secure networks has reached very high levels, the fact remains that the security of some networks currently in use is below standard. It is not at all unusual for a legitimate user to have to access a legitimate, insecure network. These connections multiply the risks involved in data transmission for legitimate users, since the security provided by the infrastructure is insufficient. This article describes the risks and the protection options that a legitimate user of a legitimate, although insecure, wireless network can resort to. This document analyses the environments in which a legitimate user may be at risk, exposed to attacks from malicious network users, and the practices that help to increase the security of their work within the network. A monitoring tool has been developed to provide assistance in this task, by allowing the user to monitor network activity and thereby gain greater security.

Terms used— WEP, WPA, WPA2, Computer security, Wireless network risks, TKIP, AES, Wireless network protection.

I. INTRODUCTION

The IEEE 802.11[1] standard, published in 1997, marked the dawn of wireless networks. Computer networks that employ this technology, also known as WiFi, have seen a consistent growth in size and number. Wireless networks have continued to multiply despite the security problems they involve, which were discovered at the time of their creation. More recent developments in wireless security, such as the IEEE 802.11i standard and the WPA and WPA2 specifications, have made it possible to bring the security of wireless networks up to the same level as that of their wired counterparts. Nonetheless, insecure wireless networks abound, and in many cases, users, particularly if they are outside of their habitual place of work, have no option but to make legitimate use of such networks.

This document studies what a legitimate user of a legitimate, insecure network can do to assess whether he/she is at risk, thus obtaining the necessary elements to take an informed decision on whether to continue using the network, and minimising the risks involved in any course of action taken. These elements can allow a user to ascertain whether a network has been compromised or whether other network users are acting inappropriately or in a way that represents a security hazard.

We have developed a monitoring tool by way of illustration for this article and to serve as proof of concept. This instrument runs on Centrino laptop computers with Intel Pro/Wireless 2200BG chipsets. These devices were chosen for their capacity to offer a clear presentation of the work carried out, although other technologies can be used for the same purpose.

II. WIRELESS NETWORK SECURITY MODELS

There are three security models currently co-existing in the real world: IEEE 802.11 (WEP [Wired Equivalent Privacy]), WPA (Wi-Fi Protected Access) and IEEE 802.11i (WPA2 [Wi-Fi Protected Access 2]).

A. The IEEE 802.11 (WEP[2]) standard

The IEEE 802.11 standard provides the following security options:

- Client authentication through PSK (Pre-Shared Key) or no authentication

- Communication encryption and message integrity through use of WEP, which uses the RC4 algorithm with 40 and 104-bit keys.

The 802.11 standard allows, as extra security features, the possibility of not disclosing the name of the wireless network (SSID [Service Set Identifier]) and/or filtering clients connecting to the network through the hardware address of the device seeking access (MAC address).

This security model soon became insecure[3] as a result of the discovery of a number of security deficiencies in the implementation and use of the RC4[4] algorithm. Moreover, the design of the extra security features made them insecure, and it was a simple task for an attacker to discover the SSID of a wireless network or a valid MAC address, which could then easily be mimicked or "spoofed".

Alejandro Martín, Rodolfo Bordón Villar, José María Alonso, Antonio Guzmán

B. Wifi Alliance – WPA[5]

By the year 2001, the security model defined by the IEEE 802.11 standard was deemed completely unsafe, and IEEE started work on a new secure wireless network standard, which would become known as IEEE 802.11i[6]. In the interim period before this standard was approved, the Wifi Alliance, a group of companies sharing an interest in secure wireless technologies, defined WPA (Wi-Fi Protected Access). WPA certifies wireless devices that include tested security technologies, such as TKIP [Temporal Key Integrity Protocol][7] or MIC [Michael][8].

C. IEEE 802.11i (Wifi Alliance - WPA2[9])

Once the IEEE 802.11i had been approved, Wifi-Alliance certified it under the name WPA2. IEEE 802.11i and WPA2 technologies provide improved security mechanisms for client authentication and communication encryption.

EAP [Extensible Authentication Protocol][10] was the chosen authentication protocol. This allows virtually any method of authentication, such as passwords, digital IDs for users or hardware, tokens, etc. It also allows using RADIUS [Remote Authentication Dial-In User Service] to validate credentials by means of the 802.1X[11] protocol. For extra security, EAP can be operated through an SSL communications channel created with a digital server certificate. This security feature, known as PEAP (Protected EAP), allows the entire EAP transaction to be encrypted.

In addition to EAP, a shared key authentication method is also supported. This mechanism, known as WPA2-PSK (or WPA-PSK), has nevertheless proved a weak point for the protocol, since its strength depends on the password chosen and on the policy on password change. A weak password implies weak security.

TKIP is used as the data encryption protocol in both WPA and WPA2. In the latter, however, it is only used as a backward compatibility option, given that AES (Advanced Encryption Standard[12]) is the chief encryption protocol in WPA2. Security in these systems depends on the security of the transmission and processing of the encryption keys. It has been proven that in a WPA-PSK or WPA2-PSK environment, an attacker who knows the pre-shared key and succeeds in capturing the entire key exchange can gain access to the content of the communication.

III. INSECURE WIRELESS NETWORKS

In view of what has been laid out above, the following wireless network architectures are currently considered insecure:

- Open networks: Networks with no authentication and/or no data encryption protocol.

- WEP networks: There is a wide variety of resources for gaining unauthorised access to this type of network, which prey on RC4 security flaws. There is ample documentation on procedures for cracking WEP passwords[13] and there are even studies on how they can be obtained in less than sixty seconds[14].

- WPA-PSK and WPA2-PSK networks: If an attacker who is not authenticated in the network captures the authentication frames of another client and the access key is not strong enough, he/she can easily compromise the security of the entire network through a dictionary or brute force attack[15][16]. Access point simulation attacks also allow attackers to deceive a client in order to obtain the authentication frames.

IV. WHY ARE INSECURE NETWORKS STILL IN USE?

Even though there is widespread awareness of secure network architecture, insecure networks still exist. This section lays out the causes for their persistence.

- Obsolete hardware: Not all hardware currently in use is compatible with secure wireless technologies. It is easy to find access points, routers and WLAN cards that do not provide for WPA or WPA2. Such networks are most commonly found in home environments or in small and medium companies with low IT systems management maturity.

- High compatibility: In some wireless networks, the prevailing functional element of design is not security, but offering service to a large number of users who may demand access from a wide range of devices and operating systems, e.g. mobile devices, laptop computers, desktop computers, mp3/mp4 devices, etc. In such networks, where connectivity takes precedence over security, the architecture tends to be open or WEP, due to its compatibility with most wireless devices. These networks are often found in hotels, airports, conference centres, etc., where the users have free access or pay only for the time they use the connection.

- Financial reasons: Private individuals and small companies usually cannot afford secure wireless technologies such as RADIUS servers, which allow implementing secure authentication systems, like for instance PEAP-TLS or PEAP with passwords. In these environments, shared-key authentication systems, i.e. WEP, WPA-PSK or WPA2-PSK, are the most widely used.

- Unawareness: The last reason for the persistence of insecure networks lies in the fact that those who design them may not be aware of the risks and hazards they involve, and lack the expertise needed to implement a secure network. Such networks still represent a large percentage of all networks currently in operation.


V. SECURITY HAZARDS

The hazards to which a wireless network user is exposed arise from the potential attacks to which he/she is open. These affect the three main pillars of security: confidentiality, integrity and availability. Wireless technology is susceptible to all the hazards that affect conventional LAN networks, with the addition of further hazards as a result of its inherent characteristics:

- Traffic sniffing/analysis[17]: An attacker can capture all the data traffic flowing through a network to which a legitimate user is connected. This operation does not require the attacker to be connected to the network, since there are programmes that allow setting the WLAN card to "promiscuous mode" or "monitoring mode", depending on whether or not the computer is connected to the network, in order to capture and process all traffic. If the legitimate user's communications are not securely encrypted, any sensitive information he/she exchanges through the network may be captured.

- Session hijacking: This is possible when the credentials for connecting to a wireless network are sent unencrypted. This type of setup is usual in wireless networks such as those in internet hotspots, where the client is validated through his/her physical address. The attacker captures the ID credentials and "spoofs" the physical address of the legitimate client to make use of the connection.

- Access point spoofing: In open wireless networks where authentication involves filtering MAC addresses of the devices seeking access, an attacker can set up an access point with the same SSID and MAC address. Any users accessing this network instead of the legitimate network will provide the attacker with the credentials of the legitimate network.

- Man-in-the-middle attack: This hazard, which is more serious than those described above, involves an attacker placing himself between the client and the access point, masquerading as the legitimate access point to the client and as the legitimate client to the access point. The attacker intercepts all traffic flowing in both directions, thereby being in a position to capture sensitive information even if the user is using encrypted communication. This attack method can be implemented in open connections, connections with MAC address filtering and in networks with WEP or WPA/WPA2-PSK encryption. In order to carry out this attack successfully, the attacker must be connected to the network before commencing the attack.

- Information manipulation: An attacker may, in addition to monitoring the network for different purposes, intercept the traffic flowing through it, modify it, and then forward it to its intended addressee. Thus, the integrity of the communication is compromised by manipulating the communication between a legitimate user and its addressee.

- Denial of service: Another potential hazard for legitimate users of legitimate networks is being denied access to the network. This is usually a symptomatic attack resulting from the weakness of the infrastructure, and in most cases it is indicative that the network is under attack for different purposes.

VI. HAZARDS MATRIX

Section III above contains a description of the different types of insecure networks which a legitimate user can connect to. These are: open, WEP, WPA-PSK and WPA2-PSK with weak keys. The table below shows where each of the attacks described in Section V can be successful.

Hazard                          Open   WEP     WPA-PSK   WPA2-PSK
Traffic sniffing/analysis       X      X (1)   X (2)     X (2)
Session hijacking               X      X (3)   X (3)     X (3)
Access point spoofing           X      X (4)   X (4)     X (4)
Man-in-the-middle               X      X (1)   X (2)     X (2)
Information manipulation (5)    X      X       -         -
Denial of service               X      X       X         X

Numbers in parentheses refer to the notes below the table.

Figure 1: Matrix of insecure network hazards

(1) The user needs to have the WEP password (legitimately or by cracking it)

(2) The attacker needs to have previously cracked the WPA/WPA2[18] password and captured all the packets exchanged in the key handshake between the client and the access point. There is a proof of concept for this with the CommView for WiFi tool, which supports deciphering WPA and WPA2 traffic in PSK mode using either the Temporal Key Integrity Protocol (TKIP) or AES in Counter mode with CBC-MAC (AES-CCMP). This requires providing the WPA/WPA2 password. In order to decipher WPA-encrypted traffic, CommView for WiFi must be running and capturing data during the key exchange stage. The key handshake is carried over the EAPOL (EAP over LAN) protocol, and therefore all EAPOL packets need to be captured in full.

(3) This involves capturing and deciphering the network traffic.


(4) This involves obtaining the WEP/WPA-PSK/WPA2-PSK passwords so that they may be requested from the victim users, thereby allowing them to log on correctly. Their traffic can then be diverted.

(5) WPA and WPA2 use MIC (Message Integrity Code) to monitor message integrity. This method, also known as the Michael code, has some well-known shortcomings in its design, since it is invertible and not collision-free. Nonetheless, Jianyong Huang, Willy Susilo and Jennifer Seberry expose the difficulty of actually taking advantage of these weaknesses in their article "Observations on the Message Integrity Code in IEEE 802.11 Wireless LANs"[19].

VII. ASSESSMENT OF NETWORK SECURITY

This section describes the procedures that should be followed to evaluate the security and risks associated with any wireless network.

A. Wireless security model used

As may be seen in the matrix above, the hazards affecting a wireless network depend on its security model. Therefore, the first step for assessing network security is establishing whether an insecure model is in use, i.e. open, WEP, WPA-PSK or WPA2-PSK. To do this, the monitoring tool checks the characteristics of the network to which the user is connected.

Figure 2: Security model of the network to which the user is connected
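The check described above can be made from two fields every access point broadcasts in its beacon: the Privacy bit of the capability-information field (set for WEP and for every WPA/WPA2 network) and the RSN information element (element ID 48, WPA2) or the vendor-specific WPA element (element ID 221), whose AKM suite list tells PSK apart from 802.1X authentication. The Python below is an added example, not the paper's monitoring tool: it parses those fields and returns the security model the matrix uses. The beacon bytes, the SSID, the helper names and the "weakest advertised mode wins" rule are this example's own assumptions.

```python
import struct

CAP_PRIVACY = 0x0010        # Privacy bit of the 802.11 capability-information field
EID_SSID = 0
EID_RSN = 48                # RSN information element (802.11i / WPA2)
EID_VENDOR = 221            # vendor-specific element; the original WPA IE is carried here
OUI_WPA = b"\x00\x50\xf2"   # OUI of the WPA IE (type byte 0x01 follows it)
OUI_RSN = b"\x00\x0f\xac"   # OUI used by RSN suite selectors
AKM_8021X = 1               # AKM suite types, same numbering in both IE formats
AKM_PSK = 2
CIPHER_TKIP = 2
CIPHER_CCMP = 4


def parse_ies(blob):
    """Split a raw information-element blob into (element id, payload) pairs."""
    ies, i = [], 0
    while i + 2 <= len(blob):
        eid, length = blob[i], blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) < length:
            break                       # truncated element: stop rather than misparse
        ies.append((eid, payload))
        i += 2 + length
    return ies


def suite_list(body, off, oui):
    """Read a little-endian count followed by 4-byte suite selectors; return (types, next offset)."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    types = []
    for _ in range(count):
        sel = body[off:off + 4]
        if sel[:3] == oui:
            types.append(sel[3])        # IndexError on a short selector is caught by the caller
        off += 4
    return types, off


def akm_types(body, oui):
    """AKM suite types of an RSN/WPA IE body (layout: version, group cipher, pairwise list, AKM list)."""
    try:
        off = 2 + 4                                # skip version and group cipher suite
        _, off = suite_list(body, off, oui)        # pairwise cipher list
        akms, _ = suite_list(body, off, oui)
        return akms
    except (struct.error, IndexError):
        return []                                  # malformed or truncated element


def _label(prefix, akms):
    if not akms:
        return prefix + " (malformed IE)"
    # Rate by the weakest advertised mode: PSK counts even if 802.1X is also listed
    return prefix + ("-PSK" if AKM_PSK in akms else "-Enterprise")


def classify_network(capabilities, ie_blob):
    """Return 'open', 'WEP', 'WPA-PSK', 'WPA2-PSK', 'WPA-Enterprise' or 'WPA2-Enterprise'."""
    rsn = wpa = None
    for eid, payload in parse_ies(ie_blob):
        if eid == EID_RSN:
            rsn = payload
        elif eid == EID_VENDOR and payload[:4] == OUI_WPA + b"\x01":
            wpa = payload[4:]
    if rsn is not None:
        return _label("WPA2", akm_types(rsn, OUI_RSN))
    if wpa is not None:
        return _label("WPA", akm_types(wpa, OUI_WPA))
    if capabilities & CAP_PRIVACY:
        return "WEP"                               # privacy bit set, no RSN/WPA element
    return "open"


# --- constructed sample beacons (not captured data) ---
def rsn_ie(akm):
    body = struct.pack("<H", 1) + OUI_RSN + bytes([CIPHER_CCMP])              # version, group cipher
    body += struct.pack("<H", 1) + OUI_RSN + bytes([CIPHER_CCMP])             # one pairwise cipher
    body += struct.pack("<H", 1) + OUI_RSN + bytes([akm]) + struct.pack("<H", 0)  # one AKM, RSN caps
    return bytes([EID_RSN, len(body)]) + body


def wpa_ie(akm):
    body = OUI_WPA + b"\x01" + struct.pack("<H", 1) + OUI_WPA + bytes([CIPHER_TKIP])
    body += struct.pack("<H", 1) + OUI_WPA + bytes([CIPHER_TKIP])
    body += struct.pack("<H", 1) + OUI_WPA + bytes([akm])
    return bytes([EID_VENDOR, len(body)]) + body


SSID_IE = bytes([EID_SSID, 5]) + b"hotel"
SAMPLE_BEACONS = {                       # capability field, information elements
    "open hotspot":    (0x0401, SSID_IE),
    "WEP router":      (0x0411, SSID_IE),
    "WPA-PSK":         (0x0411, SSID_IE + wpa_ie(AKM_PSK)),
    "WPA2-PSK":        (0x0411, SSID_IE + rsn_ie(AKM_PSK)),
    "WPA2-Enterprise": (0x0411, SSID_IE + rsn_ie(AKM_8021X)),
}


def classify_samples():
    return {name: classify_network(cap, ies) for name, (cap, ies) in SAMPLE_BEACONS.items()}


if __name__ == "__main__":
    for name, model in classify_samples().items():
        print(f"{name:16s} -> {model}")
```

A real tool would feed `classify_network` the capability field and the element blob of the beacon or probe response of the BSS the client is associated to; the sample constructors exist only so the script runs offline.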

B. Strength of the network key

Once the security model of the wireless network has been established, it is possible to determine the strength of the key being used. In WEP networks, the length or complexity of the password is not a determining factor, since the ease of cracking such keys depends on the amount of traffic captured and not on the strength of the key. Thus, the strength of any WEP key is always LOW. In WPA and WPA2 networks, however, the method for cracking the key is based on dictionary or brute force attacks. The longer and more complex a WPA or WPA2 key is, the greater the security it provides. These two factors allow us to evaluate WPA and WPA2 key strength. A completely random, well-dispersed key that is 63 characters long offers the maximum possible strength, while a password shorter than 8 characters, or one which may be found in dictionaries, is the weakest possible key.

The time needed to crack a WPA or WPA2 key varies according to the method used and the calculation capacity. Using dictionary text files and one single computer will only achieve a few hundred tries per second, while using pre-calculated tables and specially-designed tools[16] achieves several tens of thousands of tries per second. This explains the importance of the length and complexity of the password used. The chart below shows the number of possible combinations according to the length and complexity of the key.

Figure 3: Strength of WPA/WPA2 passwords (Combinations axis in logarithmic scale with base 10)
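The rules of this subsection can be written down as a small rating routine. The Python below is an added example, not code from the paper: it computes the size of the brute-force search space from a key's length and the character classes it uses (the quantity Figure 3 plots on a log10 axis), applies the page's rules (any WEP key is LOW; a WPA/WPA2 key shorter than 8 characters or found in a dictionary is the weakest; a 63-character key drawn from all classes is the strongest) and gives the worst-case time to exhaust the space at a chosen guessing rate. The MEDIUM/HIGH boundary of 10^16 combinations, the four-word sample dictionary and the sample keys are assumptions of the example.

```python
import math
import string

WPA_MIN_LEN = 8            # WPA/WPA2 passphrase bounds used by the page
WPA_MAX_LEN = 63
FULL_CHARSET = 95          # printable ASCII: digits + lower + upper + 33 punctuation/space
MEDIUM_HIGH_LOG10 = 16.0   # assumption of this example: below 10^16 combinations -> MEDIUM
# Constructed stand-in for a word list; a real check would load a dictionary file
SAMPLE_DICTIONARY = {"password", "12345678", "internet", "qwertyuiop"}

CHARSET_CLASSES = (
    (set(string.digits), 10),
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.punctuation) | {" "}, 33),
)


def charset_size(key):
    """Alphabet size an attacker must assume: the sum of the character classes present in the key."""
    return sum(size for chars, size in CHARSET_CLASSES if any(c in chars for c in key))


def combinations(key):
    """Brute-force search space for keys of this length drawn from the same classes."""
    return charset_size(key) ** len(key)


def log10_combinations(key):
    """The quantity Figure 3 plots: log10 of the search space (0 for an empty key)."""
    n = charset_size(key)
    return len(key) * math.log10(n) if n else 0.0


def rate_wpa_key(key, dictionary=SAMPLE_DICTIONARY):
    """LOW / MEDIUM / HIGH / MAXIMUM following the page's rules for WPA and WPA2 keys."""
    if len(key) < WPA_MIN_LEN or key.lower() in dictionary:
        return "LOW"
    if len(key) >= WPA_MAX_LEN and charset_size(key) == FULL_CHARSET:
        return "MAXIMUM"            # repetition or predictability inside the key is not checked
    return "HIGH" if log10_combinations(key) >= MEDIUM_HIGH_LOG10 else "MEDIUM"


def rate_key(model, key):
    """Strength of the network key given the security model from the previous step."""
    if model == "WEP":
        return "LOW"                # page rule: WEP strength never depends on the key
    if model in ("WPA-PSK", "WPA2-PSK"):
        return rate_wpa_key(key)
    return "N/A"                    # open networks have no key; enterprise modes use credentials


def brute_force_seconds(key, tries_per_second):
    """Worst-case time to exhaust the search space at a given guessing rate."""
    return combinations(key) / tries_per_second


if __name__ == "__main__":
    samples = [("WEP", "Zz!9Qx$2Lm"), ("WPA2-PSK", "password"), ("WPA2-PSK", "hotelwifi"),
               ("WPA2-PSK", "Tr0ub4dor&3xyz"), ("WPA2-PSK", ("aZ9!" * 16)[:63])]
    for model, key in samples:
        print(f"{model:9s} {len(key):2d} chars  log10={log10_combinations(key):6.1f}  "
              f"rating={rate_key(model, key):7s}  "
              f"exhaustive search at 50000/s: {brute_force_seconds(key, 50_000):.3g} s")
```

The rate passed to `brute_force_seconds` is the knob the paragraph above describes: a few hundred tries per second for a single machine working from a dictionary, tens of thousands with precomputed tables, which is why a nine-letter lowercase key already rates only MEDIUM here.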

C. Network neighbours

The existence of hazards for an insecure network does not depend on whether the potential attackers are connected to the network or not. However, as may be seen in the Hazards Matrix, many of these hazards require the attacker to be logged on, which means that a network with no users connected is a more secure environment. Furthermore, the likelihood of an attacker appearing depends on many factors, but the number of neighbours is a key element in this respect.

Knowing the number and characteristics of a network's neighbours helps to determine its risk level. In order to do this, the monitoring programme detects the computers logging on and off in real time and their public characteristics, including their physical address, IP address and the name they are using. This requires analysing the network traffic.

Figure 4: Detecting network neighbours

Maintaining this list of neighbours allows us to know who shares our environment. It also provides information on networks that are in our physical vicinity and the computers connected to them. Nevertheless, this has not proved to be a reliable, useful method for practical risk analysis.

D. Anomalous behaviour

Monitoring and analysing network traffic allows detecting anomalous behaviour patterns and raising an alarm when somebody is making improper or dangerous use of the network. With this aim, the following can be detected by monitoring the elements mentioned above and the network traffic:

- Alert 1: MAC spoofing: An attacker can access a network that employs MAC address filtering using the MAC of a legitimate user, which he/she obtains through network traffic capturing. The monitoring tool detects instances of various IPs using a single MAC, which allows sending warnings for MAC spoofing attacks. This would imply the intrusion of an attacker into the network.

- Alert 2: MAC and IP spoofing: In some environments, not only MAC addresses are filtered, but a firewall also checks the computer's IP address. This situation can always be detected if two computers share an IP address but have different names. This is indicative of an illegal inclusion in the network and therefore the presence of an attacker.

- Alert 3: Packet injection: In a network whose security model is based on WEP, an attacker may be monitoring the traffic with a view to cracking the WEP password. This requires capturing a minimum amount of traffic, which is currently in the region of 80,000 packets. Hence, an attacker needs to wait for sufficient traffic to build up. However, there are certain techniques for illegally injecting traffic into the network in order to generate the necessary number of packets quickly. There are a number of techniques used to generate such traffic. The monitoring tool allows us to detect illegal injections denoting the presence of an attacker.

- Man-in-the-middle attack: These attacks may be performed by MAC spoofing, which would trigger alerts 1 or 2, or by modifying the ARP tables, which would show up as more than one IP address being used with one single MAC address. Both cases would prompt alerts 1 or 2.

Figure 5: Alert system
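The neighbour list of subsection C and the alerts of subsection D come from the same stream of station sightings, so one routine can serve both. The Python below is an added example, not the paper's monitoring tool: it keeps first/last-seen times and the IP addresses observed per MAC, raises alert 1 when one MAC appears with several IPs (the page's MAC-spoofing and ARP-table signs), alert 2 when one IP is claimed by hosts with different names, and alert 3 when one station sends more than a fixed number of frames within a second. The per-second threshold, the sighting format and the sample sightings are assumptions of the example; the page does not say how its tool recognises injected traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumption of this example (no figure on the page): more frames than this from one
# station inside a one-second window is reported as injected traffic (alert 3).
INJECTION_FRAMES_PER_SEC = 200


@dataclass
class Observation:
    """One station sighting taken from a captured frame: time, MAC, IP and optional host name."""
    t: float
    mac: str
    ip: str
    name: Optional[str] = None


@dataclass
class Monitor:
    ips_by_mac: dict = field(default_factory=lambda: defaultdict(set))
    names_by_ip: dict = field(default_factory=lambda: defaultdict(set))
    seen: dict = field(default_factory=dict)                         # mac -> (first_seen, last_seen)
    frames: dict = field(default_factory=lambda: defaultdict(list))  # mac -> timestamps in last second
    alerts: list = field(default_factory=list)
    _raised: set = field(default_factory=set)                        # (alert number, subject) already reported

    def observe(self, obs):
        first, _ = self.seen.get(obs.mac, (obs.t, obs.t))
        self.seen[obs.mac] = (first, obs.t)
        self.ips_by_mac[obs.mac].add(obs.ip)
        if obs.name:
            self.names_by_ip[obs.ip].add(obs.name)
        self._check_addresses(obs)
        self._check_rate(obs)

    def _check_addresses(self, obs):
        # Alert 1: several IP addresses behind one MAC (MAC spoofing, or ARP manipulation by a
        # man-in-the-middle, which the page says shows up the same way)
        ips = self.ips_by_mac[obs.mac]
        if len(ips) > 1:
            self._alert(1, obs.mac, f"MAC used with IPs {sorted(ips)}", obs.t)
        # Alert 2: one IP address claimed by hosts announcing different names
        names = self.names_by_ip[obs.ip]
        if len(names) > 1:
            self._alert(2, obs.ip, f"IP claimed by hosts {sorted(names)}", obs.t)

    def _check_rate(self, obs):
        # Alert 3: sliding one-second window of frames per station
        window = self.frames[obs.mac]
        window.append(obs.t)
        while window and window[0] < obs.t - 1.0:
            window.pop(0)
        if len(window) > INJECTION_FRAMES_PER_SEC:
            self._alert(3, obs.mac, f"{len(window)} frames in one second", obs.t)

    def _alert(self, number, subject, detail, t):
        if (number, subject) not in self._raised:          # report each condition once per subject
            self._raised.add((number, subject))
            self.alerts.append({"alert": number, "t": t, "subject": subject, "detail": detail})

    def neighbours(self):
        """The neighbour list of subsection C: every station seen, with its addresses and times."""
        return {mac: {"ips": sorted(ips), "first_seen": self.seen[mac][0], "last_seen": self.seen[mac][1]}
                for mac, ips in self.ips_by_mac.items()}


def run_sample():
    """Feed constructed sightings (not captured traffic) through the monitor and return it."""
    mon = Monitor()
    sample = [
        Observation(0.0, "aa:bb:cc:00:00:01", "10.0.0.10", "laptop-ana"),
        Observation(1.0, "aa:bb:cc:00:00:02", "10.0.0.11", "phone-bob"),
        Observation(5.0, "aa:bb:cc:00:00:01", "10.0.0.20"),                # second IP on MAC ...01
        Observation(6.0, "aa:bb:cc:00:00:03", "10.0.0.11", "other-host"),  # same IP, different name
    ]
    # 250 frames inside one second from a single station (constructed burst)
    sample += [Observation(10.0 + i / 1000, "aa:bb:cc:00:00:04", "10.0.0.30") for i in range(250)]
    for obs in sample:
        mon.observe(obs)
    return mon


if __name__ == "__main__":
    mon = run_sample()
    for mac, info in mon.neighbours().items():
        print(mac, info)
    for alert in mon.alerts:
        print(f"alert {alert['alert']} at t={alert['t']:.3f}: {alert['subject']} {alert['detail']}")
```

In a live tool the sightings would come from ARP, DHCP and NetBIOS name traffic seen on the interface; the monitor itself needs nothing but the (time, MAC, IP, name) tuples.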

VIII. CONCLUSIONS AND FUTURE WORK

The use of insecure networks always involves a risk. This article simply evaluates this risk in order to offer legitimate users the most comprehensive information on the potential hazards associated to a particular network.

There is no scarcity of well-documented solutions to secure wireless networks from the point of view of the network architect, and the network user also has methods at his/her disposal to ensure that connections are secure, such as Virtual Private Networks (VPN).

Virtual private networks allow establishing a secure channel between the network client and the server. This solution is common in companies employing a mobile workforce and among users of insecure wireless networks who are concerned about security. However, there are certain environments where it is not possible to implement these secure solutions.

Virtual private networks use specific connection ports. Those based on PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol), for instance, require the wireless network not to block the PPTP server and IKE (Internet Key Exchange) ports, which are used to establish the connection between client and server. In most pay-per-use wireless networks, these ports are blocked, and therefore it is not possible to establish this type of connection.

Another solution for tackling insecurity is provided by virtual private networks operating over the HTTPS protocol. These connections, known as VPN-SSL, are easier to establish in most pay-per-use wireless networks, although they cannot be used in networks where either SSL connection routing or an HTTPS bridging service has been configured, since this implies the use of digital certificates.

In conclusion, there are certain environments where a secure connection through a legitimate, insecure wireless network cannot be assured, due to the setup of the network or to the fact that the user does not have access to a virtual private network server. The aim of this article is therefore to provide legitimate users with as much information as possible in order that they may suitably appraise the risks involved.

We are currently working on a quantitative scheme that will allow evaluating the risks associated with a particular connection according to the factors that have been described in this article, i.e. security model, strength of credentials, network neighbours and hazards. The latter would be evaluated according to their seriousness, ease and probability of appearance.

The final aim is to offer legitimate users the highest possible degree of assurance in legitimate connections to insecure wireless networks.

REFERENCES

[1] “IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture”, IEEE Computer Society, http://standards.ieee.org/getieee802/download/802-2001.pdf

[2] WEP

[3] “Weaknesses in the Key Scheduling Algorithm of RC4”, Scott Fluhrer, Itsik Mantin and Adi Shamir, http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

[4] “A Stream Cipher Encryption Algorithm "Arcfour”” , K.Kaukonen, R.Thayer, http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt

[5] “WPA”, Wifi-Alliance, http://www.wi-fi.org/knowledge_center/wpa/

[6] “Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i”, Pauline Bowen, Joan Hash and Mark Wilson, NIST.

[7] “802.11 Security Series. Part II: The Temporal Key Integrity Protocol”, Jesse Walker, http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf

[8] “Michael: an improved MIC for 802.11 WEP”, Ferguson, N., IEEE 802.11 doc 02-020r0, http://grouper.ieee.org/groups/802/11/

[9] “WPA2”, Wifi-Alliance, http://www.wi-fi.org/knowledge_center/wpa2/

[10] “EAP, Extensible Authentication Protocol”, Networksorcery, http://www.networksorcery.com/enp/protocol/eap.htm

[11] “802.1X-2004 - Port Based Network Access Control”, IEEE Computer Society, http://www.ieee802.org/1/pages/802.1x-2004.html

[12] “AES Proposal: Rijndael”, Joan Daemen, Vincent Rijmen, http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf

[13] “A Key Recovery Attack on the 802.11b Wired Equivalent Privacy Protocol (WEP)”, Adam Stubblefield, John Ioannidis and Aviel D. Rubin, http://www.cs.jhu.edu/~rubin/courses/sp04/wep.pdf

[14] “Breaking 104 bit WEP in less than 60 seconds”, Erik Tews and Ralf-Philipp Weinmann and Andrei Pyshkin. http://eprint.iacr.org/2007/120.pdf

[15] “Weakness in Passphrase Choice in WPA Interface” , Robert Moskowitz, http://www.wifinetnews.com/archives/002452.html

[16] “CoWPAtty: Ataque por diccionario sobre claves WPA/WPA2”, Robert Moskowitz, http://www.wirelessdefence.org/Contents/coWPAttyMain.htm

[17] “Intercepting Mobile Communications: The Insecurity of 802.11”, Nikita Borisov, Ian Goldberg, David Wagner, http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

[18] “Analysis of the 802.11i 4-Way Handshake” Jianyong Huang, Willy Susilo and Jennifer Seberry. (2004) Analysis of the 802.11i 4-way handshake , Proceedings of the 3rd ACM workshop on Wireless security

[19] “Observations on the Message Integrity Code in IEEE802.11Wireless LANs”, Jianyong Huang, Willy Susilo and Jennifer Seberry, http://www.uow.edu.au/~jennie/WEB/WEB04/SeberryObser.pdf

AUTHORS
