Wireless Networking Security

decisioncrunchNetworking and Communications

Nov 20, 2013 (3 years and 6 months ago)


Wireless Networking Security

…those who would sacrifice freedom for security deserve neither…
” Benjamin

Why go wireless

The popularity of wireless network is clearly on the increase. But what are the hidden
costs of going wireless? Are we giving
up our security?

The main benefits of wireless networking are:



The main drawbacks are:



General Security Issues of Wireless

Network security issues, whether wired or wireless, fall into three main categories:
ailability, confidentiality and integrity:


is the information being sent across the network transmitted
in such a way that only the intended recipient(s) can read it.


is the information reaching the recipient intact


is the network available to users whenever it is supposed to be


The main way to ensure that data is not disclosed to unauthorised users is by
encrypting it during transit, and wireless networks are able to do this in just the same
way a
s wired networks. However, encryption is meaningless without authentication,
since an unauthorised user could authenticate themselves onto the network and then
be given the key with which to decrypt the data.

The traditional model for authorisation is to
have some form of centralised system
which stores access control lists. This model is fine for use in networks which have a
relatively static set of users, and so is suitable for Wi
Fi, but in other networks such as
Bluetooth networks, which are much more
hoc in nature, this approach becomes
impractical. In ad
hoc networks, not only does the dynamically changing set of users
make updating access control lists infeasible in terms of cost, but there is also no
guarantee that these devices would be able to
access any central system. In these
systems, a better approach is to form secure transient associations between devices,
where the decision on who to trust is made either by each device, or by one master
device which instructs the slave devices on how to b

There is a lot of interest in this model for applications such as controlling police
weapons. In America, a large proportion of injuries to police officers come from
stolen police guns. If each officer had a very short range ring (the master) assoc
with the gun (the slave) it would prevent anyone other than that officer from using the


Because packets of data in wireless networks are sent through the air, they can be
intercepted and modified quite easily by malicious users. T
his means that wireless
networks are more vulnerable to attacks on the integrity of data. However, the current
methods used by wired networks to ensure the integrity of packets, such as
checksums, are perfectly adequate for ensuring the integrity of packet
s in wireless
networks, and so no novel solutions have been adopted.


Wireless networks are particularly susceptible to DoS (Denial of Service) attacks.
Unlike wired networks, which require the attacker to be physically connected to the
rk in some way before they can launch such an attack, with wireless networks
an attacker only has to be within a certain range of the network (usually 100m) to be
able to launch such an attack. These kind of attacks are particularly difficult to stop
e network providers want to allow legitimate users to initiate communications
with the network, and cannot stop malicious users from exploiting this to cause a
denial of service.

Another way in which malicious users can potentially restrict the availabili
ty of the
wireless networks is through radio jamming. This involves sending out a lot of noise
on the same frequency as the network uses. However, there are techniques, such as
frequency hopping which can make this kind of attack more difficult. Also, this

is less relevant in the non
military world since the 'jammer' could be reported to the
police and arrested.

One kind of attack on the availability of wireless networks which has arisen in the last
few years is battery exhaustion attacks. Because m
any wireless network devices are
portable and therefore battery powered, malicious users can repeatedly send messages
to the device. This prevents it from going into its sleep mode, and the battery runs
down much faster.

Fi (Wireless Fidelity)


Like with most new geeky technologies there is currently a mish mash of standards.


original 1997 2.4Ghz wireless Ethernet standard

data rate 1 or 2Mbps


5Ghz frequency less susceptible to interference

not compatible with 802.11b

data rat
e of 54Mbps

uses OFDM (Orthogonal Frequency Division Multiplexing)

short range (60 feet)


most widely used standard

up to 11Mbps

2.4Ghz frequency is subject to interference

uses direct sequence spread spectrum modulation

long range (300 feet)


regarded by most as an extension to the life of 802.11b

uses the OFDM bit of 802.11a and 2.4Ghz bit of 802.11b

same frequency as 802.11b and so backwards compatible

data rate of 54Mbps

802.11i (coming soon)

IEEE certified security specification

not a wireless protocol as such

offers improved security for data in transit

better control of who can use the network


technical specifications of low level standards

Fi (maybe coming, but not soon)

theoretically 2Gbps can be

achieved at frequencies of 56Ghz [

Stream and Block Ciphering Overview

Block Ciphers

A block cipher is a symmetric cipher that operates on a fixed size block of bytes at a
time. The stream of binary digits that make up a me
ssage are divided into blocks of a
standard size (typically 64 or 128 bits long) and then the encryption algorithm is
applied so that all the bits of each block are encrypted at the same time using the same

Example: Using blocks of 8
bits and a 10
it key...

block 1
block 2
encrypted using shared secret key

Following transmission the ciphertext is decrypted a block at a time at the receiver by
applying the reverse transformation using the same, shared secret key.

Examples of block ciphers are DES, triple DES (3DE
S), AES and Blowfish.

Stream Ciphers

A stream cipher is a symmetric (secret key) cipher that operates on small units of data
(as small as a single bit) at a time.

Sender and receiver both share the secret key

To send a message the sender uses the key t
o produce an
keystream. The keystream is then logically combined with the plaintext, typically via
an operation such as XOR to produce ciphertext.

At the other end of the network, the receiver uses the shared secret key to produce a
identical keystream to the sender. This is then XOR
ed with the incoming ciphertext
to reproduce the original plaintext.

Example of Stream Cipher: RC4

Regardless of the type of symmetric cipher being used it is important
to keep
changing the key used for encryption. If an attacker can obtain two different cipher
texts encrypted using the same key, statistical analysis of the text’s can be applied to
break the encryption and determine the contents of the shared key.


In reality an infinite keystream is obviously never produced. The keystream is
simply as long as the message being sent.

Security flaws with first generation Wi

Pre 802.11i hardware manufacturers are/were free to provide which ever level of
security th
at they saw fit. The baseline security protocol for Wi
Fi is WEP (Wired
Equivalent Privacy) this was first used in the early 802.11 wireless standard and also
exists in 802.11b unchanged [

Run down of WEP

Optional encryption
standard implemented in the MAC layer.

Encryption in WEP:

uses a secret key, k (40 or 128 bit).

k is shared between the access point and the mobile node.

does not specify how k is established

so this is done manually for the

k is used to encrypt
packets before transmission.

integrity check (CRC
32) is used to ensure that packets are not modified in

To compute an encrypted frame:


the plaintext frame data, M, is first concatenated with its ICV (integrity check
value) or checksum, c(M),
to produce
M + c(M).

ICV used after decryption to check that the frame hasn’t been
tampered with in transit.

If the receiver calculates and ICV that doesn’t match the one found
in the frame the receiving station can reject it or flag the user.


an initiali
sation vector (IV) is joined to the secret key to create the packet key,
(IV + k)

a random 24bit IV lengthens the life of the secret key because it
can be changed for each frame transmission.

The IV is included unencrypted in the frame so it can be used f


the RC4 cipher is constructed using the packet key
RC4(IV + k)


the cipher is
ed with the checksummed plaintext to get the ciphertext
(encrypted data):

C = (M + c(M)) XOR RC4(IV + k)




The small space of possible initial
isation vectors means that a collision is


CRC and RC4

The combination of CRC and RC4 means it is possible to
change the message while flipping appropriate bits in the checksum to keep
the packet valid.

Types of attack


Passive attacks to decry
pt traffic based on statistical analysis.


Active attack to inject new traffic from unauthorised mobile stations, based on
known plaintext.


Active attack to decrypt traffic by tricking the access point.


Dictionary building attack that after a day’s worth of

traffic, allows real time
automated decryption of traffic.

Passive Attack

A passive eavesdropper intercepts all wireless traffic, until an IV collision occurs. By
XORing two packets that use the same IV, the attacker obtains the XOR of the two
plaintext m
essages. The resulting XOR can be used to infer data about the contents of
the two messages. IP traffic is often very predictable and includes a lot of redundancy.
This redundancy can be used to eliminate many possibilities for the contents of
messages. Fu
rther educated guesses about the contents of one or both of the messages
can be used to statistically reduce the space of possible messages, and in some cases it
is possible to determine the exact contents [

An extension of t
his attack uses a host on the Internet to send known messages to a
wireless network station. Because the attacker knows the contents of these messages
he will easily be able to decrypt all packets that are sent using the same initialisation

Attack to inject new traffic

If an attacker knows the exact plaintext for one encrypted message, this can be used to
construct correct encrypted packets. This procedure involves calculating the
checksum for a new message and performing bit flips on the ori
ginal encrypted
message to change the plaintext to the new message. The basic property is that
RC4(X) XOR X XOR Y = RC4(Y). This new packet can now be sent to a mobile
station or access point and will be accepted as a valid packet.

Active Attack to decrypt


If the attacker is able to guess part of the header of a packet then he may be able to
flip appropriate bits to change the destination IP address of the packet. The address
could be changed to a match the address of a machine somewhere on the Inte
rnet that
the attacker controls. The attacker could then broadcast the modified packet from a
rogue mobile station. As most wireless network installations have Internet
connectivity the packet will be successfully decrypted by the access point and
d unencrypted to the attackers machine on the Internet!

Dictionary Building Attack

The small space of initialisation vectors allows an attacker to quite quickly build a
table of key streams with an entry for each IV. Once a key stream is identified it can
be used to decrypt all other packets that use the same IV. Remember that the IV is
sent unencrypted in the packet header. Over time the attacker can build an exhaustive
table of IVs and corresponding key streams. Once built the attacker can easily decrypt
every packet sent over the wireless link, without actually ever knowing the secret key,
by looking up the correct key stream in the table. As the initialisation vector in WEP
is only a 24
bit field a busy access point will exhaust every possible IV in just


Wired Equivalent Privacy isn’t equivalent to the privacy over a wired

Solutions to the short comings of
original Wi
Fi security

Fi Protected Access (WPA)

Fi Protected Access (WPA) is a subset of the forthcoming IEEE 802.11i s
standard (also known as WPA2) and is designed to overcome all of the weaknesses
identified in WEP. WPA works with existing 802.11 based hardware using firmware
upgrades and will offer full forward compatibility with the new standard following its
ventual certification.

Features of WPA

Enhanced encryption scheme: Temporal Key Integrity Protocol (TKIP)

Message Integrity Checks (MIC)

Strong User Authentication using one of the standard Extensible
Authentication Protocol (EAP) types available


One of WEP’s chief weaknesses was that it used a small (40
bit) static key to initiate
encryption. This key is entered manually on the AP (Access Point) and on all clients
that communicate with it. It never changes unless it is manually re
entered o
n all

A 24
bit initialization vector is then appended to this to produce a 64
bit key that is
used for encryption. On busy networks, the initialization may need to be repeated in a
matter of hours meaning that encr
yption keys are often re

TKIP replaces the single static key with keys that are dynamically generated
each time a wireless client connects to the network.

Key size increased from 40 to 128 bits

Initialisation Vector increased from 24 to 48

A un
ique encryption key is generated for every packet

After accepting a user’s credentials an authentication server produces a unique master
key which is valid for the current computing session only.

“TKIP distributes this key to the client and the AP and s
ets up a key hierarchy and
management system, using the pairwise key to dynamically generate unique data
encryption keys to encrypt every data packet that is wirelessly communicated during
that user’s session” Wi
Fi Alliance white paper, 2003

Message Integrity Checks

Designed to prevent an attacker from capturing data packets, altering and then re
sending them.

The MIC provides a strong mathematical function that is calculated by both
sender and receiver

The receiver compar
es its calculated value with the contents of the packet

If the calculated value does not match what is found inside the packet, the
packet is assumed tampered with and discarded


Home Environments

Shared Key:

This method for authenti
cation uses a statically configured pass
phrase on both the client workstations and on the access point. This allows users of
the network to be authenticated at the access point without the need for an
authentication server, which is unlikely to be availab
le in home or small office

Enterprise Security

Access to the network is controlled by an authentication server. This holds user
credentials (e.g. user names and passwords) and authenticates wireless users before
they gain access to the netw
ork. One of the Extensible Authentication Protocol (EAP)
types available is then used to carry out the authentication.

Extensible Authentication Protocol (EAP)

EAP is a general protocol for authentication of network users. It does not select a
specific a
uthentication mechanism upon establishing a link, preferring to wait until a
separate authentication phase. “
This allows the authenticator to request more
information before determining the specific authentication mechanism.”

A number of mech
anisms are supported under this scheme including digital
certificates (already widely used in Internet security), unique usernames and
passwords, smart cards, secure IDs, or any other identity credential that the IT
administrator is comfortable deploying.

802.11i Security (WPA2)

Why bother?

While WPA offers significantly better security than WEP it can still be strengthened.
It uses static keys for user authentication and the RC4 encryption algorithm is known
to be vulnerable to some analytic attacks. I
n addition, one in every 256 keys generated
using the RC4 algorithm is likely to be ‘weak’

one or more bytes of the generated
ciphertext are strongly correlated with a few bytes of the key”. www.ncat.edu

802.11i Features

New method for encryption: Adva
nced Encryption Standard (AES)

Combines encryption with authentication using dynamic keys for both

Scheduled for certification September 2004


Trivia: named after Danish king Harald "Bluetooth" (Blåtand) 950
986, who united

Bluetooth, l
ike Wi
Fi, is a standard for wireless network communications. However,
unlike Wi
Fi, which is designed to replace existing, high bandwidth, long range wired
networks Bluetooth is designed primarily for short range, low bandwidth 'Personal
Area Networks'. T
he idea is to provide a common communication specification to
allow completely dissimilar devices, such as PDAs, mobile phones, printers and even
fridges to communicate with each other. Unlike Wi
Fi, Bluetooth has to be available
to devices with low comput
ational power.

Bluetooth devices are divided up into 3 power categories:

Category 1 devices have a range of between 0.1 and 1m. These devices might include
mobile phone headsets, where the communicating devices are most likely to be in
close proximity

tegory 2 devices have a range of between 1 and 10m. This is the most common
power range for Bluetooth devices. Most suitable for PAN’s since it provides
sufficient range for most applications, but is limited range enough to provide a certain
level of secur
ity from potential listeners.

Category 3 devices have a range of up to 100m. This is equivalent to most current Wi
Fi networks, but given the low bandwidth of Bluetooth(1Mbps theoretical, ~700Kbps
actual with Forward Error Correction) is not a direct comp

Another difference to Wi
Fi is the ad
hoc nature of Bluetooth networks. Although
Fi networks are designed with a certain amount of flexibility, they are generally
fairly static. In contrast, Bluetooth devices (which are most often mobile) are de
to be able to move in and out of networks as the owner moves around. This difference
means that the same security procedures that are used in Wi
Fi are not suited to
Bluetooth, and new measures have been adopted.

Bluetooth Security

In Bluetooth, th
ere are three security modes

Security Mode 1:

In this mode, the device does not implement any security
procedures, and allows any other device to initiate connections with it

Security Mode 2:
In mode 2, security is enforced after the link is established,
llowing higher level applications to run more flexible security policies.

Security Mode 3:
In mode 3, security controls such as authentication and
encryption are implemented at the Baseband level before the connection is
established. In this mode, Bluetoot
h allows different security levels to be
defined for devices and services.


Devices are other Bluetooth devices that wish to use the services you provide. These
devices are divided into two categories: trusted and untrusted

Trusted devices have a f
ixed relationship with your device. They generally
have unrestricted access to all services, although this can be refined to set
different access policies for each ser

Untrusted devices have no permanent fixed relationship with your device (but
may ha
ve a temporary one) or have a permanent relationship but are
considered untrustworthy. They are generally limited as to the services they
can access.


Services are the services you provide to other devices, and are divided into three

ervices that require authorisation and authentication: Only trusted devices
have automatic access; all other devices require manual authorisation

Services that require authentication only: authorisation is not required

Services that are open to all: access

to services is granted without the need for

Service level security

In security mode 2, security is handled by higher level applications rather than at the
link level, and is enforced after the communication is established

Fig 1: The Bluetoot
h architecture

Because Bluetooth uses the RFCOMM protocol it is able to use existing protocols
such as TCP, UDP and WAP, and can use the security measures built into these.

Link level

In security mode 3, security is enforced before a communications link
is established.
Security in Bluetooth, like in other networks is based on authentication and

In Bluetooth security there are four main identifiers


48 bit unique IEEE Bluetooth device address (BD_ADDR)


128 bit Link key, used for authentication


128 bit symmetric encryption key


128 bit random numbers (RAND) generated as required


To authenticate devices in Bluetooth, a link key is generated for the connection,
followed by a challenge
response strategy to ensure that the claimant d
evice knows
the link key. There are four types of link key defined in the Bluetooth specification:
unit keys, initialisation keys, combination keys and master keys. In addition,
Bluetooth defines four algorithms (E1, E21, E22 and E3) for key generation and

authentication. They are all based on the SAFER+ block cipher algorithm.

Unit key:

The unit key is generated in the device when it is first turned on, using the E21 key
generating algorithm. Once generated, it is stored in the non
volatile memory of the
device and rarely changes. The unit key can be used as a link key between two
devices, however it is a last resort since sharing the unit key allows the device to be
'spoofed'. For example, if device A communicates with device B using A's unit key as
the l
ink key, device B then has a copy of A's unit key. Device B can then pretend to
be device A and start a communication with device C, or can intercept and decode
communications between A and C if A's unit key is used as the link key. In general,
the unit ke
y is only used as a link key when one of the devices has very limited
memory and is not capable of remembering any extra keys.

Fig 2: The E21 key generation algorithm used in generating unit and combination

Initialisation key:

The initialisation
key is needed for two devices who have never communicated
before. A PIN code of between 1 and 16 octets in length is entered into both devices,
and an initialisation key is generated using the E22 key generating algorithm. The
algorithm is given the PIN (a
ugmented with the BD_ADDR of the claimant device),
and a 128bit random number from the verifying device. This key is then used for key
exchange during the generation of a link key after which it is discarded.

Fig 3: The E22 key generation algorithm, u
sed in generating initialisation and master

Combination key:

The combination key is generated using another key, usually the initialisation key,
and is the most secure of the four keys. Firstly, each unit generates a temporary key
using the same meth
od as used for unit key creation (e.g. device 1 inputs RAND1 and
BD_ADDR1 into the E21 algorithm to produce KEY1, device 2 inputs RAND2 and
BD_ADDR2 to produce KEY2). Device 1 then XORs its temporary key (KEY1) with
the current link key and sends it to dev
ice 2. Similarly, device 2 XORs KEY2 and
sends it to device 1. Each device then decrypts the random number, and using the
BD_ADDR of the other device, calculates the other temporary key. Both devices then
XOR KEY1 and KEY2 to produce the combination key.

Master key:

This key is the only temporary key and is generated when one device needs to
communicate with several others (one master, several slaves). Firstly, the master key
is created (by the master) by putting two random numbers into the E22 key genera
algorithm. The master then sends another random number to each slave. The master
and all the slaves then put the current link key and the random number into the key
generating algorithm to produce an overlay. The master then XORs the master key
with t
hat overlay and transmits it to all of the slaves. The slaves (which each have a
copy of the overlay) can then calculate the master key.

Once the link key has been established, Bluetooth uses a challenge
response scheme
for authentication, and relies on
both parties sharing the same secret key. Firstly, the
verifier sends the claimant a 128 bit random number. The claimant inputs this
number, the current link key and its own BD_ADDR into the authentication algorithm
E1, and sends the output back to the ver
ifier. If the response matches the value
calculated by the verifier, the claimant is authenticated. A by
product of the
authentication algorithm is the ACO (Authenticated Ciphering Offset) which is stored
by both devices for use later on in the encryption

Fig 4: The E1 authentication algorithm


To encrypt payloads of their packets, Bluetooth devices uses private encryption key
derived from the current link key, the 96 bit COF (Ciphering Offset Number

on the ACO generated durin
g the authentication process) and a 128 bit random

This encryption key, along with the device clock, the device address and a random
number are fed into the E0 stream cipher algorithm (based on the Massey and
Rueppel summation stream cipher genera
tor). The encryption key is regenerated
every new packet transmission.

Fig 5: Encryption in Bluetooth

Since the encryption key size varies from 8 bits to128 bits, the devices have to
negotiate the length of the encrytpion key. Firstly, the master sends

a suggested length
to the slave. The slave can then accept this, or reject it and send back a suggestion for
another length. This continues until a consensus is reached, or until one of the devices
aborts the negotiation.

Weaknesses with Bluetooth


are three main types of attacks on Bluetooth connections

Attacks on the confidentiality

It has been suggested that the E0 stream cipher can be broken in 2^66 in some
circumstances. However, the fact that Bluetooth devices resynchronise the stream
every packet means that malicious users attempting to break the encryption in
this way would not have sufficient time to succeed.

If a device's unit key is used as the link key, trusted devices can spoof that device and
can initiate communications posing a
s that device, or can intercept communications
between that device and another which use the unit key as a link key.

The fact that Bluetooth uses 4 digit pins for the initialisation key is a weakness. With
only 10000 possibilities, PINs can be exhaustivel
y searched and the key broken. In
addition to this, research has shown that 50% of PINs are ‘0000’, putting the security
of PINs further into question. One way to avoid this threat is by only pairing devices
in secure locations. Given that the range of mos
t Bluetooth devices is only 10m (less
when the signal has to travel through walls) this is not too inconvenient, and generally
only prohibits users from pairing in busy locations such as stations or airports.

Attacks on the availability

Bluetooth uses the

unlicensed and heavily used, 2.45Ghz frequency. This makes it
susceptible to interference from other devices, such as microwaves. However, to
combat this it uses the technique of frequency hopping. This improves the clarity and
also discourages casual eav
esdropping, since only synchronised devices can

Another form of denial of service attack, the battery exhaustion attack, is one that
Bluetooth devices are susceptible to. Unfortunately, it is very difficult to prevent this
kind of attack with
out restricting the usability of the device. For example, users can
choose to turn off Bluetooth until they need it, but this is irritating for the user. Work
is underway by the Bluetooth Special Interest Group to find a solution, but currently
there is no

effective defence.

Attacks on user privacy

Another issue with Bluetooth is that of user privacy. Since the address of the device is
freely available, once it is associated with an individual it can be used to carry out
profiling, and other more questiona
ble forms of monitoring, violating user privacy.

Bluejacking is where users can send anonymous, unsolicited messages to other
Bluetooth users Bluetooth in the form of business cards, exploiting the Bluetooth
standard of accepting them. Although currently
this is a relatively small and
innocuous craze, the same property could be used by unscrupulous marketers to target
passing customers (and indeed in some places, this is already happening). The
combination of these two attacks on privacy could prove to be
extremely annoying
and intrusive to end users. For example, companies with your details (including the
address of your Bluetooth device) on record could bombard you with personalised
adverts and offers whenever you are near their store.



Wired Eq
uivalent Privacy is vulnerable to attack, has many weaknesses and is
difficult to use.


We think that the flaws with WEP are due to it being rushed to market
to create demand for wireless networks.


The security specification was not certified before being p
ut into
production, this mistake must be learnt from.


Fi Protected Access is more resilient to attack and is easier to use.


WPA greatly improves on the security of WEP, but is only a stopgap
for 802.11i




Security is sufficient for personal use,

but for more security critical
applications improvements need to be made

In general, the biggest threat to the security of the network is the incompetence of the
network administrators or users. The existing standards are strong enough to protect
s from all but the most determined of hackers, yet in many wireless networks
these measures are not implemented. If users are considering going wireless, they
need to worry less about the about the existing standards, and more about their own



Glenn Fleishman




Nikita Borisov, Ian Goldberg, and David Wagner


Security of the
WEP algorithm




Adam Stubblefield, John Ioannidis, Aviel D. Rubin


Using the
Fluhrer, Mantin, and Shamir Attack to Break WEP

AT&T Labs Technical
Report TD


Jim Geier


802.11 WEP: Concepts and Vul





Security considerations for a short
range wireless




Juha T. Vainio


ooth Security


Helsinki University of


Frank Stajano, Ross Anderson


The Resurrecting Duckling: Security
Issues for Ad
hoc wireless networks


Thomas Xydis (2000)

Security Comparison: Bluetooth Communications vs
”, (


Thomas Muller (1999), “Bluetooth Security Architecture”,


Christian Gehrmann (2002)
, “Bluetooth Security White Paper”,



Fi Alliance (2003), “Wi
Fi Protected Access: Strong, standards
interoperable security for today’s Wi
Fi networks”


HP (2002), “Wi
Fi Security

Addressing Concerns”