WLAN RISK AND SECURITY 1
Running Head: WLAN RISK AND SECURITY
The Risks and Security Standards of Wireless Local Area Network Technologies: Bluetooth and Wireless Fidelity Wireless Interfaces
Lindsey Landolfi
Towson University
Network Security
Professor Charles Pak
July 2011
Mobile information access has become an increasingly prominent aspect of network communications. Mobile devices use wireless technology to communicate with each other; these devices range from cellular phones and personal digital assistants (PDAs) to laptop computers. User demand for mobile access drives constant technological advancement in mobile devices; currently many devices are equipped with specialized hardware and software to enhance their functionality. Many consumers overlook the fact that mobile devices function much like computers, and that having private data stored on or accessed through a mobile device exposes that data to manipulation, theft, or other forms of attack. This document provides an overview of the risks associated with wireless local area network (WLAN) technologies and the security standards established to counter potential threats, specifically the Bluetooth and Wireless Fidelity (Wi-Fi) wireless interfaces.
Wi-Fi is a widely utilized technology used to establish a wireless connection between electronic devices. Specifications for Wi-Fi operation are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networking standard. Each Wi-Fi network established will communicate exclusively on one of the 11 possible channels defined by the IEEE. All devices connecting to a single WLAN must employ the same service set identifier (SSID) in order to communicate with each other; however, it is not necessary for them to be on the same channel. The default SSID contains information about the device manufacturer and modem; with this knowledge an attacker can employ any well-known related exploits against the device. To enhance security, users should change a device's pre-defined SSID. Regularly changing the SSID can also deter rogue clients from joining a network. “Wi-Fi and Bluetooth products both operate in the unlicensed 2.4GHz ISM band.” (Shoemake, 2001) However, Wi-Fi products use direct sequence spread spectrum (DSSS), while Bluetooth transmits using frequency-hopping spread spectrum (FHSS). Wi-Fi technology is inherently vulnerable to electromagnetic interference (EMI), since it uses radio frequencies to transmit data to and from signal receivers.
There are two possible WLAN configurations, ad hoc and infrastructure; both require a wireless network interface controller (WNIC) in order to connect a device to the WLAN. The infrastructure configuration requires additional Wi-Fi hardware: specifically, a centralized device that receives the incoming radio signals from Wi-Fi stations, known as the wireless access point (WAP). The WAP is responsible for relaying data between wireless devices and a wired network at the data-link layer, typically through a router or Ethernet switch. Basically, a WAP is the wireless version of a switch, but instead of copper or glass-fiber cabling it connects all devices to the central switch or router via electromagnetic radio waves. A wireless router is essentially a combination of a WAP and a router; it is responsible for directing communication between a wireless device and the next hop towards the data's final destination. Wireless network adapters allow mobile devices to connect to the wireless network; many devices, such as laptop computers, come with internal adapters installed. The wireless adapters must be configured for either ad hoc or infrastructure mode. Wireless ad hoc networks establish a connection between devices without the use of a WAP. The devices must be in range of each other's signal, without major interference. Additionally, the wireless adapters must be configured to the same SSID and channel. The peer-to-peer communication configuration of a Wi-Fi ad hoc network is similar to the data exchange in Bluetooth ad hoc networks.
Multiple interconnected WAPs are known as a Wi-Fi hotspot. Many major mobile service providers such as AT&T, T-Mobile or Verizon are creating Wi-Fi hotspots in order to provide high-speed wireless internet access to their customers. The potential for commercial profit has spurred the growth of WLAN deployment in public venues such as airports or cafes. According to a report analyzing WLAN market opportunities, "Broadband Wireless LAN: Public Space and the Last Mile" (Alexander Resources, 2002), approximately $9.5 billion in public WLAN service revenue would be generated during 2007, and the WLAN market was projected to continue expanding.
Wi-Fi popularity has led to the development of hotspot directories which allow users to locate free commercial wireless services. Wardriving software uses radio signals to locate and collect information on Wi-Fi network sources. While wardriving itself is not malicious, it can support attacks such as WAPjacking, WAPkitting, or social engineering attacks. WAPkitting “refers to any malicious alteration to the wireless access point's configuration or firmware over the wireless connection.” (Tsow, n.d.) For example, WAPkitting could execute a man-in-the-middle attack by redirecting traffic in the router away from a legitimate webpage login request towards a malicious server that stores or discloses the unsuspecting user's credentials. WAPjacking modifies firmware settings to the hacker's benefit. A Wi-Fi router compromised by WAPjacking can provide an attacker with the ability to execute DNS spoofing attacks, resulting in data monitoring or theft. “There are two general approaches to identifying WAPkitting and WAPjacking attacks: direct firmware analysis and external behavioral analysis.” (Tsow, n.d.) Turning down the transmitter signal strength (dBm) to the lowest level that still covers the desired range will minimize the possibility of an outsider detecting the WLAN's location and compromising data.
The most common Wi-Fi encryption standard is Wired Equivalent Privacy (WEP), developed by the IEEE. WEP operates on the data link and physical layers of the OSI model, using the RC4 stream cipher to encrypt data. “WEP uses an Integrity Check (IC) field within the data packet to ensure that it has not been modified in transit, and an Initialisation Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet.” (Ollmann, 2007) See Appendix A, Figure 1 for a visual of the WEP security protocol. However, there are implementation flaws in these security mechanisms that render them less useful. Even a properly configured WEP network is relatively easy to crack; WEP's weakness is evident in the authentication sequence due to its lack of key management. For example, an attacker could employ a brute force attack to recover the relatively short key, then discover a MAC address and proceed to spoof into the network disguised as an authorized address.
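As an added, simplified model of the WEP design described above (written for this page, not taken from the paper or from any WEP implementation), the Python below builds a frame as IV || RC4(IV || key)-encrypted payload with a CRC-32 Integrity Check, and shows why a 24-bit IV forces keystream reuse; the key, IV and payload values are constructed samples.

```python
import binascii
import struct
from math import exp

# Illustrative WEP construction as described in the text: RC4 keyed with
# IV || shared key, CRC-32 as the Integrity Check value (ICV). The key-ID
# byte of a real WEP header is omitted; sample values are constructed.

IV_LEN = 3  # WEP uses a 24-bit initialization vector


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(payload: bytes) -> bytes:
    """WEP integrity check: plain CRC-32, little-endian, no secret key."""
    return struct.pack("<I", binascii.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || (payload || ICV) XOR RC4(IV || shared_key)."""
    assert len(iv) == IV_LEN
    plain = payload + _icv(payload)
    ks = rc4_keystream(iv + shared_key, len(plain))
    return iv + bytes(a ^ b for a, b in zip(plain, ks))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Strip the IV, decrypt, and verify the ICV; None if the check fails."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    ks = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(a ^ b for a, b in zip(body, ks))
    payload, icv = plain[:-4], plain[-4:]
    return payload if _icv(payload) == icv else None


def keystream_reused(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames sent under the same IV and key share one RC4 keystream, so
    c1 XOR c2 == p1 XOR p2: the confidentiality loss a repeated IV causes."""
    c1 = wep_encrypt(shared_key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(shared_key, iv, p2)[IV_LEN:]
    n = min(len(p1), len(p2))
    xor_c = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_p = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return xor_c == xor_p


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate that at least one IV repeats among `frames`
    randomly chosen IVs: 1 - exp(-n^2 / 2N). Sequential IVs wrap at 2^24."""
    return 1.0 - exp(-(frames ** 2) / (2.0 * 2 ** iv_bits))
```

With random IVs the birthday bound gives roughly a 50% chance of a repeat after about 4,800 frames, which is why the per-packet key idea does not hold up on a busy network.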
The Wi-Fi Alliance developed a second-generation security protocol known as Wi-Fi Protected Access (WPA) in 2003. WPA resolved many of the issues in the previous WEP encryption scheme and its weaknesses in link layer security. WPA reduces the risk of attack through the Temporal Key Integrity Protocol (TKIP); the concept behind TKIP is to ensure key integrity. Additional security is provided by the Message Integrity Check (MIC); “the protocol itself was created to help fight against the many message modification attacks that were prevalent in the WEP protocol.” (TechDuke, 2007) WPA also implemented a frame counter to help avoid replay attacks and enhanced authentication measures with the Extensible Authentication Protocol (EAP). The transition from WEP to WPA was relatively easy; it did not require additional hardware, only small firmware upgrades. WPA is currently a widely used and effective security protocol; however, due to the nature of encryption, WPA technology is susceptible to broken cryptographic algorithms. To ensure future data protection, the Wi-Fi Alliance further advanced the WPA protocol when it released WPA2. The Robust Security Network (RSN) is the principal development in WPA2 supporting enhancements in secure communications. As an alternative to TKIP, WPA2 “uses AES (Advanced Encryption Standard), which is a much more secure encryption algorithm.” (Ottaway, 2002) RSN executes AES processing via the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The Wi-Fi Alliance also developed and introduced the Wi-Fi Protected Setup (WPS) protocol to simplify the process of configuring WPA security options for users.
Typically, public Wi-Fi networks disable encryption on the source wireless router in order to make set-up as easy as possible. Additionally, it is common for WAP physical access controls not to require additional authorization, therefore trusting all users on the local network. This means that Wi-Fi enabled devices can connect to an already authorized network without any authentication measures. The majority of Wi-Fi networks do not encrypt Internet communications; defaulting to open communications places the mobile device and its data at risk. “Such an open environment would not only facilitate application development and allow flexibility in choosing devices and applications from other sources, but it would also expedite malware development and potentially provide more attractive avenues of attack to exploit.” (Jansen, 2008) Augmenting a mobile device with alternative security measures will enhance protection against malicious attacks.
Virtual Private Networks (VPNs) can provide secure communications when using Wi-Fi with open data communication. Instead of relying on the WEP or WPA encryption protocols, the data is processed through VPN protocols such as the Point-to-Point Tunneling Protocol (PPTP), Layer Two Forwarding Protocol (L2F), Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPsec). VPNs support stronger security measures than the Wi-Fi protocols. For example, IPsec uses the Internet Key Exchange protocol to establish cryptographic authentication and data encryption at the network layer of the OSI model. Using protocols that require public-key cryptography and certificate authority signatures, such as Secure Sockets Layer (SSL), secure hypertext transfer protocol (HTTPS), or file transfer protocol (FTP), supports secure and confidential web traffic. Firewalls or routers can also be used to encrypt and monitor data. These techniques are not limited to WLANs; they function across a variety of network media as a comprehensive form of prevention and protection.
Bluetooth technology provides wireless point-to-point and point-to-multipoint connections between Bluetooth-enabled devices via radio frequencies, for example the wireless connection between a headset and a mobile phone. Bluetooth technology can also be used to create temporary, decentralized wireless networks known as wireless ad hoc networks. “Bluetooth-enabled devices will outnumber Wi-Fi devices five to one, with over 77% of cell-phones, 60% of PDAs, and 67% of notebooks having built-in Bluetooth radios.” (Su, 2006) It is necessary for Bluetooth to employ security precautions similar to those of devices that use centralized security control in order to prevent security breaches. Attacks on Bluetooth communications range from man-in-the-middle attacks, denial-of-service attacks and worms to data theft and monitoring. Bluetooth employs a variety of protocols to ensure the secure processing of Bluetooth system communications.
Data transmission requires an active link between Bluetooth-enabled devices; unique link keys are created via a key-generating algorithm. “Once a link is formed, data can be exchanged using a socket-based interface in a manner similar to Internet-based protocols.” (Su, 2006) The Link Controller (LC) uses baseband protocols to ensure a secure connection between sources. The LC is responsible for validating the physical link and the device address, handling packets and controller states, and managing connection setup and modes. The Link Manager Protocol (LMP) handles link setup, control, and security. “The LMP is responsible for the pairing procedure and handles the challenge response procedure for authentication purposes.” (Niem, 2002) LMP also monitors the piconets; a piconet is an established network linking a master device to its slave devices via Bluetooth protocols. “The messages in LMP, since the link controller (LC) provides a reliable link, do not have to be acknowledged.” (Xiao, 2007) Bluetooth employs additional protocols such as the Service Discovery Protocol (SDP), the Object Exchange protocol (OBEX), and the Radio Frequency Communications protocol (RFCOMM), which enables simultaneous connections between Bluetooth devices through serial port emulation. See Appendix A, Figure 2 for a visual of the layout of a Bluetooth protocol stack.
Incorporation of application layer security is necessary to support a comprehensive
Bluetooth security policy. Bluetooth has established security measures at the baseband level
which allow for greater user flexibility when designing application layer security. “Employing
application layer security and a public key infrastructure limits the Bluetooth devices that have
access to certain infrastructure services and provides a means of authentication/authorization
above that which Bluetooth provides.” (Niem, 2002) For example, application level security
could enhance the Bluetooth authentication standards by establishing additional password
controls. Standard Bluetooth authentication protocols require device verification but do not
authenticate the user. Additional authentication precautions would assist in the prevention of
malicious attacks by ensuring that the devices attempting to connect are actually who they claim
to be.
The process of establishing a Bluetooth connection is known as pairing. Connections are established by a key exchange mechanism; this mechanism is responsible for the authentication, encryption and decryption of all subsequent payload transmissions. Encryption does not occur until after the link and encryption keys are created and the initial connection is established. See Appendix A, Figure 3 for a visual of the link level security parameters. It is not possible for a hacker to decrypt packet payloads without determining the link and encryption keys. “It is important to note that the pairing procedure is the weakest process in the Bluetooth Baseband level security specification since all data is transmitted in clear-text until an initialization key is established [2;4].” (Niem, 2002) Previously established pairing relationships are stored in the Bluetooth device; this creates an inherent risk to all paired devices if one device is compromised. Frequently changing the device PIN makes it more difficult for hackers to successfully infect established connections, since “changing the PIN requires that any Bluetooth devices that the user regularly employs will need to be re-paired.” (Browning, 2009)
Encryption and authentication security measures are employed to protect traffic in a wireless ad hoc network. The master device is responsible for establishing a connection between slave devices and forming the combination keys which are used to encrypt the packets transmitted within the ad hoc network. However, ad hoc networks are subject to security issues due to the direct communication between Bluetooth devices within the network. Data stored on the Bluetooth devices in an ad hoc network is exposed to everyone else participating in that network. Unauthorized access to a network can be easily achieved by using devices designed to eavesdrop within Bluetooth radio frequency range. Signal jamming is a possible technique for executing a denial-of-service attack. Bluetooth has developed security features to counter the risks of eavesdropping and interference. The channel access code (CAC), derived from the Bluetooth device address (BD_ADDR), selects a communication channel from the 79 available bands in the frequency-hopping spread spectrum (FHSS) algorithm. FHSS is used to “minimize interference from other devices using the 2.4 GHz range of the ISM band.” (Niem, 2002) As a precautionary measure, users should avoid using the BD_ADDR as the link key, since a compromised BD_ADDR can be used to impersonate a trusted device. Additionally, a hacker can use a unit key with a faked BD_ADDR to crack the encryption key and monitor traffic.
The Bluetooth protocol is vulnerable to malicious code such as worms and viruses. Malicious code is capable of altering data and operating systems on the device. An infected mobile device can transmit malware across a network. With Bluetooth, the interacting devices need to be within range of the infected source's radio signal for the malicious code to be transmitted. Much malicious code is spread through social engineering techniques. The computer worm Cabir was designed to infect the Symbian mobile operating system; once a device is infected with Cabir, it searches for other visible Bluetooth devices to send the infected file to. “Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.” (F-Secure Corporation, 2009)
There are four major categories of Bluetooth hacks: Bluejacking, Bluesnarfing, Bluebugging, and Bluetoothing. “All take advantage of weaknesses in Bluetooth that allow an attacker unauthorized access to a victim's phone.” (Browning, 2009) Bluejacking is an attack which sends unsolicited messages such as advertisements to a Bluetooth receiver; Bluejacking is a relatively simple process that exploits the OBEX protocol. Bluesnarfing is unauthorized access to information on the Bluetooth device; it can result in undetected tracking of device communications. Bloover II is popular software used to exploit Bluetooth connections; this tool is also capable of several kinds of attacks including BlueSnarf and Bluebug. Bluebugging allows the hacker to access and take control of device operations by issuing AT commands. Bluetoothing enables an attacker to locate a Bluetooth device in a particular vicinity and time frame; this is a form of localized social networking or mobile social software (MoSoSo). There are many tools to assist with Bluetooth hacking; “web sites such as E-Stealth (http://www.e-stealth.com/) and FlexiSPY (http://www.flexispy.com/) offer commercial products to allow one party to eavesdrop or attack another party's Bluetooth device.” (Browning, 2009) An example of Bluetoothing software used by hackers is BlueSniff, which helps locate discoverable and hidden Bluetooth-enabled devices. Bluetooth devices with hidden visibility settings can still be attacked if the hacker can crack the MAC address through methods such as an exhaustive key search.
In general, mobile devices face an increased risk of physical compromise due to their size and nature. A stolen device can be physically accessed, allowing for security breaches. An attacker can reconfigure security controls in order to create security holes, for example by disabling authentication or encryption protocols. If a master device is compromised, the data stored on that device and on any additional devices accessible through the master device would be at risk. Additionally, a stolen device is subject to the exposure of valuable information stored on the device's memory card, such as private personal information, Bluetooth pairing or Wi-Fi connection information. Removing a memory card is easy, and typically a single card will function in many other devices. Protective software is available to encrypt onboard storage. Onboard storage is the data stored within the mobile device, such as the random access memory (RAM) and the read only memory (ROM). There is also security software designed to protect external storage such as subscriber identity module (SIM) cards, multimedia cards (MMC), and secure digital (SD) cards.
The security technology used in mobile devices and in WLAN standards such as Bluetooth and Wi-Fi is relatively new; therefore there are greater opportunities for undiscovered vulnerabilities to be exploited. Additionally, the increased mobility of wireless devices is positively correlated with increased vulnerability to attacks. Ideally, wireless communications would achieve the same security goals as wired networked systems. To ensure security, a mobile device should authenticate the user and the user's credentials via access controls. It should also authenticate the data source and ensure that the data has not been compromised in transit. Finally, it should have an auditing system.
References
Alexander Resources. (2002, January 7). Broadband wireless LAN: Public space and the last mile. Retrieved from Juniper Research website: http://juniperresearch.com/reports.php?id=72&stream=72
Browning, D., & Kessler, G. (2009, May). Bluetooth hacking: A case study. Journal of Digital Forensics, Security and Law, 4(2), 57-71. Retrieved from http://www.garykessler.net/library/bluetooth_hacking_browning_kessler.pdf
F-Secure Corporation. (2009). Bluetooth-Worm:SymbOS/Cabir. Retrieved from http://www.f-secure.com/v-descs/cabir.shtml
Jansen, W., & Scarfone, K. (2008, October). Guidelines on cell phone and PDA security. National Institute of Standards and Technology Special Publication 800-124. Retrieved February 24, 2009, from http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
Niem, T. C. (2002, November 4). Bluetooth and its inherent security issues. Retrieved from SANS Institute InfoSec Reading Room website: http://www.sans.org/reading_room/whitepapers/wireless/bluetooth-inherent-security-issues_945
Ollmann, G. (2007). Securing WLAN technologies: Secure configuration advice on wireless network setup. Retrieved from http://www.technicalinfo.net/papers/SecuringWLANTechnologies.html
Ottaway, W. (2002). Mobile security: Cause for concern? Retrieved from QinetiQ Ltd website: http://apps.qinetiq.com/perspectives/pdf/EP_White_Paper4_Mobile_Sec.pdf
Shoemake, M. (2001, February). Wi-Fi (IEEE 802.11b) and Bluetooth: Coexistence issues and solutions for the 2.4 GHz ISM band. Retrieved from Texas Instruments website: http://focus.ti.com/pdfs/vf/bband/coexistence.pdf
Su, J., Chan, K. K. W., Miklas, A. G., Po, K., Akhavan, A., Saroiu, S., de Lara, E., & Goel, A. (2006, November 3). A preliminary investigation of worm infections in a Bluetooth environment. Retrieved from University of Toronto website: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.79.3889&rep=rep1&type=pdf
TechDuke. (2007, September 30). Temporal key integrity protocol (TKIP) - wireless security. Retrieved from http://www.techduke.com/2007/09/30/temporal-key-integrity-protocol-tkip-wireless-security/
Tsow, A., Jakobsson, M., Yang, L., & Wetzel, S. (n.d.). Warkitting: The drive-by subversion of wireless home routers. Retrieved from http://www.indiana.edu/~phishing/papers/warkit.pdf
Xiao, Y. (2007). Security in distributed, grid, mobile and pervasive computing. Retrieved from gen.lib.rus.ec/get?md5=f8fe845dbfdc6152190638e7d46e53fa
Appendix A
Figure 1: Wired Equivalent Privacy Security Protocol
Figure 2: Bluetooth protocol stack (Browning, 2009)
Figure 3: Link Level Security Parameters