8/3/2019 Rely on Wifi
http://slidepdf.com/reader/full/rely-on-wifi 1/7
Wireless Networks
Dependability in Wireless Networks: Can We Rely on WiFi?
Marco Domenico Aime, Giorgio Calandriello, and Antonio Lioy
Politecnico di Torino
IEEE Security & Privacy, January/February 2007, pp. 23–28. Published by the IEEE Computer Society, 1540-7993/07/$25.00 © 2007 IEEE.

WiFi's dependability requirements are growing as its usage spreads to public hotspots and personal home networks. Authentication and confidentiality are crucial issues for corporate WiFi use, but privacy and availability tend to dominate pervasive usage. This article discusses dependability and its impact on WiFi usage scenarios.

WiFi, short for "wireless fidelity," is the commercial name for the 802.11 products that have flooded the corporate wireless local area network (WLAN) market and are rapidly becoming ingrained in our daily lives via public hotspots and digital home networks. However, because a technology's dependability requirements are proportional to its pervasiveness, newer applications mandate a deeper understanding of how much we can rely on WiFi and its security promises. So far, WiFi hasn't had the best track record: researchers and hackers easily defeated its first security mechanism, Wired Equivalent Privacy (WEP).1 Although the 802.11i standard (also known by its commercial name, WPA2) addresses this failure and the larger issues of confidentiality and authentication,2 no ongoing standardization effort handles WiFi availability, and problems with robustness mean that a successful attack can block a network and its services, at least for the attack's duration. Another oft-neglected aspect of 802.11 networks is privacy, meaning not payload confidentiality but node activity monitoring. Such monitoring is valuable to an attacker in its own right (for example, to identify and locate users), but it is also strongly linked to dependability: an attack targeted at a specific node must first single out that node's traffic.

To our knowledge, no current practical or theoretical framework handles WiFi dependability issues. Moreover, no previous work has analyzed WiFi security from this viewpoint. Most research examines WiFi confidentiality and authentication by explaining the problems related to native 802.11 security (WEP and shared-key authentication) and showing how inadequate such mechanisms are. The same effort hasn't been put into analyzing a wireless network's availability and robustness: in fact, many denial-of-service (DoS) attacks against WLANs are known, but so far only one research effort describes the actual implementation of two DoS attacks and possible countermeasures.3

In this article, we present an overview of WiFi vulnerabilities and investigate their proximate and ultimate origins. The intended goal is to provide a foundation to discuss WiFi dependability and its impact on current and future usage scenarios. Although a wireless network's overall security depends on the network stack up to the application layer, this article focuses on specific vulnerabilities at the physical (PHY) and data-link (MAC) layers of 802.11 networks.

The PHY layer
WiFi uses a single narrow-band radio channel on a public frequency. Radio communications are typically multiplexed on some combination of space, frequency, time, and coding; WiFi exploits the first three. The available power range in WiFi devices allows for cells with an average radius of less than 100 meters (the exact value depends heavily on obstacles and antenna directionality, ranging from hundreds of meters with radio bridges to a few meters in closed rooms). Generally, WiFi uses a limited pool of narrow-band frequencies on unlicensed bands at 2.4 and 5 GHz.

Current WiFi networks rely on two different basic coding techniques: Direct Sequence Spread Spectrum (DSSS), which 802.11b and 802.11g devices use, and Orthogonal Frequency Division Multiplexing (OFDM), which 802.11a and 802.11g devices use. Nodes on the same frequency share a single channel, which the 802.11 MAC layer serializes through random access and contention mechanisms. These characteristics allow for several attacks, which we'll discuss in more detail in the following subsections.
Interception
It's not surprising that an attacker can intercept a radio communication, but the threat's relevance clearly depends on the nature of the leaked information. Most cryptographic protocols address content eavesdropping but pay little attention to privacy issues. The 802.11 standard never uses mechanisms for preventing traffic analysis, so it's fairly easy to infer the number of "talking" nodes, their identities (that is, some long-lived identifier for each of them), and who's talking to whom. This lets an attacker violate user privacy, so we want to hide as much information as possible; taken to the extreme, we even want to conceal an ongoing communication's existence.

Content eavesdropping is still an issue if cryptographic protocols aren't used properly. Of course, the prologue of any content-eavesdropping attack is channel selection. Unfortunately, the limited number of channels and frequencies in WiFi devices makes this step trivial; moreover, any 802.11 device has built-in capabilities to scan and report activity on all available channels.

The 802.11 specification originally included a low-rate (1 to 2 Mbps) PHY layer that used a frequency-hopping transmission technique. Frequency hopping could make interception harder, but 802.11 designed it for avoiding interference only. It used 79 channels and a set of 78 possible hopping sequences; the access point (AP) broadcasts the hopping sequence and the dwell time. Keeping the hopping information hidden would make channel selection harder for casual attackers, but given a limited number of channels and a static sequence, they could easily recover the hidden sequence.

In general, today's narrow-band radio technologies can't hide communication. Their spectral efficiency is too low to support a sufficiently large number of high-bit-rate channels over the available bands, and it's easy to scan a small number of possible channels for ongoing communications. We must therefore accept that interception is easy, especially because a radio coverage area can't be delimited precisely. Physical anti-interception techniques aren't fit for common WiFi usage scenarios, so mechanisms at the MAC layer or above must prevent information leakage, from content eavesdropping to identity tracking and traffic analysis.
Injection
Radio transmission, as well as reception, can't be confined to a restricted area, so WiFi relies on logical access control mechanisms for authorized access. However, this heavily limits the validity of well-established security tools such as firewalls and network intrusion detection systems, so authorized traffic must instead be validated as it flows over the wireless link (the security perimeter is now spread across every network link). In practice, though, this activity constrains the upper network layers in their attempt to provide specific security mechanisms. As a solution, the MAC level could provide data source authentication for every transmitted frame by identifying the source as a specific node or as a member of a trusted group.
Jamming
Radio communications are subject to jamming, which is cheap and easy to do in a narrow-band channel such as the one WiFi devices occupy. Jamming can make corporate WLANs unavailable, which is certainly annoying, or even block a residential phone network or a hospital's medical infrastructure, which is much scarier. The WiFi nodes themselves can easily detect a jam because each station already monitors channel quality for AP and bit-rate selection, but locating the actual attacker is a different story.

WiFi sails on the unlicensed industrial, scientific, and medical (ISM) bands; in these bands, networks of devices subject to independent authorities can coexist in the same area and share the same communication channel. The WiFi MAC layer handles overlapping cells, but doesn't guarantee fairness in the presence of dishonest nodes. Even worse, transmissions are vulnerable to interference from any technology that exploits the popular ISM bands, from Bluetooth devices to microwave ovens.
Locating mobile nodes
Wandering through a wireless world, an attacker can easily track MAC addresses and build a database that lists wireless nodes, their locations, and their movements, even for wearable devices such as PDAs. Although a wireless node's exact position might be hard to get, it's much easier to detect its presence in a large area. If the device is a personal one, this could even help someone track the device owner's location; for example, a burglar could discover when a target property is empty while staying comfortably outside its perimeter and without performing a physical examination.

No effective solution exists yet for localizing wireless intruders, even in networks of moderate dimension. Although some recent commercial products can coordinate APs to detect and point out naive static attackers (such as unauthorized APs), the radio medium is intrinsically hard to map, and intruders typically aren't collaborative (they can individually spoof, move, change transmission power, use directional antennas, exploit multiple coordinated probes, and so on without any help).
Access control
To control access, the network must classify wireless nodes into trusted and untrusted sets and update them in real time. Nodes' fast and long-range mobility makes radio network topology highly dynamic: both the set of nodes forming the network and their connectivity can change rapidly over time. To allow for quick topology change, the network must implement and carefully secure two basic network functions, neighbor discovery and node association; perhaps not surprisingly, some past and present security flaws in WiFi are related to discovery and association mechanisms. The problem lies not in selecting a suitable authentication mechanism but in enrolling and managing proper credentials. Current authentication infrastructures for wired networks aren't designed to match tight cost and usability constraints, but these two factors might be even more important than the overall security level in WiFi usage outside of LANs.
Hijacking
Man-in-the-middle attacks are a traditional threat against access control solutions. Although it's easy for attackers to intercept wireless traffic and inject an attack, it isn't trivial to hijack a wireless channel. The attacker must ensure that the two victims can't talk directly, so the targets must either lie outside each other's radio range or be desynchronized. An attacker can try to jam the receiver while still being able to access the transmitted traffic, for example by using directional antennas or a pair of probes placed near the sender and the receiver (attackers can always use a coalition of nodes that cooperate over a different, unmonitored frequency). Alternatively, the attacker can force the two targets onto two distinct frequencies and relay traffic between them, which makes it easy for the attacker to manipulate them. Such threats are avoidable only by including spatial and frequency information in the victims' authentication mechanisms. Although secure distance verification is an active research topic,4 WiFi authentication ignores this problem because it doesn't convey any spatial or frequency information. This still holds for the 802.11i standard.
Energy
Batteries are a key enabling factor for mobility in radio networks, but a limited energy supply can easily become a perfect target for availability attacks. Although breakthroughs in energy production technology will hopefully mitigate this problem, the short-term impact on security is twofold: power-conservation features and their protection become vital, and any security mechanism must be carefully evaluated against its energy cost.
The MAC layer
Although it inherits the underlying PHY layer's insecurity, the 802.11 MAC layer adds some peculiar weaknesses of its own. Its "dangerous" features are that it implements a shared channel, can have a star or mesh topology, and must synchronize among different parties, making it much more complex than Ethernet. These three broad categories leave the network open to several different vulnerabilities.
Shared channel
When many nodes use the same channel, their traffic must be distinguishable; accordingly, 802.11 networks use a MAC address as a static station identifier. But even if communication is encrypted, the header must remain in the clear for delivery reasons, which makes statistical traffic analysis, and with it identity tracking, feasible.

A shared channel also implies a shared bandwidth, so transmission speed drops if several nodes use it simultaneously. It might seem that limiting the number of users per cell would guarantee an adequate bandwidth per node, but this doesn't really work because the 802.11 MAC layer allows the coexistence of many independent cells on the same physical channel, each with its own nodes. The 802.11e standard deals with providing quality of service over WiFi networks via traffic prioritization mechanisms, but these mechanisms rely fully on the existing MAC layer, its rules, and, more important, its vulnerabilities. As such, the proposed quality-of-service mechanisms don't enforce availability.

Additionally, the WiFi medium has strict access rules because it's shared, and the 802.11 MAC layer works properly only when the nodes observe specific access rules (such as timing, physical and virtual channel sensing, and back-off times). Unfortunately, it's easy to violate these rules and cause network malfunctions because many off-the-shelf devices ship with special test modes that, if turned on, let the user access the WiFi medium without respecting timing constraints. We describe our experience with a continuous transmission mode in 802.11b cards later, but a different strategy is to set a high noise threshold so that the channel is perceived to be free regardless of other nodes' activity: in both cases, the device transmits and violates the access rules. This trick can easily defeat the clear channel assessment function of the DSSS-based 802.11b standard (researchers have shown the DSSS physical layer to be particularly sensitive to access violations5), but the general concept also applies to OFDM-based 802.11a. Customization of a device's firmware can fully subvert the MAC layer's rules; unfortunately, programmable MAC and radio layers are already used in research activity.

The 802.11 standard also uses a logical mechanism to assess whether the channel is free or busy; it implements this mechanism with every frame of the protocol, which includes a duration field that indicates channel occupation time in microseconds. This field implements a virtual channel-sensing mechanism (the network allocation vector, NAV) that can cope with collisions from hidden terminals. Unfortunately, cryptographic mechanisms can't protect such information cheaply because of its broadcast nature: every station in range must be able to read it before any association or key exchange has taken place. This opens up a new vulnerability because an attacker can mangle the duration field and fool a station into believing that the channel is busy when it's actually free (more information about this and other attacks appears elsewhere3,6).
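The two weaknesses just described, cleartext addressing and the unprotected duration field, are easy to see on raw frames. The following Python script is an added illustration and not code from the article or its authors: it serializes a few 802.11 data frames, parses their MAC headers, builds a who-talks-to-whom table from frames whose payload is encrypted, and applies a plausibility bound to the duration field, in the spirit of the NAV-capping countermeasure discussed in reference 3. The station addresses, the capture, the 802.11b long-preamble timing constants (10 µs SIFS, 304 µs ACK at 1 Mbps), and the bound itself are assumptions.

```python
import struct
from collections import Counter

# Frame Control: type lives in bits 2-3 of byte 0, flags in byte 1
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_DATA = 0
FLAG_TO_DS, FLAG_FROM_DS, FLAG_MORE_FRAG = 0x01, 0x02, 0x04
FLAG_PROTECTED = 0x40

# Assumed 802.11b long-preamble timing in microseconds: SIFS is 10 us, an ACK at
# 1 Mbps costs 192 us of PLCP preamble/header plus 14 bytes * 8 bits = 112 us.
SIFS_US, ACK_US = 10, 192 + 112
NAV_MAX_US = 0x7FFF            # largest Duration value with bit 15 clear

# Constructed station addresses (assumptions, not from the article)
STA_A, STA_B = "00:11:22:33:44:01", "00:11:22:33:44:02"
AP, OBSERVER = "00:11:22:33:44:aa", "00:11:22:33:44:ee"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(ftype, subtype, flags, duration, a1, a2, a3, seq=0, body=b""):
    """Serialize a three-address 802.11 frame (no FCS); duration is the raw field."""
    fc0 = (ftype << 2) | (subtype << 4)            # protocol version 0
    hdr = struct.pack("<BBH", fc0, flags, duration)
    hdr += mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
    hdr += struct.pack("<H", seq << 4)             # sequence number, fragment 0
    return hdr + body

def parse_frame(raw):
    """Decode the MAC header; the address roles follow from the ToDS/FromDS bits."""
    fc0, flags, duration = struct.unpack_from("<BBH", raw, 0)
    f = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "flags": flags,
         "duration": duration, "protected": bool(flags & FLAG_PROTECTED),
         "addr1": mac_str(raw[4:10]), "addr2": mac_str(raw[10:16]),
         "addr3": mac_str(raw[16:22])}
    if f["type"] == TYPE_DATA:
        to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
        if not to_ds and not from_ds:        # IBSS: DA, SA, BSSID
            f["da"], f["sa"], f["bssid"] = f["addr1"], f["addr2"], f["addr3"]
        elif from_ds and not to_ds:          # AP -> station: DA, BSSID, SA
            f["da"], f["bssid"], f["sa"] = f["addr1"], f["addr2"], f["addr3"]
        elif to_ds and not from_ds:          # station -> AP: BSSID, SA, DA
            f["bssid"], f["sa"], f["da"] = f["addr1"], f["addr2"], f["addr3"]
        else:                                # WDS: RA, TA, DA, SA (4th address)
            f["da"], f["sa"], f["bssid"] = f["addr3"], mac_str(raw[24:30]), None
    return f

def talk_graph(frames):
    """Who talks to whom, from headers alone; the payload may be WEP/TKIP/CCMP protected."""
    parsed = (parse_frame(r) for r in frames)
    return Counter((f["sa"], f["da"]) for f in parsed if f["type"] == TYPE_DATA)

def nav_value(duration):
    """Bit 15 clear: a NAV reservation in us. Bit 15 set: CFP marker or PS-Poll AID."""
    return duration if duration & 0x8000 == 0 else None

def nav_update(nav_until, now_us, frame, my_mac):
    """Virtual carrier sense of a third station that overhears the frame."""
    nav = nav_value(frame["duration"])
    if nav is None or frame["addr1"] == my_mac:
        return nav_until
    return max(nav_until, now_us + nav)

def duration_plausible(frame):
    """An unfragmented data frame only needs SIFS + ACK after it; anything larger
    reserves air time it cannot use (assumed bound; RTS/CTS are not checked here)."""
    if frame["type"] != TYPE_DATA or frame["flags"] & FLAG_MORE_FRAG:
        return True
    nav = nav_value(frame["duration"])
    return nav is None or nav <= SIFS_US + ACK_US

def constructed_capture():
    """Four protected data frames of a two-way exchange, then one forged frame."""
    ok, p = SIFS_US + ACK_US, b"\x00" * 16
    return [
        build_frame(TYPE_DATA, SUBTYPE_DATA, FLAG_TO_DS | FLAG_PROTECTED, ok, AP, STA_A, STA_B, 1, p),
        build_frame(TYPE_DATA, SUBTYPE_DATA, FLAG_FROM_DS | FLAG_PROTECTED, ok, STA_A, AP, STA_B, 2, p),
        build_frame(TYPE_DATA, SUBTYPE_DATA, FLAG_TO_DS | FLAG_PROTECTED, ok, AP, STA_A, STA_B, 3, p),
        build_frame(TYPE_DATA, SUBTYPE_DATA, FLAG_TO_DS | FLAG_PROTECTED, ok, AP, STA_B, STA_A, 4, p),
        # Forged: no key needed, the cleartext header alone reserves the channel
        build_frame(TYPE_DATA, SUBTYPE_DATA, FLAG_TO_DS, NAV_MAX_US, AP, STA_A, STA_B, 5, b"\x00"),
    ]

def analyse(frames, my_mac=OBSERVER, spacing_us=1000):
    """Run the three analyses over a capture; frames are assumed spacing_us apart."""
    graph, nav_until, bogus = talk_graph(frames), 0, []
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        nav_until = nav_update(nav_until, i * spacing_us, f, my_mac)
        if not duration_plausible(f):
            bogus.append(i)
    return graph, nav_until, bogus

if __name__ == "__main__":
    graph, nav_until, bogus = analyse(constructed_capture())
    print("talk graph:", dict(graph))
    print("observer NAV busy until %d us; implausible frames: %s" % (nav_until, bogus))
```

Reading the addresses requires no key; only the payload of the protected frames is hidden, and the talk graph comes out the same whether or not the Protected bit is set. The forged last frame parks the overhearing station's NAV almost 33 ms into the future while the check flags it, because its duration far exceeds what an unfragmented data frame can legitimately reserve. The timing constants are 802.11b long-preamble values, so the bound must be recomputed for other PHYs, and RTS/CTS frames, which legitimately reserve a whole data exchange, are deliberately left out.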
Topology
We can set up WLANs in two different modes corresponding to two distinct network topologies: the infrastructure mode, in which an AP centrally coordinates the network, which in turn assumes a virtual star topology, and the ad hoc mode, which has no centralized coordination and a mesh topology.

In the infrastructure mode, the AP is the single required element in the network: if the AP fails, the whole network is blocked. Recent commercial solutions mitigate this single point of failure through fault-tolerance mechanisms; for example, APs can increase their transmission power and cover a broader area after discovering that a neighbor AP has vanished. A straightforward attack against an AP consists of flooding it with false authentication requests to exhaust its buffers and make it refuse any other legitimate access to the network. This drawback is balanced by the fact that a network with centralized coordination is easier to manage from a security standpoint than a fully distributed one. Networks in the infrastructure mode, for example, can benefit from 802.1X authentication because the AP acts as a gateway toward a well-established security infrastructure, whereas the native 802.11 ad hoc mode relies only on a static shared secret.
Synchronization
Anything that's simple in a wired environment (such as network cables plugged into wall sockets) must be emulated with special frames in the wireless world, which can lead to problems when synchronizing state transitions between two or more entities (such as client and AP, or two peers in an ad hoc network). As in any system in which two or more parties must remain synchronized to work, a successful desynchronization forced by an attacker leads to a system malfunction. This problem is especially acute for WiFi network features such as authentication and association, power saving, and layer 2 cryptography.

Authentication and association. WiFi provides association and authentication mechanisms to distinguish authorized from unauthorized nodes. The first attempt at implementing them included a basic MAC-layer authentication that exploited special frames and could be either null ("open system") or a WEP-based challenge-response ("shared key"). Because WEP was so easy to defeat, a new security layer was added, but it isn't compulsory. After the basic open authentication, it performs the real authentication using normal data frames (like any other application).

As straightforward as they seem, these solutions are flawed because the mechanisms lack protection: the open authentication doesn't include any security, whereas WEP performs only client authentication (the AP doesn't authenticate itself to the client), paving the way to man-in-the-middle attacks. In addition, the logout mechanism isn't protected, which allows DoS attacks. Moreover, the deauthentication frame isn't, in fact, authenticated, not even with the extra extensions in the 802.11i standard, so it's easy to attack the network with packet-injection techniques.3

The Extensible Authentication Protocol (EAP; RFC 2284) suffers from similar vulnerabilities and had to be fixed for WiFi usage: only EAP methods that provide mutual authentication are allowed (so we can use EAP-TLS but not EAP-MD5), and a further exchange (the four-way handshake) was added to prove the authenticity of the AP when it is separated from the authentication server. As a result, our "robust security network" lacks robustness: the EAP logout mechanism (the 802.1X EAPOL-Logoff frame, referred to here as EAP-Logoff) is unprotected, and a successful desynchronization of the basic 802.11 authentication also clears the EAP authentication. Depending on the actual EAP method, the authentication process can take up to 12 times longer than the basic 802.11 open authentication.
Power-saving capabilities. When a station is about to go into power-saving mode, it first synchronizes with the other parties (stations or APs) so that they buffer its traffic. To break this synchronization, an attacker can induce any state transition triggered by an unprotected event. The power-saving mechanism is thus vulnerable to attacks such as traffic stealing (an attacker claims another station's buffered traffic), artificial delay (traffic for the target is buffered even if the station isn't in power-saving mode, which is especially dangerous for time-critical traffic such as multimedia streams), and "sleep deprivation" (preventing a station from going into power-save mode by continuously sending traffic to it). In our experience, the 802.11 MAC layer is quite effective at limiting sleep deprivation: a station can't be forced to violate its power-conservation policy. The impact of the other attacks depends on the type of traffic the target station exchanges.3
Cryptography at layer 2. We aren't concerned here with classic cryptographic vulnerabilities, such as those found in WEP; rather, we've found that even unbreakable cryptographic mechanisms offer a vulnerable side because they might require computational and energy resources that are quite large for small and mobile devices. The Temporal Key Integrity Protocol (TKIP), the "patch" the 802.11i standard provided for WEP's weaknesses, adopts simple algorithms to match the available computing power.2 Because this also creates a weakness, TKIP employs countermeasures if it suspects an attack: the attack's targets must stop exchanging traffic, shut down any existing security association, and re-establish new ones. However, these countermeasures could also become a DoS mechanism; whether they do ultimately depends on how easy it is to mount a man-in-the-middle attack.

Eliminating or limiting cryptography doesn't necessarily yield a better global power budget because the energy that cryptography requires is just a fraction of that used for radio communication.7 The energy related to wireless activity is accounted for not only in the WLAN card itself but also in the rest of the platform (mainly the CPU and I/O bus). Processing an incoming packet requires power from both the CPU and the I/O bus, but if a packet is discarded, only the WiFi device requires full power. Thus, discarding invalid incoming packets as soon as possible is vital for mitigating a flooding attack's impact. Because packet verification occurs after packet acknowledgment, an attacker can always make the WiFi device turn on its own transmission circuitry. However, this exposure is negligible because ACK frames are short and WiFi's receiving and transmitting modes have comparable power consumption. This design choice avoids imposing hard timing constraints on cryptographic operations and allows software implementations in the driver besides the hardware ones on the card.
Upper levels
Applications that deal with personal information are extremely vulnerable to data capture and disclosure. At first glance, home banking might seem to be the most sensitive application, but most banks provide secure access through SSL channels. The real issue here is privacy: most services typically aren't protected in the network stack's upper layers and carry information that attackers can use to profile and track potential victims.

Vulnerabilities typically narrow the available bandwidth, and a narrow channel incurs delays that can hurt real-time services; as noted earlier, multimedia streams in particular are very sensitive to delays in packet delivery because they directly affect quality of service. A possible defense could be to make upper-level protocols able to handle the radio link's unavailability. This is a key research field in networking,8 and the typical goal is to distinguish between congestion and unavailability due to the radio medium's coarse and variable nature.
Lab experience
The analysis we've presented so far raises a key question: how real are the threats we've outlined? To answer that question, we built some attack tools that exploit a few of the vulnerabilities discussed here and tested them against a small WiFi network in our labs. Every test had three key objectives: to understand whether the attack could really be implemented from commercial off-the-shelf components, to determine the actual effects on WiFi activity, and to figure out how to isolate the attack with an intrusion detection module.

All the attacks we tested use off-the-shelf hardware and open source device drivers, and are fairly easy to do. We needed a bit of expertise to design them, but we believe anyone with adequate knowledge of Linux and wireless networks can use them effectively. Under some attack conditions, the target network was completely blocked for the test's whole duration. A packet capture engine could detect almost all the attacks, and all of them introduced various anomalies in network behavior.
Deauthentication and EAP-Logoff
We implemented our attacks via the libwlan open source packet injection library and gradually raised the injection rate of spoofed frames. The network was blocked at a rate of one spoofed frame every second for the deauthentication attack and one every two seconds for the EAP-Logoff attack. The re-authentication time was approximately 35 ms for 802.11 open authentication and grew 12 times for the EAP-TLS authentication method. The observed anomalies were a high number of deauthentication/EAP-Logoff frames, each followed by a new authentication/EAP-Start sequence.

MAC-level jamming
Our version of the jamming attack consisted of a special test mode already available in the devices we used, which gave us continuous transmission regardless of MAC-level access rules. This caused constant collisions with every other station in the cell, which was then totally blocked. Because colliding stations back off and don't transmit for some time, we didn't need to perform full-time jamming; we only had to send small bursts of noise. Our tests showed that a 10 percent jamming duty cycle was enough to halt transmission in a cell, and as a side effect, most of the devices cleared their association information after missing a small number of beacon frames from the AP. The jamming effect spanned three adjacent WiFi channels, but this attack didn't require packet injection techniques and thus was hardly detectable with a network-layer intrusion detection system.
Multimedia performance
By forging the appropriate frame (for example, an empty data frame with the power management bit set), we could make the AP believe that the victim was in power-save mode so that it would start buffering traffic for it. This caused delays in traffic delivery, which especially hurt our real-time traffic; in fact, we could stop a Real-time Transport Protocol (RTP) flow with this attack. Of course, the victim's precise behavior depends on the device driver's implementation of power-save mode. Some drivers always react upon receipt of the traffic indication map (TIM; it's part of every beacon frame and announces the presence of buffered traffic) and tell the AP that they're not in power-save mode, thus mitigating the attack's effects. Other drivers ignore the TIM if the station isn't in power-save mode and thus suffer the attack's full effects.
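The two driver behaviors observed above, and the buffering that the earlier "artificial delay" discussion describes, can be reproduced in a small discrete-time model. The following Python simulation is an added example, not the authors' tool or test setup: an access point that trusts the Power Management bit of any received frame, a receive-only stream of one packet every 20 ms toward the victim, a beacon every 100 ms, and a victim driver that either reacts to its bit in the TIM or ignores it while awake. All parameters, the address, and the timing are assumptions.

```python
from dataclasses import dataclass, field

# Assumed parameters: 100 ms beacon interval, a one-way 50 packet/s stream
# (the victim only receives), attack injected 5 ms after the start.
BEACON_INTERVAL_MS = 100
STREAM_PERIOD_MS = 20
VICTIM = "00:11:22:33:44:01"        # constructed address

@dataclass
class AccessPoint:
    dozing: dict = field(default_factory=dict)     # station -> believed asleep?
    buffered: dict = field(default_factory=dict)   # station -> [(seq, t_arrival)]
    delivered: list = field(default_factory=list)  # (station, seq, t_arrival, t_delivery)

    def on_station_frame(self, sta, pm_bit, now):
        """Every received frame carries the unauthenticated Power Management bit;
        the AP trusts it, so a spoofed null data frame with PM=1 is enough."""
        self.dozing[sta] = bool(pm_bit)
        if not pm_bit:
            self.flush(sta, now)

    def on_downlink(self, sta, seq, now):
        """Traffic for a station the AP believes asleep is buffered, not sent."""
        if self.dozing.get(sta):
            self.buffered.setdefault(sta, []).append((seq, now))
        else:
            self.delivered.append((sta, seq, now, now))

    def tim(self):
        """Traffic indication map: stations with buffered frames, sent in each beacon."""
        return {sta for sta, q in self.buffered.items() if q}

    def flush(self, sta, now):
        for seq, t_arrival in self.buffered.pop(sta, []):
            self.delivered.append((sta, seq, t_arrival, now))

@dataclass
class Station:
    mac: str
    in_ps_mode: bool = False
    reacts_to_tim: bool = True      # the driver behaviour that differed between devices

    def on_beacon(self, ap, now):
        # A careful driver sees its bit in the TIM although it never went to sleep
        # and corrects the AP; a careless one ignores the TIM while awake.
        if self.reacts_to_tim and not self.in_ps_mode and self.mac in ap.tim():
            ap.on_station_frame(self.mac, 0, now)

def run(reacts_to_tim, attack_at_ms=5, attack_every_ms=None, horizon_ms=1000):
    """Simulate the stream under one spoofed PM=1 frame (or one per attack_every_ms)."""
    ap, victim = AccessPoint(), Station(VICTIM, reacts_to_tim=reacts_to_tim)
    ap.on_station_frame(victim.mac, 0, 0)        # victim associates awake
    seq = 0
    for now in range(horizon_ms + 1):
        injected = now == attack_at_ms or (
            attack_every_ms and now > attack_at_ms
            and (now - attack_at_ms) % attack_every_ms == 0)
        if injected:
            ap.on_station_frame(victim.mac, 1, now)  # forged empty data frame, PM bit set
        if now % BEACON_INTERVAL_MS == 0:
            victim.on_beacon(ap, now)
        if now % STREAM_PERIOD_MS == 0:
            ap.on_downlink(victim.mac, seq, now)
            seq += 1
    delays = [t_d - t_a for _, _, t_a, t_d in ap.delivered]
    return {"sent": seq, "delivered": len(ap.delivered), "max_delay_ms": max(delays),
            "stuck": sum(len(q) for q in ap.buffered.values())}

if __name__ == "__main__":
    print("driver reacts to TIM:          ", run(True))
    print("driver ignores TIM while awake:", run(False))
    print("reacts, re-spoofed each beacon:", run(True, attack_every_ms=BEACON_INTERVAL_MS))
```

With the reacting driver the damage is bounded by one beacon interval (80 ms of extra delay here, still several times the 20 ms cadence of the stream) and the attacker must re-inject after every beacon to keep it up; with the driver that ignores the TIM while awake, a single forged frame leaves the stream buffered at the AP until the victim happens to transmit a frame of its own with the PM bit clear.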
Thus far, we've made it clear that WiFi isn't ready for critical applications, mainly because of its intrinsic robustness problems. But next-generation wireless networks need modern security features, and WiFi will have to provide extensions and changes to maintain its supremacy among the various wireless data technologies.

Jamming attacks have so far gone unstopped, and their effects are devastating. Researchers have suggested various approaches to thwarting them,9 but a recent approach to detecting them is to monitor the channel and share what each node sees, to create a "global view" of the network.10 The idea is to detect the jam via node cooperation because a single node can't distinguish jamming from channel saturation. Any approach that improves wireless networks' anonymity could also help with robustness: the traffic related to a specific node would be more difficult to select and jam.10,11

At the physical level, a new radio technology that can greatly help with robustness problems is ultra wide band (UWB).12 Despite some standardization delays, it's expected to hit the mass market soon as a radio layer of the USB wireless extension. UWB could potentially exploit its extremely large bandwidth to hide communication channels by coding or frequency hopping, which makes interception harder and jamming at least more manifest. Unfortunately, current UWB standardization efforts for wireless personal area networks are heading toward a fully shared MAC layer, which removes these potential benefits. Nevertheless, UWB still offers a key security property: it supports fine-grained location of transmitting nodes. In general, knowledge of exact locations can help prevent man-in-the-middle attacks, and inconsistencies between a node's actual position and the one its peer perceives can point out the presence of an attacker in the middle. Clearly, location verification must also be secured, but node location with the current 802.11 technology is a complex problem.13 In corporate environments, some proprietary commercial solutions for attacker location are available, but they're based on the coordination of several homogeneous, centrally managed APs.

The main research issue is how to design a robust, secure wireless channel, but this field lacks both theoretical and practical literature. The general problem here is how to identify and reject fake events at the MAC level. In some cases (such as with man-in-the-middle attacks), the MAC layer can quickly identify malicious events if its security mechanisms are made aware of specific wireless information, such as frequency, location, or distance. We can easily extend some 802.11 frames (notably, the ones for cell advertisement, node authentication, and association) to carry such additional information. We can address other vulnerabilities, such as the deauthentication attack, with short-term fixes; for example, a spoofed deauthentication frame can be detected (and discarded) by waiting for further traffic from the victim, because a station that keeps transmitting after its supposed deauthentication never sent it. We can extend the same trick to mitigate similar vulnerabilities in EAP.
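The "wait for further traffic" fix just described and the anomaly noted in the lab section (bursts of deauthentication frames, each followed by a re-authentication) can be combined in one detector. The following Python code is an added illustration, not the authors' intrusion detection module: it consumes already-decoded frame events of the form (time, kind, source, destination), holds each deauthentication for a hold-down period keyed on its claimed sender, treats any data frame from that sender during the hold-down as proof of spoofing (so it covers both the station-to-AP and the AP-to-station direction), and separately flags station/AP pairs whose deauthentication rate exceeds a threshold. The hold-down time, the rate threshold, the addresses, and the trace are assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values: hold a deauthentication for 2 s before honouring it, and
# flag a station/AP pair that sees more than 3 deauthentications in 10 s.
HOLD_MS = 2000
RATE_WINDOW_MS, RATE_LIMIT = 10_000, 3

# Constructed addresses, not from the article
AP, STA_A, STA_B = "00:11:22:33:44:aa", "00:11:22:33:44:01", "00:11:22:33:44:02"

class DeauthGuard:
    """Delays acting on a deauthentication frame; traffic from the supposedly
    deauthenticated sender during the hold-down proves the frame was spoofed."""

    def __init__(self, hold_ms=HOLD_MS):
        self.hold_ms = hold_ms
        self.pending = {}                    # claimed sender -> time of unhonoured deauth
        self.spoofed, self.honoured = [], []
        self.recent = defaultdict(deque)     # (src, dst) -> recent deauth times
        self.rate_alerts = set()

    def _expire(self, now):
        for src, t in list(self.pending.items()):
            if now - t >= self.hold_ms:      # silent for hold_ms: accept the deauth
                self.honoured.append((src, t))
                del self.pending[src]

    def feed(self, t, kind, src, dst):
        """Consume one decoded frame: (time_ms, kind, source MAC, destination MAC)."""
        self._expire(t)
        if kind == "deauth":
            self.pending.setdefault(src, t)  # keep the earliest pending one
            q = self.recent[(src, dst)]
            q.append(t)
            while q and t - q[0] > RATE_WINDOW_MS:
                q.popleft()
            if len(q) > RATE_LIMIT:
                self.rate_alerts.add((src, dst))
        elif kind == "data" and src in self.pending:
            # the "departed" sender is still talking: the deauth was forged
            self.spoofed.append((src, self.pending.pop(src)))

    def finish(self, t_end):
        self._expire(t_end + self.hold_ms)   # drain whatever is still pending
        return {"spoofed": len(self.spoofed), "honoured": len(self.honoured),
                "rate_alerts": sorted(self.rate_alerts)}

def constructed_trace():
    """12 s of decoded frames: STA_A streams uplink while an attacker injects a
    deauthentication in its name once a second; STA_B deauthenticates for real."""
    trace = [(t, "data", STA_A, AP) for t in range(0, 12_000, 50)]
    trace += [(t + 3, "deauth", STA_A, AP) for t in range(1_000, 12_000, 1_000)]
    trace += [(t, "data", STA_B, AP) for t in range(0, 3_000, 500)]
    trace.append((3_000, "deauth", STA_B, AP))
    return sorted(trace)

def classify(trace, hold_ms=HOLD_MS):
    guard = DeauthGuard(hold_ms)
    for event in trace:
        guard.feed(*event)
    return guard.finish(trace[-1][0])

if __name__ == "__main__":
    print(classify(constructed_trace()))
```

The price of the hold-down is that a genuine deauthentication takes HOLD_MS to take effect, which is the trade-off behind any "wait and see" fix; in exchange, every one of the injected frames in the constructed trace is exposed by the victim's next data frame, and the rate check catches the attack even at the one-frame-per-second rate the lab section reports, though only after the first few frames.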
When trying to generalize the approach to detecting fake MAC-level events, the natural direction is to extend classic intrusion detection techniques to the typical wireless mechanisms.14 In general, anomaly-based intrusion detection techniques are the most likely to be widely applied to wireless networks because they can detect new and previously unknown attacks. Anomaly detection is especially important in wireless networks because they're used with mobile nodes and in many different scenarios that have different security policies. Anomaly detection typically uses data-mining techniques and requires cooperation among all the nodes in the network, especially for traffic monitoring and event correlation.15 However, data mining isn't needed when an attack's characteristics are well known; it's easy to detect the desynchronization attack, for example, by looking at some statistical property of the resulting traffic, such as the rate of deauthentication frames per station.

Naturally, we advocate more research that ultimately builds robust and opaque wireless channels; such features will help WiFi become a fundamental building block for critical applications. Research is ongoing in the use of WiFi technology in industrial environments.16
Acknowledgments
The work described in this article is part of the activities performed at the e-security joint lab between the Politecnico di Torino and the Istituto Superiore Mario Boella. We especially thank Daniele Mazzocchi for his many useful discussions on wireless network security.
References
1. N. Borisov, I. Goldberg, and D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11,” Proc. 7th ACM Int’l Conf. Mobile Computing and Networking, ACM Press, 2001, pp. 180–189.
2. B. Potter, “Wireless Security Future,” IEEE Security & Privacy, vol. 1, no. 4, 2003, pp. 68–72.
3. J. Bellardo and S. Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions,” Proc. 11th Usenix Security Symp., Usenix Assoc., 2003, pp. 15–28.
4. S. Capkun and J.P. Hubaux, Securing Position and Distance Verification in Wireless Networks, tech. report EPFL/IC/200443, Swiss Federal Inst. of Tech., May 2004.
5. C. Ware, T. Wysocki, and J.F. Chicharo, “Hidden Terminal Jamming Problems in IEEE 802.11 Mobile Ad Hoc Networks,” Proc. IEEE Int’l Conf. Communications (ICC), IEEE CS Press, 2001, pp. 262–265.
6. V. Gupta, S. Krishnamurthy, and M. Faloutsos, “Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks,” Proc. IEEE Military Communications Conf. (MILCOM), IEEE CS Press, 2002, pp. 1118–1123.
7. D.W. Carman, P.S. Kruus, and B.J. Matt, Constraints and Approaches for Distributed Sensor Network Security, NAI Labs tech. report #00-010, NAI Labs, Sept. 2000.
8. S. Mascolo et al., “TCP Westwood: Bandwidth Estimation for Enhanced Transport over Wireless Links,” Proc. 7th ACM Int’l Conf. Mobile Computing and Networking (MOBICOM), ACM Press, 2001, pp. 287–297.
9. W. Xu et al., “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Proc. 6th ACM Int’l Symp. Mobile Ad Hoc Networking and Computing, ACM Press, 2005, pp. 46–57.
10. A.R. Beresford and F. Stajano, “Mix Zones: User Privacy in Location-Aware Services,” IEEE Int’l Workshop on Pervasive Computing and Communication Security (PerSec), IEEE CS Press, 2004, pp. 127–131.
11. J. Kong and X. Hong, “ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Adhoc Networks,” ACM Int’l Symp. Mobile Ad-Hoc Networking and Computing, ACM Press, 2003, pp. 291–302.
12. L.E. Miller, Why UWB? A Review of Ultrawideband Technology, WCTG Report for Darpa, Nat’l Inst. Standards and Technology Wireless Comm. Technologies Group, Apr. 2003.
13. J.W. Branch et al., “Autonomic 802.11 Wireless LAN Security Auditing,” IEEE Security & Privacy, vol. 2, no. 3, 2004, pp. 56–64.
14. M. Raya, J.P. Hubaux, and I. Aad, “DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots,” ACM MobiSys, ACM Press, 2004, pp. 84–97.
15. Y. Huang and W. Lee, “A Cooperative Intrusion Detection System for Ad-Hoc Networks,” ACM Workshop on Security of Ad-Hoc and Sensor Networks, ACM Press, 2003, pp. 135–147.
16. D. Brevi et al., “A Methodology for the Analysis of 802.11a Links in Industrial Environments,” IEEE Int’l Workshop on Factory Comm. Systems, IEEE CS Press, 2006, pp. 165–174.
Marco Domenico Aime is a research assistant of computer engineering at the Politecnico di Torino. His research interests include wireless network security, trusted computing, and dependability analysis of large systems. Aime has an M.Sc. and a PhD in computer engineering from Politecnico di Torino. He is a member of the IEEE and the ACM. Contact him at [email protected].
Giorgio Calandriello has an M.Sc. in computer engineering and is a PhD student in the same field at the Politecnico di Torino. He started working on wireless security with his master’s thesis, exploring the issues of dependability and denial-of-service attacks. Contact him at [email protected].
Antonio Lioy is a professor at the Politecnico di Torino, where he leads a research group active in information systems security. His research interests are in the fields of network security, PKI, and policy-based system protection. Lioy has an MSc in electronic engineering and a PhD in computer engineering. He is a member of the IEEE and the IEEE Computer Society. Contact him at [email protected].
www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 29