Rely on Wifi


Transcript of Rely on Wifi

Page 1: Rely on Wifi

8/3/2019 Rely on Wifi

http://slidepdf.com/reader/full/rely-on-wifi 1/7

Wireless Networks

Dependability in Wireless Networks: Can We Rely on WiFi?

Marco Domenico Aime, Giorgio Calandriello, and Antonio Lioy, Politecnico di Torino

Published by the IEEE Computer Society, 1540-7993/07/$25.00 © 2007 IEEE. IEEE Security & Privacy, January/February 2007, p. 23.

WiFi’s dependability requirements are growing as its usage spreads to public hotspots and personal home networks. Authentication and confidentiality are crucial issues for corporate WiFi use, but privacy and availability tend to dominate pervasive usage. This article discusses dependability and its impact on WiFi usage scenarios.

WiFi, short for “wireless fidelity”, is the commercial name for the 802.11 products that have flooded the corporate wireless local area network (WLAN) market and are rapidly becoming ingrained in our daily lives via public hotspots and digital home networks. However, because a technology’s dependability requirements are proportional to its pervasiveness, newer applications mandate a deeper understanding of how much we can rely on WiFi and its security promises. So far, WiFi hasn’t had the best track record: researchers and hackers easily defeated its first security mechanism, Wired Equivalent Privacy (WEP) [1]. Although the 802.11i standard (also known by its commercial name, WPA2) addresses this failure and the larger issues of confidentiality and authentication [2], no ongoing standardization effort handles WiFi availability, and problems with robustness mean that a successful attack can block a network and its services, at least for the attack’s duration. Another oft-neglected aspect of 802.11 networks is privacy: not payload confidentiality but node activity monitoring. This kind of monitoring has value on its own (for example, for contrasting user identification and location), but it also has a strong link to dependability in attacks targeted at a specific node.

To our knowledge, no current practical or theoretical framework handles WiFi dependability issues. Moreover, no previous work has analyzed WiFi security from this viewpoint. Most research examines WiFi confidentiality and authentication by explaining the problems related to native 802.11 security (WEP and shared-key authentication) and showing how inadequate such mechanisms are. The same effort hasn’t been put into analyzing a wireless network’s availability and robustness: in fact, many denial-of-service (DoS) attacks against WLANs are known, but so far only one research effort describes the actual implementation of two DoS attacks and possible countermeasures [3].

In this article, we present an overview of WiFi vulnerabilities and investigate their proximate and ultimate origins. The intended goal is to provide a foundation to discuss WiFi dependability and its impact on current and future usage scenarios. Although a wireless network’s overall security depends on the network stack up to the application layer, this article focuses on specific vulnerabilities at the physical (PHY) and data link (MAC) layers of 802.11 networks.

The PHY layer

WiFi uses a single narrow-band radio channel on a public frequency. Radio communications are typically multiplexed on some combination of space, frequency, time, and coding; WiFi exploits the first three. The available power range in WiFi devices allows for cells with an average radius of less than 100 meters (the exact value depends heavily on obstacles and antenna directionality, ranging from hundreds of meters with radio bridges to a few meters in closed rooms). Generally, WiFi uses a limited pool of narrow-band frequencies on unlicensed bands at 2.4 and 5 GHz.

Current WiFi networks rely on two different basic coding techniques: Direct Sequence Spread Spectrum (DSSS), which 802.11b and 802.11g devices use, and Orthogonal Frequency Division Multiplexing (OFDM), which 802.11a and 802.11g devices use. Nodes on the same frequency share a
single channel, which the 802.11 MAC layer serializes through random access and contention mechanisms. These characteristics allow for several attacks, which we’ll discuss in more detail in the following subsections.

Interception

It’s not surprising that an attacker can intercept a radio communication, but the threat’s relevance clearly depends on the nature of the leaked information. Most cryptographic protocols address content eavesdropping but pay little attention to privacy issues. The 802.11 standard never uses mechanisms for preventing traffic analysis, so it’s fairly easy to infer the number of “talking” nodes, their identities (that is, some long-lived identifier for each of them), and who’s talking to whom. This lets an attacker violate user privacy, so we want to hide as much information as possible; taken to the extreme, we even want to conceal an ongoing communication’s existence.

Content eavesdropping is still an issue if cryptographic protocols aren’t used properly. Of course, the prologue of any content-eavesdropping attack is channel selection. Unfortunately, the limited number of channels and frequencies in WiFi devices makes this step trivial; moreover, any 802.11 device has built-in capabilities to scan and report activity on all available channels.

The 802.11 specification originally included a low-rate (1 to 2 Mbps) PHY layer that used a frequency-hopping transmission technique. Frequency hopping could make interception harder, but 802.11 designed it for avoiding interference only. It used 79 channels and a set of 78 possible hopping sequences; the access point (AP) broadcasts the hopping sequence and the dwell time. Keeping the hopping information hidden makes channel selection harder for casual attackers, but given a limited number of channels and a static sequence, they could easily recover the hidden sequence.

In general, today’s narrow-band radio technologies can’t hide communication. Their spectral efficiency is too low to support a sufficiently large number of high-bit-rate channels over the available bands, and it’s easy to scan a small number of possible channels for ongoing communications. We must therefore accept that interception is easy, especially because the radio coverage area can’t be delimited precisely. Physical anti-interception techniques aren’t fit for common WiFi usage scenarios, so mechanisms at the MAC layer or above must prevent information leakage, from content eavesdropping to identity tracking and traffic analysis.

Injection

Radio transmission, as well as reception, can’t be confined to a restricted area, so WiFi relies on logical access control mechanisms for authorized access. However, this heavily limits the validity of well-established security tools such as firewalls and network intrusion detection systems, so authorized traffic is instead validated as it flows over the wireless link (the security perimeter is now spread across every network link). In practice, though, this activity constrains the upper network layers in their attempt to provide specific security mechanisms. As a solution, the MAC level could provide data source authentication for every transmitted frame by identifying the source as a specific node or as a member of a trusted group.

Jamming

Radio communications are subject to jamming, which is cheap and easy to do in a narrow-band channel such as the one WiFi devices occupy. Jamming can make corporate WLANs unavailable, which is certainly annoying, or even block a residential phone network or hospital medical infrastructure, which is much scarier. The WiFi nodes themselves can easily detect a jam because each station already monitors channel quality for AP and bit-rate selection, but locating the actual attacker is a different story.

WiFi sails on unlicensed industrial, scientific, and medical (ISM) bands; in these bands, networks of devices subject to independent authorities can coexist in the same area and share the same communication channel. The WiFi MAC layer handles overlapping cells, but doesn’t guarantee fairness in the presence of dishonest nodes. Even worse, transmissions are vulnerable to interference from any technology that exploits popular ISM bands, from Bluetooth devices to microwave ovens.

Locating mobile nodes

Wandering through a wireless world, an attacker can easily track MAC addresses and build a database that lists wireless nodes, their locations, and their movements, even for wearable devices such as PDAs. Although a wireless node’s exact position might be hard to get, it’s much easier to detect its presence in a large area. If the device is a personal one, this could even help someone track the device owner’s location; for example, a burglar could discover when a target property is empty while staying comfortably outside its perimeter and without performing a physical examination.

No effective solution exists yet for localizing wireless intruders, even in networks of moderate dimension. Although some recent commercial products can coordinate APs to detect and point out naive static attackers (such as unauthorized APs), the radio medium is intrinsically
hard to map, and intruders typically aren’t collaborative (they can individually spoof, move, change transmission power, use directional antennas, exploit multiple coordinated probes, and so on without any help).

Access control

To control access, the network must classify wireless nodes into trusted and untrusted sets and update them in real time. Nodes’ fast and long-range mobility makes radio network topology highly dynamic: both the set of nodes forming the network and their connectivity can change rapidly over time. To allow for quick topology change, the network must implement and carefully secure two basic network functions, neighbor discovery and node association, but, perhaps not surprisingly, some past and present security flaws in WiFi are related to discovery and association mechanisms. The problem lies not in selecting a suitable authentication mechanism but in enrolling and managing proper credentials. Current authentication infrastructures for wired networks aren’t designed to match tight cost and usability constraints, but these two factors might be even more important than the overall security level in WiFi usage outside of LANs.

Hijacking

Man-in-the-middle attacks are a traditional threat against access control solutions. Although it’s easy for attackers to intercept wireless traffic and inject an attack, it isn’t trivial to hijack a wireless channel. The attacker must ensure that the two victims can’t talk directly, thus the targets must either lie outside each other’s radio range or be desynchronized. An attacker can try to jam the receiver while still being able to access the transmitted traffic, for example by using directional antennas or a set of two probes near the sender and the receiver (attackers can always use a coalition of nodes that utilize a different, unmonitored frequency to cooperate). Alternatively, the attacker can force the two targets over to two distinct frequencies and continue to relay traffic between them; doing so makes it easy for the attacker to manipulate them. Such threats are avoidable only by including spatial and frequency information in the victims’ authentication mechanisms. Although secure distance verification is an active research topic [4], WiFi authentication ignores this problem because it doesn’t convey any spatial or frequency information. This still holds for the 802.11i standard.

Energy

Batteries are a key enabling factor for mobility in radio networks, but a limited energy supply can easily become a perfect target for availability attacks. Although breakthroughs in energy production technology will hopefully mitigate this problem, the short-term impact on security is twofold: power-conservation features and their protection become vital, and any security mechanism must be carefully evaluated against its energy cost.

The MAC layer

Although it inherits the underlying PHY layer’s insecurity, the 802.11 MAC layer adds some peculiar weaknesses of its own. Its “dangerous” features are that it implements a shared channel, can have a star or mesh topology, and must synchronize among different parties, making it much more complex than Ethernet. These three broad categories leave the network open to several different vulnerabilities.

Shared channel

When many nodes use the same channel, their traffic must be distinguishable; accordingly, 802.11 networks use a MAC address as a static station identifier. But even if communication is encrypted, the header must remain in the clear for delivery reasons, which makes statistical traffic analysis, and with it identity tracking, feasible.

A shared channel also implies a shared bandwidth, thus transmission speed lowers if several nodes use it simultaneously. It might seem that limiting the number of users per cell would guarantee an adequate bandwidth per node, but this doesn’t really work because the 802.11 MAC layer allows the coexistence of many independent cells on the same physical channel, each with its own nodes. The 802.11e standard deals with providing quality of service over WiFi networks via traffic prioritization mechanisms, but these mechanisms rely fully on the existing MAC layer, its rules, and, more important, its vulnerabilities. As such, the proposed quality-of-service mechanisms don’t enforce availability.

Additionally, the WiFi medium has strict access rules because it’s shared, and the 802.11 MAC layer works properly only when the nodes observe specific access rules (such as timing, physical and virtual channel sensing, and back-off times). Unfortunately, it’s easy to violate these rules and cause network malfunctions because many off-the-shelf devices ship with special test modes that, if turned on, let the user access the WiFi medium without respecting timing constraints. We describe our experience with a continuous transmission mode in 802.11b cards later, but a different strategy is to set a high noise threshold so that the
channel is perceived to be free regardless of other nodes’ activity: in both cases, the device transmits and violates access rules. This trick can easily defeat the clear channel assessment function of the DSSS-based 802.11b standard (researchers have shown the DSSS physical layer to be particularly sensitive to access violations [5]), but we can also apply the general concept to OFDM-based 802.11a. Customization of a device’s firmware can fully subvert the MAC layer’s rules; unfortunately, programmable MAC and radio layers are already used in research activity.

The 802.11 standard also uses a logical mechanism to assess whether the channel is free or busy; it implements this mechanism with every frame of the protocol, each of which includes a duration field that indicates channel occupation time in microseconds. This field implements a virtual channel-sensing mechanism that can cope with signal collisions from hidden terminals. Unfortunately, cryptographic mechanisms can’t protect such information cheaply due to its broadcast nature. This situation opens up a new vulnerability because an attacker can mangle the duration field and fool a station into believing that the channel is busy when it’s actually free (more information about this and other attacks appears elsewhere [3, 6]).

Topology

We can set up WLANs in two different modes corresponding to two distinct network topologies: the infrastructure mode, in which an AP centrally coordinates the network, which in turn assumes a virtual star topology, and the ad hoc mode, which has no centralized coordination and a mesh topology.

In the infrastructure mode, the AP is the single required element in the network: if the AP fails, the whole network is blocked. Recent commercial solutions mitigate this single point of failure through fault-tolerance mechanisms: APs can increase their transmission power and cover a broader area after discovering that a neighbor AP has vanished. A straightforward attack against an AP consists of flooding it with false authentication requests to exhaust its buffers and make it refuse any other legitimate access to the network. This drawback is balanced by the fact that a network with centralized coordination is easier to manage from a security standpoint than a fully distributed one. Networks in the infrastructure mode, for example, can benefit from 802.1X authentication because the AP acts as a gateway toward a well-established security infrastructure, whereas the native 802.11 ad hoc mode relies only on a static shared secret.

Synchronization

Anything that’s simple in a wired environment (such as network cables plugged into wall sockets) must be emulated with special frames in the wireless world, which can lead to problems when synchronizing state transitions between two or more entities (such as client and AP, or two peers in an ad hoc network). As in any system in which two or more parties must remain synchronized to work, a successful desynchronization forced by an attacker leads to a system malfunction. This problem is especially acute for WiFi network features such as authentication and association, power saving, and level 2 cryptography.

Authentication and association. WiFi provides association and authentication mechanisms to distinguish authorized from unauthorized nodes. The first attempt at implementing them included a basic MAC-layer authentication that exploited special frames and could either be null or a WEP-based challenge response. Because WEP was so easy to defeat, a new security layer was added, but it isn’t compulsory. After the basic open authentication, it performs the real authentication and uses normal data frames (like any other application).

As straightforward as they seem, these solutions are flawed because the mechanisms lack protection: the open authentication doesn’t include any security, whereas WEP performs only client authentication (the AP doesn’t authenticate itself to the client), paving the way to man-in-the-middle attacks. In addition, the logout mechanism isn’t protected, thus allowing DoS attacks. Moreover, the deauthentication frame isn’t, in fact, authenticated, not even with the extra extensions in the 802.11i standard, so it’s easy to attack the network with packet-injection techniques [3].

Extensible Authentication Protocol (EAP; RFC 2284) suffers from similar vulnerabilities and had to be fixed for WiFi usage: only EAP methods that provide mutual authentication are allowed (thus we can use EAP-TLS but not EAP-MD5), and a further exchange (the four-way handshake) was added to prove the authenticity of the AP when it is separated from the authentication server. As a result, our “robust security network” lacks robustness: the EAP logout mechanism (the EAP-Logoff frame) is unprotected, and successful desynchronization of the basic 802.11 authentication also clears EAP authentication. Depending on the actual EAP method, the authentication process can take up to 12 times longer than the basic 802.11 open authentication.

Power-saving capabilities. When a station is about to go into power-saving mode, it first synchronizes with
other parties (stations or APs) so that they buffer its traffic. To break this synchronization, an attacker can induce any state transition triggered by an unprotected event. The power-saving mechanism is thus vulnerable to attacks such as traffic stealing (an attacker claims another station’s traffic), artificial delay (traffic for the target is buffered even if the station isn’t in power-saving mode, which is especially dangerous for time-critical traffic such as multimedia streams), and “sleep deprivation” (preventing a station from going into power-save mode by continuously sending traffic to it). In our experience, the 802.11 MAC layer is quite effective at limiting sleep deprivation: a station can’t be forced to violate its power-conservation policy. The impact of the other attacks depends on the type of traffic the target station exchanges [3].

Cryptography at level 2. We aren’t concerned here with classic cryptographic vulnerabilities, such as those found in WEP; rather, we’ve found that even unbreakable cryptographic mechanisms offer a vulnerable side because they might require computational and energy resources that are quite large for small and mobile devices. The Temporal Key Integrity Protocol (TKIP), the “patch” the 802.11i standard provided for WEP’s weaknesses, adopts simple algorithms to match available computing power [2]. Because this also creates a weakness, TKIP employs countermeasures if it suspects an attack: the attack’s targets must stop exchanging traffic, shut down any existing security association, and re-establish new ones. However, these countermeasures could also become a DoS mechanism; whether they do ultimately depends on how easy it is to mount a man-in-the-middle attack.

Eliminating or limiting cryptography doesn’t necessarily yield a better global power budget because the energy that cryptography requires is just a fraction of that used for radio communication [7]. The energy related to wireless activity is accounted for not only in the WLAN card itself but also in the rest of the platform (mainly the CPU and I/O bus). The processing of an incoming packet requires power from both the CPU and the I/O bus, but if a packet is discarded, only the WiFi device requires full power. Thus, discarding invalid incoming packets as soon as possible is vital for mitigating a flooding attack’s impact. Because packet verification occurs after packet acknowledgment, an attacker can always make the WiFi device turn on its own transmission circuitry. However, this exposure is negligible due to the ACK frames’ shortness and the comparable power consumption of WiFi receiving and transmitting modes. This choice avoids imposing hard timing constraints on cryptographic operations and allows software implementations in the driver besides the hardware ones on the card.

Upper levels

Applications that deal with personal information are extremely vulnerable to data capture and disclosure. At first glance, home banking might seem to be the most sensitive application, but most banks provide secure access through their SSL channels. The real issue here is privacy: most services typically aren’t protected in the network stack’s upper layers and carry information that attackers can use to profile and track potential victims.

Vulnerabilities typically narrow the available bandwidth, and a narrow channel incurs delays that can hurt real-time services; as noted earlier, multimedia streams in particular are very sensitive to delays in packet delivery because they directly affect quality of service. A possible defense could be to make upper-level protocols able to handle the radio link’s unavailability. This is a key research field in networking [8], and the typical goal is to distinguish between congestion and unavailability due to the radio medium’s coarse and variable nature.

Lab experience

The analysis we’ve presented so far raises a key question: how real are the threats we’ve outlined? To answer that question, we built some attack tools that exploit a few of the vulnerabilities discussed here and tested them against a small WiFi network in our labs. Every test had three key objectives: to understand whether the attack could really be implemented from commercial off-the-shelf components, to determine the actual effects on WiFi activity, and to figure out how to isolate the attack with an intrusion detection module.

All the attacks we tested use off-the-shelf hardware and open source device drivers, and are fairly easy to do. We needed a bit of expertise to design them, but we believe anyone with adequate knowledge of Linux and wireless networks can use them effectively. Under some attack conditions, the target network was completely blocked for the test’s whole duration. A packet capture engine could detect almost all the attacks, and all of them introduced various anomalies in network behavior.

Deauthentication and EAP-Logoff

We implemented our attacks via the libwlan open source packet injection library and gradually raised the injection rate of spoofed frames. The network was blocked at a rate
of one spoofed frame every second for the deauthentication attack and every two seconds for the EAP-Logoff attack. The re-authentication time was approximately 35 ms for 802.11 open authentication and grew 12 times for the EAP-TLS authentication method. The observed anomalies were a high number of deauthentication/EAP-Logoff frames followed by a new authentication/EAP-Start sequence.

MAC-level jamming

Our version of the jamming attack consisted of a special test mode already available in the devices we used, which gave us continuous transmission regardless of MAC-level access rules. This caused constant collisions with every other station in the cell, which was then totally blocked. Because colliding stations back off and don’t transmit for some time, we didn’t need to perform full-time jamming; we only had to send small bursts of noise. Our tests showed that a 10 percent jamming period was enough to halt transmission in a cell, and as a side effect, most of the devices cleared their association information after missing a small number of beacon frames from the AP. The jamming effect spanned three adjacent WiFi channels, but this attack didn’t require packet injection techniques and thus was hardly detectable with a network-layer intrusion detection system.

Multimedia performance

By forging the appropriate frame (for example, an empty data frame with the power management bit set), we could make the AP believe that the victim was in power-save mode so that it would start buffering traffic for it. This caused delays in traffic delivery, which especially hurt our real-time traffic; in fact, we could stop a Real-Time Protocol (RTP) flow with this attack. Of course, the victim’s precise behavior depends on the device driver’s implementation of the power-save mode. But some drivers always react upon receipt of the traffic indication map (TIM; it’s part of every beacon frame and announces the presence of buffered traffic) and tell the AP that they’re not in power-save mode, thus mitigating the attack’s effects. Other drivers ignore the TIM if the station isn’t in power-save mode and thus suffer the attack’s whole effects.

Thus far, we’ve made it clear that WiFi isn’t ready for critical applications, mainly because of its intrinsic robustness problems. But next-generation wireless networks need modern security features, and WiFi will have to provide extensions and changes to maintain its supremacy among the various wireless data technologies.

Jamming attacks have so far gone unstopped, and their effects are devastating. Researchers have suggested various approaches to thwarting them [9], but a recent approach to detecting them is to monitor the channel and share what each node sees, to create a “global view” of the network [10]. The idea is to detect the jam via node cooperation because a single node can’t distinguish jamming from channel saturation. Any approach that improves wireless networks’ anonymity could also help with robustness: the traffic related to a specific node would be more difficult to select and jam [10, 11].

At the physical level, a new radio technology that can greatly help with robustness problems is ultra wide band (UWB) [12]. Despite some standardization delays, it’s expected to hit the mass market soon as a radio layer of the USB wireless extension. UWB could potentially exploit its extremely large bandwidth to hide communication channels by coding or frequency hopping, which makes interception harder and jamming at least more manifest. Unfortunately, current UWB standardization efforts for wireless personal area networks are heading toward a fully shared MAC layer, which removes any formerly available potential benefits. Nevertheless, UWB still offers a key security property: it supports fine-grain location of transmitting nodes. In general, knowledge of exact locations can help prevent man-in-the-middle attacks, and inconsistencies between a node’s actual position and the one the peer perceives can point out the presence of an attacker in the middle. Clearly, location verification must also be secured, but node location with the current 802.11 technology is a complex problem [13]. In corporate environments, some proprietary commercial solutions for attacker location are available, but they’re based on the coordination of several homogeneous, centrally managed APs.

The main research issue is how to design a robust secure wireless channel, but this field lacks both theoretical and practical literature. The general problem here is how to identify and reject fake events at the MAC level. In some cases (such as with man-in-the-middle attacks), the MAC layer can quickly identify malicious events by making security mechanisms aware of specific wireless information, such as frequency, location, or distance. We can easily extend some 802.11 frames (notably, the ones for cell advertisement, node authentication, and association) to carry additional pieces of information. We can address other vulnerabilities, such as the deauthentication attack, with short-term fixes—for example, a spoofed deauthentication frame can be detected (and discarded) by waiting for further traffic from the victim. We can extend the same trick to mitigate similar vulnerabilities in EAP.

28 IEEE SECURITY & PRIVACY ■ JANUARY/FEBRUARY 2007

When trying to generalize the approach to detecting fake MAC-level events, the natural direction is to extend classic intrusion detection techniques for typical wireless mechanisms [14]. In general, anomaly-based intrusion detection techniques are the most likely to be widely applied to wireless networks because they can detect new and previously unknown attacks. Anomaly detection is especially important in wireless networks because they’re used with mobile nodes and in many different scenarios that have different security policies. Anomaly detection typically uses data-mining techniques and requires cooperation among all the nodes in the network, especially for traffic monitoring and event correlation [15]. However, data mining isn’t needed when an attack’s characteristics are well known—it’s easy to detect the desynchronization attack, for example, by looking at some statistical property of the resulting traffic.
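The two short-term checks described above (discarding a deauthentication or EAP-Logoff that is followed by further traffic from the claimed sender, and spotting the desynchronization pattern statistically) can be turned into simple detection logic. The following is an added example, not code from the article; the frame log, MAC addresses, windows and thresholds are constructed for illustration.

```python
"""Added example (not from the article): a teardown frame (deauthentication or
EAP-Logoff) is treated as spoofed when its claimed sender keeps sending data right
after it, and a burst of teardown frames each followed by a fresh authentication or
EAP-Start is flagged as a desynchronization attack. Records: (time_s, src, kind)."""
from collections import defaultdict, deque

TEARDOWN = {"deauth", "eap_logoff"}   # frames that end a session
SETUP = {"auth", "eap_start"}         # frames that begin a new one

SAMPLE_LOG = [                        # constructed; MACs are placeholders
    (0.0, "00:11:22:33:44:01", "data"),
    (1.0, "00:11:22:33:44:01", "deauth"),     # spoofed: victim still sends data
    (1.2, "00:11:22:33:44:01", "data"),
    (1.3, "00:11:22:33:44:01", "auth"),
    (2.0, "00:11:22:33:44:01", "eap_logoff"),
    (2.2, "00:11:22:33:44:01", "eap_start"),
    (3.0, "00:11:22:33:44:01", "deauth"),
    (3.1, "00:11:22:33:44:01", "auth"),
    (9.0, "00:11:22:33:44:02", "deauth"),     # genuine leave: station goes quiet
]

def spoofed_teardowns(frames, quiet_window=0.5):
    """Times of teardown frames whose claimed sender sent data within
    quiet_window seconds afterwards; a station that really left stays silent."""
    spoofed = []
    for i, (t, src, kind) in enumerate(frames):
        if kind in TEARDOWN and any(
                s == src and k == "data" and t2 - t <= quiet_window
                for t2, s, k in frames[i + 1:]):
            spoofed.append(t)
    return spoofed

def desync_bursts(frames, window=5.0, threshold=3):
    """{mac: peak count} for senders with >= threshold teardown->setup cycles
    inside any window-second span (the statistical signature in the text)."""
    pending, cycles = {}, defaultdict(list)   # unanswered teardown per sender
    for t, src, kind in frames:
        if kind in TEARDOWN:
            pending[src] = t
        elif kind in SETUP and src in pending:
            cycles[src].append(pending.pop(src))
    alerts = {}
    for mac, times in cycles.items():
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts[mac] = max(alerts.get(mac, 0), len(recent))
    return alerts
```

On the sample log the first check flags only the deauthentication at t=1.0, and the second reports three teardown/re-setup cycles for the first station while the genuine leave at t=9.0 raises nothing.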

Naturally, we advocate more research that ultimately builds robust and opaque wireless channels—such features will help WiFi become a fundamental building block for critical applications. Research is ongoing in the use of WiFi technology in industrial environments [16].

Acknowledgments

The work described in this article is part of the activities performed at the e-security joint lab between the Politecnico di Torino and the Istituto Superiore Mario Boella. We especially thank Daniele Mazzocchi for his many useful discussions on wireless network security.

References

1. N. Borisov, I. Goldberg, and D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11,” Proc. 7th ACM Int’l Conf. Mobile Computing and Networking, ACM Press, 2001, pp. 180–189.

2. B. Potter, “Wireless Security Future,” IEEE Security & Privacy, vol. 1, no. 4, 2003, pp. 68–72.

3. J. Bellardo and S. Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions,” Proc. 11th Usenix Security Symp., Usenix Assoc., 2003, pp. 15–28.

4. S. Capkun and J.P. Hubaux, Securing Position and Distance Verification in Wireless Networks, tech. report EPFL/IC/200443, Swiss Federal Inst. of Tech., May 2004.

5. C. Ware, T. Wysocki, and J.F. Chicharo, “Hidden Terminal Jamming Problems in IEEE 802.11 Mobile Ad Hoc Networks,” Proc. IEEE Int’l Conf. Communications (ICC), IEEE CS Press, 2001, pp. 262–265.

6. V. Gupta, S. Krishnamurthy, and M. Faloutsos, “Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks,” Proc. IEEE Military Communications Conf. (MILCOM), IEEE CS Press, 2002, pp. 1118–1123.

7. D.W. Carman, P.S. Kruus, and B.J. Matt, Constraints and Approaches for Distributed Sensor Network Security, NAI Labs tech. report #00-010, NAI Labs, Sept. 2000.

8. S. Mascolo et al., “TCP Westwood: Bandwidth Estimation for Enhanced Transport over Wireless Links,” Proc. 7th ACM Int’l Conf. Mobile Computing and Networking (MOBICOM), ACM Press, 2001, pp. 287–297.

9. W. Xu et al., “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Proc. 6th ACM Int’l Symp. Mobile Ad Hoc Networking and Computing, ACM Press, 2005, pp. 46–57.

10. A.R. Beresford and F. Stajano, “Mix Zones: User Privacy in Location-Aware Services,” IEEE Int’l Workshop on Pervasive Computing and Communication Security (PerSec), IEEE CS Press, 2004, pp. 127–131.

11. J. Kong and X. Hong, “ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Ad-hoc Networks,” ACM Int’l Symp. Mobile Ad-Hoc Networking and Computing, ACM Press, 2003, pp. 291–302.

12. L.E. Miller, Why UWB? A Review of Ultrawideband Technology, WCTG Report for Darpa, Nat’l Inst. Standards and Technology Wireless Comm. Technologies Group, Apr. 2003.

13. J.W. Branch et al., “Autonomic 802.11 Wireless LAN Security Auditing,” IEEE Security & Privacy, vol. 2, no. 3, 2004, pp. 56–64.

14. M. Raya, J.P. Hubaux, and I. Aad, “DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots,” ACM MobiSys, ACM Press, 2004, pp. 84–97.

15. Y. Huang and W. Lee, “A Cooperative Intrusion Detection System for Ad-Hoc Networks,” ACM Workshop on Security of Ad-Hoc and Sensor Networks, ACM Press, 2003, pp. 135–147.

16. D. Brevi et al., “A Methodology for the Analysis of 802.11a Links in Industrial Environments,” IEEE Int’l Workshop on Factory Comm. Systems, IEEE CS Press, 2006, pp. 165–174.

Marco Domenico Aime is a research assistant of computer engineering at the Politecnico di Torino. His research interests include wireless network security, trusted computing, and dependability analysis of large systems. Aime has an M.Sc. and a PhD in computer engineering from Politecnico di Torino. He is a member of the IEEE and the ACM. Contact him at [email protected].

Giorgio Calandriello has an M.Sc. in computer engineering and is a PhD student in the same field at the Politecnico di Torino. He started working on wireless security with his master’s thesis, exploring the issues of dependability and denial-of-service attacks. Contact him at [email protected].

Antonio Lioy is a professor at the Politecnico di Torino, where he leads a research group active in information systems security. His research interests are in the fields of network security, PKI, and policy-based system protection. Lioy has an M.Sc. in electronic engineering and a PhD in computer engineering. He is a member of the IEEE and the IEEE Computer Society. Contact him at [email protected].
