Presented at the BIMA 2007 International Conference of the Business Information Management Academy, American University of Sharjah, March 18 – 19, 2007 Sharjah, United Arab Emirates.

 

Wi-Fi Security Precautions

by

Dr. George Kostopoulos

 

INTRODUCTION

 

            Wi-Fi, Wireless Fidelity, is the commercial name of a data communications protocol developed by the IEEE, and it is technically known as the IEEE 802.11 - Multi-rate DSSS[1]. Wi-Fi is the wireless equivalent of the IEEE 802.3 wired Ethernet protocol [1]. Major technology developers and OEM companies have formed WECA[2] to support certification of Wi-Fi equipment. The WECA alliance was established by the industry’s network and microchip giants, including 3Com, Cisco, Sony, Intel, Motorola, Nokia and Toshiba, and it now serves as a Wi-Fi equipment clearing house with a present membership of over 250 [2]. The 802.11 protocol provides a universal wireless LAN infrastructure standard through which interoperability among “. . . Wi-Fi certified products . . .” is guaranteed [3].

            Wi-Fi security features were originally established by the WEP[3], followed by the WPA[4], currently defined by the WPA2[5], with the next generation of access protection to be covered by 802.11w. This latest standard is expected to be published in 2008.

 

            There are presently three versions of the Wi-Fi standard; namely, the 802.11a, 802.11b and 802.11g. Versions “a” and “g” offer a data rate of 54Mbps, using a 5GHz and a 2.4GHz band respectively. Version “b”, the oldest standard, has an 11Mbps data rate operating at the 2.4GHz band [4]. Being unlicensed, the 5.0GHz band is a very busy one. However, application of the 802.11h standard, which supports Dynamic Frequency Selection and Transmit Power Control, ensures “. . . coexistence between Wi-Fi and other types of radio frequency devices . . .” [5]. The next version, projected to be formally announced at the end of 2007, is the 802.11n. It is expected that the “n” standard will not only quadruple the data throughput, bringing it to the 200-600 Mbps range, but will also be backward compatible with legacy versions “a”, “b” and “g”. The “n” version capitalizes on the availability of sufficient bandwidth and, through “. . . multiple antennas, (and) cleverer encoding . . . (aims) to achieve raw data rates up to 600 Mbps.” [6]. Appendix A displays the basic differences between the four 802.11 versions [5, 6].

            In a wireless Wi-Fi system, excluding the software, there are two components: the access point, AP[6], and the wireless interface unit, which is a card or USB device. The system’s central component is the AP, which interfaces the “wired” world with the wireless one.

            The AP, on one side, communicates with the organization’s network, and on the other with its clients, serving as a router meeting the data needs of the wireless stations (PCs, laptops, printers, projectors, etc.). The AP provides shared LAN/Internet access using Network Address Translation, NAT.

            In a non-protected Wi-Fi environment, a WD[7], wardriver, can use a victim’s bandwidth to access whatever is accessible; as a minimum the Internet or Intranet, and as a maximum all files in the victim’s computer and in any other place that is accessible by the victim’s computer. In other words, in a non-protected Wi-Fi environment, a WD can take full control of the victim’s computer. Worth mentioning is that any visit to the Internet by the WD will bear the victim’s computer identity, which may implicate the victim beyond possible proof of Wi-Fi hijacking. There are numerous cases of Wi-Fi hijacking covered in the media, most of them too sad to mention.

 

Wi-Fi PRECAUTIONS AT A HOME

 

            One: Turn Off IBSS[8] mode. In this mode the mobile unit is open to communication without any restriction. Hackers may link and silently access sensitive information. Such risks can be eliminated if the IBSS is disabled. Also, turn off the Wi-Fi connection as soon as you are finished.

 

            Two: Turn On the Infrastructure mode. The infrastructure mode enables Wi-Fi clients to access resources on the other side of the access point (printers, servers, etc.).

 

            Three: Turn Off SSID[9] Broadcasting. Since in the home environment one does not anticipate unexpected Wi-Fi devices, it is not necessary for the access point to broadcast its SSID identity to the world. Usually, this ID is entered manually once during laptop login and is remembered afterwards.

 

            Four: Change Router’s Access. The router, located in the access point, is accessible via a name and a password. They are set at the initial installation, but can be reconfigured at any time. These two parameters should be changed at intervals. Also, the default fictitious local IP address, which may have come as 192.168.1.1, can be changed to any other, as long as the numbers in the four fields range from 0 to 224, without leading zeroes. “There is no need to keep the default router name.” On the contrary, any change from the default values will contribute to the security posture. The default values are the same for all access points of a given manufacturer and are usually known to intruders [7].

 

            Five: Turn On the Encryption. The Wi-Fi specification includes the so-called Wired Equivalent Protection, WEP. The encryption algorithm comes in 40 and 64 bits. A later version, the WPA2, comes in 128 bits. Each time a mobile unit logs on to a Wi-Fi access point, the unit’s login name and password can be easily captured by a “sniffer”. One way to prevent that is to use PKI[10], where each side knows the other side’s public key, and a “passkey” can be established under encryption without exposing any non-encrypted information. The latest version of the Wi-Fi security protocol, WPA2, provides PKI. It needs to be pointed out that the encryption dissolves once the data reach their destination. That is, WPA2 is for the air-transit only. Furthermore, “. . . the underlying (encryption) algorithm is flawed and subject to relatively easy cracking.” There are even websites that provide the steps necessary to crack WEP [8].

            Six: Turn On the MAC[11] Address Filtering. Usually, Wi-Fi access points contain a gateway that has MAC filtering capabilities. One may allow the filter to pass traffic only from devices with known MAC addresses. These devices may be in the infrastructure (on the wired side of the access point), such as printers or other computers, or may be in the wireless space - the Wi-Fi card of the laptop, a Wi-Fi PDA, and the like. If in a wireless network the SSID is known, then “. . . Without MAC address filtering, any wireless client can join . . .” [9]. This, though, will not deter the advanced hacker who knows how to capture packets and extract the SSID and MAC addresses from them.

 

            Seven: Scout the Airwaves. Using specialized software, like the packet sniffer freeware Ethereal, one must frequently scout the airwaves for unexpected Wi-Fi access points or Wi-Fi clients. Such tools, like Ethereal, can capture data “. . . off-the-wire from live network connections . . . can read captured files . . . decompress them on the fly . . . (and can currently dissect) . . . 759 protocols.” [10].
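As an added example (not code from the paper): a small audit that compares a Wi-Fi scan against an inventory of the access points one actually owns and flags anything unexpected, including an unknown AP that advertises the home SSID. The SSIDs, BSSIDs and channels below are constructed placeholders; real input would come from a sniffer such as Ethereal or from the operating system’s scan list.

```python
# Added example, not from the paper: scouting the airwaves for unexpected
# access points. Scan records are constructed here; in practice they would
# be parsed from a sniffer capture or the OS scan list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str      # network name advertised in the beacon ("" if hidden)
    bssid: str     # MAC address of the access point sending the beacon
    channel: int   # radio channel the beacon was seen on


# Inventory of the access points we own: BSSID -> (SSID, channel).
# Hypothetical values, lower-case so lookups are case-insensitive.
KNOWN_APS = {
    "00:11:22:33:44:01": ("HomeNet", 6),
}

# Constructed scan: our own AP, an unknown AP reusing our SSID on another
# channel (a likely impostor), and an unrelated neighbouring network.
SCAN = [
    Beacon("HomeNet", "00:11:22:33:44:01", 6),
    Beacon("HomeNet", "66:77:88:99:aa:bb", 11),
    Beacon("NeighbourNet", "aa:bb:cc:dd:ee:ff", 1),
]


def audit(scan, known):
    """Return (severity, message) findings for one scan.

    high   - an AP we do not own is advertising one of our SSIDs
    medium - an AP we own is no longer on the channel we configured
    info   - a foreign network is in range (worth noting, not an alarm)
    """
    findings = []
    our_ssids = {ssid for ssid, _ in known.values()}
    for b in scan:
        entry = known.get(b.bssid.lower())
        if entry is None:
            if b.ssid in our_ssids:
                findings.append(("high", f"unknown AP {b.bssid} advertises our SSID "
                                         f"'{b.ssid}' on channel {b.channel}"))
            else:
                findings.append(("info", f"foreign network '{b.ssid}' ({b.bssid}) "
                                         f"on channel {b.channel}"))
        elif entry[1] != b.channel:
            findings.append(("medium", f"known AP {b.bssid} seen on channel "
                                       f"{b.channel}, expected {entry[1]}"))
    return findings
```

Run it periodically and compare against the previous run; a new "high" finding is the case the paper describes, an access point nobody installed.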

 

Wi-Fi PRECAUTIONS AT A HOTSPOT

 

            For the convenience of clients, public hotspots do not use any of the possible security features of the Wi-Fi (WEP or WPA encryption) or networking (MAC filtering). To facilitate clients’ connection, Wi-Fi access points actually broadcast their Service Set Identifier, SSID. In a hotspot, clients start by turning on their Wi-Fi option, connect to the access point, submit a valid credit card number, and the link is established. For a mobile unit to communicate with the access point, knowledge of the SSID of the access point is necessary.

 

            For a Wi-Fi client to be hacked it is not necessary that the mobile unit be in communication with any access point. The mere fact that the Wi-Fi feature is on is sufficient to establish vulnerability. Wi-Fi clients in either public or corporate hotspots need to take several precautions to maximize the defense of their sensitive information from intruders. Below are precautions that need to be taken while at a hotspot.

 

            One: Hotspot Legitimacy. Hackers would set up a fake access point in the vicinity of a legitimate public hotspot and attempt to lure connection seekers. Through such connections, hackers would capture sensitive information (user names, passwords, credit card numbers, etc.) and make subsequent illegal use of it. Wi-Fi clients need to absolutely ascertain that the hotspot is a legitimate one. Usually the facility associated with the hotspot service (waiting rooms, coffee shops, etc.) would have appropriate signs posted. There are several websites that list known legitimate hotspots worldwide [11].

 

            Two: File Encryption. Files including emails should be encrypted prior to transmission. There are numerous encryption options using dedicated software or using features embedded in applications such as word processors and email clients. One may install an encryption application that “. . . automatically encrypts all . . .  inbound and outbound Internet traffic.” [12].

 

            Three: File Sharing. While in a hotspot, keeping the file sharing option off would eliminate this mode of file transfer.

 

            Four: Turn the VPN[12] on. This way, intercepted data are rendered useless by encryption.

 

            Five: Firewall Use. A hotspot most probably uses a single static IP address to serve maybe 200 clients. That is, all clients are in the same subnet, making it easier for a client-intruder to snoop on other clients. That problem can be minimized with the use of a “personal firewall”. One may purchase a firewall, or may use the one provided by Windows XP. Through the firewall one may restrict traffic, and block or permit “. . . communications that might . . . be dangerous . . .” [13].

 

            Six: Rules of Thumb. Regardless of whether one accesses the outside world wired or wirelessly, certain additional precautions also apply: use of the latest anti-virus software, use of the most updated version of the operating system, use of Web-based secure (https) email, individual password protection for sensitive files, and, last but not least, a computer password mechanism that locks the computer if there is no keyboard or mouse activity for x minutes.

 

Wi-Fi PRECAUTIONS AT THE ENTERPRISE

 

            Corporate Wi-Fi security demands a much more serious tackling of the Wi-Fi vulnerabilities. For such cases advanced protocols and Virtual Private Networks are in order. In the enterprise environment the Wi-Fi security precautions may include all of those described above, as well as those below.

 

            One: Perimetric Fencing. Solutions are currently available where positioning of RF sensors can geometrically determine if a client is within the authorized physical area. Such technologies, which need onsite terrain training and fine tuning, have offered 100% security in testing. Using perimetric fencing, “. . . Wi-Fi environments can be protected in a 3-D air space . . . (to an accuracy of) . . . about 5 feet.” [15].
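As an added example (not the paper’s or any vendor’s code): a minimal perimetric fence in two dimensions. Three RF sensors at assumed positions each report an estimated distance to a client (constructed here from a known point; in a real system it would be derived from signal strength), the client is located by trilateration, and admission requires it to lie inside the authorized floor area by at least the roughly 5-foot accuracy the paper quotes.

```python
# Added example, not from the paper: a 2-D perimetric fence built from three
# RF sensors. Sensor positions, the authorized area and all distances are
# constructed values in feet.
import math

SENSORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 60.0)]   # (x, y) of each sensor
AUTHORIZED = (0.0, 0.0, 100.0, 60.0)                # xmin, ymin, xmax, ymax
ACCURACY_FT = 5.0   # positioning error the paper quotes for such systems


def trilaterate(sensors, dists):
    """Return (x, y) from three sensor positions and three distances.

    Subtracting the first circle equation from the other two removes the
    quadratic terms and leaves two linear equations in x and y, solved
    here with Cramer's rule. Sensors must not be collinear.
    """
    (x1, y1), (x2, y2), (x3, y3) = sensors
    d1, d2, d3 = dists
    a1, b1 = 2 * (x1 - x2), 2 * (y1 - y2)
    c1 = d2 ** 2 - d1 ** 2 - x2 ** 2 + x1 ** 2 - y2 ** 2 + y1 ** 2
    a2, b2 = 2 * (x1 - x3), 2 * (y1 - y3)
    c2 = d3 ** 2 - d1 ** 2 - x3 ** 2 + x1 ** 2 - y3 ** 2 + y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    return ((c1 * b2 - b1 * c2) / det, (a1 * c2 - c1 * a2) / det)


def inside_fence(point, area, margin=ACCURACY_FT):
    """True only if the point is inside the area by at least the margin,
    so the known positioning error cannot push an outsider over the line."""
    x, y = point
    xmin, ymin, xmax, ymax = area
    return (xmin + margin <= x <= xmax - margin) and (ymin + margin <= y <= ymax - margin)


def distances_to(point, sensors):
    """Construct the distance readings for a client standing at a known spot."""
    return [math.dist(point, s) for s in sensors]


def admit(dists, sensors=SENSORS, area=AUTHORIZED):
    """Admission decision for one client from its three distance readings."""
    return inside_fence(trilaterate(sensors, dists), area)
```

A client at (40, 30) is admitted, one at (120, 30) is outside the building, and one at (98, 30) is inside but too close to the wall to be trusted given the stated accuracy.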

 

            Two: Advanced Authentication. Rather than relying on the nominal security features of the Wi-Fi, an enterprise may use advanced authorization/authentication protocols, such as the DIAMETER[13].

 

CONCLUSION

 

            Wi-Fi has by now become a cornerstone technology in wireless communications. Its major vulnerabilities – session hijacking, man-in-the-middle, and denial-of-service – are being continuously mitigated through advances in security technologies and through increased security awareness on the users’ side. With the increase in effective data rates to exceed 200Mbps, there will be plenty of bandwidth for advanced encryption techniques and for sophisticated authorization/authentication protocols. It is expected that security standard 802.11w, with the per-packet encryption key and additional powerful features, will significantly enhance Wi-Fi security and “. . . will . . . reduce (successful intruder) . . . attacks.” [15].

 

 


Appendix A.  802.11 Wireless LAN Basic Characteristics [4, 5]

IEEE WLAN Standard   Over-the-Air Data Rate   Media Access Control Layer Data Rate   Operating Frequency
802.11b              11 Mbps                  5 Mbps                                 2.4 GHz
802.11g              54 Mbps                  25 Mbps                                2.4 GHz
802.11a              54 Mbps                  25 Mbps                                5 GHz
802.11n              200-540 Mbps             100-200 Mbps                           2.4 GHz or 5 GHz


 

 

 

 

REFERENCES (Availability of all references was last confirmed on December 10, 2006)

[1] 802.11 Working Group for Wireless Local Area Networks
http://standards.ieee.org/wireless/overview.html

[2] Wi-Fi Alliance
http://www.weca.net/about_overview.php?lang=en

[3] Wi-Fi Claims Lead in Wireless Standard Race
http://www.wirelessnewsfactor.com/perl/story/4805.html

[4] Category: 802.11n
http://wifinetnews.com/archives/cat_80211n.html

[5] Wi-Fi Glossary
http://www.wi-fi.org/glossary.php

[6] Quadrupling Wi-Fi speeds with 802.11n
http://www.deviceforge.com/articles/AT5096801417.html

[7] Wireless Network Defense
http://www.windowsecurity.com/articles/WiFi-security-Part1.html

[8] WEP Cracking
http://cowifi.personalwireless.org/showthread.php?p=148

[9] Enable MAC Address Filtering on Wireless Access Points and Routers
http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm

[10] Free DLNA Analyzer
http://www.ethereal.com/introduction.html

[11] JiWire's Wi-Fi Hotspot Finder
http://www.jiwire.com/search-hotspot-locations.htm

[12] JiWire's Wi-Fi hotspot-helper
http://www.jiwire.com/hotspot-helper.htm

[13] Using Windows Firewall
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx

[14] Wi-Fi Watchdog Review
http://www.techworld.com/mobility/reviews/index.cfm?ReviewID=185

[15] 802.11w Fills Wireless Security Holes
http://www.computerworld.com.au/index.php/id;1882045007;fp;4;fpid;18



NOTES

[1] DSSS: Direct Sequence Spread Spectrum is a telecommunication modulation technique where the original signal is multiplied by a “known noise” to cover the entire given bandwidth and is then transmitted. At the destination a counterpart demodulation technique retrieves the original signal.

[2] WECA: Wireless Ethernet Compatibility Alliance is a consortium of electronics and computer companies that promote and regulate the Wi-Fi technology.

[3] WEP: Wired Equivalent Privacy is a Wi-Fi optional encryption standard. When activated, WEP encrypts the data that are wirelessly communicated. WEP provides a 40 or 64bit encryption key based on which secure communication takes place between a radio NIC and its respective access point.

NIC: Network Interface Card. Connects a computer to a network, wired or wirelessly.

[4] WPA: Wi-Fi Protected Access. This is a 128bit key WEP.

[5] WPA2 (802.11i): Wi-Fi Protected Access 2. A 128bit key WEP, which has provisions for PKI authentication.

 

[6] AP. Access Point interfaces the wired network infrastructure to the wireless one. Contains radio interface, logic and router.

[7] WD. Wardriver, an intruder who drives by Wi-Fi areas with a laptop trying to access the Internet for free and/or to snoop on Wi-Fi clients’ sensitive data.

[8] IBSS: Independent Basic Service Set mode, commonly known as ad-hoc mode. In this mode, Wi-Fi clients can connect to each other directly without the need for an access point. This can be useful in a secure environment, like conference room, where participants can set up an “ad-hoc” network to communicate with each other.

[9] SSID: The identifier of a Wi-Fi network – a secret key - established by the network’s administrator. The SSID is included in the header of all communicated packets.

 

[10]  PKI. Public Key Infrastructure. An encryption scheme based on digital certificates.

[11] MAC: Media Access Control is the 32bit address of a unit’s Network Interface Card, NIC. An intelligent access point allows access to clients of authorized MAC addresses.

 

[12] VPN: Virtual Private Network is a security concept using IPSec.

IPSec. Internet Protocol Security. This protocol provides encrypted tunneling with header and payload encryption, and transport with payload encryption only. Also provides advanced authentication features.

Tunneling. Tunneling is a security concept where data are first encapsulated in a private protocol (such as IPSec) and afterwards are encapsulated again in a public protocol for transportation via any standard networks (Internet, Intranet, etc.)

 

 

[13] DIAMETER. An advanced communications protocol providing increased wireless security. It is the successor of the RADIUS, Remote Authentication Dial In User Service, protocol.