Dependability in Wireless Networks: Can We Rely on WiFi?

Marco Domenico Aime, Giorgio Calandriello, and Antonio Lioy
Politecnico di Torino

IEEE Security & Privacy, January/February 2007

WiFi's dependability requirements are growing as its usage spreads to public hotspots and personal home networks. Authentication and confidentiality are crucial issues for corporate WiFi use, but privacy and availability tend to dominate pervasive usage. This article discusses
Injection
Radio transmission, as well as reception, can't be confined to a restricted area, so WiFi relies on logical access control mechanisms for authorized access. However, this heavily limits the validity of well-established security tools such as firewalls and network intrusion detection systems, so authorized traffic must instead be validated as it flows over the wireless link (the security perimeter is now spread across every network link). In practice, though, this activity constrains the upper network layers in their attempt to provide specific security mechanisms. As a solution, the MAC level could provide data source authentication for every transmitted frame by identifying the source as a specific node or as a member of a trusted group.
Jamming
Radio communications are subject to jamming, which is cheap and easy to do in a narrow-band channel such as the one WiFi devices occupy. Jamming can make corporate WLANs unavailable, which is certainly annoying, or even block a residential phone network or hospital medical infrastructure, which is much scarier. The WiFi nodes themselves can easily detect a jam because each station already monitors channel quality for AP and bit-rate selection, but locating the actual attacker is a different story.

WiFi sails on unlicensed industrial, scientific, and medical (ISM) bands; in these bands, networks of devices subject to independent authorities can coexist in the same area and share the same communication channel. The WiFi MAC layer handles overlapping cells, but doesn't guarantee fairness in the presence of dishonest nodes. Even worse, transmissions are vulnerable to interference by any technology that exploits popular ISM bands, from Bluetooth devices to microwave ovens.
Energy
is twofold: power-conservation features and their protection become vital, and any security mechanism must be carefully evaluated against its energy cost.

Access control
Although it inherits the underlying PHY layer's insecurity, the 802.11 MAC layer adds some peculiar weaknesses of its own. Its dangerous features are that it implements a shared channel, can have a star or mesh topology, and must synchronize among different parties, which makes it much more complex than Ethernet. These three broad categories leave the network open to several different vulnerabilities.

Hijacking
Man-in-the-middle attacks are a traditional threat against access control solutions. Although it's easy for attackers to intercept wireless traffic and inject an attack, it isn't trivial to hijack a wireless channel. The attacker must ensure that the two victims can't talk directly, so the targets must either lie outside each other's radio range or be desynchronized. An attacker can try to jam the receiver while still being able to access the transmitted traffic, for example by using directional antennas or a set of two probes near the sender and the receiver (attackers can always use a coalition of nodes that cooperate over a different, unmonitored frequency). Alternatively, the attacker can force the two targets over to two distinct frequencies and continue to relay traffic between them; doing so makes it easy for the attacker to manipulate them. Such threats are avoidable only by including spatial and frequency information in the victims' authentication mechanisms. Although secure distance verification is an active research topic,4 WiFi authentication ignores this problem because it doesn't convey any spatial or frequency information. This still holds for the 802.11i standard.

Shared channel
When many nodes use the same channel, their traffic must be distinguishable; accordingly, 802.11 networks use a MAC address as a static station identifier. But even if communication is encrypted, the header must remain in the clear for delivery reasons, which makes statistical traffic analysis, and identity tracking, feasible.

A shared channel also implies a shared bandwidth, so transmission speed drops if several nodes use it simultaneously. It might seem that limiting the number of users per cell would guarantee an adequate bandwidth per node, but this doesn't really work because the 802.11 MAC layer allows the coexistence of many independent cells on the same physical channel, each with its own nodes. The 802.11e standard deals with providing quality of service over WiFi networks via traffic prioritization mechanisms, but these mechanisms rely fully on the existing MAC layer, its rules, and, more importantly, its vulnerabilities. As such, the proposed quality-of-service mechanisms don't enforce availability.

Additionally, the WiFi medium has strict access rules because it's shared, and the 802.11 MAC layer works properly only when the nodes observe specific access rules (such as timing, physical and virtual channel sensing, and back-off times). Unfortunately, it's easy to violate these rules and cause network malfunctions because many off-the-shelf devices ship with spe-

Topology
We can set up WLANs in two different modes corresponding to two distinct network topologies: the infrastructure mode, in which an AP centrally coordinates the network, which in turn assumes a virtual star topology, and the ad hoc mode, which has no centralized coordination and a mesh topology.

In the infrastructure mode, the AP is the single required element in the network: if the AP fails, the whole network is blocked. Recent commercial solutions mitigate this single point of failure through fault-tolerance mechanisms; APs can increase their transmission power and cover a broader area after discovering that a neighbor AP has vanished. A straightforward attack against an AP consists of flooding it with false authentication requests to exhaust its buffers and make it refuse any other legitimate access to the network. This drawback is balanced by the fact that a network with centralized coordination is easier to manage from a security standpoint than a fully distributed one. Networks in the infrastructure mode, for example, can benefit from 802.1X authentication because the AP acts as a gateway toward a well-established security infrastructure, whereas the native 802.11 ad hoc mode relies only on a static shared secret.

Synchronization
Upper levels
Applications that deal with personal information are extremely vulnerable to data capture and disclosure. At first glance, home banking might seem to be the most sensitive application, but most banks provide secure access through SSL channels. The real issue here is privacy: most services typically aren't protected in the network stack's upper layers and carry information that attackers can use to profile and track potential victims.

Vulnerabilities typically narrow the available bandwidth, and a narrow channel incurs delays that can hurt real-time services; as noted earlier, multimedia streams in particular are very sensitive to delays in packet delivery because they directly affect quality of service. A possible defense could be to make upper-level protocols able to handle the radio link's unavailability. This is a key research field in networking,8 and the typical goal is to distinguish between congestion and unavailability due to the radio medium's coarse and variable nature.
Lab experience
The analysis we've presented so far raises a key question: how real are the threats we've outlined? To answer that question, we built some attack tools that exploit a few of the vulnerabilities discussed here and tested them against a small WiFi network in our labs. Every test had three key objectives: to understand whether the attack could really be implemented from commercial off-the-shelf components, to determine the actual effects on WiFi activity, and to figure out how to isolate the attack with an intrusion detection module.

All the attacks we tested use off-the-shelf hardware and open source device drivers, and are fairly easy to do. We needed a bit of expertise to design them, but we believe anyone with adequate knowledge of Linux and wireless networks can use them effectively. Under some attack conditions, the target network was completely blocked for the test's whole duration. A packet capture engine could detect almost all the attacks, and all of them introduced various anomalies in network behavior.
of one spoofed frame every second for the deauthentication attack and every two seconds for the EAP-Logoff attack. The re-authentication time was approximately 35 ms for 802.11 open authentication and grew 12 times for
MAC-level jamming
Our version of the jamming attack consisted of a special test mode already available in the devices we used, which gave us continuous transmission regardless of MAC-level access rules. This caused constant collisions with every other station in the cell, which was then totally blocked. Because colliding stations back off and don't transmit for some time, we didn't need to perform full-time jamming; we only had to send small bursts of noise. Our tests showed that a 10 percent jamming period was enough to halt transmission in a cell, and as a side effect, most of the devices cleared their association information after missing a small number of beacon frames from the AP. The jamming effect spanned three adjacent WiFi channels, but this attack didn't require packet injection techniques and thus was hardly detectable with a network-layer intrusion detection system.
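Why a 10 percent duty cycle does so much damage follows from the binary exponential backoff that 802.11 DCF applies after every failed transmission. The slotted model below is an added example, not the authors' lab tooling and not a faithful 802.11 implementation: stations are saturated, a frame occupies FRAME_SLOTS slot units of airtime (an assumed constant), and a deterministic jammer corrupts any frame whose airtime overlaps one of its bursts. Comparing the clean and jammed channel shows the delivered-airtime loss exceeding the jammer's own duty cycle, because a burst kills every frame overlapping it and each corrupted frame also inflates the sender's contention window. The model does not cover the beacon loss that made the devices in the lab drop their association.

```python
"""Simplified slotted model of 802.11 DCF under bursty jamming (constructed example)."""
import random

CW_MIN = 15          # 802.11 DCF minimum contention window, in slots
CW_MAX = 1023        # maximum contention window after repeated failures
FRAME_SLOTS = 20     # assumed airtime of one frame, in slot units (constructed)


def simulate(n_stations, total_slots, jam_period=0, jam_burst=0, seed=1):
    """Fraction of channel time carrying successfully delivered frames.

    Every station always has a frame queued (saturation). A frame is delivered
    only if exactly one station starts in that slot and no jamming burst
    overlaps its airtime; otherwise every station that transmitted doubles its
    contention window (binary exponential backoff, capped at CW_MAX) and draws
    a fresh backoff. The jammer is a fixed duty cycle: it is on for the first
    `jam_burst` slots of every `jam_period` slots (jam_period=0 means no jammer).
    """
    rng = random.Random(seed)
    cw = [CW_MIN] * n_stations
    backoff = [rng.randint(0, CW_MIN) for _ in range(n_stations)]
    delivered = 0
    t = 0
    while t < total_slots:
        senders = [i for i in range(n_stations) if backoff[i] == 0]
        if not senders:                      # idle slot: everyone counts down
            for i in range(n_stations):
                backoff[i] -= 1
            t += 1
            continue
        jammed = jam_period > 0 and any(
            s % jam_period < jam_burst for s in range(t, t + FRAME_SLOTS))
        if len(senders) == 1 and not jammed:
            delivered += FRAME_SLOTS
            cw[senders[0]] = CW_MIN          # success resets the window
        else:
            for i in senders:                # collision or jam: back off harder
                cw[i] = min(2 * cw[i] + 1, CW_MAX)
        for i in senders:
            backoff[i] = rng.randint(0, cw[i])
        t += FRAME_SLOTS                     # medium busy for the whole frame
    return delivered / total_slots


def jamming_cost(n_stations=5, total_slots=50_000, jam_period=100, jam_burst=10):
    """Delivered-airtime fraction on a clean channel versus under a jammer
    whose duty cycle is jam_burst / jam_period (10 percent by default)."""
    clean = simulate(n_stations, total_slots)
    jammed = simulate(n_stations, total_slots, jam_period, jam_burst)
    return clean, jammed


if __name__ == "__main__":
    clean, jammed = jamming_cost()
    print(f"clean channel: {clean:.2f}  with 10% jamming: {jammed:.2f}")
```

The jammer here is modelled only as a source of corrupted frames; a real burst is also seen as a busy medium by carrier sensing, which defers stations further, so the model underestimates the effect.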
Multimedia performance
By forging the appropriate frame (for example, an empty data frame with the power management bit set), we could make the AP believe that the victim was in power-save mode so that it would start buffering traffic for it. This caused delays in traffic delivery, which especially hurt our real-time traffic; in fact, we could stop a Real-time Transport Protocol (RTP) flow with this attack. Of course, the victim's precise behavior depends on the device driver's implementation of power-save mode. Some drivers always react upon receipt of the traffic indication map (TIM; it's part of every beacon frame and announces the presence of buffered traffic) and tell the AP that they're not in power-save mode, thus mitigating the attack's effects. Other drivers ignore the TIM if the station isn't in power-save mode and thus suffer the attack's full effects.
Thus far, we've made it clear that WiFi isn't ready for critical applications, mainly because of its intrinsic robustness problems. But next-generation wireless networks need modern security features, and WiFi will have to provide extensions and changes to maintain its supremacy among the various wireless data technologies.

Jamming attacks have so far gone unstopped, and their effects are devastating. Researchers have suggested various approaches to thwarting them,9 but a recent approach to detecting them is to monitor the channel and share what each node sees, to create a global view of the network.10 The idea is to detect the jam via node cooperation because a single node can't distinguish jamming from channel saturation. Any approach that improves wireless networks' anonymity could also help with robustness: the traffic related to a specific node would be more difficult to select and jam.10,11

At the physical level, a new radio technology that can greatly help with robustness problems is ultra wide band (UWB).12 Despite some standardization delays, it's expected to hit the mass market soon as a radio layer of the USB wireless extension. UWB could potentially exploit its extremely large bandwidth to hide communication channels by coding or frequency hopping, which makes interception harder and jamming at least more conspicuous. Unfortunately, current UWB standardization efforts for wireless personal area networks are heading toward a fully shared MAC layer, which removes any such potential benefit. Nevertheless, UWB still offers a key security property: it supports fine-grained location of transmitting nodes. In general, knowledge of exact locations can help prevent man-in-the-middle attacks, and inconsistencies between a node's actual position and the one its peer perceives can point out the presence of an attacker in the middle. Clearly, location verification must also be secured, but node location with the current 802.11 technology is a complex problem.13 In corporate environments, some proprietary commercial solutions for attacker location are available, but they're based on the coordination of several homogeneous, centrally managed APs.

The main research issue is how to design a robust secure wireless channel, but this field lacks both theoretical and practical literature. The general problem here is how to identify and reject fake events at the MAC level. In some cases (such as with man-in-the-middle attacks), the MAC layer can quickly identify malicious events by making security mechanisms aware of specific wireless information, such as frequency, location, or distance. We can easily extend some 802.11 frames (notably, the ones for cell advertisement, node authentication, and association) to carry additional pieces of information. We can address other vulnerabilities, such as the deauthentication attack, with short-term fixes; for example, a spoofed deauthentication frame can be detected (and
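The forged frames used in the lab tests (one spoofed deauthentication per second, and an empty data frame with the power management bit set) and the detection of spoofed deauthentication frames suggested just above can be shown end to end on raw 802.11 frame bytes. The block below is an added example, not the authors' attack tools or intrusion detection module: it builds the frames from the standard 24-byte 802.11 MAC header layout (frame control, duration, three addresses, sequence control) and then runs a passive monitor over a constructed capture. The monitor applies two checks a packet capture engine can run without any cryptography: a forged frame carries a 12-bit sequence number unrelated to the impersonated transmitter's counter, so a large jump from the last plausible value flags it, and several deauthentication frames for one BSSID inside a short window flag a flood. The MAC addresses, timings, duration field and thresholds (max_gap, deauth_limit, window) are assumptions, and nothing is transmitted.

```python
"""802.11 frame forgery and passive spoof detection (constructed example)."""
import struct
from collections import defaultdict

# Frame control, 16-bit little-endian: byte 0 = subtype<<4 | type<<2 | version,
# byte 1 = flags (ToDS 0x01, FromDS 0x02, Retry 0x08, PwrMgt 0x10, ...).
FC_BEACON = 0x0080    # management (type 0), subtype 8
FC_DEAUTH = 0x00C0    # management (type 0), subtype 12
FC_DATA = 0x0008      # data (type 2), subtype 0
FC_NULL = 0x0048      # data (type 2), subtype 4: null function, no payload
FLAG_TO_DS = 0x01
FLAG_PWR_MGT = 0x10
SEQ_MODULUS = 4096    # 12-bit sequence number


def mac_bytes(addr):
    return bytes.fromhex(addr.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(fc, addr1, addr2, addr3, seq, body=b""):
    """24-byte MAC header (no QoS/HT fields) followed by the frame body.
    The duration value 0x013A is an arbitrary assumption."""
    seq_ctrl = (seq % SEQ_MODULUS) << 4      # fragment number 0
    return struct.pack("<HH6s6s6sH", fc, 0x013A, mac_bytes(addr1),
                       mac_bytes(addr2), mac_bytes(addr3), seq_ctrl) + body


def deauth_frame(ap, sta, seq, reason=7):
    """Deauthentication from the AP to one station; body is a 16-bit reason
    code (7 = class 3 frame received from a nonassociated station)."""
    return build_frame(FC_DEAUTH, sta, ap, ap, seq, struct.pack("<H", reason))


def null_frame(ap, sta, seq, power_save):
    """Null-function data frame from station to AP; PM bit announces power save."""
    flags = FLAG_TO_DS | (FLAG_PWR_MGT if power_save else 0)
    return build_frame(FC_NULL | (flags << 8), ap, sta, ap, seq)


def parse_frame(frame):
    fc, _dur, a1, a2, a3, seq_ctrl = struct.unpack_from("<HH6s6s6sH", frame)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF, "flags": fc >> 8,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "seq": seq_ctrl >> 4, "body": frame[24:]}


class SpoofMonitor:
    """Passive monitor over captured frames (one sequence counter per
    transmitter, a simplification that ignores per-TID QoS counters)."""

    def __init__(self, max_gap=64, deauth_limit=3, window=10.0):
        self.max_gap, self.deauth_limit, self.window = max_gap, deauth_limit, window
        self.last_seq = {}                      # transmitter -> last plausible seq
        self.deauth_times = defaultdict(list)   # bssid -> recent deauth timestamps

    def observe(self, frame, now):
        f = parse_frame(frame)
        src, alerts = f["addr2"], []
        prev = self.last_seq.get(src)
        anomalous = prev is not None and (f["seq"] - prev) % SEQ_MODULUS > self.max_gap
        if anomalous:
            alerts.append(("seq-anomaly", src, f["seq"]))
        else:
            self.last_seq[src] = f["seq"]       # advance only on plausible frames
        if f["type"] == 0 and f["subtype"] == 12:
            times = self.deauth_times[f["addr3"]]
            times.append(now)
            times[:] = [t for t in times if now - t <= self.window]
            if len(times) >= self.deauth_limit:
                alerts.append(("deauth-flood", f["addr3"], len(times)))
        if f["type"] == 2 and f["flags"] & FLAG_PWR_MGT and anomalous:
            alerts.append(("pm-spoof", src, f["seq"]))
        return alerts


def run_demo():
    """Constructed capture: legitimate AP beacons and station data, then an
    injected deauthentication burst and a forged power-save announcement."""
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    mon = SpoofMonitor()
    capture = []
    for i in range(5):                      # AP beacons, seq 50..54
        capture.append((i * 0.1, build_frame(FC_BEACON, "ff:ff:ff:ff:ff:ff", ap, ap, 50 + i)))
    for i in range(5):                      # station data to the AP, seq 100..104
        capture.append((1 + i * 0.1, build_frame(FC_DATA | (FLAG_TO_DS << 8), ap, sta, ap, 100 + i)))
    for i in range(3):                      # attacker: one forged deauth per second
        capture.append((10 + i, deauth_frame(ap, sta, 3000 + i)))
    capture.append((13.0, null_frame(ap, sta, 700, power_save=True)))  # forged PM=1
    found = []
    for now, frame in capture:
        found.extend(mon.observe(frame, now))
    return found


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The sequence check is what makes the victim-side fix practical: a station that sees a deauthentication whose sequence number is far from the AP's recent frames has grounds to delay acting on it, which is cheap compared with changing the protocol. The jamming test from the lab, by contrast, produces no frames at all and is invisible to this monitor.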
Acknowledgments
The work described in this article is part of the activities performed at the e-security joint lab between the Politecnico di Torino and the Istituto Superiore Mario Boella. We especially thank Daniele Mazzocchi for his many useful discussions on wireless network security.
References
1. N. Borisov, I. Goldberg, and D. Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11," Proc. 7th ACM Int'l Conf. Mobile Computing and Networking, ACM Press, 2001, pp. 180-189.
2. B. Potter, "Wireless Security's Future," IEEE Security & Privacy, vol. 1, no. 4, 2003, pp. 68-72.
3. J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions," Proc. 12th Usenix Security Symp., Usenix Assoc., 2003, pp. 15-28.
4. S. Capkun and J.P. Hubaux, "Securing Position and Distance Verification in Wireless Networks," tech. report EPFL/IC/200443, Swiss Federal Inst. of Tech., May 2004.
5. C. Ware, T. Wysocki, and J.F. Chicharo, "Hidden Terminal Jamming Problems in IEEE 802.11 Mobile Ad Hoc Networks," Proc. IEEE Int'l Conf. Communications (ICC), IEEE CS Press, 2001, pp. 262-265.
6. V. Gupta, S. Krishnamurthy, and M. Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks," Proc. IEEE Military Communications Conf. (MILCOM), IEEE CS Press, 2002, pp. 1118-1123.
7. D.W. Carman, P.S. Kruus, and B.J. Matt, "Constraints and