A popular wireless-communication standard opens the door to attackers
Through the miracle of wireless communication technology, you can send secure confidential information over open, shared airwaves. In its 802.11 wireless LAN (WLAN) standard, the IEEE has included built-in security mechanisms to provide confidentiality, access control, and data integrity for information that travels through the air. But is the technology as secure as it promises to be?
Recent discoveries suggest that the 802.11 standard has serious security flaws that can permit attackers to perform simple attacks to gain access to your confidential information. These discoveries seriously undermine both the IEEE's claims about its standard and many vendors' claims about the security of wireless products that use the 802.11 standard. To understand 802.11's flaws, you need to delve into the inner workings of the Wired Equivalent Privacy (WEP) protocol and the protocol's RC4 encryption algorithm.
Challenging WEP
Wireless communication has been around for years, but only recently has it ascended to the status of a mainstream communication method. Portable devices (e.g., PDAs, cell phones, laptops) have proliferated, giving mobile users access to email accounts, Internet sites, online banking, and the stock exchange. This proliferation has led to WLAN vendors scurrying to develop proprietary wireless network solutions and application vendors hurrying to code new wireless programs.
Wireless communication devices use a different protocol stack and different programming languages from those of wired-LAN PCs and servers. The need for a different protocol stack is due to these devices' lack of resources (e.g., CPU power, memory, storage) and limited power and display capabilities. In an attempt to provide a connection as secure as that of an equivalent wired communication path, the 802.11 standard implements the WEP protocol, which uses a cyclical redundancy check (CRC) for data integrity and the RC4 stream cipher for encryption and decryption. WEP's developers claim that because WEP handles only encrypted messages, the protocol obstructs eavesdropping attempts and controls access to the destination computer.
Challenging these claims, a research group at the University of California, Berkeley, has demonstrated how specific attacks can compromise any wireless communication that uses WEP. (For a detailed analysis of this group's findings, go to http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.) The group used passive eavesdropping attacks to intercept and decrypt traffic, redirected IP traffic from a wireless connection to the group's computers, used dictionary attacks to decrypt traffic in realtime, and used active attacks to inject new traffic from unauthorized wireless devices. Using only a laptop, a wireless Ethernet interface card, and a NIC driver, the group modified the driver and was able to decrypt and read data traveling from a wireless device to a base station.
CRC and Data Integrity
When a user sends information from an 802.11 wireless device to a destination computer, the message passes through a CRC function—an error-detection mechanism that returns a checksum value—before the message is encrypted. The same algorithm processes the decrypted message at the destination computer to obtain a value. If the values at both ends of the transmission are the same, the destination computer assumes that no one modified the message during transmission and accepts the message. The CRC process is designed to ensure data integrity.
If an attacker can compromise the CRC functionality (by flipping certain bits within the message), he or she can modify the original plaintext message—and the receiving computer won't detect the modification. The Berkeley group demonstrated that successful modification of the plaintext message and the CRC value is possible—which means that an attacker can alter a message during transmission and that the recipient would be unaware of the intrusion.
The ramifications of this discovery are twofold: First, if an attacker captures a packet over the airwaves, he or she can change the packet's contents and the receiving computer wouldn't recognize a problem until the computer had suffered the damage that the encryption and CRC should have protected it from. For example, the attacker could change the contents of a packet that contained the command
cd\
to
echo y | format C: /s
which would format the C drive. Second, the attacker can redirect traffic. If the attacker captured data during transmission and changed the sending IP address, any replies to that packet's request would go to the attacker instead of the intended user.
RC4 Encryption
After a wireless device runs a message through the CRC function for data-integrity purposes, it must encrypt the message before sending it to the base station (which is the access point to the network) or another wireless device. Various encryption algorithms and schemes are used all over the Internet and on individual LANs. WEP uses the RC4 stream cipher as its encryption algorithm. Although each algorithm's mathematics are unique and each encryption scheme depends on different components—an initialization vector (IV), an integrity check value (ICV), a key, a keystream—each algorithm has the same basic functionality: to protect the transmission of confidential information. All stream encryption algorithms use a keystream to transform the plaintext message into an undecipherable form called ciphertext.
Most algorithms are publicly available. Therefore, you need to make your keystream as complex as possible. Unfortunately, the 802.11 standard doesn't specify the necessary steps you need to take to ensure the input of random components (i.e., the key and IV), which would result in a complex and more random keystream. Therefore, vendors commonly implement methods that use redundant keys and IV values, resulting in a noncomplex keystream.
Previous
Register
Sidney Moore May 21, 2002