802.11b Wireless Security Insights: WEP, Kismet, and Best Practices

In this article, Michael talks about Linux and background on wireless security, utilities to interrogate wireless networks, and the top tips you should know to improve wireless security of your network.

"Wireless" networking is not a new concept. Even end-user and hobby wireless networking has been around in various forms for well over a decade, and ham radio networks still toss packets across the airwaves today. Recently, wireless ethernet (802.11b networking, also known as WiFi) has been gaining in popularity, and in the last six or eight months has dropped in price to the point of becoming a commodity - at $80 or $100 USD for a card and $120 USD for an access point, wireless is finally becoming an option for home users looking to avoid running cable through the house for their laptops, for geeks and technophiles looking for something new to explore, and for offices looking to expand worker mobility. Unfortunately, with this wireless boom, security concerns are often overlooked, ignored, or under-supported, either through hardware and protocol limitations or through simple human oversight.

Some 802.11b background

802.11b operates in the 2.4Ghz radio frequency, and typically has a range of 150 or 200 feet indoors. It can operate in one of two modes, infrastructure mode, where all the client systems talk to an access point which typically serves as a bridge to the wired ethernet network, or in ad-hoc mode, where two 802.11b cards talk directly without an access point. 802.11b also supports WEP encryption of various key sizes. WEP, or Wired Equivalence Privacy, is designed with the goal of making the wireless network as secure as a wired network. More on WEP later. For all intents and purposes, a 802.11b wireless network functions as a shared media ethernet, which is to say, everyone can see all data on the line.

WEP, from the ground up, is not suitable as the only means of security of a wireless network. Even functioning perfectly, once a client has joined the network with the correct WEP key, it becomes a shared media unencrypted network, with all the inherent vulnerabilities and internal weaknesses. Unfortunately, this is not the only problem with WEP. Due to a flaw in the RC4 encryption, most implementations of WEP periodically generate weak packets. Once enough of these weak packets are seen, it is possible to extract the WEP key. This attack is completely passive and undetectable (until, of course, a card joins the network with the key.)

Top security oversights when building 802.11b networks

1. Completely unencrypted networks. Despite the multitude of wireless articles written, half (or more!) of the wireless networks I've encountered don't use any form of encryption whatsoever. This leaves them completely open to sniffing (at the least) and abuse of network resources and malicious attack (at the worst).

    

2. Trusting WEP. With known encryption flaws, WEP is by no means the only method of security that should be used on a network. At the least, WEP only makes your network as secure as a shared media ethernet network - anyone with the key can still get all your data.

    

3. "Dumb" bridges. These are bridges which will indiscriminately forward all your data from the wired ethernet network to the wireless, making it easily available to any sniffers in the area. At LinuxWorld Expo in NYC this year, the tutorial conference email kiosks were set up this way, happily broadcasting everyones traffic while checking email into the air.

    

4. Wireless networks installed behind firewalls. A wireless network should always be classified as an untrusted network. I have encountered at least one consumer store chain with an access point installed behind the corporate firewalls in a retail store, with no WEP, giving full access to the entire nationwide corporate network.

    

5. Trusting MAC authentication exclusively. MAC's can be faked.

Top tips for securing wireless

1. Use an applicaton-layer encryption method (SSL, SSH) for all communication, or better still, a TCP/IP layer encryption like IPSec. Encrypt ALL traffic on the wireless network.

    

2. Use a secure authentication method. 802.1x is a step in this direction, Cisco WAPs support LANE authentication, has an Open Source Linux-router authentication project. Require users to authenticate before their traffic is accepted or gatewayed to the wired LAN. (Note: Over the length of time it took me to write this article, 802.1x has been reported as vulnerable to attack.)

    

3. Use appropriate antennas. Sectors and yagis will help keep your signal going where you want it to go instead of leaking to other locations. Don't boost your signal needlessly or indiscriminately. For the extremely dedicated, shield external walls near access points.

    

802.11b sniffing theory

Network sniffing, on a wired medium, is a fairly straightforward process. Most network cards will filter traffic so that only traffic destined for that card is passed to the operating system, thereby reducing the load on the OS. By telling the card to go into “promiscuous mode”, all traffic seen is passed to the operating system. On a shared media (unswitched) network, this lets a computer spy on every packet traversing that segment.

Wireless sniffing is slightly different. While the cards can still be placed into promiscuous mode, this doesn't (generally) have the intended result. Most wireless card drivers for Linux will either do nothing, or still only return packets destined for card, and in either case, still only affect an associated network. To sniff all of the traffic on a network (or more accurately, all of the traffic in the air around you regardless of network association) a card must support RF Monitoring. Currently, Prism/2 cards (Linksys, D-Link, Compaq, etc) with the linux-wlan-ng drivers (www.linux-wlan.com) and Cisco Aironet with the default kernel drivers (aironet and aironet_cs) support RF Monitoring mode. Once a card is in RF Monitoring mode, all packets in the air are reported to the OS.

Multichannel sniffing is built into Cisco Aironet cards - when in monitor mode, traffic on all channels is reported. Prism/2 cards will report some cross-channel traffic due to the slight overlap in channel frequencies, but primarily will only report the channel they are active on. Running a channel-hopper program is one way around this, however it will reduce your chances of catching intermittent traffic.

Network detection without RF Monitoring support

Most cards that do not support RF Monitoring support can still be used to detect networks, just not capture the data within the network. By telling the card to join any network regardless of SSID, and querying the current network joined, it is possible to discover the networks in the area. In practice, I've found that this isn't nearly as reliable as RF Monitoring is to detect networks, however.

Kismet

Several utilities exist to monitor and record wireless network traffic, however as the author of Kismet I'll focus on that since I'm most familiar with it. Kismet began as most projects do, as a mongrel of other projects and a tool to scratch an itch. Kismet is designed to be the swiss-army knife of wireless monitoring and auditing, compatible across multiple wireless cards and multiple platforms while presenting a consistent feature set.

Kismet will work with nearly any Linux supported wireless card. RF Monitoring is supported Prism/2 and Cisco Airnoet, and generic SSID detection works with any card supporting the Linux-wireless extensions. It will also work on Linux-powered handhelds that use the wlan-ng drivers such as the Sharp Zaurus, and in theory the Compaq Ipaq with any of the standard PCMCIA drivers. Full handheld support is still a work in progress, but it is functional and usable in its current state.

Most other wireless tools only work with a specific card or family of cards. Kismet is designed to take input from any Linux-supported wireless card, transform it into a common format, and process all sources in the same fashion. Data can be saved in several formats:

1. Network - Detailed network info including BSSID, SSID, first and last detected GPS coordinates, Tag133 beacon info, IP range, etc.

    

2. Dump - Raw packet dump, compatible with Ethereal and TcpDump.

    

3. Cisco - Cisco infrastructure information gathered from CDP (Cisco Discovery Packet) broadcasts.

    

4. GPS - GPS coordinates of every detected packet, strength levels (if available), and the track followed. "gpsmap", included with the development versions of Kismet, interprets these files and graphs them onto downloaded maps.

Auditing 802.11b networks with Kismet

When auditing, always aim for the extreme conditions for your situation, but remember that no tool is complete, and no auditing method is guaranteed. When the theoretical horde of kiddies comes knocking at your network and servers, you can't guarantee that you have tried everything they will try. It is important to design your network from the ground up securely.

Kismet is designed to assist with auditing as much as possible, sporting automatic disassembly of ARP, UDP, and DHCP packets for IP address detection, “cloaked” SSID detection, and Cisco Discovery Packet deciphering and logging. Kismet also sports graphical mapping of networks and estimated ranges from GPS data.

The simplest way to audit your network is to set Kismet up for your hardware, start it up, and walk (or drive) through your facility. Look for dead zones, leaks outside your property, and unexpected access points or clients. BE PARANOID. Think like someone trying to break into your network for fun or profit might think. Read on for more.

What to look for when auditing - and how to think about fixing it

1. Signal range -- Does your wireless signal go way beyond the physical bounds of your property? Inversely, does the signal cover your entire installation? Remember when testing range, not all wireless cards are equal and antenna types on the client side can make a big difference.

   Solutions: Consider directional antennas and repositioning access points. Remember, proper antennas can reduce your range and keep it within your property, as well as extend it in a poor-coverage area!

    

2. Unauthorized access points -- Worried about an employee bringing an AP in and hooking it to the office network? Look for unexpected access points. This may be one of the largest exposures to your network.

   Solutions: Have a clearly defined policy regarding unauthorized network modifications. Consider some form of central network authorization if none is in place already.

    

3. Information leaks and incorrectly configured APs -- Look at the dump logs and see if the information being exposed over the wireless is the information you expect to be exposed. Incorrectly set up hardware can disclose far more information about your network than you intend, incorrectly configured clients can broadcast unencrypted information or other information about your network infrastructure.

   Solutions: Fix your access point, and restrict what information is sent over insecure network segments.

    

4. Unauthorized users -- For the extremely paranoid, it is possible to spot unauthorized users attempting to join your network, but remember -- client cards are typically not very powerful, and you'll only see attempts in your immediate area. Never rely on this for overall security.

   Solutions: Implement authenticated filtering at the router so unauthorized users cannot use the network. Implement AP-based authentication so that unauthorized users cannot join the network in the first place.

What's in Store for Kismet in the Future

Kismet is undergoing a number of changes as it creeps towards the 2.0 release. Currently in the development tree is support for the new GUI interface and GPS mapping support. Also in the works is an enhanced ncurses user interface, persistent network information and grouping, and GTK and QT Embedded interfaces.

Links and points of interest

• https://www.kismetwireless.net/ - The Kismet home page

   

• http://hackerfriendly.com/ - NoCat authentication and router project

   

• http://www.bawug.org - Bay Area Wireless Users Group

   

• - New York City Wireless Users Group

   

• http://www.linux-wlan.com/ - AbsoluteValue's wlan-ng prism/2 drivers

   

• - Creator of the Linux-wireless extentions

   

• - Turnpoint.net's antenna shootout

   

• The Shmoo Group - Airsnort WEP cracking project

   

• - h1kari's WEP attack

   

About the Author

Mike Kershaw currently lives between Albany and New York City and works for a college managing Linux and Linux/390 systems. He got interested in wireless over the sumer of 2001, discovered a disturbing lack of utilities for wireless under Linux, and hasn't really looked back since. He is completing this article while driving across New York state - of the twenty-eight networks detected thus far... twenty two are unencrypted, including major law firms, government buildings, and countless residential networks.