Wireless networking — specifically IEEE 802.11b, the standard that was ratified last year — has dropped in price over the past few months to the point where small offices are deploying it casually. I have seen three networks installed in the last fortnight that did not exist a quarter ago. The price point appears to be the breakthrough.
This is going to be the next major shift in network architecture. Worth writing down what I currently understand, because next year I expect to be writing about specific attacks, and the foundation will be useful.
What 802.11b does, and what it does not
802.11b is a standard for wireless local-area networking. The basic capability: an access point sits on a wired Ethernet, broadcasts a radio signal, and clients with compatible radios can join the network without being plugged in.
The nominal throughput is 11 Mbit/s, in the 2.4 GHz unlicensed band. Real-world throughput is more like 5-7 Mbit/s after protocol overhead. Range is a few tens of metres indoors, more outdoors with line of sight.
The specification includes an encryption mechanism called WEP — Wired Equivalent Privacy — which is supposed to provide confidentiality equivalent to a wired Ethernet. The name was a hostage to fortune; the design has substantial weaknesses.
What the security model looks like
At the link layer, an 802.11b network has three relevant security mechanisms.
SSID — the network name. Clients have to know the name to join. Networks can either advertise the name in beacons (so it is visible to anyone listening) or run "hidden" with the name not advertised. Hidden networks are not actually hidden — clients still send the name in association requests, which any attacker listening can capture. SSID is identification, not authentication.
MAC filtering — the access point can be configured to accept only specific MAC addresses. Clients with other MACs are refused.
WEP encryption — packets between the client and the access point are encrypted with a shared symmetric key.
This is the shape of the security claim: that clients with the right MAC, knowing the right SSID, with the right WEP key, can join the network and communicate confidentially.
Why none of this works the way the marketing implies
SSID is broadcast. The access point sends beacon frames every hundred milliseconds containing, among other things, the SSID. An attacker with a wireless card in monitor mode can capture the SSID in seconds. Hiding the SSID slows them down by minutes — not the attack-resistance the term might imply.
MAC filtering is bypassable. MAC addresses are sent in cleartext on the wire. An attacker who captures any packet from a legitimate client knows that client's MAC. They then change their own card's MAC to match — which most wireless cards support trivially — and they are now indistinguishable from the legitimate client to the access point. MAC filtering is, in security terms, a speed bump.
WEP has, on the available analyses, several structural weaknesses. I have been reading Borisov, Goldberg, and Wagner's analysis, among others. The specific issues:
- The initialisation vector (IV) is 24 bits and is sent in the clear with each packet. A 24-bit IV space is small enough that on a busy network, IVs will start repeating within hours. Repeated IVs allow several attacks against the encryption.
- The integrity check (called ICV in the standard) uses CRC-32, which is not a cryptographic hash. Bit-flip attacks on the encrypted payload that produce predictable changes in the ICV are possible.
- The key management is shared-static. Every client uses the same WEP key. Compromise of any single client compromises the network.
- Some IV values are known to produce weak RC4 keystreams. Specifically, IVs of the form
(N+3, 255, *)where N is a key byte index leak information about the key. This is the FMS attack, still being formalised.
The research community has not yet — as of writing — produced a fully practical attack on a normal WEP deployment. They are clearly close. I expect a public, easy-to-run tool that can recover WEP keys within a year, possibly two.
What this means for defenders
A few things, in roughly increasing order of severity.
Wireless networks are physically discoverable. Anyone within radio range — which is to say, anyone in the building, the carpark, the street outside, possibly the building next door — can detect the network. Conventional perimeter security based on "only people inside the building" no longer holds.
Authentication on wireless cannot be link-layer alone. Whatever 802.11b's mechanisms claim, they are insufficient for a network you actually want to be private. The right architecture is to treat the wireless network as untrusted at the link layer and apply higher-layer authentication — VPN, SSH, SSL — for any communication that matters.
WEP, alone, is insufficient. It raises the bar above eavesdropping by a casual party with no special equipment. It does not raise the bar enough to defeat a determined attacker with a wireless card and a few hours.
The deployment landscape is going to be horrible for the next several years. Most wireless networks will be deployed by people who do not know any of the above. WEP will be turned on (sometimes), MAC filtering will be turned on (sometimes), and the deployers will believe the network is secure. Attackers are going to find this an extremely target-rich environment.
What I am doing about it
For the small wireless deployments I have set up — for myself and for friends — the architecture is:
- Wireless network is treated as the equivalent of an open public network. Same trust level as the internet at large. No internal services exposed on it.
- All traffic from wireless clients goes through a VPN tunnel to a wired infrastructure inside the building. The tunnel uses IPSEC or SSH-based tunnelling, with proper authentication.
- WEP is turned on anyway, with the longest key the hardware supports, as a small additional speed-bump against drive-by attackers. The expectation is that WEP buys hours, not weeks.
- The wireless segment is firewalled from internal segments, so even if WEP is broken and a tunnel is compromised, the attacker is on an isolated network with no direct route to anything sensitive.
- Every wireless client device has its own SSH/VPN credentials. No shared credentials. Clients can be revoked individually.
This is more discipline than most deployments have. It is, as far as I can see, the minimum that is actually defensible.
What I expect over the next two or three years
A short list:
Public WEP-cracking tool released in 2000 or 2001. Practical, push-button, easy to use against any normal deployment. The research community is converging on this; the tool will follow.
A new wireless security standard will emerge. The IEEE working groups are already discussing what comes next. Whatever it is — probably something with proper authentication, proper key management, and proper integrity protection — it will take years to deploy widely.
Casual wireless deployments will grow much faster than informed deployments. The home-office and small-business market will install equipment in millions of locations, mostly without security beyond out-of-the-box defaults. This will be the rich substrate of compromise for the next several years.
Wireless penetration testing will become a real discipline. "Wardriving" — driving around with a wireless card in monitor mode — is already a small subculture. It will become an established part of the security professional's toolkit.
For my own future writing: I am going to keep paying attention to this. Wireless is large enough as a category, and fragile enough in its current state, that it will produce its own steady drumbeat of security incidents. I expect to be writing about wireless attacks regularly within twelve to eighteen months.