
CHAPTER VIII

Wireless Security
Definition of Wi-Fi
• Wi-Fi is short for Wireless Fidelity and denotes the family of standards used for Wireless Local Area Networks (WLAN) based on the IEEE 802.11 specification. The newer standards beyond 802.11a or b, such as 802.11g, are still being drafted; these newer specifications offer many improvements, from wider coverage to higher transfer speed.
• Originally Wi-Fi was intended for wireless devices and Local Area Networks (LAN), but today it is used mostly for Internet access. It allows someone with a computer fitted with a wireless card, or a personal digital assistant (PDA), to connect to the Internet through the nearest access point (also known as a hotspot).
Wi-Fi Device Standards
• Wireless technology uses two standards:
1. 802.11, the indoor standard, consisting of:
• 802.11 - 2.4 GHz 2 Mbps
• 802.11a - 5 GHz 54 Mbps
• 802.11a - 2X 5 GHz 108 Mbps
• 802.11b - 2.4 GHz 11 Mbps
• 802.11g - 2.4 GHz 54 Mbps
• 802.11n - 2.4 GHz 120 Mbps
2. 802.16, the outdoor standard, one example being WiMAX (World Interoperability for Microwave Access), which is seeing growing use in Indonesia.
Advantages of Wi-Fi
• Easy access
• No cables; practical and efficient.
• Usable 24 hours a day, 7 days a week, without telephone charges.
• Internet connection to the international backbone and to the Indonesia Internet Exchange (IIX)
Disadvantages of Wi-Fi
• Expensive equipment
• Very large delay
• Difficulties caused by radio propagation
• Easily subject to interference
• Small network capacity because of limited spectrum (the frequency band cannot be widened)
• Data security/confidentiality is poorly guaranteed
Types of Wi-Fi Devices
• Access Point
The hub for the clients or nodes that connect to the network over radio waves (wireless). To have a Wi-Fi network, an Access Point must first be installed as the central point of access for that network.
• Wireless Adapter for Desktops
The device a desktop uses to "communicate" wirelessly with the Access Point.
- Wi-Fi PCI Adapter
Plugged into a PCI slot on the motherboard, inside the CPU case. This is an internal Wi-Fi adapter.
- Wi-Fi USB Adapter
An external adapter connected directly through a USB port.
- PCMCIA and ISA Card
If you already have a Wi-Fi PCMCIA card and do not want to buy a new Wi-Fi device, you can use an ISA/PCI-to-PCMCIA converter.
• Wireless Router
A wireless router is a device that performs the functions of a router but also includes the functions of a wireless access point and a network switch. They are commonly used to allow access to the Internet or to a computer network without needing a cabled connection. It can operate in a wired LAN, a WLAN, or a wireless-only network.
Wi-Fi Network Modes
• Ad hoc
• An ad hoc system can be called a peer-to-peer system, in the sense that one computer is connected to another computer and the two recognise each other's SSID. It may be easier to picture it as a direct connection from one computer to another using a twisted-pair cable without a hub. So two computers with Wi-Fi devices can communicate directly without the device called an access point. An ad hoc system no longer has a central system (the role usually performed by an Access Point). An ad hoc system only needs one computer that has an SSID name, or simply put, the name of a network on a card/computer.
• Infrastructure
• An infrastructure system requires a device, namely an Access Point, when using a wireless network with PCI card devices. The Access Point acts as the controller of data traffic, allowing many clients to connect to each other through the network.
Wireless Network Security
• Wireless technology is currently developing very significantly, in step with the need for mobile information systems. Many wireless service providers such as commercial hotspots, ISPs, Internet cafes, campuses and offices have begun using wireless in their networks, but very few pay attention to the security of data communication on those wireless networks.

• Wireless networks have more weaknesses than wired networks.
Weaknesses of Wireless Networks
1. Wireless Weaknesses at the Physical Layer

Wi-Fi uses radio waves on public frequencies that anyone is free to use within certain limits. Every Wi-Fi device has a certain coverage area depending on the power and antenna used. It is not easy to restrict the area it reaches, which makes the following activities possible:

a. Interception or eavesdropping
This is very easy to do and is already familiar to hackers. Various tools are easily obtained on the Internet, and various cryptographic techniques can be broken by those tools.

b. Injection
During transmission over radio, injection is possible because of various weaknesses in how Wi-Fi works, where there is no validation of who is currently connected or who is disconnecting at that moment.
Weaknesses of Wireless Networks
c. Jamming
Jamming is quite possible, whether deliberate or accidental through the ignorance of wireless users. Managing the use of frequency channels is a must so that jamming can be minimised. Jamming occurs because the frequencies used are fairly narrow, so channel reuse is difficult in areas dense with wireless networks.

d. Locating Mobile Nodes
With various software, anyone can perform a wireless site survey and obtain the position of every Wi-Fi device and its various configurations. This can be done with simple equipment such as a PDA or laptop supported by GPRS as a position marker.

e. Access Control
When building a wireless network, it needs to be designed so that trusted nodes or hosts can be separated from untrusted hosts. Good access control is therefore required.

f. Hijacking
MITM (Man In The Middle) attacks can occur on wireless because of various weaknesses in the protocol, making it possible to hijack or take over an ongoing communication and steal or modify information.
Weaknesses of Wireless Networks
2. Weaknesses at the MAC Layer (Data Link Layer)

At this layer the weakness is that once too many nodes (clients) use the same channel and are connected to the same AP, the bandwidth that can be carried drops. In addition, MAC addresses are very easy to spoof (imitate or duplicate), which creates many security problems.
The data link or MAC layer is also used for authentication in Wi-Fi security implementations based on WPA with RADIUS (802.1x plus TKIP/AES).
Wireless Network Solutions
Weaknesses of wireless networks can generally be divided into 2 kinds: weaknesses in configuration and weaknesses in the type of encryption used.
The following are the activities carried out to secure a wireless network:
• Hide the SSID
• VPN and firewall
• Use encryption
• Change the default administrator password
• Turn off the AP when not in use
• Change the default SSID
• Use MAC filtering
• Isolate the wireless network from the LAN
• Control the wireless signal
• Transmit on a different frequency
• WEP (Wired Equivalent Privacy)
• WPA (Wi-Fi Protected Access)
• MAC Filtering
WEP (Wired Equivalent Privacy)
WEP is a method of securing a wireless network; it was the first security and encryption standard used on wireless.

WEP encryption uses a key entered (by the administrator) on both the client and the access point. The key given to the access point must match the key the client enters to authenticate to the access point, and WEP is part of the 802.11b standard.
Reasons for Choosing WEP and the Functions of WEP
WEP is a weak security system. Nevertheless WEP was chosen because it met the requirements of the 802.11 standard, namely:
Exportable
Reasonably strong
Self-synchronizing
Computationally efficient
Optional

• WEP can be used to verify identity at the authenticating station.

• WEP can be used for data encryption.
WEP Process
Advantages of WEP

When a user wants to connect a laptop, the user does not change any settings; everything is automatic, and the first time the user tries to browse, the user is asked to enter a username and password.

Almost all wireless components already support this protocol.
Weaknesses of WEP

• The weak-key problem: the RC4 algorithm used can be broken.
• WEP uses static keys
• The WEP initialization vector (IV) problem
• The message integrity problem of the Cyclic Redundancy Check (CRC-32)
WPA (Wi-Fi Protected Access)
A system that can also be applied to secure a wireless network.

The WPA security method was created to complement the earlier system, WEP.

WPA implements an IEEE layer, namely 802.11i. In future WPA will be used more widely in wireless network security implementations.
WPA (Wi-Fi Protected Access)
The WPA technique was designed to replace the WEP security method, which uses a static security key, with TKIP (Temporal Key Integrity Protocol), whose keys can change dynamically.

The TKIP protocol takes the master key as a starting point and then changes it regularly, so that no encryption key is used twice.
Advantages of WPA
Improves data encryption with the Temporal Key Integrity Protocol (TKIP). The cipher used is still the same as in WEP, namely RC4, because WPA is fundamentally an improvement of WEP and not an entirely new level of security, although some devices already support AES encryption, which is the encryption with the highest security.
Weaknesses of WPA
The weakness of WPA so far is its longer encryption/decryption calculation and larger data overhead.

In other words, data transmission will be slower than if you use the WEP protocol.

Not all wireless hardware supports it yet; usually a firmware or driver upgrade, or even particular software, is needed.
MAC Filter
MAC Address Filtering is a filtering method for restricting the access rights of a given MAC Address.

Almost every wireless access point and router is equipped with MAC Filtering security.

MAC filters are also a good security method in a WLAN, as they are sensitive to kinds of disruption such as:
• theft of a PC card listed in an access point's MAC filter
• sniffing of the WLAN
Function of MAC Filter
The MAC filter's function is to select which computers may enter the network, based on MAC Address. If a computer is not registered, it cannot enter the network.

MAC Address filtering restricts which users can access the wireless network. The MAC address of the user's computer is registered in advance so that it can connect to the wireless network.
Weakness of MAC Filter
MAC Addresses can be discovered with the KisMAC software. Once known, a MAC Address can be imitated without conflict, even when many identical MAC Addresses are connected to one AP.
Wireless Security of 802.11

 The IEEE 802.11 specification identified several services to provide a secure operating environment. The security services are provided largely by the Wired Equivalent Privacy (WEP) protocol to protect link-level data during wireless transmission between clients and access points. WEP does not provide end-to-end security, but only for the wireless portion of the connection.
Basic security services defined by IEEE

 The three basic security services defined by IEEE for the WLAN
environment are as follows:
 Authentication—A primary goal of WEP was to provide a security service
to verify the identity of communicating client stations. This provides access
control to the network by denying access to client stations that cannot
authenticate properly. This service addresses the question, “Are only
authorized persons allowed to gain access to my network?”
 Confidentiality—Confidentiality, or privacy, was a second goal of WEP. It
was developed to provide “privacy achieved by a wired network.” The intent
was to prevent information compromise from casual eavesdropping (passive
attack). This service, in general, addresses the question, “Are only authorized
persons allowed to view my data?”
 Integrity—Another goal of WEP was a security service developed to ensure
that messages are not modified in transit between the wireless clients and the
access point in an active attack. This service addresses the question, “Is the
data coming into or exiting the network trustworthy—has it been tampered
with?”
Authentication

 The IEEE 802.11 specification defines two means to “validate” wireless users attempting to gain access to a wired network: open-system authentication and shared-key authentication.
 One means, shared-key authentication, is based on cryptography, and the other is not. The open-system authentication technique is not truly authentication; the access point accepts the mobile station without verifying the identity of the station. It should be noted also that the authentication is only one-way: only the mobile station is authenticated. The mobile station must trust that it is communicating with a real AP.
Privacy

 The 802.11 standard supports privacy (confidentiality) through the use of cryptographic techniques for the wireless interface. The WEP cryptographic technique for confidentiality uses the RC4 symmetric-key stream cipher algorithm to generate a pseudo-random data sequence.
Integrity

 The IEEE 802.11 specification also outlines a means to provide data integrity for
messages transmitted between wireless clients and access points. This security service
was designed to reject any messages that had been changed by an active adversary “in
the middle.” This technique uses a simple encrypted Cyclic Redundancy Check
(CRC) approach.
IEEE 802.11 Basic Security Mechanisms

 Service Set Identifier (SSID)
 MAC Address filtering
 Wired Equivalent Privacy (WEP) protocol

802.11 products are shipped by the vendors with all security mechanisms disabled!
Security Threats

 Network security attacks are typically divided into passive and active attacks. These two broad classes are then subdivided into other types of attacks.
Passive Attack

 Passive Attack—An attack in which an unauthorized party gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be either eavesdropping or traffic analysis (sometimes called traffic flow analysis). These two passive attacks are described below.
 Eavesdropping—The attacker monitors transmissions for message content.
An example of this attack is a person listening into the transmissions on a
LAN between two workstations or tuning into transmissions between a
wireless handset and a base station.
 Traffic analysis—The attacker, in a more subtle way, gains intelligence by
monitoring the transmissions for patterns of communication. A considerable
amount of information is contained in the flow of messages between
communicating parties.
Active Attack
 Active Attack—An attack whereby an unauthorized party makes
modifications to a message, data stream, or file. It is possible to detect this
type of attack but it may not be preventable. Active attacks may take the form
of one of four types (or combination thereof): masquerading, replay, message
modification, and denial-of-service (DoS).
 Masquerading—The attacker impersonates an authorized user and thereby
gains certain unauthorized privileges.
 Replay—The attacker monitors transmissions (passive attack) and
retransmits messages as the legitimate user.
 Message modification—The attacker alters a legitimate message by
deleting, adding to, changing, or reordering it.
 Denial-of-service—The attacker prevents or prohibits the normal use or
management of communications facilities.
Technical Countermeasures

 Technical countermeasures involve the use of hardware and software solutions to help secure the wireless environment.
 Software countermeasures include proper AP configurations
(i.e., the operational and security settings on an AP), software
patches and upgrades, authentication, intrusion detection
systems (IDS), and encryption.
 Hardware solutions include smart cards, VPNs, public key
infrastructure (PKI), and biometrics. It should be noted that
hardware solutions, which generally have software components,
are listed simply as hardware solutions.
Service Set Identifier (SSID) and their limits!
 Limits access by identifying the service area covered by the
access points.
 AP periodically broadcasts SSID in a beacon.
 End station listens to these broadcasts and chooses an AP to
associate with based upon its SSID.
 Use of SSID is a weak form of security, as beacon management frames on an 802.11 WLAN are always sent in the clear.
 A hacker can use analysis tools (e.g. AirMagnet, NetStumbler, AiroPeek) to identify the SSID.
 Some vendors use default SSIDs which are pretty well known (e.g. Cisco uses "tsunami").
MAC Address Filtering

The system administrator can specify a list of MAC addresses that can communicate through an access point.
Advantage:
 Provides slightly stronger security than SSID
Disadvantages:
 Increases administrative overhead
 Reduces scalability
 Determined hackers can still break it
Wired Equivalent Privacy (WEP)
 Designed to provide confidentiality to a wireless network similar to that of
standard LANs.
 WEP is essentially the RC4 symmetric key cryptographic algorithm (same
key for encrypting and decrypting).
 Transmitting station concatenates 40 bit key with a 24 bit Initialization Vector
(IV) to produce pseudorandom key stream.
 Plaintext is XORed with the pseudorandom key stream to produce ciphertext.
 Ciphertext is concatenated with IV and transmitted over the Wireless
Medium.
 Receiving station reads the IV, concatenates it with the secret key to produce
local copy of the pseudorandom key stream.
 Received ciphertext is XORed with the key stream generated to get back the
plaintext.
WEP has its cost!
WEP – vulnerability to attack

 WEP has been broken! Walker (Oct 2000), Borisov et al. (Jan 2001), Fluhrer-Mantin-Shamir (Aug 2001).
 Unsafe at any key size: testing reveals WEP encapsulation remains insecure whether its key length is 1 bit or 1000 or any other size.
 More about this at: http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip
WEP Overview
 WEP relies on a shared key K between communicating parties
1. Checksum: For a message M, we calculate c(M). The plaintext is P = {M, c(M)}
2. Encryption: The plaintext is encrypted using RC4. RC4 requires an initialization vector (IV) v, and the key K. Output is a stream of bits called the keystream. Encryption is XOR with P.
$C = P \oplus \mathrm{RC4}(v, K)$
3. Transmission: The IV and the ciphertext C are transmitted.

[Figure: WEP encapsulation. The message and its CRC are XORed with RC4(v, K); the IV v and the ciphertext are transmitted.]
WEP Security Goals
 WEP had three main security goals:
– Confidentiality: Prevent eavesdropping
– Access Control: Prevent inappropriate use of 802.11 network, such
as facilitate dropping of not-authorized packets
– Data Integrity: Ensure that messages are not altered or tampered
with in transit
 The basic WEP standard uses a 40-bit key (with a 24-bit IV)
 Additionally, many implementations allow for a 104-bit key (with a 24-bit IV)
 None of the three goals are provided in WEP due to serious
security design flaws and the fact that it is easy to eavesdrop on
WLAN
WEP (Vernam) Key Stream Reuse
 Vernam-style stream ciphers are susceptible to attacks when the same IV and key are reused:
$C_1 = P_1 \oplus \mathrm{RC4}(v, K)$
$C_2 = P_2 \oplus \mathrm{RC4}(v, K)$
$C_1 \oplus C_2 = P_1 \oplus \mathrm{RC4}(v, K) \oplus P_2 \oplus \mathrm{RC4}(v, K) = P_1 \oplus P_2$

 Particularly weak to a known-plaintext attack: if P1 is known, then P2 is easy to find (as is the keystream RC4(v, K)).
– This might occur when contextual information gives P1 (e.g. application-level or network-level information reveals information)
 Even so, there are techniques to recover P1 and P2 when just (P1 XOR P2) is known (frequency analysis, crib dragging)
– Example: look for two texts that XOR to the same value
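The encapsulation steps from the WEP slides above and the keystream-reuse identity C1 ⊕ C2 = P1 ⊕ P2, as an added Python example (not code from the original slides): RC4 is implemented inline, CRC-32 comes from zlib, and the key, IV and messages are constructed sample values. Decryption is included so the receiver's ICV check is visible.

```python
# Added example (not from the original slides): a toy WEP encapsulation
# following the slides' steps, plus the keystream-reuse identity
# C1 xor C2 = P1 xor P2. RC4 is implemented inline; CRC-32 comes from zlib.
import struct
import zlib
from typing import Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_icv(data: bytes) -> bytes:
    """c(M): the CRC-32 integrity check value, little-endian as in 802.11."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """Slide steps 1-3: P = {M, c(M)}; C = P xor RC4(v || K); transmit (v, C).
    WEP seeds RC4 with the 24-bit IV prepended to the shared key."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    plaintext = message + crc32_icv(message)             # step 1: checksum
    keystream = rc4_keystream(iv + key, len(plaintext))  # step 2: RC4(v, K)
    return iv, xor(plaintext, keystream)                 # step 3: (v, C)


def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Receiver: regenerate RC4(v || K), strip it, then verify the ICV."""
    keystream = rc4_keystream(iv + key, len(ciphertext))
    plaintext = xor(ciphertext, keystream)
    message, icv = plaintext[:-4], plaintext[-4:]
    return message if icv == crc32_icv(message) else None


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same (v, K): C1 xor C2 = P1 xor P2. The keystream
    cancels, so the XOR of the plaintexts is exposed without knowing K."""
    return xor(c1, c2)


# Constructed sample values: a 40-bit key, one IV reused for both frames,
# and two equal-length messages.
KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("000001")
M1 = b"GET /index.html "
M2 = b"POST /login.php "

if __name__ == "__main__":
    _, c1 = wep_encrypt(KEY, IV, M1)
    _, c2 = wep_encrypt(KEY, IV, M2)
    leak = keystream_reuse_leak(c1, c2)
    # Knowing M1 (a guessable request line) gives M2 directly from the leak.
    print(wep_decrypt(KEY, IV, c1) == M1, xor(leak[:len(M1)], M1) == M2)
```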
WEP’s Proposed Fix
 WEP’s engineers were aware (it seems??) of this weakness and required a per-packet IV strategy to vary key stream generation
 Problems:
– Keys, K, typically stay fixed, so eventual reuse of an IV means eventual repetition of the keystream!
– IVs are transmitted in the clear, so it is trivial to detect IV reuse
– Many cards set the IV to 0 at startup and increment it sequentially from there
– Even so, the IV is only 24 bits!
 Calculation: Suppose you send 1500-byte packets at 5 Mbps; then the 2^24 possible IVs will be used up in 11.2 hours!
 Even worse: we should expect to see at least one collision after 5000 packets are sent!
 Thus, we will see the same IV again… and again…
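The two numbers on this slide, carried through as an added worked calculation (not part of the original slides); the third line uses the birthday bound, which the slide states only as a result:

```latex
\begin{aligned}
t_{\text{packet}} &= \frac{1500 \times 8\ \text{bit}}{5 \times 10^{6}\ \text{bit/s}} = 2.4\ \text{ms} \\
T_{\text{exhaust}} &= 2^{24} \cdot t_{\text{packet}} = 16\,777\,216 \times 2.4\ \text{ms} \approx 40\,265\ \text{s} \approx 11.2\ \text{h} \\
n_{1/2} &\approx \sqrt{2 \cdot 2^{24} \cdot \ln 2} \approx \sqrt{2.33 \times 10^{7}} \approx 4822 \approx 5000\ \text{packets,} \\
&\text{i.e. a repeated IV is more likely than not after } 5000 \times 2.4\ \text{ms} = 12\ \text{s}
\end{aligned}
```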
WEP Decryption Dictionaries
 Once a plaintext is known for an IV collision, the adversary can
obtain the key stream for that specific IV!
 The adversary can gather the keystream for each IV collision he
observes
– As he does so, it becomes progressively easier to decrypt future
messages (and he will get improved context information!)
– The adversary can build a dictionary of (IV, keystream)
 This dictionary attack is effective regardless of keysize as it only
depends on IV size!
WEP Weakness in Message Authentication

 The checksum used by WEP is CRC-32, which is not a cryptographic checksum (MAC)
– The purpose of the checksum is to see if noise modified the message, not to prevent “malicious” and intelligent modifications
 Property of CRC: the checksum is a linear function of the message
$c(x \oplus y) = c(x) \oplus c(y)$
 This property allows one to make controlled modifications to a ciphertext without disrupting the checksum:
– Suppose ciphertext C is:
$C = \mathrm{RC4}(v, K) \oplus \{M, c(M)\}$
– We can make a new ciphertext C’ that corresponds to an M’ of our choosing
– Then we can spoof the source by: A → B: {v, C’}
WEP: Spoofing the Source
 Our goal: produce an $M' = M \oplus d$ and a corresponding checksum that will pass the checksum test. (Hence, we will need to make a plaintext P’ = {M’, c(M’)} and a corresponding ciphertext C’)
 Start by choosing our own d value, and calculate its checksum.
 Observe:
$C' = C \oplus \{d, c(d)\}$
$= \mathrm{RC4}(v, K) \oplus \{M, c(M)\} \oplus \{d, c(d)\}$
$= \mathrm{RC4}(v, K) \oplus \{M \oplus d, c(M) \oplus c(d)\}$
$= \mathrm{RC4}(v, K) \oplus \{M', c(M \oplus d)\}$
$= \mathrm{RC4}(v, K) \oplus \{M', c(M')\}$
 Thus, we have produced a new plaintext of our choosing and made a corresponding ciphertext C’
 Does not require knowledge of M; in fact, we can choose d to flip bits!
WEP Message Injection (No Access Control!)

 Property: the WEP checksum is an unkeyed function of the message.
 If an attacker can obtain an entire plaintext corresponding to a frame, he will then be able to inject arbitrary traffic into the network (for the same IV):
1. Get RC4(v, K)
2. For any message M’ form $C' = \mathrm{RC4}(v, K) \oplus \{M', c(M')\}$
 Why did this work? c(M) only depended on M and not on any key!
 (Note: an adversary can easily masquerade as an AP since there are no mechanisms to prevent IV reuse at the AP level!)
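The checksum derivation on the preceding slides, made concrete as an added Python example (not from the original slides), with a keyed MAC beside it to show what an integrity check has to provide. One caveat the slides gloss over: with the initial value and final complement that 802.11 and zlib use, CRC-32 is affine rather than strictly linear, c(x ⊕ y) = c(x) ⊕ c(y) ⊕ c(0…0), and the code folds in that length-only constant. The stand-in keystream, the keys and the messages are all constructed values.

```python
# Added example (not from the original slides): CRC-32 as WEP's ICV is an
# unkeyed, affine-linear function of the message, so a modified frame can
# still carry a valid ICV; a keyed MAC does not have this property.
import hashlib
import hmac
import struct
import zlib

# Constructed stand-in for RC4(v, K): any fixed keystream the receiver can
# regenerate shows the same effect, so RC4 itself is not needed here.
KEYSTREAM = hashlib.sha256(b"constructed keystream for this example").digest()
MAC_KEY = b"constructed-integrity-key"   # separate key for the keyed variant


def c(data: bytes) -> bytes:
    """WEP's checksum c(M): CRC-32 (zlib convention, as in 802.11)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(x: bytes, y: bytes) -> bool:
    """c(x xor y) == c(x) xor c(y) xor c(0^n) for equal-length x, y.
    The slide's c(x xor y) = c(x) xor c(y) is the same identity for the raw
    CRC; the constant c(0^n) depends only on the length and is public."""
    return c(xor(x, y)) == xor(xor(c(x), c(y)), c(bytes(len(x))))


def encapsulate(message: bytes) -> bytes:
    """C = RC4(v, K) xor {M, c(M)}, with the stand-in keystream."""
    return xor(message + c(message), KEYSTREAM)


def decapsulate(ciphertext: bytes):
    """Receiver: strip the keystream and accept only if the ICV matches."""
    plaintext = xor(ciphertext, KEYSTREAM)
    message, icv = plaintext[:-4], plaintext[-4:]
    return message if icv == c(message) else None


def controlled_modification(ciphertext: bytes, d: bytes) -> bytes:
    """The slide's C' = C xor {d, c(d)} with the length constant folded in.
    Uses neither the key nor the keystream; the result decapsulates to
    M' = M xor d with a correct ICV, which is the integrity failure."""
    n = len(ciphertext) - 4
    assert len(d) == n, "d must cover the message part of the frame"
    return xor(ciphertext, d + xor(c(d), c(bytes(n))))


# --- Hardened form: a keyed MAC (HMAC-SHA256, truncated to 8 bytes) ---
def encapsulate_keyed(message: bytes) -> bytes:
    tag = hmac.new(MAC_KEY, message, hashlib.sha256).digest()[:8]
    return xor(message + tag, KEYSTREAM)


def decapsulate_keyed(ciphertext: bytes):
    plaintext = xor(ciphertext, KEYSTREAM)
    message, tag = plaintext[:-8], plaintext[-8:]
    expected = hmac.new(MAC_KEY, message, hashlib.sha256).digest()[:8]
    return message if hmac.compare_digest(tag, expected) else None


# Constructed sample: d flips one bit so that "port 22" reads "port 23".
M = b"connect port 22"
D = bytes(len(M) - 1) + bytes([ord("2") ^ ord("3")])

if __name__ == "__main__":
    print(decapsulate(controlled_modification(encapsulate(M), D)))   # CRC accepts
    print(decapsulate_keyed(xor(encapsulate_keyed(M), D + bytes(8))))  # None
```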
Other Security Problems of 802.11
 Easy Access
 "Rogue" Access Points
 Unauthorized Use of Service
 Traffic Analysis and Eavesdropping
 Higher Level Attacks
Drive By Hacking (War Driving)

[Figure: war-driving scenario. An intruder with an iPaq, notebook, PalmPilot or mobile phone sits less than 1500 ft from the access point, which connects through an access port switch to the main corporate backbone and its servers.]
If the distance from the Access Point to the street outside is 1500 feet or less, then an intruder could also get access while sitting outside.
WarWalking
WarChalking

 If these marks suddenly appear in front of your house, it means a "warrior" has just passed by. If you happen to meet the person, don't forget to rap him on the head for dirtying your house!
War-driving expeditions
In one 30-minute journey using the Pringles can antenna, witnessed by
BBC News Online, the security company I-SEC managed to find and gain
information about almost 60 wireless networks.
War Chalking

 The practice of marking a series of symbols on sidewalks and walls to indicate nearby wireless access. That way, other computer users can pop open their laptops and connect to the Internet wirelessly.
What are the major security risks to 802.11b?

 Insertion Attacks (Intrusions!)
 Interception and monitoring of wireless traffic
 Misconfiguration
 Jamming
 Client-to-Client Attacks (Intrusions also!)
Packet Sniffing
Jamming (Denial of Service)

 Broadcast radio signals at the same frequency as the wireless Ethernet transmitters - 2.4 GHz
 To jam, you just need to broadcast a radio signal at the same frequency but at a higher power.
 Waveform Generators
 Microwave
Replay Attack

[Figure: replay attack. Alice and Bob (the good guys) exchange authorized WEP communications; Eve (the bad guy) eavesdrops and records them, then plays back selections.]
Measures to strengthen WLAN security

Recommendations
Wireless LAN related Configuration
 Enable WEP, use a 128-bit key*
 Use the encryption technologies
 Disable SSID Broadcasts
 Change the default Access Point name
 Choose a complex admin password
 Apply Filtering
 Use the MAC (hardware) address to restrict access
 Use 802.1x
 Enable the firewall function
Other proposed countermeasures

 Adopt a personal identification system for physical access control.
 Disable file and directory sharing on PCs.
 Ensure that sensitive files are password protected and encrypted.
 Turn off all unnecessary services on the AP.
 If practical, power off the AP(s) when not in use.
 If the AP supports logging, turn it on and review the logs regularly.
 Secure AP configuration as follows:
– Choose robust password to ensure a higher level of security.
– Use 128-bit encryption.
– Create MAC ACLs and enable checking in APs.
– Change SSID from default setting and suppress its broadcast.
– Change WEP keys from default settings.
– Disable remote SNMP.
 Conduct site survey and strategically place wireless APs.
 Deploy VPN overlay (gateway and client) with integral firewall.
 Establish comprehensive security policies regarding use of
wireless devices.
 Deploy personal firewalls and antivirus software on the wireless
clients.
 Investigate 802.11 products with best long-term wireless
security strategy and longevity in marketplace.
 Select products with SNMPv3 (or other encrypted management
capabilities) on the APs and the integrated firewall-VPN device.
Wireless Network tools

 MAC Spoofing
 http://aspoof.sourceforge.net/
 http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
 http://www.klcconsulting.net/smac/
 WEP Cracking tools
 http://www.backtrack-linux.org/
 http://www.remote-exploit.org/articles/backtrack/index.html
 http://wepattack.sourceforge.net/
 http://wepcrack.sourceforge.net/
 Wireless Analysers
 http://www.kismetwireless.net/
 http://www.netstumbler.com/
Wireless Network Security

Major Papers on 802.11 Security

 Intercepting Mobile Communications: The Insecurity of 802.11 (Borisov, Goldberg, and Wagner 2001)
 Your 802.11 Wireless Network Has No Clothes (Arbaugh, Shankar, and Wan 2001)
 Weaknesses in the Key Scheduling Algorithm of RC4 (Fluhrer, Mantin, and Shamir 2001)
 The IEEE 802.11b Security Problem, Part 1 (Joseph Williams, 2001, IEEE)
 An IEEE 802.11 Wireless LAN Security White Paper (Jason S. King, 2001)
