
Review on Wireless Security and Loopholes

Ravindra Saini, Mahesh Kumar Saini, Mukesh Jakhar


Department of Information Technology RCERT, Jaipur (Raj) India
ravindra89saini@gmail.com mahesh.saini.niit@gmail.com mukesh9660@gmail.com

Abstract

Wireless technologies have emerged and been refined to the point where they are capable of providing service levels that are comparable to their hard-wired alternatives and new - and superior technologies. Wireless Local Area Networks (WLANs) are gaining popularity as they are fast, cost effective, flexible and easy to use. They are, however, faced with some serious security challenges, and the choice of security protocol is a critical issue for IT administrators. The goal of this paper is to make the reader aware of the disadvantages and threats of the wireless security protocols. Attacks on WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are examined in this respect. The protocols are then compared via their common features in order to give some insight to those who work with WLANs. This is a compilation of the wireless security weaknesses and countermeasures that have been put forward until recently. We believe that a thorough understanding of this paper gives the nonspecialist reader a complete review of wireless security and the vulnerabilities associated with it.

I. INTRODUCTION

As mobile computing is getting more popular each day, the use of wireless local area networks (WLANs) is becoming ever more relevant. If we are connected to a wired network, our mobility is undoubtedly affected. A wireless network provides mobile users with access to real-time information so that they can roam around in the network without getting disconnected from it. This mobility supports productivity and service opportunities not possible with wired networks. While the initial investment required for wireless network hardware can be higher than the cost of wired network hardware, overall installation expenses and life-cycle costs can be significantly lower in dynamic environments. Wireless systems can be configured in a variety of topologies to meet the needs of specific applications and installations. Configurations can be easily changed and range from peer-to-peer networks suitable for a small number of users to large infrastructure networks that enable roaming over a broad area. One thing is clear: wireless technologies will continue to evolve and offer organizations and end users a higher standard of life by making us more mobile and increasing our ability to interact with each other, removing distance as a barrier.

A major problem with wireless networks is the ease of signal interception. Wireless networks broadcast messages using radio waves through the air, where any receiver can intercept them. Traffic can be passively observed without any protection. The main risk is that IEEE 802.11 does not provide a way to secure data in transit against eavesdropping. That is why wireless networks face some security challenges, and this is where encryption standards come into the picture. Securing our intellectual property and information from attackers becomes a major issue, and the choice of security protocol is a critical issue for IT administrators. In the next section we briefly explain the wireless security protocols (WEP, WPA, WPA2), the cracking of wireless networks and vulnerable security loopholes, and finally conclude with WLAN security safeguards.

II. SECURITY MECHANISM IN IEEE 802.11 AND IEEE 802.11I

As wireless network data signals are transmitted over the air, they are vulnerable to eavesdropping. Thus, the confidentiality of transmitted data must be protected, at any cost, by means of encryption. The IEEE 802.11 standards define the security mechanisms WEP, WPA and WPA2. This provides an easy-to-manage, secure solution with strong authentication and encryption of network traffic.

A. Wired Equivalent Privacy

Wired Equivalent Privacy is a standard encryption for wireless networking. WEP provides security to a WLAN by encrypting the information transmitted over the air, so that only the receivers who have the correct encryption key can decrypt the information. If a user activates WEP, the network interface card encrypts each 802.11 frame, before transmission, using an RC4 stream cipher provided by RSA Security. WEP performs encryption of information as follows:

Plaintext (P) = Message (M) + Integrity Check Sum of Message (C(M))

1. Keystream = RC4(v, k), where v is the 24-bit Initialization Vector (IV) and k is the shared key
2. Ciphertext (C) = Plaintext (P) + Keystream
3. Transmitted data = v + Ciphertext

The decryption is done by using the reverse process as follows:

1. Ciphertext (C) + Keystream = Plaintext (P)

1). Security loopholes with WEP: The static nature of the wireless keys in WEP is its biggest weakness, because it gives an attacker plenty of time to find out the encryption key of the network. Since the Initialization Vector is only 24 bits, there can be only approximately 16.7 million possible values, which is actually not that many. This means that a unique IV cannot be generated each time a packet is sent; after some time there is a high probability that the same IV is generated and a duplicate WEP key may be generated. This makes WEP quite vulnerable to being targeted by attackers.

The biggest problem with WEP is that it transmits the IV in plaintext along with all the encrypted data that it sends. Hence an attacker can passively sniff all traffic on a WEP network and easily read the plaintext IV of each and every encrypted data packet being sent. After some time, the attacker is able to sniff enough data packets and IVs by which WEP can be determined. Once the IV is determined, the attacker can find the pre-shared key using a data sniffer (Wireshark) which records the plaintext and encrypted text (data). Another common vulnerability with WEP is the fact that there are some known weak keys that allow an obvious correlation between the encrypted data and the plaintext data. It is possible for an attacker to use a data sniffer to specifically record those weak keys and try to crack WEP. WEP is exposed to several passive attacks. It also suffers from brute force attacks where the IV is generated by the pseudo-random generator.

2). Cracking of WEP is done by aircrack-2.41: Both 64-bit WEP and 128-bit WEP key cracking were tested and analyzed by us. The cracking was done using a laptop with aircrack-2.41 software. Thus, WEP does not use the RC4 encryption algorithm in a proper way, in that it exposes the protocol to weak key attacks. It is most vulnerable to the Cafe-Latte attack, fake authentication attack, MAC filtering, passive sniffing, ARP poisoning etc.

Fig. 1. Cracking of WEP using Aircrack-ng
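The WEP encapsulation steps of section II.A and the IV-reuse loophole of 1) above can be checked with the following Python sketch, which is an added example and not code from the paper. In WEP the "+" that combines plaintext and keystream is a bitwise XOR and the integrity check sum is a CRC-32; the key, IV and messages are constructed sample values.

```python
import math
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling, then generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(message: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the message, little-endian."""
    return zlib.crc32(message).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, message: bytes) -> bytes:
    """Steps 1-3: keystream = RC4(v || k); C = P xor keystream; send v || C."""
    plaintext = message + icv(message)
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse process; the receiver reads v from the cleartext frame header."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(message) != received_icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return message

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that two of `frames` random IVs coincide."""
    return 1.0 - math.exp(-frames * (frames - 1) / 2 ** (iv_bits + 1))

# Constructed sample values (not from the paper): 40-bit key, one repeated IV.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")
M1, M2 = b"GET /index.html", b"POST /login.php"
F1, F2 = wep_encrypt(IV, KEY, M1), wep_encrypt(IV, KEY, M2)

if __name__ == "__main__":
    print(wep_decrypt(KEY, F1))                      # round trip
    print(xor(F1[3:], F2[3:])[:15] == xor(M1, M2))   # keystream cancels
```

With randomly chosen IVs a repeat becomes more likely than not after roughly 5,000 frames, and two frames sharing an IV leak the XOR of their plaintexts without any knowledge of the key, which is why a 24-bit IV sent in cleartext cannot protect a static key.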

3). Configuring WEP in a more secure way: Provide the pre-shared key only to authenticated users. Enable the highest security available by configuring a 128-bit encryption key. Change the encryption key dynamically if possible. Use a combination of MAC address and encryption key for authentication. Use WPA or WPA2 for better data confidentiality.

B. Wi-Fi Protected Access

It is an improved version of WEP. It provides better data encryption using TKIP (Temporal Key Integrity Protocol), which scrambles the key using a hashing algorithm and also checks the integrity of the key to detect any tampering. It provides better user authentication through the Extensible Authentication Protocol (EAP), which uses a robust public key encryption system to ensure only authorized users can connect to the network. Typically in WPA-TKIP, the router is given a plain English passphrase. TKIP then uses this passphrase and the SSID of the network to generate unique encryption keys for each client on the network. TKIP is able to achieve more than 500 trillion possible combinations of the keys. This passphrase is changed regularly. Moreover, these encryption keys for the clients are constantly changed after every data frame transfer to make it harder for an attacker to crack them.

C. Wi-Fi Protected Access 2

It is an upgraded version of WPA with an increased level of security. It uses the Advanced Encryption Standard (AES) to provide stronger encryption. WPA2 uses a unique key for each client to encrypt every data packet sent over the network and avoids reuse. It is as of now the most secure implementation of encryption over a wireless network.
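The passphrase-and-SSID key derivation described under Wi-Fi Protected Access can be reproduced for auditing purposes with the sketch below, which is an added example and not code from the paper. In WPA/WPA2-Personal the derivation is PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations; the word list, the SSIDs and the 80-bit threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import string

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def entropy_estimate_bits(passphrase: str) -> float:
    """Upper bound: length * log2(size of the character classes in use)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit_passphrase(passphrase: str, ssid: str, wordlist, min_bits: float = 80.0):
    """Return the reasons a passphrase would fall quickly to offline guessing."""
    findings, lowered = [], passphrase.lower()
    if any(word in lowered for word in wordlist):
        findings.append("contains a common dictionary word")
    if ssid.lower() in lowered:
        findings.append("contains the SSID")
    if entropy_estimate_bits(passphrase) < min_bits:   # threshold is an assumption
        findings.append("entropy estimate below threshold")
    return findings

# Constructed sample data (not from the paper).
COMMON_WORDS = ("password", "admin", "qwerty", "letmein", "12345678")

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived key differs because the SSID is the salt.
    print(wpa_pmk("password123", "HomeNet").hex())
    print(wpa_pmk("password123", "OfficeNet").hex())
    print(audit_passphrase("password123", "HomeNet", COMMON_WORDS))
    print(audit_passphrase("t7#Qm!x2Lr9&Vb4z", "HomeNet", COMMON_WORDS))
```

Because the derivation depends only on the passphrase and the SSID, the strength of a WPA-Personal network rests on the passphrase itself, so an audit like this belongs in access point provisioning.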

III. SOME VULNERABLE ATTACKS ON THE WIRELESS NETWORK

A. Session Hijacking

By configuring a wireless station to work as an access point, attackers can launch more efficient attacks. They can then flood the airwaves with continuous disassociate commands. That compels all stations within range to disconnect from the network, reconnect and be disassociated again. Session hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period. An attacker temporarily disables the user's system by any attack. Then the attacker takes the identity of the user. The attacker now has all the access that the user has.

Fig. 2. Block diagram of Session Hijacking

B. MAC Filtering Attacks

Many wireless networks are configured in such a way that APs will allow only a list of trusted MAC addresses to connect. All requests sent by other MAC addresses will be ignored. In that case the attacker finds a trusted MAC address using any sniffer and uses it to connect to that network.

Fig. 3. MAC Filtering Attacks

C. Denial of Service (DoS)

In this type of attack, it is possible to flood the APs with infinite authentication requests from spoofed addresses. This will lead to a clogging up of all the processing power of the APs. It is possible to send spoofed deauthentication packets that seem to originate at the AP to all clients on the network, hence disconnecting them. An attacker may somehow manage to get the information necessary to connect to the network. Hence authentication and de-authentication techniques can be used to execute DoS attacks against a wireless network.

D. Dictionary Based Attacks

It is possible to execute dictionary based attacks against the WPA password. The attacker needs to use a data sniffer to record the data packet exchange when a client connects to the target AP, or the attacker can use the disassociation attack to force a client to disconnect and reconnect to the target access point. Once the attacker has recorded the data exchange between a client and the target access point while the connection is being established, an offline dictionary based attack can be used to crack the WPA password.

IV. WIRELESS NETWORK SECURITY SAFEGUARDS

Wireless networks can never be free of security risk. Being risk free is an ideal concept that just does not exist. But we can try our best to minimize the possible attacks. If the WEP security protocol is used, then the highest encryption technology with a pre-shared key (PSK) should be used, and authentication should be allowed only to the necessary users on the basis of a MAC enabled security mechanism. Turn off the SSID broadcast by the AP and configure the AP not to respond to probe requests with SSID "any" by setting your own SSID. Limiting DHCP clients can restrict the number of clients that can get hooked to the WLAN. The DHCP server can be configured to limit the number of clients. Changing default settings may even help to secure the wireless network. Enabling the log can play an important role in finding any intruder who tried to enter the WLAN. Apply physical constraints on the WLAN for any kind of resource access. Intruder detection software can help to monitor the network activity and to trace unauthorized users. Creating honeypots can play an important role in saving the WLAN or database from any kind of attacker by fooling them. Use WPA and WPA2, the most protective security options, as much as possible. Understand the types of attacks that can be made on wireless networks: active and passive, WEP, authentication, client side etc. Using a firewall between the AP and the wired LAN can secure the wired LAN from further intrusion. The firewall can be configured to filter based on IP address, port numbers, MAC address, and so forth.

V. CONCLUSION

Although we cannot make any network fully secure, we can try our best to minimize the anticipated attacks. A wireless LAN security checklist would include checking on features like access control, access point, antenna operation, authentication, encryption, firewall, network scan, physical security and VPN. The challenge ahead is to make network and system administrators security conscious, thereby allowing them to use the highest level of security in an implemented wireless LAN. Many a time, ignorance holds the key to various information thefts and other attacks, and eventual loss to businesses in hefty sums. The authors feel, as a general precaution, that intelligent intrusion detection or prevention software can help locate many mischiefs in a wireless network.

ACKNOWLEDGMENT

The seminar "Review on Wireless Security and Loopholes" is the outcome of guidance, moral support and devotion bestowed on me throughout my work. For this I acknowledge and express my profound sense of gratitude and thanks to everybody who has been a source of inspiration during the seminar preparation. The consistent guidance and support provided by Mr. Chandra Pal, Associate Professor, RCERT, Sitapura, Jaipur is very thankfully acknowledged for the key role played by him in providing me with his precious ideas, suggestions and help that enabled the shaping of the seminar work. Above all I would like to thank my parents, without whose blessings I would not have been able to accomplish my goal.
