Seven Security Problems of 802.11 Wireless

Problem #5: MAC Spoofing and Session Hijacking

802.11 networks do not authenticate frames. Every frame has a source address, but there is no guarantee that the station sending the frame actually put the frame "in the air." Just as on traditional Ethernet networks, there is no protection against forgery of frame source addresses.

Attackers can use spoofed frames to redirect traffic and corrupt ARP tables. At a much simpler level, attackers can observe the MAC addresses of stations in use on the network and adopt those addresses for malicious transmissions.

To prevent this class of attacks, user authentication mechanisms are being developed for 802.11 networks. By requiring authentication by potential users, unauthorized users can be kept from accessing the network. (Denial of service attacks will still be possible, though, because nothing can keep attackers from having access to the radio layer.)

The basis for the user authentication mechanism is the 802.1x standard ratified in June 2001. 802.1x can be used to require user authentication before accessing the network, but additional features are necessary to provide all of the key management functionality wireless networks require. The additional features are currently being ironed out by Task Group I for eventual ratification as 802.11i.

Attackers can use spoofed frames in active attacks as well. In addition to hijacking sessions, attackers can exploit the lack of authentication of access points. Access points are identified by their broadcasts of Beacon frames. Any station that claims to be an access point and broadcasts the right service set identifier (SSID, also commonly called a network name) will appear to be part of an authorized network.

Attackers can, however, easily pretend to be an access point because nothing in 802.11 requires an access point to prove it really is an access point. At that point, the attacker could potentially steal credentials and use them to gain access to the network through a man-in-the-middle (MITM) attack.

Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, access points will need to prove their identity before clients provide authentication credentials, and credentials are protected by strong cryptography for transmission over the air.

Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication. Until that point, if session hijacking is a concern, you must deploy a cryptographic protocol on top of 802.11 to protect against hijacking.
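The section above notes that any station beaconing the right SSID looks like a legitimate access point. One defensive consequence is that a monitoring station can at least notice when an unknown BSSID starts advertising an SSID you operate. The following is an added example, not code from the article or from any product it mentions: it parses minimal 802.11 beacon frames (constructed here rather than captured) and reports BSSIDs beaconing a managed SSID without being on the authorized list. The SSID name, BSSIDs and `AUTHORIZED` table are assumed sample values.

```python
import struct

# Frame layout follows the 802.11 management frame format: frame control(2) duration(2)
# addr1(6) addr2(6) addr3(6) seq ctl(2), then for a beacon the fixed fields timestamp(8)
# beacon interval(2) capability(2), followed by (tag, length, value) information elements.
BEACON_FC = 0x0080  # frame control: version 0, type 0 (management), subtype 8 (beacon)
SSID_TAG = 0

def build_beacon(bssid: bytes, ssid: str, seq: int = 0) -> bytes:
    """Assemble a minimal beacon frame (constructed test input, not a real capture)."""
    hdr = struct.pack("<HH6s6s6sH", BEACON_FC, 0, b"\xff" * 6, bssid, bssid, seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, beacon interval, capability
    return hdr + fixed + bytes([SSID_TAG, len(ssid)]) + ssid.encode()

def parse_beacon(frame: bytes):
    """Return (bssid, ssid) for a beacon frame, or None for any other frame type."""
    if len(frame) < 36:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) != BEACON_FC:  # compare only the type/subtype bits
        return None
    bssid = frame[16:22]  # addr3 carries the BSSID in a beacon
    off, ssid = 36, ""
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        if tag == SSID_TAG:
            ssid = frame[off + 2:off + 2 + length].decode("utf-8", errors="replace")
            break
        off += 2 + length
    return bssid, ssid

def find_rogue_aps(frames, authorized):
    """authorized maps each SSID you operate to the set of BSSIDs allowed to beacon it.
    Any other BSSID beaconing one of those SSIDs is reported as a candidate impostor AP."""
    rogues = []
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None:
            continue
        bssid, ssid = parsed
        if ssid in authorized and bssid not in authorized[ssid]:
            rogues.append((bssid.hex(":"), ssid))
    return rogues

AUTHORIZED = {"corpnet": {bytes.fromhex("00a0c9000001")}}  # assumed sample inventory
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("00a0c9000001"), "corpnet", seq=10),  # our own AP
    build_beacon(bytes.fromhex("020000abcdef"), "corpnet", seq=3),   # unknown BSSID, our SSID
    build_beacon(bytes.fromhex("00a0c9000002"), "guest", seq=7),     # an SSID we do not run
]
```

Because an impostor can also copy a legitimate BSSID, a BSSID allowlist is a first screen only; the article's conclusion that real protection needs authenticated frames or a cryptographic layer above 802.11 still stands.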

Problem #6: Traffic Analysis and Eavesdropping

802.11 provides no protection against attacks that passively observe traffic. The main risk is that 802.11 does not provide a way to secure data in transit against eavesdropping. Frame headers are always "in the clear" and are visible to anybody with a wireless network analyzer. Security against eavesdropping was supposed to be provided by the much-maligned Wired Equivalent Privacy specification.

A great deal has been written about the flaws in WEP. It protects only the initial association with the network and user data frames. Management and control frames are not encrypted or authenticated by WEP, leaving an attacker wide latitude to disrupt transmissions with spoofed frames.

Early WEP implementations are vulnerable to cracking by tools such as AirSnort and WEPCrack, but the latest firmware releases from most vendors eliminate all known attacks. The latest products go one step farther and use key management protocols to change the WEP key every 15 minutes. Even the busiest wireless LAN does not generate enough data for known attacks to recover the key in 15 minutes.

Whether you rely solely on WEP or layer stronger cryptographic solutions on top of it is largely a question of risk management. The latest product releases have no known vulnerabilities. While that is some comfort, the same claim could have been made in July 2001, before the release of the current generation of WEP-cracking tools. If your wireless LAN is being used for sensitive data, WEP may very well be insufficient for your needs. Strong cryptographic solutions like SSH, SSL, and IPSec were designed to transmit data securely over public channels, have proven resistant to attack over many years, and will almost certainly provide a higher level of security.

Problem #7: Higher Level Attacks

Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. Many networks have a hard outer shell composed of perimeter security devices that are carefully configured and meticulously monitored. Inside the shell, though, is a soft, vulnerable (and tasty?) center.

Wireless LANs can be deployed quickly if they are directly connected to the vulnerable backbone, but that exposes the network to attack. Depending on the perimeter security in place, it may also expose other networks to attack, and you can bet that you will be quite unpopular if your network is used as a launch pad for attacks on the rest of the world. The solution is straightforward in theory: treat the wireless network as something outside the security perimeter, but with special access to the inside of the network. Although security diligence is time consuming, so is being sued.


Although wireless LAN security can seem challenging because of the press it has generated, most of the challenges can be addressed by reasonable security precautions. Network designs will, of course, continue to be affected by the development of new technologies and user demands.

The next wave of wireless LANs is likely to be driven by mobility. 802.11 provides link-layer mobility. Users can move transparently within an IP subnet with no effect on their applications or connection. Once you leave the cozy confines of a single network segment, though, all bets are off. For now, I'll leave mobility to the realm of new technology that is just over the horizon, as well as the network engineers who will need to make sense of it when it arrives.

Matthew Gast is the director of product management at Aerohive Networks responsible for the software that powers Aerohive's networking devices.

O'Reilly & Associates published 802.11 Wireless Networks: The Definitive Guide by Matthew Gast in April, 2002.
