802.11 Wireless Networks
THREATS & MITIGATION
Raviraj Doshi
MIEL- Labs
MIEL e-Security Pvt. Ltd.

Agenda:
802.11 primer
802.11 security mechanisms & flaws
Wi-Fi device driver flaws
Wi-Fi hotspot threats
MIEL e-Security Pvt. Ltd.

What is 802.11?
802.11 is a family of standards set forth by the IEEE
that define the specifications for Wireless Local Area
Networks
802.11 was established in 1997
802.11 covers following OSI layers:
The Datalink Layer
The Physical Layer
MIEL e-Security Pvt. Ltd.

802.11 standards
802.11a
Data rate: up to 54Mbps
Frequency: 5Gz
802.11b
Data rate: up to 11Mbps
Frequency: 2.4Gz
802.11g
Data rate: up to 54Mbps
Frequency: 2.4Gz
802.11n
Data rate: up to 600Mbps
Frequency: 2.4 / 5Gz
MIEL e-Security Pvt. Ltd.

802.11 hardware consists of:
Wireless Client Adapters
PCI Adapter • PCMCIA Adapter
• USB Adapter
Access Point
MIEL e-Security Pvt. Ltd.

How 802.11 works
802.11Designed to integrate easily with existing
wired networks
802.11 uses CSMA/CA to access the medium
Each device has a unique 48bit MAC address just
like 802.3 Ethernet
MIEL e-Security Pvt. Ltd.

802.11 modes of communication
Infrastructure
All client adapters associate with the Access point.
Each client adapter only communicates with the Access Point
Ad-Hoc
Wireless client adapters communicate with each other directly
MIEL e-Security Pvt. Ltd.

Nature of the medium
Unlike on wired networks, all communications are
essentially broadcasts
This makes passive sniffing and MITM easier
Therefore encryption of data is key to secure
communication
MIEL e-Security Pvt. Ltd.

802.11 inbuilt security
Wired Equivalent Privacy (WEP)
Uses RC4 Stream cipher for encryption
WiFi Protected Access (WPA or TKIP)
Uses RC4 Stream cipher for encryption
WPA2
Uses AES Block cipher for encryption
MIEL e-Security Pvt. Ltd.

Wired Equivalent Privacy
WEP implementation has many flaws
WEP encryption is easily broken
Client side attacks on WEP make it even easier
MIEL e-Security Pvt. Ltd.

Wi-Fi Protected Access
WPA or TKIP is more secure than WEP
WPA-PSK is the easiest to implement
WPA-PSK is susceptible to an offline brute-force
attack
WPA2 uses AES and is so far considered secure
MIEL e-Security Pvt. Ltd.

Wi-Fi device driver security
Wi-Fi device drivers may be vulnerable to remote
exploits and DOS
May allow remote code execution at kernel mode
One must always use the latest versions of hardware
drivers.
MIEL e-Security Pvt. Ltd.

Wi-Fi Hotspots
Hotspots offer unencrypted connectivity
MITM & sniffing is very easily implemented
Tools like SSL strip can nullify HTTPS protection
Use of VPN or higher layer encryption is
recommended
MIEL e-Security Pvt. Ltd.

Thank you