The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireless Fidelity Wireless Interfaces



WLAN RISK AND SECURITY

The Risks and Security Standards of Wireless Local Area Network Technologies: Bluetooth and Wireless Fidelity Wireless Interfaces

Lindsey Landolfi
Towson University
Network Security
Professor Charles Pak
July 2011

Mobile information access has become an increasingly prominent aspect of network communications. Mobile devices use wireless technology to communicate with each other; these devices range from cellular phones and personal digital assistants (PDAs) to laptop computers. User demand for mobile access drives constant technological advancement in mobile devices; currently many devices are equipped with specialized hardware and software to enhance functioning. Many consumers overlook the fact that mobile devices function similarly to computers, and that having private data stored on or accessed through a mobile device exposes that data to manipulation, theft, or other forms of attack. This document provides an overview of the risks associated with wireless local area network (WLAN) technologies and the security standards established to counter potential threats, specifically the Bluetooth and Wireless Fidelity (Wi-Fi) wireless interfaces.

Wi-Fi is a widely utilized technology used to establish a wireless connection between electronic devices. Specifications for Wi-Fi operation are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networking standard. Each Wi-Fi network established communicates exclusively on one of the 11 possible channels defined by the IEEE. All devices connecting to a single WLAN must employ the same service set identifier (SSID) in order to communicate with each other; however, it is not necessary for them to be on the same channel. The default SSID contains information about the device manufacturer and model; with this knowledge an attacker can employ any well-known exploits related to that device. To enhance security, users should change a device's pre-defined SSID. Regularly changing the SSID can also deter rogue clients from joining a network.
"Wi-Fi and Bluetooth products both operate in the unlicensed 2.4GHz ISM band." (Shoemake, 2001) However, Wi-Fi products use direct sequence spread spectrum (DSSS), while Bluetooth transmits through FHSS technology. Wi-Fi technology is inherently vulnerable to electromagnetic interference (EMI), since it utilizes radio frequencies to transmit data to and from signal receivers.

There are two possible WLAN configurations, ad hoc and infrastructure; both require the use of a wireless network interface controller (WNIC) in order to connect a device to the WLAN. The infrastructure configuration requires the use of additional Wi-Fi hardware: specifically, a centralized device that receives the incoming radio signals from Wi-Fi stations, known as the wireless access point (WAP). The WAP is responsible for data relay between wireless devices and a wired network at the data-link layer, typically through a router or Ethernet switch. Basically, a WAP is the wireless version of a switch, but instead of copper or fiber-glass wires it connects all devices to the central switch or router via electromagnetic radio waves. A wireless router is essentially a combination of a WAP and a router; it is responsible for directing communication between a wireless device and the next hop towards the data's final destination. Wireless network adapters allow mobile devices to connect with the wireless network; many devices, such as laptop computers, come with internal adapters installed. The wireless adapters must be configured for either ad hoc or infrastructure mode. Wireless ad hoc networks establish a connection between devices without the use of a WAP. The devices must be in range of each other's signal, without major interference. Additionally, the wireless adapters must be configured to the same SSID and channel. The peer-to-peer communication configuration of a Wi-Fi ad hoc network functions similarly to data exchange in Bluetooth ad hoc networks.

Multiple interconnected WAPs are known as a Wi-Fi hotspot. Many major mobile service providers such as AT&T, T-Mobile or Verizon are creating Wi-Fi hotspots in order to provide high-speed wireless internet access to their customers. The potential for commercial profit has spurred the growth of WLAN incorporation into public venues such as airports or cafes. According to a report analyzing WLAN market opportunities, "Broadband Wireless LAN: Public Space and the Last Mile", approximately $9.5 billion in public WLAN service revenue would be generated during 2007, and the continuing expansion of the WLAN market was projected.

Wi-Fi popularity has led to the development of hotspot directories which allow users to locate free commercial wireless services. Wardriving software uses radio signals to locate and collect information on Wi-Fi network sources. While wardriving itself is not malicious, it can support attacks such as WAPjacking, WAPkitting, or social engineering attacks. WAPkitting "refers to any malicious alteration to the wireless access point's configuration or firmware over the wireless connection." (Tsow, n.d.) For example, WAPkitting could execute a man-in-the-middle attack by redirecting traffic in the router away from a legitimate webpage login request towards a malicious server that will store or disclose the unsuspecting user's credentials. WAPjacking modifies firmware settings to the hacker's benefit. A Wi-Fi network router compromised by WAPjacking can provide an attacker the ability to execute DNS spoofing attacks resulting in data monitoring or theft. "There are two general approaches to identifying WAPkitting and WAPjacking attacks: direct firmware analysis and external behavioral analysis." (Tsow, n.d.) Turning down the transmitter signal strength (dBm) to the lowest radius that still covers the desired range will minimize the possibility of an outsider detecting the WLAN's location and compromising data.

The most common Wi-Fi encryption standard is wired equivalent privacy (WEP), developed by the IEEE. WEP operates on the data link and physical layers of the OSI model, using the RC4 stream cipher to encrypt data.
"WEP uses an Integrity Check (IC) field within the data packet to ensure that it has not been modified in transit, and an Initialisation Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet." (Gunter Ollmann, 2007) See Appendix A, Figure 1 for a visual of the WEP security protocol. However, there are implementation flaws in these security mechanisms that render them less useful. Even a properly configured WEP network is relatively easy to crack; WEP's weakness is evident in the authentication sequence due to the lack of key management. For example, an attacker could employ a brute-force attack to recover the relatively short key, then discover a MAC address and proceed to spoof into the network disguised as an authorized address.

The Wi-Fi Alliance developed a second-generation security protocol known as Wi-Fi Protected Access (WPA) in 2003. WPA resolved many of the issues in the previous WEP encryption scheme and the weaknesses in link-layer security. WPA reduces the risk of attack through the temporal key integrity protocol (TKIP); the concept behind TKIP is to ensure key integrity. Additional security is provided by the Message Integrity Check (MIC); "the protocol itself was created to help fight against the many message modification attacks that were prevalent in the WEP protocol." (TechDuke, 2007) WPA also implemented a frame counter to help avoid replay attacks and enhanced authentication measures with the Extensible Authentication Protocol (EAP). The transition from WEP to WPA was relatively easy; it did not require additional hardware, only small upgrades in the firmware. WPA is currently a widely used and effective security protocol; however, due to the nature of encryption, WPA technology is susceptible to broken cryptographic algorithms. To ensure future data protection, the Wi-Fi Alliance further advanced the WPA protocol when it released WPA2. The robust security network (RSN) is the principal development in WPA2 supporting enhancements in secure communications.
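The WEP per-packet keying described above (RC4 keyed with IV || shared key, CRC-32 integrity check value appended before encryption), as an added illustration that is not part of the original paper. It includes a passive receiver-side monitor that flags IV reuse, the condition under which two frames share the same RC4 keystream and per-packet keying stops helping. The key, IV and payload values are constructed for the example.

```python
import struct
import zlib

WEP_IV_LEN = 3  # 24-bit IV, sent in the clear ahead of the encrypted payload


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the cipher WEP wraps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(data: bytes) -> bytes:
    # WEP's integrity check value is an unkeyed CRC-32 of the plaintext.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || shared_key)(plaintext || ICV)."""
    assert len(iv) == WEP_IV_LEN
    body = plaintext + _icv(plaintext)
    return iv + _xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Recover the plaintext, or return None when the ICV does not match."""
    iv, ciphertext = frame[:WEP_IV_LEN], frame[WEP_IV_LEN:]
    body = _xor(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if _icv(plaintext) == icv else None


class IvReuseMonitor:
    """Defender-side check. Because the IV travels unencrypted, any passive
    receiver can record the IVs each transmitter has used and flag a repeat.
    Frames sent under the same IV share one RC4 keystream, and with only
    2**24 possible IVs a busy network is certain to repeat them."""

    def __init__(self) -> None:
        self.seen = {}  # transmitter id -> set of IVs already observed

    def observe(self, transmitter: str, frame: bytes) -> bool:
        """Return True when `transmitter` has already used this frame's IV."""
        iv = frame[:WEP_IV_LEN]
        used = self.seen.setdefault(transmitter, set())
        if iv in used:
            return True
        used.add(iv)
        return False


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"GET /login HTTP/1.1")
    print(wep_decrypt(key, frame))
```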
As an alternative to TKIP, WPA2 "uses AES (Advanced Encryption Standard), which is a much more secure encryption algorithm." (Ottaway, 2002) RSN executes AES processing via the counter mode with cipher block chaining message authentication code protocol (CCMP). The Wi-Fi Alliance developed and introduced the Wi-Fi Protected Setup (WPS) protocol to simplify the process of configuring WPA security options for users.

Typically, public Wi-Fi networks will disable encryption on the source wireless router in order to optimize the ease of set-up. Additionally, it is common for WAP physical access controls to not require additional authorization, therefore trusting all users in the local network. This means that Wi-Fi enabled devices can connect to an already authorized network without authentication measures. The majority of Wi-Fi networks do not encrypt Internet communications; defaulting to open communications places the mobile device and its data at risk. "Such an open environment would not only facilitate application development and allow flexibility in choosing devices and applications from other sources, but it would also expedite malware development and potentially provide more attractive avenues of attack to exploit." (Jansen, 2008) Augmenting a mobile device with alternative security measures will enhance protection against malicious attacks. Virtual Private Networks (VPNs) can provide secure communications when using Wi-Fi with open data communication. Instead of using the WEP or WPA encryption protocols, the data will be processed through VPN protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer Two Forwarding Protocol (L2F), Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPsec). VPN supports stronger security measures than Wi-Fi protocols. For example, IPsec uses the Internet Key Exchange protocol to establish cryptographic authentication and data encryption on the network layer of the OSI model.
Using protocols that require public-key cryptography and certificate authority signatures, such as secure socket layer (SSL), secure hypertext transfer protocol (HTTPS), or file transfer protocol (FTP), supports secure and confidential web traffic. Firewalls or routers can also be used to encrypt and monitor data. These techniques are not limited to WLAN; they function across a variety of network media as a comprehensive form of prevention and protection.

Bluetooth technology provides wireless point-to-point and point-to-multipoint connections between Bluetooth enabled devices via radio frequencies, for example the wireless connection between a headset and a mobile phone. Bluetooth technology can also be used to create temporary, decentralized wireless networks known as wireless ad hoc networks. "Bluetooth-enabled devices will outnumber Wi-Fi devices five to one, with over 77% of cell-phones, 60% of PDAs, and 67% of notebooks having built-in Bluetooth radios." (J. Su, 2006) It is necessary for Bluetooth to employ security precautions similar to those of devices that use centralized security control in order to prevent security breaches. Attacks on Bluetooth communications range from man-in-the-middle attacks, denial-of-service attacks and worms to data theft and monitoring. Bluetooth employs a variety of protocols to ensure the secure processing of Bluetooth system communications.

Data transmission requires an active link between Bluetooth enabled devices; unique link keys are created via a key-generating algorithm. "Once a link is formed, data can be exchanged using a socket-based interface in a manner similar to Internet-based protocols." (J. Su, 2006) The Link Controller (LC) uses baseband protocols to ensure a secure connection between sources. The LC is responsible for validating the physical link and the device address, handling packets, controller states, and the connection setup and modes. The Link Manager Protocol (LMP) handles link setup, control, and security.
"The LMP is responsible for the pairing procedure and handles the challenge response procedure for authentication purposes." (Niem, 2002) LMP also monitors the piconets; a piconet is an established network linking a master device to its slave devices via Bluetooth protocols. "The messages in LMP, since the link controller (LC) provides a reliable link, do not have to be acknowledged." (Xiao, 2007) Bluetooth employs additional protocols such as the service discovery protocol (SDP), the object exchange protocol (OBEX), and the radio frequency communications protocol (RFCOMM), which enables simultaneous connections between Bluetooth devices through serial port emulation. See Appendix A, Figure 2 for a visual of the layout of a Bluetooth protocol stack.

Incorporation of application layer security is necessary to support a comprehensive Bluetooth security policy. Bluetooth has established security measures at the baseband level, which allow for greater user flexibility when designing application layer security. "Employing application layer security and a public key infrastructure limits the Bluetooth devices that have access to certain infrastructure services and provides a means of authentication/authorization above that which Bluetooth provides." (Niem, 2002) For example, application level security could enhance the Bluetooth authentication standards by establishing additional password controls. Standard Bluetooth authentication protocols require device verification but do not authenticate the user. Additional authentication precautions would assist in the prevention of malicious attacks by ensuring that the devices attempting to connect are actually who they claim to be.

The process of establishing a Bluetooth connection is known as pairing. Connections are established by a key exchange mechanism; this mechanism is responsible for the authentication, encryption and decryption of all subsequent payload transmissions. Encryption does not occur until after the link and encryption keys are created and the initial connection is established. See Appendix A, Figure 3 for a visual of the link level security parameters.
It is not possible for a hacker to decrypt packet payloads without determining the link and encryption keys. "It is important to note that the pairing procedure is the weakest process in the Bluetooth Baseband level security specification since all data is transmitted in clear-text until an initialization key is established [2;4]." (Niem, 2002) Previously established pairing relationships are stored in the Bluetooth device; this creates an inherent risk to all paired devices if one device is compromised. Frequently changing the device PIN makes it more difficult for hackers to successfully infect established connections, since "changing the PIN requires that any Bluetooth devices that the user regularly employs will need to be re-paired." (Browning, 2009)

Encryption and authentication security measures are employed to protect traffic in a wireless ad hoc network. The master device is responsible for establishing a connection between slave devices and forming the combination keys which are used to encrypt the packets transmitted within an ad hoc network. However, ad hoc networks are subject to security issues due to the direct communication between Bluetooth devices within the network. Data stored on the Bluetooth devices in the ad hoc network is exposed to everyone else participating in that particular network. Unauthorized access to a network can be easily achieved by using devices designed to eavesdrop at Bluetooth radio frequency range. Signal jamming is a possible technique to execute a denial-of-service attack. Bluetooth has developed security features to counter the risks of eavesdropping and interference. The channel access code (CAC), derived from the Bluetooth device address (BD_ADDR), selects a communication channel from the 79 available bands in the frequency-hopping-spread-spectrum (FHSS) algorithm.
The FHSS is used to "minimize interference from other devices using the 2.4 GHz range of the ISM band." (Niem, 2002) As a precautionary measure, users should avoid using the BD_ADDR as the link key, since a compromised BD_ADDR can be used to impersonate a trusted device. Additionally, a hacker can use a unit key with a faked BD_ADDR to crack the encryption key and monitor traffic.

The Bluetooth protocol is vulnerable to malicious code such as worms and viruses. Malicious code is capable of altering data and operating systems on the device. An infected mobile device can transmit malware across a network. With Bluetooth, the interacting devices need to be within the proximity of the radio signal of the infected source to transmit the malicious code. Much malicious code is spread through social engineering techniques. The computer worm Cabir was designed to infect the Symbian mobile operating system; once a device is infected with Cabir, it searches for other visible Bluetooth devices to send the infected file to. "Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm." (F-Secure Corporation, 2009)

There are four major categories of Bluetooth hacks: Bluejacking, Bluesnarfing, Bluebugging, and Bluetoothing. "All take advantage of weaknesses in Bluetooth that allow an attacker unauthorized access to a victim's phone." (Browning, 2009) Bluejacking is an attack which sends unsolicited messages such as advertisements to a Bluetooth receiver; Bluejacking is a relatively simple process that exploits the OBEX protocol. Bluesnarfing is unauthorized access to information on the Bluetooth device; it can result in undetected tracking of device communications. Bloover II is popular software used to exploit Bluetooth connections; this tool is also capable of several kinds of attacks, including BlueSnarf and Bluebug. Bluebugging allows the hacker to access and take control over device operations by issuing AT commands.
Bluetoothing enables an attacker to locate a Bluetooth device in a particular vicinity and time frame; this is a form of localized social networking or mobile social software (MoSoSo). There are many tools to assist with Bluetooth hacking; "web sites such as E-Stealth and FlexiSPY offer commercial products to allow one party to eavesdrop or attack another party's Bluetooth device." (Browning, 2009) An example of Bluetoothing software used by hackers is BlueSniff, which is used to help locate discoverable and hidden Bluetooth enabled devices. Bluetooth devices with hidden visibility settings can still be attacked if the hacker can crack the MAC address through methods such as conducting an exhaustive key search.

In general, mobile devices face an increased risk of physical compromise due to their size and nature. A stolen device can be physically accessed, allowing for security breaches. An attacker can reconfigure security controls in order to create security holes, for example by disabling authentication or encryption protocols. If a master device is compromised, the data stored on that device and on any additional devices accessible through the master device would be at risk. Additionally, a stolen device is subject to the exposure of valuable information stored on the device's memory card, such as private personal, Bluetooth pairing or Wi-Fi connection information. Removing a memory card is easy, and typically a single card will function in many other devices. Protective software is available to encrypt onboard storage. Onboard storage is the data stored within the mobile device, such as the random access memory (RAM) and the read only memory (ROM). There is also security software designed to protect external storage such as subscriber identity module (SIM) cards, multimedia cards (MMC), and secure digital (SD) cards.

The security technology used in mobile devices and WLAN standards such as Bluetooth and Wi-Fi is relatively new; therefore there are greater opportunities for undiscovered vulnerabilities to be exploited. Additionally, the increased mobility of wireless devices is positively correlated with increased vulnerability to attacks. Ideally, wireless communications would achieve the same security goals as wired networked systems. To ensure security, mobile devices should authenticate the user and the user's credentials via access controls. They should also authenticate the data source and ensure that the data has not been compromised during transit. Finally, they should have an auditing system.
References

Alexander Resources. (2002, January 7). Broadband wireless LAN: public space and the last mile. Retrieved from Juniper Research website.

Browning, D., & Kessler, G. (2009, May). Bluetooth hacking: a case study. Journal of Digital Forensics, Security and Law, 4(2), 57-71.

F-Secure Corporation. (2009). Bluetooth-Worm:SymbOS/Cabir. Retrieved from http://www.f-

Gunter Ollmann. (2007). Securing WLAN technologies: secure configuration advice on wireless network setup.

Jansen, W., & Scarfone, K. (2008, October). Guidelines on cell phone and PDA security. National Institute of Standards and Technology Special Publication 800-124. Retrieved February 24, 2009, from 124.pdf

J. Su, K. K. W. Chan, A. G. Miklas, K. Po, A. Akhavan, S. Saroiu, E. de Lara, and A. Goel. (2006, November 3). A preliminary investigation of worm infections in a Bluetooth environment. Retrieved from University of Toronto website.

Niem, T. C. (2002, November 4). Bluetooth and its inherent security issues. Retrieved from SANS Institute InfoSec Reading Room website: issues_945

Ottaway, W. (2002). Mobile security: cause for concern? Retrieved from QinetiQ Ltd website.

Shoemake, M. (2001, February). Wi-Fi (IEEE 802.11b) and Bluetooth: coexistence issues and solutions for the 2.4 GHz ISM band. Retrieved from Texas Instruments website.

Temporal key integrity protocol (TKIP) - wireless security. (2007, September 30). TechDuke. Retrieved from tkip-wireless-security/

Tsow, A., Jakobsson, M., Yang, L., & Wetzel, S. (n.d.). Warkitting: the drive-by subversion of wireless home routers.

Xiao, Y. (2007). Security in distributed, grid, mobile and pervasive computing.
Appendix A

Figure 1: Wired Equivalent Privacy Security Protocol
Figure 2: Bluetooth protocol stack (Browning, 2009)
Figure 3: Link Level Security Parameters