
Page 1: The Risks and Security Standards of WLAN Technologies:  Bluetooth and Wireless Fidelity Wireless Interfaces

WLAN RISK AND SECURITY 1

Running Head: WLAN RISK AND SECURITY

The Risks and Security Standards of Wireless Local Area Network Technologies: Bluetooth and Wireless Fidelity Wireless Interfaces

Lindsey Landolfi

Towson University

Network Security

Professor Charles Pak

July 2011


Mobile information access has become an increasingly prominent aspect of network communications. Mobile devices use wireless technology to communicate with each other; these devices range from cellular phones and personal digital assistants (PDAs) to laptop computers. User demand for mobile access drives constant technological advancement in mobile devices, and many devices are now equipped with specialized hardware and software to enhance their functionality. Many consumers overlook the fact that mobile devices function much like computers, and that storing private data on, or accessing it through, a mobile device exposes that data to manipulation, theft, or other forms of attack. This document provides an overview of the risks associated with wireless local area network (WLAN) technologies and the security standards established to counter potential threats, specifically the Bluetooth and Wireless Fidelity (Wi-Fi) wireless interfaces.

Wi-Fi is a widely used technology for establishing wireless connections between electronic devices. Wi-Fi operation is specified by the Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networking standard. Each Wi-Fi network communicates on a single channel; in the 2.4 GHz band IEEE 802.11 defines up to 14 channels, of which 11 are permitted for use in the United States. All devices connecting to a single WLAN must use the same service set identifier (SSID) in order to communicate with each other. In infrastructure mode a client does not need to be preconfigured with the channel, because it learns the channel from the access point's beacons; in ad hoc mode the channel must match as well. The default SSID often reveals the device manufacturer and model, and with this knowledge an attacker can look up any well-known exploits against that device. Users should therefore change a device's predefined SSID. Changing the SSID is not an access control, however: it removes an easy fingerprint, but only the authentication and encryption configured on the network keep rogue clients out. “Wi-Fi and Bluetooth products both operate in the unlicensed 2.4GHz ISM band.” (Shoemake, 2001) However, 802.11b Wi-Fi products use direct sequence spread spectrum (DSSS), while Bluetooth transmits using frequency hopping spread spectrum (FHSS). Because it uses radio frequencies to transmit data to and from receivers, Wi-Fi is inherently vulnerable to electromagnetic interference (EMI) from other devices sharing the band.

There are two possible WLAN configurations, ad hoc and infrastructure; both require a wireless network interface controller (WNIC) to connect a device to the WLAN. The infrastructure configuration requires additional Wi-Fi hardware: a centralized device, the wireless access point (WAP), that receives the radio signals from the Wi-Fi stations. The WAP relays data between wireless devices and a wired network at the data link layer, typically through a router or Ethernet switch. In effect the WAP is a bridge: instead of copper or fiber-optic cable it connects the devices to the central switch or router over electromagnetic radio waves, and all stations on a WAP share the same radio medium. A wireless router is essentially a WAP combined with a router; it forwards communication between a wireless device and the next hop towards the data's final destination. Wireless network adapters allow mobile devices to connect to the wireless network; many devices, such as laptop computers, ship with internal adapters. The wireless adapter must be configured for either ad hoc or infrastructure mode. A wireless ad hoc network establishes connections between devices without a WAP. The devices must be within range of each other's signal without major interference, and their adapters must be configured with the same SSID and channel. The peer-to-peer configuration of a Wi-Fi ad hoc network is similar to the data exchange in Bluetooth ad hoc networks.

A public-access WLAN, usually built from one or more interconnected WAPs, is known as a Wi-Fi hotspot. Many major mobile service providers such as AT&T, T-Mobile, and Verizon are creating Wi-Fi hotspots in order to provide high-speed wireless Internet access to their customers. The potential for commercial profit has spurred the growth of WLAN deployment in public venues such as airports and cafes. According to a report analyzing WLAN market opportunities, "Broadband Wireless LAN: Public Space and the Last Mile" (Alexander Resources, 2002), approximately $9.5 billion in public WLAN service revenue would be generated during 2007, and continuing expansion of the WLAN market was projected.

Wi-Fi popularity has led to the development of hotspot directories that allow users to locate free and commercial wireless services. Wardriving software uses a Wi-Fi adapter, often together with a GPS receiver, to locate Wi-Fi networks and record information about them such as SSID, channel, encryption type, and location. While wardriving itself is not malicious, it can support attacks such as WAPjacking, WAPkitting, or social engineering. WAPkitting “refers to any malicious alteration to the wireless access point’s configuration or firmware over the wireless connection.” (Tsow, n.d.) For example, a WAPkitted router could execute a man-in-the-middle attack by redirecting a legitimate webpage login request towards a malicious server that stores or discloses the unsuspecting user's credentials. WAPjacking modifies the router's configuration settings, without replacing the firmware, to the attacker's benefit. A Wi-Fi router compromised by WAPjacking can give an attacker the ability to execute DNS spoofing attacks, resulting in data monitoring or theft. “There are two general approaches to identifying WAPkitting and WAPjacking attacks: direct firmware analysis and external behavioral analysis.” (Tsow, n.d.) Turning down the transmitter power (dBm) to the lowest level that still covers the desired range reduces the area from which the WLAN can be detected and attacked, although this is only a weak control: an attacker with a high-gain directional antenna can still receive the signal from well outside the intended coverage area.

The original Wi-Fi encryption standard, and for many years the most widely deployed, is Wired Equivalent Privacy (WEP), defined by the IEEE in the first 802.11 standard. WEP operates at the data link layer of the OSI model, using the RC4 stream cipher to encrypt each frame. “WEP uses an Integrity Check (IC) field within the data packet to ensure that it has not been modified in transit, and an Initialisation Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet.” (Ollmann, 2007) See Appendix A, Figure 1 for a visual of the WEP security protocol. However, there are design flaws in these mechanisms that render them ineffective, and even a properly configured WEP network is relatively easy to crack. The 24-bit IV is too short and repeats quickly, so RC4 keystreams are reused; the integrity check is a linear CRC-32, so an attacker can flip bits in a frame and correct the check value without knowing the key; shared-key authentication exposes a plaintext and its keystream; and there is no key management, so one static key is shared by every station indefinitely. An attacker who passively collects enough encrypted frames can recover the key through statistical attacks on RC4's key schedule (the FMS attack and its successors), then decrypt traffic and, after discovering an authorized MAC address, spoof that address to join the network.
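
The following Python model of WEP's encapsulation is an added example and is not code from the original paper or from any of its sources. It implements RC4 and the CRC-32 integrity check value (ICV) exactly as WEP combines them, then demonstrates two of the flaws described above: when two frames are sent under the same IV, XORing the ciphertexts cancels the keystream and a known plaintext reveals the other; and because CRC-32 is affine over XOR, an attacker can flip chosen bits in a ciphertext and patch the encrypted ICV so the receiver still accepts the frame. The key, IV, and frame contents are constructed for the demonstration; nothing here talks to a radio.

```python
"""Added example, not part of the original paper: a minimal model of WEP's
RC4 + CRC-32 encapsulation, written only to demonstrate keystream reuse under a
repeated 24-bit IV and the linearity of the CRC-32 integrity check value (ICV).
The key, IV and frame contents are constructed for the demonstration."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) the way a receiving station would."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + shared_key, len(ct)))
    plaintext, received_icv = body[:-4], body[-4:]
    return plaintext, received_icv == icv(plaintext)


def recover_by_iv_reuse(frame_a: bytes, frame_b: bytes, known_pt_a: bytes) -> bytes:
    """Two frames encrypted under the same IV share one keystream, so
    ct_a XOR ct_b == pt_a XOR pt_b; knowing pt_a reveals pt_b without the key."""
    assert frame_a[:3] == frame_b[:3], "demonstration needs a repeated IV"
    pt_xor = xor(frame_a[3:], frame_b[3:])
    return xor(pt_xor[:len(known_pt_a)], known_pt_a)


def forge_bit_flip(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0).
    An attacker can therefore XOR `delta` into the ciphertext and patch the
    encrypted ICV so the receiver's check still passes, without the key."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF)
    return iv + xor(ct, delta + icv_delta)


# Constructed demonstration data (not captured traffic).
KEY = bytes.fromhex("0102030405")             # a 40-bit WEP key
IV = b"\x00\x00\x01"                           # one IV out of only 2**24
PT_A = b"GET /login HTTP/1.1\r\n"              # plaintext the attacker can guess
PT_B = b"user=alice&pw=hunter2"                # same length, unknown to the attacker
PT_B_FORGED = b"user=alice&pw=letmein"         # what the attacker wants delivered


def demo():
    frame_a = wep_encrypt(KEY, IV, PT_A)
    frame_b = wep_encrypt(KEY, IV, PT_B)       # IV reused: fatal for a stream cipher
    recovered = recover_by_iv_reuse(frame_a, frame_b, PT_A)
    forged = forge_bit_flip(frame_b, xor(PT_B, PT_B_FORGED))
    return recovered, wep_decrypt(KEY, forged)


if __name__ == "__main__":
    recovered, (forged_pt, ok) = demo()
    print("recovered without the key:", recovered)
    print("forged frame accepted:", ok, forged_pt)
```

Neither attack needs the shared key: IV reuse is guaranteed on a busy network within hours because the IV space is only 2^24, and the ICV forgery works on any single frame. Both are independent of the key length, which is why longer "128-bit" WEP keys did not help.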

The Wi-Fi Alliance introduced a second-generation security protocol, Wi-Fi Protected Access (WPA), in 2003. WPA resolved many of the issues in the WEP encryption scheme and its link layer security. WPA reduces the risk of attack through the Temporal Key Integrity Protocol (TKIP), which still uses RC4 but derives a fresh per-packet key from the temporal key, the transmitter address, and a 48-bit sequence counter, so that keys are never reused. Additional security is provided by the Message Integrity Check (MIC), known as Michael; “the protocol itself was created to help fight against the many message modification attacks that were prevalent in the WEP protocol.” (TechDuke, 2007) WPA also uses the sequence counter to reject replayed frames, and it strengthened authentication: WPA-Enterprise authenticates each user through IEEE 802.1X with the Extensible Authentication Protocol (EAP), while WPA-Personal derives its keys from a pre-shared key (PSK) computed from the passphrase and SSID. With WPA-Personal, anyone who captures the 4-way handshake can test passphrase guesses offline, so the strength of the passphrase is the strength of the network. The transition from WEP to WPA was relatively easy; it did not require additional hardware, only firmware upgrades. WPA is still widely used, but TKIP was designed as a stopgap for WEP-era hardware and depends on RC4, and its weaknesses have since been demonstrated: Beck and Tews showed in 2008 that short TKIP packets can be decrypted and forged. To ensure future data protection, the Wi-Fi Alliance further advanced the protocol when it released WPA2, based on IEEE 802.11i. The Robust Security Network (RSN) is the principal development in WPA2 supporting enhancements in secure communications. As an alternative to TKIP, WPA2 “uses AES (Advanced Encryption Standard), which is a much more secure encryption algorithm.” (Ottaway, 2002) RSN applies AES through the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which provides both confidentiality and integrity for each frame. The Wi-Fi Alliance also introduced Wi-Fi Protected Setup (WPS) to simplify configuring WPA security for users; WPS should be disabled where it is not needed, since its PIN-based registrar exchange has since been shown to be brute-forceable in a matter of hours.
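
The following is an added example, not code from the original paper or its sources, showing how WPA/WPA2-Personal turns a passphrase into the session keys and why a captured 4-way handshake allows offline guessing. It derives the PMK with PBKDF2 as 802.11i specifies, expands it into the pairwise transient key (PTK) with the 802.11i PRF, computes the WPA2 handshake MIC with the key confirmation key (KCK), and then runs the attacker's side: trying candidate passphrases against a captured MIC. The MAC addresses, nonces, EAPOL frame bytes, passphrase, and wordlist are constructed for the demonstration; only the passphrase/SSID pair "password"/"IEEE" used in the test is the published 802.11i key-derivation test vector.

```python
"""Added example, not part of the original paper: WPA/WPA2-Personal key
derivation, the 4-way handshake MIC, and the offline passphrase check an
attacker runs against a captured handshake.  Standard library only.
The MACs, nonces, EAPOL frame, passphrase and wordlist are constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    The salt is only the SSID, so per-SSID precomputed tables are possible."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes are KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the EAPOL-Key frame with its MIC field set to zero."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def offline_guess(ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """What an attacker does with a captured handshake: everything in it except
    the passphrase is public, so each candidate is checked locally at the cost
    of one PBKDF2 run (4096 HMACs) plus the PRF."""
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# Constructed handshake parameters (not a real capture).
SSID = "CoffeeShop"
AA = bytes.fromhex("001122334455")            # access point MAC (authenticator)
SPA = bytes.fromhex("66778899aabb")           # client MAC (supplicant)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 with its 16-byte MIC field zeroed, simplified for the example.
EAPOL_MSG2_ZEROED = (b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x10" + b"\x00" * 8
                     + SNONCE + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
TRUE_PASSPHRASE = "espresso2011"


def simulate_capture() -> bytes:
    """Supplicant side of message 2: the MIC that would appear on the air."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2_ZEROED)


def demo():
    captured_mic = simulate_capture()
    wordlist = ["password", "latte", "espresso2011", "coffeeshop"]   # constructed
    return offline_guess(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2_ZEROED,
                         captured_mic, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The 4096 PBKDF2 iterations slow each guess but do not change the picture: nothing in the handshake is secret except the passphrase, so a short or dictionary passphrase on WPA2-Personal is recoverable from one captured handshake, regardless of AES-CCMP's strength. WPA-Enterprise avoids this because the PMK comes from the EAP exchange rather than from a shared passphrase.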

Public Wi-Fi networks typically disable encryption on the wireless router in order to make set-up as easy as possible. It is also common for the WAP to require no further authorization, thereby trusting every user on the local network. This means that any Wi-Fi enabled device can join the network without authentication, and that an eavesdropper within radio range can read the traffic of every client. The majority of such Wi-Fi networks do not encrypt Internet communications, and defaulting to open communication places the mobile device and its data at risk. “Such an open environment would not only facilitate application development and allow flexibility in choosing devices and applications from other sources, but it would also expedite malware development and potentially provide more attractive avenues of attack to exploit.” (Jansen, 2008) Augmenting a mobile device with alternative security measures will enhance protection against malicious attacks.

Virtual Private Networks (VPNs) can provide secure communications when using Wi-Fi with open data communication. Instead of relying on the WEP or WPA encryption protocols, the data is carried through VPN protocols such as the Point-to-Point Tunneling Protocol (PPTP), Layer Two Forwarding Protocol (L2F), Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPsec). A VPN supports stronger security measures than the Wi-Fi protocols because it protects the traffic from the device all the way to the VPN gateway rather than only on the radio link. For example, IPsec uses the Internet Key Exchange (IKE) protocol to establish cryptographic authentication and then encrypts data at the network layer of the OSI model. Not all VPN protocols are equal, however: PPTP's MS-CHAPv2 authentication is cryptographically broken, and L2F and L2TP provide tunneling but no encryption of their own, so they should be run over IPsec. Using protocols that rely on public-key cryptography and certificate authority signatures, such as Secure Sockets Layer (SSL)/TLS, HTTPS, and the secure variants of FTP (FTPS or SFTP), supports secure and confidential web traffic; plain FTP sends credentials and data in the clear. Firewalls and routers can also be used to encrypt and monitor data. These techniques are not limited to WLANs; they function across a variety of network media as a comprehensive form of prevention and protection.

Bluetooth technology provides wireless point-to-point and point-to-multipoint connections between Bluetooth enabled devices via radio frequencies, for example the wireless connection between a headset and a mobile phone. Bluetooth can also be used to create temporary, decentralized wireless networks known as wireless ad hoc networks. “Bluetooth-enabled devices will outnumber Wi-Fi devices five to one, with over 77% of cell-phones, 60% of PDAs, and 67% of notebooks having built-in Bluetooth radios.” (Su et al., 2006) Bluetooth devices therefore need security precautions comparable to those of devices under centralized security control in order to prevent breaches. Attacks on Bluetooth communications range from man-in-the-middle and denial-of-service attacks to worms, data theft, and monitoring. Bluetooth employs a variety of protocols intended to secure the processing of Bluetooth system communications.

Data transmission requires an active link between Bluetooth enabled devices; unique link keys are created via a key-generating algorithm. “Once a link is formed, data can be exchanged using a socket-based interface in a manner similar to Internet-based protocols.” (Su et al., 2006) The Link Controller (LC) uses the baseband protocol to maintain the connection between devices. The LC is responsible for validating the physical link and the device address, handling packets, managing controller states, and performing connection setup and mode changes. The Link Manager Protocol (LMP) handles link setup, control, and security. “The LMP is responsible for the pairing procedure and handles the challenge response procedure for authentication purposes.” (Niem, 2002) LMP also monitors the piconet; a piconet is an established network linking a master device to its slave devices via Bluetooth protocols. “The messages in LMP, since the link controller (LC) provides a reliable link, do not have to be acknowledged.” (Xiao, 2007) Bluetooth employs additional protocols such as the Service Discovery Protocol (SDP), the Object Exchange protocol (OBEX), and the Radio Frequency Communications protocol (RFCOMM), which enables simultaneous connections between Bluetooth devices through serial port emulation. See Appendix A, Figure 2 for a visual of the layout of the Bluetooth protocol stack.

Incorporation of application layer security is necessary to support a comprehensive Bluetooth security policy. Bluetooth's security measures at the baseband level allow users flexibility in designing application layer security on top of them. “Employing application layer security and a public key infrastructure limits the Bluetooth devices that have access to certain infrastructure services and provides a means of authentication/authorization above that which Bluetooth provides.” (Niem, 2002) For example, application level security could strengthen Bluetooth authentication by adding password controls. The standard Bluetooth authentication protocol verifies the device, through its link key, but does not authenticate the user. Additional authentication would help prevent malicious attacks by ensuring that the devices, and the people using them, are actually who they claim to be.

The process of establishing a trusted Bluetooth connection is known as pairing. Connections are established by a key exchange mechanism that is responsible for the authentication, encryption, and decryption of all subsequent payload transmissions. Encryption does not begin until the link and encryption keys have been created and the initial connection is established. See Appendix A, Figure 3 for a visual of the link level security parameters. An attacker cannot decrypt packet payloads without determining the link and encryption keys. “It is important to note that the pairing procedure is the weakest process in the Bluetooth Baseband level security specification since all data is transmitted in clear-text until an initialization key is established [2;4].” (Niem, 2002) In practice this means that an attacker who records a legacy, PIN-based pairing exchange can test candidate PINs offline until one reproduces the observed authentication responses, which for a short numeric PIN takes very little time on ordinary hardware. Previously established pairing relationships, with their link keys, are stored in the Bluetooth device; this creates an inherent risk to all paired devices if one device is compromised. Frequently changing the device PIN makes it more difficult for attackers to abuse established connections, since “changing the PIN requires that any Bluetooth devices that the user regularly employs will need to be re-paired.” (Browning, 2009)

Encryption and authentication measures are employed to protect traffic in a wireless ad hoc network. The master device is responsible for establishing connections to the slave devices and for forming the combination keys used to encrypt the packets transmitted within the ad hoc network. However, ad hoc networks are subject to security issues because of the direct communication between the Bluetooth devices within the network: data shared by the Bluetooth devices in the ad hoc network is exposed to everyone else participating in that network. Traffic can also be intercepted from outside the network by devices designed to eavesdrop on the Bluetooth radio frequency range, and signal jamming is a possible technique for executing a denial-of-service attack. Bluetooth has security features that counter the risks of eavesdropping and interference. A piconet's hopping sequence is derived from the master's Bluetooth device address (BD_ADDR) and clock, so the link hops among the 79 available 1 MHz channels according to the frequency hopping spread spectrum (FHSS) algorithm, and the channel access code (CAC), also derived from the master's BD_ADDR, marks the packets that belong to the piconet. FHSS is used to “minimize interference from other devices using the 2.4 GHz range of the ISM band.” (Niem, 2002) Because the hopping sequence is derived from a public address rather than from a secret, it is not itself a cryptographic protection; a receiver that learns the master's BD_ADDR and clock can follow the hops. As a precautionary measure, devices should not rely on a single unit key for all of their pairings: a unit key, once shared with any partner, can be used by that partner to impersonate the device, and an attacker who combines a recovered unit key with a spoofed BD_ADDR can compute the encryption key and monitor traffic.

The Bluetooth protocol is vulnerable to malicious code such as worms and viruses. Malicious code is capable of altering data and the operating system on the device, and an infected mobile device can transmit malware across a network. With Bluetooth, the receiving device must be within radio range of the infected source for the malicious code to be transmitted. Much malicious code is spread through social engineering techniques, typically by prompting the user to accept an incoming file. The worm Cabir was designed to infect the Symbian mobile operating system; once a device is infected with Cabir, it searches for other visible Bluetooth devices and sends them the infected file. “Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.” (F-Secure Corporation, 2009)

There are four major categories of Bluetooth hacks: Bluejacking, Bluesnarfing, Bluebugging, and Bluetoothing. “All take advantage of weaknesses in Bluetooth that allow an attacker unauthorized access to a victim's phone.” (Browning, 2009) Bluejacking is an attack that sends unsolicited messages, such as advertisements, to a Bluetooth receiver; it is a relatively simple process that abuses the OBEX protocol by pushing a contact card whose name field carries the message. Bluesnarfing is the unauthorized retrieval of information, such as the phonebook or calendar, from a Bluetooth device, and it can result in undetected tracking of the device's communications. Blooover II is a popular proof-of-concept tool for auditing Bluetooth phones; it is capable of several kinds of attacks, including BlueSnarf and BlueBug. Bluebugging allows the attacker to access and take control of device operations by issuing AT commands to the phone over an unauthorized serial (RFCOMM) channel. Bluetoothing enables an attacker to locate a Bluetooth device in a particular vicinity and time frame; it is a form of localized social networking or mobile social software (MoSoSo). There are many tools to assist with Bluetooth hacking: “web sites such as E-Stealth (http://www.e-stealth.com/) and FlexiSPY (http://www.flexispy.com/) offer commercial products to allow one party to eavesdrop or attack another party's Bluetooth device.” (Browning, 2009) An example of Bluetoothing software is BlueSniff, which is used to locate both discoverable and hidden Bluetooth enabled devices. Bluetooth devices set to non-discoverable mode can still be attacked if the attacker can learn the device's 48-bit BD_ADDR, for example by an exhaustive search of the 24 low-order bits once the manufacturer's prefix has been guessed; non-discoverable mode only stops the device from answering inquiries, it does not stop it from answering a direct connection request.

In general, mobile devices face an increased risk of physical compromise due to their size and portability. A stolen device can be physically accessed, allowing security breaches. An attacker can reconfigure security controls to create security holes, for example by disabling authentication or encryption. If a master device is compromised, the data stored on that device and on any additional devices reachable through the master device would be at risk. Additionally, a stolen device exposes valuable information stored on its memory card, such as personal data, Bluetooth pairing information (including link keys), or Wi-Fi connection information. Removing a memory card is easy, and a single card will typically work in many other devices. Protective software is available to encrypt onboard storage, the data held within the mobile device itself in random access memory (RAM) and read-only memory (ROM). There is also security software designed to protect external storage such as subscriber identity module (SIM) cards, multimedia cards (MMC), and secure digital (SD) cards.

The security technology used in mobile devices and in WLAN standards such as Bluetooth and Wi-Fi is relatively new; therefore there are greater opportunities for undiscovered vulnerabilities to be exploited. Additionally, the increased mobility of wireless devices is positively correlated with increased exposure to attack. Ideally wireless communications would achieve the same security goals as wired networked systems. To ensure security, a mobile device should authenticate the user and the user's credentials via access controls. It should also authenticate the data source and ensure that the data has not been compromised in transit. Finally, it should have an auditing system.


References

Alexander Resources. (2002, January 7). Broadband wireless LAN: Public space and the last mile. Retrieved from Juniper Research website: http://juniperresearch.com/reports.php?id=72&stream=72

Browning, D., & Kessler, G. (2009, May). Bluetooth hacking: A case study. Journal of Digital Forensics, Security and Law, 4(2), 57-71. Retrieved from http://www.garykessler.net/library/bluetooth_hacking_browning_kessler.pdf

F-Secure Corporation. (2009). Bluetooth-Worm:SymbOS/Cabir. Retrieved from http://www.f-secure.com/v-descs/cabir.shtml

Jansen, W., & Scarfone, K. (2008, October). Guidelines on cell phone and PDA security (NIST Special Publication 800-124). National Institute of Standards and Technology. Retrieved February 24, 2009, from http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

Niem, T. C. (2002, November 4). Bluetooth and its inherent security issues. Retrieved from SANS Institute InfoSec Reading Room website: http://www.sans.org/reading_room/whitepapers/wireless/bluetooth-inherent-security-issues_945

Ollmann, G. (2007). Securing WLAN technologies: Secure configuration advice on wireless network setup. Retrieved from http://www.technicalinfo.net/papers/SecuringWLANTechnologies.html

Ottaway, W. (2002). Mobile security: Cause for concern? Retrieved from QinetiQ Ltd website: http://apps.qinetiq.com/perspectives/pdf/EP_White_Paper4_Mobile_Sec.pdf

Shoemake, M. (2001, February). Wi-Fi (IEEE 802.11b) and Bluetooth: Coexistence issues and solutions for the 2.4 GHz ISM band. Retrieved from Texas Instruments website: http://focus.ti.com/pdfs/vf/bband/coexistence.pdf

Su, J., Chan, K. K. W., Miklas, A. G., Po, K., Akhavan, A., Saroiu, S., de Lara, E., & Goel, A. (2006, November 3). A preliminary investigation of worm infections in a Bluetooth environment. Retrieved from University of Toronto website: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.79.3889&rep=rep1&type=pdf

TechDuke. (2007, September 30). Temporal key integrity protocol (TKIP) - wireless security. Retrieved from http://www.techduke.com/2007/09/30/temporal-key-integrity-protocol-tkip-wireless-security/

Tsow, A., Jakobsson, M., Yang, L., & Wetzel, S. (n.d.). Warkitting: The drive-by subversion of wireless home routers. Retrieved from http://www.indiana.edu/~phishing/papers/warkit.pdf

Xiao, Y. (2007). Security in distributed, grid, mobile and pervasive computing. Retrieved from gen.lib.rus.ec/get?md5=f8fe845dbfdc6152190638e7d46e53fa


Appendix A

Figure 1: Wired Equivalent Privacy Security Protocol

Figure 2: Bluetooth protocol stack (Browning, 2009)


Figure 3: Link Level Security Parameters