# Security risk & vulnerability

## Insecure access points

The default configuration of access points is insecure. Access points ship with a default password that is readily available in the public domain. By default, access points broadcast their service set identifiers (SSIDs) and require neither encryption nor authentication. When deployed with the default configuration, access points may facilitate unauthorized access to both the wireless and the wired corporate network.

Intruders configure their own devices to function as an access point and mislead users into connecting to it, thereby compromising the user's machine and gaining unauthorized access to critical business information as well as the machine's MAC address, SSID and other passwords.
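The default-configuration weaknesses listed above (vendor default password, open or WEP link, SSID broadcast without protection, management reachable over the air) are the kind of thing a deployment audit should catch before an access point goes live. The following is an added example (Python), not code from the original page; the `APConfig` record, the small list of default credentials and the sample configurations are constructed for illustration and stand in for whatever your vendor's export format looks like.

```python
"""Audit an access point configuration for default-setting weaknesses.
Added example; the configuration record format is an assumption."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed, illustrative list of factory-default administrative
# credentials; a real audit would use the vendor's published defaults.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

# Link protections considered adequate for this check.
STRONG_ENCRYPTION = {"wpa2-enterprise", "wpa3-enterprise", "wpa2-psk", "wpa3-sae"}


@dataclass
class APConfig:
    ssid: str
    admin_user: str
    admin_password: str
    encryption: str                         # "none", "wep", "wpa2-psk", ...
    broadcast_ssid: bool = True
    management_over_wireless: bool = True   # admin interface reachable from the WLAN


def audit_ap_config(cfg: APConfig) -> list[str]:
    """Return a list of findings; an empty list means no weakness detected."""
    findings: list[str] = []
    if (cfg.admin_user, cfg.admin_password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default administrative credentials in use")
    enc = cfg.encryption.lower()
    if enc == "none":
        findings.append("no encryption or authentication on the wireless link")
    elif enc == "wep":
        findings.append("WEP in use (static shared key, short IV)")
    elif enc not in STRONG_ENCRYPTION:
        findings.append(f"unrecognised encryption mode '{cfg.encryption}'")
    # Broadcasting the SSID is only a concern when the link itself is unprotected.
    if cfg.broadcast_ssid and enc in ("none", "wep"):
        findings.append("SSID broadcast combined with weak link protection")
    if cfg.management_over_wireless:
        findings.append("management interface reachable from the wireless side")
    return findings


# Constructed samples: a factory-default unit versus a hardened deployment.
FACTORY_DEFAULT = APConfig(ssid="default", admin_user="admin",
                           admin_password="admin", encryption="none")
HARDENED = APConfig(ssid="corp-wlan", admin_user="netops",
                    admin_password="<strong unique secret>",
                    encryption="wpa2-enterprise", broadcast_ssid=True,
                    management_over_wireless=False)

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {audit_ap_config(cfg) or ['no findings']}")
```

The factory-default sample produces four findings and the hardened one none; in practice the check belongs in whatever process provisions access points, so that a unit cannot be placed on the corporate network until the list is empty.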
Using specialized software, a global positioning system (GPS) unit, and a notebook computer with wireless capabilities, "war-drivers" move through a city while scanning the airwaves for "leaking" wireless network transmissions. War-drivers scan for the SSIDs of access points and configure their devices to resemble a legitimate user of the network, thereby gaining unauthorized access.

The war-driving software records the latitude, longitude, and configuration of the access points detected along the driver's route.
Denial-of-service (DoS) attacks prevent users from accessing network resources. DoS attacks occur at various layers of the OSI stack.

A DoS attack at the physical layer occurs when the 2.4 GHz radio frequency spectrum is flooded with noise and illegitimate traffic from any radio transmitting device. Wireless equipment based on the 802.11 standard operates at a certain signal-to-noise ratio, and when the ratio drops below that threshold, the equipment is unable to communicate, thereby denying access to all users.

Wireless clients are typically configured to connect to the access point transmitting the strongest signal. A DoS attack at the data link layer occurs when an attacker spoofs the SSID of an access point and transmits with increased signal strength. Clients automatically associate with the spoofed access point and are denied access to legitimate resources. Additionally, the attacker can examine the captured traffic to decipher the Wired Equivalent Privacy (WEP) key used to authenticate and encrypt traffic.

At the network layer, a DoS attack occurs when an attacker floods a wireless network with large ping requests or other unauthorized traffic.

A DoS attack may also occur if an attacker exploits the Extensible Authentication Protocol (EAP) to flood the authentication server with fake requests, thereby preventing valid users from authenticating to the wireless network. In addition, this attack may affect the enterprise-wide wired network.
A "man-in-the-middle" (or bucket brigade) attack breaks the network connection between authorized users and access points, resulting in eavesdropping and possible data manipulation.

An attacker sends a de-authorization command to a user machine, forcing it to drop its association with its AP and search for a new AP. The user machine detects the attacker's malicious machine, configured to resemble an AP, and associates with it. Exploiting the information obtained from the captured user machine, the attacker associates the malicious machine with the legitimate network AP. As a result, all legitimate wireless network traffic is routed through the attacker's machine, enabling the attacker to access and manipulate all business-related information.
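The attack above starts with forged de-authentication frames, and the same technique drives the data-link-layer DoS described earlier. Because a legitimate AP de-authenticates a client only occasionally, a burst of such frames against one BSSID is a usable detection signal for a wireless IDS. The following is an added example (Python) of that rate-based check, not code from the original page; the frame tuple format and the sample capture are constructed, and a real deployment would feed it frames decoded from a monitor-mode capture.

```python
"""Flag bursts of 802.11 de-authentication frames per BSSID.
Added example; frame records are (timestamp, subtype, src, dst, bssid)."""
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 5      # de-auth frames within the window that raise an alert
WINDOW_SECONDS = 2.0


def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """frames: iterable of (ts, subtype, src, dst, bssid), sorted by ts.
    Returns a list of (bssid, burst_start_ts, frames_in_window), one per BSSID
    the first time its sliding-window de-auth count reaches the threshold."""
    recent = defaultdict(deque)      # bssid -> timestamps of recent de-auth frames
    alerts = []
    alerted = set()
    for ts, subtype, _src, _dst, bssid in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerts.append((bssid, q[0], len(q)))
            alerted.add(bssid)
    return alerts


# Constructed sample capture: an isolated de-auth (e.g. idle timeout) is benign,
# six de-auths within a quarter of a second against the same AP are not.
AP = "02:00:00:00:00:01"
CLIENT = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST, AP),
    (0.50, "data", CLIENT, AP, AP),
    (1.00, "deauth", AP, CLIENT, AP),
    (10.0, "data", CLIENT, AP, AP),
] + [(20.0 + 0.05 * i, "deauth", AP, CLIENT, AP) for i in range(6)]

if __name__ == "__main__":
    for bssid, start, n in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"de-auth burst against {bssid}: {n} frames from t={start:.2f}s")
```

Threshold and window are site-specific; a busy AP with many roaming clients legitimately sends more de-authentications than a quiet one, so tune them from a baseline capture before alerting on them.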
Companies often rely on media access control (MAC) addresses to establish the identity of authorized users on the corporate network. Attackers may change their machine's MAC address to impersonate a legitimate network user and gain unauthorized access to critical business information.

Attackers employ various methods to obtain authorized MAC addresses from the network, such as a brute force attack that deploys software to generate strings of random numbers until a valid MAC address is recognized.
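Since a MAC address can be set freely, MAC filtering identifies a card, not a person, and one defensive signal for a cloned address is the 802.11 sequence-control field: each station increments its own 12-bit sequence number per frame, so two devices sharing one MAC produce a stream whose sequence numbers repeatedly jump backwards. The following is an added example (Python) of that check, not code from the original page; the `(mac, seq)` record format, the tolerance value and the sample frames are constructed assumptions.

```python
"""Detect a MAC address in use by two stations via sequence-number reversals.
Added example; frames are (source_mac, sequence_number) pairs."""
from collections import defaultdict

SEQ_MODULO = 4096          # 802.11 sequence numbers are 12 bits wide
BACKWARD_TOLERANCE = 5     # small reversals happen with retransmission/reordering


def seq_delta(prev: int, cur: int) -> int:
    """Signed distance from prev to cur modulo 4096, in the range -2048..2047,
    so that the wrap 4095 -> 0 counts as +1 rather than -4095."""
    d = (cur - prev) % SEQ_MODULO
    return d - SEQ_MODULO if d >= SEQ_MODULO // 2 else d


def find_spoofed_macs(frames, min_anomalies: int = 2) -> dict:
    """frames: iterable of (mac, seq) in capture order.
    Returns {mac: reversal_count} for each MAC whose sequence numbers went
    backwards by more than the tolerance at least min_anomalies times."""
    last = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        if mac in last and seq_delta(last[mac], seq) < -BACKWARD_TOLERANCE:
            anomalies[mac] += 1
        last[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}


# Constructed capture: LEGIT's counter (100, 101, ...) is interleaved with a
# second station at ~3000 using the same MAC; OTHER wraps normally and has one
# harmless two-frame reorder.
LEGIT = "00:11:22:33:44:55"
OTHER = "00:aa:bb:cc:dd:ee"
SAMPLE_FRAMES = [
    (LEGIT, 100), (LEGIT, 101), (LEGIT, 3000), (LEGIT, 102),
    (LEGIT, 3001), (LEGIT, 103), (LEGIT, 3002),
    (OTHER, 4094), (OTHER, 4095), (OTHER, 0), (OTHER, 1),
    (OTHER, 50), (OTHER, 48),
]

if __name__ == "__main__":
    print(find_spoofed_macs(SAMPLE_FRAMES))
```

A station that resets (reboot, driver reload) or roams between APs also restarts its counter, so this is a signal to correlate with association logs rather than a verdict on its own; the stronger fix is to stop treating MAC addresses as identity and authenticate users with 802.1X instead.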
## Weak security protocol

Security risks arise from publicly known flaws in the WEP security protocol. WEP uses static shared secret keys. An attacker eavesdropping on network traffic over an extended period can determine the key, rendering the security measures ineffective.

Additionally, WEP offers weak encryption functionality. WEP uses a short value range for its initialization vector (IV). As a result, IV values are repeated over time. In a large network with heavy traffic, IV duplication occurs sooner. An attacker capturing data frames over time may be able to decipher the encryption key.
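How short "a short value range" is can be made concrete: the WEP IV is 24 bits, so there are only 2^24 (16,777,216) possible values, and with randomly chosen IVs the birthday bound puts the first repeat at roughly 4,800 frames. The following is an added example (Python) that works that calculation through and also shows the monitoring side, counting repeated IVs per BSSID in a capture; it is not code from the original page, and the `(bssid, iv)` record format and the sample frames are constructed.

```python
"""WEP IV-space arithmetic and an IV-reuse check over captured frames.
Added example; frame records are (bssid, iv) pairs."""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible initialization vectors


def iv_collision_probability(n_frames: int, iv_space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least two of n_frames share an IV,
    assuming IVs are drawn uniformly at random: 1 - exp(-n(n-1) / 2N)."""
    if n_frames < 2:
        return 0.0
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * iv_space))


def frames_for_probability(p: float, iv_space: int = IV_SPACE) -> float:
    """Frames after which a repeated IV has probability p (inverse of the above,
    using the n^2 approximation): n = sqrt(2N ln(1/(1-p)))."""
    return math.sqrt(2.0 * iv_space * math.log(1.0 / (1.0 - p)))


def hours_to_exhaust_ivs(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Best case for a sequential IV counter: hours until every IV has been used
    once and reuse becomes certain."""
    return iv_space / frames_per_second / 3600.0


def detect_iv_reuse(frames) -> dict:
    """frames: iterable of (bssid, iv). Returns {(bssid, iv): count} for every
    IV seen more than once under the same BSSID (i.e. the same WEP key)."""
    counts = {}
    for bssid, iv in frames:
        counts[(bssid, iv)] = counts.get((bssid, iv), 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


# Constructed sample: four data frames from one AP, one IV used twice.
SAMPLE_FRAMES = [("02:00:00:00:00:01", iv)
                 for iv in (0x0A0B0C, 0x0A0B0D, 0x0A0B0C, 0x000001)]

if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"50% chance of a repeat after ~{frames_for_probability(0.5):.0f} random frames")
    print(f"P(repeat) after 10,000 frames: {iv_collision_probability(10_000):.3f}")
    print(f"sequential IVs exhausted in ~{hours_to_exhaust_ivs(500):.1f} h at 500 frames/s")
    print(f"reused IVs in sample: {detect_iv_reuse(SAMPLE_FRAMES)}")
```

The numbers are the point: a busy AP pushing 500 frames per second cycles through the whole IV space in under ten hours even with a perfectly sequential counter, and random IVs repeat far sooner. Detecting reuse confirms the exposure but cannot remove it; the remedy is to replace WEP with WPA2 or WPA3.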
## Rogue access points

Individual departments or end users may deploy personal access points to enhance wireless connectivity or to enable intra-departmental connectivity. These "rogue" access points, often not adequately configured to prevent unauthorized access and intrusion, may compromise the enterprise-wide business network.
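Both the rogue access points described here and the spoofed-SSID access point from the data-link-layer DoS above show up the same way to a wireless scan: a BSSID that is not in the authorized inventory. Comparing each observed beacon against that inventory separates authorized APs, unknown APs, and "evil twins" that advertise a corporate SSID from an unauthorized BSSID, and flags twins that out-shout the real APs. The following is an added example (Python) of that classification, not code from the original page; the inventory, the scan record format and the sample scan are constructed.

```python
"""Classify observed access points against an authorized inventory.
Added example; scan records are (bssid, ssid, channel, rssi_dbm)."""

# Constructed inventory: BSSID -> SSID it is authorized to advertise.
AUTHORIZED_APS = {
    "02:00:00:00:00:01": "corp-wlan",
    "02:00:00:00:00:02": "corp-wlan",
}


def classify_beacons(observations, authorized=AUTHORIZED_APS) -> dict:
    """observations: iterable of (bssid, ssid, channel, rssi_dbm) from a scan.
    Returns {bssid: verdict} with one of: authorized,
    authorized-bssid-unexpected-ssid, evil-twin, evil-twin-stronger-signal,
    unknown-ap."""
    obs = list(observations)
    corporate_ssids = set(authorized.values())
    # Strongest signal seen from a genuine AP per SSID, so that a twin that
    # transmits louder than any real AP can be called out explicitly.
    best_auth_rssi = {}
    for bssid, ssid, _ch, rssi in obs:
        if authorized.get(bssid) == ssid:
            best_auth_rssi[ssid] = max(best_auth_rssi.get(ssid, -1000), rssi)
    verdicts = {}
    for bssid, ssid, _ch, rssi in obs:
        if bssid in authorized:
            verdicts[bssid] = ("authorized" if authorized[bssid] == ssid
                               else "authorized-bssid-unexpected-ssid")
        elif ssid in corporate_ssids:
            louder = rssi > best_auth_rssi.get(ssid, -1000)
            verdicts[bssid] = "evil-twin-stronger-signal" if louder else "evil-twin"
        else:
            verdicts[bssid] = "unknown-ap"
    return verdicts


# Constructed scan: two genuine APs, a louder twin on the corporate SSID,
# and a neighbouring network that is not ours to judge from the air alone.
SAMPLE_SCAN = [
    ("02:00:00:00:00:01", "corp-wlan", 6, -60),
    ("02:00:00:00:00:02", "corp-wlan", 11, -70),
    ("02:00:00:00:00:99", "corp-wlan", 6, -40),
    ("06:aa:bb:cc:dd:ee", "cafe-guest", 1, -80),
]

if __name__ == "__main__":
    for bssid, verdict in classify_beacons(SAMPLE_SCAN).items():
        print(f"{bssid}  {verdict}")
```

An "unknown-ap" verdict is not yet a rogue: a neighbour's network looks identical over the air. What makes a department's personal AP a rogue is its wired uplink into the corporate LAN, so the unknown list should be correlated with switch port data (MAC tables, 802.1X port status) to find which unknown BSSIDs are bridged onto the wired network, and those ports disabled.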