Should we concentrate on 802.11 Wireless Security?

The widespread area of 802.11 network coverage zones is one of the major reasons for rising security concerns and interest: An attacker can be positioned where no one expects him or her to be and stay well away from the network's physical premises. Another reason is the widespread use of 802.11 networks themselves: By 2006 the number of shipped 802.11-enabled hardware devices is estimated to exceed 40 million units, even as the prices on these units keep falling. After 802.11g products hit the market, the price for many 802.11b client cards dropped to the cost level of 100BaseT Ethernet client cards. Of course there is a great speed disadvantage (5–7 Mbps on 802.11b vs. 100 Mbps on switched fast Ethernet), but not every network has high-speed requirements, and in many cases wireless deployment will be preferable. These cases include old houses in Europe protected as a part of the National Heritage. In such houses, drilling through obstacles to lay the cabling is prohibited by law. Another case is offices positioned on opposite sides of a busy street, highway, or office park. Finally, the last loop provider services via wireless are basically a replacement for the cable or xDSL link and 802.11b "pipe" is not likely to be a bottleneck in such cases, taking into account common xDSL or cable network bandwidth.

802.11 networks are everywhere, easy to find, and, as you will see, often do not require any effort to associate with. Even if they are protected by WEP (which still remains the most common security countermeasure on 802.11 LANs), the vulnerabilities of WEP are very well publicized and known to practically anyone with a minimal interest in wireless networking. On the contrary, other wireless packet-switched networks are far from being that common and widespread, do not have well-known and "advertised" vulnerabilities, and often require obscure and expensive proprietary hardware to explore. At the same time, 802.11 crackers commonly run their own wireless LANs (WLANs) and use their equipment for both cracking and home and community networking.

Attacks on GSM and GPRS phones are mainly related to unit "cloning," which lies outside the realm of network hacking to which this book is devoted. On the personal area network (PAN) side, the hacking situation is far more interesting to dive into from a network security consultant's viewpoint.

Attacks on infrared PANs are a form of opportunistic cracking based on being in the right place at the right time—a cracker would have to be close to the attacked device and be in a 30-degree zone from its infrared port. Because the infrared irradiation power is limited to 2 mW only, the signal is not expected to spread further than two meters. An exemption to the 30 degrees/2 mW limitations is the case when an infrared access point (e.g., Compex iRE201) is deployed in an office or conference hall. In such a situation, all that a cracker needs to sniff traffic and associate with the infrared PAN is to be in the same room with the access point. There is no layer 2 security in Infrared Data Association (IrDA) PANs and unless higher layers' encryption or authentication means are deployed, the infrared network is open for anyone to exploit. Windows 2000 and Windows XP clients automatically associate with other IrDA hosts and Linux IrDA project stack (http://irda.sourceforge.net/) provides a remote IrDA host discovery option (do irattach -s) as well as irdadump, which is a utility similar to tcpdump. Irdaping has been used to freeze dead unpatched Windows 2000 machines before the Service Pack 3 release (see the Bugtraq post at http://www.securityfocus.com/archive/1/209385/2003-03-11/2003-03-17/2). If you want to dump layer 2 IrDA frames under Windows 2000, an infrared debugger interface in rCOMM2k (a port of Linux IrDA stack, http://www.stud.uni-hannover.de/~kiszka/IrCOMM2k/English/) will do a decent job. However, no matter how insecure the infrared networks are, their limited use and physically limited spread means that scanning for data over light will never be as popular as scanning for data over radio frequency (RF) waves.