Monday, October 13, 2008

Security Issues in Wireless LANs-II


Information security has become a buzzword of the twenty-first century. Governments, institutions, enterprises, commercial businesses and individuals are storing information in electronic form, as this has a number of distinct advantages over physical storage. Storage in electronic form is more compact, transfer is almost instantaneous, and accessing, retrieving, loading and manipulating information via databases is easy.

The need

The ability to use information more efficiently has resulted in a rapid increase in the value of information. Businesses in a number of commercial arenas today recognise information as their most valuable asset. There are therefore a number of mechanisms, products and technologies that make use of this critical, precise, historical and valuable information in a useful manner to make life-saving decisions. With the electronic revolution, information now faces new and potentially damaging security threats. Unlike information printed on paper, information in electronic form can be stolen from a remote location easily and invisibly.

What is information security?


Information security describes all measures taken to prevent unauthorised use of electronic data. This unauthorised use may take the form of disclosure, alteration, substitution or destruction of the data. Information security is classified as the provision of the following three services:

Confidentiality: Concealment of data from unauthorised people.

Integrity: Assurance that data is genuine, i.e., the originality has been preserved.

Availability: Ensuring that the system functions efficiently after security provisions are in place.

Why is wireless LAN communication not secure?


In a traditional wired LAN, all communication is confined to a physical link between the workstations. If we protect the workstations and the physical link, we can prevent unauthorised access to the network. But in a WLAN, communication is not through a physical link, but is broadcast through the air in all directions simultaneously. It is a bit like tossing a stone into a pond and watching the ripples spread outwards. But while physical obstacles can stop the ripples, wireless broadcasts pass straight through walls, doors, fences, etc. This means that when you send an e-mail to the CEO wirelessly, that e-mail can be received by anybody with the right kind of receiving equipment within the range of the ripples. The range is generally between 20 and 50 metres without a booster, and with a booster it could well be anything up to 500 metres.

Typical wireless security attacks

There are several possible wireless security attacks, such as:

WEP cracking:
Wired Equivalent Policy (WEP), the primary security algorithm currently in use, is vulnerable because the encryption keys remain static. The encryption key used by
WEP, regardless of its length, never changes unless it is periodically and manually changed by the administrator on all devices. An attacker uses a relatively inexpensive wireless packet sniffer to collect packets. After gathering five to 10 million packets, the attacker runs readily available tools that can determine encryption keys in a few minutes, enabling him to decrypt
and read all data passing between the client and the access point.

MAC attack:
Medium Access Control (MAC) addresses can be cracked in much the same way as WEP encryption keys. Once the encryption key is deciphered, all packet data, including the MAC ID, is exposed. If no encryption is used, the MAC ID can simply be plucked from the air. Once a valid MAC address has been obtained, hackers can spoof a valid user by programming a computer to broadcast the stolen ID.
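One way a defender can notice the MAC spoofing described above, shown as an added example that is not part of the original post: every 802.11 transmitter increments a 12-bit sequence number per frame, so two radios sharing one MAC address produce interleaved sequences with large jumps. The frame records, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap at 4096

# Constructed sample capture: (timestamp_s, transmitter MAC, sequence number).
# The first MAC is used by two radios at once; the second is a single station
# whose counter wraps around and which loses a few frames.
FRAMES = [
    (0.00, "00:11:22:33:44:55", 100),
    (0.01, "00:11:22:33:44:55", 2900),
    (0.02, "00:11:22:33:44:55", 101),
    (0.03, "00:11:22:33:44:55", 2901),
    (0.04, "00:11:22:33:44:55", 102),
    (0.05, "00:11:22:33:44:55", 2902),
    (0.00, "aa:bb:cc:dd:ee:01", 4094),
    (0.02, "aa:bb:cc:dd:ee:01", 4095),
    (0.04, "aa:bb:cc:dd:ee:01", 0),
    (0.06, "aa:bb:cc:dd:ee:01", 1),
    (0.08, "aa:bb:cc:dd:ee:01", 5),
]


def seq_gap(prev, cur):
    """Forward distance from prev to cur, allowing for 12-bit wraparound."""
    return (cur - prev) % SEQ_MOD


def find_spoofed_macs(frames, max_gap=64, min_anomalies=3):
    """Return {mac: anomaly_count} for MACs whose sequence numbers keep jumping.

    A gap of 0 is a retransmission and a small forward gap is ordinary frame
    loss; only gaps above max_gap count, and a MAC is reported only after
    min_anomalies of them, so a single reset on re-association is tolerated.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for _, mac, seq in sorted(frames):  # process in capture-time order
        mac = mac.lower()
        if mac in last_seq and seq_gap(last_seq[mac], seq) > max_gap:
            anomalies[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in anomalies.items() if n >= min_anomalies}


if __name__ == "__main__":
    for mac, count in find_spoofed_macs(FRAMES).items():
        print(f"possible MAC spoofing: {mac} ({count} sequence jumps)")
```

QoS data frames keep a separate counter per traffic ID, so a sensor working on real captures would track the pair (MAC, TID) rather than the MAC alone.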

Man-in-the-middle attacks:
This type of attack involves a hacker situated between the client and access point, intercepting all traffic. The hacker captures and decrypts the frames sent back and forth between a user’s wireless NIC and AP (access point) during the association process. This provides essential information about the wireless NIC and AP, such as the IP addresses for both devices, the wireless NIC’s association ID and the network’s SSID (Service Set Identifier). With this information, anyone can set up a rogue access point on a different wireless channel closer to a particular user, to force the user’s wireless NIC to re-associate with the bogus access point. Both the client and the server believe they are connected directly to each other, but instead they are connected to a man in the middle. The attacker has access to all data passed between the two entities, including login information.

Dictionary attacks: This kind of attack relies on conventional names and words being used as login names and passwords. The attacker gathers a challenge and response exchange from password-based protocols. Using open source tools based on a dictionary of hundreds of thousands of words, names and phrases, an offline computer tries essentially every name-password combination, until the login information is decrypted. Once a name and password have been cracked, the attacker has access to the WLAN with all the rights and privileges of that user.

Session hijacking: When an attacker is capable of not only listening to network traffic but also inserting his information, then a session is susceptible to hijacking—redirecting it away
