Project Proposal: Security Threats for

Wireless Devices

Matt Fratkin

April 11th, 2005

E6886

Project Overview

To investigate the current security threats among Wireless LANS, Wireless Personal Area Networks (Bluetooth), and Wireless Handheld devices

To describe the various problems associated with the built in security features for each of these devices

Wireless Technology Overview

Wireless technology can be defined as the ability for more than one device to communicate with each other without having any sort of physical connection

Wireless Technology Threats Overview

Since wireless technology does not use cables for transmission, it relies on radio frequencies to transmit the data

This makes it susceptible for intruders to intercept the signal and interfere with it how ever they want whether it be eavesdropping, stealing information, or causing damage to the network

Wireless LANs Overview

Connects user’s computers to the network using an access point device

The access point connects with devices equipped with wireless network adapters (wired Ethernet LAN via an RJ-45 port)

These access points usually have coverage areas of up to 300 feet

Some of these access points can be linked together so users can remained linked through multiple access points

Wireless Personal Area Networks Overview (Bluetooth) These are networks that are supposed to dynamically

connect devices such as cell phones, laptops, PDAs These ad-hoc networks have random network

configurations and rely on a master-slave system connected by wireless links to allow devices to communicate with one another

Since the devices move in an unpredictable way the networks need to be reconfigured on the go in order to handle the change

The routing that the Bluetooth uses allows the master to establish and maintain these ever shifting networks

Bluetooth Network Example

Bluetooth enabled mobile phone connecting to mobile phone network, synching with a PDA address book, and downloading email

Wireless Handheld Devices

These devices can broken down into two categories: PDAs and Smart Phones

PDAs operate on a proprietary networking standard that sends email to remote servers by accessing the corporate network

Smart Phones are mobile phones that contain information processing and data networking capabilities

Wireless LAN Security Features

There are three different types of security features for Wireless LANs

1. Authentication

2. Confidentiality

3. Integrity

Wireless LAN Security Features - Authentication

Provides a service to the users by needing to verify the identity of the users for each communicating station

Denies access to those who can not properly authenticate themselves

Therefore only authorized personal are allowed to use the communicating client stations

Wireless LAN Security Features- Confidentiality

This feature provides privacy to any user on the network

Supposed to prevent eavesdropping by outsiders

Therefore only authorized people are allowed to view the data on the network

Wireless LAN Security Features - Integrity

This feature is used to ensure that the data coming in is the data that was transmitted

Makes sure that no alterations of the data has been made while it is in transit

Therefore users should feel confident that they are viewing the data that was meant for them to see, not some altered version

Wireless LAN Security Diagram

Problems with the Wireless LAN Security Features The standardization of Wireless LAN security is the

IEEE 802.11Standard Security This provides for cryptographic keys of 40-bits However, some vendors have implemented products with

keys of up to 104 and 128-bit keys Many users in a network often share these

cryptographic keys so if one becomes lost or stolen then the whole network can be at risk

Also, the eavesdropper usually knows 24-bits of every packet key, so this combined with the weakness in the key schedule allows for an analytical attack

Problems with the Wireless LAN Security Features- cont. The analytical attack recovers the key after only

analyzing a small amount of traffic in the key schedule (RC4)

This attack is a very public attack similar to an attack script and open source code

Since the integrity is checked by a Cyclic Redundancy Check (CRC) along with checksums, the integrity can be challenged due to the fact that the checksums are noncryptographic

This leads to vulnerabilities in the system, allowing the attacker to be able to systematically decrypt the incoming packets and those change the information

RC4 Algorithm used for privacy protection

Diagram of Possible Wireless LAN attacks

Bluetooth Security Features

There are some built in security features for Bluetooth technology that address the following topics

1. Authentication

2. Confidentiality

3. Authorization

Bluetooth Security Features - Authentication

The purpose of this feature is to be able to verify the identity of who the device is communicating with

There is also an abort feature in case the device does not authenticate properly

Bluetooth Security Features - Confidentiality

This feature once again protects the privacy of the user

It is intended to prevent others from viewing/eavesdropping on the information being sent to and from the user

Therefore the user can feel safe that only authorized users are seeing the data

Bluetooth Security Features – Authorization

This feature addresses the question as to whether or not the device is authorized to use the service

This prevents non-authorized users from stealing resources intended for authorized users

Bluetooth Security Modes

On top of the built in security features, Bluetooth can operate in the following three security modes

1. Security Mode 1: Nonsecure mode

2. Security Mode 2: Service-level enforced security mode

3. Security Mode 3: Link-level enforced security mode

Bluetooth Security Modes

Bluetooth Security Diagram

Problems with Bluetooth Security Features

Based on a table generated by the National Institute of Standards and Technology (NIST), some of the problems/vulnerabilities with the Bluetooth Technology are:

The random number generator may produce static or periodic numbers that reduce the effectiveness of the authentication scheme

Short PINS are allowed for generating link and encryption keys. These short PINS can be guessed and therefore decreases the security

There is no way clear way to generate and distribute PINS, therefore in networks with many users it is difficult to keep secure PINS from being guessed

Problems with Bluetooth Security Features - cont

Authentication can be repeated- there is no limit set for the number of times a user can attempt to become authenticated

The key length used for encryption doesn’t have a set minimum length, causing some to have short/weak keys

Security is not maintained all the way through the system- individual links are encrypted and authenticated and data is decrypted at intermediate points. There is no encryption and decryption maintained all the way through the system

Wireless Handheld Device Security Features

There are not a lot of built in security features in wireless handheld device, but their security can be threatened as well in the following areas:

Confidentiality Integrity Availability

Wireless Handheld Devices Security Threats - Confidentiality

The information contained on the wireless devices can be compromised at a variety of different levels whether it be on the handheld device itself, the storage module, the PC, or while being sent over Bluetooth, USB, or serial communication ports

PDAs are susceptible during the period when data is being transmitted as the data being sent is unencrypted so anyone in close proximity can retrieve that information

Likewise, a Bluetooth device that is not properly configured is liable to have the data stolen from someone who has a Bluetooth-enabled device

Wireless Handheld Devices Security Threats - Integrity

Handheld devices face the same problems as Wireless LANs as the transmitted data can be altered before it reaches the user or device thus interfering with the integrity of the transmitted data

The handheld hardware must be protected from the insertion or replacement of the read-only-memory (ROM) by outside parties

Handheld applications must be protected from the installation of software from unauthorized sources that may contain malicious software (malware)

Wireless Handheld Devices Security Threats - Availability

The wireless handheld devices need to also be protected from attacks that limit their computational or network resources thus making these devices unusable for certain periods of time

These attacks can be in the form of Trojan horses, worms, viruses and other malware that effect the networks

All types of wireless handheld devices are targets for these types of attacks

Conclusion

As it is evident from the previous slides wireless technology is a wonderful feature for many of today's most common devices

However, since information is being transmitted through radio frequencies it is open to interception and tampering from outside parties

Although many of these devices are built with security features it seems like many of these features are not good enough to protect the transmitted data

Conclusion- cont

Encryption keys for the networks seem to be built using very small amount of bits, even though the vendors are building the devices with large amounts of bits

PINS over large networks with many users are no good as short PINS are used which can easily be guessed

With the ever changing technology the wireless technology needs to make security a huge priority to protect the customers

Questions/Comments

I can be contacted at mbf2106@columbia.edu if you have any questions or comments

References

Karygiannis, Tom and Owens, Les, “Wireless Network Security: 802.11, Bluetooth and Handheld Devices,” http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf, 2002.

Uskela, Sami, “Security in Wireless Local Area Networks,” http://www.tml.hut.fi/Opinnot/Tik-110.501/1997/wireless_lan.html, 1997

V-One Corporation, “Smart Security for Wireless Communications,” http://www.v-one.com/docs/whitepaper_wireless.pdf, 2003.

References -Diagrams

All diagrams were taken from the Wireless Network Security Publication by Tom Karygiannis and Les Owens