The Police Chief, the Professional Voice of Law Enforcement

Communications: Risks and Tips for Public Safety: Use of Unlicensed 802.11 (Wi-Fi) Broadband Spectrum

By Harlin R. McEwen, Chief of Police (Retired), Ithaca, New York, and Chairman, IACP Communications and Technology Committee, and Vice Chairman, National Public Safety Telecommunications Council
As technology continues to move forward at a frantic pace, so does public safety practitioners' desire to take advantage of that technology. Nowhere is this more apparent today than in the use of commercial wireless broadband technology such as 802.11 (Wi-Fi) wireless data systems. Many public safety agencies are considering or are already deploying an 802.11 system. While there are many advantages to using commercial technology (most notably availability and price), there are some major risks that are worth talking about. This article will discuss briefly some of the risks of using 802.11 technology and share tips for using it as effectively as possible.

Many people assume when setting up a wireless network that they are immune to attack from interlopers; in fact, wireless networks are often not protected and are very vulnerable to attack. Take, for example, what happened to a Lowe's hardware store in Southfield, Michigan. This store was transmitting, via a Wi-Fi network, credit card and other data from cashiers to the central network. This Wi-Fi network was hacked by three college-age men sitting just outside the store. Another example occurred in Raleigh, North Carolina, where more than 2,000 patient records were downloaded from Wake Internal Medicine Consultants. Attacks like these against high-profile targets are becoming more common every day, and law enforcement is not immune from them.

Wi-Fi Protected Access and Robust Security Networks
When network security is taught in colleges, 802.11 is used as the example of what not to do. Many attacks and exploits against 802.11 have been published over the years, and the tools exploiting these security holes are more and more prevalent.

IEEE 802.11i is the first step, in what appears to be several steps, to shore up vulnerabilities identified and exploited in 802.11 networks. Approved on July 23, 2004, the 802.11i standard took about three years to produce and covers a wide variety of security-related topics. At the core of the standard are two phases: phase 1 is Wi-Fi Protected Access, and phase 2 is Robust Security Networks.

WPA is now a standard mechanism that must be implemented on all new 802.11 devices seeking certification by the Wi-Fi Alliance for 802.11 devices.2 WPA is intended to be forward compatible with 802.11i security, and is a subset of 802.11i. The portions of 802.11i that have not been implemented in WPA include secure ad hoc networking, secure fast handoff, secure de-authentication and disassociation, and enhanced encryption with the Advanced Encryption Standard (AES).3

Phase 2 of 802.11i, Robust Security Networks, provides four main benefits: enhanced authentication for end user devices, cryptographic key creation, cryptographic key management, and enhanced data encapsulation. Enhanced authentication will help solve masquerading and identity denial-of-service attacks discussed later in this article. The cryptographic key creation and management will help mitigate the privacy problems encountered with the original 802.11 standard by using AES. It will also allow for new cryptographic algorithms to be inserted into the protocol as they become available and necessary. Enhanced data encapsulation will allow for significantly improved security with respect to packet integrity, making it very difficult to successfully modify a packet in transit through the network without detection.

802.11i security is a great deal better for public safety than the original 802.11 security. Problems with eavesdropping and most of the denial of service attacks are mitigated with this enhancement.

The bottom line is this: if 802.11 technology is purchased, make sure that at the very least it uses WPA, and if possible, RSN. It is strongly recommended that agencies reconsider the use of unlicensed 802.11 if neither of these security features is available.

802.11 Risks
Why are attacks against these networks becoming more and more common? It is partly due to the ease with which they can be set up. There are many hacking tools available on the Internet that can be downloaded, installed, and run with no more knowledge than it takes to view a Web page. In addition, 802.11 technology is widely available, and it is cheap. 802.11 subscriber radio cards cost in the neighborhood of $20. All an attacker needs is the software downloaded free from the Internet, the card, and a computer.

There are four main methods an attacker can use to damage your use of an unlicensed 802.11 network: eavesdropping, modification, masquerading, and denial of service. Each of these different methods will be discussed briefly below.

Eavesdropping
Eavesdropping is listening in on a conversation without an invitation. There are two different methods of eavesdropping on an 802.11 network that are pertinent to public safety: traffic analysis and passive eavesdropping. While each different type of eavesdropping is important, they all share the same basic characteristic: there are unauthorized people listening to the network.

With traffic analysis an attacker need not listen in on the actual conversation; instead, the attacker only needs to recognize that an action is being planned in order to figure out what is going on. It is the flurry of network activity prior to a law enforcement action, such as a drug raid, that alerts the attacker. The attacker needn't be able to understand the traffic in order to figure out that something big is going down.

In a public safety environment, there are several additional types of information that can be gathered with this type of attack. Through the use of a yagi, or helical directional antenna, the attacker can not only increase the distance from which this attack can be performed but also gather information about the geographical location of transmissions. This holds true for both the public safety first responders themselves and the pieces of infrastructure, whether fixed or mobile. The feasibility of such an attack is simple. Attackers can construct a yagi antenna out of nothing more exotic than a Pringles can, a steel rod, and a few washers. In fact, this technique is the same technique used by the military, with sophisticated equipment, to triangulate the position of radio communications in the field.

Passive eavesdropping will also benefit from some of the same techniques used in traffic analysis, such as the use of a yagi antenna. With this type of attack, the attacker simply monitors traffic traversing a particular link and does it from several city blocks away. From a public safety standpoint, this type of attack will be nearly impossible to prevent on a system that isn't using 802.11i. The only real way to mitigate the effects of such an attack is to use strong encryption. For these reasons, users of an unlicensed 802.11 network need to ensure that it is at least WPA-compliant and RSN-capable.4

Modification
There are two kinds of modification attacks that are pertinent to public safety wireless communications: packet modification and packet injection. Both are also known as active eavesdropping, and both are intrusive attacks.

While these types of attacks are generally not feasible in the public safety environment, security protection from these attacks must be maintained. In the case of in-the-air modification, the engineering resources necessary to carry out such an attack make it infeasible. Technologies such as software defined radio (SDR) are commonly discussed as a platform with which to carry out such an attack, but such devices are expensive and hard to obtain. Should an attacker acquire one of these devices, the technical expertise required to instigate an attack with the device is considerable. This problem will continue to grow with the increasing availability of such radios, but the security against such attacks is also expected to grow. With the advent of 802.11i, this attack becomes nearly impossible, even with the right type of equipment.

Masquerading
Masquerading is the attempt of an attacker to create a deceptive appearance, taking on the appearance of a trusted public safety wireless access point. One of the most common masquerade attacks is the man-in-the-middle attack. A successful man-in-the-middle attack occurs when the attacker attempts and succeeds at masquerading as the wireless access point through which the user is trying to communicate.

The feasibility of such an attack is known. There are software packages that provide the fundamental tools necessary to perform this attack on unlicensed 802.11 networks. If public safety were to deploy an 802.11 network, the network would inherently have this vulnerability. Protection from this vulnerability is available with 802.11i. With 802.11i, this attack becomes difficult if not impossible to attempt.

Denial of Service
Denial-of-service attacks can be the most damaging of the attacks, in that these attacks completely deny authorized users access to the network resources necessary to do their job. The attacker may be able to access the network during the attack.

These types of attacks are commonly misunderstood to be attacks where the attacker floods the network with so much traffic that authorized users can't access the medium to transmit valid traffic. The denial-of-service methods described here do not even require that much effort; instead they take advantage of security vulnerabilities in the network management itself.
There are three main types of denial-of-service attacks that will be covered here: identity attacks, Medium Access Control (MAC) attacks, and distributed denial-of-service attacks.

Identity Attacks: The identity attack takes advantage of the trust automatically generated between a user on the network and the wireless access point on the network. Management traffic sent from the wireless access point to the user nodes is sent in the clear, making it relatively easy to generate an attack based on this traffic. This type of attack is feasible because, even if the network is encrypted, the network key need not be known to carry it out. This type of attack can effectively shut down the entire network for any number of users that are targeted by the attacker.

Medium Access Control: MAC attacks are an attack against the unlicensed spectrum itself. In order for an 802.11 device to transmit, it first checks to see if the spectrum is free. If it is, then the device waits for a random amount of time before transmitting. If the spectrum is busy, then the device waits for a random amount of time before checking again. If the spectrum always appears to be busy, which it does with a MAC attack, then the device will never attempt to transmit.

Distributed Denial of Service: A distributed denial-of-service attack is a tool attackers use to accomplish two primary purposes: first, to physically distribute the attack, making it more difficult for public safety or Federal Communication Commission investigators to triangulate the source of an attack since there are multiple sources, and, second, it enables the attacker to maximize the resources available to each attack device by splitting the attack among all of the devices employed in an attack. Although no examples of this type of attack have been identified, this does not mean that they are not possible; they may simply not have been recognized.

Though many of the denial-of-service attacks described in this article are not feasible for an attacker to implement today, distributing a series of PDAs with 802.11 cards running a denial-of-service attack is feasible as an attack method.

Public safety networks that take advantage of 802.11, even with WPA and RSN, will be continuously vulnerable to these types of attacks, as the ability to forge certain types of traffic within the network will still be possible. By itself, the ready availability of equipment and software should throw up a red flag for public safety agencies considering unlicensed 802.11 deployment.

Quick Tips
This article has established the dangers facing use of an unlicensed 802.11 network; if the decision is made to set up an unlicensed wireless access point then these tips will help with security.5

Quick Tip 1: Change the Default Administrator Login and Password
Nearly every Wireless Access Point (WAP) or router is shipped with a default administrator login and password through which the wireless network is administered. This account gives the user complete access to the WAP itself, determining to a great degree the level of security of the network.

Manufacturers set this administrator account information at the factory. It is easy to find this default information for each vendor with nothing more complex than a few minutes using Google. Before even plugging the WAP into the network, plug a computer into the WAP and change the password for the administrator. Some WAPs even allow changing the administrator login name. If this is possible, change it. Whether or not the administrator login name can be changed, it is recommended that the administrator password be changed every one to three months.

Quick Tip 2: Turn on Encryption
Members of the justice community are bound by specific Criminal Justice Information Sharing requirements with regard to the security of any justice network. This means that the original encryption mechanism for 802.11, Wireless Equivalent Privacy (WEP), doesn't work for the public safety community, as it only uses a 104-bit key and is simple to hack into in any case. In addition, WEP is not certified by the National Institute of Standards and Technology.

IEEE worked to fix a lot of the problems with WEP, and in doing so created the new 802.11i standard. This standard is being rolled out in two parts: Wi-Fi Protected Access (WPA) and Robust Security Networks (RSN) (or WPA2). While WPA fixes the problems with WEP used in the original 802.11, even using 128-bit keys, it is still not NIST-certified. RSN, on the other hand, does use a NIST-certified encryption algorithm, the Advanced Encryption Standard (AES), which uses 128-bit keys.

The challenge is finding and deploying a WAP and client devices that not only are RSN-compliant but that have also been certified by NIST. There are pending compliance dates associated with meeting the Federal Bureau of Investigation's CJIS requirements if the network accesses the FBI's CJIS databases. Also some states' criminal justice networks have requirements similar to the CJIS databases. At the very least the system must be WPA-compliant and as resources allow, move to RSN.

Quick Tip 3: Put a Firewall between the WAP and the Network
Don't make the mistake of thinking that just because there is a firewall between the internal network and the Internet that it has any effect on the wireless access point. It doesn't. Many WAPs on the market today come with built-in firewalls, and these should be used. However, some WAPs are scaling back on the functions of a true firewall, so it is necessary to study the features listed for any WAP under purchase consideration. To determine whether the built-in firewall is adequate, compare it to COTS firewalls available for purchase.

When setting up the firewall, determine the type of traffic allowable and make sure to limit services as severely as possible. For example, if surfing the Web is not an allowable feature, then don't allow any Hypertext Transfer Protocol (HTTP) traffic.

Quick Tip 4: Change the Default Wireless Network Name
Just as with the administrator login and password, manufacturers of WAPs ship their products with a default wireless network name. While knowing this network name doesn't, by itself, make it any easier to break into the network, it is a good start. If a hacker sees a default wireless network name being used by a Wi-Fi network, he assumes that there is a good chance that the rest of the network is also default, making it easy pickings.

Change the default wireless network name to something innocuous that uses most of the entire space allowed for the network name. Make sure you don't name it "law enforcement," which will be synonymous with "Here I am, hackers." Use both letters and numbers interspersed through the name chosen.

Quick Tip 5: Enable MAC Address Filtering
Every user device that connects to a WAP has a unique address known as the MAC address. On some devices it is possible to change the MAC address. WAPs keep track of each MAC address that a user device uses to connect with it. Some WAPs allow the administrator to create a list of MAC addresses so that only those MAC addresses listed are allowed to connect. If the WAP allows this, then by all means use it. While it is not foolproof it is another obstacle for a hacker to get through. In order to create the list, the administrator will need to collect all of the MAC addresses from each user device expected to connect to the network.

Quick Tip 6: Disable the Wireless Network Name Broadcast Altogether
The WAP has a feature that announces its network name in a cycle to every system within receiving range. This is a feature for use where users come and go often, such as at a local coffee shop. However, since an administrator supports the public safety user, this feature isn't necessary. Most WAPs today allow disabling this broadcast altogether and the public safety user should disable it.

Quick Tip 7: Assign Static IP Addresses to Devices
Many users enjoy using a WAP's ability to generate dynamic IP addresses for users that are connecting to it. It is more convenient for users because they don't have to configure their devices for use on the network. It is also convenient for hackers.

The best way to create IP addresses for users is to statically assign them. This will make it more difficult for a hacker to connect to a network. Also make sure that nonroutable IP addresses are used, such as 10.0.0.* or 192.168.0.* or something similar. This will ensure that user devices cannot be reached directly from the Internet.

Quick Tip 8: Position the WAP in a Safe Place
The final tip is to make sure the WAP is in a safe place. First, only the administrator should be capable of physically touching the WAP, because most WAPs have a small button that, once pressed, returns the WAP to factory defaults, including every protection feature already discussed in this guide.

Second, because this is a wireless network, there is the good probability that the network can be heard beyond the walls of the building. While the goal is to make sure that all users can connect easily from their most likely spots, be aware that the network might be reachable from other, less desirable places. A good rule of thumb for ranges is about 150 feet from the WAP in an indoor environment and 300 feet from the WAP outdoors (using 802.11 b/g). 802.11a has an effective range of about one-third that of 802.11 b/g. These estimates are on the high side, and distances can be considerably reduced by obstructions such as brick walls or metal frames in walls.
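The configuration checks behind Quick Tips 1 through 7 can be automated so an administrator can re-audit a WAP before it is connected and again at each password rotation. The script below is an added example written for this article, not code from the magazine or any vendor; it assumes a WAP configuration exported into a plain Python dict (the field names and both sample configurations are constructed for illustration, and the default-credential and default-SSID lists are short illustrative samples rather than a vendor database). Tip 8, physical placement, cannot be checked in software and is left out.

```python
import ipaddress
import re

# Constructed sample WAP configurations (not a real vendor export format).
# The fields mirror Quick Tips 1 through 7 from the article.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "encryption": "WEP",            # original 802.11 privacy mechanism
    "ssid": "linksys",
    "ssid_broadcast": True,
    "mac_filtering": False,
    "dhcp_enabled": True,
    "lan_subnet": "12.0.0.0/24",    # publicly routable, not a private range
    "firewall_enabled": False,
}

HARDENED_CONFIG = {
    "admin_user": "pd-wlan-ops",
    "admin_password": "K9rv-3pLz-Qw7m-8sHd",
    "encryption": "WPA2",           # RSN, the AES-based phase of 802.11i
    "ssid": "mx7q2-site-a4k1",      # innocuous, mixes letters and digits
    "ssid_broadcast": False,
    "mac_filtering": True,
    "dhcp_enabled": False,
    "lan_subnet": "10.0.0.0/24",
    "firewall_enabled": True,
}

# Illustrative lists only; real factory defaults vary by vendor and model.
DEFAULT_ADMIN_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
ACCEPTED_ENCRYPTION = {"WPA", "WPA2"}   # WPA at minimum, RSN/WPA2 preferred
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_wap(cfg):
    """Return a list of (quick_tip_number, finding) for each tip the config violates."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_ADMIN_CREDS:
        findings.append((1, "factory default administrator login/password still in use"))
    if cfg["encryption"] not in ACCEPTED_ENCRYPTION:
        findings.append((2, f"encryption is {cfg['encryption'] or 'off'}; require WPA, prefer RSN/WPA2"))
    elif cfg["encryption"] == "WPA":
        findings.append((2, "WPA only; move to RSN/WPA2 (AES) as resources allow"))
    if not cfg["firewall_enabled"]:
        findings.append((3, "no firewall between the WAP and the internal network"))
    ssid = cfg["ssid"]
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append((4, "default wireless network name in use"))
    elif re.search(r"police|law\s*enforcement|sheriff", ssid, re.I):
        findings.append((4, "network name identifies the agency"))
    elif not (re.search(r"[a-z]", ssid, re.I) and re.search(r"\d", ssid)):
        findings.append((4, "network name should mix letters and numbers"))
    if not cfg["mac_filtering"]:
        findings.append((5, "MAC address filtering disabled"))
    if cfg["ssid_broadcast"]:
        findings.append((6, "network name broadcast enabled"))
    if cfg["dhcp_enabled"]:
        findings.append((7, "dynamic (DHCP) addressing enabled; assign static addresses"))
    subnet = ipaddress.ip_network(cfg["lan_subnet"], strict=False)
    if not any(subnet.subnet_of(net) for net in PRIVATE_NETS):
        findings.append((7, f"{subnet} is publicly routable; use a nonroutable range such as 10.0.0.0/24"))
    return findings

if __name__ == "__main__":
    for tip, msg in audit_wap(WEAK_CONFIG):
        print(f"Quick Tip {tip}: {msg}")
```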

Other Considerations
Where to purchase a WAP? It is certainly easiest to go to your local computer store and pick a WAP off the shelf, but then this method will sacrifice some security features that aren't sold with off-the-shelf devices through these stores. The best practice is to go directly to the manufacturer for advice on which device is best suited for you.

This article discussed a cross-section of issues that should be considered when deploying an unlicensed 802.11 WAP into the public safety environment. Most importantly, using unlicensed radio spectrum does not ensure the same reliability as a traditional private land mobile radio (PLMR) system, and it does not automatically give an expectation of privacy unless the additional protective measures discussed in this article are taken. ■

1 See (http://it.ojp.gov/topic.jsp?topic_id=58).
2 See (www.wi-fi.org/opensection/protected_access_devbackup.asp).
3 See (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf).
4 See (www.wi-fi.org/OpenSection/certified_products.asp?TID=2).
5 Bradley Mitchell from about.com has done a great job of summarizing some of the points used in this article.



From The Police Chief, vol. 72, no. 3, April 2005. Copyright held by the International Association of Chiefs of Police, 515 North Washington Street, Alexandria, VA 22314 USA.