The Limits of Wireless Security
By Jim Geier

Security becomes vitally important when your mobile applications traverse
wireless networks. This is primarily because the communications
signals are openly available as they propagate outside the
controlled area of homes or office buildings. Corresponding security
threats are the mischievous monitoring of data packets, unauthorized
access to network applications, and denial of service (DoS). When
you're developing wireless mobile applications, be certain to
consider the impacts and solutions for each of these security
issues.

An experienced hacker or even casual snooper can easily monitor
wireless data packets using tools such as AirMagnet and AiroPeek,
which fully disclose the contents of wireless data packets. For
example, many of us have been successful at monitoring all
transactions occurring over the wireless portion of the network
several hundred feet away from a building that has a wireless LAN.
Of course, the issue here is that just about anyone can read your
emails, identify user names and passwords, and so on. In fact,
"war drivers" even post their finds on web sites, just for
fun.

To combat those who might monitor your application's movement of
information, implement an effective form of encryption. Wired
Equivalent Privacy (WEP) is the standard encryption for 802.11
wireless LANs. The problem with WEP, however, is that it's broken.
WEP uses common, static encryption keys on the client and wireless
access point, which are fairly easy to break using freely available
AirSnort and WEPCrack software.

Wi-Fi Protected Access (WPA) is an upgrade to WEP that offers dynamic key
encryption and mutual authentication. WPA clients utilize different encryption keys that change
periodically. This makes it more difficult to crack the encryption.

Utilize WPA if your clients will remain within the confines of a single
company. A significant issue with WPA, though, is that it only
encrypts packets that travel over the wireless portion of the
network. As a result, the packets are sent in the clear as they pass
through the wired infrastructure. This poses a major security
problem when clients are interfacing with public networks.

Thus, strongly consider virtual private network (VPN) solutions,
especially those based on Secure Sockets Layer (SSL), when
developing mobile applications interfacing with public networks.
Even though VPNs are not foolproof, they provide an effective means
of end-to-end encryption. VPNs are also effective when clients roam
across different types of wireless networks because they operate
above the dissimilar network connection levels.

Similar to monitoring a wireless application, someone can effortlessly
access a corporate wireless network from outside the facility. An
ill-behaved person, for example, can sit in a car in a parking lot
and associate with one of the wireless access points located inside
a building. Of concern is the fact that many companies deploy their
wireless networks using the default, unsecured access point
configurations, making it possible for anyone to interface with
their application servers.

Implement mutual authentication mechanisms (such as 802.1X combined with EAP-TLS
or EAP-TTLS) to counter unauthorized access issues. Current versions
of browsers support these elements, and you can easily integrate
them within client software. Of course, you'll also need to include
an authentication server (such as RADIUS) on the network to perform
validations.

However, even with a good authentication system, a hacker sitting in a car
can successfully perform a "man-in-the-middle attack" by
exploiting the address resolution protocol (ARP). ARP is a mandatory
network protocol that a sending wireless or wired client uses to
discover the Medium Access Control (MAC) address of a destination
client.

With ARP, the sending client broadcasts an ARP request containing the IP
address in question. The station that has a MAC address
corresponding with the IP address broadcasts an ARP response that
indicates the MAC-and-IP address pairing. The sending client and
other clients on the network then store this information for a
period of time or until receiving an update.

This opens a severe security risk. The hacker can fool a client by
broadcasting a fictitious ARP response that includes a MAC address
of a rogue device mapping to the IP address of a legitimate network
device (such as a wireless access point or router). This causes all
legitimate clients and servers on the network to automatically
update their ARP tables with the false mapping, and to start sending
packets to the rogue device. The hacker can then manipulate user
sessions and obtain passwords, capture sensitive data, and even
interface with corporate servers as if the hacker were one of the
legitimate users.
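
One defensive check for the ARP remapping described above, as an added example that is not part of the original article: a passive monitor that parses ARP payloads and flags any reply binding a pinned infrastructure IP (access point or router) to a different MAC. The function and class names, the pinned table, and the sample packets are assumptions constructed for illustration.

```python
import struct

def parse_arp(payload: bytes):
    """Parse a 28-byte Ethernet/IPv4 ARP payload into (op, sender_mac, sender_ip)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa = struct.unpack("!6s4s", payload[8:18])
    return op, sha.hex(":"), ".".join(str(b) for b in spa)

class ArpMonitor:
    """Tracks IP-to-MAC pairings and flags the remapping the article describes."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)  # known-good pairings for infrastructure (AP, router)
        self.learned = {}           # pairings learned from traffic for other hosts

    def observe(self, payload: bytes):
        op, mac, ip = parse_arp(payload)
        if ip in self.pinned:
            # Infrastructure address: any other MAC is treated as spoofing, never learned.
            if mac != self.pinned[ip]:
                return ("ALERT", ip, self.pinned[ip], mac)
            return None
        previous = self.learned.get(ip)
        self.learned[ip] = mac
        if previous is not None and previous != mac:
            # Ordinary host changed MAC: could be a NIC swap, so warn rather than alert.
            return ("WARN", ip, previous, mac)
        return None

# Constructed sample ARP replies (op=2), hex-encoded; all addresses are test values.
HDR = "0001080006040002"
SAMPLES = [
    HDR + "020000000001" + "c0000201" + "020000000032" + "c0000232",  # router, genuine
    HDR + "020000000032" + "c0000232" + "020000000001" + "c0000201",  # client, first seen
    HDR + "020000000066" + "c0000201" + "020000000032" + "c0000232",  # router IP, rogue MAC
    HDR + "020000000033" + "c0000232" + "020000000001" + "c0000201",  # client IP, new MAC
]

def run_samples():
    monitor = ArpMonitor(pinned={"192.0.2.1": "02:00:00:00:00:01"})
    return [monitor.observe(bytes.fromhex(s)) for s in SAMPLES]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```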

To counter ARP-based attacks, you can implement secure tunnels
between each client and the wireless system, which ignores any ARP
responses not associated with the authorized clients. Therefore,
only legitimate ARP responses provide the basis for updating ARP
tables.

However, the use of secure tunnels requires the installation of special
wireless software on each client that must interface with a wireless
access point or router able to handle the tunnels. Unfortunately,
not many of the wireless network vendors support the applicable
access point or router side of the solution. In fact, OptimumPath is
the only vendor I know of that implements this secure form of ARP in
a wireless router. As a result, this solution is not practical when
your application must operate over public networks.

A DoS attack is an assault that can cripple or disable a wireless
network. Whether through strong interference or protocol
tricks, it's very easy to implement a devastating DoS attack. For
example, the continual transmission of specially fabricated
clear-to-send packets on a wireless LAN will disable all other
wireless clients from accessing the network.

In terms of mobile wireless application development, there's really no
way of countering all types of DoS attacks. If someone really wants
to bring down the application, they may eventually succeed. This is
why there's a great deal of merit in having a "Plan B."
Consider a backup plan of switching to batch processing or
paper-based methods if the application is subjected to a severe DoS
attack. You certainly don't want potential weaknesses in the
wireless network to bring down your company!