
The Limitations of Wireless Security

Cellular-based networks and wireless LANs experience similar challenges when faced with the problem of security. While security standards and certifying bodies are making great strides in educating those deploying networks on the security risks of deploying new technologies, issues still remain over how security is to be applied and audited.

Sound security policies and implementation guidelines need to be devised, maintained, and updated to meet the changing requirements of the organizations and the individuals using the systems.

The issue of fraud is, by far, one of the most far-reaching for the wireless service provider, corporation, and individual. Fraud occurs in many forms but is generally categorized as the unauthorized and/or illegal use of a resource. A resource could consist of a cellular telephone, wireless network, or even airtime.

To gain a better understanding of the scope of fraud's effect on our lives, as well as how we should secure our networks, it helps to review some glaring fraud statistics:

Identity theft: According to the Federal Bureau of Investigation, there are 350,000 to 500,000 instances of identity theft each year. (Source: Congressional Press Release, September 12, 2000)

International credit card fraud: The Association for Payment Clearing Services (APACS) recently found that counterfeit [credit card] fraud grew by 89 percent last year, and card-not-present fraud committed over the Internet, telephone, or fax grew by a staggering 117 percent. (Source: M2 PRESSWIRE, September 11, 2000)

Communications fraud: A National Fraud Center study, revised in November of 2000, estimated communications fraud at over 1 billion dollars. Subscriber fraud is estimated to reach $473 million by 2002. (Source: International Data Corporation)

Corporate fraud: The same National Fraud Center study estimated corporate fraud, including intellectual property and pirated software, totaling more than 622 billion dollars.

Some of the biggest issues currently plaguing wireless deployments arise from the tension between convenience and security. For example, most wireless devices are small and convenient. This also makes them easy to lose or steal. Database updates containing the lists of valid and invalid wireless device serial numbers can take between 48 and 72 hours to come into effect and be propagated to the rest of the network. This cannot easily be remedied.
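The exposure window created by that propagation delay, as an added example that is not part of the original text: a retrospective audit that sorts the airtime used by a device reported lost into the period before the report, the first 48 hours, the 48 to 72 hour propagation period, and afterwards. The serial numbers, record layout and category names are hypothetical, and treating 48 and 72 hours as lower and upper bounds measured from the time of the report is an assumption.

```python
from datetime import datetime, timedelta

# Propagation delay for serial-number list updates, as given in the text.
# Assumption: both bounds are measured from the time the loss is reported.
MIN_LAG = timedelta(hours=48)
MAX_LAG = timedelta(hours=72)

def classify_usage(event_time, reported_at):
    """Place one usage event relative to the loss report for its device."""
    if event_time < reported_at:
        return "before_report"      # owner may still have had the device
    if event_time < reported_at + MIN_LAG:
        return "exposed"            # update not yet in effect anywhere
    if event_time < reported_at + MAX_LAG:
        return "propagating"        # update in effect on part of the network
    return "post_propagation"       # should have been refused: investigate

def audit(usage_records, loss_reports):
    """Sum airtime minutes per reported serial number and category."""
    findings = {}
    for serial, start, minutes in usage_records:
        reported_at = loss_reports.get(serial)
        if reported_at is None:
            continue                # device never reported lost or stolen
        category = classify_usage(start, reported_at)
        per_device = findings.setdefault(serial, {})
        per_device[category] = per_device.get(category, 0) + minutes
    return findings

# Constructed sample data (hypothetical serials, times and durations).
LOSS_REPORTS = {"SN-1001": datetime(2001, 3, 5, 9, 0)}
USAGE = [
    ("SN-1001", datetime(2001, 3, 4, 18, 0), 12),   # day before the report
    ("SN-1001", datetime(2001, 3, 5, 22, 30), 45),  # 13.5 h after the report
    ("SN-1001", datetime(2001, 3, 6, 23, 0), 30),   # 38 h after
    ("SN-1001", datetime(2001, 3, 7, 20, 0), 8),    # 59 h after
    ("SN-1001", datetime(2001, 3, 9, 10, 0), 5),    # 97 h after
    ("SN-2002", datetime(2001, 3, 6, 12, 0), 20),   # never reported
]

if __name__ == "__main__":
    for serial, categories in audit(USAGE, LOSS_REPORTS).items():
        for category, minutes in sorted(categories.items()):
            print(f"{serial} {category}: {minutes} min")
```

Airtime in the "exposed" and "propagating" categories is the cost of the delay itself; anything in "post_propagation" means the invalid-device list was not enforced where the device was used.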

Other issues include insider attacks, where someone working for the service provider or company deploying the wireless network can obtain secret information on the use of keys and other sensitive information. This can lead to the cloning of wireless devices without the knowledge of genuine users or service providers.

Wireless networks are also susceptible to man-in-the-middle attacks, where malicious users can logically situate themselves between a source and a target and effectively appear to be a “real” base station while in fact relaying information both ways. With this type of attack, the malicious user is not required to be physically located directly adjacent to the users, or within the “secured” area of the building or facility. Provided the attacker is within radio range, the attack can succeed.

Lastly, with wireless technology deployments being so new to most users and even network administrators, the use of “trust” relationships and other social engineering attacks can lead malicious users to obtain secret keys, passwords, and other sensitive information to gain access to or even destroy information.

Unfortunately, the threat is not limited to these forms of attacks. With the advent of more powerful and feature-rich devices on the horizon, a new breed of wireless security vulnerabilities will soon plague wireless deployments. The availability of more intelligent devices introduces new options for attacking:

Advanced wireless devices will possess greater intelligence and greater processing capabilities, and will ultimately become susceptible to malicious code the way PCs have become vulnerable to attack by viruses, Trojans, and worms over the last 15 years. These, in turn, can be used as the launching pad for creating complex and timed client-to-client and distributed client-to-network attacks. Increased processing power can also lead to real-time brute force attacks.

A host of cheap enhanced radio transceivers will spawn more sophisticated tools for the attackers. These will include interception attacks, insertion attacks, wireless channel flood attacks, denial of service attacks, and signal jamming attacks.

One source of attacks that should not be understated results from the relative complexity involved in the deployment and lockdown of wireless resources. To many, wireless technologies will provide new alternatives for networking that were unavailable before. Many will rush to implement these solutions without spending time to understand all of the possible threats and security precautions that should be taken to mitigate them. As a result, misconfigurations will likely result in the downfall of security within many wireless environments.

When addressing the main issues in security, organizations and individuals resort to identification and authentication. Identification is the process whereby a network recognizes a user’s identity. Identification usually comes in the form of a user ID or Personal Identification Number (PIN).

Authentication is the process whereby the network verifies the claimed identity of a user for authorized use. Credentials, databases, and validation systems are employed to provide users with their list of usage privileges.

As with all identification and authentication mechanisms, wireless networks need to balance complexity, user friendliness, effectiveness, reliability, and timeliness with performance requirements and costs.