
Chapter 2: Data Security

2.6 Wireless Security

“Proper online security habits must become second nature to protect our privacy and the broader interests of society. These include all of the obvious things that we should do, but often don’t: changing passwords; disconnecting from the Internet when it is not in use; running anti-virus software daily; changing the default password whenever a new device is purchased; and using appropriate security and encryption services. Nowhere is the development of this new security culture more important than in the wireless theatre of operations.” J. M. McConnell, Vice Admiral, USN (Retired)

Former Director of the National Security Agency (NSA), 1992-1996 [15].

The employment of the air as a medium for data transfer has many advantages but at the same time introduces restrictions unknown to the wired world. One of the main advantages of wireless communication is the plethora of different types available. This gives the ability to cover a wide range of communication needs, from the simplest (a telephone conversation) to the most complex (a video conference based on a handheld device).

Wireless communications have made a tremendous impact on both businesses and personal life. They may thus be considered successful and offer considerable benefits. It is of greater importance, next, to analyse the drawbacks of current technology in an attempt to offer further improvement by identifying potential vulnerabilities. Disadvantages such as health concerns, bit error rate and fading are of great interest but fall outside the focus of this research work and thus will not be described here. Interested readers are referred to [19, 20].

37 Data Security for Third Generation Telecommunication Systems

The limited bandwidth, memory and processing capabilities of wireless devices such as mobile phones, pagers and personal digital assistants (PDAs) will here be seen through the security dimension and treated as the reasons making them ‘weaker’ than their wired counterparts. Wireless security, by its nature, violates fundamental security principles such as authentication and nonrepudiation, by not ensuring the identity of the user and the device, nor preventing the sender of the message from denial of service attacks. Although wireless has fewer physical assets to protect, the very nature of the airwaves makes it easier to hack.

Travelling through the air gives many users ready access to the transmission medium. Given the right equipment, the wireless signal could be intercepted and/or modified.

It is safe to state that security is the largest challenge facing wireless computing. The ease of deployment of Wireless Local Area Networks (WLANs) contributes to their continuing growth in popularity. Organisations are rapidly deploying wireless infrastructures based on the IEEE 802.11 standard [21]. It is the most mature wireless protocol and supports numerous WLAN technologies in the unlicensed bands of 2.4 and 5 GHz. It utilises the same Medium Access Control (MAC) for two physical layer (PHY) specifications, namely Direct-Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS).

The 802.11 standard uses the Wired Equivalent Privacy (WEP) protocol, which is responsible for enhancing authentication (preventing unauthorised access) and privacy (preventing data tampering and compromise). WEP aims to ensure that WLAN systems have a level of privacy and authentication that is equivalent to that of a wired connection. It secures the confidentiality and integrity of data on 802.11 WLAN systems and provides access control through authentication.

Unfortunately, WEP contains significant flaws in its design [22, 23]. In particular, the ones described in [22] compromise the protocol’s ability to protect the network.

Some other vulnerabilities in the two access control mechanisms that exist in access points built using Orinoco/Lucent 802.11 Wavelan PCMCIA cards, and a simple eavesdropping attack against the 802.11 specified shared authentication mechanism are described in [24]. The above technical and implementation weaknesses, which can be exploited by hackers, resulted in the recently issued draft specification [25] intended to enhance the security of these networks.

The supplementary draft addressed many concerns related to compromise and alteration of data and unauthorised access of the current design. Nevertheless, these will be ineffective in preventing denial of service attacks against 802.11 wireless systems. As stated in the same document, KERBEROS (a trusted third-party authentication protocol, initially designed for TCP/IP networks) is invoked as an upper layer protection measure. However, KERBEROS does not prevent denial-of-service attacks [26].

The discussion of the WEP protocol, emphasising mostly its vulnerabilities, can be summarised in the following statement from the Wireless Ethernet Compatibility Alliance (WECA):

“It is important to emphasise that WEP was never intended to be a complete end-to-end security solution. It protects the wireless link between the client machine and access points. Whenever the value of the data justifies such concerns, both wired and wireless... should be supplemented with additional higher level security mechanisms such as access control, end-to-end encryption, password protection, authentication, virtual private networks, or firewalls.” [27]

It has to be clear, at this point of the thesis, that the digital communication community faces many difficulties and threats in wired communication, which actually become even tougher when the communication medium is the air (wireless).

Methods of encryption should stay relatively low-level to accommodate the power and speed constraints imposed by wireless devices. As chip technology advances (longer battery life and higher performance), it is evident that the level of security will also increase.


An appropriate epilogue for this section is the presentation of the specification that a secure mobile device should have, namely:

- Relatively low computing power (compared to desktop PCs).
- Limits to the type of cryptographic algorithms a device can support.
- Limited storage capabilities.
- Power conservation imposed by functionality limitations.
- Fundamental restrictions on bandwidth, error rate, latency, and variability.
- Small footprint and compact I/O.
- Limited display capabilities; GUI becomes more challenging with different display form factors.
- Usability and user experience issues.
- Throughput sensitivities to protocol overhead and compression.

Most existing security technologies, protocols and standards have been designed for the wired/high bandwidth environment. In many cases they are not well suited for the wireless mobile environment because they have too much overhead and exhibit tight timeouts [15].
