Section C -- Wireless Networks

C-01. What kinds of wireless data networks are there?

Wireless data networks exist in such number and variety as to be difficult to categorize and compare.

Some wireless data networks run over wireless voice networks, such as mobile telephone networks. CPDP, HSCSD, PDC-P, and GPRS are examples. Other wireless networks run on their own physical layer networks, utilizing anything from antennas built into handlheld devices to large antennas mounted on towers. 802.11, LMDS, and MMDS are examples. A few wireless networks are intended only to connect small devices over short distances. Bluetooth is an example.

Wireless network which run over other wireless networks often utilize the lower layer networks to provide security and encryption. Stand-alone wireless networks either provide their own security and encryption features or rely upon VPN's (Virtual Private Networks) to provide those features. In many cases, multiple layers of security and encryption may be desirable.

Some wireless networks are fixed, meaning that antennas do not move frequently. Other wireless networks are mobile, meaning that the antenna can move constantly. This is often a feature of the specific implementation and antenna design, instead of an inherent limitation of the wireless network specification.

Wireless networks may operate on licensed or unlicensed portions of the frequency spectrum.

C-02. What is CDPD (Cellular Digital Packet Data)?

CDPD (Cellular Digital Packet Data) is a specification for supporting wireless access to the Internet and other public packet-switched networks over callular telephone networks. CDPD supports TCP/IP and Connectionless Network Protocol (CLNP). CDPD utilizes RSA'a RC4 algorithm with for 40 bit keys for encryption.

C-03. What is HSCSD (High Speed Circuit Switched Data)?

HSCSD (High Speed Circuit Switched Data) is a specification for data transfer over GSM networks. HSCSD utilizes up to four 9.6Kb or 14.4Kb time slots, for a total bandwidth of 38.4Kb or 57.6Kb.14.4Kb time slots are only available on GSM networks that operate at 1,800Mhz. 900Mhz GSM networks are limited to 9.6Kb time slots.

EDGE (Enhanced Data-Rates for GSM Evolution) enabled GSM networks are able to implement ECSD (Enhanced Circuit Switched Data), an enhanced version of HSCSD. ECSD increases the bandwith of each timeslot to 38.4Kb.

C-04. What is PDC-P (Packet Data Cellular)?

PDC-P (Packet Data Cellular) is a packet switching message system utilized by NTT DoCoMo in Japan. PDC-P utilizes up to three 9.6Kb TDMA channels, for a total maximum bandwidth of 28.8Kb.

C-05. What is GPRS (General Packet Radio Service)?

GPRS (General Packet Radio Service) is a specification for data transfer on TDMA and GSM networks. GPRS utilizes up to eight 9.05Kb or 13.4Kb TDMA timeslots, for a total bandwidth of 72.4Kb or 107.2Kb. GPRS supports both TCP/IP and X.25 communications.

EDGE (Enhanced Data-Rates for GSM Evolution) enabled GSM networks are able to implement EGPRS (Enhanced General packet Radio Service), an enhanced version of GPRS. EGPRS increases the bandwith of each timeslot to 60Kb.

For more information on GPRS security, read GSM and GPRS Security by Chengyuan Pen.

C-06. What is Bluetooth?

Bluetooth is a specification for short distance wireless communication between two devices. Bluetooth is not really a wireless network, in that it does not connect to any external network.

C-07. What is IrDA?

IrDA defines a standard for an interoperable universal two way cordless infrared light transmission data port.

IrDA is utilized for high speed short range, line of sight, point-to-point cordless data transfer - suitable for HPCs, digital cameras, handheld data collection devices, etc...

C-08. What is LMDS (Local Multipoint Distribution Service)?

LMDS (Local Multipoint Distribution Service) is a broadband wireless point-to-multipoint specification utilizing microwave communications. LMDS operates on FCC licensed frequencies. The FCC divided the United States into 493 BTA's (Basic Trading Areas), and auctioned the rights to transmit on the LMDS bands in each of those areas to LMDS service providers. Each BTA is licensed to two LMDS service providers. The LMDS bandplan is available from the FCC at http://wireless.fcc.gov/auctions/data/bandplans/lmds.pdf.

C-09. What is MMDS (Multichannel Multipoint Distribution Service)?

MMDS (Multichannel Multipoint Distribution Service) is a broadband wireless point-to-multipoint specification utilizing UHF (Ultra High Frequency) communications. MMDS operates on FCC licensed frequencies. The FCC divided the United States into BTA's (Basic Trading Areas), and auctioned the rights to transmit on the MMDS bands in each of those areas to MMDS service providers. The MMDS bandplan is available from the FCC at http://wireless.fcc.gov/auctions/data/bandplans/mdsband.pdf.

C-10. What is 802.11?

802.11 is a suite of specifications for wireless Ethernet. 802.11 is interesting to hackers because it allows almost untraceable entry into networks.

The 802.11 standards are defined by the IEEE (Institute of Electrical and Electronic Engineers) at http://grouper.ieee.org/groups/802/11/.

C-11. What is a SSID?

The SSID (Service Set IDentifier) is a token which identifies an 802.11 network. The SSID is a secret key which is set by the network administrator. You must know the SSID to join an 802.11 network, however, the SSID can be discovered by network sniffing.

The fact that the SSID is a secret key instead of a public key creates a management problem for the network administrator. Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.

Most 802.11 access point vendors allow the use of an SSID of "any" to enable an 802.11 NIC to connect to any 802.11 network. This is known to work with gear from Buffalo Technologies, Cisco, D-Link, Enterasys, Intermec, Lucent, and Proxim.

C-12. What is WEP?

WEP (Wired Equivalent Privacy) is the encryption algorithm built into the 802.11 standard. WEP used the RC4 cipher encryption algorithm with 40 or 104 bit keys with 24 bit salts.

WEP limitations include:

1. A high percentage of wireless networks have WEP disabled because of the administrative overhead of maintaining a shared WEP key.
2. WEP has the same problem as all systems based upon shared keysany secret held by more than one person soon becomes public knowledge. Take for example an employee who leaves a company - they still know the shared WEP key. The ex-employee could sit outside the company with an 802.11 NIC and sniff network traffic or even attack the internal network.
3. The initialization vector that seeds the WEP algorithm is sent in the clear.
4. The WEP checksum is linear and predictable.

For more information, read Security of the WEP Algorithm by Nikita Borisov, Ian Goldberg, and David Wagner at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

C-13. What is MAC Address Filtering?

C-14. What is a rogue access point?

802.11 utilizes SSIDs to authenticate NICs to Access Points. There is no similar protocol for authenticating Access Points. It is possible to place a rogue Access Point into an 802.11 network. This rogue Access Point can then be used to hijack the connections of legitimate network users.

C-15. Where can I get some really cool 802.11 antennae?

Antenna Systems and Supplies Inc.
http://www.antennasystems.com/broadband.html#anchor932487

Andrew
http://www.andrew.com

ComTelCo
http://www.comtelco.net/

HyperLink Technologies, Inc.
http://www.hyperlinktech.com/web/antennas_2400.html

Use a Surplus Primestar Dish as an IEEE 802.11 Wireless Networking Antenna
http://www.wwc.edu/~frohro/Airport/Primestar/Primestar.html

2.4Ghz PtMP Antenna FAQ
http://www.telexwireless.com/wlanfaq.htm

LM Electronics
http://www.lm-electronics.com/

Antenna Sources for Wireless LAN/MAN Applications
http://www.airnet.am/wlan_ant.html

C-16. What are some interesting 802.11 tools?

AirSnort, by Jeremy Bruestle and Blake Hegerle, is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

The AirSnort home page is at http://airsnort.shmoo.com

Kismet, by Mike Kershaw, is an 802.11b network sniffer and network dissector. It is capable of sniffing using most wireless cards, automatic network IP block detection via UDP, ARP, and DHCP packets, Cisco equipment lists via Cisco Discovery Protocol, weak cryptographic packet logging, and Ethereal and tcpdump compatible packet dump files. It also includes the ability to plot detected networks and estimated network ranges on downloaded maps or user supplied image files

The Kismet home page is at http://www.kismetwireless.net

Wellenreiter, by Max Moser, is a GTK/Perl program that makes the discovery and auditing of 802.11b wireless networks much easier. All three major wireless cards (Prism2, Lucent, and Cisco) are supported. It has an embedded statistics engine for the common parameters provided by wireless drivers. Its scanner window can be used to discover access-points, networks, and ad-hoc cards. It detects essid broadcasting or non-broadcasting networks in every channel. The manufacturer and WEP is automaticly detected. A flexible sound event configuration lets you work in unattended environments. An ethereal / tcpdump-compatible dumpfile can be created for the whole session. GPS is used to track the location of the discovered networks immediately. Automatic associating is possible with randomly generated MAC addreses. Wellenreiter can reside on low-resolution devices that can run GTK/Perl and Linux/BSD (such as iPaqs). Uniq Essod-bruteforcer is now included too.

The Wellenreiter home page is at http://www.remote-exploit.org/

bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a bsd-based wep cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based ap detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned ap's and view statistics for each. It also includes a couple other tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.

The BSD-AirTools home page is at http://www.dachb0den.com/projects/bsd-airtools.html

NetStumbler, by Marius Milner, is a Windows utility for 802.11b based wireless network auditing.

The NetStumbler home page is at http://www.netstumbler.com/

C-17. What is SMS (Short Message Service)?

SMS (Short Message Service) is a protocol for sending and receiving text messaging over digital cellular networks, including TDMA, CDMA, and GSM networks. SMS messages are limited to 160 characters.

SMS is vulnerable to DoS (Denial of Service) and identity spoofing attacks.

C-18. What is WAP (Wireless Application Protocol)?

WAP (Wireless Application Protocol) is an open specification for displaying content on wireless devices. WAP supports XHTML for message format. WAP supports WTSL (Wireless Transport Layer Security) and PKI (Public Key Infrastructure) for security.

WAP clients exist for platforms as varied as PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS. WAP rides over data networks as varied as CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX, iDEN, TETRA, DECT, DataTAC, Mobitex and GRPS.

Some WAP devices support 128 bit WTLS keys, while other WAP devices do not. Security is therefore difficult for the average user to gauge.

For information regarding the security of the WTLS protocol, check Attacks Against the WAP WTLS Protocol by Markku-Juhani Saarinen.