
Section C -- Wireless Networks


C-01. What kinds of wireless data networks are there?

Wireless data networks exist in such number and variety that they are difficult to categorize and compare.

Some wireless data networks run over wireless voice networks, such as mobile telephone networks. CDPD, HSCSD, PDC-P, and GPRS are examples. Other wireless networks run on their own physical layer networks, utilizing anything from antennas built into handheld devices to large antennas mounted on towers. 802.11, LMDS, and MMDS are examples. A few wireless networks are intended only to connect small devices over short distances. Bluetooth is an example.

Wireless networks which run over other wireless networks often rely on the lower layer networks to provide security and encryption. Stand-alone wireless networks either provide their own security and encryption features or rely upon VPNs (Virtual Private Networks) to provide those features. In many cases, multiple layers of security and encryption may be desirable.

Some wireless networks are fixed, meaning that antennas do not move frequently. Other wireless networks are mobile, meaning that the antenna can move constantly. This is often a feature of the specific implementation and antenna design, instead of an inherent limitation of the wireless network specification.

Wireless networks may operate on licensed or unlicensed portions of the frequency spectrum.

CDPD        Cellular Digital Packet Data
HSCSD       High Speed Circuit Switched Data
PDC-P       Packet Data Cellular
GPRS        General Packet Radio Service
Bluetooth
IrDA
LMDS        Local Multipoint Distribution Service
MMDS        Multichannel Multipoint Distribution Service
802.11

C-02. What is CDPD (Cellular Digital Packet Data)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Packet (A circuit switched variant, CS-CDPD, does exist.)
Max Bandwidth:   19.2Kb
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    Cellular
Definer:         CTIA (Cellular Telecommunications and Internet Association)
URL:             http://www.wow-com.com/

CDPD (Cellular Digital Packet Data) is a specification for supporting wireless access to the Internet and other public packet-switched networks over cellular telephone networks. CDPD supports TCP/IP and Connectionless Network Protocol (CLNP). CDPD utilizes RSA's RC4 algorithm with 40-bit keys for encryption.

CDPD is defined in the IS-732 standard.


C-03. What is HSCSD (High Speed Circuit Switched Data)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Circuit
Max Bandwidth:   57.6Kb
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    GSM
Definer:         ETSI (European Telecommunications Standards Institute)
URL:             http://www.etsi.org/

HSCSD (High Speed Circuit Switched Data) is a specification for data transfer over GSM networks. HSCSD utilizes up to four 9.6Kb or 14.4Kb time slots, for a total bandwidth of 38.4Kb or 57.6Kb. 14.4Kb time slots are only available on GSM networks that operate at 1,800MHz; 900MHz GSM networks are limited to 9.6Kb time slots.

EDGE (Enhanced Data-Rates for GSM Evolution) enabled GSM networks are able to implement ECSD (Enhanced Circuit Switched Data), an enhanced version of HSCSD. ECSD increases the bandwidth of each timeslot to 38.4Kb.


C-04. What is PDC-P (Packet Data Cellular)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Packet
Max Bandwidth:   28.8Kb
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    NTT DoCoMo i-mode
Definer:         NTT DoCoMo
URL:             http://www.nttdocomo.com/

PDC-P (Packet Data Cellular) is a packet switching message system utilized by NTT DoCoMo in Japan. PDC-P utilizes up to three 9.6Kb TDMA channels, for a total maximum bandwidth of 28.8Kb.


C-05. What is GPRS (General Packet Radio Service)?

Fixed/Mobile:    Mobile
Circuit/Packet:  Packet
Max Bandwidth:   107.2Kb
Range:           Coverage area of host network
Frequency:       Frequency of host network
Host Network:    TDMA, GSM
Definer:         ETSI (European Telecommunications Standards Institute)
URL:             http://www.etsi.org/

GPRS (General Packet Radio Service) is a specification for data transfer on TDMA and GSM networks. GPRS utilizes up to eight 9.05Kb or 13.4Kb TDMA timeslots, for a total bandwidth of 72.4Kb or 107.2Kb. GPRS supports both TCP/IP and X.25 communications.

EDGE (Enhanced Data-Rates for GSM Evolution) enabled GSM networks are able to implement EGPRS (Enhanced General Packet Radio Service), an enhanced version of GPRS. EGPRS increases the bandwidth of each timeslot to 60Kb.

For more information on GPRS security, read GSM and GPRS Security by Chengyuan Pen.


C-06. What is Bluetooth?

Fixed/Mobile:    Mobile
Circuit/Packet:  Both
Max Bandwidth:   1Mb
Range:           10 meters
Frequency:       2.400GHz-2.4835GHz (U.S. and Europe) or 2.472GHz-2.497GHz (Japan)
Host Network:    None
Definer:         Bluetooth SIG
URL:             http://www.bluetooth.org/

Bluetooth is a specification for short distance wireless communication between two devices.

Bluetooth defines three power classes, although class 3 devices are not in general availability.

Type             Power Level   Operating Range
Class 3 Devices  100mW         Up to 100 meters
Class 2 Devices  10mW          Up to 10 meters
Class 1 Devices  1mW           0.1-10 meters

Bluetooth security is based upon device authentication, not user authentication. Each device is either trusted or untrusted. Bluetooth devices are identified by unique 48-bit identifiers, much like Ethernet MAC addresses.

Bluetooth features three security modes.

Mode  Name                    Description
1     Non-secure              No security is implemented
2     Service-level security  Access is granted to individual services
3     Link-level security     Security is enforced at a common level for all applications at the beginning of the connection

Bluetooth features three possible security levels.

Level  Description
3      No authentication or authorization is required
2      Authentication is required; authorization is not required
1      Authorization and authentication are required

Bluetooth weaknesses include:

For more information on Bluetooth security, refer to the Bluetooth Security Overview by Haihui Huang, Bluetooth Protocol and Security Architecture Review by Korak Dasgupta, or Overview of Ad Hoc and Bluetooth Networks.


C-07. What is IrDA?

Fixed/Mobile:    Mobile
Circuit/Packet:  Point to Point
Max Bandwidth:   16Mb
Range:           1 meter
Frequency:       Infrared
Host Network:    None
Definer:         The Infrared Data Association
URL:             http://www.irda.org/

IrDA defines a standard for an interoperable, universal, two-way cordless infrared light transmission data port.

IrDA is utilized for high speed, short range, line-of-sight, point-to-point cordless data transfer, suitable for HPCs, digital cameras, handheld data collection devices, etc.

The IrDA standards do not specify any security measures.


C-08. What is LMDS (Local Multipoint Distribution Service)?

Fixed/Mobile:    Fixed
Circuit/Packet:  n/a
Max Bandwidth:   1.5Gb downstream, 200Mb upstream
Range:           4 miles
Frequency:       27.5GHz-28.35GHz, 29.1GHz-29.25GHz, 31.075GHz-31.225GHz, 31.0GHz-31.075GHz, 31.225GHz-31.3GHz
Host Network:    None
Definer:         IEEE (Institute of Electrical and Electronic Engineers)
URL:             http://grouper.ieee.org/groups/802/16/

LMDS (Local Multipoint Distribution Service) is a broadband wireless point-to-multipoint specification utilizing microwave communications. LMDS operates on FCC licensed frequencies. The FCC divided the United States into 493 BTAs (Basic Trading Areas), and auctioned the rights to transmit on the LMDS bands in each of those areas to LMDS service providers. Each BTA is licensed to two LMDS service providers. The LMDS bandplan is available from the FCC at http://wireless.fcc.gov/auctions/data/bandplans/lmds.pdf.

LMDS and MMDS have adapted the DOCSIS (Data Over Cable Service Interface Specification) from the cable modem world. The version of DOCSIS modified for wireless broadband is known as DOCSIS+.

Data-transport security is accomplished by encrypting traffic flows, using Triple DES, between the broadband wireless modem and the WMTS (Wireless Modem Termination System) located in the base station of the provider's network.

DOCSIS+ reduces theft-of-service vulnerabilities by requiring that the WMTS enforce encryption, and by employing an authenticated client/server key-management protocol in which the WMTS controls distribution of keying material to broadband wireless modems.

LMDS and MMDS wireless modems utilize the DOCSIS+ key-management protocol to obtain authorization and traffic encryption material from a WMTS, and to support periodic reauthorization and key refresh. The key-management protocol uses X.509 digital certificates, RSA public key encryption, and Triple DES encryption to secure key exchanges between the wireless modem and the WMTS.


C-09. What is MMDS (Multichannel Multipoint Distribution Service)?

Fixed/Mobile:    Fixed
Circuit/Packet:  n/a
Max Bandwidth:   10Mb
Range:           70 miles
Frequency:       2.5GHz-2.686GHz
Host Network:    None
Definer:         IEEE (Institute of Electrical and Electronic Engineers)
URL:             http://grouper.ieee.org/groups/802/16/

MMDS (Multichannel Multipoint Distribution Service) is a broadband wireless point-to-multipoint specification utilizing UHF (Ultra High Frequency) communications. MMDS operates on FCC licensed frequencies. The FCC divided the United States into BTAs (Basic Trading Areas), and auctioned the rights to transmit on the MMDS bands in each of those areas to MMDS service providers. The MMDS bandplan is available from the FCC at http://wireless.fcc.gov/auctions/data/bandplans/mdsband.pdf.

LMDS and MMDS have adapted the DOCSIS (Data Over Cable Service Interface Specification) from the cable modem world. The version of DOCSIS modified for wireless broadband is known as DOCSIS+.

Data-transport security is accomplished by encrypting traffic flows, using Triple DES, between the broadband wireless modem and the WMTS (Wireless Modem Termination System) located in the base station of the provider's network.

DOCSIS+ reduces theft-of-service vulnerabilities by requiring that the WMTS enforce encryption, and by employing an authenticated client/server key-management protocol in which the WMTS controls distribution of keying material to broadband wireless modems.

LMDS and MMDS wireless modems utilize the DOCSIS+ key-management protocol to obtain authorization and traffic encryption material from a WMTS, and to support periodic reauthorization and key refresh. The key-management protocol uses X.509 digital certificates, RSA public key encryption, and Triple DES encryption to secure key exchanges between the wireless modem and the WMTS.


C-10. What is 802.11?

802.11 is a suite of specifications for wireless Ethernet. 802.11 is interesting to hackers because it allows almost untraceable entry into networks.

The 802.11 standards are defined by the IEEE (Institute of Electrical and Electronic Engineers) at http://grouper.ieee.org/groups/802/11/.

Standard   Speed   Frequency   Modulation
802.11     2Mb     2.4GHz      Phase-Shift Keying
802.11a    54Mb    5GHz        Orthogonal Frequency Division Multiplexing
802.11b    11Mb    2.4GHz      Complementary Code Keying
802.11g    54Mb    2.4GHz      Orthogonal Frequency Division Multiplexing

The most common 802.11 specification, 802.11b, defines twelve channels. These channels utilize overlapping frequencies. Channels one, six, and eleven do not overlap.

Channel   US Frequency (MHz)   European Frequency (MHz)   Japanese Frequency (MHz)
1         2412                 -                          -
2         2417                 -                          -
3         2422                 2422                       -
4         2427                 2427                       -
5         2432                 2432                       -
6         2437                 2437                       -
7         2442                 2442                       -
8         2447                 2447                       -
9         2452                 2452                       -
10        2457                 2457                       -
11        2462                 2462                       -
12        -                    -                          2484


C-11. What is a SSID?

The SSID (Service Set IDentifier) is a token which identifies an 802.11 network. The SSID is a secret key which is set by the network administrator. You must know the SSID to join an 802.11 network; however, the SSID can be discovered by network sniffing.

The fact that the SSID is a secret key instead of a public key creates a management problem for the network administrator. Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.

Most 802.11 access point vendors allow the use of an SSID of "any" to enable an 802.11 NIC to connect to any 802.11 network. This is known to work with gear from Buffalo Technologies, Cisco, D-Link, Enterasys, Intermec, Lucent, and Proxim.

The SSID is also referred to as the ESSID (Extended Service Set IDentifier).


C-12. What is WEP (Wired Equivalent Privacy)?

WEP (Wired Equivalent Privacy) is the encryption scheme built into the 802.11 standard. WEP uses the RC4 stream cipher with 40- or 104-bit keys and a 24-bit initialization vector.

WEP limitations include:

  1. A high percentage of wireless networks have WEP disabled because of the administrative overhead of maintaining a shared WEP key.
  2. WEP has the same problem as all systems based upon shared keys: any secret held by more than one person soon becomes public knowledge. Take, for example, an employee who leaves a company: they still know the shared WEP key. The ex-employee could sit outside the company with an 802.11 NIC and sniff network traffic or even attack the internal network.
  3. The initialization vector that seeds the WEP algorithm is sent in the clear.
  4. The WEP checksum is linear and predictable.

For more information, read Security of the WEP Algorithm by Nikita Borisov, Ian Goldberg, and David Wagner at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.


C-13. What is MAC Address Filtering?

Most 802.11 access points allow the network administrator to enter a list of MAC (Media Access Control) addresses that are allowed to communicate on the network. On the other hand, most 802.11 NICs allow you to configure the MAC address of the NIC in software. Therefore, if you can sniff the MAC address of an existing network node, it is possible to join the network using that node's MAC address.


C-14. What is a rogue access point?

802.11 utilizes SSIDs to authenticate NICs to Access Points. There is no similar mechanism for authenticating Access Points to NICs. It is therefore possible to place a rogue Access Point into an 802.11 network. This rogue Access Point can then be used to hijack the connections of legitimate network users.


C-15. Where can I get some really cool 802.11 antennae?

Antenna Systems and Supplies Inc.
http://www.antennasystems.com/broadband.html#anchor932487

Andrew
http://www.andrew.com

ComTelCo
http://www.comtelco.net/

HyperLink Technologies, Inc.
http://www.hyperlinktech.com/web/antennas_2400.html

Use a Surplus Primestar Dish as an IEEE 802.11 Wireless Networking Antenna
http://www.wwc.edu/~frohro/Airport/Primestar/Primestar.html

2.4Ghz PtMP Antenna FAQ
http://www.telexwireless.com/wlanfaq.htm

LM Electronics
http://www.lm-electronics.com/

Antenna Sources for Wireless LAN/MAN Applications
http://www.airnet.am/wlan_ant.html


C-16. What are some interesting 802.11 tools?

AirSnort

AirSnort, by Jeremy Bruestle and Blake Hegerle, is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

The AirSnort home page is at http://airsnort.shmoo.com

Kismet

Kismet, by Mike Kershaw, is an 802.11b network sniffer and network dissector. It is capable of sniffing using most wireless cards, automatic network IP block detection via UDP, ARP, and DHCP packets, Cisco equipment lists via Cisco Discovery Protocol, weak cryptographic packet logging, and Ethereal and tcpdump compatible packet dump files. It also includes the ability to plot detected networks and estimated network ranges on downloaded maps or user supplied image files.

The Kismet home page is at http://www.kismetwireless.net

Wellenreiter

Wellenreiter, by Max Moser, is a GTK/Perl program that makes the discovery and auditing of 802.11b wireless networks much easier. All three major wireless cards (Prism2, Lucent, and Cisco) are supported. It has an embedded statistics engine for the common parameters provided by wireless drivers. Its scanner window can be used to discover access points, networks, and ad-hoc cards. It detects ESSID broadcasting or non-broadcasting networks in every channel. The manufacturer and WEP status are automatically detected. A flexible sound event configuration lets you work in unattended environments. An Ethereal / tcpdump-compatible dumpfile can be created for the whole session. GPS is used to track the location of the discovered networks immediately. Automatic associating is possible with randomly generated MAC addresses. Wellenreiter can reside on low-resolution devices that can run GTK/Perl and Linux/BSD (such as iPaqs). A unique ESSID brute-forcer is now included too.

The Wellenreiter home page is at http://www.remote-exploit.org/

BSD AirTools

bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a BSD-based WEP cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses-based AP detection application similar to NetStumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal-to-noise graphs, and interactively scroll through scanned APs and view statistics for each. It also includes a couple of other tools to provide a complete toolset for making use of all 14 of the Prism2 debug modes as well as doing basic analysis of the hardware-based link-layer protocols provided by Prism2's monitor debug mode.

The BSD-AirTools home page is at http://www.dachb0den.com/projects/bsd-airtools.html

NetStumbler

NetStumbler, by Marius Milner, is a Windows utility for 802.11b based wireless network auditing.

The NetStumbler home page is at http://www.netstumbler.com/


C-17. What are EAP, LEAP, PEAP and EAP-TLS and EAP-TTLS?

EAP, LEAP, PEAP, EAP-TLS, and EAP-TTLS are protocols for securely transporting authentication data over 802.11.

EAP (Extensible Authentication Protocol), defined in RFC 2284, is the original 802.11 standard.

LEAP (Lightweight Extensible Authentication Protocol) was developed by Cisco. Cisco is phasing out LEAP in favor of PEAP.

EAP-TLS (EAP Transport Layer Security) was created by Microsoft and accepted as RFC 2716: PPP EAP TLS Authentication Protocol.

PEAP (Protected Extensible Authentication Protocol) was developed by Microsoft, Cisco and RSA Security.

EAP-TTLS (EAP Tunneled Transport Layer Security) was developed by Funk Software and Certicom, and is supported by Agere Systems, Proxim, and Avaya.

PEAP and EAP-TTLS make it possible to authenticate wireless LAN clients without requiring them to have certificates.

PEAP and EAP-TTLS both utilize Transport Layer Security (TLS) to set up an end-to-end tunnel to transfer the user's credentials without having to use a certificate on the client.

For more information on EAP-TTLS, read the draft RFC EAP Tunneled TLS Authentication Protocol (EAP-TTLS).
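As an added example, not from the FAQ and not the code of any of the RFC implementations named above, here is a Python parser for the EAP packet format defined in RFC 2284 (Code, Identifier, Length, Data), used to audit which methods a captured exchange negotiated and to flag LEAP, which the FAQ notes Cisco is phasing out. The method type numbers are from RFC 2284 and the IANA EAP registry; the sample exchange is constructed, and the LEAP request body is filler rather than a real LEAP message.

```python
import struct

# EAP header per RFC 2284: Code (1 octet), Identifier (1), Length (2, includes the header), Data.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Method type numbers from RFC 2284 and the IANA EAP method registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

# Methods an auditor would flag: the FAQ notes Cisco is phasing out LEAP.
LEGACY_METHODS = {"LEAP"}


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet, rejecting malformed or truncated ones."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"Length field {length} does not fit a packet of {len(pkt)} octets")
    body = pkt[4:length]  # octets beyond Length are padding and are ignored
    msg = {"code": EAP_CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):    # Request and Response carry a Type octet
        if not body:
            raise ValueError("Request/Response without a Type octet")
        msg["type"] = EAP_TYPES.get(body[0], f"type-{body[0]}")
        msg["data"] = body[1:]
    elif body:            # Success and Failure are exactly 4 octets
        raise ValueError("Success/Failure must not carry data")
    return msg


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_eap(pkt)
        return True
    except ValueError:
        return False


def audit_eap_exchange(packets) -> dict:
    """Summarise which methods were offered or requested in a captured exchange."""
    methods = set()
    for pkt in packets:
        msg = parse_eap(pkt)
        if msg["type"] in ("Identity", "Notification", None):
            continue
        if msg["type"] == "Nak":
            # A Nak's data lists the method type(s) the peer wants instead.
            methods.update(EAP_TYPES.get(t, f"type-{t}") for t in msg["data"])
        else:
            methods.add(msg["type"])
    return {"methods": methods, "legacy": methods & LEGACY_METHODS,
            "result": parse_eap(packets[-1])["code"]}


# Constructed sample exchange (not a real capture): identity, PEAP offered,
# peer Naks asking for LEAP, authenticator switches to LEAP, then Success.
SAMPLE_EXCHANGE = [
    b"\x01\x01\x00\x05\x01",                               # Request/Identity
    b"\x02\x01\x00\x08\x01bob",                            # Response/Identity "bob"
    b"\x01\x02\x00\x06\x19\x20",                           # Request/PEAP, start flag set
    b"\x02\x02\x00\x06\x03\x11",                           # Response/Nak, wants type 17 (LEAP)
    b"\x01\x03\x00\x10\x11" + b"\x01\x00\x08" + bytes(8),  # Request/LEAP, filler body
    b"\x03\x03\x00\x04",                                   # Success
]
```

Running `audit_eap_exchange(SAMPLE_EXCHANGE)` reports both PEAP and LEAP as negotiated and LEAP as a legacy method, which is the kind of finding a WLAN audit of EAP traffic should surface.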


C-18. What is TKIP (Temporal Key Integrity Protocol)?

Temporal Key Integrity Protocol is a draft standard from the IEEE 802.11i working group.

TKIP provides two major enhancements to WEP:

  1. The MIC resolves the initialization vector/base key reuse vulnerability by adding a sequence number field to the wireless frame; the Wireless Access Point (WAP) will drop frames received out of order. The MIC also resolves the frame tampering/bit flipping vulnerability by adding a frame integrity check which is not vulnerable to the same mathematical shortcomings as the original 802.11 Integrity Check Value (ICV).
  2. TKIP per-packet keying mitigates the WEP key derivation vulnerability but does not fully resolve the underlying weaknesses.
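As an added example (not from the FAQ, and not an implementation of either standard), the following Python models the WEP limitations listed in C-12 alongside the TKIP enhancements described in C-18: the birthday bound on a 24-bit initialization vector, the affine behaviour of the CRC-32 checksum used as the WEP ICV, and a receiver that drops out-of-order frames and checks a keyed MIC. Two assumptions: IVs are taken as random, and HMAC-SHA256 stands in for TKIP's Michael MIC; the frames are constructed.

```python
import hashlib
import hmac
import math
import zlib

IV_SPACE = 2 ** 24  # WEP's 24-bit initialization vector, sent in the clear


def iv_reuse_probability(frames: int) -> float:
    """Birthday bound: probability that some IV value repeats among `frames`
    frames when IVs are chosen at random from the 24-bit space (assumption)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_until_reuse(p: float = 0.5) -> int:
    """Number of frames after which an IV repeat has probability at least p."""
    return math.ceil(math.sqrt(2.0 * IV_SPACE * math.log(1.0 / (1.0 - p))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(m1: bytes, m2: bytes) -> bool:
    """The WEP ICV is CRC-32, which is affine over XOR for equal-length input:
    crc(m1 ^ m2) == crc(m1) ^ crc(m2) ^ crc(zeros). A checksum that changes this
    predictably cannot detect deliberate alteration; TKIP adds a keyed MIC instead."""
    zeros = bytes(len(m1))
    return zlib.crc32(xor_bytes(m1, m2)) == zlib.crc32(m1) ^ zlib.crc32(m2) ^ zlib.crc32(zeros)


class TkipStyleReceiver:
    """Receiver applying the two TKIP enhancements: a keyed MIC (HMAC-SHA256 is
    a stand-in for Michael, an assumption) and a strictly increasing sequence
    number, with replayed or out-of-order frames dropped."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = -1
        self.dropped = []  # (reason, seq) for every rejected frame

    def mic(self, seq: int, payload: bytes) -> bytes:
        return hmac.new(self.mic_key, seq.to_bytes(6, "big") + payload, hashlib.sha256).digest()[:8]

    def accept(self, frame) -> bool:
        seq, payload, tag = frame
        if seq <= self.last_seq:  # replay or out of order: drop before any crypto
            self.dropped.append(("sequence", seq))
            return False
        if not hmac.compare_digest(tag, self.mic(seq, payload)):
            self.dropped.append(("mic", seq))
            return False
        self.last_seq = seq
        return True


def run_demo(key: bytes = b"constructed-demo-mic-key") -> list:
    """Feed a constructed frame sequence through the receiver; returns its decisions."""
    rx = TkipStyleReceiver(key)
    sent = lambda seq, data: (seq, data, rx.mic(seq, data))  # what a legitimate sender emits
    f1, f2, f3, f4 = sent(1, b"GET /a"), sent(2, b"GET /b"), sent(3, b"amount=0010"), sent(4, b"bye")
    # f3 with one byte altered in transit ('0010' -> '9010'); the CRC would follow the change, the MIC does not
    altered = (f3[0], xor_bytes(f3[1], bytes(7) + b"\x09" + bytes(3)), f3[2])
    return [rx.accept(f) for f in (f1, f2, f1, altered, f4)]
```

`frames_until_reuse()` shows an IV repeat is more likely than not after roughly 4,800 frames, and `run_demo()` returns `[True, True, False, False, True]`: the replayed frame and the altered frame are both dropped.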


C-19. What is SMS (Short Message Service)?

SMS (Short Message Service) is a protocol for sending and receiving text messages over digital cellular networks, including TDMA, CDMA, and GSM networks. SMS messages are limited to 160 characters.

SMS is vulnerable to DoS (Denial of Service) and identity spoofing attacks.


C-20. What is WAP (Wireless Application Protocol)?

WAP (Wireless Application Protocol) is an open specification for displaying content on wireless devices. WAP supports XHTML as its message format. WAP supports WTLS (Wireless Transport Layer Security) and PKI (Public Key Infrastructure) for security.

WAP clients exist for platforms as varied as PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS. WAP rides over data networks as varied as CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX, iDEN, TETRA, DECT, DataTAC, Mobitex and GPRS.

Some WAP devices support 128 bit WTLS keys, while other WAP devices do not. Security is therefore difficult for the average user to gauge.

For information regarding the security of the WTLS protocol, check Attacks Against the WAP WTLS Protocol by Markku-Juhani Saarinen.



