A New Wireless Networking Security Scheme

First Status Report (10-21-2002)

In our first status report, we overview the 802.11 wireless standard: its history, current technologies, and problems with the protocol. Each group member was assigned one of these topics to discuss in a short essay format. The compilation of these essays follows:

History of 802.11

Beginning of Wireless Network Projects team

In February of 1980, the first meeting of the IEEE Computer Society "Local Network Standards Committee", Project 802, was held. (The number, 802, was simply the next number issued by the IEEE for standards projects in the sequence.) It was going to be one LAN standard with speed from 1 to 20 MHz. It was divided into layers, such as the Physical layer (PHY), Media Access Control (MAC), and Higher Level Interface (HILI). The first access method was similar to that for Ethernet, including the bus topology. A token access method was added by the end of 1980. There were three MACs by that time: CSMA/CD, Token Bus, and Token Ring. Over the years, more MAC and PHY groups have been added to the project. The scope of work has grown, and currently 802.11 - the Wireless LAN (WLAN) Working Group, 802.15 - the Wireless Personal Area Network (WPAN) Working Group, and 802.16 - the Broadband Wireless Access (BBWA) Working Group handle most of the wireless projects.

The history of 802.11 Working Group for Wireless Local Area Networks

The IEEE 802.11 standard specifies the "over-the-air" interface between a wireless client and a base station or access point. It specifies both the Physical and Media Access Control (MAC) layers. Its purpose is to resolve compatibility issues between manufacturers of Wireless LAN equipment. In 1997, the Institute of Electrical and Electronic Engineers (IEEE) proposed the draft of the 802.11 standard for wireless local area networking. In 1999, the networking industry accepted the draft of the 802.11b standard. Soon after, the industry began producing wireless networking equipment operating in the 2.4 GHz band.

The history of 802.15 Working Group for Wireless Personal Area Networks

The IEEE 802.15 Working Group provides standards for low-complexity and low-power-consumption wireless connectivity in the IEEE 802 family. The Wireless Personal Area Network (WPAN) study group was formed in March 1998. The Bluetooth Special Interest Group (SIG) Inc. was formed in May of the same year. The following year, in May 1999, the IEEE WPAN Study Group became IEEE 802.15, the WPAN Working Group. The Bluetooth Specification v1.0a was released in July 1999.

Currently, there are four IEEE 802.15 projects in development. 802.15.1 is based on 1 Mbit/sec WPAN/Bluetooth v1.x derivative work. 802.15.2 is based on Recommended Practice for Coexistence in Unlicensed Bands. 802.15.3 is based on 20+ Mb/s High Rate WPAN for Multimedia and Digital Imaging. 802.15.4 is based on 200 kb/s max for interactive toys, sensor and automation needs. The 802.15.1 standards group and the Bluetooth SIG Inc. work cooperatively. This cooperation resulted from the convergence of IEEE standards development activities already under way with the formation of the Bluetooth SIG in 1998. The IEEE 802.15.1 Std., derived from Bluetooth v1.1, is scheduled to be approved in 2001.

The history of 802.16 Wireless MAN Standard

Since July 1999, the IEEE 802.16 Working Group on Broadband Wireless Access has been developing standards for Wireless Metropolitan Area Networks with global applicability. IEEE 802.16 provides solutions that are more economical than wireline alternatives. The standards set the stage for a revolution in reliable, high-speed network access in the first mile (also known as the "last mile") by homes and enterprises.

The Working Group has completed, and is currently enhancing, two IEEE Standards.

The IEEE 802.16 WirelessMAN Standard ("Air Interface for Fixed Broadband Wireless Access Systems") addresses Wireless Metropolitan Area Networks. Following a two-year effort, the initial standard, covering systems between 10 and 66 GHz, was approved in December 2001 for publication. IEEE Standard 802.16 was published on 8 April 2002. The Working Group is currently developing Amendment 802.16a to expand the scope to licensed and license-exempt bands from 2 to 11 GHz. Amendment 802.16c is in progress, developing 10-66 GHz system profiles to aid interoperability specifications. IEEE Standard 802.16.2 is a Recommended Practice on "Coexistence of Fixed Broadband Wireless Access Systems" covering 10-66 GHz. IEEE Standard 802.16.2 was published on 10 September 2001. In developing Amendment 802.16.2a, the Working Group is expanding the scope to include licensed bands from 2 to 11 GHz as well as enhancing the recommendations regarding point-to-point systems. Other projects are also being formulated. The Mobile Broadband Wireless Access (MBWA) Study Group was formed in March 2002.

Description of 802.11

Architecture

  1. Ad-hoc - There is no structure in the network. Computers just get together to form a network. There are no fixed points. Every node communicates with every other node. The Spokesman Election Algorithm is used to select the machine that acts as the base station. (TO GROUP: What is the Spokesman Election Algorithm?)
  2. Infrastructure - It has fixed network access points. Mobile nodes can communicate through these access points. Fixed network access points sometimes are connected to the wired network. It is similar to the current wireless network technology.

Layers

  1. Physical Layer (PHY)
    1. It handles the transmission of data between nodes.
    2. It can use either Direct Sequence Spread Spectrum, Frequency-hopping Spread Spectrum, or Infrared (IR) pulse position modulation.
  2. Medium Access Control (MAC)
    1. It is a set of protocols that is responsible for maintaining the order in the use of a shared medium.
    2. It uses a CA protocol to avoid collisions (TO GROUP: What does CA mean?)
      1. When a node receives a packet to be transmitted, it listens to the channel to make sure no other nodes are transmitting packets.
      2. If the channel is free, just send the packet.
      3. If it is not, it chooses a random "backoff factor" that determines how long the node must wait until it is allowed to send any data.
    3. When the packet is ready to be sent, the transmitting node first sends the ready-to-send (RTS) message. This message contains information on the length of the packet.
    4. Once the receiving node receives the RTS message, it replies with clear-to-send (CTS) message.
    5. After the transmitting node receives the CTS message, it sends the packet to the receiving node.
    6. If the receiving node successfully receives the packet, it sends an acknowledgement (ACK) packet to tell the transmitting node that the transmission was successful.

Security

  1. WEP protocol
    1. Characteristics
      • Reasonably strong. It must meet customers' needs.
      • Self-synchronizing. Stations quite frequently go in and out of coverage.
      • Computationally efficient. The WEP algorithm may be implemented in hardware or software. If it is efficient, it allows low MIPS devices to still implement it in software.
      • Exportable. It can be exported outside the US and imported to other countries.
      • Optional. It is an option not required in an 802.11-compliant system.

Problems with the 802.11 standard

There are a number of issues with the 802.11 standard that have been raised by a number of researchers in the field. First, there are some basic, non-security-related problems, discussed in an architecture tutorial presented by Greg Ennis. These include the difficulties of the medium itself: interference and noise, quality that varies over time and space, and bandwidth that must be shared with unwanted 802.11 devices and non-802 devices. Full connectivity also cannot be assumed, and there are multiple international regulatory requirements.

Other problems with 802.11b include the security problems discovered by a group of professors at the University of California, Berkeley. They discovered a number of problems with the WEP (Wired Equivalent Privacy) algorithm. According to their web site, WEP is open to a number of attacks, including a passive attack to decrypt traffic, an active attack to inject traffic, an active attack from both ends, and a table-based attack.

The first attack is a passive attack to decrypt traffic. With WEP enabled, one can still monitor traffic until an initialization vector (IV) collision occurs, which happens quite often given the size of the IV. With statistical analysis, one can determine the plaintext of a message. Once the plaintext of one message is known, the plaintext of any other message encrypted with that IV can be retrieved.

The second attack is an active attack to inject traffic. If an attacker knows the keystream used to encrypt a message for a particular IV, he or she can send any number of encrypted messages using that IV. The 802.11 standard is written so that receivers must accept traffic with duplicate IVs.

The third attack is an active attack from both ends. An attacker first captures a packet that is encrypted. He or she then makes a guess about the destination IP address and changes it so that the packet is sent to a computer the attacker controls. The packet is then resent. Since most wireless access points have Internet connectivity, the packet is forwarded unencrypted to the computer the attacker controls.

The fourth attack is a table-based attack. Since the space of possible IVs is very small, an attacker can build a decryption table for a particular key. After a time, one could create a dictionary to decrypt every packet that is sent over a particular wireless link.
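The keystream-reuse problem behind the first and fourth attacks, as an added example that is not part of the report: a minimal WEP-style RC4 model (the CRC-32 integrity check value that real WEP appends is omitted, which does not change the point), the birthday-bound odds of a collision in the 24-bit IV space, and a monitor-side check that flags repeated IVs on a link. The key, IVs and frame contents are constructed values.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream for key (KSA then PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then plaintext XOR RC4(IV || key)."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def plaintext_from_iv_reuse(frame_known, known_plaintext, frame_other):
    """Same IV => same keystream, so c1 ^ c2 == p1 ^ p2; one known plaintext reveals the other."""
    if frame_known[:3] != frame_other[:3]:
        return None                            # different IVs: nothing leaks this way
    c1, c2 = frame_known[3:], frame_other[3:]
    n = min(len(c1), len(c2), len(known_plaintext))
    return bytes(c1[i] ^ c2[i] ^ known_plaintext[i] for i in range(n))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Chance that at least two of `frames` randomly chosen IVs coincide (birthday bound)."""
    space, no_collision = 2 ** iv_bits, 1.0
    for i in range(frames):
        no_collision *= (space - i) / space
    return 1.0 - no_collision

def repeated_ivs(frames) -> dict:
    """Monitor-side check: IVs seen more than once on a link, with their counts."""
    seen = {}
    for f in frames:
        seen[f[:3]] = seen.get(f[:3], 0) + 1
    return {iv: n for iv, n in seen.items() if n > 1}

# Constructed values: a 40-bit key and an IV that a careless card reuses for two frames.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
P1 = b"GET /index.html HTTP/1.0"                # a frame whose content is guessable
P2 = b"secret=hunter2;session=1"
FRAMES = [wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, bytes.fromhex("000001"), b"x"), wep_encrypt(KEY, IV, P2)]
if __name__ == "__main__":
    print(plaintext_from_iv_reuse(FRAMES[0], P1, FRAMES[2]))   # b'secret=hunter2;session=1'
    print(repeated_ivs(FRAMES))                                 # {b'\xaa\xbb\xcc': 2}
```

With random IVs the collision probability passes one half after roughly five thousand frames, which is why the report says collisions happen "quite often".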

Another inherent security flaw in WEP is that WEP is only an optional protocol. Since it is optional, many people do not turn it on, and it is off by default. As such, even inexperienced hackers can use such an access point to reach the Internet (if it is wired to the Internet) or gain access to the owner's files.

Other methods of controlling access to wireless access points are also inherently insecure. For example, one method of limiting access is to only allow certain MAC addresses to use the access point. This method is vulnerable because MAC addresses need to be sent over the wireless connection and can thus be sniffed. After sniffing, it is easy to modify a MAC address with software, thus allowing access to the point.

One potential workaround for this problem is to use a Virtual Private Network on top of the 802.11 network security system. It is used with digital IDs to achieve strong user identification and to provide an encrypted tunnel from the client machine right to the server.

Lucent also attempted to limit who may access the point by making the SSID a shared secret, where you need to know the SSID of the access point in order to connect to it. This is also insecure in that the SSID is transmitted occasionally by the access point and wireless cards. This means the SSID could easily be sniffed.
