Phishing in the Wireless: Implementation and Analysis
Web-based authentication is a popular mechanism implemented by Wireless Internet Service Providers (WISPs) because it allows simple registration and authentication of customers while avoiding the high resource requirements of the new IEEE 802.11i security standard and the backward-compatibility issues of legacy devices. In this work we demonstrate two different and novel attacks against web-based authentication. One attack exploits operational anomalies of low- and middle-priced devices in order to hijack wireless clients, while the other exploits an already known vulnerability within wired networks which, in dynamic wireless environments, turns out to be even harder to detect and protect against.
Keywords: Access Point, Authentication Response, Medium Access Control Address, Address Resolution Protocol, Authentication Request