Wireless LAN Security FAQ
By Christopher W. Klaus of Internet Security Systems (ISS). Please
send corrections, additions, and new questions to cwkpub...@iss.net.
Version 1.6 - Last Updated September 30th 2002
*  Where do I get the latest version of this Wireless LAN Security FAQ?
*  What is the overview of Wireless LAN 802.11 technology?
+ [1.1] When will 802.11a arrive and how will the security be
different than 802.11b?
+ [1.2] What is an Access Point?
+ [1.3] How much does the equipment for wireless 802.11b cost?
+ [1.4] Are companies the only wireless targets by attackers?
+ [1.5] Where can you find wireless 802.11 networks?
+ [1.6] How does the antenna affect wireless LAN security?
o [1.6.1] How do I build a cheap and effective antenna?
+ [1.7] Can you spot a laptop with wireless 802.11 capability
by looking for the antenna?
*  What are the major security risks to 802.11b?
+ [2.1] What are Insertion Attacks?
o [2.1.1] Plug-in Unauthorized Clients
o [2.1.2] Plug-in Unauthorized Renegade Base Stations
+ [2.2] What are Interception and Monitoring of Wireless Traffic attacks?
o [2.2.1] Wireless Sniffer
o [2.2.2] Hijacking the session
o [2.2.3] Broadcast Monitoring
o [2.2.4] ArpSpoof Monitoring and Hijacking
# [2.2.4.1] Hijacking SSL (Secure Socket Layer) and
SSH (Secure Shell) connections
o [2.2.5] BaseStation Clone (Evil Twin) intercept traffic
+ [2.3] What are AP and Client Misconfigurations?
o [2.3.1] Service Set Identifier (SSID)
# [2.3.1.1] What are the default SSIDs?
o [2.3.2] What is Secure Access Mode?
o [2.3.3] Bruteforce Base Station SSID
o [2.3.4] Can the SSID be encrypted?
o [2.3.5] By turning off the broadcast of SSID, can
someone still sniff the SSID?
o [2.3.6] Wired Equivalent Privacy (WEP)
# [2.3.6.1] Attacks against WEP
# [2.3.6.2] Default WEP keys
# [2.3.6.3] How large are WEP keys?
o [2.3.7] SNMP community words
# [2.3.7.1] SNMP vulnerabilities
o [2.3.8] Configuration Interfaces
o [2.3.9] Client side security risk
o [2.3.10] Installation Risk
+ [2.4] What is Jamming?
o [2.4.1] 2.4 GHz Interfering Technology
+ [2.5] What are Client to Client Attacks?
o [2.5.1] Filesharing and other TCP/IP service attacks
o [2.5.2] DoS (Denial of Service)
o [2.5.3] Hybrid Threats
+ [2.6] War Driving Access Point Maps
+ [2.7] Parasitic Grids
*  What are solutions to minimizing WLAN security risk?
+ [3.1] Wireless Security Policy and Architecture Design
o [3.1.1] Basic Field Coverage
+ [3.2] Treat BaseStations as Untrusted
+ [3.3] Base Station Configuration Policy
o [3.3.1] 802.1X Security
+ [3.4] Base Station Discovery
o [3.4.1] Honeypots - FakeAP
+ [3.5] Base Station Security Assessments
+ [3.6] Wireless Client Protection
*  Who is making 802.11 Security Solutions?
+ [4.1] 802.11 Gateway Infrastructure
+ [4.2] 802.11 Security Analysis Tools
*  About Internet Security System's Wireless 802.11b Solution
*  Acknowledgements
* Added new war driving maps.
* Updated 802.11a as being now available.
* Added how large is WEP key information.
* Added acknowledgements section
* Added Honeypots - FakeAP
* Added basic field coverage strategy.
* Added all of Netgear's default WEP keys.
* Added Pringles Can and Waveguide Antenna Info.
* Added hybrid threats, next-gen virus/worm spread by wireless.
* Added Parasitic Grids. Free anonymous access for intruders.
* Added SNMP vulnerabilities.
* Added 802.1X Security, and its flaws.
* Added MiniStumbler, Wireless Scanner, BlackICE PC Protection.
* Added info on Broadcast pings.
* Added Section 1.7 regarding internal antenna.
* Added link to Cigital regarding ArpSpoofing. Cigital put together
a nice diagram of the attack.
* Added Default WEP key for NetGear AP.
* Added link to BSD version of AirSnort.
* Added where this WLAN Security FAQ can be found.
* Cleaned up the formatting
* Added better indexing, added hyperlinks between index and content
* Added link to article on wireless LAN antennas
* Added NetStumbler, WEPCrack tools, Added WEP insecurity paper
* Added Ecutel, BlueSocket, and NetMotion as WLAN Sec. Products
* Updated accuracy of the WEP description and made it clear that the
SSID is not encrypted.
* Added Broadcast of SSID turned off can still be circumvented.
* Added Addtron's default SSID, a popular AP
* Added War Driving AP maps.
* Added 802.11 ArpSpoof, a technique used by ISS X-Force Consulting.
* Added hijacking SSH and SSL connections via wireless.
* Added 2 X-Force Advisories on Wireless 802.11 flaws
* First draft
 Where do I get the latest version of this Wireless LAN Security FAQ?
* The most current version is on the Web at
* It will be regularly posted to issfo...@iss.net
* It will be posted to the following Usenet newsgroups:
 What is the overview of Wireless LAN 802.11 technology?
The 802.11b wireless LAN standard has the strongest momentum toward
becoming the main standard for corporate internal wireless LANs.
802.11b provides 11 Mbit/s of bandwidth and operates in the 2.4 GHz
band. Its successor, 802.11a, is designed for higher speed (54 Mbit/s)
and operates in a different band (5 GHz). Although 802.11a hardware is
now available, 802.11b is still widely used, and many companies and
individuals are deploying it, or dual 802.11a/802.11b devices.
As more wireless technology is developed and deployed, the attacks
will grow more complex, but the methods described here appear to be
the main ones currently used to break into and attack wireless
systems. These attacks are not unique to 802.11b and apply in very
similar form to other wireless technologies. Understanding these risks
and how to develop security solutions for 802.11b is therefore a good
stepping-stone to providing a secure solution for any wireless
[1.1] When will 802.11a arrive and how will the security be different than 802.11b?
Most manufacturers of wireless equipment now ship 802.11a products.
The 802.11a specification changes the physical layer but keeps the
same 802.11 MAC layer, so the security mechanisms, and with them most
of the security risks, are shared by 802.11a and 802.11b. Many of the
security issues around 802.11b will continue to be issues with
802.11a, so understanding today's issues will help organizations deal
with future ones as well.
[1.2] What is an Access Point?
The AP (access point, also called a base station) is the wireless
device that connects clients to the internal network. Base stations
typically act as a bridge between the wireless clients and the wired
LAN. The base station has an IP address for management and
configuration, and typically runs an SNMP agent for remote management.
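The quickest way to see that management agent is to ask it for its MIB-II system description. The following is an added example, not code from the FAQ or from ISS: a minimal SNMPv1 GET (RFC 1157 message format, BER-encoded by hand so it needs only the Python standard library). The AP address 192.0.2.1, the read community string "public" (the conventional factory default) and the sysDescr text in the constructed sample reply are all assumptions for illustration.

```python
"""Minimal SNMPv1 GET encoder/decoder (added example, not from the FAQ).

Assumed for illustration: the AP management address 192.0.2.1, the
community string "public" and the constructed sysDescr reply below.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-II sysDescr.0


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def encode_int(value):
    """INTEGER (tag 0x02), minimal two's-complement; +8 keeps the sign bit clear."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv1 message: version 0, community, GetRequest-PDU (0xA0)."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # OID + NULL
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def build_sample_response(community, oid, value, request_id=1):
    """Constructed GetResponse-PDU (0xA2), standing in for a real AP's reply."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x04, value.encode()))
    pdu = tlv(0xA2, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_seq(content):
    """Split a SEQUENCE body into its child (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):           # Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big")
    if tag == 0x04:
        return body.decode("latin-1")
    if tag == 0x06:
        return decode_oid(body)
    return None if tag == 0x05 else body    # NULL, or leave other types raw


def parse_response(packet):
    """Return (community, error_status, [(oid, value), ...]) from a GetResponse."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    version, community, pdu = read_seq(msg)
    if decode_value(*version) != 0:
        raise ValueError("not SNMPv1")
    if pdu[0] != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _request_id, error_status, _error_index, varbinds = read_seq(pdu[1])
    results = []
    for _vb_tag, vb in read_seq(varbinds[1]):
        (otag, obody), (vtag, vbody) = read_seq(vb)
        results.append((decode_value(otag, obody), decode_value(vtag, vbody)))
    return community[1].decode(), decode_value(*error_status), results


def snmp_get(host, community, oid, timeout=2.0):
    """Send one GET to host:161/udp and parse the reply; None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, oid), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


if __name__ == "__main__":
    # Offline run against the constructed reply (values are made up).
    sample = build_sample_response("public", SYS_DESCR, "ExampleCo AP-200 v1.0")
    print(parse_response(sample))
    # Against a real base station (hypothetical address):
    # print(snmp_get("192.0.2.1", "public", SYS_DESCR))
```

A reply with the default community string means the agent is reachable and answers anyone who knows that string; a timeout means either the agent is off, the community string differs, or UDP/161 is filtered. The same encoder can be pointed at any other MIB-II object by changing the OID.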
[1.3] How much does the equipment for wireless 802.11b cost?
Base stations have become relatively inexpensive, roughly under
US$300, and 802.11 client cards for PDAs, laptops and desktops cost
roughly under US$100. Because the equipment is so cheap, attackers can
easily obtain the tools needed to carry out these attacks. The low
price also means that within many companies employees can buy
wireless equipment without approval and deploy it as a rogue network,
creating additional risk.
[1.4] Are companies the only wireless targets by attackers?
While this FAQ focuses on risk from a corporate network perspective,
the same issues apply to home networks and to telecommuters using
wireless. As corporate networks admit remote users, those users may be
connecting over a wireless link at their end. In that case, even an
organization that has installed no wireless capability on its own
network may still be affected by the risks its remote employees take
on by using wireless at home or on the road.
[1.5] Where can you find wireless 802.11 networks?
Airports, hotels and even coffee shops such as Starbucks are deploying
802.11 networks so that people can browse the Internet wirelessly from
their laptops. As these types of networks increase, this will create