802.11b Vulnerabilities, Ad-Hoc Mode, RF Jamming and Receiver Design
Ritesh H Shukla, Graduate Student, ECE Dept
Under the Guidance of Prof. William R Michalson
802.11 Overview
What is 802.11, 802.11a, 802.11b and 802.11g
Defines the MAC layer and physical layer for wireless data communication between mobile stations in a wireless local area network.
802.11b was finalized in 1999 and is the most successful of all wireless LANs.
802.11a and 802.11b provide higher data rates. 802.11g products launched only a few months ago.
Three physical layers specified (802.11):
Infrared
Frequency hopping spread spectrum
Direct sequence spread spectrum
802.11, 802.11b and 802.11g operate around 2 GHz frequency
802.11a operates around 5 GHz frequency.
CSMA-CA (Carrier Sense Multiple Access - Collision Avoidance)
Ad-Hoc Mode vs. Infrastructure Mode
Ad-Hoc mode:
The Independent base station mode has no central access point.
Only single hopping of data
Infrastructure mode:
All nodes talk to one central access point
Mobility limited to area covered by the access point
802.11 Neither Secure nor Robust
Protocol designed to be a commodity which is commercially successful.
List of different Attacks
MANAGEMENT FRAMES ARE NOT AUTHENTICATED!
Denial of Service
Flooding (CSMA/CA)
De-authentication
RF interference based attacks
Insertion Attack
Man In the Middle Attacks
Insert a New Access Point in the network
Route all traffic through your node
Encryption attack
Collecting data and decrypting the information contained, made possible due to the weakness in the WEP encryption specified in 802.11.
Primary Privacy Issue
Medium Accessible to All
“Sniffing”
Protection?
The only protection against “sniffing” is an optional encryption of data called WEP (Wired Equivalent Privacy).
But the protocol is flawed and data can be decrypted. The weakness is well documented and has been published for everyone to read.
Decrypted Data
Hacking Tools on a PDA
Jamming Physical Layer Communication
Step 1: Jammer senses the network and waits.
Step 2: Jammer’s synchronized receiver transmits fake data for a small time duration
Result expected:
The frame appears corrupted at the receiver (CRC check fails)
The Jammer is stealthy.
[Figure: Node A, Node B and the Jammer]
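A defender-side illustration of the result described on this slide, added here and not part of the original presentation: frames that fail the CRC (FCS) check while still arriving with a strong signal are a sign of interference rather than of an ordinary weak link, so a monitor can flag time windows where both hold. The Frame fields, the thresholds and the sample capture are assumptions constructed for this example.

```python
from collections import deque
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Frame:
    t_ms: int      # capture timestamp in milliseconds
    rssi_dbm: int  # signal strength the radio reported for this frame
    fcs_ok: bool   # did the frame check sequence (CRC-32) verify?

def suspect_windows(frames, window_ms=1000, min_frames=20,
                    bad_ratio=0.5, strong_dbm=-65):
    """Return timestamps whose trailing window looks jammed.

    Thresholds are illustrative assumptions. A window is suspect when most
    frames fail the FCS although the failed frames arrived with a strong
    signal; a weak signal with many FCS failures is an ordinary poor link.
    """
    recent, alerts = deque(), []
    for f in sorted(frames, key=lambda fr: fr.t_ms):
        recent.append(f)
        while f.t_ms - recent[0].t_ms > window_ms:
            recent.popleft()
        bad = [x.rssi_dbm for x in recent if not x.fcs_ok]
        if (len(recent) >= min_frames
                and len(bad) / len(recent) > bad_ratio
                and median(bad) >= strong_dbm):
            alerts.append(f.t_ms)
    return alerts

def constructed_capture():
    """Constructed sample: three 2-second phases, one frame every 20 ms."""
    frames = []
    for i in range(300):
        if i < 100:    # healthy link: strong signal, 1 frame in 25 corrupted
            frames.append(Frame(i * 20, -55, i % 25 != 0))
        elif i < 200:  # distant station: weak signal, 3 frames in 5 corrupted
            frames.append(Frame(i * 20, -88, i % 5 < 2))
        else:          # interference: strong signal, 4 frames in 5 corrupted
            frames.append(Frame(i * 20, -50, i % 5 == 0))
    return frames

if __name__ == "__main__":
    alerts = suspect_windows(constructed_capture())
    print(f"{len(alerts)} suspect samples, first at t={alerts[0]} ms")
```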
Receiver Design
Receiver design and performance can play an important role in the hidden node problem.
The requirements on the jammer to have a high probability of success depend on the overall noise rejection of the receiver and its behavior in the presence of a signal spread using the same spreading sequence.
Down conversion to baseband
A Zero IF receiver with two stages of down conversion is being simulated based on Intersil’s Prism™ wireless LAN solution for 802.11x
Target Receiver Design
Conclusion
802.11 wireless is a highly successful protocol, which is not designed to be robust or secure.
Ad-Hoc mode possible with only a single hop of data.
Knowledge of spreading sequence could make jamming present wireless networks easy and the source of jamming difficult to detect.
Understanding of the behavior of wireless receivers under the proposed jamming technique requires comprehensive simulation and actual testing of the results.