Risks in Wireless Network Technology
Copyright (C) 05/1996 by Howard Fuhs
Wireless data transmission is not a new technology in itself, having been used successfully for decades in both civilian and military telecommunication applications. So nothing was more obvious than to replace the steadily growing wire-bound computer networks in companies by developing a reliable wireless transmission technology that would be easy to install and maintain. The wireless network technology currently in use is indeed based on well-tested wireless data transmission technology, but adapting it to everyday working conditions in computer networks, together with the requirement for easy installation and maintenance, has led to the development of a completely new technology. Using this technology entails a number of new risks.
Wireless network technology can be subdivided into two areas, according to the method of transmission: transmission by means of radio waves, and transmission by means of infrared light. Instead of being transmitted in copper wire, the data are now transmitted either as a modulated radio signal or distributed in a room as infrared light. Although the wireless network technologies are said to be compatible with the corresponding wired technologies, the compatibility ends at the interface where the data are converted into a wireless signal. How this signal looks with regard to handshake details and transfer protocol is specified by each individual manufacturer of wireless data network systems. One consequence is that there is no compatibility between network components from different manufacturers. If a wireless network needs to be extended, this has to be done with components and systems from the same supplier.
The basic problem associated with wireless networks is the uncontrolled radiation of data, and the possibility of third parties intercepting and using this information for their own purposes.
While the use of wired networks makes it necessary for an intruder to gain physical access to the installation in order to install eavesdropping equipment, with wireless networks it is only necessary to be in the proximity of the network and use a certain type of receiver to be able to "listen in" on the data traffic without authorisation. This type of "listening in" can take different shapes and be conducted by means of different types of technologies. While several of these methods sound more like excerpts from the script of a James Bond movie, it is necessary to emphasise that such methods actually are being used!
It is also necessary to understand that tapped data traffic does not have to be interpreted in real time. Even where exotic protocols and simple encryption schemes are implemented, data traffic can be recorded for later complete analysis in a suitably equipped laboratory. This method gives professionals time to crack cryptographic schemes and to analyse the protocols in use, perhaps even to develop a real-time bugging method if this is required.
Infrared transmission uses special network cards, on which the output signal is led to an infrared light emitting diode (LED). The diode must be well placed. It emits directionless light which, reflected from the walls and ceiling of a room, enables other network cards inside the room to "see" the signals by means of built-in infrared-sensitive photosensors. These sensors convert the light to data signals, which are fed to the input side of the network card.
The use of infrared light to transmit network data introduces a number of security holes. Because the signal is non-directional, the radiation can penetrate window panes and be detectable outside the room. Depending on how the LEDs are situated and the light conditions outside the room, the signals are detectable at a distance of between 5 and 20 meters from a window. It is thus highly likely that the data traffic is clearly readable some distance from external windows.
In a recent experiment a photosensor was placed directly on the outside of a window pane separating a computer room from the outside (and this can be done very discreetly - if you see a bird-dropping on the window of your computer room, don't trust it! -ed). All signals captured by this sensor were retransmitted using either infrared or wireless technologies and very compact transmitters. Using this technique it was possible to listen to data traffic from a comfortable distance of up to several kilometres, depending on the re-transmission technique. The photosensor is not much larger than a pinhead, and the transmitter considerably smaller than a matchbox.
It will titillate legal minds that externally placing a listening device of this type on a window does not necessitate breaking and entering. If the window faces a street it will often not even be necessary to trespass, and the equipment can be put in place by any passer-by. Where customers are allowed access to a room in which an infrared light network is operating, it is often possible to place the listening device inside the room, thus obtaining a better signal quality. After installation the device is used like any other type of bugging device.
Instead of placing a bug in the vicinity of a network it is possible to use infrared telephoto lenses equipped with suitable photosensors and amplifiers. Lenses with focal lengths above 2000 mm are often used for this purpose. In this case, too, the security hole is a window.
Simply walling up computer room windows for reasons of data security is not often a viable preventive route to follow, and although it is theoretically possible to install filter foils on windows to block the transmission of infrared light, this method is still rarely used.
If the computer room has no windows, a small hole (<3 mm) may be drilled through a wall, and either an endoscope-like device guiding light to a photosensor, or the sensor itself, passed through the hole. Apart from this detail the technique is identical to the one used to see through windows. Perpetrators of this type of espionage will often try to use a wall adjoining an office or room that does not belong to the victim, or an external wall. Obviously, the hole will be placed as invisibly as possible in order to prevent or delay detection of the attack.
In comparison with infrared light, radio waves have the drawback (in terms of information security) that they do not stop at walls. Whereas infrared light is stopped by anything that blocks the line of sight, such obstacles let radio waves pass unhindered.
Reception of signals from a radio-based network is neither technically nor financially problematic. Usable receivers (radio scanners) cost between ECU 150 and ECU 1500. A scanner enables the network transmission frequency to be found (this takes from a few seconds up to a few minutes). This accomplished, the data signal can be recorded for later analysis, or it can possibly be displayed on a computer screen, analysed in realtime, or stored on disk.
A slightly different method is needed where the network cards change their transmission/reception frequencies at regular intervals (frequency hopping). This technique makes it more difficult, but not always impossible, to use commercially available scanning equipment; a different listening technique must then be used.
The signal from a radio network has a range of between 5 and 100 meters, depending on transmission level, transmission frequency and topographic factors such as building layout. Using suitable directional antennas it is possible to detect this type of data traffic from even greater distances.
Eavesdropping on radio signals cannot be prevented without considerable modifications to the buildings housing the networks. These shielding countermeasures are financially unattractive in comparison with other, by and large more effective, protective methods. Using directed and focused signals, such as the long-distance transmission systems used by telecom companies, is out of the question for short-haul networks, for practical reasons.
Regardless of the transmission method, the question arises whether it is possible for a person to gain unauthorised access to the wireless network by emulating an authorised computer belonging to the network, and using this to log in and gain access to network resources and data. It is also necessary to ask whether it would be possible for an attacker to insert false data into the transmission paths, thereby corrupting data or even installing Trojan horses or computer viruses.
The answers to these questions depend closely on the transmission techniques used by the individual manufacturer of the wireless network, and on the security measures built into the design.
The most secure countermeasure would be not to use wireless network technology at all. Of course, this alternative is not realistic. It is also possible to wiretap normal networks using various well-known methods, but this hardly leads to the conclusion that networks should be abolished.
Realistic protective measures include online encryption of the data before they are transmitted across the network. If a safe(!) encryption method is used, the "listener on the wall" can of course listen to and record the traffic, but he cannot decode it. Nor can he encode false messages in such a way that they are correctly decoded and thus accepted by the system. In fact, encryption is the only safe and economically realistic method of safeguarding wireless networks. Other methods may be used as supplements, but none can match the efficiency and security of cryptographic methods, combined with controllable and reasonable costs.
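The two properties the paragraph asks of encryption, that recorded traffic stays unreadable and that forged or altered frames are not accepted, in an added example that is not part of the original article and describes none of the products it discusses: every station shares one AES-128-GCM key, each frame carries a cleartext sequence number that is authenticated along with the payload, and the receiver refuses anything that fails the tag check or repeats a sequence number. The shared key, the frame layout and the sequence-number scheme are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Frame is what leaves the antenna or LED: a cleartext sequence number plus
// the AES-GCM output (ciphertext followed by a 16-byte authentication tag).
type Frame struct {
	Seq        uint64
	Ciphertext []byte
}

// NewAEAD wraps the 16-byte key shared by all stations in AES-128-GCM.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one payload. The GCM nonce is derived from Seq (so it is never
// reused while Seq grows) and doubles as associated data, authenticating Seq.
func Seal(aead cipher.AEAD, seq uint64, payload []byte) Frame {
	nonce := binary.BigEndian.AppendUint64(make([]byte, 4), seq)
	return Frame{Seq: seq, Ciphertext: aead.Seal(nil, nonce, payload, nonce)}
}

// NewReceiver returns an Open function that refuses replays (Seq must exceed the
// last accepted one; numbering starts at 1) and any frame failing the GCM tag.
func NewReceiver(aead cipher.AEAD) func(Frame) ([]byte, error) {
	var lastSeq uint64
	return func(f Frame) ([]byte, error) {
		if f.Seq <= lastSeq {
			return nil, errors.New("replayed frame rejected")
		}
		nonce := binary.BigEndian.AppendUint64(make([]byte, 4), f.Seq)
		pt, err := aead.Open(nil, nonce, f.Ciphertext, nonce)
		if err != nil {
			return nil, errors.New("forged or modified frame rejected")
		}
		lastSeq = f.Seq
		return pt, nil
	}
}
```

A recorded frame replayed later, a frame with one flipped bit, a genuine ciphertext under a changed sequence number, and a frame sealed under a different key are all rejected by Open before any payload byte reaches the network stack.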
A few things are mentioned in this article which could be used to perform eavesdropping attacks on wireless networks. It should be stressed, however, that no ready-made plug-and-play systems with these capabilities are commercially available. The components required to build such systems are, however, readily available, and it is no serious problem for technically competent persons to combine them into eavesdropping devices that will work as described.
Security factors play a very limited role in the sales literature furnished by suppliers of wireless networks, but are occasionally mentioned.
Thus, a supplier of an infrared type network writes: "The security of your data is guaranteed, because it is not possible to eavesdrop on infrared light."
Unfortunately, no proof of this rash claim is included. As clearly demonstrated this claim is untrue and misleading, so this type of guarantee could easily lead to serious product liability problems for the distributor of the product in question.
It has not been possible to test the security of the wireless network systems on the market, because none of the manufacturers or distributors of these products that we contacted showed any interest in a project of this type, or indeed wished to support it by supplying equipment to test, etc. In one case a threat of legal action was even made in case we were to publish any such test, or information of this nature.
Nevertheless all manufacturers and distributors claim that their products are secure. However, none of them are willing to explain the nature of this security, and how it is obtained.
The quick, flexible and uncomplicated installation speaks in favour of wireless networks, but anyone responsible for information security must realise that this network technology brings with it new security problems that require new countermeasures.
Under no circumstances should a product be accepted as secure just because the manufacturer says so. There is plenty of evidence to the contrary.