802'11b Vulnerabilities, AdHoc Mode, RF Jamming and Receiver Design

1
802.11b Vulnerabilities, Ad-Hoc Mode, RF Jamming
and Receiver Design

• Ritesh H Shukla
• Graduate Student
• ECE Dept
• Under the Guidance of
• Prof. William R Michalson

2
802.11 Overview

• What is 802.11, 802.11a, 802.11b and 802.11g
• Defines the MAC layer and physical layer for
  wireless data communication between mobile
  stations in a wireless local area network.
• 802.11b finalized in 1999 and is the most
  successful of all wireless LANs.
• 802.11a and 802.11b provide higher data rate.
  802.11g products launched only a few months ago.
• Three physical layers specified(802.11)
• Infrared
• Frequency hopping spread spectrum
• Direct sequence spread spectrum
• 802.11, 802.11b and 802.11 g operate around 2 GHz
  frequency
• 802.11a operates around 5GHz frequency.
• CSMA-CA ( Carrier Sense Multiple Access -
  Collision Avoidance)

3
Ad-Hoc Mode Vs Infrastructure Mode

• The Independent base station mode has no central
  access point.
• Only Single hopping of data

• All nodes talk to one central access point
• Mobility limited to area covered by the access
  point

4
802.11 Neither Secure nor Robust

• Protocol designed to be a commodity which is
  commercially successful.
• List of different Attacks
• MANAGEMENT FRAMES ARE NOT AUTHENTICATED!
• Denial of Service
• Flooding (CSMA/CA)
• De-authentication
• RF interference based attacks
• Insertion Attack
• Man In the Middle Attacks
• Insert a New Access Point in the network
• Route all traffic through your node
• Encryption attack
• Collecting data and decrypting the information
  contained, made possible due to the weakness in
  the WEP Encryption specified in 802.11.

5
Primary Privacy Issue

• Medium Accessible to All
• Sniffing
• Protection?
• The only protection against sniffing is an
  optional encryption of data called WEP (wired
  equivalent privacy).
• But the protocol is flawed and data can be
  decrypted. The weakness is well documented and
  has been published for every one to read.

Decrypted Date
Hacking Tools on a PDA
6
Jamming Physical Layer Communication

• Step 1Jammer senses the network and waits.
• Step 2Jammers synchronized receiver transmits
  fake data for a small time duration
• Result expected
• The frame appears corrupted at the receiver (CRC
  Check fails)
• The Jammer is stealthy.

7
Receiver Design

• Receiver design and performance can play an
  important role in hidden node problem.
• The requirements on the jammer to have a high
  probability of success depends on the overall
  noise rejection of the receiver and its behavior
  in the presence of a signal spread using the same
  spreading sequence.

8
Down conversion to Base band

• A Zero IF receiver with two stages of down
  conversion is being simulated based on the
  Intersils Prism wireless lan solution for
  802.11x

Target Receiver Design
9
Conclusion

• 802.11 wireless is a highly successful protocol,
  which is not designed to be robust or secure.
• Ad-Hoc mode possible with only a single hop of
  data.
• Knowledge of spreading sequence could make
  jamming present wireless networks easy and the
  source of jamming difficult to detect.
• Understanding of the behavior of wireless
  receivers under the proposed jamming technique
  requires comprehensive simulation and actual
  testing of the results.