By Robert Vamosi
At issue is the connection between a client device, such as your laptop computer or PDA, and the access point (AP) on a wireless network. On a wired network, the wires make that connection relatively secure; on a wireless net, there is no such physical barrier against attack.
More mobility means less security
This is, of course, a wireless net's greatest benefit: you can move around your office building and, regardless of wiring, connect to an intranet or the Internet from any office, conference room, or work station. The same holds true at home: a wireless net allows you to connect to the Net with equal ease from the living room, dining room, or den.
One of the techniques Lynn and Baird described exploits the way you hook up to a wireless network: your client device sends a request to connect to, or associate with, an AP. As they explained, the network doesn't verify who is connecting, as long as the device presents a valid Media Access Control (MAC) address and the right Service Set ID (SSID).
A man-in-the-middle (MITM) attack takes advantage of this process. Armed with some custom-made software, Lynn and Baird demonstrated how easy it is to insert a rogue laptop between a legitimate user's client device and an AP, posing as the AP to the client and as the client to the AP, and thus monitor the traffic sent over the net.
Cracking a wireless net
The first step is to bump all legitimate clients off of the wireless network. Lynn and Baird did this by writing a program that tells their wireless card to send a deauthenticate broadcast that appears to come from the target AP, which disconnects every client from it. The attack works because 802.11 management frames, the deauthenticate frame included, carry no authentication of their own, so clients have no way to tell the forged frame from a genuine one. As long as the attacker's deauthenticate frames keep coming, legitimate clients can't stay connected to that AP.
One way to make your net harder to find is to turn off the AP's SSID broadcast, so the name isn't advertised in the AP's beacons. But even that can be defeated, because clients still send the SSID when they associate. Lynn and Baird started the deauthenticate attack, disconnecting clients from the AP and forcing them to try to reassociate. When those clients tried to reconnect, the attackers captured the reassociation requests, which contain each client's MAC address and the network's SSID. With those two pieces of data, an attacker can impersonate a legitimate device on that wireless net.
The data passing over the wireless net might be encrypted, but as I explained last week, 802.11 Wired Equivalent Privacy (WEP) encryption can be broken.
How can you combat MITM attacks? Lynn and Baird recommend using a wireless Intrusion Detection System (IDS) and monitoring the network with products such as AirDefense. They also suggest using directional antennas, lowering the AP's broadcast range, and installing a virtual private network (VPN) with strong mutual authentication.
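To make the attack above and the wireless IDS recommendation concrete, here is an added example (not Lynn and Baird's tool, and not a product such as AirDefense) that decodes 802.11 management frames and flags the two things the article describes: a burst of deauthenticate frames claiming to come from one AP, and the reassociation requests that follow and expose each client's MAC address and the SSID. The frame layout follows the 802.11 MAC header; the MAC addresses, SSID "corpnet", reason code, timestamps and the one-second/five-frame threshold are constructed for the demonstration.

```python
"""Decode 802.11 management frames and flag a deauthenticate flood.

Added example for this column, not the attack software Lynn and Baird
demonstrated or a wireless IDS product. All frames and timestamps below
are constructed inline so the script runs offline.
"""
import struct
from collections import defaultdict

# Management-frame subtypes (802.11 frame type 0)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_REASSOC_REQ = 0x2
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode the 24-byte MAC header plus the fields we care about in the body."""
    fc0, _flags, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3          # bits 2-3 of Frame Control: type
    subtype = fc0 >> 4                # bits 4-7: subtype
    info = {
        "type": ftype,
        "subtype": subtype,
        "addr1": mac_str(frame[4:10]),   # receiver / destination
        "addr2": mac_str(frame[10:16]),  # transmitter / source (forgeable)
        "bssid": mac_str(frame[16:22]),
    }
    body = frame[24:]                 # after Sequence Control
    if ftype != 0:
        return info
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    elif subtype in (SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ):
        # Fixed fields: capability(2) + listen interval(2) [+ current AP(6) for reassoc]
        off = 4 if subtype == SUBTYPE_ASSOC_REQ else 10
        while off + 2 <= len(body):   # walk the tagged information elements
            tag, length = body[off], body[off + 1]
            if tag == 0:              # element ID 0 is the SSID, sent in the clear
                info["ssid"] = body[off + 2: off + 2 + length].decode("utf-8", "replace")
                break
            off += 2 + length
    return info


def _header(subtype, dst, src, bssid, seq):
    fc0 = subtype << 4                # protocol version 0, type 0 (management)
    return struct.pack("<BBH", fc0, 0, 0) + dst + src + bssid + struct.pack("<H", seq << 4)


def build_deauth(dst, src, bssid, reason, seq):
    return _header(SUBTYPE_DEAUTH, dst, src, bssid, seq) + struct.pack("<H", reason)


def build_reassoc_req(dst, src, bssid, ssid, seq):
    body = struct.pack("<HH", 0x0431, 10) + bssid     # capability, listen interval, current AP
    body += bytes([0, len(ssid)]) + ssid.encode()     # SSID information element
    return _header(SUBTYPE_REASSOC_REQ, dst, src, bssid, seq) + body


def detect_deauth_flood(timed_frames, window=1.0, threshold=5):
    """timed_frames: iterable of (seconds, raw_frame). Returns alert strings.

    A burst of deauthenticate/disassociate frames from one BSSID within a short
    window, especially to the broadcast address, is the signature described in
    the column; reassociations that follow show what the attacker harvests.
    """
    alerts, fired = [], set()
    recent = defaultdict(list)        # bssid -> deauth timestamps inside the window
    for ts, raw in timed_frames:
        f = parse_frame(raw)
        if f["type"] != 0:
            continue
        if f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            q = recent[f["bssid"]]
            q.append(ts)
            recent[f["bssid"]] = q = [t for t in q if ts - t <= window]
            if len(q) >= threshold and f["bssid"] not in fired:
                fired.add(f["bssid"])
                target = "broadcast" if f["addr1"] == BROADCAST else f["addr1"]
                alerts.append(f"deauth flood: {len(q)} frames from {f['bssid']} to {target} "
                              f"in {window}s (reason {f['reason']})")
        elif f["subtype"] == SUBTYPE_REASSOC_REQ and f["bssid"] in fired:
            alerts.append(f"reassociation after flood: client {f['addr2']} "
                          f"exposed SSID {f.get('ssid')!r}")
    return alerts


# Constructed sample capture: an attacker forging the AP's address on eight
# broadcast deauthenticate frames, then one client trying to reassociate.
AP = bytes.fromhex("00112233aabb")
CLIENT = bytes.fromhex("00aabbccdd01")
BCAST = b"\xff" * 6


def sample_capture():
    frames, t = [], 0.0
    for seq in range(8):
        frames.append((t, build_deauth(BCAST, AP, AP, 7, seq)))  # reason 7: class 3 frame from non-associated STA
        t += 0.1
    frames.append((t, build_reassoc_req(AP, CLIENT, AP, "corpnet", 1)))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

On a real network the frames would come from a card in monitor mode rather than from `sample_capture()`; the decoder and the flood rule stay the same. Note that the rule keys on the BSSID field, which the attacker controls, so it tells you an AP's clients are being knocked off, not where the attacker is; finding the rogue laptop is what the directional antennas are for.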
If you want to know more about the inner workings of wireless networks, I recommend the book 802.11 Wireless Networks: The Definitive Guide, by Matthew S. Gast, published by O'Reilly & Associates. Although it may be too technical for some, the book offers plenty of information for those looking to lock down their wireless nets.
Has your wireless net ever been broken into? What happened? Do you mind sharing your Net connection with others? TalkBack to me!
Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews. Have a question for him? Let him know!