WiMax: Just Another Security Challenge?
by Stephen Barish
Wireless networks have long been hailed as easily deployed, low-cost solutions for providing broadband services to an increasingly mobile population. As with any emerging technology, however, it wasn't long before attackers were exploiting it.
The popular version of wireless networking, known as WiFi, revolutionized the ways that both small home-offices and larger facilities work, making it trivial to extend bandwidth into areas where it was impractical or too expensive to run Ethernet cable. For a while it seemed as if WiFi offered instantly deployable, easily configurable, and most importantly mobile communications to the masses.
Soon, however, over-the-air sniffers, such as kismet and airsnort, allowed attackers to capture and decode data transmitted via WiFi. Rogue access points -- often illicitly deployed by users seeking easier access -- opened security holes deep within companies' enterprises, allowing attackers to completely circumvent traditional protections, such as firewalls and IDS, and simply break in through a wide-open back door. These rogue access points also became a useful way for attackers to capture passwords, credit card numbers, and other sensitive information.
It didn't take long for information technology professionals to realize that the promised land of WiFi was rife with risks, vulnerabilities, and unforeseen dangers that still cause significant security challenges today.
In addition, WiFi has caused many technical headaches. Its effective coverage radius, also known as the "cell radius," is fairly small -- typically a few hundred feet when used with omnidirectional antennas like those in your typical laptop. WiFi also has pretty substantial bandwidth limitations that make it impractical for high-density user environments or as a last-mile transport-layer solution. Over the years these technical challenges, along with the security problems, have been addressed in large part by constantly evolving standards and bolting security controls on top of WiFi. Examples include Wired Equivalent Privacy (WEP) encryption, WiFi Protected Access (WAP) encryption, and 802.1x.
Yet, without using highly directional and large antennas, WiFi still wasn't the optimum solution for large metropolitan-scale or long-haul point-to-point links. This is the reason WiMax and similar standards were born.
|Recommended Uses||Short-range, LAN-centric||Long-range, MAN-centric|
802.11b/g – 2.4 GHz
802.11n – 2.4 GHz, 5 GHz
|Unlicensed or licensed spectrum between 2-66 GHz
US: 2.4 GHz
International: 2.3 GHz, 3.5 GHz
|Quality of Service||Minimal - QoS is relative only between packets/flows||Guaranteed - QoS is assured using scheduling algorithms at MAC layer|
|Cell Footprint||< 300 meters maximum
Most implementations about 30 meters
|Up to 10 kilometers
Most implementations about 3 km
|Bandwidth||802.11b: 11 Mbps max
802.11g: 54 Mbps max
802.11n: at least 100 MbpsAll bandwidth is at short range
|Up to 70 Mbps theoretical max
Up to 40 dedicated subscriber channels
Expect 15 Mbps at 3 km range
Table 1 - A comparison of typical WiFi and WiMax performance characteristics
WiMax refers to a standard designed to provide high-bandwidth wireless services on a metropolitan area scale. It provides a much greater bandwidth in comparison to WiFi, allowing users to share up to 70 Mbps at short range -- although 10 Mbps at 10 km is more typical -- per channel in fixed implementations. Each channel can be split between up to 40 simultaneous users, providing symmetric download speeds that rival a traditional DSL connection.
While WiFi has moved into high-bandwidth solutions with the advent of the draft 802.11n specification, which provides theoretical bandwidth maximums up to 248 Mbps, the true advantage WiMax maintains is in cell radius. Even with 802.11n, WiFi is typically limited to ranges under 300 meters without specialized equipment. In contrast, WiMax provides a much larger cell radius -- up to 3 km in fixed applications -- without significantly degrading its available bandwidth. These key features are the reason the WiMax standard is considered one of the leading contenders for the future of wireless broadband, for use in metropolitan area networks (MAN) and as the underpinnings of 4G cellular networks.
Of course, labeling WiMax a "standard" is something of a misnomer. The actual standard for the MAN-scale wireless solutions that WiMax is based on is IEEE 802.16, which has never been fully adopted. In fact, WiMax is the creation of the WiMax Forum, which is a group of loosely affiliated vendors, suppliers, and engineers worldwide who are trying to standardize a wireless broadband technology for last-mile applications based on the IEEE 802.16e-2005 specification.
When you buy a "WiMax" product you are actually procuring an IEEE 802.16e-2005 compliant device that has been tested and certified as interoperable by the WiMax Forum -- not a truly IEEE 802.16 compliant device. The WiMax Forum maintains a rigid certification program that ensures standards of conformance and interoperability for "WiMax Forum Certified" products. Only four laboratories worldwide are approved to conduct this certification testing: AT4 Wireless, Telecommunications Technology Association, China Academy of Research of Telecommunication Research, and Advance Data Technology Corporation.
How WiMax Works
At the 65,000-foot level, WiMax looks remarkably like a traditional IEEE 802.11x implementation. Subscriber nodes use network access cards to wirelessly connect to a base station, which is typically connected to some accessible network or the Internet.
The primary differences are under the hood. For one, WiMax was designed from the ground up to provide quality of service (QoS) in order to ensure a reliable minimum data rate and availability. To provide QoS, WiMax certified equipment is designed to implement a scheduling algorithm to ensure each subscriber station competes for access only once. From that point forward, the base station provides a time slot that is allocated to each unique subscriber station. This schedule-based solution is far different from that of WiFi, which uses a contention-based media access control scheme where all subscriber stations compete for the same base station's attention on a random, interrupt-driven basis. This is one reason bandwidth varies so much with range from the base station in WiFi implementations: subscribers closer to the base station can simply be heard better, and pre-empt those at more distant ranges. WiMax still suffers from bandwidth degradation over extended ranges, but not nearly as significantly. The inclusion of QoS makes applications such as voice-over-IP (VoIP) much easier to implement, because a relatively constant bandwidth and QoS can be assumed at any given range.
Spectrum usage is significantly different in WiMax applications when compared to WiFi. The IEEE 802.16 specification supports both 2-to-11 GHz and 10-to-66 GHz ranges. Lower frequencies generally provide greater range in the kind of urban environments WiMax is targeted, so frequency ranges above 66 GHz have never been considered suitable for IEEE 802.16 or the WiMax implementation. Also, since IEEE 802.16 remains in draft, there is no globally licensed spectrum at this point. The WiMax Forum, in its quest to ensure interoperability, has licensed three spectrum profiles: 2.3 GHz, 2.5 GHz, and 3.5 GHz. In the United States, the most common implementation is expected to be centered on 2.5 GHz. Outside of the United States, spectrum profiles vary with the radio-frequency spectrum licensing supported by the geopolitical unit in which WiMax implementations are deployed.
From a security perspective, WiMax offers several key advantages over traditional WiFi implementations. WiFi truly revolutionized the way we deliver bandwidth to subscribers, especially mobile ones, but it has always lacked key security features. This lack of security enabled attackers to ruthlessly exploit early adopters of the technology and even today, most access points are unsecured and a large amount of traffic passes in the clear, allowing any casual passers-by or attacker to sniff sensitive information over the air.
Worse, in its native configuration, WiFi does not implement robust authentication at the base station, allowing attackers to deploy rogue access points that they control, which can collect or modify every packet traversing the access point. While remedies do exist (such as WEP and WPA/WPA2), they were bolted on to WiFi to remedy these vulnerabilities.
WiMax was developed from scratch with security in mind. First, every subscriber station uses X.509 certificates to uniquely identify its subscribers. This effectively prevents attackers from spoofing the identity of legitimate subscribers. The goal in adopting this paradigm was to make theft-of-service more difficult. Second, the WiMax supports two robust encryption standards: DES and AES. In a secure implementation, WiMax is designed to use EAP (or IEEE 802.1x) for strong mutual authentication and can enable RSA for data link encryption, although this requires additional hardware within the enterprise (a RADIUS server, etc.) coupled with the use of WiMax.
Potential WiMax Applications
Originally envisioned as a wireless alternative for fixed, MAN-scale networks, WiMax is now being considered for a variety of applications, ranging from last-mile connectivity to a replacement for 802.11x mesh networks. Thanks to the commitment of vendors to the proposed IEEE 802.16x-2005 mobile standard (considered "WiMax Compatible"), WiMax technology is being pushed out to handsets and laptops. Intel in particular has made a major push for early WiMax adoption, but more than 30 companies provide WiMax Forum Certified fixed implementation technology.
In early 2008, the WiMax Forum announced the availability of the first WiMax Forum Certified mobile devices, mostly in the 2.3 GHz range, which is used internationally. The certification of products in the 2.5 GHz band for U.S. use is expected later this summer. While WiMax is just gaining traction in the US, there are literally hundreds of major deployments worldwide, especially in Asia. Some of the more interesting applications to date include:
- Potential 4G Solutions
Wireless carriers are investigating WiMax as an alternative to current 3G/3.5G technologies, such as EVDO and HSPDA. In the US, Sprint has made a major commitment to WiMax as a core part of their 4G strategy. From a raw bandwidth perspective, WiMax offers carriers nearly 2.5x the speed of HSPDA, generally acknowledged as the fastest current 3.5G technology on the market. By building voice networks on top of a stable, high-availability, high bandwidth wireless data connection rather than scavenging data out of bandwidth commonly reserved for voice, carriers will open up a range of location-based, interactive, Web-enabled services currently impossible to deploy.
- Transport Technology for Mobile Solutions
T-Mobile has been using a hybrid 802.16d/WiFi solution to provide bandwidth to rail commuters in the UK since 2005. 802.16d base stations provide transport layer solutions for 802.11 access points in the train cars themselves, and subscribers connect using T-Mobile's existing hotspot technology. Although this implementation is based on the older 802.16d specification, rather than on WiMax Forum certified technology, it demonstrates how the broad cell footprint of WiMax can be used to provide bandwidth to mobile subscribers quickly and easily without forcing them to adopt new technologyóalways a barrier to the proliferation of any new wireless standard.
In 2005, South Korea made a major commitment to IEEE 802.16b with the development of WiBro, which has subsequently been upgraded to full IEEE 802.16e compliance. Beginning in 2006, WiBro solutions were rolled out across much of South Korea, and now coverage exists in most major cities, including Seoul, where even the subways have connectivity. Although not yet a WiMax-certified solution, this remains one of the largest roll-outs to date.
Security Issues and Potential Vulnerabilities
The WiMax security model focuses primarily on theft-of-service and theft-of-data threat vectors. WiMax implements protections in the media access control layer, with a security sub layer that implements authentication and provides hooks for data encryption. While these are perhaps the two most common concerns preventing the deployment of an RF-based connectivity solution in mission-critical roles, they are hardly all-inclusive. In fact, WiMax offers a significant number of theoretical vulnerabilities, some of which are only just beginning to be demonstrated in the wild:
WiMax implements a unidirectional authentication scheme using X.509 certificates from subscriber to base station, but there is no provision for base station to subscriber authentication in return. This opens a potential vulnerability for rogue base stations to attempt the impersonation of legitimate devices. Attackers can simply intercept subscriber initiation requests and spoof responses, authorizing them to use the rogue access point. Since WiMax has so much greater cell radius than WiFi, this is a more severe threat than it would be in a traditional WiFi implementation, at least from an incident response perspective. Using strong mutual authentication via IEEE 802.1x and a RADIUS server would mitigate this risk significantly, although it is important to remember that any security countermeasure added to the enterprise can introduce additional sources of vulnerability if not carefully managed. For instance, deploying 802.1x authentication solutions opens up a window of vulnerability to EAP injection, spoofing, and replay attacks that are well understood and publicized.
- Denial of Service
In addition to MAC-layer vulnerabilities, WiMax could suffer from potential physical layer vulnerabilities as well. First, WiMax uses management frames, similar to those used in WiFi, but WiMax implements cryptographic protections to prevent the majority of spoofing attacks. However, WiMax is vulnerable to replay-based attacks to flood a network with rogue management frames, effectively creating a denial of service. Many WiMax adopters are also concerned about jamming or scrambling attacks, where an attacker attempts to manipulate RF signals in order to interfere with connections. Even electromagnetic interference is being watched closely to determine if it has an adverse impact on reliability and availability.
- Base Station Attacks
No matter how well implemented WiMax protocols and security models are, attackers will still attempt to exploit them. As with virtually every other standards-based technology, some products will have security flaws. This is certainly the case with the recent Airspan WiMax ProST Authentication Bypass Vulnerability. This vulnerability allows an attacker to simply craft a malicious request, which can allow administrative access to the base station. Although these vulnerabilities are typically found and patched rapidly, the challenge with worldwide WiMax adoption is that not all consumers will monitor their equipment for intrusion, and even when the vulnerabilities are published, many do not patch them either.
- Application-Layer Attacks
While WiMax is intended to run securely, making use of strong encryption, it is possible to deploy a solution without enabling either DES or AES. When data is transmitted in the clear, it is vulnerable to sniffing as well as attacks against applications, just as WiFi is. The key to preventing these is for administrators to take advantage of WiMax's built-in encryption capabilities, although DES is not advised because the standard currently supports 56-bit DES only, which is far from secure from brute-force attacks thanks to the power of modern CPUs. AES is much more secure, stronger than WPA2 by far.
WiMax is clearly a technology well on its way to being adopted, at least in Europe and Asia. Domestic U.S. roll-out plans remain less clear. WiMax clearly shows promise for wireless replacement of traditional DSL connections, but the logistics and security ramifications have yet to be thoroughly assessed. And, while WiMax offers significant advantages as a 4G solution for Sprint and other carriers, the marketplace is far from ready to converge into a single solution any time soon. What is clear is that WiMax fixes some of the vulnerabilities we have come to accept in WiFi solutions.
Unfortunately, it is not a silver security bullet. It still has to be configured appropriately and securely to offer the levels of confidentiality, integrity, and availability that consumers are used to on wired-line communications. These challenges will only be overcome, and the true security ramifications of WiMax only understood, when the solution gains a significant amount of traction for MAN deployments, or when it is deployed by a major carrier.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.