How we tested

How we tested the security of various wireless devices and technologies.

We set up two test beds at Lab Alliance partner Opus One's labs in Tucson, one for stations (clients running wireless network interface cards) and one for access points and wireless LAN switches.  Both sets of tests were monitored using Dell laptop computers running Red Hat Linux 9 and a modified version of AirSnort, the open source Wired Equivalent Privacy (WEP) key recovery tool.  We also made heavy use of our AirMagnet Handheld to diagnose minor interoperability issues between different wireless devices.

AirSnort is designed to recover the WEP keys of any network it sees, as quickly as possible.  It does this by collecting all packets from all stations and all access points.  We modified our version of this open source tool to only look at the packets sent from the device being tested.  This change enabled us to identify whether it was the station or the access point that was vulnerable to AirSnort key recovery.  We also modified AirSnort to print out the "weak" initialization vectors that it was using to guess the WEP key.


We used an IBM Thinkpad laptop with a 1.2 GHz processor and 512M-byte RAM running a clean installation of Windows 2000 SP4 to test each wireless PCMCIA card, connecting the station to a Cisco Aironet 350 access point.  To test access points, we used the same laptop with a Cisco Aironet 350 card to generate traffic.

For each test, we used the Unix "ping" command with the flood option to generate a high rate of bidirectional traffic over the airwaves.  We let the AirSnort laptop listen to the traffic for a minimum of 50 million packets, usually about 12 hours at the very high traffic rate we were generating. 

We wanted to be sure that AirSnort saw every possible initialization vector (IV), thereby giving it the best chance of recovering the WEP key.  Since there are 16 million IVs, we had to generate sufficient packets to guarantee that every IV was seen at least once (it doesn't do AirSnort any good to see the same IV twice).

Although most wireless devices use a simple counter to generate IVs (this is actually the most secure method), some products use a random number generator.  We picked 32 to 50 million packets as a "safe" range to guarantee that we were actually measuring the WEP performance of the product.  Even though we were saturating the airwaves, it takes a long time to generate that many packets.  Claims that WEP keys can be recovered in 15 minutes are, we discovered, highly exaggerated.
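The two ideas in the methodology above, filtering captured frames down to the device under test (the AirSnort modification described earlier) and reasoning about how many frames it takes to cover the 24-bit IV space, can be checked numerically. The following is an added example written for this article, not code from the original test or from AirSnort: it computes the expected fraction of the IV space seen after a given packet count under a sequential counter and under random IV generation, and it groups a constructed sample capture by transmitter address, counts distinct IVs per device (repeated IVs add nothing), and infers which generator each device uses. The MAC addresses and the capture are constructed sample data.

```python
import math
import random
from collections import defaultdict

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible WEP IVs


def counter_coverage(packets, iv_space=IV_SPACE):
    """Fraction of the IV space seen when the device uses a simple counter:
    every frame carries a fresh IV until the counter wraps."""
    return min(1.0, packets / iv_space)


def expected_random_coverage(packets, iv_space=IV_SPACE):
    """Expected fraction of the IV space seen when IVs are drawn uniformly at
    random with replacement: a given IV is missed with probability (1 - 1/N)^k."""
    return 1.0 - (1.0 - 1.0 / iv_space) ** packets


def packets_for_random_coverage(fraction, iv_space=IV_SPACE):
    """Smallest packet count whose expected random-IV coverage reaches `fraction`."""
    if not 0.0 <= fraction < 1.0:
        raise ValueError("fraction must be in [0, 1)")
    return math.ceil(math.log(1.0 - fraction) / math.log(1.0 - 1.0 / iv_space))


def ivs_in_order(frames, mac):
    """IVs sent by one transmitter, in capture order.  This is the per-device
    filter: only frames whose transmitter address matches are kept.
    `frames` is an iterable of (transmitter_mac, iv) pairs."""
    return [iv & (IV_SPACE - 1) for m, iv in frames if m == mac]


def iv_generator_kind(ivs, threshold=0.9):
    """Classify an IV sequence as 'counter' when at least `threshold` of the
    consecutive pairs advance by exactly one modulo 2^24, otherwise 'random'."""
    if len(ivs) < 2:
        return "unknown"
    steps = sum(1 for a, b in zip(ivs, ivs[1:]) if (b - a) % IV_SPACE == 1)
    return "counter" if steps / (len(ivs) - 1) >= threshold else "random"


def capture_report(frames):
    """Per transmitter: frames seen, distinct IVs (only these help key
    recovery, a repeated IV is wasted) and the inferred IV generator."""
    report = {}
    for mac in {m for m, _ in frames}:
        ivs = ivs_in_order(frames, mac)
        report[mac] = {
            "frames": len(ivs),
            "distinct_ivs": len(set(ivs)),
            "generator": iv_generator_kind(ivs),
        }
    return report


# Constructed sample capture (not from the original test): the station counts
# IVs and wraps past 2^24, the access point draws IVs at random, and the two
# directions are interleaved as a bidirectional ping flood would produce.
STATION = "00:40:96:aa:bb:cc"        # constructed address
ACCESS_POINT = "00:0b:85:dd:ee:ff"   # constructed address
_rng = random.Random(2004)
_station_frames = [(STATION, (0xFFFFC0 + i) % IV_SPACE) for i in range(200)]
_ap_frames = [(ACCESS_POINT, _rng.randrange(IV_SPACE)) for _ in range(200)]
SAMPLE_FRAMES = [f for pair in zip(_station_frames, _ap_frames) for f in pair]


if __name__ == "__main__":
    for packets in (16_777_216, 32_000_000, 50_000_000):
        print(f"{packets:>11,} frames: counter {counter_coverage(packets):.1%}, "
              f"random {expected_random_coverage(packets):.1%} of IV space expected")
    print("random-IV frames for 99% expected coverage:",
          packets_for_random_coverage(0.99))
    for mac, row in sorted(capture_report(SAMPLE_FRAMES).items()):
        print(mac, row)
```

The per-transmitter grouping is what lets a tester attribute weak-IV exposure to the station or to the access point rather than to "the network"; the coverage functions let you pick a packet budget for a device whose IV generator you have first identified from a short capture.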

That level of traffic flooding would be highly unusual in a typical enterprise WLAN.  In fact, we had to shut our building wireless network down during the test, because the traffic we were generating saturated the 802.11b/g frequency range.

We also used the open source wireless analysis tool KisMAC to verify that offline dictionary attacks could recover keys from LEAP and from WPA with pre-shared keys.  When testing 802.1X, we used Funk's Odyssey RADIUS server as our authentication server.

Once we had finished our tests on the wireless side of the products, we used a variety of common attack tools, including the open source tools Nmap, wget, Nessus and IP Stack Integrity Checker (ISIC) to discover open services, guess passwords, and test the security of the wired side of the access points.  Our attack tools ran in a VMware virtual machine, which made them easy to pick up and move between our labs.


Copyright © 2004 IDG Communications, Inc.