Wireless broadband systems could be vulnerable to attack

Wireless broadband systems planned for global use that use the popular WiMax standard can, "despite good intentions," be jammed, hacked and spoofed, according to a paper published last month by a United Kingdom group of government intelligence experts.

The Centre for the Protection of National Infrastructure warned in a paper that WiMax has fundamental security flaws, including the lack of two-way authentication, which allows a hacker to set up a "rogue" base station to impersonate a legitimate one so that the hacker can spoof the base station and launch man-in-the-middle attacks, "exposing subscribers to various confidentiality and availability threats," the CPNI paper said.

"This means session hijacking is possible and the attacker could gain access to sensitive information," according to CPNI, a UK intergovernmental organization which uses personnel and resources from agencies including the Security Service (MI5), the National Security Advice Centre and the Communications Electronics Security Group.

WiMax (Worldwide Interoperability for Microwave Access) is an alternative to Wi-Fi (Wireless Fidelity). While Wi-Fi is used in most businesses and homes for wireless connectivity to the Internet, WiMax is considerably stronger and can cover a larger area. It can deliver a wireless broadband signal from a distance of 30 miles at 70 megabytes per second. That's about 10 times the bandwidth of a home broadband Internet connection in the Washington, D.C., metropolitan area.

Because of the WiMax advantages, more than 470 chip and equipment manufacturers and network operators, such as Intel, Alcatel-Lucent, Fujitsu, Motorola, Samsung, AT&T and British Telecom, rely on WiMax to develop systems. One network operator, Sprint Nextel, plans to use WiMax to provide high-speed mobile service to its subscribers through a public network that it plans to launch in the United States in April 2008.

Federal and state government agencies and businesses can use the technology to set up private networks. The Marine Corps, for example, has deployed tactical networks in the Mideast using WiMax equipment from Redline Communications. Caltrain, the California commuter rail operator, also uses Redline gear to provide high-speed voice, video and data services between rail stations.

The WiMax 802.16e standard provides strong encryption through use of the Advanced Encryption Standard, which meets U.S. government requirements. But AES management frames are broadcast in the clear, meaning an attacker can grab subscriber information and other sensitive network information, the CPNI report concluded.

Because WiMax, like the short-range Wi-Fi, uses the radio frequency spectrum, WiMax also is subject to physical jamming and denial-of-service "flood attacks," which can knock out a connection, the paper reported.

Joshua Wright, a senior security architect with Aruba Networks, which manufactures Wi-Fi but not WiMax gear, said the security flaws in the WiMax standards are well known and reflect the fact that it was developed with public network operators in mind to prevent hackers from stealing the service, not with the user in mind by ensuring security. The standards "do a great job for the service provider, but very little has been done to protect the subscriber," Wright said.

Service providers can use the WiMax standard to determine the identity of a subscriber, Wright said, but there is no way for a subscriber using WiMax to determine if the base station being used is a legitimate one or one that a hacker set up to steal sensitive information.

Wright said the WiMax standard does have an option to incorporate the Extensible Authentication Protocol, which allows users to authenticate base stations, which would help address the vulnerability.
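An added illustration, not taken from the CPNI paper or from any vendor: a simplified Python model of the gap described above, in which only the subscriber proves its identity, next to a mutual exchange in which the base station must prove itself first. It is not the 802.16e or EAP message flow; the shared operator key, the `BaseStation` class and the `attach` function are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def proof(key: bytes, role: bytes, nonce: bytes) -> bytes:
    # The role label stops a subscriber's answer being reflected back
    # as if it were the base station's proof.
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).digest()

class BaseStation:
    """Hypothetical base station; key=None models one with no operator credential."""
    def __init__(self, key):
        self.key = key
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def admit(self, response: bytes) -> bool:
        if self.key is None:
            return True  # an impostor has no reason to reject anyone
        return hmac.compare_digest(response, proof(self.key, b"SS", self.nonce))

    def prove(self, sub_nonce: bytes) -> bytes:
        # Without the operator key the station can only guess.
        key = self.key if self.key is not None else secrets.token_bytes(32)
        return proof(key, b"BS", sub_nonce)

def attach(sub_key: bytes, bs: BaseStation, mutual: bool) -> bool:
    """Return True if the subscriber ends up attached to bs."""
    if mutual:
        # Subscriber checks the station before revealing anything.
        sub_nonce = secrets.token_bytes(16)
        expected = proof(sub_key, b"BS", sub_nonce)
        if not hmac.compare_digest(bs.prove(sub_nonce), expected):
            return False
    # One-way step: only the subscriber is verified.
    return bs.admit(proof(sub_key, b"SS", bs.challenge()))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample credential
    for label, bs in (("legitimate", BaseStation(key)), ("rogue", BaseStation(None))):
        for mutual in (False, True):
            print(f"{label:10} mutual={mutual!s:5} attached={attach(key, bs, mutual)}")
```

In the one-way runs the subscriber attaches to both stations; with the mutual check it attaches only to the station holding the operator key.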

Ali Tabassi, vice president for technology development at Sprint Nextel, said in an e-mail that his company plans to use mutual authentication, including EAP, to reduce the threat of rogue base stations and man-in-the-middle attacks. Tabassi wrote that Sprint Nextel plans to change encryption keys frequently to prevent session hijacking and spoofing of management frames.

Jamming is a problem for WiMax, but no more than with any other radio-based system, Tabassi said. He added that Sprint Nextel plans to deploy detection/mitigation solutions to address attacks against its networks.

Janet Kumpu, president of Fortress Technologies, which provides wireless systems with multiple layers of security for government users, said the CPNI paper indicated to her that UK and U.S. agencies are aware of the WiMax security shortcomings and need to look at alternative means of protecting their network infrastructure, such as the Fortress authentication protocol used by Redline Communications in systems supplied to the Marine Corps.

Magued Barsoum, Fortress chief technical officer, said the CPNI report highlighted what he called "the biggest challenge" of WiMax security: rogue base stations, which Fortress handles with an authentication protocol based on the Diffie-Hellman key protocol, which the signals intelligence agency of the United Kingdom originally developed. The solution provides for mutual authentication inside an encrypted channel, which eliminates spoofing and rogue base stations, Barsoum said.

Kumpu said the company is in discussion with network operators such as Sprint Nextel to adopt its technology for use in public networks, specifically to support government users, providing agencies with security that meets federal standards.

"The real test of WiMax security will come when providers using wide-scale network deployments, and researchers and attackers have access to commodity CPE [customer premises equipment]," according to the CPNI report. "Until then, the security of WiMax is limited to speculation."

As far as Barsoum is concerned, that could be too late. Security needs to be built in before any WiMax network is deployed, he said.
