Wireless broadband systems could be vulnerable to attack

Wireless broadband systems planned for global use that use the popular WiMax standard can, "despite good intentions," be jammed, hacked and spoofed, according to a paper published last month by a United Kingdom group of government intelligence experts.

The Centre for the Protection of National Infrastructure warned in a paper that WiMax has fundamental security flaws, including the lack of two-way authentication, which allows a hacker to set up a "rogue" base station to impersonate a legitimate one so that the hacker can spoof the base station and launch man-in-the-middle attacks, "exposing subscribers to various confidentiality and availability threats," the CPNI paper said.

"This means session hijacking is possible and the attacker could gain access to sensitive information," according to CPNI, a UK intergovernmental organization which uses personnel and resources from agencies including the Security Service (M15), the National Security Advice Centre and Communications Electronics Security Group.

WiMax (Worldwide Interoperability for Microwave Access) is an alternative to Wi-Fi (Wireless Fidelity). While Wi-Fi is used in most businesses and homes for wireless connectivity to the Internet, WiMax is considerably stronger and can cover a larger area. It can deliver a wireless broadband signal from a distance of 30 miles at 70 megabytes per second. That's about 10 times the bandwidth of a home broadband Internet connection in the Washington, D.C., metropolitan area.

Because of the WiMax advantages, more than 470 chip and equipment manufacturers and network operators - such as Intel, Alcatel-Lucent, Fujitsu, Motorola, Samsung, AT&T and British Telecom -- rely on WiMax to develop systems. One network operator, Sprint Nextel, plans to use WiMax to provide high-speed mobile service to its subscribers through a public network that it plans to launch in the United States in April 2008.

Federal and state government agencies and businesses can use the technology to set up private networks. The Marine Corps, for example, has deployed tactical networks in the Mideast using WiMax equipment from Redline Communications. Caltrain, the California commuter rail operator, also uses Redline gear to provide high-speed voice, video and data services between rail stations.

The WiMax 802.16e standard provides strong encryption through use of the Advanced Encryption Standard, which meets U.S. government requirements. But AES management frames are broadcast in the clear, meaning an attacker can grab subscriber information and other sensitive network information, the CPNI report concluded.

Because WiMax, like the short-range Wi-Fi, uses the radio frequency spectrum, WiMax also is subject to physical jamming and denial-of-service "flood attacks," which can knock out a connection, the paper reported.

Joshua Wright, a senior security architect with Aruba Networks, which manufactures Wi-Fi but not WiMax gear, said the security flaws in the WiMax standards are well known and reflect the fact that it was developed with public network operators in mind to prevent hackers from stealing the service, not with the user in mind by ensuring security. The standards "do a great job for the service provider, but very little has been done to protect the subscriber," Wright said.

Service providers can use the WiMax standard to determine the identity of a subscriber, Wright said, but there is no way for a subscriber using WiMax to determine if the base station being used is a legitimate one or one that a hacker set up to steal sensitive information.

Wright said the WiMax standard does have an option to incorporate the Extensible Authentication Protocol, which allows users to authenticate base stations, which would help address the vulnerability.

Ali Tabassi, vice president for technology development at Sprint Nextel, said in an e-mail that his company plans to use mutual authentication, including EAP, to reduce the threat of rogue base stations and man-in-the middle attacks. Tabassi wrote that Sprint Nextel plans to change encryption keys frequently to prevent session hijacking and spoofing of management frames.

Jamming is a problem for WiMax, but no more than with any other radio-based system, Tabassi said. He added that Sprint Nextel plans to deploy detection/mitigation solutions to address attacks against its networks.

Janet Kumpu, president of Fortress Technologies, which provides wireless systems with multiple layers of security for government users, said the CPNI paper indicated to her that UK and U.S. agencies are aware of the WiMax security shortcomings and need to look at alternative means of protecting their network infrastructure, such as the Fortress authentication protocol used by Redline Communication in systems supplied to the Marine Corps.

Magued Barsoum, Fortress chief technical officer, said the CPNI report highlighted what he called "the biggest challenge" of WiMax security: rogue base stations, which Fortress handles with an authentication protocol based on Diffie-Hellman key protocol, which the signals intelligence agency of the United Kingdom originally developed. The solution provides for mutual authentication inside an encrypted channel, which eliminates spoofing and rogue base stations, Barsoum said.

Kumpu said the company is in discussion with network operators such as Sprint Nextel to adopt its technology for use in public networks, specifically to support government users, providing agencies with security that meets federal standards.

"The real test of WiMax security will come when providers using wide-scale network deployments, and researchers and attackers have access to commodity CPE [customer premises equipment]," according to the CPNI report. "Until then, the security of WiMax is limited to speculation."

As far as Barsoum is concerned, that could be too late. Security needs to built in before any WiMax network is deployed, he said.