T 4.61 Unreliable or missing WLAN security mechanisms

In their delivered configurations, WLAN components frequently have only a few of their security mechanisms activated, or none at all. Some of these mechanisms are also unreliable and do not offer adequate protection. Even today, WLAN components that support only inadequate mechanisms such as WEP are in use and are still sold as new devices. In some cases these devices cannot be updated to stronger mechanisms at all.

If no or only weak mechanisms are available to secure the wireless interface and the services used over the WLAN, then secure communication in the WLAN is impossible. This exposes every component reachable through the network to additional threats, including data stored on the WLAN clients themselves or in the wired LAN behind the access point, and can therefore affect the entire IT infrastructure of a government agency or company. Examples of possible security problems are listed below.

WEP

If the wireless communication in the WLAN is not protected at all, or is protected only with WEP, an attacker can easily eavesdrop on all WLAN communication and often obtains confidential information. WEP is cryptographically broken: its RC4 keystream is reused whenever the 24-bit initialisation vector repeats, and the WEP key itself can be recovered from a few tens of thousands of captured frames with freely available tools, so WEP traffic has to be treated as if it were sent in clear. With some devices, such as WLAN-enabled printers, users are often unaware that a WLAN connection is established at all, and the network is therefore inadequately secured. An attacker may then not only read the data being printed but may also reach components in the back-end system via the WLAN components.
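As an added illustration of why WEP is listed here as unreliable (this script is not part of the original catalogue text), the following Python code implements RC4 and the WEP frame body layout from the standard and shows the keystream-reuse weakness: once two frames share an initialisation vector, one known plaintext decrypts the other without the key. The secret key, the IV and the two packets are constructed for the example and do not come from a capture.

```python
"""
Why WEP does not protect confidentiality: keystream reuse through the 24-bit IV.

Added example, not part of the original BSI text. RC4 and the WEP frame body
layout are implemented here from the standard; the secret key, the IV and the
two packets are constructed for illustration and do not come from a capture.
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation). WEP feeds it IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | key index(1) | RC4_{IV||key}(plaintext | CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + secret, len(plaintext) + len(icv))
    return iv + b"\x00" + xor(plaintext + icv, keystream)


def split_wep_body(body: bytes) -> tuple:
    """The IV is sent in clear; everything after the key index byte is ciphertext."""
    return body[:3], body[4:]


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """Attacker step 1: C xor P yields the keystream for this IV, for as many
    bytes as plaintext is known (e.g. the predictable LLC/SNAP header). No key needed."""
    _iv, ct = split_wep_body(body)
    return xor(ct, known_plaintext)


def decrypt_with_reused_iv(body: bytes, keystream: bytes, iv_of_keystream: bytes) -> bytes:
    """Attacker step 2: any other frame under the SAME IV uses the same keystream.
    Raises if the IVs differ, because then the keystreams are unrelated."""
    iv, ct = split_wep_body(body)
    if iv != iv_of_keystream:
        raise ValueError("different IV: keystream does not apply")
    n = min(len(ct), len(keystream))
    plain = xor(ct[:n], keystream[:n])
    return plain[:-4] if n == len(ct) else plain   # drop the ICV only if fully recovered


LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # start of every IP frame: known plaintext


def demo() -> bytes:
    secret = bytes.fromhex("0123456789")            # constructed 40-bit WEP key
    iv = b"\x3f\x00\x01"                            # an IV the access point reuses
    # Frame 1: contents the attacker knows (e.g. a packet the attacker caused the victim to send)
    known = LLC_SNAP_IP + b"ICMP echo request sent by the attacker's host"
    # Frame 2: the frame the attacker wants to read, transmitted under the same IV
    target = LLC_SNAP_IP + b"GET /intranet/payroll HTTP/1.1"
    body1 = wep_encrypt(secret, iv, known)
    body2 = wep_encrypt(secret, iv, target)
    keystream = recover_keystream(body1, known)     # as many keystream bytes as known plaintext
    return decrypt_with_reused_iv(body2, keystream, iv)


if __name__ == "__main__":
    print(demo())
```

The IV is only 24 bits, the standard does not require it to be unique, and many cards restart at zero after a reset, so repeats are unavoidable on a busy network; even with random IVs a repeat becomes more likely than not after roughly 5,000 frames. Keystream reuse is only one of WEP's defects: the statistical attacks on RC4's key scheduling are what let the key itself be recovered from captured traffic.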

SSID Broadcast

The SSID (Service Set Identifier, the network name) identifies the WLAN; a client roaming between neighbouring wireless cells uses it to find the next access point. Some access points can suppress the SSID in their beacon frames in order to hide the WLAN from unauthorised persons (a so-called "closed system"). This offers no real protection: the SSID is still transmitted in clear text in other management frames, for example in probe responses and in the association requests of legitimate clients, and a WLAN analyser can read it there.

Ability to manipulate MAC addresses

Every network card has its own unique hardware address, the MAC address (Media Access Control address). In a WLAN the MAC addresses of the clients are transmitted in clear text in the header of every frame, even when the payload is encrypted, so they can easily be intercepted, and most WLAN cards allow their MAC address to be changed by software. The MAC address filters often built into access points for access protection can therefore be bypassed easily by adopting the address of a legitimate client.
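The two preceding points, SSID suppression and MAC address filtering, fall to the same passive capture. The following Python script is an added example (not part of the original catalogue text) that parses hand-constructed 802.11 management frames; the BSSID, client address and network name are hypothetical, the field layouts are those of IEEE 802.11. It shows that a beacon with a suppressed SSID still leaves the name readable in probe responses and association requests, and that the same frames expose exactly the client MAC addresses a filter on the access point would trust.

```python
"""
Recovering a hidden SSID and the client MAC addresses of a WLAN from
captured 802.11 management frames.

Added example, not part of the original BSI text. The frames are constructed
by hand rather than captured; the BSSID, client address and network name are
made up for illustration. Field layouts follow IEEE 802.11.
"""
import struct

# Management frame subtypes (bits 4..7 of the frame control field)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
IE_SSID = 0           # element ID of the SSID information element
MGMT_HDR_LEN = 24     # frame control, duration, addr1..3, sequence control
# Fixed fields that precede the information elements, by subtype
FIXED_BODY_LEN = {
    SUBTYPE_BEACON: 12,      # timestamp(8) + beacon interval(2) + capability(2)
    SUBTYPE_PROBE_RESP: 12,
    SUBTYPE_ASSOC_REQ: 4,    # capability(2) + listen interval(2)
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> list:
    """Split the information element area into (element id, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break            # truncated element: stop instead of mis-parsing
        ies.append((eid, value))
        i += 2 + length
    return ies


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return subtype, addresses and SSID of one management frame.

    ssid is None if no SSID element is present and "" if the element is there
    but hidden (zero length or all NUL bytes, the two forms 'closed system'
    access points use in their beacons).
    """
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:MGMT_HDR_LEN])
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    body = frame[MGMT_HDR_LEN + FIXED_BODY_LEN.get(subtype, 0):]
    ssid = None
    for eid, value in parse_ies(body):
        if eid == IE_SSID:
            ssid = "" if value.strip(b"\x00") == b"" else value.decode("utf-8", "replace")
            break
    # The header is never encrypted: addr1 = receiver, addr2 = transmitter, addr3 = BSSID
    return {"subtype": subtype, "da": mac_str(a1), "sa": mac_str(a2),
            "bssid": mac_str(a3), "ssid": ssid}


def recover_hidden_ssids(frames: list) -> dict:
    """For each BSSID whose beacons hide the SSID, return the name revealed by
    probe responses or association requests for that BSSID."""
    hidden, revealed = set(), {}
    for p in map(parse_mgmt_frame, frames):
        if p["subtype"] == SUBTYPE_BEACON and p["ssid"] == "":
            hidden.add(p["bssid"])
        elif p["subtype"] in (SUBTYPE_PROBE_RESP, SUBTYPE_ASSOC_REQ) and p["ssid"]:
            revealed[p["bssid"]] = p["ssid"]
    return {b: revealed[b] for b in hidden if b in revealed}


def associated_clients(frames: list, bssid: str) -> set:
    """Transmitter addresses of association requests to the BSSID: the very set a
    MAC address filter on the access point trusts, readable by any listener."""
    return {p["sa"] for p in map(parse_mgmt_frame, frames)
            if p["subtype"] == SUBTYPE_ASSOC_REQ and p["bssid"] == bssid}


# ---- constructed sample capture (hypothetical addresses and network name) ----
def build_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, fixed: bytes, ies: bytes) -> bytes:
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, da, sa, bssid, 0) + fixed + ies


def build_ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


AP = bytes.fromhex("02aabbcc0001")       # access point / BSSID
CLIENT = bytes.fromhex("02ddeeff0002")   # legitimate WLAN client
BROADCAST = b"\xff" * 6
NAME = b"corp-internal"
BEACON_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"   # timestamp, 100 TU interval, capability

SAMPLE_FRAMES = [
    # Beacon with SSID broadcast suppressed: zero-length SSID element
    build_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, BEACON_FIXED, build_ie(IE_SSID, b"")),
    # Probe response to a client that asked for the network by name
    build_frame(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, BEACON_FIXED, build_ie(IE_SSID, NAME)),
    # Association request: the client has to name the SSID in clear to join
    build_frame(SUBTYPE_ASSOC_REQ, AP, CLIENT, AP, b"\x11\x04\x0a\x00", build_ie(IE_SSID, NAME)),
]

if __name__ == "__main__":
    print(recover_hidden_ssids(SAMPLE_FRAMES))
    print(associated_clients(SAMPLE_FRAMES, mac_str(AP)))
```

No radio is needed to run the script; applied to a monitor-mode capture of a real network the same parsing yields the same fields, because 802.11 frame headers and these management frames are not encrypted by WEP or WPA (802.11w protects only certain management frames, not beacons, probe and association exchanges or the addresses). Once the association request of a legitimate client has been seen, its transmitter address can be set on the attacker's card by software, which is all a MAC address filter checks.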

No key management

In many WLANs cryptographic keys have to be distributed manually, i.e. the same static key must be entered into every WLAN client and every access point, which requires physical access to each component. In practice this kind of key management usually means that the keys are changed very seldom or never. If the WLAN key is disclosed, for instance through a lost or stolen client, the entire WLAN is compromised, and every component must be re-keyed by hand before it is secure again.

Vulnerabilities during administrative accesses to access points

Many access points offer several interfaces and protocols for administration and permit their use over the wireless interface as well as over the LAN interface. If administration is performed over the wireless interface with plain text protocols such as Telnet, HTTP or SNMP (versions 1 and 2c transmit the community string in clear), the administration passwords sent over the WLAN can be intercepted. Attackers can use them to reconfigure the access point, for example to disable its security mechanisms.

Encrypted alternatives to these protocols (SSH, HTTPS, SNMPv3) are often not supported by the access points, or their use is not enforced, so the plain text variants remain reachable alongside them.