WLAN Attacks

The most common types of attack are as follows.

  • Probing and discovery tools – A host of tools have emerged that take advantage of the fact that 802.11 infrastructures rely on network broadcasts to communicate with wireless clients. With these probing and discovery tools, unscrupulous individuals can easily locate, and take advantage of, wireless networks that lack strong security safeguards. One of the most common of these tools is Netstumbler, a Windows-based program that uses active scanning to detect low-security access points. Once an access point is detected, a number of exploits can be mounted against the network.
  • MAC identity spoof attacks – In an 802.11 WLAN, MAC addresses are openly broadcast over the air. The security implication is that potential attackers can sniff the air looking for valid MAC addresses associated with authorized WLAN users, access points and even wired infrastructure components, such as switches and routers. Once a valid address is captured, programs exist to spoof it, so that intruders can masquerade as a valid WLAN client or access point. Naturally, this can compromise a WLAN if MAC authentication is the only security scheme employed.
  • Denial of service attacks – Because WLANs broadcast over the unlicensed ISM and U-NII public bands with a limited number of available channels, RF interference is a common problem. As interference increases, signal quality and network availability decrease. Malicious individuals can use this to their advantage, debilitating WLAN performance. Common ways of doing this include RF frequency jamming and exploits such as Airjack and void11, which flood the WLAN with frames.
  • Man in the middle attacks – A man in the middle attack results from the interception and possible modification of traffic passing between two communicating parties, such as a wireless client and an AP. Man in the middle attacks succeed if the systems can’t distinguish communications with the intended recipient from those with the intervening attacker.
  • Static WEP cracking programs – Soon after it was first introduced, the Wired Equivalency Protocol (WEP) was broken because WEP uses static keys, which can be easily cracked. While these deficiencies were soon corrected with the WiFi Protected Access (WPA) protocol and 802.11i (WPA2), both of which leverage dynamic keys, many WLANs continue to use WEP-based security. As a result, they are still vulnerable to WEP cracking programs.
  • Rogue access point attack programs – A number of “rogue access point attack programs” exist which allow attackers to perform a range of stealth attacks by posing as legitimate access points on a WLAN.
  • Misconfigured clients – Due to the nature of the 802.11 specification, enterprise WLANs are exposed to security risks when new hosts or clients enter the network and when ad-hoc networking is allowed. A wired host with an enabled WLAN adapter, for example, could unwittingly connect to an unknown WLAN. An attacker would then be able to compromise the host machine via the open WLAN adapter through routing features on Linux and Windows and mount an attack against the wired connection. Similarly, the spill-over of RF signals means that accidental connections can occur with neighbouring WLANs, which can compromise the security of trusted networks.
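Several of the attacks listed above (rogue access points, deauthentication-based denial of service and MAC identity spoofing) leave characteristic traces in 802.11 management and data frames, which is what a wireless intrusion detection system looks for. The following Python script is an added example, not part of the original tutorial: it runs three simple detection heuristics over a constructed, in-memory list of frame records rather than a live capture. The authorized-AP inventory, the MAC addresses, the thresholds and the sample frames are all assumptions chosen for illustration.

```python
"""Toy wireless IDS heuristics over constructed 802.11 frame records (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float          # capture timestamp in seconds
    subtype: str       # 'beacon', 'deauth' or 'data'
    src: str           # transmitter MAC address
    bssid: str         # BSSID the frame belongs to
    ssid: str = ""     # advertised network name (beacons only)
    seq: int = 0       # 802.11 sequence number, 0..4095


# Hypothetical inventory: which BSSIDs are allowed to advertise each corporate SSID.
AUTHORIZED_APS = {"corp-wifi": {"00:11:22:33:44:55"}}


def find_rogue_aps(frames):
    """Rogue AP check: a beacon carrying an authorized SSID from an unknown BSSID."""
    rogues = set()
    for f in frames:
        if f.subtype == "beacon" and f.ssid in AUTHORIZED_APS:
            if f.bssid not in AUTHORIZED_APS[f.ssid]:
                rogues.add((f.ssid, f.bssid))
    return sorted(rogues)


def find_deauth_floods(frames, window=1.0, threshold=20):
    """Deauth-flood check: count deauthentication frames per BSSID per time window.

    A genuine AP sends the occasional deauth when a client leaves; a burst of
    dozens in one second is the signature of a flooding tool.
    """
    buckets = Counter()
    for f in frames:
        if f.subtype == "deauth":
            buckets[(f.bssid, int(f.ts // window))] += 1
    return sorted({bssid for (bssid, _), n in buckets.items() if n >= threshold})


def find_sequence_anomalies(frames, max_gap=50):
    """MAC-spoof check based on sequence numbers.

    A single radio increments the 12-bit sequence counter by one per frame
    (retransmissions repeat the value). When two radios transmit with the same
    source MAC, the observed counter jumps around, so large deltas are flagged.
    """
    last_seq = {}
    flagged = set()
    for f in frames:
        if f.subtype != "data":
            continue
        prev = last_seq.get(f.src)
        if prev is not None:
            delta = (f.seq - prev) % 4096   # modulo handles the 4095 -> 0 wrap
            if delta > max_gap:             # delta 0 (retry) and small steps are normal
                flagged.add(f.src)
        last_seq[f.src] = f.seq
    return sorted(flagged)


def build_sample():
    """Constructed capture: one legitimate AP, one rogue AP, one spoofed client."""
    legit_ap, rogue_ap = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    client, victim = "12:34:56:78:9a:bc", "66:77:88:99:aa:bb"
    frames = [
        Frame(1.0, "beacon", legit_ap, legit_ap, "corp-wifi"),
        Frame(1.1, "beacon", rogue_ap, rogue_ap, "corp-wifi"),   # same SSID, unknown BSSID
        Frame(2.0, "deauth", legit_ap, legit_ap),                # a single normal deauth
    ]
    # 25 deauth frames from the rogue AP within a quarter of a second
    frames += [Frame(5.0 + i * 0.01, "deauth", rogue_ap, rogue_ap) for i in range(25)]
    # well-behaved client: sequence numbers advance by one
    frames += [Frame(6.0 + i * 0.1, "data", client, legit_ap, seq=10 + i) for i in range(3)]
    # victim's MAC used by two radios: 100, 101, 102 then a jump to 3000 and back to 103
    frames += [Frame(7.0 + i * 0.1, "data", victim, legit_ap, seq=s)
               for i, s in enumerate([100, 101, 102, 3000, 103])]
    return frames


def report(frames):
    """Run all three heuristics and return their findings in one dictionary."""
    return {
        "rogue_aps": find_rogue_aps(frames),
        "deauth_floods": find_deauth_floods(frames),
        "spoofed_macs": find_sequence_anomalies(frames),
    }


if __name__ == "__main__":
    for name, hits in report(build_sample()).items():
        print(f"{name}: {hits}")
```

These heuristics are deliberately simple: a production system would also use the retry flag, signal strength and channel to reduce false positives, and would compare the SSID inventory against what a site survey actually found. The point of the example is that each attack in the list above corresponds to an observable pattern that a defender can monitor for.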
