Abstract
Web-based authentication is a popular mechanism implemented by Wireless Internet Service Providers (WISPs) because it allows a simple registration and authentication of customers, while avoiding high resource requirements of the new IEEE 802.11 i security standard and backward compatibility issues of legacy devices. In this work we demonstrate two different and novel attacks against web-based authentication. One attack exploits operational anomalies of low- and middle-priced devices in order to hijack wireless clients, while the other exploits an already known vulnerability within wired networks which, in dynamic wireless environments, turns out to be even harder to detect and protect against.
Please use the following format when citing this chapter: Martinovic, I., Zdarsky, F., Bachorek, A., Jung, C, and Schmitt, .1., 2007, in IFIP Internationa! Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., EiorY, M., Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 145–156.
Chapter PDF
Similar content being viewed by others
Keywords
- Access Point
- Authentication Response
- Medium Access Control Address
- Address Resolution Protocol
- Authentication Request
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
IEEE 802.11. IEEE Standard for Local and Metropolitan Area Networks — Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Standard, July 1999.
IEEE 802.1 li/D10.0. Security Enhancements, Amendment 6 to IEEE Standard for Information Technology. IEEE Standard, April 2004.
J. Bellardo and S. Savage. 802.11 Denial-of-Service attacks: real vulnerabilities and practical solutions. In Proceedings of the USENIX Security Symposium, pages 15–28, August 2003.
A. Bittau, M. Handley, and J. Lackey. The Final Nail in WEP’s Coffin. In SP’ 06: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P’O6), pages 386–400, Washington, DC, USA, 2006. IEEE Computer Society.
N. Borisov, I. Goldberg, and D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. In MobiCom’ 01: Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, pages 180–189, July 2001.
D. Faria and D. Cheriton. DoS and authentication in wireless public access networks. In Proceedings of the 2004 ACM Workshop on Wireless Security, pages 47–56, September 2002.
B. Fleck and Dimov J. Wireless Access Points and ARP Poisoning: Wireless vulnerabilities that expose the wired network, http://www.packetnexus.com/docs/arppoison.pdf (last access: 2006-10-30).
S. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the key scheduling algorithm of RC4. In SAC’ 01: Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography, pages 1–24, August 2001.
C. He and J. C. Mitchell. Analysis of the 802.1 li 4-way handshake. In Proceedings of the 2004 ACM Workshop on Wireless Security, pages 43–50, October 2004.
C. He and J. C. Mitchell. Security analysis and improvements for IEEE 802.1 li. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS’05), pages 90–110, February 2005.
I. Martinovic, F. A. Zdarsky, A. Bachorek, and J. B. Schmitt. Introduction of IEEE 802.1 li and Measuring its Security vs. Performance Tradeoff. In Proceedings of the 13th European Wireless Conference, Paris, France, accepted for publication, April 2007.
I. Martinovic, F. A. Zdarsky, and J. B. Schmitt. On the Way to IEEE 802.11 DoS Resilience. In Proceedings of IFIP Networking 2006, Workshop on Security and Privacy in Mobile and Wireless Networking, Coimbra, Portugal. Springer LNCS, May 2006.
B. Schneier. Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Inc., New York, NY, USA, 2000.
S. Whalen. Introduction to ARP Spoofing, http://www.node99.org/projects/arpspoof/arpspoof.pdf (last access: 2006-10-24).
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 International Federation for Information Processing
About this paper
Cite this paper
Martinovic, I., Zdarsky, F.A., Bachorek, A., Jung, C., Schmitt, J.B. (2007). Phishing in the Wireless: Implementation and Analysis. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_13
Download citation
DOI: https://doi.org/10.1007/978-0-387-72367-9_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9
eBook Packages: Computer ScienceComputer Science (R0)