Beware of ARP Attacks

The use of encryption and authentication mechanisms can certainly improve the
security of a wireless LAN; however, smart hackers can still find vulnerabilities
due to the way that networking protocols operate. A definite weakness is the
common address resolution protocol (ARP) that all TCP/IP networks utilize.
A hacker with the right tools can exploit ARP and take control of the wireless
LAN.

ARP Basics

ARP is a crucial function used by a sending wireless or wired network interface
card (NIC) to discover the physical address of a destination NIC. The physical
address of a card is the same as the Medium Access
Control (MAC)
address, which is embedded in the card by the manufacturer
and unique from any other NIC or network component. A part of the MAC address
corresponds to the product vendor, which is how monitoring analyzers such as
AirMagnet can display the
vendor of a specific access point.

The MAC address is analogous to the street address of your home. Just as someone
must know this address to send you a letter, a sending NIC must know the MAC
address of the destination. The NIC only understands and responds to the physical
MAC address.

The application software that needs to send the data will have the IP address
of the destination, but the sending NIC must use ARP to discover the corresponding
physical address. It gets the address by broadcasting an ARP request packet
that announces the IP address of the destination NIC.

All stations will hear this request, and the station having the corresponding
IP address will return an ARP response packet containing its MAC address and
IP address. The sending station will then include this MAC address as the destination
address in the frame being sent. The sending station also stores the corresponding
IP address and MAC address mapping in a table for a period of time or until
the station receives another ARP response from the station having that IP address.

ARP Security Issues

A problem with ARP is that it introduces a security risk resulting from ARP
spoofing. For example, a hacker can fool a station by sending from a rogue network
device a fictitious ARP response that includes the IP address of a legitimate
network device, such as a wireless access point or router, and the MAC address
of the rogue device. This causes all legitimate stations on the network to automatically
update their ARP tables with the false mapping.

Of course these stations will then send future packets to the rogue device
rather than the legitimate access point or router. This is a classic man-in-the-middle
attack, which enables a hacker to manipulate user sessions. As a result, the
hacker can obtain passwords, capture sensitive data, and even interface with
corporate servers as if they were the legitimate user.

Secure ARP

In order to circumvent ARP spoofing, vendors such as OptimumPath implement secure
ARP (SARP). This enhancement to ARP provides a special secure tunnel between
each client and the wireless access point or router, which ignores any ARP responses
not associated with the clients on the other end of the secure tunnels. Therefore,
only legitimate ARP responses provide the basis for updating ARP tables. The
stations implementing SARP are free from spoofing.

The use of SARP, however, requires the installation of special software on
each client. Consequently, SARP is not practical for public hotspots. Enterprises,
though, can generally install SARP on clients and be much freer from man-in-the-middle
attacks.

Jim Geier provides independent consulting services to companies
developing and deploying wireless network solutions. He is the author of the
book,
Wireless LANs
and offers training
focusing on wireless LANs.

News Around the Web