Internet.com ISP-Planet

 


Fixed Wireless Technology

Beware the Bandwidth Thieves

How big a problem for wireless ISPs is bandwidth theft? How often are hackers posing as customers and using your network bandwidth without paying for it? You may never know. That's half the problem.

by Gerry Blackwell
[September 30, 2003]

Unless legitimate customers call and say they're being denied access, it's unlikely you'll ever detect bandwidth thieves on your network. Here's how theft happens.

If you use MAC address authentication as your only security mechanism, especially if you have an 802.11b-based wireless infrastructure, it's ridiculously easy for savvy hackers to break in. The MAC (Media Access Control) address is the supposedly fixed identifier on a network client device.

Too many WISPs—and enterprise WLAN managers too—do a quick and dirty kind of authentication that requires no effort on the part of the subscriber/user and adds little overhead to the network—which is why they do it this way, says Jim Portaro, CTO and co-founder of NeTeam, an Akron, Ohio-based wireless systems integrator.

The system compiles a table (a list) of MAC addresses of devices its legitimate customers use, and stores the list at each access point.

When a user tries to associate with that access point, it automatically sends its MAC address as part of the process. The access point looks up the address in its table and if it's there, allows the user on the network. If the address is not in the table, it denies access.

Here's the problem. Contrary to what you may believe—and what some vendors may tell you—the MAC address on a wireless device can be changed.

The tools to do it are available to original equipment manufacturers for testing and configuration purposes. Naturally those tools have now become available to the hacker community. In some cases, if you know where to look, software is downloadable from the Web and bulletin boards.

"I don't consider myself a hacker," says Portaro. "But I think it's safe to say that these tools are available for most if not all [Wi-Fi] cards. We work with them ourselves sometimes and, yes, we've seen them open to the public."

The other part of the hacker arsenal needed to "spoof" a MAC address—change the address of a client device so that it can pretend to be another device—is even more readily available.

Using legitimate network management software tools such as Sniffer Wireless 4.7 from Network Associates Inc., Network Instruments LLC's Observer Version 8.1 or AiroPeek NX from WildPackets Inc., hackers can detect wireless traffic and intercept transmissions.

Within those transmissions, they will find legitimate MAC addresses. It's then a simple matter to change the address on their own device to that of a valid subscriber/user.

The hacker can't associate with that access point, or probably any other access point in the network, until the legitimate user with that MAC address logs off.

But in a typical WISP environment, that may be every night when subscribers power down. In a Wi-Fi hotspot environment, of course, customers may log on and off every few minutes.

Once the legitimate user logs off, the hacker can jump on and pose as that customer. And you'll never know.

"How prevalent it is [in WISP networks], we're just not sure," Portaro admits. "Until one of your users complains about denial of service on their [network] card, you don't know."
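The collision described above does leave traces in access-point logs before a customer calls. The following sketch is an added example, not code from the article or from any vendor: it flags an allow-listed MAC that associates while a session is already open, or that shows up with a signal level far from what a fixed subscriber normally presents. The log format, AP names, MAC addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (format is an assumption, not a vendor's syslog):
# timestamp, access point, event, client MAC, received signal strength (dBm).
SAMPLE_LOG = """\
2003-09-26T08:00:05 ap-north ASSOC 02:00:00:aa:bb:01 -61
2003-09-26T23:10:41 ap-north DISASSOC 02:00:00:aa:bb:01 -61
2003-09-27T08:03:12 ap-north ASSOC 02:00:00:aa:bb:01 -60
2003-09-27T23:02:07 ap-north DISASSOC 02:00:00:aa:bb:01 -60
2003-09-28T07:58:44 ap-north ASSOC 02:00:00:aa:bb:01 -62
2003-09-28T09:00:00 ap-south ASSOC 02:00:00:cc:dd:02 -70
2003-09-28T23:15:30 ap-north DISASSOC 02:00:00:aa:bb:01 -62
2003-09-28T23:41:19 ap-north ASSOC 02:00:00:aa:bb:01 -84
2003-09-29T08:01:02 ap-north ASSOC 02:00:00:aa:bb:01 -61
"""

def find_suspect_macs(log_text, tolerance_db=12, min_history=3):
    """Return (timestamp, mac, reason) alerts for allow-listed MACs that look cloned."""
    baseline = defaultdict(list)  # mac -> [(ap, rssi)] from unremarkable associations
    active = {}                   # mac -> AP where the address is currently associated
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, ap, event, mac, rssi = line.split()
        mac, rssi = mac.lower(), int(rssi)
        if event == "DISASSOC":
            active.pop(mac, None)
            continue
        if event != "ASSOC":
            continue
        seen = baseline[mac]
        if mac in active:
            # Same address arriving while a session is open: the collision the
            # article says normally surfaces only as a customer complaint.
            alerts.append((ts, mac, "collision"))
            continue
        active[mac] = ap
        if len(seen) < min_history:
            seen.append((ap, rssi))  # still learning this subscriber's normal link
        elif ap not in {a for a, _ in seen}:
            alerts.append((ts, mac, "new-ap"))
        elif abs(rssi - median(r for _, r in seen)) > tolerance_db:
            alerts.append((ts, mac, "rssi-shift"))
        else:
            seen.append((ap, rssi))  # only normal associations extend the baseline
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_macs(SAMPLE_LOG):
        print(*alert)
```

The signal-strength check relies on fixed-wireless subscribers not moving, and a client that reassociates after a dropped link without a logged disassociation will also raise a collision alert, so treat the output as leads to investigate rather than proof.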

It may be the case that hackers have enough other easy prey—poorly secured residential and enterprise wireless LANs connected to the Internet—that they don't need to bother with usually better protected WISP networks, Portaro suggests.

But don't count on it, he adds, especially if you're in a less built-up area where such prey may be harder to find.

The good news is that solutions to the MAC address spoofing problem are well understood. The bad news: they generally require time and effort at the very least, and in some cases, investment in new network hardware.

The simplest solution is to implement WEP (Wired Equivalent Privacy) encryption on a Wi-Fi network. WEP is the much-written-about but flawed native encryption scheme for Wi-Fi.

With WEP activated, the hacker can still sniff out a MAC address, because it's typically sent in the open, but the hacker won't be able to communicate over the network without an encryption key.

WEP requires no additional hardware or software. However, there is always a network performance hit when using encryption, Portaro points out. Plus, WEP keys can be broken.

The most serious downside to implementing a new regime of using WEP encryption, though, is that it sorely tasks the ISP. At the very least, each subscriber or user must be contacted and walked through the process of reconfiguring their device. Or the service provider must visit each subscriber.

"It's a management play," Portaro says. "Even if it's not feet on the street, it's sending out letters and e-mails instructing users what to do. That's the biggest push-back you'll get from ISPs [to the idea of adding WEP encryption after the fact]. It is a lot of effort."

Other solutions, such as the wireless network security appliances from Bluesocket and ReefEdge, Inc., require as much effort plus capital investment.

Many ISPs already do the bare minimum, and have RADIUS (Remote Authentication Dial-In User Service) servers, but if they don't, adding RADIUS means hooking up another piece of equipment.

RADIUS servers force customers to log in to the network using a UserID and password. It's not likely such a change would be very popular with customers.

Legitimate UserID and password combinations are stored in a table on the device, which looks up the combination the user sends and allows or blocks access accordingly. Of course, the ID and password are transmitted through the wireless IP stream, and so may be no more secure than WEP itself. If the stream can be read, it may be possible to find the password and ID.

"Again, it's going to require management time," Portaro cautions. "If you put in an appliance or install a RADIUS server, it will take time to build the tables, and to walk users through the authentication process."

So is it worth it? Well, maybe not, Portaro suggests. "If you're not actually running into [the problem], how much money are you going to want to spend to solve it?"

WISPs may not know when they're being victimized, of course. But on the other hand, the worst result of bandwidth theft may be the customer relations hit, when legitimate customers try to log on and are denied because somebody else is already logged on using their MAC address.

It could be argued that if you don't have irate customers calling about being denied access, you don't have the problem.

Clearly the best solution is to design the WISP network with adequate security in the first place—WEP at a minimum.

Or, as Portaro suggests, use proprietary RF infrastructure that is far less likely to be victimized because client devices, unlike with Wi-Fi, are few and expensive, so less tempting for hackers.

—End
