This article describes IEEE 802.11-specific hacking techniques that attackers have used, and suggests various defensive measures. We describe sniffing, spoofing and probing in the context of wireless networks. We describe how SSIDs can be determined, how a sufficiently large number of frames can be collected so that WEP can be cracked. We show how easy it is to cause denial-of-service through jamming and through forged disassociations and deauthentications. We also explain three man-in-the-middle attacks using wireless networks. We give a list of selected open-source tools. We summarize the activity known as war driving. We conclude the article with several recommendations that will help improve security at a wireless deployment site.

1. Introduction

Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.

We use the term hacking as described below.

hacker n. [originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limi