Proceedings of the 2003 IEEE

Workshop on Information Assurance

United States Military Academy, West Point, NY June 2003

Wireless Security Threat Taxonomy

Donald Welch, Senior Member, IEEE, and Scott Lathrop

Several papers have published very specific threats to wireless WLANs all use the same layer 2 packets; the difference is
networks—specifically in the area of attacks against the IEEE in the physical layer. 802.11a uses a higher frequency
802.11 Wired Equivalency Protocol (WEP). Other papers have than 802.11b or one of the possible flavors of 802.11g.
addressed wireless attacks based on the attack models used in This higher frequency means that the radio transmission
wired networks. However, the different characteristics of
will not travel as far and will not propagate through solid
wireless networks require looking at the threat differently. We
present a Wireless Threat Taxonomy that we used to build the objects as well the low frequency standard. This tends to
security architecture for the Wireless Network at West Point. help limit eavesdropping, but in no way eliminates the
threat. Also 802.11a has about 5 times the bandwidth that
Index terms – Wireless, Threat, Information Assurance, 802.11b does. This higher bandwidth means that attacks
802.11 that require data collection can be executed faster on an
802.11a WLAN than on an 802.11b WLAN. Most of the
attack techniques highlighted here can be applied to other
I. INTRODUCTION wireless network protocols, such as IEEE 802.15, a
wireless personal area network specification similar to
Wireless Local Area Networks (WLAN) are increasing in Bluetooth.
popularity. They are being installed by businesses of all
types, educational institutions, governments, and the We look at the threat from two points of view: the insider
military. WLANs provide users a significant mobility and the outsider. The outsider has access to the wireless
advantage as users can access their information in many network and the software and hardware that can be
locations, some of which are more conducive to purchased or otherwise obtained publicly. The insider is a
collaboration. The freedom and mobility that WLANs valid user of the wireless network whose goal is to obtain
promise, however, also present some serious security access to information which she would not otherwise be
challenges. In the military domain, the department of entitled. The insider has valid software, hardware, and
defense’s (DoD) transition from industrial-age to certificates for both the wired network and WLAN.
network-centric warfare brings with it technical
challenges that are highly dependent and revolve around We start by examining attacks against the confidentiality
the successful implementation of a robust and secure of communication on the network. We then move into
wireless network of systems. These networks must those attacks that actually alter the network traffic, hence
address the threats described here. destroying the integrity of the information on the network.
We do not discuss availability attacks against a wireless
WLANs are not limited by network jacks nor are they network as they include techniques such as electronic
limited by geography. WLANs provide unprecedented jamming which goes beyond the scope of this paper.
flexibility in that an area not originally intended as a
collaborative workspace can accommodate a large When looking at confidentiality attacks we start with the
number of wireless clients. Auditoriums now least intrusive and work towards more intrusive attacks.
accommodate hundreds of networked computers just by Of the seven attack techniques in our taxonomy, three
plugging a few Wireless Access Points (WAPs) into the violate just the confidentiality or privacy of the session:
network. The radio waves used for WLAN propagate traffic analysis, passive eavesdropping, and active
quite well. The advertised ranges for wireless network eavesdropping. One technique can be used to violate
interface cards range up to 300 feet. In reality, 802.11b confidentiality and/or integrity -- the man-in-the-middle
networks can be accessed over one-half mile away in an attack. Three attack techniques violate the integrity of the
urban environment. [1] network traffic: unauthorized access, session high jacking,
and the replay attack.
This paper addressees known security threats to IEEE
802.11 networks focusing specifically on 802.11a because The integrity attack techniques generally require
that is the standard we implemented. However, the successful use of one or more of the confidentiality attack
difference between 802.11a and other protocols in the techniques.
802.11 family is trivial with respect to security. 802.11

ISBN 555555555/$10.00 2003 IEEE

 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

II. THREATS information acquired from traffic analysis. Unless

explicitly turned off, access points broadcast their Service
In this section we describe seven attack techniques that Set Identifiers (SSIDs) in order to identify themselves to
we use to compare the security technologies available. wireless nodes desiring access to the network. The SSID
We chose these attack techniques to be generic enough so is a parameter that must be configured in the wireless
that they can be used to evaluate representative security card’s driver software for any wireless station desiring
technologies. We also strove to make them complete, in access to a wireless LAN. By broadcasting this
that any well-known attack can be decomposed and the information, access points allow anyone in their area to
components can all be classified into one of these attack identify them with simple locator software. If a
techniques. directional antenna is used along with a Global
Positioning System (GPS), an attacker may know not only
A complete information assurance risk assessment that there is an AP(s) in the area, but may also obtain the
requires a focus on the threats against the three key physical location of the access point or the center of the
components of assuring information. That is, the wireless network. From a military standpoint, this is the
information system should protect against confidentiality, same technique used in triangulating radio
integrity, and availability (CIA) attacks. We chose not to communications or field artillery batteries for the purpose
discuss attacks on the WLAN availability, otherwise of counterfire.
known as denial of service attacks. Denial of Service
attacks against layer 1 or layer 2 cannot be defeated by The third piece of information that an attacker may learn
any of the security technologies that we know about, of through traffic analysis is the type of protocols being
hence we do not feel it worth discussing here. used in the transmissions. This knowledge is obtained
based on the size, type and the number of packets in
A. Traffic Analysis transmission over a period of time. A simple example of
this attack is the analysis of a Transmission Control
Traffic analysis is a simple technique whereby the Protocol (TCP) three-way handshake. TCP synchronizes
attacker determines the load on the communication the communication between two end nodes by
medium by the number and size of packets being transmitting a series of three packets. The sender
transmitted, the source and destination of the packets and transmits a synchronize (SYN) packet to let the receiver
the type of packets. The assumption is that the payload of know it wants to communicate, to provide it with the
the packets is encrypted and the attacker cannot decrypt sender’s initial sequence number, and to pass other
the payload. This leaves only the header and any trailer parameters used in the protocol. The receiver then replies
information visible to the attacker. The attacker only with its initial sequence number an acknowledgement of
needs a wireless card operating in promiscuous (i.e. the original sender’s sequence number (SYNACK).
listening) mode and software to count the number and Finally, the original sender transmits an
size of the packets being transmitted. A simple yagi or acknowledgement of the receiver’s initial sequence
helical directional antenna provides an increased range at number (ACK) and then the transmission of application
which the attacker may analyze traffic. A yagi antenna is data between the two nodes may commence. Each packet
a simple directional antenna consisting of a horizontal used in the three way handshake is a fixed size in terms of
conductor with several insulated dipoles parallel to and in the number of bytes transmitted.
the plane of the conductor. It has been shown that making
a simple yagi antenna out of a “Pringles” can, a steel rod,
and some washers, an attacker may double the range at
which they are receiving transmissions. A helical, or
spiral antenna, built for less than $100 out of PVC
plumbing pipe and copper wire, increases the range by
more than double the original distance. [2]

Traffic analysis allows the attacker to obtain three forms

of information. The attack primarily identifies that there
is activity on the network. Similar to standard radio
communications, a significant increase in the amount of
network activity serves as an indicator for the occurrence
of a large event.

The identification and physical location of wireless access

points (APs) in the surrounding area is a second form of Figure 1: Layer Encryption

ISBN 555555555/$10.00 2003 IEEE

 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

Most encrypted tunnels are implemented at layer 2 or

layer 3. This leaves the header information exposed for Passive eavesdropping requires reading the payload of the
the implementation layer and all lower layers as packets. Stream ciphers, like WEP are vulnerable to a
illustrated in Figure 1. The attacker can identify the number of passive attacks. WEP is particularly
source and destination by MAC address when layer 2 vulnerable because if its small Initialization Vector and
encryption is employed. Layer 3 encryption leaves the IP poor stream cipher implementation. [10] [11] [5] Because
addresses of the sender and receiver open for viewing. In of the finite number of initialization vector (IV)
most cases the type of traffic is evident from reading the sequences, WEP’s reuse of the IV makes it susceptible to
layer 3 header. attack. Rapid rekeying and other modifications make
stream ciphers less vulnerable, but with a stream cipher it
B. Passive Eavesdropping is always a race between the attacker and defender. Block
ciphers such as AES or 3DES are a much stronger form of
In this attack the attacker passively monitors the wireless encryption. Currently there are not any public practical
session (Figure 2) and the payload. If the payload is attacks on these encryption techniques. From a practical
encrypted, this includes breaking the encryption to read point of view passive eavesdropping is only possible
the plaintext. The only precondition is that the attacker against unencrypted and stream cipher encrypted packets.
has access to the transmission. As described in the
previous section, a directional antenna can detect 802.11 C. Active Eavesdropping
transmissions under the right conditions miles away.
Therefore, this is an attack that cannot easily be stopped The active eavesdropping technique involves the attacker
by using physical security measures. injecting data into the communication to help decipher the
payload. The attacker monitors the wireless session as
One would believe that wireless network users would described in passive eavesdropping. Unlike passive
configure their wireless access points to include some eavesdropping, however, during active eavesdropping, the
form of encryption; however, studies have shown that less attacker not only listens to the wireless connection, but
than half of the wireless access points in use even have also actively injects messages into the communication
the vulnerable 802.11 wireless security standard, the medium in order to assist her in determining the contents
wired equivalent privacy (WEP) protocol, properly of messages. The preconditions for this attack are that
configured and running. [1] the attacker has access to the transmission and has access
to either part of plaintext such as a destination IP address
The attacker can gain two types of information from or the contents of the entire payload.
passive eavesdropping. The attacker can read the data
transmitted in the session and can also gather information Active eavesdropping attacks can take two forms: the
indirectly by examining the packets in the session, attacker can modify a packet or can inject complete
specifically their source, destination, size, number, and packets into the data stream. Since WEP uses a cyclic
time of transmission. The impact of this type of attack is redundancy check (CRC) to verify the integrity of the
that not only is the privacy of the information data in the packet, an attacker can modify messages (even
compromised, but the information gleaned is an important in encrypted form) so that changing data in the packet (i.e.
precondition for other, more damaging attacks. the destination IP address or destination TCP port) cannot
be detected. The attacker’s only requirement is to
determine the bit difference between the data they want to
inject and the original data.

An example of active eavesdropping with partially known

plaintext is IP Spoofing. The attacker changes the
destination IP address of the packet to the IP address of a
host she controls. The access point does the decryption
prior to forwarding the altered packet on to the attacker’s
host. In the case of a modified packet, the authentic
receiving node will request a resend of the packet and so
Figure 2: Passive Eavesdropping the attack will not be apparent.

If the session is encrypted at layer 2 or higher using a For more details on how the CRC-32 integrity checker is
protocol such as Wired Equivalent Protocol (WEP) or the vulnerable see Borisov, Goldberg and Wagner’s papers.
Advanced Encryption Standard (AES), then in order to [11] [9] [4] [5]
read the data the attacker has to decrypt the packets.
[3][4][5][6][1][7][8][9]

ISBN 555555555/$10.00 2003 IEEE

 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

Using the weaknesses in WEP and other stream ciphers, E. Man-in-the-middle

the attacker can inject known traffic into the network in
order to decrypt future packets sent by others. For If the packets being transmitted are encrypted only at the
example, if the attacker is an insider and sends an email network layer, or layer 3, then the attacker can obtain the
message destined to their own computer on the wireless header information from the data link layer (layer 2) and
LAN or to the victim, the IV associated with that message layer 3. A VPN or IPsec security solution entails such a
now enables the attacker to decrypt packets in the future countermeasure. Although these solutions protect the
using the same IV. Mathematically, when the same IV is users from a direct confidentiality attack against the
used where C is ciphertext and P is plaintext, application data, it does not deny indirect confidentiality
C1 C2 P1 P2 attacks such as man-in-the-middle, session hijacking, or
If you know P1 and can acquire C1 and C2 by replay attacks.
eavesdropping then it is trivial to compute P 2. The same
type of attack can occur by sending web traffic or
knowing where the user is browsing. One could quickly
build a database of (IV, P1) in order to decrypt any layer 2
encryption using WEP. The only defense against this
attack is to frequently change the WEP key so as to
guarantee that you will have unique (IV, key) pairs. The
successful implementation of frequently changing WEP
keys depends on the initial authentication method, the
exchange of the private key, and the frequency at which
the WEP key is updated. Such implementations are
complicated, only guarantee to slow an attacker, and do
not necessarily preclude previously described WEP
attacks.

D. Unauthorized Access Figure 4: Man-in-the-middle Attack

Unauthorized Access is different from any of the previous
attack types that we have discussed in that it is not A man-in-the-middle attack (Figure 4) can be used to read
directed at any individual user or set of users on the private data from a session or to modify the packets thus
WLAN. It is directed against the network as a whole. violating the integrity of a session. This is a real-time
Once an attacker has access to the network, she can then attack, meaning that the attack occurs during a target
launch additional attacks or just enjoy free network use. machine’s session. The data may be read or the session
Although free network use may not be a significant threat modified as it occurs. The attacker will know the
to many networks, access is a key step in ARP based contents of the message prior to the intended recipient
man-in-the-middle attacks. receiving it, or change the message en route.

There are multiple ways to implement this attack. One

example is when the target has an authenticated session
underway. Figure 4Error! Reference source not found.
illustrates this type of attack technique. In step one, the
attacker breaks the session and does not allow the target
to re-associate with the access point. In step two, the
Figure 3: Unauthorized Access target machine attempts to re-associate with the wireless
network through the access point and is only able to
associate with the attacker’s machine which is mimicking
Due to the physical properties of WLANs, attackers will the access point. Also in step two, the attacker associates
always have access to the wireless component of the and authenticates with the access point on behalf of the
network (Figure 3). In some wireless security target. If an encrypted tunnel is in place the attacker
architectures this will also grant the attacker access to the establishes two encrypted tunnels between it and the
wired component of the network. In other architectures, target and it and the access point. [12] [4] [8] [9]
the attacker must use some technique like MAC address
spoofing to gain access to the wired component of the Variations on this attack technique are based on the
network security mechanisms employed. The more security
mechanisms in use the more security mechanisms that the

ISBN 555555555/$10.00 2003 IEEE

 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

attacker will have to subvert when reestablishing the

connection with both the target and the access point.
Without encryption or authentication in use the attacker
establishes a rogue access point. The target unwittingly
associates to the rogue which acts as a proxy to the actual
wireless network. If authentication is in place the attacker
must defeat the authentication mechanism to establish
new connections between herself and the target and
herself and the access point. If encryption is in use, the
attacker must also subvert the encryption to either read or
modify the message contents. Since 802.11
authentication is not mutual between the access point and
the client, and the default encryption (WEP) is easy to
crack, man-in-the-middle attacks are somewhat trivial on Figure 5: ARP Attack
802.11 networks.
Denying this attack technique is an absolutely vital step in
Address Resolution Protocol (ARP) attacks are a designing the security architecture. Denying access to the
particularly dangerous subset of man-in-the-middle WLAN limits the attacker’s possibilities for further
attacks because these attacks can be directed against attack. Defending against unauthorized access will make
targets on the wired component of the network, not just successful attack on the integrity of the WLAN much
wireless clients. The attack can involve either more difficult.
circumventing the authorization mechanism, if it exists, or
providing false credentials. The ARP attack differs from We have separated ARP redirection attacks from Man-In-
the other attack techniques in that the credentials may in The-Middle attacks because ARP redirection does not
fact belong to a valid user. The attacker is only gaining require that the attacker establish sessions with the target
access to the network and is not masquerading as the and the network. ARP attacks can be a way of
target. This may be an ambiguous distinction but we find performing traffic analysis or passive eavesdropping.
it useful when analyzing authorization technologies. [12]
[9] [13] [5] [14] [15]
F. Session High-Jacking
The Address Resolution Protocol (ARP) maps the Media
Session High Jacking is an attack against the integrity of a
Address Controller (MAC) address (Layer 2) of a network
session. The attacker takes an authorized and
node to the Internet Protocol address (Layer 3). Altering
authenticated session away from its proper owner. The
the mapping of the MAC address to IP address allows an
target knows that it no longer has access to the session but
attacker to reroute network traffic through her machine.
may not be aware that the session has been taken over by
With the session passing through the attacker’s computer
an attacker. The target may attribute the session loss to a
the attacker can read plaintext, collect encrypted packets
normal malfunction of the WLAN. Once the attacker
for later decryption, or modify the packets in the session.
owns a valid session she may use the session for whatever
ARP cache poison attacks are contained by routers but a
purposes she wants and maintain the session for an
great deal of damage can be done with a successful ARP
extended time. This attack occurs in real-time but can
Cache Poisoning attack. [16] [17] [18]
continue long after the victim thinks the session is over.
To carry out a successful attack the attacker must have
To successfully execute Session High Jacking the attacker
access to the network but nothing else. The attacker
must accomplish two tasks. First she must masquerade as
sends a forged ARP reply message that changes the
the target to the wireless network. This includes crafting
mapping of the IP address to the given MAC address.
the higher-level packets to maintain the session, using any
The MAC address is not changed just the mapping. Once
persistent authentication tokens and employing any
the cache has been modified the attacker can act as a
protective encryption. This requires successful
Man-In-The-Middle between any two hosts in the
eavesdropping on the target’s communication to gather
broadcast domain. This is illustrated below in Figure 5
the necessary information as shown in step one of Figure
where an attacker on a wireless client has access to
6 below. The second task the attacker must perform is to
sessions between two wired hosts.
stop the target from continuing the session. The attacker
normally will use a sequence of spoofed disassociate
packets to keep the target out of the session as depicted in
step two below. [14] [13] [19]

ISBN 555555555/$10.00 2003 IEEE

 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

manipulate the WLAN by selectively modifying parts of

the packet to achieve a desired outcome. [20] [5] [4] [7]
[21]

III. COUNTER MEASURES

To mitigate the risks from these attack techniques a

security architecture must have four components: mutual
authentication, block cipher encryption of the payload,
strong cryptographic integrity protection and a firewall
between the wireless and wired components of the
network. The absence of any one of these components
leaves the WLAN open to attack through well-known
attacks.
Figure 6: Session Hijacking
Mutual authentication means that both the client and the
access point authenticate each other. The access point
knows that it is opening a session with an authorized
G. Replay client and the client knows that it is opening a session
with a legitimate access point. Authenticating the access
Replay attacks are also aimed at the integrity of the point stops man-in-the-middle attacks. Strongly
information on the network if not necessarily the integrity authenticating the client makes replay and session high-
of a specific session. Replay attacks are used to gain jacking attacks more difficult.
access to the network with the authorizations of the target,
but the actual session or sessions that are attacked are not Block cipher encryption of the payload stops passive
altered or interfered with in anyway. This attack is not a eavesdropping attacks. Depending on the implementation
real-time attack; the successful attacker will have access it also makes many other attacks more difficult. Another
to the network sometime after the original session(s). important aspect of the encryption is the layer at which
the packets are encrypted. Layer 2 encryption limits
traffic analysis while layer 3 is more flexible. Layer 2
encryption also makes active eavesdropping attacks much
more difficult. If the implementation and configuration is
sound, replay and session high-jacking attacks become
very difficult.

Strong cryptographic integrity verification is the key to

stopping active eavesdropping. It also plays an important
role, along with payload encryption, in stopping replay
and session high-jacking attacks.

A firewall that stops all network traffic from

unauthenticated clients from reaching the wired network
is absolutely critical to a secure architecture. By not
Figure 7: Replay Attack
stopping unauthorized access ARP attacks are possible all
the way back to the first router in the wired network.
In a replay attack (Figure 7), the attacker captures the ARP attacks are a form of man-in-the-middle attacks; as
authentication of a session or sessions. The attacker then such they can affect the integrity of the information and
either replays the authenticated session at a later time or are devastating.
uses multiple sessions to synthesize the authentication
part of a session. Since the session was valid, the attacker These components, properly implemented and configured,
establishes an authenticated session without being privy will result in a wireless network component that offers
to any shared secrets used in authentication. Without little to no additional threat to the network as a whole.
further security mechanisms the attacker may interact Neglecting any one of these components exposes the
with the network using the target’s authorizations and network to a significant increase in risk.
credentials. If the WLAN employs encryption that the
attacker cannot defeat the attacker may still be able to
ISBN 555555555/$10.00 2003 IEEE
 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

IV. CONCLUSION
202/1202f1dfull.html&pub=nwc accessed 20 September
In this paper we did not address denial of service attacks 2002.
on wireless networks. Interfering with a wireless [4] Moioli, Fabio, Security in Public Access Wireless
transmission is very easy to do and difficult to stop. An LAN Networks, Masters Thesis, Department of
attacker with a stronger transmitter or advantageous Teleinformatics, Royal Institute of Technology,
location can cause significant availability problems. Stockholm, Sweden. 12 June 2000.
Mitigating these risks is far beyond the scope of this [5] Borisov, Nikita, Ian Goldberg and David Wagner,
paper. Because management packets in 802.11 are not Intercepting Mobile Communications: The Insecurity of
authenticated, even a weak transmitter can broadcast 802.11, in the Proceedings of the Seventh International
forged disassociate packets and keep legitimate users off Conference on Mobile Computing and Networking, July
the network. 16-21, 2001.
[6] Internet Security Systems, Wireless LAN Security:
Another key aspect that we did not address is key 802.11b and Corporate Networks. ISS Technical White
distribution. The encryption keys for the authentication Paper. Webpage online available at
and the payload as well as the actual authentication keys http://documents.iss.net/whitepapers/wireless_LAN_secur
themselves must be available to all participants. ity.pdf last accessed 20 September 2002.
Problems with key distribution can undo all the security [7] Chickinsky, Alan, Wireless LAN Security Threats.
effort put into designing a secure architecture. Document IEEE 802.11-01/258
[8] Colubris Networks, Inc. Comparing Colubris IPSEC
That said, we have described a simple taxonomy for Wireless Access Point Solutions with Wireless
attack techniques that can be used to construct all the Middleware Gateways. 2002 Webpage online available at
well-known wireless attacks. By understanding these http://download.colubris.com/library/whitepapers/WP-
seven attack techniques and using them to analyze a 020912-EN-02-00.pdf last accessed 20 September 2002.
wireless security architecture, the network designer can [9] Colubris Networks, Inc. Comparing Colubris IPSEC
understand the risk and take the proper mitigation steps. Wireless Access Point Solutions with Cisco Safe for
Wireless LANs. 2002 Webpage online available at
By using this taxonomy we determined that the minimum http://download.colubris.com/library/whitepapers/WP-
components of a secure WLAN architecture include at 020912-EN-01-00.pdf last accessed 20 September 2002.
firewall between the wireless and wired components of [10] Arbaugh, William, Narendar Shankar and Y.C. Justin
the network, private mutual authentication, block cipher Wan, Your 802.11 Wireless Network has No Clothes.
encrypted payloads (preferably at layer 2), and strong Department of Computer Science University of Maryland.
cryptographic integrity checking. We used this taxonomy Web page online available at
in designing the West Point wireless network component. http://www.cs.umd.edu/~waa/wireless.pdf last accessed
The wireless component first phase includes seven 20 September 2002.
buildings, 369 access points and will eventually grown to [11] Borisov, Nikita, Ian Goldberg and David Wagner,
5,000 users. It meets the DoD policy for secure Security of the WEP Algorithm. Webpage online
unclassified wireless networks. available at http://www.isaac.cs.berkeley.edu/isaac/wep-
faq.html last assessed 26 September 2002.
V. REFERENCES [12] Lynn, Mike and Robert Baird, Advanced 802.11
Attack, presentation to Black Hat 2002 Conference, Las
Vegas, NV 31 July 2002. Available at
[1] Ellison, Craig, Exploiting and Protecting 802.11b http://www.blackhat.com/presentations/bh-usa-02/baird-
Wireless Networks, 4 September 2001, webpage online lynn/bh-us-02-lynn-802.11attack.ppt last accessed 20
http://www.extremetech.com/print_article/0,3998,a=1388 September 2002.
0,00.asp ExtremeTech.com last accessed 20 September [13] Schwartz, Ephraim, Researcher crack new wireless
2002. security spec. InfoWorld. 14 February 02. Webpage
[2] Leoutre, Marc, Edward Post, Mark Reigner, and Scott online available at
Lathrop, Wireless Security: Wireless Antennas and http://staging.infoworld.com/articles/hn/xml/02/02/14/020
Footprint Analysis, Unpublished Research Paper. United 214hnwifispec.xml, last accessed 1 Oct 02.
States Military Academy, West Point, NY, May 2002. [14] Mishra, Arunesh and William Arbaugh, An Initial
[3] Fratto, Mike, Mobile & Wireless Technology Tutorial: Security Analysis of The IEE 802.1X Standard.
Wireless Security in Network Computing, 22 January University of Maryland, Department of Computer Science
2001, CMP United Business Media, webpage online and University of Maryland Institute for Advanced
http://www.nwc.com/shared/printArticle.jhtml?article=/1 Computer Studies Techniacal Report CS-TR-4328 and
UMIACS-TR-2002-10 6 February 2002.

ISBN 555555555/$10.00 2003 IEEE

 Proceedings of the 2003 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY June 2003

[15] Potter, Bruce, 802.1x: What it is, How it’s broken,

and How to fix it. presentation to Black Hat 2002
Conference, Las Vegas, NV 31 July 2002. Available at
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-
speakers.html#Bruce%20Potter last accessed 20
September 2002.
[16] Whalen, Sean, An Introduction to Arp Spoofing,
April 2001 webpage online available at
http://packetstormsecurity.nl/papers/protocols/intro_to_ar
p_spoofing.pdf last accessed 20 September 2002.
[17] Fleck, Bob and Jordan Dimov, Wireless Access
Points and ARP Poisoning: Wireless vulnerabilities that
expose the wired network. White Paper by Cigital, Inc.
http://www.cigital.com.
[18] Carey, Allan, Wireless Security Vulnerabilities
continue to Surface: Cigital Identifies the Latest. White
Paper by Cigital, Inc. http://www.cigital.com. October
2001.
[19] Skoudis, Ed, Counter Hack: A Step-by-Step Guide t
Computer Attacks and Effective Defenses. Prentice Hall,
Upper Saddle River, New Jersey, 2002. pp 351-358.

[20] Krishnamurthy, Prashnt, Joseph Kabara, Tanapat

Anusas-amornkul, Security in Wireless Residential
Networks, IEEE Transactions on Consumer Electronics,
Vol 48, No 1, February 2002. pp 157- 166.
[21] Karygiannis, Tom and Les Owens, Wireless Network
Security: 802.11, Bluetooth and Handheld Devices
(Draft), National Institute of Standards and Technology
Special Publication 800-48.

ISBN 555555555/$10.00 2003 IEEE