WiMAX is the much-anticipated broadband wireless access mechanism for delivering high-speed connectivity over long distances, making it attractive to Internet and telecommunications service providers. Designed by the IEEE 802.16 committee, WiMAX was developed after security failures from the early IEEE 802.11 networks. Aware of the importance of security, the 802.16 working groups designed several mechanisms to protect the service provider from theft of service, and to protect the customer from unauthorized information disclosure.
A fundamental principle in 802.16 networks is that each subscriber station (SS) must have a X.509 certificate to uniquely identify the subscriber. This certificate makes it difficult for an attacker to spoof the identity of legitimate subscribers. A fundamental flaw in the authentication mechanism used by WiMAX’s privacy and key management (PKM) protocol is the lack of base station (BS) or service provider authentication. This makes WiMAX networks susceptible to man-in-the-middle attacks. The 802.16e amendment added support for the Extensible Authentication Protocol (EAP) to WiMAX networks. Support for EAP protocols is currently optional for service providers.
With the 802.16e amendment, support for the AES cipher is available, providing strong support for confidentiality of data traffic. Like the 802.11 specification, management frames are not encrypted, allowing an attacker to collect information about subscribers in the area and other potentially sensitive network characteristics.
WiMAX deployments will use licensed RF spectrum, giving some measure of protection from unintentional interference. It’s reasonably simple, however, for an attacker to use readily available tools to jam the spectrum for all planned WiMAX deployments. An attacker can also use legacy management frames to forcibly disconnect legitimate stations, similar to the deauthenticate flood attacks used against 802.11 networks.
Despite good intentions for WiMAX security, there are several potential attacks open to adversaries, like Rogue Base Stations, DoS Attacks and man-in-the-middle Attacks.
The real test of WiMax security will come when providers begin wide-scale network deployments, and researchers and attackers have access to commodity CPE equipment. Until then, the security of WiMAX is limited to speculation.
Wright is a senior security researcher for Aruba Networks, editorial board member of the Wireless Vulnerabilities and Exploits project and senior instructor at the SANS Institute.