Wireless Networking Security
“…those who would sacrifice freedom for security deserve neither…” Benjamin
Franklin
Why go wireless
The popularity of wireless network is clearly on the increase. But what are the hidden
costs of going wireless? Are we giving up our security?
The main benefits of wireless networking are:


cost
convenience
The main drawbacks are:


speed
security
General Security Issues of Wireless
Networks
Network security issues, whether wired or wireless, fall into three main categories:
availability, confidentiality and integrity:



Confidentiality: is the information being sent across the network transmitted
in such a way that only the intended recipient(s) can read it.
Integrity: is the information reaching the recipient intact
Availability: is the network available to users whenever it is supposed to be
Confidentiality
The main way to ensure that data is not disclosed to unauthorised users is by
encrypting it during transit, and wireless networks are able to do this in just the same
way as wired networks. However, encryption is meaningless without authentication,
since an unauthorised user could authenticate themselves onto the network and then
be given the key with which to decrypt the data.
The traditional model for authorisation is to have some form of centralised system
which stores access control lists. This model is fine for use in networks which have a
relatively static set of users, and so is suitable for Wi-Fi, but in other networks such as
Bluetooth networks, which are much more ad-hoc in nature, this approach becomes
impractical. In ad-hoc networks, not only does the dynamically changing set of users
make updating access control lists infeasible in terms of cost, but there is also no
guarantee that these devices would be able to access any central system. In these
systems, a better approach is to form secure transient associations between devices,
where the decision on who to trust is made either by each device, or by one master
device which instructs the slave devices on how to behave.
There is a lot of interest in this model for applications such as controlling police
weapons. In America, a large proportion of injuries to police officers come from
stolen police guns. If each officer had a very short range ring (the master) associated
with the gun (the slave) it would prevent anyone other than that officer from using the
weapon.
Integrity
Because packets of data in wireless networks are sent through the air, they can be
intercepted and modified quite easily by malicious users. This means that wireless
networks are more vulnerable to attacks on the integrity of data. However, the current
methods used by wired networks to ensure the integrity of packets, such as
checksums, are perfectly adequate for ensuring the integrity of packets in wireless
networks, and so no novel solutions have been adopted.
Availability
Wireless networks are particularly susceptible to DoS (Denial of Service) attacks.
Unlike wired networks, which require the attacker to be physically connected to the
network in some way before they can launch such an attack, with wireless networks
an attacker only has to be within a certain range of the network (usually 100m) to be
able to launch such an attack. These kind of attacks are particularly difficult to stop
since network providers want to allow legitimate users to initiate communications
with the network, and cannot stop malicious users from exploiting this to cause a
denial of service.
Another way in which malicious users can potentially restrict the availability of the
wireless networks is through radio jamming. This involves sending out a lot of noise
on the same frequency as the network uses. However, there are techniques, such as
frequency hopping which can make this kind of attack more difficult. Also, this threat
is less relevant in the non-military world since the 'jammer' could be reported to the
police and arrested.
One kind of attack on the availability of wireless networks which has arisen in the last
few years is battery exhaustion attacks. Because many wireless network devices are
portable and therefore battery powered, malicious users can repeatedly send messages
to the device. This prevents it from going into its sleep mode, and the battery runs
down much faster.
Wi-Fi (Wireless Fidelity)
Standards
Like with most new geeky technologies there is currently a mish mash of standards.
802.11


original 1997 2.4Ghz wireless Ethernet standard
data rate 1 or 2Mbps
802.11a





5Ghz frequency less susceptible to interference
not compatible with 802.11b
data rate of 54Mbps
uses OFDM (Orthogonal Frequency Division Multiplexing)
short range (60 feet)
802.11b





most widely used standard
up to 11Mbps
2.4Ghz frequency is subject to interference
uses direct sequence spread spectrum modulation
long range (300 feet)
802.11g




regarded by most as an extension to the life of 802.11b
uses the OFDM bit of 802.11a and 2.4Ghz bit of 802.11b
same frequency as 802.11b and so backwards compatible
data rate of 54Mbps
802.11i (coming soon)




IEEE certified security specification
not a wireless protocol as such
offers improved security for data in transit
better control of who can use the network
802.11c/d/e/f/h/IR/j/k/m?

technical specifications of low level standards
Gi-Fi (maybe coming, but not soon)

theoretically 2Gbps can be achieved at frequencies of 56Ghz [1]
Stream and Block Ciphering Overview
Block Ciphers
A block cipher is a symmetric cipher that operates on a fixed size block of bytes at a
time. The stream of binary digits that make up a message are divided into blocks of a
standard size (typically 64 or 128 bits long) and then the encryption algorithm is
applied so that all the bits of each block are encrypted at the same time using the same
key.
Example: Using blocks of 8-bits and a 10-bit key...
block 1
block 2
p0,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14
encrypted using shared secret
k01,k2,k3,k4,k5,k6,k7,k8,k9,k1
c0,c1,c2,c3,c4,c5,c6,c7
Following transmission the ciphertext is decrypted a block at a time at the receiver by
applying the reverse transformation using the same, shared secret key.
Examples of block ciphers are DES, triple DES (3DES), AES and Blowfish.
Stream Ciphers
A stream cipher is a symmetric (secret key) cipher that operates on small units of data
(as small as a single bit) at a time.
Sender and receiver both share the secret key
To send a message the sender uses the key to produce an infinite pseudo-random
keystream. The keystream is then logically combined with the plaintext, typically via
an operation such as XOR to produce ciphertext.
At the other end of the network, the receiver uses the shared secret key to produce an
identical keystream to the sender. This is then XOR-ed with the incoming ciphertext
to reproduce the original plaintext.
Example of Stream Cipher: RC4
Regardless of the type of symmetric cipher being used it is important to keep
changing the key used for encryption. If an attacker can obtain two different ciphertexts encrypted using the same key, statistical analysis of the text’s can be applied to
break the encryption and determine the contents of the shared key.
Note: In reality an infinite keystream is obviously never produced. The keystream is
simply as long as the message being sent.
Security flaws with first generation WiFi
Pre 802.11i hardware manufacturers are/were free to provide which ever level of
security that they saw fit. The baseline security protocol for Wi-Fi is WEP (Wired
Equivalent Privacy) this was first used in the early 802.11 wireless standard and also
exists in 802.11b unchanged [2].
Run down of WEP
Optional encryption standard implemented in the MAC layer.
Encryption in WEP:
 uses a secret key, k (40 or 128 bit).
 k is shared between the access point and the mobile node.



does not specify how k is established – so this is done manually for the
moment.
k is used to encrypt packets before transmission.
integrity check (CRC-32) is used to ensure that packets are not modified in
transit.
To compute an encrypted frame:
1. the plaintext frame data, M, is first concatenated with its ICV (integrity check
value) or checksum, c(M), to produce M + c(M).
 ICV used after decryption to check that the frame hasn’t been
tampered with in transit.
 If the receiver calculates and ICV that doesn’t match the one found
in the frame the receiving station can reject it or flag the user.
2. an initialisation vector (IV) is joined to the secret key to create the packet key,
(IV + k).
 a random 24bit IV lengthens the life of the secret key because it
can be changed for each frame transmission.
 The IV is included unencrypted in the frame so it can be used for
decryption.
3. the RC4 cipher is constructed using the packet key RC4(IV + k).
4. the cipher is XORed with the checksummed plaintext to get the ciphertext
(encrypted data):
C = (M + c(M)) XOR RC4(IV + k)
Weaknesses
1. IV – The small space of possible initialisation vectors means that a collision is
inevitable.
2. CRC and RC4 – The combination of CRC and RC4 means it is possible to
change the message while flipping appropriate bits in the checksum to keep
the packet valid.
Types of attack
1. Passive attacks to decrypt traffic based on statistical analysis.
2. Active attack to inject new traffic from unauthorised mobile stations, based on
known plaintext.
3. Active attack to decrypt traffic by tricking the access point.
4. Dictionary building attack that after a day’s worth of traffic, allows real time
automated decryption of traffic.
Passive Attack
A passive eavesdropper intercepts all wireless traffic, until an IV collision occurs. By
XORing two packets that use the same IV, the attacker obtains the XOR of the two
plaintext messages. The resulting XOR can be used to infer data about the contents of
the two messages. IP traffic is often very predictable and includes a lot of redundancy.
This redundancy can be used to eliminate many possibilities for the contents of
messages. Further educated guesses about the contents of one or both of the messages
can be used to statistically reduce the space of possible messages, and in some cases it
is possible to determine the exact contents [2].
An extension of this attack uses a host on the Internet to send known messages to a
wireless network station. Because the attacker knows the contents of these messages
he will easily be able to decrypt all packets that are sent using the same initialisation
vector.
Active Attack to inject new traffic
If an attacker knows the exact plaintext for one encrypted message, this can be used to
construct correct encrypted packets. This procedure involves calculating the
checksum for a new message and performing bit flips on the original encrypted
message to change the plaintext to the new message. The basic property is that
RC4(X) XOR X XOR Y = RC4(Y). This new packet can now be sent to a mobile
station or access point and will be accepted as a valid packet.
Active Attack to decrypt traffic
If the attacker is able to guess part of the header of a packet then he may be able to
flip appropriate bits to change the destination IP address of the packet. The address
could be changed to a match the address of a machine somewhere on the Internet that
the attacker controls. The attacker could then broadcast the modified packet from a
rogue mobile station. As most wireless network installations have Internet
connectivity the packet will be successfully decrypted by the access point and
forwarded unencrypted to the attackers machine on the Internet!
Dictionary Building Attack
The small space of initialisation vectors allows an attacker to quite quickly build a
table of key streams with an entry for each IV. Once a key stream is identified it can
be used to decrypt all other packets that use the same IV. Remember that the IV is
sent unencrypted in the packet header. Over time the attacker can build an exhaustive
table of IVs and corresponding key streams. Once built the attacker can easily decrypt
every packet sent over the wireless link, without actually ever knowing the secret key,
by looking up the correct key stream in the table. As the initialisation vector in WEP
is only a 24-bit field a busy access point will exhaust every possible IV in just 5
hours!
Wired Equivalent Privacy isn’t equivalent to the privacy over a wired
connection.
Solutions to the short comings of
original Wi-Fi security
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a subset of the forthcoming IEEE 802.11i security
standard (also known as WPA2) and is designed to overcome all of the weaknesses
identified in WEP. WPA works with existing 802.11 based hardware using firmware
upgrades and will offer full forward compatibility with the new standard following its
eventual certification.
Features of WPA


Enhanced encryption scheme: Temporal Key Integrity Protocol (TKIP)
Message Integrity Checks (MIC)

Strong User Authentication using one of the standard Extensible
Authentication Protocol (EAP) types available
Encryption
One of WEP’s chief weaknesses was that it used a small (40-bit) static key to initiate
encryption. This key is entered manually on the AP (Access Point) and on all clients
that communicate with it. It never changes unless it is manually re-entered on all
devices.
A 24-bit initialization vector is then appended to this to produce a 64-bit key that is
used for encryption. On busy networks, the initialization may need to be repeated in a
matter of hours meaning that encryption keys are often re-used.




TKIP replaces the single static key with keys that are dynamically generated
each time a wireless client connects to the network.
Key size increased from 40 to 128 bits
Initialisation Vector increased from 24 to 48-bits
A unique encryption key is generated for every packet
After accepting a user’s credentials an authentication server produces a unique master
key which is valid for the current computing session only.
“TKIP distributes this key to the client and the AP and sets up a key hierarchy and
management system, using the pairwise key to dynamically generate unique data
encryption keys to encrypt every data packet that is wirelessly communicated during
that user’s session” Wi-Fi Alliance white paper, 2003
Message Integrity Checks
Designed to prevent an attacker from capturing data packets, altering and then resending them.



The MIC provides a strong mathematical function that is calculated by both
sender and receiver
The receiver compares its calculated value with the contents of the packet
If the calculated value does not match what is found inside the packet, the
packet is assumed tampered with and discarded
Authentication
Home Environments
Pre-Shared Key: This method for authentication uses a statically configured passphrase on both the client workstations and on the access point. This allows users of
the network to be authenticated at the access point without the need for an
authentication server, which is unlikely to be available in home or small office
environments.
Enterprise Security
Access to the network is controlled by an authentication server. This holds user
credentials (e.g. user names and passwords) and authenticates wireless users before
they gain access to the network. One of the Extensible Authentication Protocol (EAP)
types available is then used to carry out the authentication.
Extensible Authentication Protocol (EAP)
EAP is a general protocol for authentication of network users. It does not select a
specific authentication mechanism upon establishing a link, preferring to wait until a
separate authentication phase. “This allows the authenticator to request more
information before determining the specific authentication mechanism.”
www.faqs.org
A number of mechanisms are supported under this scheme including digital
certificates (already widely used in Internet security), unique usernames and
passwords, smart cards, secure IDs, or any other identity credential that the IT
administrator is comfortable deploying.
802.11i Security (WPA2)
Why bother?
While WPA offers significantly better security than WEP it can still be strengthened.
It uses static keys for user authentication and the RC4 encryption algorithm is known
to be vulnerable to some analytic attacks. In addition, one in every 256 keys generated
using the RC4 algorithm is likely to be ‘weak’ – “one or more bytes of the generated
ciphertext are strongly correlated with a few bytes of the key”. www.ncat.edu
802.11i Features
 New method for encryption: Advanced Encryption Standard (AES)
 Combines encryption with authentication using dynamic keys for both
 Scheduled for certification September 2004
Bluetooth
Trivia: named after Danish king Harald "Bluetooth" (Blåtand) 950-986, who united
Denmark
Bluetooth, like Wi-Fi, is a standard for wireless network communications. However,
unlike Wi-Fi, which is designed to replace existing, high bandwidth, long range wired
networks Bluetooth is designed primarily for short range, low bandwidth 'Personal
Area Networks'. The idea is to provide a common communication specification to
allow completely dissimilar devices, such as PDAs, mobile phones, printers and even
fridges to communicate with each other. Unlike Wi-Fi, Bluetooth has to be available
to devices with low computational power.
Bluetooth devices are divided up into 3 power categories:
Category 1 devices have a range of between 0.1 and 1m. These devices might include
mobile phone headsets, where the communicating devices are most likely to be in
close proximity
Category 2 devices have a range of between 1 and 10m. This is the most common
power range for Bluetooth devices. Most suitable for PAN’s since it provides
sufficient range for most applications, but is limited range enough to provide a certain
level of security from potential listeners.
Category 3 devices have a range of up to 100m. This is equivalent to most current WiFi networks, but given the low bandwidth of Bluetooth(1Mbps theoretical, ~700Kbps
actual with Forward Error Correction) is not a direct competitor
Another difference to Wi-Fi is the ad-hoc nature of Bluetooth networks. Although
Wi-Fi networks are designed with a certain amount of flexibility, they are generally
fairly static. In contrast, Bluetooth devices (which are most often mobile) are designed
to be able to move in and out of networks as the owner moves around. This difference
means that the same security procedures that are used in Wi-Fi are not suited to
Bluetooth, and new measures have been adopted.
Bluetooth Security
In Bluetooth, there are three security modes

Security Mode 1: In this mode, the device does not implement any security
procedures, and allows any other device to initiate connections with it

Security Mode 2: In mode 2, security is enforced after the link is established,
allowing higher level applications to run more flexible security policies.

Security Mode 3: In mode 3, security controls such as authentication and
encryption are implemented at the Baseband level before the connection is
established. In this mode, Bluetooth allows different security levels to be
defined for devices and services.
Devices
Devices are other Bluetooth devices that wish to use the services you provide. These
devices are divided into two categories: trusted and untrusted

Trusted devices have a fixed relationship with your device. They generally
have unrestricted access to all services, although this can be refined to set
different access policies for each service.

Untrusted devices have no permanent fixed relationship with your device (but
may have a temporary one) or have a permanent relationship but are
considered untrustworthy. They are generally limited as to the services they
can access.
Services
Services are the services you provide to other devices, and are divided into three
categories:

Services that require authorisation and authentication: Only trusted devices
have automatic access; all other devices require manual authorisation

Services that require authentication only: authorisation is not required

Services that are open to all: access to services is granted without the need for
approval
Service level security
In security mode 2, security is handled by higher level applications rather than at the
link level, and is enforced after the communication is established
Fig 1: The Bluetooth architecture
Because Bluetooth uses the RFCOMM protocol it is able to use existing protocols
such as TCP, UDP and WAP, and can use the security measures built into these.
Link level
In security mode 3, security is enforced before a communications link is established.
Security in Bluetooth, like in other networks is based on authentication and
encryption.
In Bluetooth security there are four main identifiers
1. 48 bit unique IEEE Bluetooth device address (BD_ADDR)
2. 128 bit Link key, used for authentication
3. 8-128 bit symmetric encryption key
4. 128 bit random numbers (RAND) generated as required
Authentication
To authenticate devices in Bluetooth, a link key is generated for the connection,
followed by a challenge-response strategy to ensure that the claimant device knows
the link key. There are four types of link key defined in the Bluetooth specification:
unit keys, initialisation keys, combination keys and master keys. In addition,
Bluetooth defines four algorithms (E1, E21, E22 and E3) for key generation and
authentication. They are all based on the SAFER+ block cipher algorithm.
Unit key:
The unit key is generated in the device when it is first turned on, using the E21 key
generating algorithm. Once generated, it is stored in the non-volatile memory of the
device and rarely changes. The unit key can be used as a link key between two
devices, however it is a last resort since sharing the unit key allows the device to be
'spoofed'. For example, if device A communicates with device B using A's unit key as
the link key, device B then has a copy of A's unit key. Device B can then pretend to
be device A and start a communication with device C, or can intercept and decode
communications between A and C if A's unit key is used as the link key. In general,
the unit key is only used as a link key when one of the devices has very limited
memory and is not capable of remembering any extra keys.
Fig 2: The E21 key generation algorithm used in generating unit and combination
keys
Initialisation key:
The initialisation key is needed for two devices who have never communicated
before. A PIN code of between 1 and 16 octets in length is entered into both devices,
and an initialisation key is generated using the E22 key generating algorithm. The
algorithm is given the PIN (augmented with the BD_ADDR of the claimant device),
and a 128bit random number from the verifying device. This key is then used for key
exchange during the generation of a link key after which it is discarded.
Fig 3: The E22 key generation algorithm, used in generating initialisation and master
keys
Combination key:
The combination key is generated using another key, usually the initialisation key,
and is the most secure of the four keys. Firstly, each unit generates a temporary key
using the same method as used for unit key creation (e.g. device 1 inputs RAND1 and
BD_ADDR1 into the E21 algorithm to produce KEY1, device 2 inputs RAND2 and
BD_ADDR2 to produce KEY2). Device 1 then XORs its temporary key (KEY1) with
the current link key and sends it to device 2. Similarly, device 2 XORs KEY2 and
sends it to device 1. Each device then decrypts the random number, and using the
BD_ADDR of the other device, calculates the other temporary key. Both devices then
XOR KEY1 and KEY2 to produce the combination key.
Master key:
This key is the only temporary key and is generated when one device needs to
communicate with several others (one master, several slaves). Firstly, the master key
is created (by the master) by putting two random numbers into the E22 key generation
algorithm. The master then sends another random number to each slave. The master
and all the slaves then put the current link key and the random number into the key
generating algorithm to produce an overlay. The master then XORs the master key
with that overlay and transmits it to all of the slaves. The slaves (which each have a
copy of the overlay) can then calculate the master key.
Once the link key has been established, Bluetooth uses a challenge-response scheme
for authentication, and relies on both parties sharing the same secret key. Firstly, the
verifier sends the claimant a 128 bit random number. The claimant inputs this
number, the current link key and its own BD_ADDR into the authentication algorithm
E1, and sends the output back to the verifier. If the response matches the value
calculated by the verifier, the claimant is authenticated. A by-product of the
authentication algorithm is the ACO (Authenticated Ciphering Offset) which is stored
by both devices for use later on in the encryption process.
Fig 4: The E1 authentication algorithm
Encryption
To encrypt payloads of their packets, Bluetooth devices uses private encryption key
derived from the current link key, the 96 bit COF (Ciphering Offset Number - based
on the ACO generated during the authentication process) and a 128 bit random
number.
This encryption key, along with the device clock, the device address and a random
number are fed into the E0 stream cipher algorithm (based on the Massey and
Rueppel summation stream cipher generator). The encryption key is regenerated
every new packet transmission.
Fig 5: Encryption in Bluetooth
Since the encryption key size varies from 8 bits to128 bits, the devices have to
negotiate the length of the encrytpion key. Firstly, the master sends a suggested length
to the slave. The slave can then accept this, or reject it and send back a suggestion for
another length. This continues until a consensus is reached, or until one of the devices
aborts the negotiation.
Weaknesses with Bluetooth
There are three main types of attacks on Bluetooth connections
Attacks on the confidentiality
It has been suggested that the E0 stream cipher can be broken in 2^66 in some
circumstances. However, the fact that Bluetooth devices resynchronise the stream
cipher every packet means that malicious users attempting to break the encryption in
this way would not have sufficient time to succeed.
If a device's unit key is used as the link key, trusted devices can spoof that device and
can initiate communications posing as that device, or can intercept communications
between that device and another which use the unit key as a link key.
The fact that Bluetooth uses 4 digit pins for the initialisation key is a weakness. With
only 10000 possibilities, PINs can be exhaustively searched and the key broken. In
addition to this, research has shown that 50% of PINs are ‘0000’, putting the security
of PINs further into question. One way to avoid this threat is by only pairing devices
in secure locations. Given that the range of most Bluetooth devices is only 10m (less
when the signal has to travel through walls) this is not too inconvenient, and generally
only prohibits users from pairing in busy locations such as stations or airports.
Attacks on the availability
Bluetooth uses the unlicensed and heavily used, 2.45Ghz frequency. This makes it
susceptible to interference from other devices, such as microwaves. However, to
combat this it uses the technique of frequency hopping. This improves the clarity and
also discourages casual eavesdropping, since only synchronised devices can
communicate.
Another form of denial of service attack, the battery exhaustion attack, is one that
Bluetooth devices are susceptible to. Unfortunately, it is very difficult to prevent this
kind of attack without restricting the usability of the device. For example, users can
choose to turn off Bluetooth until they need it, but this is irritating for the user. Work
is underway by the Bluetooth Special Interest Group to find a solution, but currently
there is no effective defence.
Attacks on user privacy
Another issue with Bluetooth is that of user privacy. Since the address of the device is
freely available, once it is associated with an individual it can be used to carry out
profiling, and other more questionable forms of monitoring, violating user privacy.
Bluejacking is where users can send anonymous, unsolicited messages to other
Bluetooth users Bluetooth in the form of business cards, exploiting the Bluetooth
standard of accepting them. Although currently this is a relatively small and
innocuous craze, the same property could be used by unscrupulous marketers to target
passing customers (and indeed in some places, this is already happening). The
combination of these two attacks on privacy could prove to be extremely annoying
and intrusive to end users. For example, companies with your details (including the
address of your Bluetooth device) on record could bombard you with personalised
adverts and offers whenever you are near their store.
Conclusion
1. Wired Equivalent Privacy is vulnerable to attack, has many weaknesses and is
difficult to use.
a. We think that the flaws with WEP are due to it being rushed to market
to create demand for wireless networks.
b. The security specification was not certified before being put into
production, this mistake must be learnt from.
2. Wi-Fi Protected Access is more resilient to attack and is easier to use.
a. WPA greatly improves on the security of WEP, but is only a stopgap
for 802.11i
3. Bluetooth
a. Security is sufficient for personal use, but for more security critical
applications improvements need to be made
In general, the biggest threat to the security of the network is the incompetence of the
network administrators or users. The existing standards are strong enough to protect
networks from all but the most determined of hackers, yet in many wireless networks
these measures are not implemented. If users are considering going wireless, they
need to worry less about the about the existing standards, and more about their own
knowledge.
References
1. Glenn Fleishman (2003), “Gi-Fi?”, (Wi-Finetnews.com)
2. Nikita Borisov, Ian Goldberg, and David Wagner (2001), “Security of the
WEP algorithm”, (http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html)
3. Adam Stubblefield, John Ioannidis, Aviel D. Rubin (2001), “Using the
Fluhrer, Mantin, and Shamir Attack to Break WEP”, AT&T Labs Technical
Report TD-4ZCPZZ.
4. Jim Geier (2002), “802.11 WEP: Concepts and Vulnerability”, (www.wifiplanet.com)
5. F.L.Wong (2003), “Security considerations for a short-range wireless
technology”, (www.security.org.sg)
6. Juha T. Vainio (2000), “Bluetooth Security”, Helsinki University of
Technology
7. Frank Stajano, Ross Anderson (1999), “The Resurrecting Duckling: Security
Issues for Ad-hoc wireless networks”
8. Thomas Xydis (2000), “Security Comparison: Bluetooth Communications vs
802.11”, (www.bluetooth.org)
9. Thomas Muller (1999), “Bluetooth Security Architecture”,
(www.bluetooth.org)
10. Christian Gehrmann (2002), “Bluetooth Security White Paper”,
(www.bluetooth.org)
11. Wi-Fi Alliance (2003), “Wi-Fi Protected Access: Strong, standards-based,
interoperable security for today’s Wi-Fi networks”
12. HP (2002), “Wi-Fi Security – Addressing Concerns”