See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/277560716

A Survey on Wireless Security: Technical Challenges, Recent Advances and

Future Trends

Article in Proceedings of the IEEE · May 2015

DOI: 10.1109/JPROC.2016.2558521 · Source: arXiv

CITATIONS READS
1,088 4,669

3 authors:

Yulong Zou Xianbin Wang

37 PUBLICATIONS 3,725 CITATIONS

The University of Western Ontario
620 PUBLICATIONS 14,942 CITATIONS
SEE PROFILE
SEE PROFILE

L. Hanzo
University of Southampton
3,020 PUBLICATIONS 73,112 CITATIONS

SEE PROFILE

All content following this page was uploaded by L. Hanzo on 18 July 2019.

The user has requested enhancement of the downloaded file.

 PROCEEDINGS OF THE IEEE 1

A Survey on Wireless Security: Technical

Challenges, Recent Advances and Future Trends
Yulong Zou, Senior Member, IEEE, Xianbin Wang, Senior Member, IEEE, and Lajos Hanzo, Fellow, IEEE

Abstract—Due to the broadcast nature of radio propagation, AKA Authentication and Key Agreement
the wireless air interface is open and accessible to both authorized AP Access Point
arXiv:1505.07919v1 [cs.IT] 29 May 2015

and illegitimate users. This completely differs from a wired BS Base Station
network, where communicating devices are physically connected
through cables and a node without direct association is unable CDMA Code Division Multiple Access
to access the network for illicit activities. The open communica- CK(s) Ciphering Key(s)
tions environment makes wireless transmissions more vulnerable CSI Channel State Information
than wired communications to malicious attacks, including both CSMA/CA Carrier Sense Multiple Access with Collision
the passive eavesdropping for data interception and the ac- Avoidance
tive jamming for disrupting legitimate transmissions. Therefore,
this paper is motivated to examine the security vulnerabilities CST Carrier Sensing Time
and threats imposed by the inherent open nature of wireless CTS Clear to Send
communications and to devise efficient defense mechanisms for DA Destination Address
improving the wireless network security. We first summarize DCF Distributed Coordination Function
the security requirements of wireless networks, including their DES Data Encryption Standard
authenticity, confidentiality, integrity and availability issues. Next,
a comprehensive overview of security attacks encountered in DIFS Distributed Inter-Frame Space
wireless networks is presented in view of the network protocol DN Destination Node
architecture, where the potential security threats are discussed DSSS Direct-Sequence Spread Spectrum
at each protocol layer. We also provide a survey of the exist- DoS Denial of Service
ing security protocols and algorithms that are adopted in the EPC Evolved Packet Core
existing wireless network standards, such as the Bluetooth, Wi-
Fi, WiMAX, and the long-term evolution (LTE) systems. Then, E-UTRAN Evolved-Universal Terrestrial Radio Access Net-
we discuss the state-of-the-art in physical-layer security, which work
is an emerging technique of securing the open communica- FHSS Frequency-Hopping Spread Spectrum
tions environment against eavesdropping attacks at the physical FTP File Transfer Protocol
layer. Several physical-layer security techniques are reviewed GSVD Generalized Singular Value Decomposition
and compared, including information-theoretic security, artificial
noise aided security, security-oriented beamforming, diversity HSS Home Subscriber Server
assisted security, and physical-layer key generation approaches. HTTP HyperText Transfer Protocol
Additionally, since a jammer emitting radio signals can readily ICMP Internet Control Message Protocol
interfere with the legitimate wireless users, we introduce the ICV Integrity Check Value
family of various jamming attacks and their counter-measures, IK(s) Integrity Key(s)
including the constant jammer, intermittent jammer, reactive
jammer, adaptive jammer and intelligent jammer. Finally, some IMSI International Mobile Subscriber Identity
technical challenges which remain unresolved at the time of IP Internet Protocol
writing are summarized and the future trends in wireless security IV Initialization Vector
are discussed. LTE Long Term Evolution
Index Terms—Wireless security, eavesdropping attack, denial- MAC Medium Access Control
of-service (DoS), jamming, network protocol, information- MIC Message Integrity Check
theoretic security, artificial noise, beamforming, diversity, wire- MIMO Multiple-Input Multiple-Output
less jamming, wireless networks.
MISOME Multiple-Input Single-Output Multiple-
Eavesdropper
NOMENCLATURE MITM Man In The Middle
3G 3rd Generation MME Mobility Management Entity
AAA Authentication, Authorization and Accounting NIC Network Interface Controller
AES Advanced Encryption Standard NP Non-deterministic Polynomial
OFDMA Orthogonal Frequency-Division Multiple Access
Y. Zou is with the School of Telecommunications and Information Engineer- OSI Open Systems Interconnection
ing, Nanjing University of Posts and Telecommunications, Nanjing, China.
email: {[email protected]}. PER Packet Error Rate
X. Wang is with the Electrical and Computer Engineering Depart- PKM Privacy and Key Management
ment, The University of Western Ontario, London, Ontario, Canada. email: PN Pseudo Noise
{[email protected]}.
L. Hanzo is with the School of Electronics and Computer Science, Univer- PRNG Pseudo-Random Number Generator
sity of Southampton, Southampton, UK. email: {[email protected]}. QoS Quality of Service
PROCEEDINGS OF THE IEEE 2

Channel
RFCOMM Radio Frequency COMMunications characteristics
RSA Rivest-Shamir-Adleman Secrecy
capacity Authentication
RSS Received Signal Strength
RTS Request to Send
SA Source Address Wireless
Intercept
SIFS Short Inter-Frame Space probability
Security Authorization
SINR Signal-to-Interference-and-Noise Ratio Design
SQL Structured Query Language
SMTP Simple Mail Transfer Protocol
SN Source Node Complexity Encryption
SNR Signal-to-Noise Ratio Latency
SS Subscriber Station
Fig. 1. Wireless security methodologies and design factors.
SSL Secure Sockets Layer
TA Transmitter Address
TCP Transmission Control Protocol
TDMA Time-Division Multiple Access application layer, transport layer, network layer [6], medium
TK Temporal Key access control (MAC) layer [7] and physical layer [8], [9].
TKIP Temporal Key Integrity Protocol Security threats and vulnerabilities associated with these pro-
TLS Transport Layer Security tocol layers are typically protected separately at each layer
TSC TKIP Sequence Counter to meet the security requirements, including the authenticity,
TTAK TKIP-mixed Transmit Address and Key confidentiality, integrity and availability [10]. For example,
TTLS Tunneled Transport Layer Security cryptography is widely used for protecting the confidentiality
UDP User Datagram Protocol of data transmission by preventing information disclosure to
UE(s) User Equipment(s) unauthorized users [11], [12]. Although cryptography im-
UMTS Universal Mobile Telecommunications System proves the achievable communications confidentiality, it re-
WEP Wired Equivalent Privacy quires additional computational power and imposes latency
WiMAX Worldwide Interoperability for Microwave Ac- [13], since a certain amount of time is required for both
cess data encryption and decryption [14]. In order to guarantee
WLAN Wireless Local Area Network the authenticity of a caller or receiver, existing wireless
WMAN Wireless Metropolitan Area Network networks typically employ multiple authentication approaches
WPA Wi-Fi Protected Access simultaneously at different protocol layers, including MAC-
WPA2 Wi-Fi Protected Access II layer authentication [15], network-layer authentication [16],
WPAN Wireless Personal Area Network [17] and transport-layer authentication [18]. To be specific,
in the MAC layer, the MAC address of a user should be
authenticated to prevent unauthorized access. In the network
I. I NTRODUCTION layer, the Wi-Fi protected access (WPA) and the Wi-Fi pro-
tected access II (WPA2) are two commonly used network-
D URING the past decades, wireless communications in-
frastructure and services have been proliferating with
the goal of meeting rapidly increasing demands [1], [2].
layer authentication protocols [19], [20]. Additionally, the
transport-layer authentication includes the secure socket layer
According to the latest statistics released by the International (SSL) and its successor, namely the transport layer security
Telecommunications Union in 2013 [3], the number of mobile (TLS) protocols [21]-[23]. It becomes obvious that exploiting
subscribers has reached 6.8 billion worldwide and almost multiple authentication mechanisms at different protocol layers
40% of the world’s population is now using the Internet. is capable of enhancing the wireless security, again, at the
Meanwhile, it has been reported in [4] that an increasing cost of high computational complexity and latency. As shown
number of wireless devices are abused for illicit cyber-criminal in Fig. 1, the main wireless security methodologies include
activities, including malicious attacks, computer hacking, data the authentication, authorization and encryption, for which the
forging, financial information theft, online bullying/stalking diverse design factors e.g. the security level, implementation
and so on. This causes the direct loss of about 83 billion Euros complexity and communication latency need to be balanced.
with an estimated 556 million users worldwide impacted by In wired networks, the communicating nodes are physically
cyber-crime each year, according to the 2012 Norton cyber- connected through cables. By contrast, wireless networks are
crime report [4]. Hence, it is of paramount importance to extremely vulnerable owing to the broadcast nature of the
improve wireless communications security to fight against wireless medium. Explicitly, wireless networks are prone to
cyber-criminal activities, especially because more and more malicious attacks, including eavesdropping attack [24], denial-
people are using wireless networks (e.g., cellular networks and of-service (DoS) attack [25], spoofing attack [26], man-in-
Wi-Fi) for online banking and personal emails, owing to the the-middle (MITM) attack [27], message falsification/injection
widespread use of smartphones. attack [28], etc. For example, an unauthorized node in a
Wireless networks generally adopt the open systems in- wireless network is capable of inflicting intentional interfer-
terconnection (OSI) protocol architecture [5] comprising the ences with the objective of disrupting data communications
PROCEEDINGS OF THE IEEE
between legitimate users. Furthermore, wireless communica-
tions sessions may be readily overheard by an eavesdropper,
as long as the eavesdropper is within the transmit coverage
area of the transmitting node. In order to maintain confidential
transmission, existing systems typically employ cryptographic
techniques for preventing eavesdroppers from intercepting data
transmissions between legitimate users [29], [30]. However,
cryptographic techniques assume that the eavesdropper has
limited computing power and rely upon the computational
hardness of their underlying mathematical problems. Hence,
they can only achieve what we may refer to as computational
security. The security of a cryptographic approach would be
significantly compromised, if an efficient method of solving
its underlying hard mathematical problem was to be dis-
covered [31]. More importantly, the conventional secret key
exchange in cryptographic techniques (e.g., Diffie-Hellman
key agreement protocol) requires a trusted key management
center, which however may not be applicable in some wireless
networks operating without a fixed infrastructure due to the
highly dynamic nature of mobile environments [32], [149]-
[151].
To this end, physical-layer security is emerging as a promis-
ing means of protecting wireless communications to achieve
information-theoretic security against eavesdropping attacks.
In [33], Wyner examined a discrete memoryless wiretap
channel consisting of a source, a destination as well as an
eavesdropper and proved that perfectly secure transmission can
be achieved, provided that the channel capacity of the main
link from the source to the destination is higher than that of
the wiretap link from the source to the eavesdropper. In [34],
Wyner’s results were extended from the discrete memoryless
wiretap channel to the Gaussian wiretap channel, where the
notion of a so-called secrecy capacity was developed, which
was shown to be equal to the difference between the channel
capacity of the main link and that of the wiretap link. If
the secrecy capacity falls below zero, the transmissions from
the source to the destination become insecure and the eaves-
dropper would become capable of intercepting the source’s
transmissions [35], [36]. In order to improve the attainable
transmission security, it is of importance to increase the
secrecy capacity by exploiting sophisticated signal processing
techniques, such as the artificial noise aided security [37]-[39],
security-oriented beamforming [40], [41], security-oriented
diversity approaches [42], [43] and so on.
In this paper, we are motivated to discuss diverse wireless at-
tacks as well as the corresponding defense mechanisms and to
explore a range of challenging open issues in wireless security
research. The main contributions of this paper are summarized
as follows. Firstly, a systematic review of security threats and
vulnerabilities is presented at the different protocol layers,
commencing from the physical layer up to the application
layer. Secondly, we summarize the family of security protocols
and algorithms used in the existing wireless networks, such as
the Bluetooth, Wi-Fi, WiMAX and long-term evolution (LTE)
standards. Thirdly, we discuss the emerging physical-layer
security in wireless communications and highlight the class
of information-theoretic security, artificial noise aided security,
security-oriented beamforming, security-oriented diversity and
3
physical-layer secret key generation techniques. Additionally,
we provide a review on various wireless jammers (i.e., the
constant jammer, intermittent jammer, reactive jammer, adap-
tive jammer and intelligent jammer) as well as their detection
and prevention techniques. Finally, we outline some of open
challenges in wireless security.
The remainder of this paper is organized as follows. Section
II presents the security requirements of wireless networks,
where the authenticity, confidentiality, integrity and avail-
ability of wireless services are discussed. In Section III,
we analyze the security vulnerabilities and weaknesses of
wireless networks at different protocol layers, including the
application layer, transport layer, network layer, MAC layer
and physical layer. Next, in Section IV, the security protocols
and algorithms used in existing wireless networks, such as the
Bluetooth, Wi-Fi, WiMAX and LTE standards, are discussed.
Then, Section V presents the physical-layer security which is
emerging as an effective paradigm conceived for improving
the security of wireless communications against eavesdrop-
ping attacks by exploiting the physical-layer characteristics
of wireless channels. Additionally, we summarize the various
known wireless jamming attacks and their counter-measures
in Section VI, followed by Section VII, where some open
challenges and future trends in wireless security are presented.
Finally, Section VIII provides some concluding remarks.
II. S ECURITY R EQUIREMENTS IN W IRELESS N ETWORKS
Again, in wireless networks, the information is exchanged
among authorized users, but this process is vulnerable to
various malicious threats owing to the broadcast nature of
the wireless medium. The security requirements of wireless
networks are specified for the sake of protecting the wireless
transmissions against wireless attacks, such as eavesdropping
attack, DoS attack, data falsification attack, node compromise
attack and so on [44], [45]. For example, maintaining data
confidentiality is a typical security requirement, which refers
to the capability of restricting data access to authorized users
only, while preventing eavesdroppers from intercepting the
information. Generally speaking, secure wireless communica-
tions should satisfy the requirements of authenticity, confiden-
tiality, integrity and availability [46], as detailed below:
• Authenticity: Authenticity refers to confirming the true
identity of a network node to distinguish authorized users
from unauthorized users. In wireless networks, a pair
of communicating nodes should first perform mutual
authentication before establishing a communications link
for data transmission [47]. Typically, a network node
is equipped with a wireless network interface card and
has a unique medium access control (MAC) address,
which can be used for authentication purposes. Again, in
addition to MAC authentication, there are other wireless
authentication methods, including network-layer authen-
tication, transport-layer authentication and application-
layer authentication.
• Confidentiality: The confidentiality refers to limiting the
data access to intended users only, while preventing the
disclosure of the information to unauthorized entities
PROCEEDINGS OF THE IEEE
[48]. Considering the symmetric key encryption tech-
nique as an example, the source node first encrypts the
original data (often termed as plain-text) using an encryp-
tion algorithm with the aid of a secret key that is shared
with the intended destination only. Next, the encrypted
plain-text (referred to as cipher-text) is transmitted to
the destination that then decrypts its received cipher-
text using the secret key. Since the eavesdropper has no
knowledge of the secret key, it is unable to interpret the
plain-text based on the overheard cipher-text. However,
the classic Diffie-Hellman key agreement protocol used
in symmetric key cryptography is only computationally
secure [31] and requires a trusted key management center,
which may not be applicable in some wireless networks
operating without a fixed infrastructure [32], [149]-[151].
To this end, physical-layer security emerges as an effec-
tive means of protecting the confidentiality of wireless
transmission against eavesdropping attacks for achieving
information-theoretic security [33], [49]. The details of
physical-layer security will be discussed in Section V.
• Integrity: The integrity of information transmitted in a
wireless network should be accurate and reliable during
its entire life-cycle representing the source-information
without any falsification and modification by unautho-
rized users. The data integrity may be violated by so-
called insider attacks, such as for example node com-
promise attacks [50]-[52]. More specifically, a legitimate
node that is altered and compromised by an adversary,
is termed as a compromised node. The compromised
node may inflict damage upon the data integrity by
launching malicious attacks, including message injection,
false reporting, data modification and so on. In general, it
is quiet challenging to detect the attacks by compromised
nodes, since these compromised nodes running malicious
codes still have valid identities. A promising solution to
detect compromised nodes is to utilize the automatic code
update and recovery process, which guarantees that the
nodes are periodically patched and a compromised node
may be detected, if the patch fails. The compromised
nodes can be repaired and revoked through the so-called
code recovery process.
• Availability: The availability implies that the authorized
users are indeed capable of accessing a wireless network
anytime and anywhere upon request. The violation of
availability, referred to as denial of service, will result
in the authorized users to become unable to access the
wireless network, which in turn results in unsatisfactory
user experience [53], [54]. For example, any unauthorized
node is capable of launching DoS activities at the physical
layer by maliciously generating interferences for dis-
rupting the desired communications between legitimate
users, which is also known as a jamming attack. In order
to combat jamming attacks, existing wireless systems
typically consider the employment of spread spectrum
techniques, including direct-sequence spread spectrum
(DSSS) [55], [56] and frequency-hopping spread spec-
trum (FHSS) solutions [57]. To be specific, DSSS em-
4
TABLE I
S UMMARIZATION OF W IRELESS S ECURITY R EQUIREMENTS .
Security Requirements Specific Objectives to be Achieved
Specified to differentiate authorized users from
Authenticity
unauthorized users
Confidentiality
Specified to limit the confidential data access to
intended users only
Specified to guarantee the accuracy of the trans-
Integrity
mitted information without any falsification
Specified to make sure that the authorized users
Availability can access wireless network resources anytime
and anywhere upon request
ploys a pseudo-noise (PN) sequence to spread the spec-
trum of the original signal to a wide frequency bandwidth.
In this way, the jamming attack operating without the
knowledge of the PN sequence has to dissipate a much
higher power for disrupting the legitimate transmission,
which may not be feasible in practice due to its realistic
power constraint. As an alternative, FHSS continuously
changes the central frequency of the transmitted wave-
form using a certain frequency-hopping pattern, so that
the jamming attacker cannot monitor and interrupt the
legitimate transmissions.
The above-mentioned authenticity, confidentiality, integrity
and availability are summarized in Table I, which are com-
monly considered and implemented in the existing wireless
networks, including the Bluetooth [58], Wi-Fi [59], Worldwide
Interoperability for Microwave Access (WiMAX) [60], Long-
Term Evolution (LTE) [61] standards and so on. In principle,
wireless networks should be as secure as wired networks. This
implies that the security requirements of wireless networks
should be the same as those of wired networks, including
the requirements of authenticity, confidentiality, integrity and
availability. However, due to the broadcast nature of radio
propagation, achieving these security requirements in wireless
networks is more challenging than in wired networks. For
example, the availability of wireless networks is extremely
vulnerable, since a jamming attack imposing a radio signal can
readily disrupt and block the wireless physical-layer communi-
cations. Hence, compared to wired networks, wireless systems
typically employ an additional DSSS (or FHSS) technique in
order to protect the wireless transmissions against jamming
attacks.
III. S ECURITY V ULNERABILITIES IN W IRELESS
N ETWORKS
In this section, we present a systematic review of various
security vulnerabilities and weaknesses encountered in wire-
less networks. Apart from their differences, wired and wireless
networks also share some similarities. For example, they both
adopt the OSI layered protocol architecture consisting of the
physical layer, MAC layer, network layer, transport layer
and application layer. As shown in Fig. 2, a network node
(denoted by node A) employs these protocols for transmitting
its data packets to another network node (i.e., node B).
PROCEEDINGS OF THE IEEE 5

Node A Node B

Application Application

Transport Transport

Network Network

Medium Access Control Medium Access Control

(MAC) (MAC)

Physical (PHY) Physical (PHY)

Wireless Medium

Fig. 2. A generic wireless OSI layered protocol architecture consisting of the application layer, transport layer, network layer, MAC layer and physical layer.

TABLE II
M AIN P ROTOCOLS AND S PECIFICATIONS OF THE W IRELESS OSI L AYERS .

Wired Common Wireless

attacks attacks attacks OSI Layers Main Protocols and Specifications

Application HTTP, FTP, SMTP [62]

Transport TCP, UDP [63], [64]

Fig. 3. Relationship between the wired and wireless attacks.
Network IP, ICMP [65]

MAC CSMA/CA, ALOHA, CDMA [66], OFDMA [67]

To be specific, the data packet at node A is first extended
with the protocol overheads, including the application-layer
overhead, transport-layer overhead, network-layer overhead,
MAC overhead and physical-layer overhead. This results in
an encapsulated packet. Then, the resultant data packet is
transmitted via the wireless medium to node B, which will
perform packet-decapsulation, commencing from the physical
layer and proceeding upward to the application layer, in order
to recover the original data packet. Note that the difference
between the wired and wireless networks mainly lies in the
PHY and MAC layers, while the application, transport and
network layers of wireless networks are typically identical to
those of wired networks. As a consequence, the wired and
wireless networks share some common security vulnerabilities
owing to their identical application, transport and network
layers. Nevertheless, they also suffer from mutually exclusive
attacks due to the fact that the wired and wireless networks
have different PHY and MAC layers, as shown in Fig. 3.
Table II shows the main protocols and specifications im-
plemented at each of wireless OSI layers. For example,
the application-layer supports the hypertext transfer protocol
(HTTP) for the sake of delivering web services, while the file
PHY Transmission Medium, Coding and Modulation
transfer protocol (FTP) is used for large-file-transfer, and the
simple mail transfer protocol (SMTP) is invoked for electronic
mail (e-mail) transmission and so on [62]. The commonly
used transport-layer protocols include the transport control
protocol (TCP) and the user datagram protocol (UDP) [63],
[64]. The TCP ensures the reliable and ordered delivery of data
packets, whereas UDP has no guarantee of such reliable and
ordered delivery. In contrast to TCP, UDP has no handshaking
dialogues and adopts a simpler transmission model, hence
imposing a reduced protocol overhead. In the network layer,
we also have different protocols, such as the Internet protocol
(IP), which was conceived for delivering data packets based
on IP addresses, and the Internet control message protocol
(ICMP) designed for sending error messages for indicating,
for example, that a requested service is unavailable or that
a network node could not be reached [65]. Regarding the
MAC layer, there are numerous different protocols adopted
by various wireless networks, such as the carrier sense mul-
PROCEEDINGS OF THE IEEE
TABLE III
M AIN T YPES OF W IRELESS ATTACKS AT THE PHY L AYER .
PHY Attacks Characteristics and Features
Eavesdropping Interception of confidential information [71]
Jamming Interruption of legitimate transmission [72]
tiple access with collision avoidance (CSMA/CA) used in
Wi-Fi networks, the slotted ALOHA employed in tactical
satellite networks by military forces, code division multiple
access (CDMA) involved in third-generation (3G) mobile net-
works [66] and orthogonal frequency-division multiple access
(OFDMA) adopted in the long term evolution (LTE) and
LTE-advanced networks [67]. Additionally, the physical layer
specifies the physical characteristics of information transmis-
sion, including the transmission medium, modulation, line
coding, multiplexing, circuit switching, pulse shaping, forward
error correction, bit-interleaving and other channel coding
operations, etc.
Every OSI layer has its own unique security challenges
and issues, since different layers rely on different protocols,
hence exhibiting different security vulnerabilities [68]-[70].
Below we summarize the range of wireless attacks potentially
encountered by various protocol layers.
A. Physical-Layer Attacks
The physical layer is the lowest layer in the OSI proto-
col architecture, which is used for specifying the physical
characteristics of signal transmission. Again, the broadcast
nature of wireless communications makes its physical layer
extremely vulnerable to eavesdropping and jamming attacks,
which are two main types of wireless physical-layer attacks,
as depicted in Table III. More specifically, the eavesdropping
attack refers to an unauthorized user attempting to intercept the
data transmission between legitimate users [71]. In wireless
networks, as long as an eavesdropper lies in the transmit
coverage area of the source node, the wireless communica-
tions session can be overheard by the eavesdropper. In order
to maintain confidential transmission, typically cryptographic
techniques relying on secret keys are adopted for preventing
eavesdropping attacks from intercepting the data transmission.
To be specific, the source node (SN) and destination node (DN)
share a secret key and the so-called plain-text is first encrypted
at SN, leading to the cipher-text, which is then transmitted to
DN. In this case, even if an eavesdropper overhears the cipher-
text transmission, it remains difficult to extract the plain-text
from the cipher-text without the secret key.
Moreover, a malicious node in wireless networks can read-
ily generate intentional interference for disrupting the data
communications between legitimate users, which is referred
to as a jamming attack (also known as DoS attack) [72]. The
jammer aims for preventing authorized users from accessing
wireless network resources and this impairs the network avail-
ability for the legitimate users. To this end, spread spectrum
techniques are widely recognized as an effective means of
6
TABLE IV
M AIN T YPES OF W IRELESS ATTACKS AT THE MAC L AYER .
MAC Attacks Characteristics and Features
MAC spoofing Falsification of MAC address [73]
Identity theft Stealing of a legitimate user's MAC identity
MITM attack Impersonation of a pair of communicating nodes [74]
Network injection Injection of forged network commands and packets [75]
defending against DoS attacks by spreading the transmit signal
over a wider spectral bandwidth than its original frequency
band. Again, the above-mentioned DSSS and FHSS techniques
exhibit a high jamming-resistance at the physical layer.
B. MAC-Layer Attacks
The MAC layer enables multiple network nodes to access
a shared medium with the aid of intelligent channel access
control mechanisms such as CSMA/CA, CDMA, OFDMA
and so on. Typically, each network node is equipped with a
network interface controller (NIC) and has a unique MAC
address, which is used for user authentication. An attacker
that attempts to change its assigned MAC address with a
malicious intention is termed as MAC spoofing, which is the
primary technique of MAC attacks [73]. Although the MAC
address is hard-coded into the NIC of a network node, it is
still possible for a network node to spoof a MAC address
and thus MAC spoofing enables the malicious node to hide
its true identity or to impersonate another network node for
the sake of carrying out illicit activities. Furthermore, a MAC
attacker may overhear the network traffic and steal a legitimate
node’s MAC address by analyzing the overheard traffic, which
is referred to as an identity-theft attack. An attacker attempting
identity theft will pretend to be another legitimate network
node and gain access to confidential information of the victim
node.
In addition to the above-mentioned MAC spoofing and
identity theft, the class of MAC-layer attacks also includes
MITM attacks [74] and network injection [75]. Typically,
a MITM attack refers to an attacker that first ‘sniffs’ the
network’s traffic in order to intercept the MAC addresses of a
pair of legitimate communicating nodes, then impersonates the
two victims and finally establishes a connection with them. In
this way, the MITM attacker acts as a relay between the pair
of victims and makes them feel that they are communicating
directly with each other over a private connection. In reality,
their session was intercepted and controlled by the attacker.
By contrast, the network injection attack aims for preventing
the operation of networking devices, such as routers, switches,
etc. by injecting forged network re-configuration commands.
In this manner, if an overwhelming number of the forged
networking commands are initiated, the entire network may
become paralyzed, thus requiring rebooting or even repro-
gramming of all networking devices. The main types of
wireless MAC attacks are summarized in Table IV.
PROCEEDINGS OF THE IEEE
TABLE V
M AIN T YPES OF W IRELESS ATTACKS AT THE N ETWORK L AYER .
Network Attacks Characteristics and Features
IP spoofing Falsification of IP address [76]
IP hijacking Impersonation of a legitimate user’s IP address [77], [78]
Paralyzation of a network by launching a huge number
Smurf attack
of ICMP requests [79]
C. Network-Layer Attacks
In the network layer, IP was designed as the principal
protocol for delivering packets from a SN to a DN through
intermediate routers based on their IP addresses. The network-
layer attacks mainly aim for exploiting IP weaknesses, which
include the IP spoofing and hijacking as well as the so-called
Smurf attack [76]-[78], as illustrated in Table V. To be specific,
IP spoofing is used for generating a forged IP address with the
goal of hiding the true identity of the attacker or impersonating
another network node for carrying out illicit activities. The
network node that receives these packets associated with a
forged source IP address will send its responses back to
the forged IP address. This will waste significant network
capacity and might even paralyze the network by flooding it
with forged IP packets. IP hijacking is another illegitimate
activity launched by hijackers for the sake of taking over
another legitimate user’s IP address. If the attacker succeeds
in hijacking the IP address, it will be able to disconnect the
legitimate user and create a new connection to the network
by impersonating the legitimate user, hence gaining access to
confidential information. There are some other forms of IP hi-
jacking techniques, including prefix hijacking, route hijacking
and border gateway protocol hijacking [78].
The Smurf attack is a DoS attack in the network layer,
which intends to send a huge number of ICMP packets (with
a spoofed source IP address) to a victim node or to a group of
victims using an IP broadcast address [79]. Upon receiving the
ICMP requests, the victims are required to send back ICMP
responses, resulting in a significant amount of traffic in the
victim network. When the Smurf attack launches a sufficiently
high number of ICMP requests, the victim network will
become overwhelmed and paralyzed by these ICMP requests
and responses. To defend against Smurf attacks, a possible
solution is to configure the individual users and routers by
ensuring that they do not to constantly respond to ICMP
requests. We may also consider the employment of firewalls,
which can reject the malicious packets arriving from the forged
source IP addresses.
D. Transport-Layer Attacks
This subsection briefly summarizes the malicious activities
in the transport layer, with an emphasis on the TCP and UDP
attacks. To be specific, TCP is a connection-oriented transport
protocol designed for supporting the reliable transmission of
data packets, which is typically used for delivering e-mails
7
TABLE VI
M AIN T YPES OF W IRELESS ATTACKS AT THE T RANSPORT L AYER .
Transport Attacks Characteristics and Features
TCP flooding Sending a huge number of ping requests [80], [81]
UDP flooding Launching an overwhelming number of UDP packets [82]
TCP sequence Fabrication of a legitimate user’s data packets using the
prediction attack predicted TCP sequence index
and for transferring files from one network node to another.
In contrast to TCP, UDP is a connectionless transport protocol
associated with a reduced protocol overhead and latency, but
as a price, it fails to guarantee reliable data delivery. It is often
used by delay-sensitive applications which do not impose strict
reliability requirements, such as IP television, voice over IP
and online games. Both TCP and UDP suffer from security
vulnerabilities including the TCP and UDP flooding as well as
the TCP sequence number prediction attacks, as summarized
in Table VI.
TCP attacks include TCP flooding attacks and sequence
number prediction attacks [80], [81]. The TCP flooding, which
is also known as ping flooding, is a DoS attack in the transport
layer, where the attacker sends an overwhelming number of
ping requests, such as ICMP echo requests to a victim node,
which then responds by sending ping replies, such as ICMP
echo replies. This will flood both the input and output buffers
of the victim node and it might even delay its connection
to the target network, when the number of ping requests is
sufficiently high. The TCP sequence prediction technique is
another TCP attack that attempts to predict the sequence index
of TCP packets of a transmitting node and then fabricates the
TCP packets of the node. To be specific, the TCP sequence
prediction attacker first guesses the TCP sequence index of a
victim transmitter, then fabricates packets using the predicted
TCP index, and finally sends its fabricated packets to a victim
receiver. Naturally, the TCP sequence prediction attack will
inflict damage upon the data integrity owing to the above-
mentioned packet fabrication and injection.
The UDP is also prone to flooding attacks, which are
imposed by sending an overwhelming number of UDP pack-
ets, instead of ping requests used in the TCP flood attack.
Specifically, a UDP flood attacker transmits a large number
of UDP packets to a victim node, which will be forced to
send numerous reply packets [82]. In this way, the victim
node will be overwhelmed by the malicious UDP packets and
becomes unreachable by other legitimate nodes. Moreover, the
UDP flooding attacker is capable of hiding itself from the
legitimate nodes by using a spoofed IP address for generating
malicious UDP packets. The negative impact of such UDP
flooding attacks is mitigated by limiting the response rate
of UDP packets. Furthermore, firewalls can be employed for
defending against the UDP flooding attacks for filtering out
malicious UDP packets.
PROCEEDINGS OF THE IEEE
TABLE VII
M AIN T YPES OF W IRELESS ATTACKS AT THE A PPLICATION L AYER .
Application Attacks Characteristics and Features
Malicious software in the form of code, scripts and
Malware attack
active content programmed by attackers [85]
Inserting rogue SQL statements attempting to gain
SQL injection
unauthorized access to legitimate websites
Injecting client-side scripts into web pages for by-
Cross-site scripting
passing some of the access control measures
Impersonating a legtimate user to gain unauthorized
FTP bounce
access [83]
Malicious attacks in e-mail transfering between the
SMTP attack
SMTP servers and clients
E. Application-Layer Attacks
As mentioned above, the application layer supports HTTP
[62] for web services, FTP [83] for file transfer and SMTP
[84] for e-mail transmission. Each of these protocols is prone
to security attacks. Logically, the application-layer attacks
may hence be classified as HTTP attacks, FTP attacks and
SMTP attacks. More specifically, HTTP is the application
protocol designed for exchanging hypertext across the World
Wide Web, which is subject to numerous security threats. The
main HTTP attacks include the Malware attack (e.g., Trojan
horse, viruses, worms, backdoors, keyloggers, etc.), structured
query language (SQL) injection attack and cross-site scripting
attack [85]. The terminology Malware refers to malicious
software which is in the form of code, scripts and active
content programmed by attackers attempting to disrupt legit-
imate transmissions or to intercept confidential information.
The SQL injection is usually exploited to attack data-driven
applications by inserting certain rogue SQL statements with
an attempt to gain unauthorized access to legitimate websites.
The last type of HTTP attacks to be mentioned is referred
to as cross-site scripting attacks that typically occur in web
applications and aim for bypassing some of the access control
measures (e.g., the same-origin-policy) by injecting client-side
scripts into web pages [85].
The FTP is used for large-file transfer from one network
node to another, which also exhibits certain security vulnera-
bilities. The FTP bounce attacks and directory traversal attacks
often occur in FTP applications [83]. The FTP bounce attack
exploits the PORT command in order to request access to
ports through another victim node, acting as a middle-man.
We note however that most modern FTP servers are configured
by default to refuse PORT commands in order to prevent FTP
bounce attacks. The directory traversal attack attempts to gain
unauthorized access to legitimate file systems by exploiting
any potential security vulnerability during the validation of
user-supplied input file names. In contrast to FTP, the SMTP is
an application-layer protocol designed for transferring e-mails
across the Internet, which, however, does not encrypt private
information, such as the login username, the password and the
messages themselves transmitted between the SMTP servers
and clients, hence raising a serious privacy concern. Moreover,
8
Wireless Attacks Wired Attacks
Comparison
Application attacks same Application attacks
Transport attacks same Transport attacks
Network attacks same Network attacks
MAC attacks different MAC attacks
PHY attacks different PHY attacks
Fig. 4. Comparison between the wireless and wired networks in terms of
security attacks at different OSI layers.
e-mails are frequent carriers of viruses and worms. Thus, the
SMTP attacks include the password ‘sniffing’, SMTP viruses
and worms as well as e-mail spoofing [84]. Typically, antivirus
software or firewalls (or both) are adopted for identifying and
guarding against the aforementioned application-layer attacks.
Table VII summarizes the aforementioned main attacks at the
application layer.
Finally, we summarize the similarities and differences be-
tween the wireless and wired networks in terms of their
security attacks at the different OSI layers. As shown in Fig. 4,
the application, transport and network-layer attacks of wireless
networks are the same as those of wired networks, since the
wireless and wired networks share common protocols at the
application, transport and network layers. By contrast, wireless
networks are different from wired networks in terms of the
PHY and MAC attacks. In general, only the PHY and MAC
layers are specified in wireless networking standards (e.g., Wi-
Fi, Bluetooth, LTE, etc.). In wireless networks, conventional
security protocols are defined at the MAC layer (sometimes
at the logical-link-control layer) for establishing a trusted
and confidential link, which will be summarized for different
commercial wireless networks in Section IV. Additionally, the
wireless PHY layer is completely different from its wireline
based counterpart. Due to the broadcast nature of radio propa-
gation, the wireless PHY layer is extremely vulnerable to both
the eavesdropping and jamming attacks. To this end, physical-
layer security is emerging as an effective means of securing
wireless communications against eavesdropping, as it will be
discussed in Section V. Next, Section VI will present various
wireless jamming attacks and their counter-measures.
IV. S ECURITY D EFENSE P ROTOCOLS AND PARADIGMS
FOR W IRELESS N ETWORKS
This section is focused on the family of security protocols
and paradigms that are used for improving the security of
wireless networks. As compared to wired networks, the wire-
less networks have the advantage of avoiding the deployment
of a costly cable based infrastructure. The stylized illustration
of operational wireless networks is shown in Fig. 5, where
the family of wireless personal area networks (WPAN), wire-
less local area networks (WLAN) and wireless metropolitan
area networks (WMAN) are illustrated, which complement
each other with the goal of providing users with ubiquitous
broadband wireless services [86]. The objective of Fig. 5 is
to provide a comparison amongst the WPAN, WLAN and
PROCEEDINGS OF THE IEEE
Network type
WMAN
WLAN
WPAN
Coverage area
Peak data rate
150Mb/s
100km
2Mb/s
1Gb/s
250m
100m
Bluetooth
Wi-Fi
WiMAX, LTE
Industrial standards
Fig. 5. A family of wireless networks consisting of the wireless personal
area network (WPAN), wireless local area network (WLAN) and wireless
metropolitan area network (WMAN).
WMAN techniques from different perspectives in terms of
their industrial standards, coverage area and peak data rates.
More specifically, a WPAN is typically used for interconnect-
ing with personal devices (e.g., a keyboard, audio headset,
printer, etc.) at a relatively low data rate and within a small
coverage area. For example, Bluetooth is a common WPAN
standard using short-range radio coverage in the industrial,
scientific and medical band spanning the band 2400-2480MHz,
which can provide a peak data rate of 2Mbs and a range of
up to 100 meters (m) [87]. Fig. 5 also shows that a WLAN
generally has a higher data rate and a wider coverage area
than the WPAN, which is used for connecting wireless devices
through an access point (AP) within a local coverage area. As
an example, IEEE 802.11 (also known as Wi-Fi) consists of a
series of industrial WLAN standards. Modern Wi-Fi standards
are capable of supporting a peak data rate of 150Mbs and a
maximum range of 250m [88]. Finally, a MAN is typically
used for connecting a metropolitian city at a higher rate and
over a lager coverage area than the WPAN and WLAN. For
instance, in Fig. 5, we feature two types of industrial standards
for WMAN, namely WiMAX and LTE [89], [90].
In the following, we will present an overview of the security
protocols used in the aforementioned wireless standards (i.e.,
the Bluetooth, Wi-Fi, WiMAX and LTE) for protecting the
authenticity, confidentiality, integrity and availability of legiti-
mate transmissions through the wireless propagation medium.
A. Bluetooth
Bluetooth is a short-range and low-power wireless network-
ing standard, which has been widely implemented in com-
puting and communications devices as well as in peripherals,
such as cell phones, keyboards, audio headsets, etc. However,
Bluetooth devices are subject to a large number of wireless
security threats and may easily become compromised. As a
protection, Bluetooth introduces diverse security features and
9
User Interface
General
Application Application Application Managament
Entity
RFCOMM
Security Service
(or other multiplexing protocol)
Manager Database
L2CAP
Device
Database
HCI
Link Manager/Controller
Query Registration
RFCOMM: Radio Frequency Communication
L2CAP: Logical Link Control and Adaptation Protocol
HCI: Host Controller Interface
Fig. 6. Bluetooth security architecture.
protocols for guaranteeing its transmissions against potentially
serious attacks [91]. For security reasons, each Bluetooth
device has four entities [92], including the Bluetooth device
address (BD ADDR), private authentication key, private en-
cryption key and a random number (RAND), which are used
for authentication, authorization and encryption, respectively.
More specifically, the BD ADDR contains 48 bits, which
is unique for each Bluetooth device. The 128-bit private
authentication key is used for authentication and the private
encryption key that varies from 8 to 128 bits in length is used
for encryption. In addition, RAND is a frequently changing
128-bit pseudo-random number generated by the Bluetooth
device itself.
Fig. 6 illustrates the Bluetooth security architecture, where
the key component is the security manager responsible for
authentication, authorization and encryption [91]. As shown
in Fig. 6, the service database and device database are mainly
used for storing the security-related information on services
and devices, respectively, which can be adjusted through the
user interface. These databases can also be administrated by
the general management entity. When a Bluetooth device
receives an access request from another device, it will first
query its security manager with the aid of its radio frequency
communications (RFCOMM) or other multiplexing protocols.
Then, the security manager has to respond to the query as to
whether to allow the access or not by checking both the service
database and device database. The generic access profile of
Bluetooth defines three security modes:
(I) security mode 1 (non-secure), where no security proce-
dure is initiated;
(II) security mode 2 (service-level enforced security), where
the security procedure is initiated after establishing a link
between the Bluetooth transmitter and receiver;
(III) security mode 3 (link level enforced security), where
the security procedure is initiated before the link’s establish-
ment [91].
In Bluetooth systems, a device is classified into one