(IJCNS) International Journal of Computer and Network Security, 1

Vol. 1, No. 3, December 2009

Suggestion of New Core Point of Attacks on

IEEE 802.16e Networks: A Survey
Adnan Khan Akhunzada1, Saeed Murtaza2, Ahmad Raza Cheema3 and Arif Wahla4

School of Telecommunication
National University of Science & Technology (NUST), PK

1
Dr.adnan111@gmail.com, 2Shoazib@yahoo.com, 3Ahmad-mcs@nust.edu.pk, 4 Hod-is@mcs.edu.pk

Abstract: This paper presents a survey of unaddressed security
vulnerabilities found in IEEE 802.16e networks. Especially the
vulnerabilities leading to denial of service (DoS) attack on IEEE
802.16e based network are discussed in detail. These
vulnerabilities include unprotected network entry, unencrypted
management communication, unprotected management frames,
weak key sharing mechanism in Multi- and Broadcast operation.
Moreover, the paper suggest a new core point of attacks on
802.16e networks i.e. the list of twenty unauthenticated
management frames which are sent in clear. These
unauthenticated management frames will be the cause of
different kinds of serious threats in the coming near feature. A
new practical scenario based attack regarding Reset command
(RES_CMD) message leading to DoS attack has also been
identified in this paper.
Keywords: WiMAX, IEEE 802.16e security, DoS Attacks,
multi- and broadcast service, shared key vulnerability, hash
chaining solution
. The MS sets up a security association (SA) for each data
1. General Introduction.
When bandwidth requirement is combined with ease and
portability, the answer is Broadband wireless access
(BWA).BWA has been developed to meet fast growing
bandwidth requirements for WLANS and has some
inherent security and design flaws that made it unsuitable
for city wide deployment. In 1999 the working group of
IEEE 802 was setup to develop a new standard of BWA for
MAN namely IEEE 802.16 [1].
IEEE 802.16 was approved by the IEEE in 2001. It was
revised several times and ended in the final standard
IEEE
802.16-2004 which corresponds to revision D and is often
called Fixed WiMAX [2]. It defines Wireless Metropolitan
Broadband access for stationary and nomadic use. This
means end devices can not move between base stations
(BS) but they can enter the network at different locations.
An extended version IEEE 802.16e was developed to
support mobility and is often called Mobile WiMAX
[3].Mobile WiMAX introduces new features like different
handover types, power saving methods and multi- and
broadcast support and eliminates most of the security
vulnerabilities exposed in its predecessors [3]. It uses EAP-
based mutual authentication, a variety of strong encryption
algorithms, nonce’s and packet numbers to defend against
replay attacks and reduced key lifetimes. Initially some
important parts of the functionality of Mobile WiMAX are
introduced. Afterwards different security vulnerabilities
are discussed & at the end the list of twenty
unauthenticated management frames are shown which are
susceptible to different kinds of threats.
1.1 Key management in 802.16e
communication it wants to establish in a 3-way TEK
Exchange processed at initial network. Security association
manages the keys for data encryption (the TEKs), their
lifetimes and other security associated parameters of this
connection. It also includes a TEK state machine which is
used to periodically refresh keying material before the life
span of a TEK expires. To request new keying material the
state machine sends a key request to the BS which
responds with a key response including a new TEK. This
transferred TEK is encrypted by a key encryption key
(KEK) which is derived from AK and is globally used to
decrypt received keys of all SAs. To avoid communication
interruption each SA simultaneously holds two TEKs.
When one TEK expires the second one is used for traffic
encryption and a new one is requested.

Figure 1: The standard request/reply mechanism compared with the MBRA

2 (IJCNS) International Journal of Computer and Network Security,
1.2 Multi- and Broadcast Service (MBS)
IEEE 802.16e has introduced services for multicast and
broadcast communication .This allows the BS to distribute
data simultaneously to multiple MSs and uses a common
group traffic encryption key (GTEK) for traffic en-
/decryption to secure the broadcast communication. Every
group member must know this key. Algorithms used for
sharing the GTEK between MS and BS are shown in
Figure 1. The mandatory key request / reply mechanism
and the optional Multi- and Broadcast Rekeying Algorithm
(MBRA). In the standard request/reply mechanism a MS
has to manage the GTEK update by itself i.e. to request
new keying martial before the old key expires while in
Multi- and Broadcast Rekeying algorithm (MBRA), the
keys are managed by the BS. The BS broadcasts one Key
Update Command message to all MSs, if a key lifetime is
going to expire. This saves a lot of bandwidth as GTEKs
are updated very frequently. It is also distributed by a Key
Update Command message, but in a unicast way encrypted
by the MS-related KEK. If a MS has not received a new
key after a specific time, it requests keying material
according to the standard request/reply mechanism. This is
also done if the authentication value of a Key Update
Command message is not valid.
1.3 Existing Analysis for WiMAX Security
Fixed WiMAX security was analyzed in several papers
[3]. With the publication of the Mobile WiMAX revision,
most of these vulnerabilities were solved. The security of
IEEE 802.16e has only been evaluated by a few papers [4].
[5] Examined the 3-way TEK exchange and the
authorization process and could not find any security flaw.
Also [6] analyzed the key management protocol using
protocol analyzing software and did not notice any
problem. The multi-and broadcast service was examined
by [7] by applying a protocol analyzing tool. He found out
that security of the MBS is based on a few parameters
which need to be implemented properly for complete
protection. It is also pointed out that the Interoperation
with other protocols could be a security problem if these
protocols have lower security characteristics.
2. Vulnerabilities in IEEE 802.16e.
This section highlights vulnerabilities present in Mobile
WiMAX by our analysis. These vulnerabilities are:
2.1. Lack of authenticated management frames
Mobile WiMAX includes some unauthenticated
management frames. An SS has no way to know that the
message forwarded is from genuine BS or from an
adversary.
2.2. Absence of encryption in management
communications
The complete management communication between
mobile station and base station is unencrypted and sent in
clear. A potential adversary can listens to the traffic with
Vol. 1, No. 3, December 2009
freely available tools and can collect lots of information
about both instances.
2.3. Shared keys in the multi- and broadcast Service
For symmetric traffic encryption, the multi-and broadcast
service in Mobile WiMAX shares keying material with all
group members. This introduces the vulnerability that
group members can forge messages or even distribute own
traffic keying material, thus controlling the multi- and
broadcast content.
2.4. Unprotected initial network entry
The complete network entry procedure between BS and
SS/MS is unprotected. An adversary can not listen to the
traffic only but can also use the information to forge
different kinds of management frames, e.g. an attacker can
forge the (RNG-RSP) messages to manipulate different
settings of SS/MS.
3. Possible Denial of Service Attacks on IEEE
802.16e Networks.
(HMAC) [8] or Cipher Based Message Authentication
Code (CMAC) [9] have been proposed to provide integrity
to the majority of management massage. However, some
messages are not provided by any authentication
mechanism. This introduces some vulnerability.
Authentication of broadcasted management messages is
hard since there is no common key to generate message
digests. Moreover, a common key would not entirely
protect the integrity of the message as mobile stations
sharing the key can forge these messages and generate
valid authentication digits. Maximum DoS vulnerabilities
stem from unprotected management frames
3.1. Unprotected management frames
Following are some of the possible denial of service attacks
based on management frames on IEEE 802.16e networks.
We will first briefly explain the purpose of message than
discuss possible DoS attacks based on the message. icity.
3.1.1. Power Control Change Request (PMC-REQ)
Message
The power control mode of a MS can be changed by
sending a Power Control Mode Change Request
(PMC_REQ) to BS. The BS then respond with the power
control mode change response (PMC_RSP) message. This
message can also be sent by the BS in unwanted manner to
change MSs Power control mode. It also includes the
power adjustment value that should be arranged by the
MS. The PMC_REQ message can be used by an opponent
to request an undesired change of an MSs Power control
mode. The message is accepted as if it came from the
genuine MS. Vulnerability regarding forgery of the Power
Control Mode Change Response (PMC_RSP) message
sent from the BS can openly be used an adversary to
change the power control mode of the MS and also adjust
its transmission power with the intention to interrupt the
communication.
 (IJCNS) International Journal of Computer and Network Security, 3
3.1.2. Mobile Neighbor Advertisement (MOB_NBR-
ADV) Message
Neighbor advertisement message (MOB_NBR-ADV) is
also not authenticated used by the serving BS in order to
announce the characteristics of neighbor BS to MSs
seeking for handover possibilities. An opponent is able to
keep back individual BSs by omitting information about
their existence when he forges this message. This prevents
MSs to handover to BSs which might have better
characteristics as their serving BS and can also distribute
wrong data about neighbor BSs or announce non existing
BSs.
3.1.3. Fast Power Control (FPC) Message
Unauthenticated broadcasted Fast Power Control (FPC)
message is sent by the BS to one or multiple MS to adjust
their transmitting power. It is possible to decrease the
transmitting power of all reachable MSs to a minimum so
that it is too low to be recognized by the BS. Another
misuse of the message is to set the transmitting power of
all MSs to the maximum with the objective to stress their
batteries.
3.1.4. Mobile Traffic Indication (MOB_TRF-IND)
Message
Traffic Indication message (MOB_TRF-IND) is one of the
broadcasted and unauthenticated management messages. It
is used by the BS to awake a sleeping MS that there is
traffic destined to it. So the MS is waked up from sleep
mode. An active adversary could use this message to
frequently wake up MSs and stress their battery.
3.1.5. Multicast Assignment Request (MSC-REQ)
Message
Multicast Assignment Request message (MSC-REQ) an
unauthenticated unicast message used by BS to remove a
MS from a multicast polling group and subsequently sends
a response back to the BS. This exchange is done using the
primary management connection between BS and MS. A
polling group is a group of MS which can get bandwidth
from the BS through a polling mechanism. An attacker can
easily remove MSs from polling groups due to no
authentication. If a MS is detached from a polling group, it
has to use the compulsory contention based bandwidth
allocation algorithm which results in a greater uplink
delay.
3.1.6. Down Link Burst Profile Change Request
(DBPC-REQ) Message
The Downlink Burst Profile Change Request message
(DBPC-REQ), the BS sends this message to change the
MSs burst profile to a more robust or a more effective one.
This message does not have any authentication and
integrity protection mechanism.
Adversary can temporarily break the communication
between MS and BS by changing MSs Burst profile
(modulation encoding etc) so that it is not possible for the
MS to demodulate the data received from the BS.
Vol. 1, No. 3, December 2009
3.1.7. Mobile Association Reply (MOB_ASC-REP)
Message
The association result report (MOB_ASC-REP) is another
unauthenticated message with no integrity protection. An
active adversary can change arbitrary response data in the
message like time or power adjustments. Moreover the
message includes the service prediction of the BS which
advertises the services the BS can offer to the MS. Here an
opponent can forge the message in a way that it looks like
no services are being offered for the requesting MS.
3.1.8.Ranging Request (RNG-REQ)Message
Ranging Request (RNG-REQ) message is an
unauthenticated, unencrypted and stateless. Hence this
message has great potential to be used as follows.
1. Attacker can launch a water torture Dos attack by
changing power level to a maximum effectively reducing
its battery life.
2. Attacker can change the SSs downlink channel to
different frequency range and has multiple facets [9].
3. An adversary can shift only uplink channel to interrupt
the communication between SS and BS.
4. An attacker can forge this message the power level of
SS to minimum, so that it can barely transmit to BS
triggering initial ranging procedure repeatedly [9].
3.1.9. Authorization request (AUTH_REQ) message
This message is well protected with nonce and digital
signature of SS/MS. This message is not prone to Dos
attack but still it is vulnerable to replay attack because BS
has no way to know that whether it is fresh or it is
replayed. Many researchers suggested using timestamps
instead of nonces in order to eliminate this vulnerability
[10]. It is also eliminated using sequence number by our
suggestion.
3.1.10. Authorization invalid (Auth_invaled)
message.
This message is itself not protected with HMAC/CMAC
properly. Therefore it has a great potential to be used as a
Dos tool to invalidate legitimate subscriber MSs [9]
3.1.11. Reset command (RES-CMD) Message
This message is used to orders an MS to reinitialize its
MAC state machine. The aim of sending this message is to
allow a BS to reset a non responsive or malfunctioning
SS/MS. It is protected with HMAC which allows the
recipient to check the authenticity of the message.
But still problem may ensue from this message.Consisder
the following step by step scenario.
a. Attacker synchronize with network to receive UL-
MAP message
b. Bandwidth is allocated as CID so attacker chooses
a victim CID and its burst profile from UL-MAP.
c. Next step is to transmit at scheduled time with
scheduled modulation scheme.
d. Rather then rejected by noise filter, the signal will
4 (IJCNS) International Journal of Computer and Network Security,
be qualified as intelligible.
e. Depending up on the signal strength of both the
SS’s, the signal will be either degraded or
completely unintelligible.
f. If this continues, the BS will assume that
the victim is malfunctioning and will issue
RES- CMD.
After resetting, the attacker may start RNG-RSP attack
as mentioned in earlier or may become a rouge BS of
the victim by spoofing BSID.
3.1.12. SS Basic Capability Request (SBC-REQ)
message
This message is used by the SS during basic connection.
Since this message and the response of this message i.e.
(SBC-RSP) SS Basic Capability Response sent by BS is
both unauthenticated and not provided with any integrity
protection mechanism. An active adversary can misuse
these messages and can forge the information for a
potential attack.
There are other non-authenticated messages but a forgery
of their carried information can be considered as less
dangerous for the operability of the protocol.
3.2. Unencrypted management communication
In Mobile WiMAX management messages are still sent in
the clear. The resulting risk shall be outlined in this
section. When a MS performs initial network entry it
negotiates communication parameters and settings with the
BS. Here a lot of information is exchanged like security
negotiation parameters, configuration settings, mobility
parameters, power settings, vendor information, MSs
Capabilities etc. Currently the complete management
message exchange in the network entry process is
unencrypted and the above mentioned information can be
accessed just by listening on the channel. The only
messages which are encrypted are key transfer messages.
But in this case only the transferred key is encrypted, all
other information is still sent in the clear. An adversary
collecting management information can create detailed
profiles about MSs including capabilities of devices,
security settings, associations with base stations and all
other information described above. Using the data offered
in power reports, registration, ranging and handover
messages, a listening adversary is able to determine the
movement and approximate position of the MS as well.
Monitoring the MAC address sent in ranging or
registration messages reveals the mapping of CID and
MAC address, making it possible to clearly relate the
collected information to user equipment.
3.3. Shared keys in Multi- and Broadcast Service
Mobile Wi-max present the service of PMP (point to
multipoint) i.e. to distribute data to multiple MS with one
single message through multi and broadcast services.
IEEE 802.16e Broadcasted messages are encrypted
symmetrically with a shared key. Every member in the
group has the key and thus can decrypt the traffic because
Vol. 1, No. 3, December 2009
message authentication is based on the same shared key.
Every group member, besides decrypting and validating
broadcast messages, can also encrypt and authenticate
messages as if they originate from the genuine BS.
The distribution of the traffic encryption keys (GTEKs)
when the optional Multi-and Broadcast Rekeying
Algorithm (MBRA) are used is more challenging feature.
Due to broadcasting, the GKEK must also be a shared key
and every group member knows it. Thus an active
adversary group member can use it to generate valid
encrypted and authenticated GTEK key update command
messages and distribute its own GTEK. Every group
member would set up the adversary’s key as a valid next
GTEK. Consequently all traffic sent by the genuine BS can
no longer be decrypted by the MS. From an MSs
Viewpoint only traffic from the adversary is valid.
4. List of 20 Unauthenticated
Management Frames:
We will conclude our discussion by showing a list of 20
unauthenticated management frames which presents Type
of the message, Message name, Message description, sent
by, connection and Authentication. Sent by field shows
that management frame is either sent by BS or MS.
Authentication filed shows that either it is
cryptographically authenticated or not. Since all these
messages are totally unauthenticated so these management
frames are susceptible to different kinds of serious threats.
All though IEEE 802.16e networks have a very promising
architecture but still there are some design flaws and
inherent weaknesses. After deep study of 802.16e networks
I found a list of some management frames which are
totally insecure in term of their authentication,
confidentiality, and integrity. An active adversary can
generate serious kinds of malicious attacks using these
management frames.
5. Conclusion
Although IEEE 802.16e has a very robust and promising
Security Architecture, there are still some flaws which
need to be ironed out. In this paper, Vulnerabilities
exposing to IEEE 802.16e networks to DoS attack are
explored comprehensively. . At the end, a list of some of
unauthenticated management frames are shown and must
be properly secured by some cryptographic mechanism
which provides confidentiality, authentication and integrity
known as “CIA” trade in the field of security. Since a
group of IEEE is working on the next draft of this protocol
(802.16 e). There is a window of opportunity to improve
the security measures of the IEEE 802.16 standard before
WiMAX certified equipment has been built and sold by the
millions. Changes need to be made before there are many
“legacy” WiMAX branded systems in customer hands and
while there is still time to ensure interoperability with the
earliest equipment. Thus all these deficiencies must be kept
in mind while designing the next draft of IEEE 802.16e
protocol.
 (IJCNS) International Journal of Computer and Network Security, 5
Vol. 1, No. 3, December 2009

Message Message Description

Type Sent By Connection Authentication
Name
0 UCD Uplink Channel Descriptor BS Broadcast None
Downlink Channel
1 DCD BS Broadcast None
Descriptor
2 DL-MAP Downlink Access Definition BS Broadcast None

3 UL-MAP Uplink Access Definition BS Broadcast None

Initial Ranging or
4 RNG-REQ Ranging Request SS None
Basic
Initial Ranging or
5 RNG-RSP Ranging Response BS None
Basic
DBPC- Downlink Burst Profile
23 SS Basic None
REQ Change Request
Downlink Burst Profile
24 DBPC-RSP BS Basic None
Change Response

26 SBC-REQ SS Basic Capability Request SS Basic None

SS Basic Capability
27 SBC-RSP BS Basic None
Response
Config File TFTP Complete Primary
32 TFTP-RSP BS None
Response Management
ARQ-
33 Standalone ARQ Feedback BS or SS Basic None
Feedback
ARQ-
34 ARQ Discard message BS or SS Basic None
Discard

35 ARQ-Reset ARQ Reset message BS or SS Basic None

Channel measurement
36 REP-REQ BS Basic None
Report Request
Channel measurement
37 REP-RSP SS Basic None
Report Response
Varies (Reject
MSH- Mesh Network
39 BS or SS Broadcast message is not
NCFG Configuration
authenticated)
MSH-
41 Mesh Distributed Schedule SS Broadcast None
DSCH
MSH-
42 Mesh Centralized Schedule BS Broadcast None
CSCH
MSH- Mesh Centralized Schedule
43 BS Broadcast None
CSCF Configuration
AAS- None (uses
44 FBCK- AAS Feedback Response BS Basic Request serial
REQ numbers)

Figure 2: List of Unauthenticated Management Frames.

6 (IJCNS) International Journal of Computer and Network Security,
Vol. 1, No. 3, December 2009

[9] Dworkin M.: Recommendation for Block Cipher Modes

References of Operation: The CMAC mode for authentication,
NIST special publication 800-38B, National
[1]IEEE std. 802.16-2001,”Local and Metropolitan area Institute of Standards and Technology (NIST), MD,
networks, part 16: Air interface for fixed broadband USA, 2005.
Wireless access system,”2001. [10] Krawczyk H., Ballare M., Canetti R.: HMAC: Key-
Hashing for Message Authentication, RFC 2104,
[2] IEEE Std. 802.16-2004, IEEE Standard for Local and http://www.ietf.org/rfc/rfc2104.txt, IETF, 1997.
Metropolitan Area Networks, part 16, Air Interface for [11] Huijie Li, Guangbin Fan, Jigang Qui and Xiaokang
Fixed Broadband Wireless Access Systems, IEEE Lin:”GKDA: A Group Based Key Distribution
Press, 2004. Algorithm for WIMAX MBS Security”.
[3] IEEE Std. 802.16e-2005, IEEE Standard for Local and [12]Diffie, W. Hellman, M: New directions in
Metropolitan Area Networks, part 16, Air Interface for cryptography.IEEE Transactions on information
Fixed and Mobile Broadband Wireless Access theory 22,644-654 (1976).
Systems, IEEE Press, 2006. [13]Taeshik Shon, Wook Choi: An Analysis of Mobile
WiMAX Security: Vulnerabilities and Solutions, First
[4] Johnston D., Walker J.: Overview of IEEE 802.16
International Conference, NBiS 2007, LNCS, Vol.
Security, IEEE Computer Society, 2004.
4650, pp. 88-97, 2007
[5] Data A., He C., Mitchell J.C., Roy A., Sundararajan
M.: 802.16e Notes, Electrical Engineering and
Computer Science Departments, Stanford University,
CA, USA, 2005, available at http://www.iab.org/
liaisons/ieee/EAP/802.16e Notes. PDF [6] Yuksel E.:
Analysis of the PKMv2 Protocol in IEEE 802.16e-
2005 Using Static Analysis Informatics and
Mathematical Modeling, Technical University
Denmark, DTU, 2007, available at http://www.2imm.
dtu.dk/pubdb/ views/publication_details.php?id=5159
[7] Ju-Yi Kuo: Analysis of 802.16e Multicast/Broadcast
group privacy rekeying protocol, Stanford University,
CA, USA, 2006, available at http://www.stanford.
edu/class /cs259/projects/project01/01-Writeup.pdf
[8] Andreas Deininger, Shinsaku Kiyomoto, Jun
Kurihara, Toshiaki Tanaka :Security
Vulnerabilities and
Solutions in Mobile WiMAX ,IJCSNS International
Journal of Computer Science and Network Security,
VOL.7 No.11, November 2007