Possible attack vectors
- MAC spoofing
If an attacker can change his MAC address as desired, he can bypass the authentication process theoretically. However, instead of needing to acquire an access key, he now needs to acquire an IP address/ MAC address combination which was already granted access. This information could be gained by passive sniffing of DHCP traffic, however the existence of two identical link layer and network layer addresses on the same network should not go unnoticed for long. And we ruled this ability out up front, anyway :)
- DNS Tunneling
An attacker could gain unpriviledged access to the Internet by tunneling his data through the domain name system. Although there is no easy way to prevent that kind of attack, this method requires a fairly substantial amount of knowledge, preparation and network resources, all of which only a few people can be assumed to have.
- AP spoofing
An attacker could setup his hardware as a WLAN master node himself, hoping that other customers would join his network instead of ours, not noticing the difference. He then could in theory gather access information from them in order to use it at a later time to authenticate himself. However, customers who bought access time would complain quickly if they were not able to access the Internet after having authenticated themselves, so the problem could be recognized fast. There still is the possibility of someone bringing two WLAN cards at once, one for spoofing the hotspot and gathering information, the other to log into the real hotspot and relaying the paying customers traffic, thus gaining a free ride.
As expected, our network setup is not 100% secure. However, the large majority of users will have no easy way to bypass the authentication scheme. At least until MS Windows MAC-spoofing software becomes commonplace.
