New Way to ID Invisible Intruders on Wireless LANs

Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries, instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that when used together can detect both attackers and configuration mistakes in network devices."

Doesn't seem to practical

[faloi]

The description is, basically, they use the signal strength and round trip times of the signals to figure out if someone unauthorized is on your network. The downside is that, in large corporate wireless networks, I would think people tend to be pretty mobile and there won't be a reliable indicator that the odd signal from slightly too far away isn't just somebody who remembered one last thing on the way to their car. Smaller wireless networks aren't likely to care enough to spend the time it takes to tell.

It's an interesting idea, but I have a hard time seeing it become widespread.

Re:Doesn't seem to practical

[cyriustek]

Whislt you have somewhat of a point, the odd occasion where one may forget something and try to access the LAN at his car is an outlier to the data set. If the system notices someone from that location connecting to the network, and can either force a new authentication event requiring a local cert, or can simply shut down the AP the external person is connecting to. (Preferably shutting it down.)

As an aside, the company can also have a policy explicitly forbidding access from the parking lot. If what they had to do is so important, they can either go into the building, or wait until they are home and use their VPN connection.

"detect eavesdropping"

[Anonymous Coward]

Yeah, right, detect eavesdropping. Any other snake oil you want to sell?

Re:Signal roundtrip times is the tipoff

[Silver Sloth]

But leave the router open, wouldya?

No, I won't.

I don't wan't anyone not authorised by me on my network. I see no reason why I 'ought to be required to provide this service to all listeners'. Sorry, my network, my rules.

How is this ground breaking?

[computerchimp]

1) hopping from one router to another is detected via traditional means
2) higher than average roundtrip times are noticed via traditional means
3) signal is triangulated via traditional means to put a location on a suspected signal.

A new but an obvious proceedure that someone has decided to put to paper and product. It is a nice product to notice but this is about as ground breaking as peanut butter and chocolate.

CC

Re:Signal roundtrip times is the tipoff

[X0563511]

What I love is that (the summary at least) article states you can use this to see if someone is monitoring your network.

Excuse me? How in the hells would you tell of someone was passively reading incoming radio waves? Isn't that the point of active vs passive radar systems, for instance? You can't!

Re:Virtually impossible?

[cbiltcliffe]

and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

If the intruders were invisible, how would you see them in logs and IDS? They're invisible. Passive monitoring won't show up in any logs. I know, because I do it sometimes as part of my security service to my customers. You can break into a WEP-encrypted moderate-traffic wireless network without sending a single packet. Once you're in, you can capture all traffic on that network and save it, again, without sending a single packet.
WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own.

Using the Storm botnet as an example:

There were estimates that put the botnet as large as 50,000,000 computers. Having done WPA-PSK key cracking on a P4 1.6 laptop, it can run around 30 passphrases/second. My desktop is significantly faster, although I haven't actually tried PSK cracking on it. I'd assume probably 45 / second or more. It's not a state of the art machine, by any means. Probably about average.

So if we assume an 8 character random passphrase, (which is all a lot of people will use, so it's easier to remember) that you can type on your keyboard, (again, who's going to use Alt-Numpad combinations?) there are 96 possible keystroke characters that can make up each byte. 96^8 = 7213895789838336 possible password combinations.
Assuming 45 passphrases / second for each machine, it will take, using this botnet, just over 37 days to break that password. That's assuming the most complex password possible for 8 characters. Realistically, you can take out any special character that's not in 13375p3@k, and for most all you'd need is numbers and letters. That'll cut your time significantly.
Yes, that's only an 8 character password, which will take 96 times as long to break with only 1 extra character, but how many people, who don't use their full allotment of 63-characters of randomness, are going to use something like "password", "dave sucks", "fleabert" (name of their cat), or even "fleabert scratches too much" as their passphrase?
Now you've got standard words, which can easily be pulled from a dictionary and put together in different combinations until the passphrase is cracked. Trivial, with enough computing power. And unfortunately, the only people who have access to that kind of computing power, are (I shudder to use the word) cybercriminals.

Re:Virtually impossible?

[morgan_greywolf]

Of course, any security can be cracked... I personally use a shared key that is significantly longer than that. adding 1 extra character over 8 makes it 96^9, but adding, say 3 extra characters makes it 6382393305518410039296 possible password combinations, which would take that same botnet like 90,000 years to crack.

Oh, yeah, and bear in mind: those 50,000,000 would all have to be in range of the access point and would have to not overwhelm the access point. Even the best Cisco Aironet equipment isn't going to handle that kind of load.

Re:Signal roundtrip times is the tipoff

[jasen666]

Because if they download kiddie pr0n, it's *MY* IP address that gets logged, and my house the FBI raids looking for said kiddie pr0n.
Not worth the risk to be a good Samaritan to the neighbor's who can't afford their own internet.

Re:eavesdropping

[Ungrounded Lightning]

You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that?

Your firmware might react to being associated with a network enough to eavesdrop it by also responding to low-level configuration traffic. If that happens, even if you don't send any data the firmware may respond to probes, letting the network know you're listening.

If you're truly eavesdropping you're undetectable. But do you know what the vendor put in the binary blob?