802.11 WiFi Denial of Service Exploit Discovered
CRC'99 writes "The Queensland University of Technology has today announced yet another flaw in 802.11 products. AusCERT has the official statement, noting: 'An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult.' Nice to know that a simple PDA could bring a WiFi network to its knees."
All your base station are belong to us (Score:5, Insightful)
Re:All your base station are belong to us (Score:2)
Just because an exploit is found in WiFi... Oh my god, seems like most energy is put into breaking stuff!
Be happy that this problem has now been given attention and don't be so damn negative.
Re:All your base station are belong to us (Score:2)
Re:All your base station are belong to us (Score:5, Insightful)
The alternative would be widespread adoption without any real security and a few nutcases having the possibility to break _and_ abuse the tech without anyone having the slightest idea of its insecurity.
Re:All your base station are belong to us (Score:2, Funny)
jammers? (Score:5, Interesting)
Re:jammers? (Score:4, Interesting)
This sounds more subtle, working with the data side of the network and confusing the nodes, rather than just squashing the RF.
Re:jammers? (Score:5, Funny)
A jammer - in the specific sense of a white-noise transmitter - wouldn't give a 'denial of service' style attack. It would drown out the other transmitters, thus fooling your device into thinking that there is no network available. Perhaps we should call it a Lack of Carrier Attack? Splitting hairs, I know ;).
That, and using a PDA and a network card is a much geekier - and thus more interesting - way of doing it. Jammers are soooo 80's.
Re:jammers? (Score:4, Funny)
Re:jammers? (Score:3, Insightful)
In what way is that not a denial of service? It denies the clients access to the access point service, in the same way as a bomb in a datacentre denies all the clients from contacting the servers there.
Re:jammers? (Score:5, Informative)
Re:jammers? (Score:2, Interesting)
A jammer is pumping out a lot of power to swamp the radio frequencies and would be trivial to trace (all you need is a directional antenna). This is more akin to poisoning a lake: you know something is wrong (all the dead fish are a clue), but tracking down the source of the poison is hard; it could be anywhere in the lake. One way to find the DoS would be to switch off
Re:jammers? (Score:2)
Like a cheap 2.4GHz cordless phone. Includes a mobile power source (battery) and everything for $25.
Re:jammers? (Score:2)
I wonder... (Score:2, Insightful)
And of course, how long will it take before the manufacturers have a firmware update for this? It seems that most firmware updates only add extra functionality to gain an edge over the competitors, but basic stuff like optimisation is kind of a non-issue. I'm crossing my fingers this will be fixed shortly, but I'm having doubts about it.
Re:I wonder... (Score:5, Informative)
from the article:
At this time a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS.
Re:I wonder... (Score:2, Funny)
Daniel
Re:I wonder... (Score:2)
Daniel
Re:I wonder... (Score:2, Informative)
Good catch. I was taught about this flaw a few years ago in my first wireless class. I remember my teacher saying, "...and that's why you should never put a mission critical network on wireless."
It made sense to me, so I filed it in the back of my mind and we went on. Wireless is the case that proves the rule of functionality over security.
Re:I wonder... (Score:3, Interesting)
From the AUSCERT advisory:
I found a major flaw too (Score:4, Funny)
Re:I found a major flaw too (Score:2)
No witnesses!
Re:I found a major flaw too (Score:5, Funny)
I then use Outlook to open an attachment from an unknown source.
Why? (Score:2, Insightful)
Re:Time is Money (Score:2)
Less than the cost of some cheap 24-port switches and a few thousand feet of Ethernet to manually wire everything.
Re:Time is Money (Score:2)
According to XE.COM, 1 AUD = 0.955264 CAD
According to TigerDirect.ca
$104.99 CAD Gigafast - EE2400-SV - 10/100Mbps 24-Port Switch
$132.99 Cables Unlimited - Cable Network Kit with 1000' CAT5 Grey UTP, RJ45 Micron Connectors and Crimp Tool
$83.99 Cables To Go - 1000' Roll Cat5e Grey UTP
If you don't have NICs already (most PCs do these days), add another $11/NIC, or another $500ish.
So we're only talking 2*104.99+132.99+2*83.99, or $510.95CAD or about $534.88AUD. Up to around $1000 if you need N
Exactly how is this surprising? (Score:5, Insightful)
Re:Exactly how is this surprising? (Score:3, Informative)
That would be the, er, etherkiller [fiftythree.org]! (Also AUI killer, VGA killer, BNC killer, etc, etc, etc on that link!)
Re:Exactly how is this surprising? (Score:2)
Re:Exactly how is this surprising? (Score:3, Insightful)
I think the scary part of this is supposed to be the fact that one can bring down the network using nothing more than off-the-shelf hardware and a little custom software. Worse, it's hardware that is indistinguishable from what a legitimate user might have.
Let's say, for instance, that I want to bring down the hotspot at my local Starbucks. It would probably be suspicious (or at least fu
Re:Exactly how is this surprising? (Score:2)
Don't you think they'd notice the weirdo in the parking lot pointing a Pringles can at the hospital?
Re:Exactly how is this surprising? (Score:2)
Not if it's a mental hospital.
Re:Exactly how is this surprising? (Score:2)
That's amazing, considering that I have never once been able to use a wireless device within twenty feet of an operating microwave.
Re:Exactly how is this surprising? (Score:5, Interesting)
Because I can't carry a microwave around in my pocket, and it would require some significant source of electricity. This requires only a PDA, and presumably doesn't drain its batteries in a matter of seconds the way RF jamming would.
Honestly, this isn't as useful an attack as some of the targeted ones (see a paper written by Bellardo and Savage) where you can knock a specific individual off the net (and then potentially reconnect them to your own "access point".) But it still has some advantages over brute-force jamming.
Re:Exactly how is this surprising? (Score:2)
And all you would do is block that specific port, the rest of the net would remain fully functioning (ethernet ports are galvanically isolated).
Re:Exactly how is this surprising? (Score:2)
No workaround... (Score:3, Interesting)
This could be a huge problem. Let's say you have a business where you have high sales volumes at certain times, with these times determined by unknown external factors (like a stock broker). If your network is down at those critical times, you loose business and money. Now all your competition needs to do is take out your network during one of these critical times, and all your customers will turn to them.
Re:No workaround... (Score:3, Informative)
Re:No workaround... (Score:2)
I hold the firm belief that people who don't have a very good understanding of the security concerns should never be allowed to set up any wireless kit. At least bad security on the wire requires the attacker to actually have physical access to the wire.
[Grammar-Nazi] "Lose", not "loose". (Score:3, Informative)
Well, duh (Score:2, Insightful)
Why WiFi? (Score:2, Interesting)
I know people who have dial-up internet connections and two or three computers, none of them laptops, but still use WiFi in preference to RJ-45. (In fact I know people who connect one fixed computer to its dial-up with WiFi, 'cause RJ11 phone cable is ugly.)
It's very fashionable, but doesn't seem to work very well. Everyone I know with a WiFi home network has had problems with it.
That said, the idea of free connections in cafes would be cool if there were more of them...
Re:Why WiFi? (Score:2)
Your cables don't get chewed on by the toddler.
Re:Why WiFi? (Score:2)
I have a wifi network at home, and my father does too. Neither of us have had any problems with it, ever. We both have portables, and the network reaches everywhere in the house where we would want it to go. It's very nice. If you're in the house with your portable, you have a connection, simple as that.
Re:Why WiFi? (Score:2)
Yes, you can make RJ-45 unobtrusive, if you spend money and work hard at it. Or you can just buy a cheap wifi base station and wireless card. For some people, even with a desktop computer, the extra money is worth the convenience. If you have a portable, I can't imagine not usi
Flexibility and where to run cables... (Score:2)
My dad wanted to use one in the living room though. It was a good 20m worth of cabling, and you'd need to drill through a couple places. Not pretty, nor easy. Then again, turned out the wireless coverage got crappy at that distance (10-12m, 2 walls including one with closet) so we'd have to lay cable anyway, to set up an AP closer. Either that
Re:Flexibility and where to run cables... (Score:2)
Re:Why WiFi? (Score:2)
Another link... (Score:5, Informative)
http://news.com.au/common/story_page/0,4057,95497
Beware the (sometimes flash) ads.
For more information: (Score:5, Informative)
what's the news (Score:3, Interesting)
seriously, and i haven't even read the article yet, what could possibly be the news here. i'm imagining that, what, certain tiny packet sequences have a disproportionately large disruptive impact on the protocol by causing extended resets and delays? how is that any different from the recent tcp packet spoofing attacks except in free space?
it would still be easier to get a big antenna and a transceiver and just blanket the spectrum.
move along, nothing to see here.
request for comment (Score:3, Informative)
Spark Gap? (Score:2, Insightful)
Classifieds (Score:3, Funny)
So you want to DOS a wifi ?? (Score:5, Interesting)
The cheaper, the better.
Want to screw your neighbor over?
take the cover off the oven and turn it on.
Just don't be in the same room when you throw the switch, sort of like when the executioner lights up a prisoner in "Old Sparky"...
Pick one up off the side of the road and then do a google site search on
Have fun kiddies!!
Re:So you want to DOS a wifi ?? (Score:3, Informative)
Don't know much about microwaves, do you?
"Not being in the same room" means nothing. I can do that and stand directly behind the microwave; hell, I'll even hold onto it. There is no way in hell I'll stand to the side or in front of it.
Microwaves are directional, and since a microwave oven also has a "stirrer" in the top where the magnetron emits its RF energy to make the ov
Older / Single-band WiFi vulnerable (Score:5, Informative)
This is the same problem as with LA or VHF radio. Only one device can be transmitting at a time on a single frequency band. This stems from the fact that the receivers have to tune to a certain signal and no two signals are likely to be in the same phase, thus the strongest signal will win. Essentially these devices behave as if they are half-duplex, and well-timed (continuous) collisions will cause the whole segment to come down. This is what happens here. Remember the old coaxial 10base ethernet networks? They were vulnerable to the same thing.
The unfortunate fact here is that there is no cure for this kind of misbehaviour. Old devices likely won't be upgradeable (hence no silver bullet). Multi-band hi-speed WiFi (54Mbit+) is not likely to be affected by this attack, but if they operate in compatibility mode they will be brought down, too. Intelligent access points can lessen the effect of this attack but that leaves the older devices out of the communications.
Essentially this requires quite little work on the part of the attacker since no hi-powered transmitters are needed. That fortunately limits the range of the attack, too. I would like to know if anyone could calculate quick estimates as to the affected area with certain wattage transmitters. Anyone?
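The comment above describes the mechanism in half-duplex terms: a station that senses the medium as busy defers, so anything that keeps the medium looking busy stalls every station on the channel. The following toy slotted CSMA/CA model is an added example, not code from the thread, from QUT or from AusCERT. It contrasts a normal contention run with one where a single device holds the medium-busy indication, and it includes the kind of channel-health check an access point or monitoring station could compute from its own counters: a channel that is almost always busy yet yields almost no decodable frames is the signature an operator would want to notice. The slot model, the backoff ranges, the station names and the two thresholds are all constructed for this example.

```python
"""Toy slotted CSMA/CA model of a shared half-duplex channel (constructed example).

Each slot, a station with a queued frame and zero backoff tries to send.
Exactly one ready station -> a frame is delivered (busy slot, decodable).
Several ready stations       -> collision (busy slot, nothing decodable).
A station flagged `holds_medium` makes clear-channel assessment report busy
every slot, so all legitimate stations defer indefinitely.
"""
from dataclasses import dataclass
import random


@dataclass
class Station:
    name: str
    queued: int            # frames still waiting to be sent
    backoff: int = 0       # slots this station must see idle before sending
    sent: int = 0
    holds_medium: bool = False  # constructed: emulates a device that keeps CCA busy


def simulate(n_stations: int, frames_each: int, slots: int,
             medium_held: bool = False, seed: int = 1) -> dict:
    """Run the slot loop and return raw channel counters plus per-station sends."""
    rng = random.Random(seed)
    stations = [Station(f"sta{i}", frames_each) for i in range(n_stations)]
    if medium_held:
        stations.append(Station("holder", 0, holds_medium=True))

    busy_slots = 0       # slots in which the medium was sensed busy
    decoded_slots = 0    # busy slots that carried one valid frame
    for _ in range(slots):
        if any(s.holds_medium for s in stations):
            busy_slots += 1          # CCA says busy: everyone defers, backoffs freeze
            continue
        ready = [s for s in stations if s.queued and s.backoff == 0]
        if not ready:
            for s in stations:       # idle slot: backoff counters count down
                if s.backoff:
                    s.backoff -= 1
            continue
        busy_slots += 1
        if len(ready) == 1:
            s = ready[0]
            s.sent += 1
            s.queued -= 1
            decoded_slots += 1
            s.backoff = rng.randint(1, 16)    # post-transmission backoff
        else:
            for s in ready:                   # collision: larger backoff, retry later
                s.backoff = rng.randint(1, 32)

    return {
        "slots": slots,
        "busy_slots": busy_slots,
        "decoded_slots": decoded_slots,
        "frames_sent": sum(s.sent for s in stations),
        "per_station": {s.name: s.sent for s in stations},
    }


def channel_health(result: dict, busy_threshold: float = 0.9,
                   decode_floor: float = 0.2) -> dict:
    """Defender-side check: high utilisation with almost nothing decodable is suspicious.

    Thresholds are constructed for this example; a real deployment would baseline
    them against the channel's normal busy fraction.
    """
    busy_frac = result["busy_slots"] / result["slots"]
    decode_frac = (result["decoded_slots"] / result["busy_slots"]
                   if result["busy_slots"] else 0.0)
    return {
        "busy_fraction": busy_frac,
        "decoded_fraction_of_busy": decode_frac,
        "suspicious": busy_frac >= busy_threshold and decode_frac < decode_floor,
    }


if __name__ == "__main__":
    for held in (False, True):
        r = simulate(3, 50, 2000, medium_held=held)
        print("medium held" if held else "normal", r["per_station"], channel_health(r))
```

In the normal run every busy slot that is not a collision carries a frame, so the decoded fraction stays high and the check stays quiet; in the held-medium run the counters show 100% busy and 0% decoded with no station ever sending, which is exactly the "nothing is wrong with the radio, yet nothing gets through" condition the comment describes and the thing a monitor would alarm on.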
Re:Older / Single-band WiFi vulnerable (Score:2)
Is this really new? (Score:2)
It was an obvious problem (Score:5, Interesting)
Re:It was an obvious problem (Score:2)
There are different levels of "easy". "Easy" where you have to send out hundreds or thousands of packets per second is different-- in terms of energy usage and complexity-- from "easy" where you only have to send out a small number of packets. From the description of this attack, it looks a lot like it falls into the latter category. Some of those problems can a
Seeing as how the 2.4GHz band is unregulated... (Score:3, Interesting)
I remember vacuum cleaners used to destroy TV reception, so I can't imagine they're good for wireless networking either. Any ideas?
aQazaQa
WPA vulnerable too... (Score:3, Informative)
The only thing the h4x0r needs to do in this situation is send data frames periodically, causing constant shutdowns.
Annoyingly enough, he may be difficult or impossible to find because he doesn't need to use much transmit power or utilisation of the network.
This affects WiFi phones (Score:2, Interesting)
Tin foil hat (Score:2, Funny)
PDA (Score:3, Informative)
Last time I looked a simple PDA [hp.com] has a 400MHz processor, 64 meg of RAM, a 64k colour screen, multiple expansion sockets and support for WiFi and/or Bluetooth.
Hardly simple. You must be thinking of one of those Palm products :o)
Re:PDA (Score:2)
You mean like this one [palmone.com]?
Let's see, 400MHz processor, 64 meg of RAM a 64K color screen, an SD/SDIO expansion socket and WiFi.
You should check the product line before dissing them. They're inexpensive and well built, with a considerable library of free/commercial software.
Re:PDA (Score:2)
I was joking (hence the smiley) but there was a serious comment hidden away.
If it wasn't for MS and Compaq giving them a swift kick up their complacent arse, we'd all be still living in black and white days with a piss poor diary, 4k note limit, limited contact fields, no today screen and expansion slots which necessitate a great big sleeve.
I had a Vx, it was pretty good but time has moved on and unfortunately Palm hasn't moved on as quickly as the
Re:PDA (Score:2)
You wouldn't even need a 'simple PDA;' you'd need a power supply, and something that can spray out random noise in the appropriate frequency range.
You can probably build a 'wi-fi jammer' from Radio Shack parts. Well, maybe not anymore; Radio Shack seems to be moving away from electronics and what not.
Just like a cell phone... (Score:4, Insightful)
New Super G AP's are doing the same thing (Score:3, Informative)
A similar note is that the new Super G wireless routers are using the entire spectrum of 11 channels to increase the speed to a reported 108mbps. It's not an approved standard, but as long as it's not enabled at the factory they are still able to sell them.
If you want to knock out your neighbor's ap just run your Super G router with 108mbps mode enabled.
This could be used for Good (Score:2, Interesting)
Re:This could be used for Good (Score:2)
I presume that beige wireless networks are okay?
This is news? (Score:2)
Known about this for ages (Score:2)
TBH I didn't realise it was not common knowledge.
A Radio DDOS? Go figure (Score:2)
I've known this for years. (Score:2)
It's not a simple PDA that does it... (Score:2)
Oh, wait.
802.11 is Meeting right now (Score:2)
They are collectively raising their eyes to the sky and saying "Duh! Another idiot stating the obvious".
A posse is being organized. Hundreds of angry engineers, all bearing their IEEE Wireless Interim meeting badges, will descend on the offending researchers with pitchforks and other spiky objects.
Ad-Hoc mode DOS/Trojan (Score:4, Interesting)
Evidently, a lot of the "automagic" features on laptops to find and connect to an AP decided to connect to the Ad-Hoc node (in Ad-Hoc mode, of course).
Also I am really of the impression that the existence of an Ad-Hoc node on the same channel as an AP causes severe degradation of the channel throughput. Maybe someone can confirm/deny this.
Anyway, I used my amateur radio transmitter hunting skills to track down the guy stuck on Ad-Hoc mode, including wrapping a cone of aluminum foil around my PCMCIA 802.11b card to give it some directionality. I finally found the guy, asked him to turn off his wireless card. He said he had no idea what Ad-Hoc mode was...
By the way, this attack would be a killer way to distribute a virus at a trade show...I suppose someone could even have a trojan horse AP to do something like that as well.
Well duh (Score:2)
Re:how come... (Score:5, Insightful)
Re:how come... (Score:2, Insightful)
But considering the fact that the system they are building is more important than a CV (just an example), why don't they get what others get at first glance?
Re:how come... (Score:3, Insightful)
Also, it's easier to find an exploit in an established system. Now we have lots of hardware and available WLAN access points to play about with. It's quite difficult to 'hack' a specification...
Easy... (Score:5, Insightful)
It's easier to find a weak link in a chain, than it is to make all perfectly strong links.
In case of a 'system':
It's easier to find a single flaw than it is to build all parts well. (not to mention that all parts must also interact well, and do the job.)
Re:how come... (Score:5, Insightful)
Re:how come... (Score:2, Informative)
Re:how come... (Score:4, Funny)
Technology split (Score:2, Insightful)
The upshot is that convenience and reliability are generally opposing design goals. Things which
This is NOT a "bug in the system". (Score:3, Insightful)
Because they never look.
This is NOT a "bug in the system". Being jammable is inherent in ANY radio based communication system.
Just as you can't hear and understand the person talking to you across the room when a pair of people are shouting in your ears or when another person with a similar voice is babbling nonsense at the same time, and you can't read morse code flashlight blinks sent by someone s
Re:A future solution... CDMA? - NOT! (Score:5, Informative)
P.S. I am a member of the 802.11 committee -- I know of what I speak
Re:A future solution... CDMA? - NOT! (Score:5, Informative)
IS-95 CDMA, I believe, transmits a few kilobits/sec of voice information in a 1.2 MHz bandwidth, using "standard" DSSS. CDMA works because the coding gain with such a huge ratio of data bandwidth to DSSS modulation bandwidth is much larger than that achieved in 802.11 systems.
If you are willing to drop your data rate to, oh, 200 kilobits/sec in the 2.4 GHz band, perhaps 802.11 could be redesigned to accomplish CDMA techniques.
Still, setting up "point-to-point" RF links between individual end user stations would require an enormous amount of computing horsepower (check out a CDMA base station for comparison). And it would not deal with broadcasts, which would still have to be forwarded to an access point - be recoded for each INDIVIDUAL link to each subscriber it serves - and retransmitted N times, where N=number of users served by the access point.
Other systems actually do use techniques somewhat like this, but rather than code division, they use space division (e.g. Vivato, which uses electronic beam steering to establish point-to-point links with each subscriber station).
As I originally stated, and let me re-state - 802.11 is architected on the basis of an "all stations are equal" approach, which makes an uncomfortable fit with a centralized control design. The committee entertained many, many proposals which included centralized control, and rejected them. There are a couple of straightforward reasons: 1) The RF spectrum in which these devices operate is unlicensed and hence "uncontrolled". A base-station centric design would make it so that no station could communicate at all if that base station were experiencing service-blocking interference. The chosen design, though not completely eliminating this failure mode, is more resilient in the face of such issues. Second, the 802.11 MAC is essentially identical for use in an infrastructure mode (i.e. with access points connected to a "distribution medium", typically a wired LAN) and in "ad hoc" mode (where there are only "stations" - no infrastructure at all). Most people forget about "ad hoc" mode, but the committee could not. Their charter required that it be accommodated.
Your turn
Re:A future solution... CDMA? - NOT! (Score:3, Funny)
Re:And this is somehow new? (Score:3, Funny)
Another undisclosed report by the NSA reports that hammers are pretty effective too, though their range is extremely short.
Daniel
Re:PDAs? Simple? (Score:2, Informative)
Re:PDAs? Simple? (Score:2)
Re:Ouch (Score:2)
Re:stating the obvious (Score:2)
Re:Somehow, Somewhere (Score:2)
The only thing that I can think of that could allow a fix would be, as the article alluded to, directional support in all 802.11 devices to help triangulate interference. Still a pretty awful hack.
Re:Probably obvious to the people who made protoco (Score:3, Insightful)
Few communication channels follow the abstract "shared broadcast" model.
If all devices had and used directional receiver antennas (say, six antennas pointing in different directions that pick up different signal strengths and determine the source location based on these strengths), we could avoid the problem.