Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Wireless Networking Security Hardware

802.11 WiFi Denial of Service Exploit Discovered 251

CRC'99 writes "The Queensland University of Technology has today announced yet another flaw in 802.11 products. AusCERT has the official statement, noting: 'An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult.' Nice to know that a simple PDA could bring a WiFi network to its knees."
This discussion has been archived. No new comments can be posted.

802.11 WiFi Denial of Service Exploit Discovered

Comments Filter:
  • by Gabrill ( 556503 ) on Thursday May 13, 2004 @05:47AM (#9137419)
    Seams like the single most energetic use of all our new technology is figuring out new ways to break it.
  • jammers? (Score:5, Interesting)

    by tasinet ( 747465 ) on Thursday May 13, 2004 @05:49AM (#9137434)
    weren't they called JAMMERS back in the nice radio-sharks times? Jam the 11 802.11 band frequencies and you have a "DoS" attack...
    • Re:jammers? (Score:4, Interesting)

      by RollingThunder ( 88952 ) on Thursday May 13, 2004 @05:55AM (#9137476)
      They do refer to that in the alert - that's what the "high powered saturation" method is.

      This sounds more subtle, working with the data side of the network and confusing the nodes, rather than just squashing the RF.
    • Re:jammers? (Score:5, Funny)

      by WegianWarrior ( 649800 ) on Thursday May 13, 2004 @06:03AM (#9137522) Journal

      A jammer - in the spesific sence of a white-noise transmitter - wouldn't give a 'denial of service' style attack. It would drown out the other transmitters, thus fooling your device into thinking that there is no network avilable. Perhaps we should call it a Lack of Carrier Attack? Splitting hairs, I know ;).

      That, and using a PDA and a network card is a much geekier - and thus more intersting - way of doing it. Jammers are soooo 80's.

      • Re:jammers? (Score:4, Funny)

        by meatspray ( 59961 ) * on Thursday May 13, 2004 @07:40AM (#9138008) Homepage
        I prefer using cordless phones and microwave ovens to jam up my 802.11 equipment. Sure it's low tech, but I'm lazy damnit!
      • Re:jammers? (Score:3, Insightful)

        by FireFury03 ( 653718 )
        A jammer - in the spesific sence of a white-noise transmitter - wouldn't give a 'denial of service' style attack. It would drown out the other transmitters, thus fooling your device into thinking that there is no network avilable.

        In what way is that not a denial of service? It denies the clients access to the access point service, in the same way as a bomb in a datacentre denies all the clients from contacting the servers there.
    • Re:jammers? (Score:5, Informative)

      by PornMaster ( 749461 ) on Thursday May 13, 2004 @06:16AM (#9137605) Homepage
      Personally, I found that my 2.4GHz cordless phone did too good of a job of disrupting my 802.11g, so I unplugged it and use a 900MHz phone.
    • Re:jammers? (Score:2, Interesting)

      by mlush ( 620447 )
      weren't they called JAMMERS back in the nice radio-sharks times? Jam the 11 802.11 band frequencies and you have a "DoS" attack...

      A jammer is pumping out a lot of power to swamp the radio frequences and would be trivial to trace (all you need is a directional antenna). This is more akin to poisoning a lake, you know something is wrong (all the dead fish are a clue), but tracking down the source of the poison is hard it could be anywhere in the lake. I one way to find the DoS would be to switching off

  • I wonder... (Score:2, Insightful)

    by MoreDruid ( 584251 )
    I wonder if WiFi bridges are also affected by this.
    And of course, how long it will take before the manufacturers will be having a firmware update for this. It seems that most firmware updates only add extra functionality to gain an edge over the competitors, but basic stuff like optimalisation is kind of a non-issue. I'm crossing my fingers this will be fixed shortly, but I'm having doubts about it.
    • Re:I wonder... (Score:5, Informative)

      by MDCore ( 324972 ) on Thursday May 13, 2004 @05:58AM (#9137491)
      How can this be "interesting"? Read the article folks, it's a fundamental flaw in the protocol.

      from the article:

      At this time a comprehensive solution, in the form of software or
      firmware upgrade, is not available for retrofit to existing
      devices. Fundamentally, the issue is inherent in the protocol
      implementation of IEEE 802.11 DSSS.
      • by KDan ( 90353 )
        I believe the (not-so-interesting) term for a post lacking content or intelligence but appearing to have them is "karma whoring".

        Daniel
      • Re:I wonder... (Score:2, Informative)

        by Merlisk ( 450712 )
        > How can this be "interesting"? Read the article folks, it's a fundamental flaw in the protocol.

        Good catch. I was taught about this flaw a few years ago in my first wireless class. I remember my teacher saying, "...and that's why you should never put a mission critical network on wireless."

        It made sense to me, so I filed in the back of my mind and we went on. Wireless is the case that proves the rule of functionality over security.
    • Re:I wonder... (Score:3, Interesting)

      by ezzzD55J ( 697465 )

      And of course, how long it will take before the manufacturers will be having a firmware update for this. It seems that most firmware updates only add extra functionality to gain an edge over the competitors, but basic stuff like optimalisation is kind of a non-issue. I'm crossing my fingers this will be fixed shortly, but I'm having doubts about it.

      From the AUSCERT advisory:

      3. Workarounds/Mitigation

      At this time a comprehensive solution, in the form of software or
      firmware upgrade, is not available

  • by rokzy ( 687636 ) on Thursday May 13, 2004 @05:51AM (#9137442)
    using something as small, cheap and common as a hammer I may cause significant disruption to *all* computer activity within walking distance.
  • Why? (Score:2, Insightful)

    by egm06 ( 757369 )
    What would be the point of this other than making people made? It would not dystroy data. Also, has it been done by a "attacker" or did they do it themselves?
  • by Anonymous Coward on Thursday May 13, 2004 @05:52AM (#9137454)
    A microwave oven can bring down a WiFi network. You could plug a 110 volt line into an Ethernet jack if you felt like it. All shared media networks require cooperation in order to run correctly.
    • That would be the, er, etherkiller [fiftythree.org]! (Also AUI killer, VGA killer, BNC killer, etc, etc, etc on that link!)

    • Except that the 802.11b vendors seem to have some hardening against microwave ovens built into the drivers and firmware.

      I think the scary part of this is supposed to be the fact that one can bring down the network using nothing more than off-the-shelf hardware and a little custom software. Worse, it's hardware that is indistinguishable from what a legitimate user might have.

      Let's say, for instance, that I want to bring down the hotspot at my local Starbucks. It would probably be suspicious (or at least fu
    • by dachshund ( 300733 ) on Thursday May 13, 2004 @07:02AM (#9137824)
      A microwave oven can bring down a WiFi network. You could plug a 110 volt line into an Ethernet jack if you felt like it. All shared media networks require cooperation in order to run correctly.

      Because I can't carry a microwave around in my pocket, and it would require some significant source of electricity. This requires only a PDA, and presumably doesn't drain its batteries in a matter of seconds the way RF jamming would.

      Honestly, this isn't as useful an attack as some of the targeted ones (see a paper written by Bellardo and Savage) where you can knock a specific individual off the net (and then potentially reconnect them to your own "access point".) But it still has some advantages over brute-force jamming.

    • "You could plug a 110 volt line into an Ethernet jack if you felt like it."

      And all you would do is block that specific port, the rest of the net would remain fully functioning (ethernet ports are galvanically isolated).

  • No workaround... (Score:3, Interesting)

    by Rico_za ( 702279 ) on Thursday May 13, 2004 @05:52AM (#9137456)
    At this time a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS.

    This could be a huge problem. Let's say you have a business where you have high sales volumes at certain times, with these times determined by unknown external factors (like a stock broker). If your network is down at those critical times, you loose business and money. Now all your competition needs to do is take out your network during one of these critical times, and all your customers will turn to them.

    • Re:No workaround... (Score:3, Informative)

      by Wudbaer ( 48473 )
      I'm sorry, but if you use WiFi for mission critical stuff it's your own fault. Perhaps if you are on a large construction site or something like that were you cannot lay cables, but besides that just use good old reliable cabling.
      • This is true, however the number of times I have seen 802.11 put in because the contractor couldn't be bothered with laying cables...

        I hold the firm belief that people who don't have a very good understanding of the security concerns should never be allowed to set up any wireless kit. At least bad security on the wire requires the attacker to actually have physical access to the wire.
    • The word is "Lose". You do not "loose" (antonym of "tight") money.
  • Well, duh (Score:2, Insightful)

    by Anonymous Coward
    Wifi networks _require_ cooperation to work. When the protocol says I am not allowed to send now, who can enforce it? I have to admit that tricking everybody else into believing that the channel is in use when it is actually free is an elegant way of disrupting the network, but you could just as well send short blips whenever someone else tries to transmit a packet. Only software which you control stands between you and the network.
  • Why WiFi? (Score:2, Interesting)

    by bcmm ( 768152 )
    I've never quite understood WiFi.

    I know people who have dailup internet connections and two or three computers, none of them laptops, but still use wifi in preference to RJ-45. (In fact I know people who connect one fixed computer to it's dial-up with WiFi, cause RJ11 phone cable is ugly.)

    It's very fashionable, but doesn't seem to work very well. Everyone I know with a WiFi home network has had problems with it.

    That said, the idea of free connections in cafes would be cool if there where more of them...
    • You don't have to bother with running cables.

      Your cables don't get chewed on by the toddler.

    • Yes, wires are ugly. Despite what you may think, that is a legitimate reason to use wifi.

      I have a wifi network at home, and my father does too. Neither of us have had any problems with it, ever. We both have portables, and the network reaches everywhere in the house where we would want it to go. It's very nice. If you're in the house with your portable, you have a connection, simple as that.
    • I use a wired network, because it is all within close distance, and the machines are pretty static. My laptop is usually in easy "cabling distance" when I need that.

      My dad wanted to use one in the living room though. It was a good 20m worth of cabling, and you'd need to drill through a couple places. Not pretty, nor easy. Then again, turned out the wireless coverage got crappy at that distance (10-12m, 2 walls including one with closet) so we'd have to lay cable anyway, to set up an AP closer. Either that
  • Another link... (Score:5, Informative)

    by Kulic ( 122255 ) on Thursday May 13, 2004 @05:57AM (#9137487) Homepage
    This one has a bit more information.

    http://news.com.au/common/story_page/0,4057,954972 3%255E15306,00.html [news.com.au]

    Beware the (sometimes flash) ads.
  • by imidazole2 ( 776413 ) on Thursday May 13, 2004 @05:59AM (#9137494) Homepage Journal
  • what's the news (Score:3, Interesting)

    by tomreagan ( 24487 ) on Thursday May 13, 2004 @06:00AM (#9137507)
    this just in...wireless networks are open to a range of attack vectors generally closed to wired networks...competitive interefence leads to signal degradation and loss of service...film at 11

    seriously, and i haven't even read the article yet, what could possibly be the news here. i'm imagining that, what, certain tiny packet sequences have a disproportionately large disruptive impact on the protocol by causing extended resets and delays? how is that any different from the recent tcp packet spoofing attacks except in free space?

    it would still be easier to get a big antenna and a transceiver and just blanket the spectrum.

    move along, nothing to see here.
  • request for comment (Score:3, Informative)

    by hutkey ( 709330 ) on Thursday May 13, 2004 @06:01AM (#9137513)
    more information is available in RFC 3580 [faqs.org] on the same topic.
  • Spark Gap? (Score:2, Insightful)

    by shfted! ( 600189 )
    Couldn't the same effect also be achieve by a simple spark-gap generator? Granted, this device would also effect all other bands, but has been around for many years and is remarkably low tech.
  • Classifieds (Score:3, Funny)

    by Big Nothing ( 229456 ) <tord.stromdal@gmail.com> on Thursday May 13, 2004 @06:04AM (#9137530)
    Would like to buy second-hand WiFi-enabled PDA, preferably low-powered. Please email me at: big.nothing@bigger.com
  • by pair-a-noyd ( 594371 ) on Thursday May 13, 2004 @06:04AM (#9137531)
    Can you say, "cheap microwave oven" ???

    The cheaper, the better.

    Want to screw your neighbor over?
    take the cover off the oven and turn it on.
    Just don't be in the same room when you throw the switch, sort of like when the executioner lights up a prisoner in "Old Sparky"...

    Pick one up off the side of the road and then do a google site search on /. for HERF [google.com].....

    Have fun kiddies!!

    • Just don't be in the same room when you throw the switch, sort of like when the executioner lights up a prisoner in "Old Sparky"...


      dont know much about microwaves do you.

      "not being in the same room" mean's nothing. I can do that and stand directly behind the microwave, hell I'll even hold onto it. there is no way in hell I'll stand to the side or in front of it.

      Microwaves are directional, and cince a microwave oven also has a "stirrer" in the top where the magenetron emits it's RF energy to make the ov
  • by Shapemaker ( 779051 ) <mikko.tanner@gm a i l . com> on Thursday May 13, 2004 @06:06AM (#9137543)
    From the article:
    Independent vendors have confirmed that there is currently no defence against this type of attack for DSSS based WLANs
    This is the same problem as with LA or VHF radio. Only one device can be transmitting at a time on a single frequency band. This stems from the fact that the receivers have to tune to a certain signal and no two signals are likely to be in the same phase, thus the strongest signal will win. Essentially these devices behave as if they are half-duplex, and well-timed (continuous) collisions will cause the whole segment to come down. This is what happens here. Remember the old coaxial 10base ethernet networks? They were vulnerable to the same thing.

    The unfortunate fact here is that there is no cure for this kind of misbehaviour. Old devices likely won't be upgradeable (hence no silver bullet). Multi-band hi-speed WiFi (54Mbit+) is not likely to be affected by this attack, but if they operate in compatibility mode they will be brought down, too. Intelligent access points can lessen the effect of this attack but that leaves the older devices out of the communications.

    Essentially this requires quite little work on the part of the attacker since no hi-powered transmitters are needed. That fortunately limits the range of the attack, too. I would like to know if anyone could calculate quick estimates as to the affected area with certain wattage transmitters. Anyone?
    • Isn't multi-channel wireless pretty socially irresponsible? That locks out others from using the band. There are only three non-overlapping bands for "g", using more than one might prevent others from legitimately setting up a network nearby.
  • It just sounds like putting a WiFi card into constant broadcast mode. I guess you can call that a "flaw", but not talking when someone else is talking is a common necessity to all shared channels, with the exception of code division multiplexing I believe.
  • by CastrTroy ( 595695 ) on Thursday May 13, 2004 @06:19AM (#9137619)
    it's easy to flood a wireless network, when using colision avoidance, if you're the only one not playing by the rules, you can own the network. It's like being on a token ring, and editing your protocol stack, to never put new tokens on, once you get one, Nobody else gets to send. Any protocol can be broken if you have computers that don't follow the protocol.
    • it's easy to flood a wireless network, when using colision avoidance, if you're the only one not playing by the rules, you can own the network.

      There are different levels of "easy". "Easy" where you have to send out hundreds or thousands of packets per second is different-- in terms of energy usage and complexity-- from "easy" where you only have to send out a small number of packets. From the description of this attack, it looks a lot like it falls into the latter category. Some of those problems can a

  • by Anonymous Coward on Thursday May 13, 2004 @06:23AM (#9137637)
    I can't imagine how this got on the front page. A regular 2.4GHz cordless phone is enough to take down a WiFi network. And if you're willing to go with a non-portable solution, a cheap microwave will quite easily act as an on-off switch for the whole network.

    I remember vacuum cleaners used to destroy TV reception, so I can't imagine they're good for wireless networking either. Any ideas?

    aQazaQa
  • by dark-br ( 473115 ) on Thursday May 13, 2004 @06:33AM (#9137683) Homepage
    If a user is trying to get in and sends two packets of unauthorized data within one second, WPA will assume it is under attack and shut down.

    The only thing the h4x0r need to do in this situation is send data frames periodically, causing constant shutdowns.

    Annoying enought he may be difficult or impossible to find because he don't need to use much transmit power or utilization of the network

  • by ewg ( 158266 )
    This affects WiFi phones as well, based on the AusCERT description of the problem as targeting the physical layer. Good to know before deploying an IP telephony solutions that include a WiFi component.
  • pfft, we all know the exploit is covering the targets house in tin foil so it can't penetrate
  • PDA (Score:3, Informative)

    by Mr_Silver ( 213637 ) on Thursday May 13, 2004 @06:47AM (#9137756)
    Nice to know that a simple PDA could bring a WiFi network to its knees

    Last time I looked a simple PDA [hp.com] has a 400mhz processor, 64 meg of RAM, a 64k colour screen, multiple expansion sockets and support for WiFi and/or bluetooth.

    Hardly simple. You must be thinking of one of those Palm products :o)

    • Hardly simple. You must be thinking of one of those Palm products

      You mean like this one [palmone.com]?

      Let's see, 400MHz processor, 64 meg of RAM a 64K color screen, an SD/SDIO expansion socket and WiFi.

      You should check the product line before dissing them. They're inexpensive and well built, with a considerable library of free/commercial software.

      • You should check the product line before dissing them.

        I was joking (hence the smiley) but there was a serious comment hidden away.

        If it wasn't for MS and Compaq giving them a swift kick up their complacent arse, we'd all be still living in black and white days with a piss poor diary, 4k note limit, limited contact fields, no today screen and expansion slots which necessitate a great big sleeve.

        I had a Vx, it was pretty good but time has moved on and unfortunately Palm hasn't moved on as quickly as the

    • You wouldn't even need a 'simple PDA;' you'd need a power supply, and something that can spray out random noise in the appropriate frequency range.

      You can probably build a 'wi-fi jammer' from Radio Shack parts. Well, maybe not anymore; Radio Shack seems to be moving away from electronics and what not.

  • by chrisbw ( 609350 ) on Thursday May 13, 2004 @07:05AM (#9137834) Homepage
    This really isn't anything revolutionary. You can take down cell phones in the area that a handheld jammer can transmit. I don't think anyone has ever asserted that low-power wireless transmissions can't be DOS'ed by other low-power wireless transmissions.
  • by CompWerks ( 684874 ) on Thursday May 13, 2004 @07:16AM (#9137886)

    A similar note is that the new Super G wireless routers are using the entire spectrum of 11 channels to increase the speed to a reported 108mbps. It's not an approved standard, but as long as it's not enabled at the factory they are still able to sell them.

    If you want to knock out your neighbor's ap just run your Super G router with 108mbps mode enabled.

  • As a network admin, I would love to have several 802.11 jammers, and plant them all over the building. This would keep people from installing rouge wireless networks.
  • I've got news for ya, you can do the same thing on your local network with a regular lan card. You can also make a much less expensive jammer with an old microwave, or better yet, you can make a broad band (not cable internet) jammer with a file, some wires and a battery. It's being broadcast on public airspace, denial of service is trivially accomplished.
  • I've known about this for ages after it was pointed out to me by a guy at DNSCON [dnscon.org].

    TBH I didn't realise it was not common knowledge.
  • This should not suprise anyone, its radio.. Radio interference is an age old problem, and just goes with the territory of using non-directional radio signals.
  • It is very easy to build 2.4GHz transmitters that can jam 802.11 networks, this is why people should consider things like this when deploying networks using radio technology. Even microwave ovens will do this. And as a side note, BPL (broadband over power lines) are even more suseptable to jamming from something as simple as a CB radio that can wipe out access for blocks.
  • ...it's a tricorder [slashdot.org].

    Oh, wait.
  • The IEEE 802.11 working group is meeting right now in Garden Grove, California.

    They are collectively raising their eyes to the sky and saying "Duh! Another idiot stating the obvious".

    A posse is being organized. Hundreds of angry engineers, all bearing their IEEE Wirless Interim meeting badges, will descend on the offending researchers with pitchforks and other spikey objects.
  • by TheSync ( 5291 ) on Thursday May 13, 2004 @10:42AM (#9140108) Journal
    At a recent conference I worked, we provided 802.11b wireless Internet access. Lots of people were complaining about the conenction, so I fired up NetStumbler and noticed that there was an Ad-Hoc node on the same channel and same SSID as our AP.

    Evidently, a lot of the "automagic" features on laptops to find and connect to an AP decided to connect to the Ad-Hoc node (in Ad-Hoc mode, of course).

    Also I am really of the impression that the existence of an Ad-Hoc node on the same channel as an AP causes severe degredation of the channel throughput. Maybe someone can confirm/deny this.

    Anyway, I used my amateur radio transmitter hunting skills to track down the guy stuck on Ad-Hoc mode, including wrapping a cone of aluminum foil around my PCMCIA 802.11b card to give it some directionality. I finally found the guy, asked him to turn off his wireless card. He said he had no idea what Ad-Hoc mode was...

    By the way, this attack would be a killer way to distribute a virus at a trade show...I suppose someone could even have a trojan horse AP to do something like that as well.
  • This isn't news. Any ham radio operator can legally disrupt a wifi network if they are using the same frequency(ies). Hams take precendence over those frequencies and can therefore tell the wifi operators to shut their equipment down. I wrote about this a couple years ago at my last job when our Unv was considering rolling out some wifi. Nothing new here. $5 worth of electronics can be used to illegally disrupt wifi too. Fun, eh? :-)

To stay youthful, stay useful.

Working...