
Re: [Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)



Interesting isn't it .. since it came up I've been wondering how
hard it would be for one of these;  http://www.wifiseeker.com/
.. to be "upgraded" to work as a sort of wireless flash-bang (for 
the life of the battery) .. throw it in a garden and walk off ...  

.. give our grounds keepers IT Security shirts and badges ;-)




----- Original Message -----
>From: "Sean Batt" <sean@xxxxxxxxxxxxxxxxx>
>To: <full-disclosure@xxxxxxxxxxxxxxxx>
>Subject: [Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
>Date: Thu, 13 May 2004 15:22:19 +1000
>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> ===========================================================================
> AA-2004.02                     AUSCERT Advisory
> 
>       Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
>                                 13 May 2004
> Last Revised: --
> 
> - ---------------------------------------------------------------------------
> 
> 
> 1.  Description
> 
>       A vulnerability exists in hardware implementations of the IEEE
>       802.11 wireless protocol[1] that allows for a trivial but effective
>       attack against the availability of wireless local area network
>       (WLAN) devices.
> 
>       An attacker using a low-powered, portable device such as an
>       electronic PDA and a commonly available wireless networking card
>       may cause significant disruption to all WLAN traffic within range,
>       in a manner that makes identification and localisation of the
>       attacker difficult.
> 
>       The vulnerability is related to the medium access control (MAC)
>       function of the IEEE 802.11 protocol.  WLAN devices perform Carrier
>       Sense Multiple Access with Collision Avoidance (CSMA/CA), which
>       minimises the likelihood of two devices transmitting
>       simultaneously.  Fundamental to the functioning of CSMA/CA is the
>       Clear Channel Assessment (CCA) procedure, used in all
>       standards-compliant hardware and performed by a Direct Sequence
>       Spread Spectrum (DSSS) physical (PHY) layer.
> 
>       An attack against this vulnerability exploits the CCA function at
>       the physical layer and causes all WLAN nodes within range, both
>       clients and access points (AP), to defer transmission of data for
>       the duration of the attack. When under attack, the device behaves
>       as if the channel is always busy, preventing the transmission of
>       any data over the wireless network.
> 
>       Previously, attacks against the availability of IEEE 802.11
>       networks have required specialised hardware and relied on the
>       ability to saturate the wireless frequency with high-power
>       radiation, an avenue not open to discreet attack. This
>       vulnerability makes a successful, low cost attack against a
>       wireless network feasible for a semi-skilled attacker.
> 
>       Although the use of WLAN technology in the areas of critical
>       infrastructure and systems is still relatively nascent, uptake of
>       wireless applications is demonstrating exponential growth. The
>       potential impact of any effective attack, therefore, can only
>       increase over time.
> 
> 2. Platform
> 
>       Wireless hardware devices that implement IEEE 802.11 using a DSSS
>       physical layer. Includes IEEE 802.11, 802.11b and low-speed (below
>       20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and
>       high-speed (above 20Mbps) 802.11g wireless devices.
> 
> 3.  Impact
> 
>       Devices within range of the attacking device will be affected. If
>       an AP is within range, all devices associated with that AP are
>       denied service; if an AP is not within range, only those devices
>       within range of the attacking device are denied service.
> 
>       Minimum threat characteristics:
> 
>               o An attack can be mounted using commodity hardware and
>               drivers - no dedicated or high-power wireless hardware is
>               required
> 
>               o An attack consumes limited resources on attacking device,
>               so is inexpensive to mount
> 
>               o Vulnerability will not be mitigated by emerging MAC layer
>               security enhancements, i.e. IEEE 802.11 TGi
> 
>               o Independent vendors have confirmed that there is
>               currently no defence against this type of attack for DSSS
>               based WLANs
> 
>       The range of a successful attack can be greatly improved by an
>       increase in the transmission power of the attacking device, and
>       the use of high-gain antennae.
> 
> 3.  Workarounds/Mitigation
> 
>       At this time a comprehensive solution, in the form of software or
>       firmware upgrade, is not available for retrofit to existing
>       devices. Fundamentally, the issue is inherent in the protocol
>       implementation of IEEE 802.11 DSSS.
> 
>       IEEE 802.11 device transmissions are of low energy and short range,
>       so the range of this attack is limited by the signal strength of
>       the attacking device, which is typically low. Well shielded WLANs
>       such as those for internal infrastructures should be relatively
>       immune; however, individual devices within range of the attacker
>       may still be affected. Public access points will remain
>       particularly vulnerable.
> 
>       The model of a shared communications channel is a fundamental
>       factor in the effectiveness of an attack on this vulnerability.
>       For this reason, it is likely that devices based on the newer IEEE
>       802.11a standard will not be affected by this attack where the
>       physical layer uses Orthogonal Frequency Division Multiplexing
>       (OFDM).
> 
>       It is recognised that the 2.4 GHz band suffers from radio
>       interference problems, and it is expected that operators of the
>       technology will already have in place measures to shield their
>       networks as well as a reduced reliance on this technology for
>       critical applications.
> 
>       The effect of the DoS on WLANs is not persistent - once the jamming
>       transmission terminates, network recovery is essentially immediate.
> 
>       The results of a successful DoS attack will not be directly
>       discernible to an attacker, so an attack of this type may be
>       generally less attractive to mount.
> 
>       At this time, AusCERT continues to recommend that the application
>       of wireless technology should be precluded from use in safety,
>       critical infrastructure and/or other environments where
>       availability is a primary requirement. Operators of wireless LANs
>       should be aware of the increased potential for undesirable activity
>       directed at their networks.
> 
> REFERENCES:
> 
> [1] IEEE-SA Standards Board, "IEEE Std IEEE 802.11-1999 Information
>     Technology - Telecommunications and Information Exchange Between
>     Systems-Local and Metropolitan Area Networks - Specific Requirements
>     - Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer
>     (PHY) Specifications," IEEE 1999.
>     http://standards.ieee.org/getieee802/download/802.11-1999.pdf
> 
> - -------------------------------------------------------------------------
> AusCERT would like to thank the Queensland University of Technology (QUT)
> Information Security Research Centre (ISRC) for the information contained
> in this advisory. AusCERT would like to thank all vendors that participated
> in this process and provided recommendations for mitigation and/or
> confirmed details of the vulnerability.
> - -------------------------------------------------------------------------
> 
> - ---------------------------------------------------------------------------
> 
> AusCERT has made every effort to ensure that the information contained
> in this document is accurate.  However, the decision to use the information
> described is the responsibility of each user or organisation. The decision to
> follow or act on information or advice contained in this security bulletin is
> the responsibility of each user or organisation, and should be considered in
> accordance with your organisation's site policies and procedures. AusCERT
> takes no responsibility for consequences which may arise from following or
> acting on information or advice contained in this security bulletin.
> 
> If you believe that your computer system has been compromised or attacked in 
> any way, we encourage you to let us know by completing the secure National IT 
> Incident Reporting Form at:
> 
>         http://www.auscert.org.au/render.html?it=3192
> 
> AusCERT also maintains a World Wide Web service which is found on:
> http://www.auscert.org.au.
> 
> Internet Email: auscert@xxxxxxxxxxxxxx
> Facsimile:      (07) 3365 7031
> Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
>                 AusCERT personnel answer during Queensland business
>                 hours which are GMT+10:00 (AEST).  On call after hours
>                 for member emergencies only.
> 
> Postal:
> Australian Computer Emergency Response Team
> The University of Queensland
> Brisbane
> Qld  4072
> AUSTRALIA
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Revision History
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

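Added example, not part of the list post or the AusCERT advisory: a toy slot-time model of the CSMA/CA deferral the advisory describes, in which every station freezes its backoff while the PHY's Clear Channel Assessment reports the medium busy, plus a monitoring heuristic that separates a "channel always busy, nothing delivered" interval from ordinary congestion. Station count, contention window, slot counts and the 0.95 busy threshold are constructed values, not figures from the advisory.

```python
"""Toy CSMA/CA model: stations defer while CCA reports the medium busy.
Constructed example; parameters are illustrative, not 802.11 constants."""
import random
from dataclasses import dataclass


@dataclass
class Station:
    backoff: int      # idle slots still to wait before this station transmits
    sent: int = 0     # frames this station delivered


def simulate(n_stations, slots, cca_busy, cw=16, seed=1):
    """Run `slots` slot-times. `cca_busy` is the fraction of slots in which CCA
    reports busy for reasons other than a real frame (0.0 = clean air,
    1.0 = CCA held busy throughout). Returns (frames_delivered, busy_fraction)."""
    rng = random.Random(seed)
    stations = [Station(backoff=rng.randrange(cw)) for _ in range(n_stations)]
    delivered, busy_slots = 0, 0
    for _ in range(slots):
        if rng.random() < cca_busy:
            busy_slots += 1          # CCA busy: all stations freeze and defer
            continue
        ready = [s for s in stations if s.backoff == 0]
        if not ready:                # idle slot: backoff counters tick down
            for s in stations:
                s.backoff -= 1
            continue
        busy_slots += 1              # a real transmission occupies the medium
        if len(ready) == 1:          # exactly one sender: frame delivered
            ready[0].sent += 1
            delivered += 1
        for s in ready:              # success or collision: redraw backoff
            s.backoff = rng.randrange(1, cw)
    return delivered, busy_slots / slots


def classify(busy_fraction, frames, busy_threshold=0.95):
    """Per-interval monitoring heuristic (constructed threshold): a medium that
    is almost always busy yet carries no frames matches the advisory's
    'channel always busy' condition; busy *with* frames is just congestion."""
    if busy_fraction >= busy_threshold and frames == 0:
        return "suspected-cca-dos"
    if busy_fraction >= busy_threshold:
        return "congested"
    return "normal"


if __name__ == "__main__":
    for label, busy in (("clean air", 0.0), ("CCA held busy", 1.0)):
        frames, frac = simulate(4, 1000, busy)
        print(f"{label}: {frames} frames, busy {frac:.2f} -> {classify(frac, frames)}")
```

Recovery in the model is immediate once `cca_busy` drops back to 0, mirroring the advisory's note that the effect is not persistent.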