Re: [Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
- From: Gunter Luyten <gunter.lists@xxxxxxxx>
- Date: Thu, 13 May 2004 20:36:47 +0200
Hi full-disclosure readers,
Sean Batt wrote:
[quoted relevant parts only]
> A vulnerability exists in hardware implementations of the IEEE
> 802.11 wireless protocol[1] that allows for a trivial but effective
> attack against the availability of wireless local area network
> (WLAN) devices.
I don't see what this has to do with the hardware implementation of
802.11. It's not the hardware that is vulnerable, but the medium.
Nothing new about this. All communication that relies upon a shared
medium is vulnerable to this type of "DoS".
> An attacker using a low-powered, portable device such as an
> electronic PDA and a commonly available wireless networking card
> may cause significant disruption to all WLAN traffic within range,
> in a manner that makes identification and localisation of the
> attacker difficult.
It even needn't be that sophisticated. Anything that transmits on the
same frequency can be used. Of course, you can transmit enough TCP
packets to let collision avoidance make all other devices keep quiet,
but in fact it's enough to jam the frequency. This is similar to
communication over whatever shared medium. If someone's "talking", all
the rest must keep quiet. When two parties are transmitting at the same
time, the result is noise.
> The vulnerability is related to the medium access control (MAC)
> function of the IEEE 802.11 protocol. WLAN devices perform Carrier
> Sense Multiple Access with Collision Avoidance (CSMA/CA), which
> minimises the likelihood of two devices transmitting
> simultaneously. Fundamental to the functioning of CSMA/CA is the
> Clear Channel Assessment (CCA) procedure, used in all
> standards-compliant hardware and performed by a Direct Sequence
> Spread Spectrum (DSSS) physical (PHY) layer.
>
> An attack against this vulnerability exploits the CCA function at
> the physical layer and causes all WLAN nodes within range, both
> clients and access points (AP), to defer transmission of data for
> the duration of the attack. When under attack, the device behaves
> as if the channel is always busy, preventing the transmission of
> any data over the wireless network.
>
> Previously, attacks against the availability of IEEE 802.11
> networks have required specialised hardware and relied on the
> ability to saturate the wireless frequency with high-power
> radiation, an avenue not open to discreet attack. This
> vulnerability makes a successful, low cost attack against a
> wireless network feasible for a semi-skilled attacker.
OK, I also just mentioned the "old" attack, but I still don't get what's
so new about this. I can for instance place my wireless access point in
"test-mode", letting it transmit continuously on a channel. Since it
also has enough power, it even does both attacks at once ;-)
The "new" attack is just a consequence of the old frequency jamming attack.
> o Independent vendors have confirmed that there is
> currently no defence against this type of attack for DSSS
> based WLANs
If they keep using a shared medium, this will always be the case. It's
just physics. I think it is not possible to solve this. Maybe only in
one case: if the attacker uses low transmit power, and is separated far
enough from the access point and the other clients, there is a possible
workaround. If one device is "jamming" a frequency, but other devices
are close enough to each other, they can push away the jamming signal.
But when the jamming source moves in between them, it's not possible
anymore.
> The model of a shared communications channel is a fundamental
> factor in the effectiveness of an attack on this vulnerability.
> For this reason, it is likely that devices based on the newer IEEE
> 802.11a standard will not be affected by this attack where the
> physical layer uses Orthogonal Frequency Division Multiplexing
> (OFDM).
That might be possible indeed, but this confirms to me that this
"vulnerability" is based upon radio physics rather than shortcomings in
the CSMA/CA protocol.
> It is recognised that the 2.4G Hz band suffers from radio
> interference problems, and it is expected that operators of the
> technology will already have in place measures to shield their
> networks as well as a reduced reliance on this technology for
> critical applications.
I think it will be difficult to shield a network... After all, when
you're implementing a wireless network, you do this to have network
access everywhere in a certain range. If you shield this range from
outside, it's indeed not possible for someone standing on your parking
lot to disrupt your network, but the vulnerability within the shield
still remains. For critical applications, one should stick to more
reliable media, like cables. But of course, be sure not to use a hub
then... Although it's harder to disrupt this because you need physical
access to the hub or one of its cables.
If vendors were to come up with a "workaround", then there will most likely
be a new way to disrupt service again. As you mentioned, 802.11a using
OFDM will make an attack more complicated, but not impossible. As
long as you can disrupt the communication between two peers, no protocol
or technique can prevent similar DoS attacks.
> At this time, AusCERT continues to recommend that the application
> of wireless technology should be precluded from use in safety,
> critical infrastructure and/or other environments where
> availability is a primary requirement. Operators of wireless LANs
> should be aware of the increased potential for undesirable activity
> directed at their networks.
I totally agree with this.
Best regards,
Gunter Luyten
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
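The advisory's point about CCA deferral (and Gunter's reply that it is a property of any shared medium) is easy to see in a small slot-level model of the 802.11 DCF. The following is an added example, not code from the advisory, from AusCERT, or from the poster: a constructed simulation of CSMA/CA with an external "channel busy" input, plus a defender-side heuristic that separates a saturated-but-working channel from one where nothing gets through. The slot counts (`DIFS_SLOTS`, `FRAME_SLOTS`) and the `interference` callback are simplifying assumptions for the model; `CW_MIN`/`CW_MAX` follow the DCF contention-window values.

```python
"""Slot-level model of IEEE 802.11 DCF (CSMA/CA with CCA deferral).

Constructed teaching model, not driver or chipset code. Slot timing and
frame length are simplifying assumptions; contention-window bounds follow DCF.
"""
import random
from dataclasses import dataclass

DIFS_SLOTS = 2      # assumed: idle slots a station must observe before counting down
CW_MIN = 15         # DCF minimum contention window, in slots
CW_MAX = 1023       # DCF maximum contention window, in slots
FRAME_SLOTS = 8     # assumed airtime of one frame, in slots


@dataclass
class Station:
    name: str
    backoff: int = 0      # remaining backoff slots
    cw: int = CW_MIN      # current contention window
    idle_run: int = 0     # consecutive idle slots seen since the medium cleared
    tx_left: int = 0      # slots remaining of the current transmission
    delivered: int = 0
    collisions: int = 0

    def new_backoff(self) -> None:
        self.backoff = random.randint(0, self.cw)


def simulate(n_stations: int, slots: int, interference, seed: int = 1) -> dict:
    """Run `slots` time slots with `n_stations` always-backlogged stations.

    `interference(slot)` returns True when an external signal makes CCA report
    "busy" regardless of what the stations themselves are doing.
    """
    random.seed(seed)
    stations = [Station(f"sta{i}") for i in range(n_stations)]
    for s in stations:
        s.new_backoff()
    busy_slots = 0
    for t in range(slots):
        on_air = [s for s in stations if s.tx_left > 0]
        # CCA: medium is busy if any station is transmitting or interference is present
        busy = bool(on_air) or interference(t)
        if busy:
            busy_slots += 1
        for s in stations:
            if s.tx_left > 0:
                s.tx_left -= 1
                if s.tx_left == 0:
                    # Frame finished: success only if no other station overlapped it
                    if len(on_air) == 1:
                        s.delivered += 1
                        s.cw = CW_MIN
                    else:
                        s.collisions += 1
                        s.cw = min(2 * s.cw + 1, CW_MAX)  # binary exponential backoff
                    s.idle_run = 0
                    s.new_backoff()
                continue
            if busy:
                s.idle_run = 0      # CCA busy: defer, backoff counter frozen
                continue
            s.idle_run += 1
            if s.idle_run <= DIFS_SLOTS:
                continue            # wait out DIFS after the medium clears
            if s.backoff > 0:
                s.backoff -= 1
            if s.backoff == 0:
                s.tx_left = FRAME_SLOTS  # start transmitting next slot
    return {
        "delivered": sum(s.delivered for s in stations),
        "collisions": sum(s.collisions for s in stations),
        "busy_fraction": busy_slots / slots,
    }


def jamming_indicator(stats: dict, busy_threshold: float = 0.95) -> bool:
    """Defender-side heuristic: ordinary congestion shows a high busy fraction
    together with deliveries; a CCA-level jam shows it with none at all."""
    return stats["busy_fraction"] >= busy_threshold and stats["delivered"] == 0


if __name__ == "__main__":
    quiet = simulate(4, 2000, lambda t: False)
    bursty = simulate(4, 2000, lambda t: t % 10 < 5)   # intermittent interferer
    jammed = simulate(4, 2000, lambda t: True)          # channel held busy continuously
    for label, stats in ("no interference", quiet), ("intermittent", bursty), ("continuous", jammed):
        print(f"{label:16s} {stats}  jamming? {jamming_indicator(stats)}")
```

The model ignores capture effect, which is the one case Gunter allows for (nearby stations overpowering a weak, distant interferer): `interference()` is treated as visible to every station equally. Even so, it shows why a workaround at the MAC layer does not exist: the stations are behaving exactly as the standard requires, and the only observable on the victim side is a busy fraction near 1.0 with zero deliveries, which is what the `jamming_indicator` check looks for.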