Slashdot Mirror


Promiscuity And Wireless LANs

VB writes: "I saw this article at ZDNet "cleverly" entitled Hackers poised to land at wireless AirPort. We've probably all seen this coming, but, I'd be curious to see what people think about the possibility of securing a network that sends data through the air. What about promiscuous mode devices within range of transmitters, or satellite communications?"

11 of 183 comments

  1. Re:Security of Wireless vs. Wired by baptiste · · Score: 5
    The threat is more than you think. I worked for a big networking company (they should know better) whose internal network was completely firewalled from the Internet (they did a very good job in this area). However, they were falling over themselves to get wireless installed and guess where it went first? That's right - the executive suites tied right into the internal LAN. The execs HAD to have their laptops connected. We used high gain antennas to ensure the R&D building was completely covered. Anyone who parked near the building and intercepted an SSID or had the knowledge to hack in could have walked away with their email, passwords, you name it. I honestly don't think WEP was enabled because it was still 'in development' and we were waiting for firmware releases. But they wouldn't let us wait. I hear that the 2nd generation deployment is a little more secure, but you are kidding yourself if you think this was an isolated incident. The potential for commercial spying is huge since wireless (like all the other gizmos) hit the executives first. And those of you talking about limited range - not quite. I use 802.11 to share my pipe with the in-laws next door. Next door is about 500 feet away through the woods. But the signal strength is great and I'm just using the std antennas, not a high gain patch. So it goes farther than you think outside, even when it seems like it's really weak inside at short distances.

    Don't get me wrong - I love 802.11b and use it all the time. But I use WEP and my access points are on an isolated LAN tied to an IPSec box which allows me to get to my internal firewalled LAN. Sure, throughput is an issue, but in those cases, I get my ass off the couch and sit at my desktop! :)

  2. More Popular Than You'd Think by Anonymous Coward · · Score: 4

    Last weekend I was in Boston and it was hard to find a place where I didn't have access to someone's wireless network. Just drove around the back bay and at stop lights would check out my laptop. Most of the time I had a usable signal (typically 20% strength, 90% quality according to the software that came with my card). And I never had to do anything - no trying to find the SSID, no hacking WEP keys, it just worked.

    The coolest part is, each time I was on someone's LAN, on the fun side of their firewall. Joy.

  3. Re:Or encryption? by nosilA · · Score: 4

    There are 3 major problems with WEP (which stands for "Wired Equivalent Privacy," BTW). I will list them in order of increasing severity.

    1) Key distribution. If you aren't the only person on the network, getting the key out to other people is a non-trivial task and can be the weakest link.

    2) 40-bit - the standard WEP keysize is completely insufficient and can be cracked in relatively no time. 128-bit versions of the hardware are available, however, so this is an improvement.

    3) This is the biggie - the WEP authentication protocol relies on DNS and is therefore prone to massive man-in-the-middle attacks. There is a paper by Jesse Walker called "Wireless LANs Unsafe at Any Key Size; an analysis of the WEP encapsulation" that I encourage everyone to read.

    WEP is especially dangerous because it establishes a false sense of security that causes people to be more willing to send sensitive data over the network. You still need to use some other encryption method on top of WEP - even at best it gives the privacy of a standard ethernet LAN.

    Other technologies are under development to improve the state of wireless security, such as the IEEE 802.11 Task Group E, which is trying to develop an authentication scheme suitable for 802.11 wireless networks, or the IEEE 802.1x protocol which will do similar things at a more generic level.

    There is no existing good solution to the wireless problem (PPPoE hacks aside).

    -Alison

  4. Promiscuous by photozz · · Score: 4

    "What about promiscuous mode devices within range of transmitters, or satellite communications?"

    Sounds like my last experience at a bar........

    --
    Dirty Pirate Hooker
  5. Re:Oh, great by Salamander · · Score: 5

    I took another look at the link to the paper provided in cid #13 (thanks!) and here are some observations.

    The first attack follows directly from the above observation. A passive eavesdropper can intercept all wireless traffic, until an IV collision occurs.

    "IV" is "initialization vector" and is the same as what is elsewhere called a "salt". The IV is 24 bits; in a previous paragraph the authors had calculated that for an access point an IV is likely to get reused after about five hours. From this we're apparently supposed to conclude that it's a trivial matter to store every packet until an IV collision occurs, and then use the contents of both packets to recover plaintext. They even seem to be aware that two packets often won't be enough, but fail to mention that you need to save and search another five hours' worth of peak-bandwidth traffic to get anywhere in that case.

    To be fair, they do point out a pretty serious flaw in a particular implementation of 802.11b, specifically Lucent's, which sets the IV to zero when the card is initialized and merely increments it for each packet. That does indeed make life way too easy for crackers.

    we have been able to successfully intercept WEP-encrypted transmissions by changing the configuration of the drivers. We were able to confuse the firmware enough that the ciphertext (encrypted form) of unrecognized packets was returned to us

    I would say that this is likely to be well beyond the capabilities of most script kiddies, and is probably pretty easy for 802.11b equipment vendors to address.

    Many 802.11 products come with programmable firmware, which can be reverse-engineered and modified to provide the ability to inject traffic to attackers. Granted, such reverse-engineering is a significant time investment (we have not done this ourselves)

    Damn right they haven't. Writing drivers is enough of a pain when the hardware engineer is sitting right next to you. It's harder when you have no access to hardware docs, and harder still when the hardware vendor might actively be attempting to thwart your efforts.

    The real problem is not in the paper itself, though, but in the way it was reported. Consider this conclusion, from the paper:

    The protocol's problems are a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.

    Yeah, like there have never been any problems discovered in crypto products from the self-appointed experts. Uh huh. But I'll let that slide. Now, for contrast, here's an excerpt from the ZDnet article:

    "During the design process, the crypto community wasn't invited to participate," says Goldberg, now chief scientist at Zero Knowledge Systems Inc., a privacy-software firm in Montreal.

    That's a pretty inflammatory statement, and apparently not far from being an outright lie. It was irresponsible (or possibly venal) of Ian Goldberg to make such a statement, and doubly so for WSJ's Jared Sandberg. As I said before, there is a matter for serious concern here, but the scaremongering from these people is not helping. The right thing to do would have been to alert the equipment manufacturers, discreetly, and let them decide how they want to alert their customers.

    --
    Slashdot - News for Herds. Stuff that Splatters.
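
The IV-collision discussion above is easier to judge with numbers. The following is an added example, not code from the paper or from any commenter: a toy WEP encryptor (plain RC4 keyed with IV || secret, with the real protocol's CRC-32 ICV left out, which is an assumption of the example) that shows what a reused IV leaks, plus the arithmetic behind the "about five hours" figure for a sequential 24-bit IV at 11 Mbps with 1500-byte frames, and the birthday bound for the much shorter time-to-collision if IVs are chosen at random. All keys and payloads are constructed sample values.

```python
import math
from typing import Optional

IV_BITS = 24  # WEP's per-packet initialization vector, sent in the clear


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA); WEP keys it with IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Toy WEP frame body: cleartext IV followed by payload XOR RC4(IV||secret).
    Assumption of this example: the CRC-32 ICV real WEP appends is omitted."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """If two frames carry the same IV they were XORed with the same keystream,
    so XORing the two ciphertexts cancels it and leaves P1 XOR P2. This is the
    'IV collision' the paper talks about; known plaintext in one frame then
    reveals the other. Returns None when the IVs differ (nothing leaks here)."""
    n = IV_BITS // 8
    if frame1[:n] != frame2[:n]:
        return None
    return xor_bytes(frame1[n:], frame2[n:])


def iv_exhaustion_hours(packet_bytes: int = 1500, link_bps: float = 11e6) -> float:
    """Hours until a sequentially incremented 24-bit IV wraps at full link rate:
    the source of the 'about five hours' figure for a busy 11 Mbps access point."""
    packets_per_second = link_bps / (packet_bytes * 8)
    return (2 ** IV_BITS) / packets_per_second / 3600


def expected_packets_to_random_collision() -> float:
    """Birthday bound: expected frames before two randomly chosen 24-bit IVs
    coincide, sqrt(pi/2 * 2^24), i.e. only a few thousand frames."""
    return math.sqrt(math.pi / 2 * 2 ** IV_BITS)


if __name__ == "__main__":
    secret = b"constructed-key"            # constructed sample key
    iv = bytes.fromhex("0a0b0c")           # constructed IV reused by both frames
    p1 = b"first frame: constructed payload"
    p2 = b"second frame: another payload"
    c1 = wep_encrypt(iv, secret, p1)
    c2 = wep_encrypt(iv, secret, p2)
    leak = keystream_reuse_leak(c1, c2)
    print("ciphertext XOR equals plaintext XOR:", leak == xor_bytes(p1, p2))
    print("sequential IV wraps after %.2f hours" % iv_exhaustion_hours())
    print("random IVs expected to collide after %.0f frames"
          % expected_packets_to_random_collision())
```

The point for a defender is the second pair of numbers: even the best case (a strictly sequential IV on a single busy access point) reuses keystream within a working day, and random IVs collide after a few thousand frames, so the 24-bit IV alone makes WEP unsuitable as the only layer of protection, which is exactly why several commenters run IPsec or ssh over it.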
  6. Direct link and my experiences by ckd · · Score: 4

    Some information about their analysis is available.

    Personally, I wasn't counting on WEP anyway, which is why I didn't bother buying the Lucent Gold cards. I just wish IPsec were more common, so that I wouldn't have to tunnel quite so much through ssh.

    Of course, then there are unencrypted wireless networks like the ones at USENIX. Dug Song's presentation on dsniff was a big hit; look for the "Passwords Found on a Wireless Network" paper. (PostScript only, sorry.)

  7. WaveLAN Security by Joel+Rowbottom · · Score: 5
    You'd be surprised the fun which goes on at conferences such as RIPE and IETF when WaveLAN virgins get onto the network and realise it isn't secure.

    You might have heard of a guy called Randy Bush, whose favourite party trick at such events is to sniff the WaveLAN, and email out to captured POP3 usernames their own password with the message 'Be careful with radio!'. It's not even a switched network as a default install.

    Setting up some sort of VPN using PoPToP isn't a bad idea in such cases, although WaveLAN does have some security built into it. Personally I use the Buffalo Technology kit which seems to work for 'doze, BSD and Linux.

    I've heard rumours that if you wander through Stockholm's business district or through the Square Mile in London, if you're in promiscuous mode you can pick up all sorts of transmissions and a large number of DHCP servers offering IPs to anyone who gets the ESS ID right.

    Hope this helps someone. Just be careful out there ;)

    --
    Smegma.
  8. Wireless lans a hacking tool. 802.11 planted on me by Anonymous Coward · · Score: 5
    One day, while tracing a network cable, I came across a D-Link 802.11 base station hidden inside the ceiling just above the network wiring closet. No one knew who put it there nor how long it had been there. The mfg date on the device was 1998, so it couldn't have been longer than that, but still...

    This is scary shit.

    It takes 10 seconds to plug one of these into your network and a power outlet and you're instantaneously wide open, without knowing it. And if you've got network outlets all over your building, it's just that much easier for you to be "bugged", especially since network outlets often appear in rooms not considered to need securing, like lobbies and waiting rooms and such.

    If you're a sysadmin in a really large building, can you really know that every RJ45 jack is being used legitimately? If the spy device is listen -> xmit only, and ignores arp requests, it is invisible other than one extra link light among hundreds on the rack or on some distant hub/switch.
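
The question at the end of the comment above ("can you really know that every RJ45 jack is being used legitimately?") is answerable with an inventory check. The following is an added example, not code from any commenter: it parses a constructed, simplified per-port export (port name, link state, number of source MACs learned; the format is an assumption of the example, not any vendor's real CLI output) and compares it with a constructed patch-panel inventory. It flags three things the comment points at: a live link on a jack nobody signed out, a live link that has learned no source MAC at all (a listen-only device that never transmits and ignores ARP would look exactly like that), and a single-device jack that has learned several MACs (what a bridging access point looks like from the switch).

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export: "<port> <connected|notconnect> <learned MAC count>"
SAMPLE_PORT_STATUS = """\
Gi1/0/1 connected 1
Gi1/0/2 connected 1
Gi1/0/3 notconnect 0
Gi1/0/4 connected 0
Gi1/0/5 connected 3
Gi1/0/6 notconnect 0
"""

# Constructed patch-panel inventory: switch port -> room/jack it is assigned to.
AUTHORIZED_PORTS: Dict[str, str] = {
    "Gi1/0/1": "office 101",
    "Gi1/0/2": "office 102",
    "Gi1/0/3": "lobby jack (spare, should be unused)",
    "Gi1/0/5": "office 105 (single workstation)",
}


@dataclass
class PortRecord:
    name: str
    link_up: bool
    mac_count: int


def parse_port_status(text: str) -> List[PortRecord]:
    """Parse the simplified export; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        name, state, count = parts
        records.append(PortRecord(name, state == "connected", int(count)))
    return records


def find_suspicious_ports(records: List[PortRecord],
                          authorized: Dict[str, str]) -> Dict[str, str]:
    """Return port -> reason for every live port that deserves a walk to the rack."""
    findings: Dict[str, str] = {}
    for rec in records:
        if not rec.link_up:
            continue  # a dark port cannot be carrying a hidden device
        if rec.name not in authorized:
            findings[rec.name] = "link up on a port with no inventory assignment"
        elif rec.mac_count == 0:
            findings[rec.name] = ("link up but no source MAC learned: "
                                  "possible listen-only device")
        elif rec.mac_count > 1:
            findings[rec.name] = ("%d MACs on a single-device jack: "
                                  "possible bridging access point or hub"
                                  % rec.mac_count)
    return findings


if __name__ == "__main__":
    for port, reason in sorted(
            find_suspicious_ports(parse_port_status(SAMPLE_PORT_STATUS),
                                  AUTHORIZED_PORTS).items()):
        print(port, "-", reason)
```

In the constructed sample, Gi1/0/4 is live with nothing in the inventory and nothing learned, and Gi1/0/5 is a one-workstation jack showing three MACs; those are the two ports worth tracing. The check is only as good as the inventory it compares against, which is the real lesson of the comment: the switch shows a link light, and only a maintained jack inventory turns that light into an alert.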

  9. Wireless Worthlessness by HongPong · · Score: 5
    My high school is one of the first in the country to use Apple's AirPort wireless technology in the classroom. We all have Apple iBooks. Everyone uses AOL Instant Messenger in class all day long. :-)

    One day someone figured out that packet sniffers can be used on the network to see other people's POPmail passwords and AIM conversations, as well as whatever websites they are at. It is genuinely disturbing. However, I am terrified of telling our administration about this because of a kill-the-messenger syndrome.

    Let me just say that this is one of the most ridiculously insecure technologies in the world, just waiting for the packets to be pulled down out of the air with a packet sniffer program like EtherPeek. People have been doing this for months around here.

    This is just a school. It's terrifying to think that the world's important financial institutions rely on this technology's security.

  10. Re:Narrow beam antennas and gain by Technician · · Score: 4
    I agree on the impact of using high gain antennas for sniffing. A wireless port has a short 1/4 or 5/8th wave antenna which usually has a gain of less than 6 dB because of its non-directional signal.

    Every 3 dB gain doubles the power received. Every 6 dB increase in antenna gain doubles the distance (line of sight, not over the horizon). A narrow beam dish antenna (old c-band TV dish) can have a gain over 36 dB.

    If your 6 dB laptop has a range of 500 feet, the guy with the dish has 30 dB more receiving power and will get the same signal you get but from 16,000 feet. He doesn't have to be in your parking lot to sniff you. He just needs a reasonably clear line of sight. Do not be fooled thinking the range a low non-directional antenna provides is all the further your signal travels. It isn't. It gets 6 dB weaker with every doubling of the distance it travels.

    It may become too weak for you, but not for a high gain directional antenna. This gain is why a dish antenna can pick out one of many satellites spaced every 6 degrees in the sky over the equator that is transmitting with 50 watts per transponder 22,000 miles away.

    --
    The truth shall set you free!
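
The arithmetic in the comment above (6 dB per doubling of distance, so 30 dB of extra gain turns 500 feet into about 16,000 feet) is just free-space path loss. The following is an added example, not code from any commenter: it carries that rule through in general, first as a pure gain-to-range multiplier and then as a link budget using the Friis free-space path loss formula, so a defender can estimate how far a given transmitter is receivable by someone with a directional antenna. The transmit power, antenna gains and receiver sensitivity used in the example are constructed sample values, not figures from the page.

```python
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0
WIFI_CHANNEL_6_HZ = 2.437e9  # 802.11b channel 6 centre frequency


def range_multiplier_from_gain_db(extra_gain_db: float) -> float:
    """Free-space loss grows 20*log10(d), i.e. 6 dB per doubling of distance,
    so G dB of extra receive gain stretches line-of-sight range by 10**(G/20)."""
    return 10 ** (extra_gain_db / 20)


def sniffing_range_feet(base_range_feet: float, base_gain_db: float,
                        listener_gain_db: float) -> float:
    """The commenter's worked case: 500 ft at 6 dB versus a 36 dB dish."""
    return base_range_feet * range_multiplier_from_gain_db(listener_gain_db - base_gain_db)


def path_loss_increase_db(distance_ratio: float) -> float:
    """Extra attenuation for multiplying the distance by distance_ratio."""
    return 20 * math.log10(distance_ratio)


def free_space_path_loss_db(distance_m: float, freq_hz: float = WIFI_CHANNEL_6_HZ) -> float:
    """Friis free-space path loss: 20log10(d) + 20log10(f) + 20log10(4*pi/c)."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT_M_S))


def max_line_of_sight_range_m(tx_power_dbm: float, tx_gain_dbi: float,
                              rx_gain_dbi: float, rx_sensitivity_dbm: float,
                              freq_hz: float = WIFI_CHANNEL_6_HZ) -> float:
    """Largest distance at which received power still meets the receiver's
    sensitivity, assuming free space (no walls, no fading; a best case for the
    listener and therefore a conservative planning figure for the defender)."""
    budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    fixed_db = 20 * math.log10(freq_hz) + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT_M_S)
    return 10 ** ((budget_db - fixed_db) / 20)


if __name__ == "__main__":
    print("500 ft at 6 dB becomes %.0f ft at 36 dB"
          % sniffing_range_feet(500, 6, 36))
    # Constructed link: 15 dBm card, 2 dBi stock antennas, -85 dBm sensitivity.
    stock = max_line_of_sight_range_m(15, 2, 2, -85)
    dish = max_line_of_sight_range_m(15, 2, 32, -85)   # listener swaps in a 32 dBi dish
    print("stock antenna: %.0f m, 32 dBi dish: %.0f m (x%.1f)" % (stock, dish, dish / stock))
```

Two things are worth noticing. The 30 dB difference gives a factor of 10**(30/20) = 31.6, so 500 feet really does become about 16,000 feet, and the same factor applies in the link-budget version regardless of the absolute numbers chosen. And the model is free space; indoors the signal is weaker at short range, as the comment says, but a listener outside with a clear line of sight to a window is in something much closer to free space than you are.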
  11. Oh, great by Salamander · · Score: 4

    I think a lot of people just don't realize how wireless networking can change the way you feel about computing. Until you've actually surfed from the couch, continued reading on a laptop while you get a drink out of the fridge - or even take a leak - all unencumbered and uninterrupted, I don't think you can fully appreciate the difference. It's amazing to think how accustomed we had all become to the limitations of wired connectivity.

    Now this comes along. Right or wrong technically, real or imaginary, this will slow adoption of wireless networking technology. The risk-averse business types who make decisions about deployment will hesitate, so there will be fewer access points both within organizations and in public spaces (hotels, airport lounges, and so on). Companies will forbid their employees to use wireless networking when on the road, or simply not provide the equipment necessary for them to do so. I expect email from our own IT department any moment telling me that wireless is off limits until "investigation of this matter is complete" (which will take months).

    All this loss of convenience occurs because a bunch of people who felt left out of a public IEEE standardization process have said the sky is falling. If you read the article, you'll notice that there's practically no real information that would allow anyone to judge how serious the risk really is, and there's a lot of scaremongering about how easy it will be for "script kiddies" to get the right software. How about the hardware? Yes, folks, you need extra hardware to do this, and you also need to be physically proximate to the target. I'm not at all convinced that the script kiddies will be able to take advantage of this hole - whatever it really is.

    Yes, it sucks that there's any hole of any size in WEP, and even if the script kiddies can't exploit it the professional crooks might, but the sensationalistic way this is being reported is simply not responsible.

    --
    Slashdot - News for Herds. Stuff that Splatters.