Promiscuity And Wireless LANs

VB writes: "I saw this article at ZDNet "cleverly" entitled Hackers poised to land at wireless AirPort. We've probably all seen this coming, but, I'd be curious to see what people think about the possibility of securing a network that sends data through the air. What about promiscuous mode devices within range of transmitters, or satellite communications?"

Re:Security of Wireless vs. Wired

[baptiste]

The threat is more than you think. I worked for a big networking company (they should know better) whose internal network was completely firewalled from the Internet (they did a very good job in this area) However, they were falling over themselves to get wireless installed and guess where it went first? That's right - the executive suites tied right into the internal LAN. The execs HAD to have their laptops connected. We used high gain antennas to ensure the R&D building was completely covered. Anyone who parked near the building and intercepted an SSID or had the knowledge to hack in could have walked away with their email, passwords, you name it. I honestly don't think WEP was enabled because it was still 'in development' and we were waiting for firmware releases. But they wouldn't let us wait. I hear that the 2nd generation deployment is a little more secure, but you are kidding yourself if you think this was an isolated incident. The potential for commercial spying is huge since wireless (like all the other gizmos) hit the executives first. And those of you talking about limited range - not quite. I use 802.11 to share my pipe with the inlaws next door. Next door is about 500 feet away through the woods. But the signal strength is great and I'm just using the std antennas, not a high gain patch. So it goes farther than you think outside, even when it seems like its really weak inside at short distances.

Don't get me wrong - I love 802.11b and use it all the time. But I use WEP and my access points are on an isolated LAN tied to an IPSec box which allows me to get to my internal firewalled LAN. Sure, throughput is an issue, but in those cases, I get my ass off the couch and sit at my desktop! :)

Re:Oh, great

[Salamander]

I took another look at the link to the paper provided in cid #13 (thanks!) and here are some observations.

The first attack follows directly from the above observation. A passive eavesdropper can intercept all wireless traffic, until an IV collision occurs.

"IV" is "initialization vector" and is the same as what is elsewhere called a "salt". The IV is 24 bits; in a previous paragraph the authors had calculated that for a access point an IV is likely to get reused after about five hours. From this we're apparently supposed to conclude that it's a trivial matter to store every packet until an IV collision occurs, and then use the contents of both packets to recover plaintext. They even seem to be aware that two packets often won't be enough, but fail to mention that you need to save and search another five hours' worth of peak-bandwidth traffic to get anywhere in that case.

To be fair, they do point out a pretty serious flaw in a particular implementation of 802.11b, specifically Lucent's, which sets the IV to zero when the card is initialized and merely increments it for each packet. That does indeed make life way too easy for crackers.

we have been able to successfully intercept WEP-encrypted transmissions by changing the configuration of the drivers. We were able to confuse the firmware enough that the ciphertext (encrypted form) of unrecognized packets was returned to us

I would say that this is likely to be well beyond the capabilities of most script kiddies, and is probably pretty easy for 802.11b equipment vendors to address.

Many 802.11 products come with programmable firmware, which can be reverse-engineered and modified to provide the ability to inject traffic to attackers. Granted, such reverse-engineering is a significant time investment (we have not done this ourselves)

Damn right they haven't. Writing drivers is enough of a pain when the hardware engineer is sitting right next to you. It's harder when you have no access to hardware docs, and harder still when the hardware vendor might actively be attempting to thwart your efforts.

The real problem is not in the paper itself, though, but in the way it was reported. Consider this conclusion, from the paper:

The protocol's problems is a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the improtance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.

Yeah, like there have never been any problems discovered in crypto products from the self-appointed experts. Uh huh. But I'll let that slide. Now, for contrast, here's an excerpt from the ZDnet article:

."During the design process, the crypto community wasn't invited to participate," says Goldberg, now chief scientist at Zero Knowledge Systems Inc., a privacy-software firm in Montreal.

That's a pretty inflammatory statement, and apparently not far from being an outright lie. It was irresponsible (or possibly venal) of Ian Goldberg to make such a statement, and doubly so for WSJ's Jared Sandberg. As I said before, there is a matter for serious concern here, but the scaremongering from these people is not helping. The right thing to do would have been to alert the equipment manufacturers, discreetly, and let them decide how they want to alert their customers.

WaveLAN Security

[Joel+Rowbottom]

You'd be surprised the fun which goes on at conferences such as RIPE and IETF when WaveLAN virgins get onto the network and realise it isn't secure.

You might have heard of a guy called Randy Bush, whose favourite party trick at such events is to sniff the WaveLAN, and email out to captured POP3 usernames their own password with the message 'Be careful with radio!'. It's not even a switched network as a default install.

Setting up some sort of VPN using PoPToP isn't a bad idea in such cases, although WaveLAN does have some security built into it. Personally I use the Buffalo Technology kit which seems to work for 'doze, BSD and Linux.

I've heard rumours that if you wander through Stockholm's business district or through the Square Mile in London, if you're in promiscuous mode you can pick up all sorts of transmissions and a large number of DHCP servers offering IPs to anyone who gets the ESS ID right.

Hope this helps someone. Just be careful out there ;)

Wireless lans a hacking tool. 802.11 planted on me

One day, while tracing a network cable, I came across a D-Link 802.11 base station hidden inside the ceiling just above the network wiring closet. No one knews who put it there nor how long it had been there. The mfg date on the device was 1998, so it couldn't have been longer than that, but still...

This is scary shit.

It takes 10 seconds to plug one of these into your network and a power outlet and you're instantaneously wide open, without knowing it. And if you've got network outlets all over your building, it's just that much easier for you to be "bugged", especially since network outlets often appear in rooms not considered to need securing, like lobbys and waiting rooms and such.

If you're a sysadmin in a really large building, can you really know that every RJ45 jack is being used legitimately? If the spy device is listen -> xmit only, and ignores arp requests, it is invisible other than one extra link light among hundreds on the rack or on some distant hub/switch.

Wireless Worthlessness

[HongPong]

My high school is one of the first in the country to use Apple's AirPort wireless technology in the classroom. We all have Apple iBooks. Everyone uses AOL Instant Messenger in class all day long. :-)

One day someone figured out that packet sniffers can be used on the network to see other people's POPmail passwords and AIM conversations, as well as whatever websites they are at. It is genuinely disturbing. However, I am terrified of telling our administration about this because of a kill-the-messenger syndrome.

Let me just say that this is one of the most ridiculously insecure technologies in the world, just waiting for the packets to be pulled down out of the air with a packet sniffer program like EtherPeek. People have been doing this for months around here.

This is just a school. It's terrifying to think that the world's important financial institutions rely on this technology's security.

--