Public Access 'Blackspots'
WeakGeek writes "Unstrung has a story talking about a security issue with the combining of 802.11 and GSM/GPRS networks. Seems that 802.11b hotspots provide hackers with an easy way to grab user information from the wide-area network itself.
Back when GSM was being defined, standards were designed to only authenticate the details held on the SIM card in a user's device before starting a session on the network. The user's device doesn't in turn check the credentials of the network. Fake a network, get data.
Of course, the linked-to story seems to be a 'viral' advertisement for a product that fixes this, but I still thought it interesting enough to share."
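The one-way exchange the submission describes, worked through as an added example (this is not code from the Unstrung story or from any GSM stack): the network sends RAND, the SIM answers SRES from its secret Ki, and the phone never checks who asked. A3 and A8 are stood in for by HMAC-SHA256 (the real algorithms are COMP128 variants), the Ki and IMSI are constructed test values, and the `network_token` check is an assumption added only for contrast, to show what a SIM that did authenticate the network would do to a fake one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed test values; a real Ki lives only in the SIM and the operator's AuC.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
IMSI = "001010123456789"


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for GSM A3: SRES = f(Ki, RAND), 32 bits. Real SIMs use a
    COMP128 variant; HMAC-SHA256 is used here only to keep the example runnable."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: ciphering key Kc = f(Ki, RAND), 64 bits."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def network_token(ki: bytes, rand: bytes) -> bytes:
    """ASSUMED extension, not part of the GSM exchange the post describes: a tag
    sent with RAND that only a holder of Ki can compute (loosely the idea that
    3G AKA later adopted as AUTN)."""
    return hmac.new(ki, b"NET" + rand, hashlib.sha256).digest()[:8]


class Sim:
    def __init__(self, imsi: str, ki: bytes, require_network_token: bool = False) -> None:
        self.imsi = imsi
        self._ki = ki
        self.require_network_token = require_network_token

    def answer(self, rand: bytes, autn: Optional[bytes]) -> Optional[tuple]:
        """Classic GSM behaviour: ignore everything but RAND and answer.
        With require_network_token the SIM first checks the network's tag."""
        if self.require_network_token:
            if autn is None or not hmac.compare_digest(autn, network_token(self._ki, rand)):
                return None
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class HomeNetwork:
    """Legitimate operator: its AuC holds every subscriber's Ki."""
    def __init__(self, subscribers: dict) -> None:
        self._subscribers = subscribers

    def challenge(self, imsi: str):
        rand = os.urandom(16)
        return rand, network_token(self._subscribers[imsi], rand)

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        return hmac.compare_digest(sres, a3_sres(self._subscribers[imsi], rand))


class FakeNetwork:
    """Rogue base station. It holds no Ki, so it cannot check SRES (it accepts
    anything) and cannot forge the network token; it just sends random bytes."""
    def __init__(self) -> None:
        self.captured = []

    def challenge(self, imsi: str):
        return os.urandom(16), os.urandom(8)

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        self.captured.append((imsi, rand.hex(), sres.hex()))  # IMSI and SRES for free
        return True


def attach(sim: Sim, network) -> bool:
    """One authentication round. True means the phone now has a session on
    `network` and will start sending its traffic through it."""
    rand, autn = network.challenge(sim.imsi)
    result = sim.answer(rand, autn)
    if result is None:
        return False  # the phone refused the network
    sres, _kc = result
    return network.verify(sim.imsi, rand, sres)


def demo() -> dict:
    home = HomeNetwork({IMSI: KI})
    rogue = FakeNetwork()
    classic_sim = Sim(IMSI, KI)
    checking_sim = Sim(IMSI, KI, require_network_token=True)
    return {
        "classic_sim_vs_home": attach(classic_sim, home),
        "classic_sim_vs_rogue": attach(classic_sim, rogue),    # True: the problem
        "checking_sim_vs_home": attach(checking_sim, home),
        "checking_sim_vs_rogue": attach(checking_sim, rogue),  # False
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'session' if ok else 'refused'}")
```

The second line of output is the whole story: the classic SIM attaches to the fake network as readily as to its home network, because nothing in the exchange requires the network to prove knowledge of Ki. Only the assumed token check, which a real GSM SIM does not perform, makes the phone refuse.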
If I recall... WEP is the wireless encryption protocol. 802.11 networks should be rolling it out if it's not already. Simple solutions? Use an SSL gateway.
"Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
And why would 802.11b fix this? If you can put 802.11b there, why not just put up a cell to fix the problem?
Right now, where are the 802.11b networks? For the most part they are in the cities. Where do you not have a problem with reception? In the cities.
Why would someone put an 802.11b network out on Route 100N in Vermont rather than just a cell on the top of the mountain? I'm obviously Mr Thicky here, as it does seem that if you are going to put up a wireless network you might as well put up one that is already supported by phones rather than adding more bulk to the phones with a separate set of chips to drain the battery.
I've got Bluetooth on my mobile, and GPRS. Someone please tell me why I'd want 802.11b as well?
An Eye for an Eye will make the whole world blind - Gandhi
Maybe I'm missing the point :) but isn't this just a function of the fact that there is no user-level authentication in 802.11b at all... The fact that this makes it difficult to hook up WLANs to GSM networks is only just a side-effect.
Doesn't 802.11x begin to address this?
With the absence of FCC police in a metropolitan area, enforcing the laws of power usage and whatnot is becoming impossible. Of course you can submit a complaint, but good luck having an official actually come out and survey the damage, and while adding all of these cell phones to the mix sounds like a fun idea, it's only going to cause many, many problems. Why can't these hotspots be using a licensed freq instead of a publicly available one? Especially now that the hams finally realised that they can use the 2.4GHz spec for data. That's also an odd situation... The hams were way behind on the 2.4GHz issue. They have had it available forever but were slow to catch on. With all of these 2.4 freq. products, in a couple of years we will be glowing green from all of the radiation.
Why don't we just install it under our skins and we can all be 802.11 hotspots ourselves.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
Interestingly, nobody in the article or here mentions the fact that there's a very active group at the IETF that's working on securing all kinds of authentication messaging systems, including EAP (the method for 802.1x wired/wireless authentication). EAP is the focus, but the papers presented at the various conferences cover many authentication methods and methods of securing them.
Protocols like EAP (Extensible Authentication Protocol) are intended to provide a generic mechanism over any transport system to handle legacy and modern handshaking and exchange to authenticate a user in a system.
In 802.1x/EAP, included as of the 802.11i wireless security update, 802.1x defines the roles of a client, access point authentication passthrough, and an authenticator. 802.1x restricts access to the network until the access point using EAP has been told by the authentication system that the client is okay to be on the network. It hands off a key, which eliminates spoofing, as even if you spoof the MAC address, you don't have the key. The key can be swapped frequently, like every 10,000 packets.
The problem with 802.1x/EAP is the same as with the SIM/GSM authentication system as described here. The authentication is sent in the clear! So you have three flavors of tunneled, SSL-like EAP: EAP-TLS (requires a pre-installed certificate on the client), EAP-TTLS (Meetinghouse, Funk support, tunnels EAP inside a tunnel), and PEAP (Microsoft, Cisco, same tunneling but ignores legacy protocols supported within EAP-TTLS).
Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
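The "authentication is sent in the clear" problem from the comment above, worked through as an added example (not code from the comment's author, nor from any EAP implementation). EAP-MD5 reuses the CHAP construction, MD5(Identifier || Secret || Challenge), so a passive listener who captures identity, challenge and response can test candidate passwords offline at leisure. The block then carries the same inner exchange through a toy tunnel, which is an assumption standing in for the TLS tunnel of EAP-TTLS/PEAP (an HMAC-SHA256 keystream with a constructed per-session key, not real TLS); the account, password and challenge are constructed test data.

```python
import hashlib
import hmac
from typing import Optional

CHALLENGE_LEN = 16  # fixed here for simplicity; real EAP-MD5 carries a length byte


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748) reuses the CHAP construction of RFC 1994:
    MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def cleartext_exchange(identity: str, secret: bytes, challenge: bytes, identifier: int = 1) -> dict:
    """What a sniffer sees when EAP-MD5 runs directly over the air:
    identity, challenge and response, all in the clear."""
    return {
        "identity": identity,
        "identifier": identifier,
        "challenge": challenge,
        "response": eap_md5_response(identifier, secret, challenge),
    }


def offline_dictionary(seen: dict, wordlist) -> Optional[bytes]:
    """Passive attacker: push candidate secrets through the same function until
    one reproduces the sniffed response. Only works if the fields were visible."""
    if not all(k in seen for k in ("identifier", "challenge", "response")):
        return None  # nothing to test candidates against
    for word in wordlist:
        if eap_md5_response(seen["identifier"], word, seen["challenge"]) == seen["response"]:
            return word
    return None


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256. Stands in for the TLS record
    layer of EAP-TTLS/PEAP; assumes a fresh key per session (TLS provides that)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def tunnel(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call undoes it."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def tunneled_exchange(identity: str, secret: bytes, challenge: bytes,
                      tunnel_key: bytes, identifier: int = 1) -> dict:
    """Same inner EAP-MD5, but carried inside the tunnel. The outer identity can
    be a dummy; only the tunnel endpoint sees the real fields."""
    inner = (identity.encode() + b"\x00" + bytes([identifier]) + challenge
             + eap_md5_response(identifier, secret, challenge))
    return {"identity": "anonymous", "inner": tunnel(tunnel_key, inner)}


def authenticator_verify(tunnel_key: bytes, msg: dict, credentials: dict) -> bool:
    """Tunnel endpoint: open the tunnel, then check the inner EAP-MD5 response."""
    blob = tunnel(tunnel_key, msg["inner"])
    ident, rest = blob.split(b"\x00", 1)  # identity carries no NUL
    identifier = rest[0]
    challenge = rest[1:1 + CHALLENGE_LEN]
    response = rest[1 + CHALLENGE_LEN:1 + CHALLENGE_LEN + 16]
    secret = credentials.get(ident.decode())
    if secret is None:
        return False
    return hmac.compare_digest(response, eap_md5_response(identifier, secret, challenge))


def demo() -> dict:
    challenge = bytes(range(CHALLENGE_LEN))            # constructed; a server uses random bytes
    wordlist = [b"password", b"letmein", b"hunter2", b"qwerty"]
    creds = {"alice@example.org": b"hunter2"}          # constructed test account
    tunnel_key = hashlib.sha256(b"constructed per-session tunnel key").digest()

    clear = cleartext_exchange("alice@example.org", creds["alice@example.org"], challenge)
    tunneled = tunneled_exchange("alice@example.org", creds["alice@example.org"], challenge, tunnel_key)
    return {
        "cleartext_recovered": offline_dictionary(clear, wordlist),    # b"hunter2"
        "tunneled_recovered": offline_dictionary(tunneled, wordlist),  # None
        "tunneled_outer_identity": tunneled["identity"],               # "anonymous"
        "tunneled_accepted": authenticator_verify(tunnel_key, tunneled, creds),  # True
    }


if __name__ == "__main__":
    print(demo())
```

Note the division of labour: the tunnel does nothing to make EAP-MD5 stronger, it only denies the listener the challenge and response to grind against, and it hides the real identity behind the outer "anonymous". That is exactly the gap between running a legacy method bare and running it inside EAP-TTLS or PEAP.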
I've done this before in a way myself.
:)
It was just an experiment at the time because I was bored.
I setup an oBSD box with wireless card in it not connected to any real network, but acting as an access point.
It handed out seemingly public IPs (It was slightly off from the real IPs my network used)
I did not use WEP on purpose, but set the network name to 'Private_GO_AWAY' (or some such message)
It then ran honeyd and pretended to be a network of a few hosts.
People looking for net access failed to get it, and most left it at that.
Once someone attempted to open a connection to any of these fake IPs, my machine portscanned them back, fingerprinted the OS, grabbed banners from any service it found running, and logged this all with date/time/MAC/hardware brand/etc info.
It also at that point started logging every packet that IP sent up until it left the wireless network.
It was fun to watch people who actually tried to 'break in' over wireless.
As I recall it was only about 5 people in a 6 month period, out of hundreds of people 'passing by' looking for net access.
Only those 5 or so people do I have detailed logs on. (I didn't bother logging anything about the ones just wanting net access, other than the fact they requested an IP and when.)
If my signal is being broadcast out and they have full rights to do what they want with it, I feel the same is true for the replies from their wireless hardware to me.
As was mentioned above, any network can be penetrated once physical access is obtained. Most network security is designed around the concept of trusted portions of the network; an attacker must either break through a firewall, gain control of a machine within the trusted portion of the network, or add a machine under his control to the network. Under 802.2 and related networking protocols, physical access is limited to a wire; to add a machine to the network, an attacker must at least be in the building. Under 802.11, physical access is anywhere within a certain range of a node. With the right equipment, this range can be extended considerably. Suddenly, that firewall isn't quite so effective.
My opinion hasn't changed since the first time I read about 802.11: great, useful, whatever, but NOT TO BE TRUSTED. I have an 802.11 hub on my network, but it sits in the DMZ. Wireless users around the house can still get access to the Internet and some network services, but unauthenticated machines can't get into my happy safe zone. If I needed something like that, I could set up VPN to let my wireless machines become part of the safe zone. VPN uses much better authentication and encryption than 802.11, and VPN implementations can be easily patched as the protocol improves. AFAIK, VPN authentication would defeat the attack described above.
Batou: Hey, Major... You ever hear of "human rights"? Major: I understand the concept, but I've never seen it in action