Security Vulnerability in Apple's AirPort Base Station
inditek writes "At Stake has issued a security warning today about a vulnerability in Apple's AirPort Base Station: 'Apple's AirPort device is a wireless access point, providing 802.11 services to network clients. Authentication credentials are obfuscated, and then sent over the network. If an AirPort is administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort.'"
Considering most Airports are at home.
Oh no the hackers are telnetting from inside the house!
Besides if you're using a switch instead of a stupid hub they can't sniff you anyway.
He who knows not and knows he knows not is a wise man. He who knows not and knows not he knows not is a fool.
I think what they're saying is that the Airport base station, which is an 802.11 base station, has exactly the same security vulnerability as an 802.11 base station.
This is very old news.
Now wash your hands.
I wonder what prompted them to release this. It is obvious that you could "sniff" the password for the AirPort since it uses clear text for the password. If this is considered a security hole then Linksys, D-Link, Belkin, Cisco, 3Com, Asante, Maxgate, Netgear, Samsung, Unex and virtually everyone else who makes wireless APs has the same problem.
read the advisory, they just XOR stuff and it's easily reversible. other base stations aren't quite so lame. my submitted post got edited, and one should read the links first anyway.
You've gone too far, Dave.
From the article: Authentication credentials are obfuscated, and then sent over the network. If an AirPort is administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort.
...
If an AirPort is administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an anonymous attacker that can sniff the network can obtain administrative access to the AirPort. If WEP is enabled, then the attack is limited to WEP authenticated attackers.
It is well known that WEP can quickly and easily be broken, so really what this is saying is that all AirPort base stations that are administered are vulnerable, regardless of whether WEP is used or not.
Workaround: Only admin the Airport from a Mac connected directly to the cabled ethernet interface using a crossover cable until this issue is patched.
But, but.. the Yahoo article linked from Slashdot said that it was 2-3 weeks afterwards. Also, there's no mention on the IMAX Si..
Ok, what the hell. There WASN'T information on their site the last time I checked. Now there is. Nothing about a release date, besides 'June 2003', which isn't the normal Matrix release day (since that's 5/15, which is a Thursday according to my calendar)
Yeah, WEP isn't secure, but even without WEP some access points take some efforts to make the admin access a little less easy to get, since it's just hanging out out there.
The point of the security advisory is that this access point's efforts in that realm are really silly and make it worse than the other access points. None of them are really "secure." The part you quoted seems to allude or infer that some are, and that's kind of dumb of them to say - but you're getting distracted from the point.
That may be well known, but it doesn't make it true. Breaking WEP requires a certain number of weak keys to be snooped. These weak keys are rare. I once saw an estimate of how much traffic it would take. I've never sent that much traffic on my WEP connection.
Is this seriously considered a flaw given that most remotely managed access points can be exploited in such a way - hmmm, any network tbh. Be it SNMP or hidden UDP ports for administration, they're there and can be found.
--
Nothing new to see here move along
--
What many people don't realize is that these programs require the harvest of between 2000 and 10000 'weak' packets, which can take as little as 20 hours and as long as a week of constant monitoring to collect. If you don't believe me, go read the FAQ of any WEP cracking program. These programs are only proof of concept models, and lack a practical implementation. I tried KisMAC against my own AP and failed to produce any results.
WEP is perfectly secure for a standard network, and anyone who is willing to spend 100 hours standing in my driveway just for access to a network on which everything else is passworded is simply insane.
Anyone who acts like WEP is worthless is simply misinformed.
Yawn.
This has nothing to do with the Airport device in specific. The same is true for any 802.11 device. If you're connecting to it not using WEP, then it's insecure. We know this. It's not an Apple thing.
Nothing from nowhere I'm no one at all
from the post (not having bothered to read the article, as it seems there's no point...): ...administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort (emphasis mine)
well, big frickin' duh, if you'll pardon my french.
if i administrate any computer or for that matter any access point via an insecure connection or any connection that can be sniffed by an intruder well, no doubt it can be compromised!
why is this news? why, more specifically is this apple news?
why not create a new /. section - commonsense.slashdot.org - to address these kinds of posts.
- Entertaining Bits from the Ancient Kernel Tree
I'd hit em with my car....that'll stop script kiddies on their iBook!
Additionally, many firmware implementations for 802.11 products have been updated to not use weak initialization vectors (IVs), which are used in ultimately deciphering a WEP key.
WEP is perfectly secure for a standard network, and anyone who is willing to spend 100 hours standing in my driveway just for access to a network on which everything else is passworded is simply insane.
I'm afraid he doesn't need to stand in your driveway. Are you 100% positive your AirPort network cannot be accessed from any neighboring building? If it can (and I think it's quite possible, actually), then you could be vulnerable to some smartass neighborhood kid. He can wait, he can break your network on his home machine in its spare time, just like seti@home. 100 or 200 hours is not a problem for him.
What many people don't realize is that these programs require the harvest of between 2000 and 10000 'weak' packets, which can take as little as 20 hours and as long as a week of constant monitoring to collect. If you don't believe me, go read the FAQ of any WEP cracking program. These programs are only proof of concept models, and lack a practical implementation. I tried KisMAC against my own AP and failed to produce any results.
What? You couldn't get any results from your own AP (with, I'm guessing, perhaps only one or two computers)?
Oh that's alright then - panic over.
I suggest you go and do some reading yourself. WEP is NOT secure due to fundamental flaws in the protocol design. For example MAC addresses are not encrypted, nor are beacon frames. Wireless networks CAN and ARE compromised. Just because you cannot get a tool working on your own equipment does not mean that the tool does not work.
Proof of concept my ass.
More importantly they have to be standing in your driveway while you ADMINISTER your AP for 100 hours!
WEP is just fine for this level of security.
Now as far as packet sniffing and random buggery, well it's certainly vulnerable and I wouldn't deploy it on a corporate level in any high traffic business district.
A fool throws a stone into a well and a thousand sages can not remove it.
That would be like; security.microsoft.com
Ask your dad, etc.
There is no building within range of my AirPort Base Station, apart from my own house. Some of us have elbow room. :-)
There is no doubt (and certainly no argument) that this is a well known security vulnerability of 802.11b access points, the Airport being one of them.
If you read the posting, @Stake is not laying claim to the vulnerability, rather the obfuscation technique used by Apple to transmit their passwords. While other wireless routers (Linksys, Netgear, etc.) all suffer from the same core vulnerability, they don't all use the same methods for transmitting password information. RTFA:
The authentication credentials, a password with a maximum length of 32 characters, are XOR'd against a predefined key. When sent over the network, the password is sent out in a 32 byte fixed block. @stake was able to determine the key by setting a one character password and monitoring the network traffic. This revealed 31 bytes of the XOR 'key'. The final byte can be obtained by XORing the obfuscated first byte against the first character of the plaintext password.
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
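To make the quoted advisory concrete, here is an added toy model (not code from @stake or Apple) of why a fixed-key XOR over a zero-padded 32-byte block is obfuscation rather than encryption: one known plaintext gives away the key, and a captured block authenticates on its own. KEY is a constructed stand-in for the real key, and zero padding of short passwords is an assumption.

```python
# Added example: toy model of fixed-key XOR "obfuscation" of a 32-byte
# password block. KEY is constructed (not the real AirPort key); padding
# with zero bytes is an assumption, not something the advisory states.
BLOCK = 32
KEY = bytes(range(0xA0, 0xA0 + BLOCK))  # constructed 32-byte fixed key

def obfuscate(password: bytes, key: bytes = KEY) -> bytes:
    """Pad the password to the 32-byte block and XOR it with the fixed key."""
    if len(password) > BLOCK:
        raise ValueError("password longer than the 32-byte block")
    padded = password.ljust(BLOCK, b"\x00")
    return bytes(p ^ k for p, k in zip(padded, key))

def recover_key(block_for_one_char: bytes, first_char: bytes) -> bytes:
    """The advisory's observation: with a one-character password the 31
    padding bytes are known (zero), so bytes 1..31 of the block equal the
    key, and key byte 0 is block byte 0 XOR the known first character."""
    key0 = block_for_one_char[0] ^ first_char[0]
    return bytes([key0]) + block_for_one_char[1:]

def deobfuscate(block: bytes, key: bytes) -> bytes:
    """Undo the XOR and strip the zero padding (a password ending in a
    NUL byte would lose it; fine for this illustration)."""
    return bytes(b ^ k for b, k in zip(block, key)).rstrip(b"\x00")

def base_station_accepts(block: bytes, real_password: bytes) -> bool:
    """Toy check: the base station compares the received block with the
    obfuscated form of its configured password. The key never changes, so
    the obfuscated block is itself a reusable credential."""
    return block == obfuscate(real_password)

if __name__ == "__main__":
    # A single known one-character password reveals the whole key.
    leaked = recover_key(obfuscate(b"a"), b"a")
    print(leaked == KEY)                                   # True
    # Every other block seen on the wire now decodes directly.
    captured = obfuscate(b"correct horse")
    print(deobfuscate(captured, leaked))                   # b'correct horse'
    # Even without the key, the captured block is accepted as-is.
    print(base_station_accepts(captured, b"correct horse"))  # True
```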
There is no building within range of my AirPort Base Station, apart from my own house. Some of us have elbow room. :-)
Phew - no buildings near your base station. Looks like all those Starbucks using AirPort kit are secure after all.
psst. it may be difficult for you to accept, but the world does not revolve around you see...
Phew - no buildings near your base station. Looks like all those Starbucks using AirPort kit are secure after all.
psst. it may be difficult for you to accept, but the world does not revolve around you see...
The post I was replying to said "Are you 100% positive your Airport network cannot be accessed from any neighboring building? If it can (and I think it's quite possible, actually), then you could be vulnerable for some smartass neighborhood kid." I think my response was appropriate. YMMV.
OK, so somebody can obtain administrative access to my ABS. So what? I suppose that they could reprogram it to let them in, or keep me out. But since I have physical access to the station, I can always force a manual reset. I suppose that it might be useful as a preliminary step to turn off WEP, and avoid the work of cracking WEP.
All wireless devices need *correct use*. Use correctly your admin options.
.. it never occurred to those PC users that their connection could have constant parasites (and I know 100% I'm not the only one in this block of flats to do that) slowing their own surfing speed. So, internet radio at 160 k/sec, downloading mail and surfing fast.
And don't read the article as saying the other wireless systems are "more secure".
I am surfing constantly on a neighbor's Linksys system - their Covad is so much faster than our DSL. I've never sniffed to get it. It shows up in my AirPort menus.
I am too comfortably lazy to tell them that they *could* inform themselves about what a password is.
These programs are only proof of concept models, and lack a practical implementation.
Coming from someone who proves people like you wrong for a living; I think I speak for everyone when I say "BULLSHIT!".
WEP is perfectly secure for a standard network, and anyone who is willing to spend 100 hours standing in my driveway just for access to a network on which everything else is passworded is simply insane.
No one needs to stand around for 100 hours (god knows what orifice you pulled that figure out of) in your driveway. Apparently you're not familiar with high gain antennae, nor with the fact that these attacks can be 100% passive.
So you're saying your network is completely secure from the inside just because you use passwords? Just what the hell kind of network are you running anyway? Surely it's not 100% encrypted..
Anyone who acts like WEP is worthless is simply misinformed.
I think it's pretty clear who's misinformed.
uh....did you happen to have 2 post windows open at the same time and pick the wrong one? or is this an interesting new bug in /. ?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Really isn't this a basic security issue?
Well, as long as the obfuscation, whatever it is, is constant, you don't even need to unobfuscate it, as sending the obfuscated password is enough to gain administrative access to the base station.
Unobfuscating the password is merely a convenience to avoid patching the base administration software.
From a security point of view, this is the same as a login process. The AirPort base would have to use secured login methods (like public key exchange or challenge/reply, etc.) to prevent such flaws.
This is true for every network appliance, or for that matter, every time a login is done through an unsecured channel. This is why ssh exists.
The presence of a rat is well regarded in Japan, it is the sign of a good harvest.
OH THE SHAME I fell off the wagon and use sigs again!
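As an added illustration of the challenge/reply login the comment above asks for (example code, not anything Apple shipped), here is a minimal HMAC-based exchange: the password never crosses the wire, and a reply captured during one login is worthless against the next challenge, which is exactly the property a constant obfuscated block lacks. The password value is constructed.

```python
# Added example: minimal challenge/reply login built on HMAC-SHA256.
# Models the fix the comment suggests; the password is a constructed value.
import hmac
import hashlib
import secrets

def issue_challenge() -> bytes:
    """Base station side: a fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)

def answer_challenge(password: bytes, nonce: bytes) -> bytes:
    """Admin side: prove knowledge of the password without transmitting it.
    Only this MAC over the nonce goes onto the network."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

def verify(password: bytes, nonce: bytes, response: bytes) -> bool:
    """Base station side: recompute the expected reply and compare it in
    constant time so the comparison itself leaks nothing."""
    expected = hmac.new(password, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def login_round(password: bytes, attempt_with: bytes) -> bool:
    """One complete exchange; returns whether the base station accepted."""
    nonce = issue_challenge()
    return verify(password, nonce, answer_challenge(attempt_with, nonce))

def replay_fails(password: bytes) -> bool:
    """A reply sniffed during one login does not satisfy a later challenge,
    because the nonce it was computed over is never issued again."""
    first_nonce = issue_challenge()
    sniffed = answer_challenge(password, first_nonce)
    second_nonce = issue_challenge()
    return not verify(password, second_nonce, sniffed)

if __name__ == "__main__":
    pw = b"airport-admin-secret"        # constructed value
    print(login_round(pw, pw))          # True: correct password
    print(login_round(pw, b"guess"))    # False: wrong password
    print(replay_fails(pw))             # True: captured reply is not reusable
```

A captured nonce/reply pair still lets a weak password be guessed offline, so this stops sniffing and replay but does not replace a strong admin password or an encrypted channel such as ssh.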
I found that the biggest security risk is one's own laziness. Setting a password will most likely keep me from using your internet access from my house. But you didn't, so I have free internet access on my ibook (only in the dining room). Lucky for you, I was nice enough not to change the password so you could use it too.
The password's XOR'ed with a key. A casual administrator might look at sniffer output and believe it was nontrivially encrypted, and get a false sense of security.
Since it's apparently the same key every time, it might as well be plaintext as far as real security goes.
By "standard network", did you mean "standard home network"?
20 hours is a bit pessimistic.
"we were able to collect that many packets in a few hours on a partially loaded network", says the Stubblefield/Ioannidis/Rubin paper (ATT tech report TD-4ZCPZZ) about implementing the Fluhrer/Mantin/Shamir attack.
What's important here is how that "few hours" compares to the amount of time the WEP key stays in service. If you've got a big network it's almost impossible to get everyone to change to a new WEP key. If you keep a password for months that can be cracked in a day, that's not good. If you can't re-secure your network after one laptop gets stolen, that's not good either.
For your situation WEP is not a disaster. It's enough to push intruders over to your neighbors who aren't using any security. You've got strong passwords behind it. But I wouldn't tell a high-profile target or an enterprise network that WEP is "perfectly secure".