802.11 WiFi Denial of Service Exploit Discovered
CRC'99 writes "The Queensland University of Technology has today announced yet another flaw in 802.11 products. AusCERT has the official statement, noting: 'An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult.' Nice to know that a simple PDA could bring a WiFi network to its knees."
...."other people" are soooo smart in finding bugs in the system, than the system creators themselves?
Seems like the single most energetic use of all our new technology is figuring out new ways to break it.
Always going forward, 'cause we can't find reverse.
Oh yeah, real nice. Now we can all sleep well at night knowing about this!
Weren't they called JAMMERS back in the nice radio-shack times? Jam the 11 802.11 band frequencies and you have a "DoS" attack...
I wonder if WiFi bridges are also affected by this.
And of course, how long will it take before the manufacturers have a firmware update for this? It seems that most firmware updates only add extra functionality to gain an edge over the competitors, but basic stuff like optimisation is kind of a non-issue. I'm crossing my fingers this will be fixed shortly, but I'm having doubts about it.
The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
In case of a chain:
It's easier to find a weak link in a chain, than it is to make all perfectly strong links.
In case of a 'system':
It's easier to find a single flaw than it is to build all parts well. (not to mention that all parts must also interact well, and do the job.)
Using something as small, cheap and common as a hammer I may cause significant disruption to *all* computer activity within walking distance.
What would be the point of this other than making people mad? It would not destroy data. Also, has it been done by an "attacker" or did they do it themselves?
As an aussie it seems really strange that this kind of thing is discovered in Queensland, it's always raining there so what use WiFi is there I really don't know...
Is it just me or could this same idea be applied to any network with collision avoidance?
It is basically a user done packet storm.....
Now I am going to have to dig up that book on cable modem specs....
A microwave oven can bring down a WiFi network. You could plug a 110 volt line into an Ethernet jack if you felt like it. All shared media networks require cooperation in order to run correctly.
This could be a huge problem. Let's say you have a business where you have high sales volumes at certain times, with these times determined by unknown external factors (like a stock broker). If your network is down at those critical times, you loose business and money. Now all your competition needs to do is take out your network during one of these critical times, and all your customers will turn to them.
Wifi networks _require_ cooperation to work. When the protocol says I am not allowed to send now, who can enforce it? I have to admit that tricking everybody else into believing that the channel is in use when it is actually free is an elegant way of disrupting the network, but you could just as well send short blips whenever someone else tries to transmit a packet. Only software which you control stands between you and the network.
Exploit? This is basic RF electronics 101; says a lot for this university's quality of education, I must say.
Maybe I should build a wideband GHz transmitter.
When you think about it, a kid with a wound-up coil, a 9V battery, some resistors and a random number generation chip could completely knock out any kind of WiFi transmission he wanted to.
:E
But would his jamming be any less random than the average slashdot feed?
I've never quite understood WiFi.
I know people who have dialup internet connections and two or three computers, none of them laptops, but still use WiFi in preference to RJ-45. (In fact I know people who connect one fixed computer to its dial-up with WiFi, 'cause RJ11 phone cable is ugly.)
It's very fashionable, but doesn't seem to work very well. Everyone I know with a WiFi home network has had problems with it.
That said, the idea of free connections in cafes would be cool if there were more of them...
# cat
Damn, my RAM is full of llamas.
...will be to change the modulation scheme to CDMA. It is clearly the future as far as security and spectrum utilisation are concerned, and as an ever-increasing number of devices begin to use it (such as UMTS mobiles worldwide), the hardware should become cheap enough to make the transition pay off. Until then... keep a cable backup for criticals! ;)
The good old wire prevails!
-Imidazole2
This one has a bit more information.
http://news.com.au/common/story_page/0,4057,9549723%255E15306,00.html
Beware the (sometimes flash) ads.
Go to: http://www.wi-fiplanet.com/tutorials/article.php/2200071
Good info!
-Imidazole2
this just in...wireless networks are open to a range of attack vectors generally closed to wired networks...competitive interference leads to signal degradation and loss of service...film at 11
seriously, and I haven't even read the article yet, what could possibly be the news here. I'm imagining that, what, certain tiny packet sequences have a disproportionately large disruptive impact on the protocol by causing extended resets and delays? how is that any different from the recent TCP packet spoofing attacks except in free space?
it would still be easier to get a big antenna and a transceiver and just blanket the spectrum.
move along, nothing to see here.
more information is available in RFC 3580 on the same topic.
Couldn't the same effect also be achieved by a simple spark-gap generator? Granted, this device would also affect all other bands, but it has been around for many years and is remarkably low tech.
He who laughs last is stuck in a time dilation bubble.
Any CS course teaches that CSMA/CD only works because of binary exponential backoff ensuring that there isn't a continuous stream of collisions. (Basic idea: once a collision occurs, transmitters will wait a random amount of time to retransmit to avoid a collision involving exactly the same transmitters.) All you have to do to ensure guaranteed collisions is to have one bad player who 'doesn't back off'. The 'attack' probably just involves changing a '2' somewhere in the firmware to '1'. If they transmit continuously, you have a DoS. Note, I only know about the theoretical side of CSMA/CD, but as far as I can see, it's an inherent flaw in communicating over shared broadcast channels.
Would like to buy second-hand WiFi-enabled PDA, preferably low-powered. Please email me at: big.nothing@bigger.com
SIG: TAKE OFF EVERY 'CAPTAIN'!!
Can you say, "cheap microwave oven" ???
/. for HERF.....
The cheaper, the better.
Want to screw your neighbor over?
take the cover off the oven and turn it on.
Just don't be in the same room when you throw the switch, sort of like when the executioner lights up a prisoner in "Old Sparky"...
Pick one up off the side of the road and then do a google site search on
Have fun kiddies!!
This is the same problem as with LA or VHF radio. Only one device can be transmitting at a time on a single frequency band. This stems from the fact that the receivers have to tune to a certain signal and no two signals are likely to be in the same phase, thus the strongest signal will win. Essentially these devices behave as if they are half-duplex, and well-timed (continuous) collisions will cause the whole segment to come down. This is what happens here. Remember the old coaxial 10base ethernet networks? They were vulnerable to the same thing.
The unfortunate fact here is that there is no cure for this kind of misbehaviour. Old devices likely won't be upgradeable (hence no silver bullet). Multi-band hi-speed WiFi (54Mbit+) is not likely to be affected by this attack, but if they operate in compatibility mode they will be brought down, too. Intelligent access points can lessen the effect of this attack but that leaves the older devices out of the communications.
Essentially this requires quite little work on the part of the attacker since no hi-powered transmitters are needed. That fortunately limits the range of the attack, too. I would like to know if anyone could calculate quick estimates as to the affected area with certain wattage transmitters. Anyone?
"Intellectual Property" should be an affront to anyone capable of independent thought.
CDMA would not solve this problem. CDMA operates the same as 802.11, in that it is a direct sequence spread spectrum modulation. They are different, though, in that 802.11 devices all use the same spreading code, whereas CDMA uses different spreading codes for each device. CDMA is based upon a "base station subscriber" model, where the base station controls all of the subscriber devices - telling them which codes to use, and managing the interference environment. 802.11 is based on a distributed "no node is greater than any other node" basis. Centralized management of spreading codes would require a total re-architecting of 802.11, and would take it in directions that are inimical to the design objectives of the technology.
P.S. I am a member of the 802.11 committee -- I know of what I speak
This is so scary. I just woke up from a dream about the headlines on /. Yes really.
The top story was an article about how to make your own world-population-destroying-virus using a fish tank full of squirrel urine, and the editor had put some snide comment about "Why use squirrel piss when you can make your own terror virus using a tank of ordinary thirstful water?" and I was thinking "No fucking way is thirstful a word".
There were no comments on the story and I was going to first post something like:
--
"Why use squirrel piss when you can make your own terror virus using a tank of ordinary thirstful water?"
Because you must labour long and hard collecting the piss from squirrels while you think of the faces of your enemies...
--
Now is that sad or what? Note, this is not some bizarre, fucked-up troll post, I really did just have this dream, and was sad enough to post it to slashdot. (Did I really just check to see if the top story was about a terror virus??? How insane am I?????).
P.S. the 2nd story was something about the mouse driver in X and how you shouldn't recode it for every application, but have only one mouse driver (!) and I was going to make some humorous post about "without a mouse driver, how is anyone these days going to be able to shut down their computer?". Well, it was funnier when I was asleep.
graspee
"Nice to know that a simple PDA could bring a WiFi network to its knees"
Excuse me, but since when has a small portable computer ever been simple? It's a desktop PC in a smaller case you muppet!
Yup. In other breaking news, microwave ovens operating at certain frequencies have just been discovered to be an effective DoS tool for wireless networks within a limited range.
Another undisclosed report by the NSA reports that hammers are pretty effective too, though their range is extremely short.
Daniel
Carpe Diem
What a mess. The article mentions that 802.11a and 802.11g are excluded from the problem, but those modes suck for public access spots. 11a has the range of spit and 11g degrades as soon as an 11b host joins the party. With hard-wired ethernet, before switches emerged, jabbering NICs were a big problem. Similar problem here, but ID'ing the NIC address (even if possible) will be useless because NIC addresses can be spoofed. Detection of the attacker will have to be done by looking for someone with a smirk on their face. Might there be some law already on the books that prohibits disabling a commercial service? It's time for someone to invent a signal locator, configured to locate this vector of jabber. -aggles
I can bring a Cat 5 network down with one simple cable. Remember kids, hot to data! It should be noted that 460V 3-phase does significant damage to networks and will arc about 1 inch to complete the circuit. :D
-Polyhead-
Think of this in a corporate sense. For them, time and data are money. If I was paying a development team $AU40+ an hour, how much would it cost if my 20 people had to spend another 5 hours, another 2 days, or a week.
8 hours/day * 20 people * 7 days * $AU40 = $44800
Not exactly realistic, but if you use distributed compilation programs, or anything else that *NEEDS* the network, the loss will be large enough.
$44800 isn't much for a big company, but if I found the bastard I'd probably go to jail.
And my friends and family laughed at me when I used ethernet for my lan.
It just sounds like putting a WiFi card into constant broadcast mode. I guess you can call that a "flaw", but not talking when someone else is talking is a common necessity to all shared channels, with the exception of code division multiplexing I believe.
AccountKiller
It's easy to flood a wireless network. When using collision avoidance, if you're the only one not playing by the rules, you can own the network. It's like being on a token ring and editing your protocol stack to never put new tokens on once you get one: nobody else gets to send. Any protocol can be broken if you have computers that don't follow the protocol.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I can't imagine how this got on the front page. A regular 2.4GHz cordless phone is enough to take down a WiFi network. And if you're willing to go with a non-portable solution, a cheap microwave will quite easily act as an on-off switch for the whole network.
I remember vacuum cleaners used to destroy TV reception, so I can't imagine they're good for wireless networking either. Any ideas?
aQazaQa
I believe you do... BUT, if you have a number of pseudo-random noise codes stored and try them out sequentially whenever a "channel" is occupied, you could create alternate links, rendering the jamming of the entire spread frequency quite difficult (as you know, it's one of the advantages of CDMA), and allowing for a switch-like operation instead of a hub-like operation. When establishing a virtual "link", both ends could switch to a pre-determined code, changing ever so often if needed in a sequence.
There are probably some flaws in my reasoning, for I am a member of IEEE and know that the standards guys are amongst the brightest, but I'd like you to point them out for me: I'm always learning!
"in [sic] first glance"
How long has 802.11 been around?
If a user is trying to get in and sends two packets of unauthorized data within one second, WPA will assume it is under attack and shut down.
The only thing the h4x0r needs to do in this situation is send data frames periodically, causing constant shutdowns.
Annoyingly enough, he may be difficult or impossible to find because he doesn't need to use much transmit power or utilisation of the network.
This affects WiFi phones as well, based on the AusCERT description of the problem as targeting the physical layer. Good to know before deploying IP telephony solutions that include a WiFi component.
org.slashdot.post.SignatureNotFoundException: ewg
pfft, we all know the exploit is covering the target's house in tin foil so it can't penetrate
--- [Insert interesting Sig here]
I use a wired network, because it is all within close distance, and the machines are pretty static. My laptop is usually in easy "cabling distance" when I need that.
My dad wanted to use one in the living room though. It was a good 20m worth of cabling, and you'd need to drill through a couple places. Not pretty, nor easy. Then again, turned out the wireless coverage got crappy at that distance (10-12m, 2 walls including one with closet) so we'd have to lay cable anyway, to set up an AP closer. Either that or get a serious antenna. So we used a plain cable anyway, just roll it in and out as needed. 100Mbit beat flaky 1Mbit connection every day of the week.
Wireless is cool if you can cover e.g. the whole living area with one AP. But overall, I'm not too impressed either. Universities are cool though, usually have the right requirements (open landscape, powerful AP, multiple APs) for it. Personally I think I'll stick to cable...
Kjella
Live today, because you never know what tomorrow brings
Written by someone that wants to keep his job...
A slashdotter is furiously spinning his wheels trying to figure out how to pin this on Microsoft. Because we all know that serious security issues can only be the result of evil capitalists cutting corners and simultaneously writing bloated code to satisfy the sinful graphical desires of lusers.
>Previously, attacks against the availability of IEEE 802.11 networks have required specialised hardware and relied on the ability to saturate the wireless frequency with high-power radiation, an avenue not open to discreet attack. This vulnerability makes a successful, low cost attack against a wireless network feasible for a semi-skilled attacker.
That's complete BS. Just use the disassociate attack. It's even easier than the attack mentioned in the article, and people have been doing it for years.
This article wasn't worth reading, sorry.
Last time I looked a simple PDA has a 400MHz processor, 64 MB of RAM, a 64k colour screen, multiple expansion sockets and support for WiFi and/or Bluetooth.
Hardly simple. You must be thinking of one of those Palm products :o)
Avantslash - View Slashdot cleanly on your mobile phone.
Despite the fact that googling "wifi denial of service" comes up with your link, the discovered vulnerability is not one of the ones described in the article you found.
Insufficient spectrum with which to develop long enough spreading codes to both achieve the needed low cross-correlation (from one code to any other code) and still maintain 11 Mbit/s transmission speed. (Note: to achieve 11 Mbit/s in 22 MHz of spectrum, 802.11b uses a complex modulation scheme known as CCK - Complementary Code Keying. While I do not fully understand the math behind this, it seems that CCK is unlikely to be amenable to use in creating families of codes with low cross-correlation properties - needed for CDMA.)
:)
IS-95 CDMA, I believe, transmits a few kilobits/sec of voice information in a 1.2 MHz bandwidth, using "standard" DSSS. CDMA works because the coding gain with such a huge ratio of data bandwidth to DSSS modulation bandwidth is much larger than that achieved in 802.11 systems.
If you are willing to drop your data rate to, oh, 200 kilobits/sec in the 2.4 GHz band, perhaps 802.11 could be redesigned to accomplish CDMA techniques.
Still, setting up "point-to-point" RF links between individual end user stations would require an enormous amount of computing horsepower (check out a CDMA base station for comparison). And it would not deal with broadcasts, which would still have to be forwarded to an access point - be recoded for each INDIVIDUAL link to each subscriber it serves - and retransmitted N times, where N=number of users served by the access point.
Other systems actually do use techniques somewhat like this, but rather than code division, they use space division (e.g. Vivato, which uses electronic beam steering to establish point-to-point links with each subscriber station).
As I originally stated, and let me re-state - 802.11 is architected on the basis of an "all stations are equal" approach, which makes an uncomfortable fit with a centralized control design. The committee entertained many, many proposals which included centralized control, and rejected them. There are a couple of straightforward reasons: 1) The RF spectrum in which these devices operate is unlicensed and hence "uncontrolled". A base-station centric design would make it so that no station could communicate at all if that base station were experiencing service-blocking interference. The chosen design, though not completely eliminating this failure mode, is more resilient in the face of such issues. Second, the 802.11 MAC is essentially identical for use in an infrastructure mode (i.e. with access points connected to a "distribution medium", typically a wired LAN) and in "ad hoc" mode (where there are only "stations" - no infrastructure at all). Most people forget about "ad hoc" mode, but the committee could not. Their charter required that it be accommodated.
Your turn
When I took a white hat hacking class last summer, one of my instructors had a old X10 device that he modified and put in a generic box with the words "Internet Off" on it. Flip the switch, and the internet turns off for everyone 100 feet or so.
You are right! If Shannon were still alive, he'd be kicking my ass :)
Thank you for the time you took to enlighten me. Good to have a constructive exchange of posts, for a change. :)
This really isn't anything revolutionary. You can take down cell phones in the area that a handheld jammer can transmit. I don't think anyone has ever asserted that low-power wireless transmissions can't be DOS'ed by other low-power wireless transmissions.
Chris -- http://www.bitter.net/
A similar note is that the new Super G wireless routers are using the entire spectrum of 11 channels to increase the speed to a reported 108 Mbps. It's not an approved standard, but as long as it's not enabled at the factory they are still able to sell them.
If you want to knock out your neighbor's AP just run your Super G router with 108 Mbps mode enabled.
If you can read this sig - the bitch fell off.
The word is "Lose". You do not "loose" (antonym of "tight") money.
Honey, I shrunk the Cygwin
As a network admin, I would love to have several 802.11 jammers, and plant them all over the building. This would keep people from installing rogue wireless networks.
WiFi isn't CSMA/CD, but CSMA/CA.
The upshot is that convenience and reliability are generally opposing design goals. Things which are highly reliable by definition must be mature (read: old) technologies - you can't know if it will run for n years if you haven't run 1000's of examples for more than n years. WiFi is both relatively new and falls into the convenience camp. And until we can be convinced otherwise it must stay there.
Art is the mathematics of emotion
I'm pretty sure factual knowledge is, by definition, off topic for /. so I'm going to have to ask you to take it elsewhere.
Give a man a fish, he'll eat for a day, but teach a man to phish...
_You_ took my RJ-45 -to- 3-prong Edison adapter off of my desk, didn't you?
The first denials of service were discovered much, much earlier. They were:
#1. Linksys firmware
#2. Linksys drivers
#3. XP pre Wireless Rollup Fix
Oh, the lost art of code reviews. It seems to me that every time a program - or in this case a protocol - is written, someone finds a hole in it. Whatever happened to taking your code to someone with more experience and asking "hey, is there anything wrong with this?"
code, review, fix bugs, review again, fix more bugs and review again....
Eventually you have a solid, stable product.
Rinse, Lather, repeat!
-Ghost
I only know about the theoretical side of CSMA/CD, but as far as I can see, it's an inherent flaw in communicating over shared broadcast channels.
Few communication channels follow the abstract "shared broadcast" model.
If all devices had and used directional receiver antennas (say, six antennas pointing in different directions that pick up different signal strengths, with the source location determined from these strengths), we could avoid the problem.
May we never see th
Bring a WiFi network to its knees? What is the range on a transmitter being powered by a PDA? Not far. Walk over to another access point on your network or leave that Starbucks and go to the one ACROSS THE STREET. My neighbor has the same cordless phone as I do. Talk about interference? I have to change the channel on the phone every time I make a call....Now THAT is annoying!
--Always, I mean never..., No I mean always check your references.--
I've got news for ya, you can do the same thing on your local network with a regular lan card. You can also make a much less expensive jammer with an old microwave, or better yet, you can make a broad band (not cable internet) jammer with a file, some wires and a battery. It's being broadcast on public airspace, denial of service is trivially accomplished.
Fred
"A fool and his freedom are soon parted"
-RMS
... pray networking protocol strikes again.
Free Firefox news reader.
I've known about this for ages after it was pointed out to me by a guy at DNSCON.
TBH I didn't realise it was not common knowledge.
The sun is really bright will be their next discovery! I figured this out the first time I white boarded 802.11b two years ago, I just can't yell fscking DUH loud enough.
How would this attack not deny service? Denial of Service is a very broad term, which this Lack of Carrier attack clearly fits into.
Contrast DoS with Intrusive attacks, where you don't disrupt the network, but break in and use resources or take information.
This should not surprise anyone, it's radio. Radio interference is an age-old problem, and just goes with the territory of using non-directional radio signals.
---- Booth was a patriot ----
At least they're churning out real geniuses in academia now. I'll bet these guys will soon figure out that if they plug CAT5 cables into wall sockets they can disrupt all the wired LAN stuff within the area too.
Hey, did you know that you can disrupt a wireless network with a FREAKIN' MICROWAVE OVEN??
Wow, I'm so glad I read slashdot so I could learn that ten times.
It is very easy to build 2.4GHz transmitters that can jam 802.11 networks; this is why people should consider things like this when deploying networks using radio technology. Even microwave ovens will do this. And as a side note, BPL (broadband over power lines) is even more susceptible to jamming, from something as simple as a CB radio that can wipe out access for blocks.
"I bow to no man" - Riddick
Hell my 2.4 GHz Panasonic cordless phone loves to bring my wireless network to its knees whenever someone is talking on it.
Then I fear the terrorists have already won ...
At Defcon X there was a British group whose name I can't recall at the moment who was using the same attack. This is pretty old news in my opinion.
BTW they weren't using a Palm and a crappy antenna but a laptop and a really good hi-gain antenna. Said they had a 3-mile radius of WiFi knockout capability but they intelligently chose not to display the technique... or at least didn't while I was around.
Never could figure out why my girl liked my bitch tits, then I found out she was a lesbian.
...it's a tricorder.
Oh, wait.
The IEEE 802.11 working group is meeting right now in Garden Grove, California.
They are collectively raising their eyes to the sky and saying "Duh! Another idiot stating the obvious".
A posse is being organized. Hundreds of angry engineers, all bearing their IEEE Wireless Interim meeting badges, will descend on the offending researchers with pitchforks and other spiky objects.
Evil people are out to get you.
I send them the email so I know exactly what's in it, and tell them I'll give them the hammer if they don't open it!
At a recent conference I worked, we provided 802.11b wireless Internet access. Lots of people were complaining about the connection, so I fired up NetStumbler and noticed that there was an Ad-Hoc node on the same channel and same SSID as our AP.
Evidently, a lot of the "automagic" features on laptops to find and connect to an AP decided to connect to the Ad-Hoc node (in Ad-Hoc mode, of course).
Also I am really of the impression that the existence of an Ad-Hoc node on the same channel as an AP causes severe degradation of the channel throughput. Maybe someone can confirm/deny this.
Anyway, I used my amateur radio transmitter hunting skills to track down the guy stuck on Ad-Hoc mode, including wrapping a cone of aluminum foil around my PCMCIA 802.11b card to give it some directionality. I finally found the guy, asked him to turn off his wireless card. He said he had no idea what Ad-Hoc mode was...
By the way, this attack would be a killer way to distribute a virus at a trade show...I suppose someone could even have a trojan horse AP to do something like that as well.
This isn't news. Any ham radio operator can legally disrupt a WiFi network if they are using the same frequency(ies). Hams take precedence on those frequencies and can therefore tell the WiFi operators to shut their equipment down. I wrote about this a couple of years ago at my last job when our Univ. was considering rolling out some WiFi. Nothing new here. $5 worth of electronics can be used to illegally disrupt WiFi too. Fun, eh? :-)
I have checked over the protocols and everything and found the problem and the solution to it. Filing my patent now... (every fiasco ends with SCO)
I wonder if those who believe Might Is Right ever wonder if they Might Be Wrong...
I live just down the road from that university. All I need is uni students running down my street playing with my WiFi
Am I the only person on the planet who realizes that wifi shouldn't be used in 90% of the places it's being installed?
It should ONLY be used with a vpn by most companies. Personally, I *love* the idea of unreliable wifi, because I HATE the idea of "reliable" wifi.
I would most appreciate any links or experience with wifi jammers.
...from the link...
;)
"Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer."
I knew those evil corporate bastids were behind this somehow!!
Insufficient spectrum with which to develop long enough spreading codes to both achieve the needed low cross-correlation (from one code to any other code), and still maintain 11 Mbits/sec transmission speed.
In spread-spectrum jargon, we would say, "insufficient processing gain."
But anyhow, cellphone- or 802.11-style direct-sequence spread spectrum is not known for resistance to intentional jamming (in some ways it is actually worse than narrowband). For jamming resistance you need military-style frequency hopping. But the problem with ad-hoc networks seems more fundamental to me. How can a new device join a network without some sort of shared secret? You have to have some sort of publicly accessible channel to get the spreading or hopping codes. If that channel is publicly accessible, then it can be jammed. Hence Bluetooth "pairing", where you momentarily open a channel for exchange of persistent keys.
CCA attacked for DoS seems to be the central idea of this claim.
This claim is pathetic.
CCA is what makes WiFi work
CCA is the dominant factor in slowing down your WLAN near cordless phones and microwaves, not the actual interference that causes packet decoding to fail. Same with any jamming.
CCA is what makes WLAN robust, to some degree, around other uncoordinated devices, and thus easy to deploy, since the ISM band requires compliant devices not to occupy a channel for longer than a certain time period at a time.
CCA is what satisfies the FCC regulation for the ISM band for listen-before-talk (which no longer applies in some bands, like the 5 GHz band).
CCA in 2.5 GHz WiFi may include energy-based deferral (a -75 dBm or lower threshold, depending on your own transmit power). You are not supposed to transmit if you hear anything stronger than this threshold in terms of energy.
Also, there is a digital version of this, i.e., detecting a valid 802.11 signal, which is in fact way more sensitive than energy-based CCA.
There are other specified ways to do CCA, but the 5 GHz WiFi does not include the energy-based CCA.
Nonetheless, it is not difficult to detect DoS on CCA. There is even a standards activity in the 802.11k TG on making this easier.
These guys claiming to have discovered this are either clueless about WiFi systems, or just trying to get publicity.
Yes, you can DoS by confusing CCA, but it's no different from a jammer, against which any unlicensed system has little recourse.
What about using the same math which powers Cad? (new edonkey) Wouldn't that solve the problem? And wouldn't it allow world-wide-wireless-peer-powered-network?
Just asking...
how come "other people" are soooo smart in finding bugs in the system, than the system creators itself?
Who says they didn't know about it?
Jamming is EASY, and being able to jam any radio signal is a given. That's clearly understood by anyone who works with radio. (Spread spectrum techniques are harder to jam than narrowband, but not by much.)
Why is this suddenly the subject of news items, wringing of hands, and viewing-with-alarm? How can ANYONE POSSIBLY think this is a surprise?
The ONLY thing that's news is that somebody finally got around to doing it.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The actual Michael countermeasure that you may think of as a DoS hole only gets invoked when a "partially" successful forgery attack is detected, which has a probability of roughly 2^32 or 2^60 (my memory fails me), which was not considered strong enough (probable in several days/months of constant trying), thus the countermeasure to extend the time to a year or more.
It is not just any two packets.
Again, it only applies to WPA (802.11i TKIP modes), not 802.11i AES-CCMP mode which is about to be ratified.
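To make the "not just any two packets" point above concrete, here is an added example (not code from any poster) of a TKIP receive pipeline with the Michael countermeasure timer. The rule modelled is the 802.11i one, not something stated in the thread: a second Michael MIC failure within 60 s of the first triggers countermeasures, after which TKIP traffic on the link is refused for 60 s. The replay-counter handling (TSC advanced only once a frame is fully accepted) is this example's choice, and the frames and timestamps are constructed.

```python
"""TKIP receive pipeline with the Michael countermeasure timer.

Added example, not from any poster. The rule modelled is the 802.11i one:
a second Michael MIC failure within 60 s of the first triggers countermeasures
and TKIP traffic on the link is refused for 60 s. Replay-counter handling
(TSC advanced only after a frame is fully accepted) is this example's choice,
and the frames and timestamps below are constructed.
"""
from dataclasses import dataclass

MIC_FAILURE_WINDOW_S = 60.0    # second failure inside this window triggers
COUNTERMEASURE_HOLD_S = 60.0   # how long TKIP traffic is refused afterwards


@dataclass
class TkipFrame:
    """Results of the per-frame checks a real receiver would have computed;
    no decryption is performed here."""
    tsc: int        # TKIP sequence counter carried in the frame header
    icv_ok: bool    # WEP-style CRC-32 ICV verified after decryption
    mic_ok: bool    # Michael MIC over the reassembled MSDU verified


class TkipReceiver:
    def __init__(self):
        self.last_tsc = -1
        self.first_failure_at = None
        self.blocked_until = 0.0
        self.countermeasures_triggered = 0

    def handle(self, frame, now):
        """Return a tag describing what happened to the frame at time `now`."""
        if now < self.blocked_until:
            return "dropped:countermeasures"
        if frame.tsc <= self.last_tsc:
            return "dropped:replay"       # replay: never reaches the MIC check
        if not frame.icv_ok:
            return "dropped:icv"          # noise or a crude forgery: no MIC event
        if not frame.mic_ok:
            return self._mic_failure(now)
        self.last_tsc = frame.tsc         # advance replay window only on success
        return "accepted"

    def _mic_failure(self, now):
        """Only frames that passed replay and ICV checks get this far, which is
        why it takes more than 'any two packets' to trip the countermeasure."""
        if (self.first_failure_at is not None
                and now - self.first_failure_at <= MIC_FAILURE_WINDOW_S):
            self.first_failure_at = None
            self.blocked_until = now + COUNTERMEASURE_HOLD_S
            self.countermeasures_triggered += 1
            return "mic_failure:countermeasures_started"
        self.first_failure_at = now
        return "mic_failure:logged"


def forgery_campaign(spacing_s, duration_s):
    """Attacker injects a frame with fresh TSC and valid ICV but a wrong MIC
    every spacing_s seconds. Returns (attempts that reached the MIC check,
    number of countermeasure hold-downs caused)."""
    rx = TkipReceiver()
    reached, t, tsc = 0, 0.0, 1
    while t < duration_s:
        result = rx.handle(TkipFrame(tsc=tsc, icv_ok=True, mic_ok=False), t)
        reached += result.startswith("mic_failure")
        t += spacing_s
        tsc += 1
    return reached, rx.countermeasures_triggered


if __name__ == "__main__":
    for spacing in (1.0, 61.0):
        print(f"spacing {spacing:4.0f}s over 10 min:",
              forgery_campaign(spacing, 600.0))
```

Running the two campaigns shows what the countermeasure actually buys: an attacker hammering one forgery per second trips the hold-down every minute and still only gets about two MIC checks per minute, while one who paces attempts 61 s apart never trips it at all but is held to one check per minute. Either way the forgery rate is throttled; the 60 s outage is the price of that throttling, not a separate hole.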
how come "other people" are soooo smart in finding bugs in the system, than the system creators itself?
Because they never look.
This is NOT a "bug in the system". Being jammable is inherent in ANY radio based communication system.
Just as you can't hear and understand the person talking to you across the room when a pair of people are shouting in your ears or when another person with a similar voice is babbling nonsense at the same time, and you can't read morse code flashlight blinks sent by someone standing between you and the sun, so you can't receive and decode what a Wi-Fi card is sending you when another Wi-Fi card is transmitting "chatter".
The same is true on Cable TV modem signals (where a neighbor's chattering box jams your uplink), on 10-Base Ethernet (where you're all on one coaxial cable and a single chattering device is a constant collision), on broadcast radio and TV (where a nearby signal will wipe out or override and replace a distant one), radar, telephone party lines, hearing (meetings disrupted by the guy with the bullhorn), vision (strobe lights, searchlights, somebody standing between you and what you want to see), and so on.
Jammability is inherent in sharing a transmission medium with an additional transmitter which is misbehaving, not some "bug" in any particular system.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Check out my sci-fi/humor trilogy at PatriotsBooks.
I have taken some time out of my day to explore this "hammer method". Indeed. It does work. And although attacks of this sort must be carried out at very close proximity to the device in question, the results are wonderful.
--Always, I mean never..., No I mean always check your references.--
It is already well documented. It is called a microwave oven.
"wOOt! I jammed their wi-fi!! 1!11! LOL The peeps at Fartbucks internet cafe can't get on line!!11! !"
Big whoop-de-doo. Where's the fun in doing that? I could get more Evil-Thrills-per-Minute(tm) by making prank calls.
m.mmm..myyy
I can't speak on Cad/edonkey specifically, but wide-area packet-switched networks generally use multiple hops and time-to-live counters on the packets. If the machines forwarding packets are properly configured (and not compromised), jamming attacks can only take down the local subnet and in that case everyone else routes around. Wireless LAN's have to use a shared RF channel and thus are vulnerable jamming.
was judged capable of starting a Nuclear War if given access to a pay telephone, then bringing down a simple WiFi network with a PDA doesn't sound like much of a challenge.
Hasn't everybody known if you rip the door off your microwave and put it on the roof of the house you'll disrupt all free wireless transmissions in the neighbourhood.
2.4GHz cordless phones are just as affected.
This is hardly something new? I don't understand why it's even newsworthy.
Here's some news for tomorrow:
A bug exists in DHCP where people can DoS it by stealing all the IP addresses in your scope with this new program which asks for an address, changes its MAC, asks for another, etc. -- It's almost impossible to tell where the person is in big networks without tracing through your switched infrastructure.
It's simply not news. The designers knew this was possible, it was too difficult to fix and as yet nobody's been bored enough to exploit it.
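The DHCP scope exhaustion described in the post above is hard to localise on the wire, but it is easy to spot in the server's own log. Here is an added example (not code from any poster) of a detector run over constructed ISC dhcpd style syslog lines: it counts how many distinct client MACs sent DHCPDISCOVER through each relay interface inside a sliding window. The log format, interface names, MACs and alert threshold are all assumptions made for the example.

```python
"""Detect DHCP pool starvation from dhcpd log lines.

Added example, not from the thread. The syslog format follows ISC dhcpd's
usual "DHCPDISCOVER from <mac> [(hostname)] via <iface>" shape, but every
line below is constructed, as are the interface names and threshold.
"""
import re
from collections import defaultdict
from datetime import datetime

DISCOVER_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (?P<iface>\S+)", re.IGNORECASE)

# Constructed sample: eth1 carries ordinary traffic (one retransmit included);
# eth2 sees twelve DISCOVERs from twelve different MACs inside twelve seconds.
# The 02: prefix marks locally administered addresses, typical of a tool that
# rewrites its MAC per request, though a real attacker need not be so tidy.
NORMAL = [
    "Mar 12 09:58:10 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via eth1",
    "Mar 12 09:58:10 dhcp1 dhcpd: DHCPOFFER on 10.1.1.20 to 00:11:22:33:44:01 via eth1",
    "Mar 12 09:58:11 dhcp1 dhcpd: DHCPREQUEST for 10.1.1.20 (10.1.1.1) from 00:11:22:33:44:01 via eth1",
    "Mar 12 09:58:11 dhcp1 dhcpd: DHCPACK on 10.1.1.20 to 00:11:22:33:44:01 via eth1",
    "Mar 12 10:03:42 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 (laptop7) via eth1",
    "Mar 12 10:03:42 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 (laptop7) via eth1",
    "Mar 12 10:09:05 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:03 via eth1",
]
ATTACK = [
    f"Mar 12 10:05:{i:02d} dhcp1 dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth2"
    for i in range(12)
]
SAMPLE_LOG = NORMAL + ATTACK


def parse_discovers(lines, year=2004):
    """Yield (epoch_seconds, iface, mac) for each DHCPDISCOVER line.
    Syslog lines carry no year, so one is supplied (assumption)."""
    for line in lines:
        m = DISCOVER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts.timestamp(), m["iface"], m["mac"].lower()


def peak_distinct_clients(events, window_s=60):
    """Per interface, the largest number of distinct client MACs seen within
    any window_s-long span. Honest clients retransmit from the same MAC; a
    starvation tool shows up as many MACs in a short span."""
    by_iface = defaultdict(list)
    for t, iface, mac in events:
        by_iface[iface].append((t, mac))
    peaks = {}
    for iface, evs in by_iface.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            macs = {mac for t, mac in evs[i:] if t - t0 <= window_s}
            best = max(best, len(macs))
        peaks[iface] = best
    return peaks


def starvation_alerts(lines, window_s=60, max_clients=8):
    """Interfaces whose peak distinct-client count exceeds max_clients."""
    peaks = peak_distinct_clients(parse_discovers(lines), window_s)
    return {iface: n for iface, n in peaks.items() if n > max_clients}


if __name__ == "__main__":
    print(peak_distinct_clients(parse_discovers(SAMPLE_LOG)))
    print(starvation_alerts(SAMPLE_LOG))
```

The alert names the relay interface, which at least narrows the hunt to one segment; from there the post is right that finding the physical port means walking the switches' MAC tables. The usual way to make the attack cheap to stop rather than cheap to find is a per-port limit on learned MAC addresses or DHCP request rate on the access switches.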
1. Make a protocol which depends on carrier detection to perform MAC (CSMA/CA, somewhat similar to the CSMA/CD of HDX ethernet, but unable to detect collisions). In order to reduce collisions, hold off TX while carrier is detected. Release this "super cheapo" MAC with a trendy name (WiFi). Enjoy massive spectral pollution, in one of the few useful part 15 bands.
2. Supply constant carrier, even a weak one
3. ????
4. Profit! (er.. I mean encourage development of a proper vendor agnostic OTA MAC, like a token-ring-esque polling MAC, or even CDMA.)
Come on, what's so hard????
Why are we stuck with crap like 802.11, why isn't 802.16 here yet????
Even cheap ass proprietary units poll, look at Trango (and they can't even seem to figure out ARQ, of all things)
-Mr. Superhet-
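Both the CCA description earlier in the thread (energy-based deferral at a -75 dBm threshold, and the remark that a CCA DoS is easy to detect) and the four-step recipe just above describe the same mechanism: stations hold off while the channel reads busy, so a constant carrier above the threshold stalls everyone. Here is an added example (not code from any poster) that models it as a slotted CSMA/CA simulation in Python. Only the -75 dBm figure comes from the thread; the slot count, frame length, contention window and received power levels are constructed assumptions.

```python
"""Slotted CSMA/CA toy model: stations defer while energy-based CCA says busy.

Added example, not code from the thread. The -75 dBm energy-detect threshold
is the figure quoted above; every other number (slot count, frame length,
contention window, received power levels) is a constructed assumption.
"""
import random

CCA_THRESHOLD_DBM = -75.0   # energy-based CCA deferral threshold (from the thread)
PEER_RX_DBM = -70.0         # level at which stations hear each other (assumption)
NOISE_FLOOR_DBM = -100.0    # what an idle channel measures as (assumption)
FRAME_SLOTS = 20            # slots one data frame occupies (assumption)
CW_MIN = 16                 # contention window in slots; no doubling (assumption)


class Station:
    def __init__(self, rng):
        self.rng = rng
        self.backoff = rng.randrange(CW_MIN)
        self.tx_left = 0          # slots remaining in the frame being sent
        self.collided = False     # another station overlapped this frame
        self.delivered = 0

    def on_air(self):
        return self.tx_left > 0


def channel_energy_dbm(n_on_air, jammer_dbm):
    """Energy an idle listener measures: the strongest emitter, no fading."""
    levels = [NOISE_FLOOR_DBM]
    if n_on_air:
        levels.append(PEER_RX_DBM)
    if jammer_dbm is not None:
        levels.append(jammer_dbm)
    return max(levels)


def simulate(jammer_dbm=None, n_stations=4, slots=3000, seed=1):
    """Run the WLAN for `slots` slots; jammer_dbm=None means no jammer.

    Returns frames delivered and the fraction of slots CCA reported busy.
    Only deferral is modelled: a carrier below threshold is ignored here,
    although in reality it could still corrupt decoding of real frames.
    """
    rng = random.Random(seed)
    stations = [Station(rng) for _ in range(n_stations)]
    busy_slots = 0
    for _ in range(slots):
        on_air = [s for s in stations if s.on_air()]
        busy = channel_energy_dbm(len(on_air), jammer_dbm) >= CCA_THRESHOLD_DBM
        busy_slots += busy
        if len(on_air) > 1:                  # overlapping frames are all lost
            for s in on_air:
                s.collided = True
        for s in stations:
            if s.on_air():
                s.tx_left -= 1
                if s.tx_left == 0:           # frame finished: count if clean
                    s.delivered += not s.collided
                    s.collided = False
                    s.backoff = rng.randrange(CW_MIN)
            elif busy:
                continue                     # CCA busy: freeze backoff, defer
            elif s.backoff > 0:
                s.backoff -= 1               # CCA idle: count down
            else:
                s.tx_left = FRAME_SLOTS      # backoff expired: start sending
    return {"delivered": sum(s.delivered for s in stations),
            "busy_fraction": busy_slots / slots}


def looks_cca_jammed(stats, busy_min=0.95):
    """Crude detector in the spirit of the thread: medium reported busy
    nearly all the time while no valid frames complete."""
    return stats["busy_fraction"] >= busy_min and stats["delivered"] == 0


if __name__ == "__main__":
    for label, jam in (("no jammer", None),
                       ("carrier at -60 dBm", -60.0),
                       ("carrier at -90 dBm", -90.0)):
        st = simulate(jammer_dbm=jam)
        print(f"{label:20s} delivered={st['delivered']:4d} "
              f"busy={st['busy_fraction']:.2f} jammed={looks_cca_jammed(st)}")
```

With the carrier at -60 dBm every slot reads busy and nothing is ever sent, which is the whole attack; with it at -90 dBm the model behaves exactly as if no jammer were present, which illustrates the earlier point that the deferral, not the decode failure, is what does the damage near a weak interferer. The detector is the same observation in reverse: a medium that is always busy yet never yields a decodable frame is not a busy network.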