Slashdot Mirror


802.11 WiFi Denial of Service Exploit Discovered

CRC'99 writes "The Queensland University of Technology has today announced yet another flaw in 802.11 products. AusCERT has the official statement, noting: 'An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult.' Nice to know that a simple PDA could bring a WiFi network to its knees."

18 of 251 comments

  1. Another link... by Kulic · · Score: 4, Informative

    This one has a bit more information.

    http://news.com.au/common/story_page/0,4057,954972 3%255E15306,00.html

    Beware the (sometimes flash) ads.

  2. Re:I wonder... by MDCore · · Score: 5, Informative

    How can this be "interesting"? Read the article folks, it's a fundamental flaw in the protocol.

    from the article:

    At this time a comprehensive solution, in the form of software or
    firmware upgrade, is not available for retrofit to existing
    devices. Fundamentally, the issue is inherent in the protocol
    implementation of IEEE 802.11 DSSS.

  3. For more information: by imidazole2 · · Score: 5, Informative
    --

    -Imidazole2
  4. request for comment by hutkey · · Score: 3, Informative

    more information is available in RFC 3580 on the same topic.

  5. Older / Single-band WiFi vulnerable by Shapemaker · · Score: 5, Informative
    From the article:
    Independent vendors have confirmed that there is currently no defence against this type of attack for DSSS based WLANs
    This is the same problem as with LA or VHF radio. Only one device can be transmitting at a time on a single frequency band. This stems from the fact that the receivers have to tune to a certain signal and no two signals are likely to be in the same phase, thus the strongest signal will win. Essentially these devices behave as if they are half-duplex, and well-timed (continuous) collisions will cause the whole segment to come down. This is what happens here. Remember the old coaxial 10base ethernet networks? They were vulnerable to the same thing.

    The unfortunate fact here is that there is no cure for this kind of misbehaviour. Old devices likely won't be upgradeable (hence no silver bullet). Multi-band hi-speed WiFi (54Mbit+) is not likely to be affected by this attack, but if they operate in compatibility mode they will be brought down, too. Intelligent access points can lessen the effect of this attack but that leaves the older devices out of the communications.

    Essentially this requires quite little work on the part of the attacker since no hi-powered transmitters are needed. That fortunately limits the range of the attack, too. I would like to know if anyone could calculate quick estimates as to the affected area with certain wattage transmitters. Anyone?
    --
    "Intellectual Property" should be an affront to anyone capable of independent thought.
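The range question raised above can be answered with an ordinary link budget. The following Python is an added example (not part of the original post or the QUT advisory): it models the jammer with free-space path loss at 1 m and a log-distance exponent beyond that, and solves for the radius at which the jammer's signal still arrives above a chosen receiver threshold. The 15 dBm card power, the -80 dBm threshold, the path-loss exponents and channel 6 are assumptions chosen for illustration; the actual CCA/energy-detect threshold of a given chipset has to be looked up.

```python
import math

SPEED_OF_LIGHT = 299_792_458.0   # m/s
CHANNEL_6_HZ = 2.437e9           # centre frequency of 802.11b channel 6 (assumed for the example)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis) in dB between isotropic antennas."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT))


def path_loss_db(distance_m: float, freq_hz: float,
                 exponent: float = 2.0, d0: float = 1.0) -> float:
    """Log-distance model: free space out to d0, then 10*exponent dB per decade.
    exponent 2.0 = free space, ~3.0 = typical office with walls (assumed values)."""
    if distance_m <= d0:
        return fspl_db(distance_m, freq_hz)
    return fspl_db(d0, freq_hz) + 10 * exponent * math.log10(distance_m / d0)


def received_dbm(tx_dbm: float, distance_m: float, freq_hz: float,
                 tx_gain_dbi: float = 0.0, rx_gain_dbi: float = 0.0,
                 exponent: float = 2.0) -> float:
    """Power arriving at the victim's antenna."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db(distance_m, freq_hz, exponent)


def jam_radius_m(tx_dbm: float, threshold_dbm: float, freq_hz: float,
                 tx_gain_dbi: float = 0.0, rx_gain_dbi: float = 0.0,
                 exponent: float = 2.0, d0: float = 1.0) -> float:
    """Largest distance at which the jammer still arrives at or above threshold_dbm.
    Inverts path_loss_db: budget = tx + gains - threshold is the loss we can afford."""
    budget = tx_dbm + tx_gain_dbi + rx_gain_dbi - threshold_dbm
    loss_at_d0 = fspl_db(d0, freq_hz)
    if budget < loss_at_d0:
        # Threshold is crossed inside the free-space region, solve Friis directly.
        return 10 ** ((budget - loss_at_d0) / 20) * d0
    return d0 * 10 ** ((budget - loss_at_d0) / (10 * exponent))


if __name__ == "__main__":
    THRESHOLD = -80.0   # dBm; assumed victim threshold for "medium busy" / decode
    print(f"{'tx dBm':>7} {'free space':>11} {'n=3 indoor':>11}")
    for tx in (0.0, 10.0, 15.0, 20.0, 30.0):
        free = jam_radius_m(tx, THRESHOLD, CHANNEL_6_HZ, exponent=2.0)
        indoor = jam_radius_m(tx, THRESHOLD, CHANNEL_6_HZ, exponent=3.0)
        print(f"{tx:>7.0f} {free:>9.0f} m {indoor:>9.0f} m")
```

Two things the table makes concrete: with a plain 15 dBm card and no antenna gain the free-space figure is several hundred metres, and even with an indoor exponent of 3 it is tens of metres, which is why the advisory says the attacker is hard to localise. A few dB of antenna gain at the attacker moves the radius as much as a more powerful transmitter would, so "low-powered" is not the same as "short range".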
  6. Re:A future solution... CDMA? - NOT! by flatulus · · Score: 5, Informative

    CDMA would not solve this problem. CDMA operates the same as 802.11, in that it is a direct sequence spread spectrum modulation. They are different, though, in that 802.11 devices all use the same spreading code, whereas CDMA uses different spreading codes for each device. CDMA is based upon a "base station subscriber" model, where the base station controls all of the subscriber devices - telling them which codes to use, and managing the interference environment. 802.11 is based on a distributed "no node is greater than any other node" basis. Centralized management of spreading codes would require a total re-architecting of 802.11, and would take it in directions that are inimical to the design objectives of the technology.

    P.S. I am a member of the 802.11 committee -- I know of what I speak

  7. Re:jammers? by PornMaster · · Score: 5, Informative

    Personally, I found that my 2.4GHz cordless phone did too good of a job of disrupting my 802.11g, so I unplugged it and use a 900MHz phone.

  8. Re:Exactly how is this surprising? by B747SP · · Score: 2, Informative

    That would be the, er, etherkiller! (Also AUI killer, VGA killer, BNC killer, etc, etc, etc on that link!)

    --
    I find your ideas intriguing and I wish to subscribe to your newsletter.
  9. Re:how come... by makomk · · Score: 2, Informative

    RTFA. It says that jamming attacks of this sort need a powerful transmitter - not the easiest thing to obtain - whereas this just needs an ordinary wireless LAN card, which is much cheaper and easier to obtain.

  10. Re:PDAs? Simple? by bcmm · · Score: 2, Informative

    Er... What? Correct me if I'm wrong, but aren't PDAs based on a hardware architecture that's not used in desktops? Or at least not in PCs! Unless you count anything with RAM, a processor, and a disk as a PC...

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  11. WPA vulnerable too... by dark-br · · Score: 2, Informative

    If a user is trying to get in and sends two packets of unauthorized data within one second, WPA will assume it is under attack and shut down.

    The only thing the h4x0r needs to do in this situation is send data frames periodically, causing constant shutdowns.

    Annoyingly enough, he may be difficult or impossible to find because he doesn't need to use much transmit power or utilization of the network.

  12. Re:No workaround... by Wudbaer · · Score: 2, Informative

    I'm sorry, but if you use WiFi for mission critical stuff it's your own fault. Perhaps if you are on a large construction site or something like that where you cannot lay cables, but besides that just use good old reliable cabling.

  13. PDA by Mr_Silver · · Score: 2, Informative
    Nice to know that a simple PDA could bring a WiFi network to its knees

    Last time I looked a simple PDA has a 400 MHz processor, 64 MB of RAM, a 64k colour screen, multiple expansion sockets and support for WiFi and/or bluetooth.

    Hardly simple. You must be thinking of one of those Palm products :o)

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  14. Re:A future solution... CDMA? - NOT! by flatulus · · Score: 5, Informative

    Insufficient spectrum with which to develop long enough spreading codes to both achieve the needed low cross-correlation (from one code to any other code), and still maintain 11 Mbits/sec transmission speed. (note: to achieve 11 Mbit/s in 22 MHz of spectrum, 802.11b uses a complex modulation scheme known as CCK - Complementary Code Keying. While I do not fully understand the math behind this, it seems that CCK is unlikely to be amenable to use in creating families of codes with low cross-correlation properties - needed for CDMA).

    IS-95 CDMA, I believe, transmits a few kilobits/sec of voice information in a 1.2 MHz bandwidth, using "standard" DSSS. CDMA works because the coding gain with such a huge ratio of data bandwidth to DSSS modulation bandwidth is much larger than that achieved in 802.11 systems.

    If you are willing to drop your data rate to, oh, 200 kilobits/sec in the 2.4 GHz band, perhaps 802.11 could be redesigned to accomplish CDMA techniques.

    Still, setting up "point-to-point" RF links between individual end user stations would require an enormous amount of computing horsepower (check out a CDMA base station for comparison). And it would not deal with broadcasts, which would still have to be forwarded to an access point - be recoded for each INDIVIDUAL link to each subscriber it serves - and retransmitted N times, where N=number of users served by the access point.

    Other systems actually do use techniques somewhat like this, but rather than code division, they use space division (e.g. Vivato, which uses electronic beam steering to establish point-to-point links with each subscriber station).

    As I originally stated, and let me re-state - 802.11 is architected on the basis of an "all stations are equal" approach, which makes an uncomfortable fit with a centralized control design. The committee entertained many, many proposals which included centralized control, and rejected them. There are a couple of straightforward reasons: 1) The RF spectrum in which these devices operate is unlicensed and hence "uncontrolled". A base-station centric design would make it so that no station could communicate at all if that base station were experiencing service-blocking interference. The chosen design, though not completely eliminating this failure mode, is more resilient in the face of such issues. Second, the 802.11 MAC is essentially identical for use in an infrastructure mode (i.e. with access points connected to a "distribution medium", typically a wired LAN) and in "ad hoc" mode (where there are only "stations" - no infrastructure at all). Most people forget about "ad hoc" mode, but the committee could not. Their charter required that it be accommodated.

    Your turn :)
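The difference the two flatulus comments above turn on, one shared spreading code versus a family of mutually orthogonal codes, can be shown in a few lines. The Python below is an added example, not code from the original thread or from any 802.11 or CDMA implementation: it spreads +1/-1 symbols with the 11-chip Barker sequence that every 802.11 DSSS station uses, superimposes two stations transmitting at once, and shows that the correlator cannot recover either station; it then repeats the experiment with two rows of a Walsh-Hadamard matrix, where each receiver recovers its own station exactly. The channel is an idealised, noise-free, chip-synchronous adder; that synchrony is an assumption, and keeping it is part of what a controlling base station does for real CDMA, which is the architectural point the comment makes.

```python
# Every 802.11 DSSS station spreads each 1 Mbit/s symbol with this same Barker sequence.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def hadamard(n):
    """Walsh-Hadamard matrix of order n (n a power of two). Rows are orthogonal codes."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-c for c in r] for r in h]
    return h


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def max_autocorr_sidelobe(code):
    """Largest |aperiodic autocorrelation| at a non-zero shift; Barker codes keep this at 1."""
    n = len(code)
    return max(abs(dot(code[:n - k], code[k:])) for k in range(1, n))


def spread(symbols, code):
    """Replace each +1/-1 symbol by +code / -code chips."""
    return [s * c for s in symbols for c in code]


def on_air(*chip_streams):
    """Chip-synchronous superposition of simultaneous transmitters (assumed ideal channel)."""
    return [sum(chips) for chips in zip(*chip_streams)]


def despread(chips, code):
    """Correlate each chip block with the code; a lone matching symbol gives exactly +1 or -1."""
    n = len(code)
    return [dot(chips[i:i + n], code) / n for i in range(0, len(chips), n)]


def slice_symbols(correlations):
    """Hard decision; 0 means the correlator output was exactly zero and no decision is possible."""
    return [1 if v > 0 else -1 if v < 0 else 0 for v in correlations]


def collide_80211(sym_a, sym_b):
    """Two 802.11 stations with the shared Barker code transmit at once; one receiver listens."""
    rx = on_air(spread(sym_a, BARKER_11), spread(sym_b, BARKER_11))
    return slice_symbols(despread(rx, BARKER_11))


def collide_cdma(sym_a, sym_b, code_a, code_b):
    """Two stations with distinct orthogonal codes transmit at once; each receiver despreads its own."""
    rx = on_air(spread(sym_a, code_a), spread(sym_b, code_b))
    return slice_symbols(despread(rx, code_a)), slice_symbols(despread(rx, code_b))


if __name__ == "__main__":
    a = [1, 1, -1, -1]          # constructed sample symbols for station A
    b = [1, -1, 1, -1]          # constructed sample symbols for station B
    print("Barker-11 max sidelobe:", max_autocorr_sidelobe(BARKER_11))
    print("802.11 shared code, A and B collide ->", collide_80211(a, b))
    walsh = hadamard(8)
    got_a, got_b = collide_cdma(a, b, walsh[1], walsh[2])
    print("CDMA, A recovered ->", got_a, " B recovered ->", got_b)
```

Run it and the shared-code case returns a symbol only where A and B happened to send the same bit, and zero where they differed: the receiver gets neither station's data, which is the collision the comments describe, and a station that keeps the channel occupied with its own Barker-spread chips keeps every other station silent. With orthogonal codes the cross-correlation term is exactly zero and both streams come back intact, but only because the chips line up; slip the codes by a chip and the Walsh rows are no longer orthogonal, which is why code-division needs a coordinator and why the comment says that does not fit 802.11's peer design.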

  15. New Super G AP's are doing the same thing by CompWerks · · Score: 3, Informative

    A similar note is that the new Super G wireless routers are using the entire spectrum of 11 channels to increase the speed to a reported 108mbps. It's not an approved standard, but as long as it's not enabled at the factory they are still able to sell them.

    If you want to knock out your neighbor's ap just run your Super G router with 108mbps mode enabled.

    --
    If you can read this sig - the bitch fell off.
  16. [Grammar-Nazi] "Lose", not "loose". by JessLeah · · Score: 2, Informative

    The word is "Lose". You do not "loose" (antonym of "tight") money.

  17. Re:So you want to DOS a wifi ?? by Lumpy · · Score: 2, Informative

    Just don't be in the same room when you throw the switch, sort of like when the executioner lights up a prisoner in "Old Sparky"...


    Don't know much about microwaves, do you?

    "Not being in the same room" means nothing. I can do that and stand directly behind the microwave, hell I'll even hold onto it. There is no way in hell I'll stand to the side or in front of it.

    Microwaves are directional, and since a microwave oven also has a "stirrer" in the top where the magnetron emits its RF energy to make the oven cook evenly (a metal fan that turns slowly to bounce the RF energy all over the oven interior), it will come out the face in random directions.

    Now remove the magnetron, fix a feedhorn to the front and now we can beam that energy where we want it.... Kill a bird on a tree limb, completely hose the aircraft radar at the local airport, etc....

    Now to completely correct you: you need to take the DOOR off and override all the safety equipment. Taking the cover off does nothing as the RF chamber is still intact.

    I strongly suggest that nobody screw with high power microwave RF if they like life. That stuff can cook parts of you and you will not know it until it starts to hurt, and that means you are already cooked.

    but to learn more start looking at www.arrl.org

    --
    Do not look at laser with remaining good eye.
  18. Re:I wonder... by Merlisk · · Score: 2, Informative

    > How can this be "interesting"? Read the article folks, it's a fundamental flaw in the protocol.

    Good catch. I was taught about this flaw a few years ago in my first wireless class. I remember my teacher saying, "...and that's why you should never put a mission critical network on wireless."

    It made sense to me, so I filed in the back of my mind and we went on. Wireless is the case that proves the rule of functionality over security.

    --
    Failure is not an option. It comes bundled with your Microsoft product. -- Ferenc Mantfeld