Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Way to ID Invisible Intruders on Wireless LANs

Posted by Zonk on from the you-have-laboured-to-produce-a-biologic dept.

Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries, instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that when used together can detect both attackers and configuration mistakes in network devices."

9 of 122 comments (clear)

  1. Virtually impossible? by morgan_greywolf · · Score: 5, Interesting

    I don't know about that. I use WPA-PSK security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

    --
    My blog
    1. Re:Virtually impossible? by Alpha830RulZ · · Score: 2, Interesting

      Thanks for laying that out. I don't know what makes this so hard for people to get/do. Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters, and it should take a million machine botnet something like 10^21 years to crack, assuming the 45/tries a second metric. eg., "IHave7FavoriteFl()wer&" should be good for something like the remaining life of the universe. (3.6*10^27 years, by my calculations)

      Even so called security professionals seem to have trouble with this. One of my favorite gripes is the security team at my new employer, who insist on forcing us to use 8 to 10 character passwords, no more, no less. They demand a numeral and a special character, which actually reduces the search space substantially. I am prone to setting up passwords for people like "Eagles~In*Trees" which is easy to remember, and tough to crack, but they won't let me any more, forcing us to issue things like "sFg#8Jk@", which the user promptly writes on a sticky note and pastes to the monitor so they won't forget it.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
  2. Triangulation by JustKidding · · Score: 4, Interesting

    So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation? Also, varying the signal strength and round trip time could throw this off, but even if the exact location of the attacker cannot be determined because of it, the alarm could still be raised.

    1. Re:Triangulation by Ungrounded+Lightning · · Score: 2, Interesting

      So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation?

      Sounds like they're not "triangulating" - computing the DIRECTION to a station from two monitoring locations in order to identify the station's location as the third point of a triangle. Instead they're measuring the round-trip time for a probe/response, which measures the distance (plus internal delays in the remote station) without identifying direction.

      Adding delay can make a station appear to be farther than it is, but not nearer. So short of finding a way to send signals backward in time (or responding enough faster than the standard firmware to fool the montior) you can't spoof being closer than you are.

      Which does nothing for a pure eavesdropper. But if the "eavesdropper"'s firmware associates with the eavesdropped network enough that it turns on its transmitter and responds to low-level protocol probes, it CAN be detected even if the user sends no traffic.

      They're also using signal strength measurement - perhaps to work around unknown firmware response time. That might make them subject to spoofing by using a directional antenna and/or increasing transmit power to make the signal appear stronger, and thus closer, than it actually is.

      (Another approach would be using multiple receivers at known (or self-measured relative) locations to do a LORAN-style triangulation on particular transmissions from the remote station, measuring the arrival-time differences at three or more stations to locate the remote station at the intersection of two or more hyperbolas. But that involves synchronizing time-bases between the monitoring stations in a way that would be beyond normal firmware's capabilities. It would also become less accurate as the distance to the remote station increases.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  3. Makes sense. by ufoolme · · Score: 2, Interesting

    Aussie's are really into all this wireless stuff!

    I'm fairly new to all this but at a very basic level it seems to make sense.
    It just a more complex method of looking at the flashing lights on the modem to see if its in sync with your known wireless connections. -- Okay alot more complex than that.

    I wondeer if this can be applied to other wireless systems, e.g., radio systems. If so it would be very useful

  4. eavesdropping by backwardMechanic · · Score: 5, Interesting

    You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that? Warping of the ether?

    1. Re:eavesdropping by atdt1991 · · Score: 2, Interesting

      Quantum Entanglement! We've got on-board chips for that ... right?

  5. This is new? Products that do some/all now... by myvirtualid · · Score: 2, Interesting

    Not to flame or troll or slashvertise, but how is this new? I was a conference recently where the coolest security product on display was from http://www.airtightnetworks.net/: Their WIPS can be configured with an organization's known wireless clients (MAC address, make, HW and SW versions, etc.), and then detect systems that shouldn't be there.

    According to the reseller's CTO - I had the good fortune to stop by the booth before he and the COO departed and the booth was left with only salesdroids - the system has an extensive database of fingerprints - hardware, software, etc., think of timings and the like specific to particular combinations of OS, firmware, and chipset.

    This raises the bar for a snooper: They not only have to clone your MAC addresses, etc., they have to clone the MAC, etc., on a box running the same OS, firmware, chipset, as the legit box. And they have to get the WPA keys right.

    (They also a neato WPA key management app to raise that bar, too.)

    Apologies if this seems slashvertisical, seems to me the best way to debunk someone's claim of newnessess and neverbeendonebeforedness is to point real selling product that does all of the non-vapourware things the someone claims to have invented.

    --
    I'm here EdgeKeep Inc.
  6. URL to paper by Anonymous Coward · · Score: 1, Interesting

    This URL seems to be the paper that presents the approach.