A Look at the State of Wireless Security
An anonymous reader brings us a whitepaper from Codenomicon which discusses the state and future of wireless security. They examine Bluetooth and Wi-Fi, and also take a preliminary look at WiMAX. The results are almost universally dismal; vulnerabilities were found in 90% of the tested devices [PDF]. The paper also looks at methods for vendors to preemptively block some types of threats. Quoting:
"Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope. This may be one reason why many major software vendors have been stuck randomly fixing vulnerabilities that have been found and providing countless patches to their clients to keep the systems protected."
... when you don't do anything that needs to be secure, over it.
IS that what this is saying?
...in some kind of tube that we could install between the source and the destination.
Lack of security in wireless isn't that huge of a deal. If you meet a skilled hacker, no matter what you throw at him/her they will be able to beat it. However, most security holes aren't a huge deal because as long as there isn't a .exe that Joe Script-Kiddy can execute, it's not going to be exploited. Fact is, a skilled hacker/cracker can defeat any encryption or any security you set up, no matter how advanced. You just need enough security (normally, now for governments or high-profile businesses it is different...) so a script kiddy can't break in.
There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
What we need is a strong, coordinated, open-source effort to create new standards for networking devices, rather than rely totally on proprietary software.
I agree that any attempts for security by proxy will always have vulnerabilities. If you haven't checked the code yourself, you can never trust it 100%. If no one can check the code but crackers with fuzzing tools, then you can't trust it at all.
For most of readers here it will no doubt be obvious, but sadly this is lost on many people who buy software, even those who buy software for large companies.
My little Linux and tech blog
Reads more like a marketing blurb for some company's fuzzer. Where are the exploitable vulns and in which products/codebases?
Thank you for not wasting any more of my time.
If you RTFA, you'll see that there are lots of wireless holes. It's a constant battle to keep things patched-- when the vendors elect to issue one. It's also a company that's done a lot of work, and is now looking for more work to do. It reminds me a bit of Symantec's Macintosh threat PR.
This doesn't excuse the rotten wireless security we have today, but it nonetheless doesn't provide models for improvements or other advice or recommendations on how security can be improved.
---- Teach Peace. It's Cheaper Than War.
Current wireless solutions in practice don't have something like https usage.
;) ) they can't decrypt each others sessions. Not sure if this is 100% true given the track record ;).
Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).
If you have a WiFi network secured using a naive shared key method, anyone with the shared key can decipher the access of the other users. This might be fine in your house, but not good in some public cafe.
Seems the way around this with current WiFi technology is to let every user use an account - username and password.
Apparently in this case even if users share the same username and password, using WPA2 or whatever (I can't be bothered to keep accurate tabs on below par crap
Assuming it's true, it would be much easier if Windows (and other O/Ses) would default to a standard username and password AND also check the cert of the AP (and issue warnings if it looks dodgy). You should be allowed to log in using a particular user account, or be prompted if the AP rejects the default.
Then people like Starbucks/BK/etc could use certs for their WiFi networks, and customer can have reasonably secured comms at least between themselves and the AP.
The WiFi Alliance should have copied the SSL _concepts_ and got the help of decent security people, rather than coming up with crap year after year (for how many years?).
Which is a fuzzer. And most of the vulns are DoS and reboots.
Not saying wireless security is a not an issue, but the pdf is an ad.
That changes every 3 minutes or less? Simply share the one-time pad between the computer and access point over a wired connection and then make sure their clocks are exactly the same.
Of course making sure they have the same time might be the hard part?
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I think that all wireless gateways should have an SSL/SSH, etc. tunnel built into them. Every time a new computer connects to the network, a new random key would be created for the connection and tunnel all the data.
End of wireless security problem.
Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this? (Plutonite)
Bzzt! Wrong! I really hope you aren't a wireless hardware designer.
Encryption algorithms (especially the "unbreakable" algorithms you allude to) take time/computing power to encrypt and decrypt at each end of the wireless link. The level of encryption used is always a practical trade-off between security and transfer rate/hardware complexity. If people demand more encryption, suppliers will give it to them, but it comes at a cost and no wireless designer is going to put their product at a competitive disadvantage by using encryption that's stronger than what's "good enough" for most users.
Like Military Intelligence, or Microsoft Excel.
Reduce, reuse, cycle
Always has been, and always will be, the users; sorry, that's just the way it is.
I was in the military and crypto security is taken, very very very seriously. You fuck up and at minimum you will lose money, lose rank, lose your clearance or if you fucked up really bad you could go to prison.
The problem is in business: if the VP of Sales and Marketing can't make his new toy connect to your wireless infrastructure because his new toy doesn't support the same protocols, he will start whining and crying that it's "too hard" and you can bet your Linux live DVD you are going to be carving out an exception for the fucktard. Then he will start showing off his new toy, and then lo and behold more people start buying the same thing and you have a fight on your hands. At this point the fucking CEO has to get involved and make the call, and chances are security is going to lose because the VP of Sales & Marketing brings in the $profit$ and you don't, regardless of how well thought out your argument is or how logical it is. Then what is going to happen is that your shit will get hacked, and that very same VP of Sales and Marketing will hang it around your neck and you will be screwed.
The only way around these kinds of problems I think is twofold.
Hey KID! Yeah you, get the fuck off my lawn!
If you mean beating some huge encryption algorithm, let's look at that word again, "beat". All you need is a ten dollar blowtorch and two minutes with whomever has the key you need. No fancy giant ass mainframes and years of effort required. Just depends on how bad you want that key. Oh, not sporting, it is cheating, you didn't use a computer to do this? Yep, real world, deal. And there are a thousand variations on that technique, known to serious "hackers" around the world for thousands of years. Sometimes all it might take is a bag of cash, or access to some exotic nooky, or whatever, just depends. The bottom line is, there is no foolproof security.
For further references and examples also see: apparently stupid and lame legislation that gets passed into law all the time. Most of that is from the B&B principle of modern government, bribery and blackmail.
This has nothing to do with the classic issue of "wireless security", such as the relative strength of WEP versus WPA or WPA2. Some attack works by sending control frames, i.e. the cleartext packets that are used to establish the wireless connection in the first place, without any security being applied. Other attacks allow a station to abuse its connection privileges -- instead of merely consuming a wireless service, it can take over the whole device.
The same technique was demonstrated by Cache & Maynor with Wi-Fi in the summer of 2006. The lessons were quickly learned on the "client" side of the Wi-Fi networks. For example, the validation tools for Windows wireless drivers now include tests against fuzzing attacks. The technique is well known, and the tool advertised in the article is just one of many available solutions.
However, the article points to an interesting area, the quality of implementation in "appliances" such as Wi-Fi access points. PC and Mac drivers may be well tested now, but who knows what software is run in the average access point? Also, it is much easier to download a new driver for a PC or a Mac than to update the firmware in an access point. So, we may expect to see some interesting exploits against various appliances...
-- Louarnkoz
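The two comments above describe the vendor-side response to frame fuzzing: the cleartext frames that set up a connection carry type-length-value "information elements", and a parser that trusts the length byte is exactly what a fuzzer finds. The following is an added illustration, not code from the paper or from any driver or tool the thread mentions: a naive IE parser beside a bounds-checked one, and a small mutation fuzz loop of the kind a driver validation suite runs. The IE layout (1-byte ID, 1-byte length, payload) is the real 802.11 format; the sample frame body and the mutation strategy are constructed for the example.

```python
"""Naive vs. bounds-checked 802.11 information-element (IE) parser, plus a
mutation fuzz harness. Added example; frame data below is constructed."""
import random
import struct

# Constructed beacon-style body: SSID IE (id 0) "cafe", supported rates
# IE (id 1) with two rates, DS parameter set IE (id 3) on channel 6.
GOOD_BODY = (bytes([0, 4]) + b"cafe"
             + bytes([1, 2, 0x82, 0x84])
             + bytes([3, 1, 6]))


class MalformedFrame(Exception):
    """Clean rejection of input the parser recognises as invalid."""


def parse_ies_naive(body):
    """Trusts the length byte. In Python the over-read surfaces as an
    uncaught IndexError / struct.error; in a C driver the same code path
    is an out-of-bounds read, i.e. the reboot-class DoS the thread mentions."""
    ies = []
    i = 0
    while i < len(body):
        ie_id = body[i]
        ie_len = body[i + 1]                      # no check: header may be truncated
        (payload,) = struct.unpack_from(f"{ie_len}s", body, i + 2)  # no check: over-read
        ies.append((ie_id, payload))
        i += 2 + ie_len
    return ies


def parse_ies_hardened(body):
    """Validates every length against the bytes actually remaining."""
    ies = []
    i, n = 0, len(body)
    while i < n:
        if n - i < 2:
            raise MalformedFrame("truncated IE header")
        ie_id, ie_len = body[i], body[i + 1]
        if ie_len > n - i - 2:
            raise MalformedFrame("IE length exceeds remaining frame")
        ies.append((ie_id, bytes(body[i + 2:i + 2 + ie_len])))
        i += 2 + ie_len
    return ies


def mutate(frame, rng):
    """One random mutation: overwrite a byte, truncate, or append junk."""
    data = bytearray(frame)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, iterations, seed=1):
    """Run the parser over mutated frames; count unhandled faults.
    A MalformedFrame is the intended outcome and is not a fault."""
    rng = random.Random(seed)
    crashes = 0
    for _ in range(iterations):
        case = mutate(GOOD_BODY, rng)
        try:
            parser(case)
        except MalformedFrame:
            pass
        except (IndexError, struct.error):
            crashes += 1
    return crashes


if __name__ == "__main__":
    print("good frame:", parse_ies_hardened(GOOD_BODY))
    print("naive parser faults:", fuzz(parse_ies_naive, 300))
    print("hardened parser faults:", fuzz(parse_ies_hardened, 300))
```

The harness treats any exception the parser did not define as a fault, which is the same distinction a driver test makes between a frame that is dropped and one that takes the stack down; the fix is not a bigger buffer but checking each declared length against what remains.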
While your idea is certainly intriguing on its own merits, the goal of securing wireless has generally been to make it on par with wired networks (hence the original but unsuccessful "Wired Equivalency Protocol"). You accept that at some point, on your own network or even downstream, there is every possibility of there being a malicious entity, and the answer to that is security in the transport (IPsec/VPN) or application (https) layer.
Wifi encryption just solves the problem of "how can I control who has access to my (now virtual) cat5 ports?"
There ARE ways to beat 'thermorectal cryptoanalysis' (i.e. shoving blowtorch up someone's ass), military have been using it since forever.
For example, a hacker won't be able to access the net without being present in the building.
Another way: use hardware authorization tokens which are forbidden to be taken from the building.
Ever heard about "teh directional antenna" stuff?
http://www.heise.de/english/newsticker/news/62328
Get the token at the manufacturing plant that makes the things, or someplace in the supply train. Compromise an individual who has authorized access to the inside of the building.
Your security is still beatable. And if you go far enough up the chain of command, it becomes easier in some instances. Here's a variation, a late example in the news now: the intervention of Tony Blair into the bribery investigation of BAE and high money stakes contracts with the Saudis. Lower level security found out about it, higher level security (the prime minister at the top of the executive) got compromised with the reported threat of denial of further intelligence sharing, "you don't want another 7-7 happening, do you?", still back to the B&B method. (Pain is just one subset of many under the blackmail approach: give us what you want, or it will hurt, combined with bribery: forget about the first bribe, and your national defense contractor will make untold billions in profits.)
I have wireless security. I just unplug the CAT5 cable.
What a lot of people may not be realizing as they buy newer WPA and WPA2 protected 802.11g and n gear is that if they leave the ability to connect legacy 802.11b devices, they've left open the WEP vulnerability. Everything has to be upgraded, and that can get too expensive to do at once.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Meh, tech is doomed. Rather than invent brand new, solid technology that has a very simple protocol without a bunch of bloated crap added to support potential future additions that every manufacturer handles in its own way, we look to building on existing tech. The problem with technology is people refuse to upgrade and/or replace their machines with something new. Everyone expects new tech to be a backwards compatible, drop-in replacement for what currently exists.
We'd probably be living the Star Trek life in a few years if we actually looked to future possibilities, rather than present possibilities with hacked modifications. I mean, look at the basic building blocks we base all networking on. Are TCP and UDP really the best we can do? Will we stick with those two forever just because it's what we have? And it seems to me we'll never have a better setup, because the groups that invent new technologies don't thinktank with the world to come up with great standards. Everything is rushed within private corporations who are not interested in making frickin' awesome tech - they just want something new enough that they can grab a patent and shove it through production lines to consumers before the next company beats them to it.
Basically, we'll continue to find new enough technologies because that's how businesses profit - by being the first to introduce something new to consumers. But none of it will have been well thought out, planned, or built properly, so we will always have problems with tech being stupidly designed and implemented. You want something new and cool that actually *works*? Find people who know how to invent, don't rush them through the design and implementation phases, and make sure they actually care about what they're working on - money, patents and recognition are not incentive enough.
This WPS business is a giant turd.
No one has ever gotten it to work. I don't know why they put it in routers.
It prevents you from actually connecting to an AP.
I guess this is the security. If you can't actually connect to an AP you can't hack it.
They're using their grammar skills there.
Not everyone who buys software can read code or understand the hardware which it controls. Not everyone who can do both - or thinks he can - can be trusted to detect every flaw.
I use WPA. I know it can't be GEt V1AgrA N()W cracked. I made sure this thing was set up GET YOUR p3n!s enlarged NOW!!! as it should be.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Because more and more techniques are crammed into different subsystems without isolation from others and without the computer having any model of itself. What I mean is: let's distinguish "broken by design" and "implementation bugs". About the first one we can't do much on a short timescale, because a new design (e.g. mandatory encryption/authentication) requires user education (how to distribute keys). About bugs I can only say: wireless network drivers are doing things which are not driver-like (e.g. WPA). If we could isolate the "high entropy exchange" WPA part completely from the comparatively straightforward hardware access and let the higher layer run in userspace, we would have won a lot. But as long as every hardware vendor is focused on getting their own hardware to the market quickly they will continue to pack crappy drivers.
Wow, what a case of the emperor has no cl..
*EUGH!!!! MY EYES! MY EYES!*
Jesus! What is WRONG with you!
Chas - The one, the only.
THANK GOD!!!
Not everyone who buys software can read code or understand the hardware which it controls.
Sure, but that does not affect my point, that often people are pretending that something can be trusted when there is no basis for that trust.
If you can't read code then you have even less basis on which to trust it. Likewise, I am not a lawyer so I have no basis on which to trust the contract with my ISP.
The Vista wireless subprotocols make it where Vista PC's barely talk to one another. So an intruder has no hope! Now That is security! http://fakesteveballmer.blogspot.com/
...used together with wireless, this makes one hell of a tight drum.
WARNING: Threadjack
The white paper said that "problems" were found in 90% of devices. FYI, not every problem is a vulnerability.
That is all.
Looks like someone here read Marcus Ranum's "Six Dumbest Ideas in Computer Security"...
So, I focused on this quote:
"Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope."
If source code auditing is so expensive, and there are so few ways to analyze these code packages, where are all the holes coming from? Yikes, if external parties can find holes in 90% of the setups out there, imagine what they could do if the stuff was open source!?!
For a typical household Laptop --> Router configuration the following is probably the best way to do it:
Laptop with OpenSSH Client --> Horribly insecure wireless protocol --> Router with OpenSSH Server and wired connection.
Set the router to reject/drop wireless connections to everything but the SSH port, same with the laptop, and you're pretty much done for the vast majority of applications. Yes, the encryption slows down your connection, but unless you encrypt the data AT SOME POINT then there is just no way to get a secure wireless transmission due to the very nature of wireless. Granted you could get better speed with a hardware accelerated encryption, but it has the disadvantage of being considerably harder to patch should a vulnerability in the implementation be discovered.
Now just to spell it out: No, you can't avoid doing the key exchange over a trusted channel, regardless of protocol, OpenSSH can't change this, and no other protocol can. Yes, you need to trust whoever supplies the hardware. Yes, you need to secure the physical access to the router / computer or trust whoever manage it to do so. Yes, OpenSSH isn't invulnerable, it may or may not have flaws, but good luck finding a more secure solution that is freely available.
I dare guess that in the vast majority of situations you are more likely to screw things up and make yourself vulnerable if you try some more "innovative" solution than if you just use SSH. Wireless is not a secure medium, SSH is designed to secure communication over insecure channels, it's what it does. It's open , widely scrutinized, and relies on peer reviewed algorithms. Long story short, if SSH isn't good enough for you then you should probably be using a wired connection.
The only major disadvantage I can think of is that SSH may be a bit tricky to set up for the typical user. The solution then is to create a nice cuddly frontend which guides the user through the process. I.e.:
"Hi, to secure your connection please choose a passphrase. Good passphrases are... blah blah blah"
"Please use the supplied CAT5E cable to connect your Laptop to your router."
"Congratulations, your router is now ready to accept secure wireless connections from your laptop."
The catch to this scheme is that you do at some point need to make a secure physical connection between the router and the laptop. This could be avoided by pre-loading every router with a key based on its serial number or something, but this is obviously less secure (though perhaps insignificantly so).