Slashdot Mirror
A Look at the State of Wireless Security
An anonymous reader brings us a whitepaper from Codenomicon which discusses the state and future of wireless security. They examine Bluetooth and Wi-Fi, and also take a preliminary look at WiMAX. The results are almost universally dismal; vulnerabilities were found in 90% of the tested devices[PDF]. The paper also looks at methods for vendors to preemptively block some types of threats. Quoting:
"Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope. This may be one reason why many major software vendors have been stuck randomly fixing vulnerabilities that have been found and providing countless patches to their clients to keep the systems protected."
Which is a fuzzer. And most of the vulns are DOS and reboots.
Not saying wireless security is a not an issue, but the pdf is an ad.
Lack of security in wireless isn't that huge of a deal. If you meet a skilled hacker, no matter what you throw at him/her they will be able to beat it.
Bzzzt! Wrong! I really hope you aren't a programmer.
There are encryption algorithms and protocols that are so good that nobody has figured how to defeat them, most likely even including the secret labs of various governments. Mostly what happens is that in practice they are misapplied or the person applying them doesn't understand them well enough and cuts a corner that results in a fatal implementation flaw.
What I really don't get is public standards that have this problem.
Those facile assumptions of yours as well as the pervasive defeatist attitude are likely the main reason there are so many problems in various commercial products.
Need a Python, C++, Unix, Linux develop
This has nothing to do with the classic issue of "wireless security", such as the relative strength of WEP versus WPA or WPA2. Some attack works by sending control frames, i.e. the cleartext packets that are used to establish the wireless connection in the first place, without any security being applied. Other attacks allow a station to abuse its connection privileges -- instead of merely consuming a wireless service, it can take over the whole device.
The same technique was demonstrated by Cache & Maynor with Wi-Fi in the summer of 2006. The lessons were quickly learned on the "client" side of the Wi-Fi networks. For example, the validation tools for Windows wireless drivers now include tests against fuzzing attacks. The technique is well known, and the tool advertsied in the article is just one of many available solutions.
However, the article points to an interesting area, the quality of implementation in "appliances" such as Wi-Fi access points. PC and Mac drivers may be well tested now, but who knows what software is run in the average access point? Also, it is much easier to download a new driver for a PC or a Mac than to update the firmware in an access point. So, we may expect to see some interesting exploits against various appliances...
-- Louarnkoz
What a lot of people may not be realizing as they buy newer WAP and WAP2 protected 802.11g and n gear is that if they leave the ability to connected legacy 802.11b devices, they've left open the WEP vulnerability. Everything has to be upgraded, and that can get too expensive to do at once.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Tokens are useless until they are initialized. It's possible to compromise individual who has authorized access, but it's much harder. You probably won't be doing it unless you need to steal something VERY important.
Your example with Tony Blair is a bad one - there was no security breach, it was that just low-level security did not know the true situation.
Speaking in theory to generate cryptographically useful pseudo random bits you need a seed only as big as a key for your favorite symmetrical algorithm. So we aren't talking about generating gigabytes of real random bytes (which would be indeed hard to get without any traffic) but about generating 10-20 bytes (during the whole previous life of the router!) random enough that you can't bruteforce it. Still you say how do you generate different pseudo random data with a device that is identical with the one in your lab. Well if the devices are identical and they are fed the same data yes they will give you the same output. However in order to reproduce this you will need:
- access to all data stored on the flash (not only mac, serial number but all saved credentials)
- access to all start/stop times of the router during its lifetime down to mili/microsecond
- access to all traffic the router saw ever (over wireless AND over wired network). This is harder than it looks as wireless traffic looks different to different receivers so you would need to physically modify the router and tap inside it to get the traffic
This is not dry theory, it is as real life as it gets (see http://en.wikipedia.org/wiki/Urandom for reference). Even if you save the random seed only in the RAM you still don't have access to the ROM and to all the traffic the machine sees for that session (or if you do have access it is game over already).
Yes there might be bad implementations but this is far from broken even in a thought experiment. We know how to make it work and any *nix has a nice implementation already.