Full Disclosure mailing list archives
Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability
From: Spiro Trikaliotis <trik-news () gmx de>
Date: Thu, 13 May 2004 09:08:05 +0200
Hello,

* On Thu, May 13, 2004 at 03:22:19PM +1000 Sean Batt wrote:

[...]

> Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
> 13 May 2004

[...]

> A vulnerability exists in hardware implementations of the IEEE 802.11 wireless protocol[1] that allows for a trivial but effective attack against the availability of wireless local area network (WLAN) devices.

Yes, that's nothing new. For example, the so-called "babbling idiot" problem, which affects almost every network, such as Ethernet and WLAN, but also field buses like CAN, LON or others.

> An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult.

What exactly do you mean? It's not very hard to generate a "babbling idiot" by sending some frames from a wireless device. Just let it send out all the time, for example via UDP. With some modifications to the hardware, it is even possible to use the "virtual carrier" (network allocation vector, NAV) to stop the devices from sending out, while the attacker does not need very much power or sending time. A NAV of "-1" (all 1s) is very effective, as it has to be respected by every 802.11 device to be compliant with the PCF access method.

[...]

> Previously, attacks against the availability of IEEE 802.11 networks have required specialised hardware and relied on the ability to saturate the wireless frequency with high-power radiation, an avenue not open to discreet attack.

Why should this be needed? Just put a Bluetooth device (at least with a device following BT specification 1.0b) into the direct range, let it send out UDP packets as fast as possible, and have a look at the throughput of your WLAN. ;-) Although it does not block each and every frame, a packet loss of approx. 5% has been measured by us, which leads to a TCP throughput of effectively not much more than 0 KB/s [1]. For BT/DSSS interference, see also [2], [3], [4] (amongst *many* others).

Furthermore, even a microwave oven might be a big problem for wireless LANs. Our own measurements (never published) have shown that a microwave oven might make an 802.11g network unusable. Another paper on microwaves is [5].

One remark: these papers did not intend to look at these problems from a security point of view, but from a technical point of view, to reduce the effects of this.

> This vulnerability makes a successful, low cost attack against a wireless network feasible for a semi-skilled attacker.

I think a microwave oven should be usable for a not even semi-skilled attacker. Sending out UDP packets as fast as possible via 802.11 or Bluetooth should be usable for any semi-skilled attacker.

> 2. Platform
>
> Wireless hardware devices that implement IEEE 802.11 using a DSSS physical layer. Includes IEEE 802.11, 802.11b and low-speed (below 20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and high-speed (above 20Mbps) 802.11g wireless devices.

Why should 802.11a/g not be affected? The microwave oven I told about above did not harm the 802.11b network, but did much harm to an 802.11g network, which is a contradiction to your statement.

> o Independent vendors have confirmed that there is currently no defence against this type of attack for DSSS based WLANs

This is not very surprising. They would also confirm not having implemented any defence against an attack on an Ethernet network, where you cut the Ethernet cable in the middle, remove the power from the switches/hubs in between, or the like. ;-)

I ask myself what the value of this CERT is. There is nothing mentioned that was not known when 802.11 was first set up in 1997. It seems you are at least 7 years too late. If not, can you show me where the *new* insights of this CERT are?

Best regards,
Spiro.

[1] M. Gergeleit, E. Nett, S. Trikaliotis: Messung der gegenseitigen Störungen von Funk-Netzwerken nach den Standards 802.11b und 802.15 ("Bluetooth"). GI annual conference in Vienna: Informatik 2001, 25 to 28 September 2001, Vienna, Austria. (Sorry, German only!)
[2] J. C. Haartsen, S. Zubes, "Bluetooth voice and data performance in 802.11 DS WLAN environment", Ericsson, May 1999.
[3] J. Zyren, "Reliability of WLANs in Bluetooth Environment", Harris Semiconductor, June 1999.
[4] M. Hännikäinen, T. Rantanen, J. Ruotsalainen, M. Niemi, T. Hämäläinen, and J. Saarinen, "Coexistence of Bluetooth and Wireless LANs", Proc. IEEE Int. Conf. on Telecommunications, Bucharest, Romania, June 2001.
[5] A. Kamerman, N. Erkocevic, "Microwave Oven Interference on Wireless LANs Operating in the 2.4 GHz ISM Band", Lucent Technologies.
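As an added monitoring-side example (not part of this mail or of the AUSCERT advisory), the following Python decodes the 802.11 Duration/ID field according to its three encodings in the 1999 standard and flags frames that claim the virtual carrier (NAV) for abnormally long periods, which is what a capture would show if someone were exercising the NAV point raised above. The sample headers, MAC addresses, and the 5000 µs threshold are constructed for the example.

```python
"""Decode 802.11 Duration/ID fields and flag abnormal virtual-carrier (NAV) reservations."""
import struct
from collections import defaultdict

CFP_FIXED = 0x8000                        # fixed value seen during the contention-free period
PS_POLL, RTS, CTS, ACK = 0xA, 0xB, 0xC, 0xD   # control-frame subtypes referenced below


def decode_duration(dur, ftype, subtype):
    """Interpret the 16-bit Duration/ID field as IEEE 802.11-1999 defines it."""
    if dur & 0x8000 == 0:
        return "nav", dur                       # microseconds of virtual carrier (0..32767)
    if dur == CFP_FIXED:
        return "cfp", dur                       # CFP marker: stations reserve until CFP end
    aid = dur & 0x3FFF
    if dur & 0xC000 == 0xC000 and ftype == 1 and subtype == PS_POLL and 1 <= aid <= 2007:
        return "aid", aid                       # association ID in a PS-Poll, not a reservation
    return "reserved", dur                      # every other bit pattern is invalid per the spec


def parse_header(frame):
    """Extract type, subtype, duration and transmitter address (if any) from a raw MAC header."""
    fc, dur = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    # CTS/ACK carry only RA; RTS/PS-Poll carry RA+TA; management/data frames have three addresses
    need = (10 if subtype in (CTS, ACK) else 16) if ftype == 1 else 24
    if len(frame) < need:
        raise ValueError("truncated 802.11 header")
    kind, value = decode_duration(dur, ftype, subtype)
    ta = frame[10:16].hex(":") if need >= 16 else None
    return {"ftype": ftype, "subtype": subtype, "dur_kind": kind, "dur_value": value, "ta": ta}


def audit_nav(frames, threshold_us=5000):
    """Sum NAV time claimed per transmitter and list frames whose reservation is abnormal."""
    summary = defaultdict(lambda: {"frames": 0, "reserved_us": 0, "max_nav": 0})
    flagged = []
    for raw in frames:
        h = parse_header(raw)
        key = h["ta"] or "<no-TA>"              # CTS-to-self style frames carry no transmitter
        s = summary[key]
        s["frames"] += 1
        if h["dur_kind"] in ("nav", "cfp"):
            s["reserved_us"] += h["dur_value"]
            s["max_nav"] = max(s["max_nav"], h["dur_value"])
            if h["dur_value"] > threshold_us:
                flagged.append((key, h["dur_kind"], h["dur_value"]))
        elif h["dur_kind"] == "reserved":
            flagged.append((key, "reserved", h["dur_value"]))
    return dict(summary), flagged


# Constructed sample headers (no payload/FCS); addresses are made up for this example.
AP, STA, BAD = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002"), bytes.fromhex("02aabbcc00ff")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    struct.pack("<HH", 0x0008, 44) + AP + STA + AP + b"\x00\x00",   # data frame from STA, 44 us NAV
    struct.pack("<HH", 0x00B4, 300) + AP + STA,                     # RTS from STA reserving 300 us
    struct.pack("<HH", 0x00B4, 32767) + BCAST + BAD,                # RTS claiming the maximum NAV
    struct.pack("<HH", 0x00B4, 0xFFFF) + BCAST + BAD,               # the all-ones "-1" duration
    struct.pack("<HH", 0x00C4, 32767) + BCAST,                      # CTS with no TA, maximum NAV
]
```

Run over a real capture, `audit_nav` would take the raw 802.11 headers from a monitor-mode interface; per-transmitter `reserved_us` well above the actual airtime used is the signal to look for.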