Full Disclosure mailing list archives

Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)


From: Gunter Luyten <gunter.lists () haxor be>
Date: Thu, 13 May 2004 20:36:47 +0200

Hi full-disclosure readers,

Sean Batt wrote:

[quoted relevant parts only]

        A vulnerability exists in hardware implementations of the IEEE
        802.11 wireless protocol[1] that allows for a trivial but effective
        attack against the availability of wireless local area network
        (WLAN) devices.

I don't see what this has to do with the hardware implementation of 802.11. It's not the hardware that is vulnerable, but the medium. Nothing new about this. All communication that relies upon a shared medium is vulnerable to this type of "DoS".

        An attacker using a low-powered, portable device such as an
        electronic PDA and a commonly available wireless networking card
        may cause significant disruption to all WLAN traffic within range,
        in a manner that makes identification and localisation of the
        attacker difficult.

It needn't even be that sophisticated. Anything that transmits on the same frequency can be used. Of course, you can transmit enough TCP packets to let collision avoidance make all other devices keep quiet, but in fact it's enough to jam the frequency. This is similar to communication over whatever shared medium. If someone's "talking", all the rest must keep quiet. When two parties are transmitting at the same time, the result is noise.

        The vulnerability is related to the medium access control (MAC)
        function of the IEEE 802.11 protocol.  WLAN devices perform Carrier
        Sense Multiple Access with Collision Avoidance (CSMA/CA), which
        minimises the likelihood of two devices transmitting
        simultaneously.  Fundamental to the functioning of CSMA/CA is the
        Clear Channel Assessment (CCA) procedure, used in all
        standards-compliant hardware and performed by a Direct Sequence
        Spread Spectrum (DSSS) physical (PHY) layer.

        An attack against this vulnerability exploits the CCA function at
        the physical layer and causes all WLAN nodes within range, both
        clients and access points (AP), to defer transmission of data for
        the duration of the attack. When under attack, the device behaves
        as if the channel is always busy, preventing the transmission of
        any data over the wireless network.

        Previously, attacks against the availability of IEEE 802.11
        networks have required specialised hardware and relied on the
        ability to saturate the wireless frequency with high-power
        radiation, an avenue not open to discreet attack. This
        vulnerability makes a successful, low cost attack against a
        wireless network feasible for a semi-skilled attacker.

OK, I also just mentioned the "old" attack, but I still don't get what's so new about this. I can for instance place my wireless access point in "test-mode", letting it transmit continuously on a channel. Since it also has enough power, it even does both attacks at once ;-)
The "new" attack is just a consequence of the old frequency jamming attack.

                o Independent vendors have confirmed that there is
                currently no defence against this type of attack for DSSS
                based WLANs

If they keep using a shared medium, this will always be the case. It's just physics. I think it is not possible to solve this. Maybe only in one case: if the attacker uses low transmit power, and is separated far enough from the access point and the other clients, there is a possible workaround. If one device is "jamming" a frequency, but other devices are close enough to each other, they can push away the jamming signal. But when the jamming source moves in between them, it's not possible anymore.

        The model of a shared communications channel is a fundamental
        factor in the effectiveness of an attack on this vulnerability.
        For this reason, it is likely that devices based on the newer IEEE
        802.11a standard will not be affected by this attack where the
        physical layer uses Orthogonal Frequency Division Multiplexing
        (OFDM).

That might be possible indeed, but this confirms to me that this "vulnerability" is based upon radio physics rather than shortcomings in the CSMA/CA protocol.

        It is recognised that the 2.4 GHz band suffers from radio
        interference problems, and it is expected that operators of the
        technology will already have in place measures to shield their
        networks as well as a reduced reliance on this technology for
        critical applications.

I think it will be difficult to shield a network... After all, when you're implementing a wireless network, you do this to have network access everywhere in a certain range. If you shield this range from outside, it's indeed not possible for someone standing on your parking lot to disrupt your network, but the vulnerability within the shield still remains. For critical applications, one should stick to more reliable media, like cables. But of course, be sure not to use a hub then... Although it's harder to disrupt this because you need physical access to the hub or one of its cables.

If vendors come up with a "workaround", then there will most likely be a new way to disrupt service again. As you mentioned, 802.11a using OFDM will make an attack more complicated, but not impossible. As long as you can disrupt the communication between two peers, no protocol or technique can prevent similar DoS attacks.

        At this time, AusCERT continues to recommend that the application
        of wireless technology should be precluded from use in safety,
        critical infrastructure and/or other environments where
        availability is a primary requirement. Operators of wireless LANs
        should be aware of the increased potential for undesirable activity
        directed at their networks.

I totally agree with this.

Best regards,

Gunter Luyten
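As an added illustration (not part of this post or of the AUSCERT advisory), a constructed slot-level toy model of the CSMA/CA behaviour the advisory describes: a station's backoff counter only counts down in slots where the Clear Channel Assessment reports the medium idle, so a medium that is held busy stalls every station at once, however many there are. Function names, parameters and timing are assumptions, not the standard's exact values.

```python
import random


def simulate_csma_ca(n_stations, slots, jam_duty=0.0, cw=15, frame_slots=4, seed=1):
    """Toy slot-based model of 802.11 CSMA/CA (constructed; not real 802.11 timing).

    Every station always has a frame queued.  A station transmits when its random
    backoff counter reaches zero, and the counter only decrements in slots where
    CCA reports the channel idle.  `jam_duty` is the fraction of slots in which a
    foreign signal makes CCA report "busy".  Returns a tuple
    (frames_delivered, collisions, idle_slots_seen).
    """
    rng = random.Random(seed)
    backoff = [rng.randint(0, cw) for _ in range(n_stations)]
    delivered = collisions = idle_seen = 0
    busy_until = 0  # slot index up to which a station's own frame occupies the air
    for t in range(slots):
        if t < busy_until or rng.random() < jam_duty:
            continue  # CCA busy: every station defers and its backoff counter freezes
        idle_seen += 1
        ready = [i for i, b in enumerate(backoff) if b == 0]
        if not ready:
            backoff = [b - 1 for b in backoff]  # idle slot elapses: count down
            continue
        if len(ready) == 1:
            delivered += 1       # exactly one station won the slot
        else:
            collisions += 1      # two or more transmitted simultaneously: noise
        busy_until = t + frame_slots
        for i in ready:
            backoff[i] = rng.randint(0, cw)  # pick a fresh backoff after transmitting
    return delivered, collisions, idle_seen


def starvation_table(n_stations=5, slots=20000):
    """Frames delivered as the jammer's duty cycle rises from 0 to 100 %."""
    return {duty: simulate_csma_ca(n_stations, slots, jam_duty=duty)[0]
            for duty in (0.0, 0.5, 0.9, 1.0)}


if __name__ == "__main__":
    for duty, frames in starvation_table().items():
        print(f"jam duty {duty:.1f}: {frames} frames delivered")
```

The last row of the table is always zero: with CCA permanently busy no counter ever reaches zero, which is the "channel always busy" state the advisory describes, and the same applies to a station that simply keys its transmitter on continuously.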

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

