Full Disclosure mailing list archives
Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
From: Gunter Luyten <gunter.lists () haxor be>
Date: Thu, 13 May 2004 20:36:47 +0200
Hi full-disclosure readers,

Sean Batt wrote: [quoted relevant parts only]

> A vulnerability exists in hardware implementations of the IEEE 802.11 wireless protocol[1] that allows for a trivial but effective attack against the availability of wireless local area network (WLAN) devices.
I don't see what this has to do with the hardware implementation of 802.11. It's not the hardware that is vulnerable, but the medium. Nothing new about this. All communication that relies upon a shared medium is vulnerable to this type of "DoS".
> An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult.
It even needn't be that sophisticated. Anything that transmits on the same frequency can be used. Of course, you can transmit enough TCP packets to let collision avoidance make all other devices keep quiet, but in fact it's enough to jam the frequency. This is similar to communication over whatever shared medium. If someone's "talking", all the rest must keep quiet. When two parties are transmitting at the same time, the result is noise.
> The vulnerability is related to the medium access control (MAC) function of the IEEE 802.11 protocol. WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which minimises the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer. An attack against this vulnerability exploits the CCA function at the physical layer and causes all WLAN nodes within range, both clients and access points (AP), to defer transmission of data for the duration of the attack. When under attack, the device behaves as if the channel is always busy, preventing the transmission of any data over the wireless network. Previously, attacks against the availability of IEEE 802.11 networks have required specialised hardware and relied on the ability to saturate the wireless frequency with high-power radiation, an avenue not open to discreet attack. This vulnerability makes a successful, low cost attack against a wireless network feasible for a semi-skilled attacker.
OK, I also just mentioned the "old" attack, but I still don't get what's so new about this. I can for instance place my wireless access point in "test-mode", letting it transmit continuously on a channel. Since it also has enough power, it even does both attacks at once ;-)
The "new" attack is just a consequence of the old frequency jamming attack.
> o Independent vendors have confirmed that there is currently no defence against this type of attack for DSSS based WLANs
If they keep using a shared medium, this will always be the case. It's just physics. I think it is not possible to solve this. Maybe only in one case: if the attacker uses low transmit power, and is separated far enough from the access point and the other clients, there is a possible workaround. If one device is "jamming" a frequency, but other devices are close enough to each other, they can push away the jamming signal. But when the jamming source moves in between them, it's not possible anymore.
> The model of a shared communications channel is a fundamental factor in the effectiveness of an attack on this vulnerability. For this reason, it is likely that devices based on the newer IEEE 802.11a standard will not be affected by this attack where the physical layer uses Orthogonal Frequency Division Multiplexing (OFDM).
That might be possible indeed, but this confirms to me that this "vulnerability" is based upon radio physics rather than shortcomings in the CSMA/CA protocol.
> It is recognised that the 2.4 GHz band suffers from radio interference problems, and it is expected that operators of the technology will already have in place measures to shield their networks as well as a reduced reliance on this technology for critical applications.
I think it will be difficult to shield a network... After all, when you're implementing a wireless network, you do this to have network access everywhere in a certain range. If you shield this range from outside, it's indeed not possible for someone standing on your parking lot to disrupt your network, but the vulnerability within the shield still remains. For critical applications, one should stick to more reliable media, like cables. But of course, be sure not to use a hub then... Although it's harder to disrupt this because you need physical access to the hub or one of its cables.

If vendors would come with a "workaround", then there will most likely be a new way to disrupt service again. Like you mentioned, 802.11a using OFDM will make an attack more complicated, but not impossible. As long as you can disrupt the communication between two peers, no protocol or technique can prevent similar DoS attacks.
> At this time, AusCERT continues to recommend that the application of wireless technology should be precluded from use in safety, critical infrastructure and/or other environments where availability is a primary requirement. Operators of wireless LANs should be aware of the increased potential for undesirable activity directed at their networks.
I totally agree with this.

Best regards,
Gunter Luyten

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
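The point both the advisory and the reply turn on is that CSMA/CA stations freeze their backoff and defer for as long as CCA reports the channel busy, so the medium is lost to them regardless of the cause. The following toy model is an added illustration, not code from the thread or from AUSCERT: it simulates slotted CSMA/CA stations, compares normal contention with a channel that CCA reports busy in every slot, and adds a defender-side check (assumed design, not a vendor feature) that flags a channel that is almost always busy yet carries almost no decodable frames, which is the counter an AP or monitor could keep to notice this condition.

```python
import random

def simulate(n_stations, slots, cca_busy_from=None, seed=1):
    """Toy slotted CSMA/CA: every station always has a frame to send.
    A station counts its backoff down only while CCA says the channel is
    idle and transmits when it reaches 0; two or more in one slot collide
    and double their contention window (capped at 1023). From
    cca_busy_from on, CCA reports busy in every slot (energy present, no
    decodable frame), so all stations freeze and defer, as the advisory
    describes. Returns (frames sent per station, busy slot count)."""
    rng = random.Random(seed)
    cw = [15] * n_stations
    backoff = [rng.randint(0, cw[i]) for i in range(n_stations)]
    sent = [0] * n_stations
    busy_slots = 0
    for t in range(slots):
        if cca_busy_from is not None and t >= cca_busy_from:
            busy_slots += 1          # channel sensed busy: nobody counts down
            continue
        tx = [i for i in range(n_stations) if backoff[i] == 0]
        if len(tx) == 1:             # single transmitter: success, reset window
            i = tx[0]
            sent[i] += 1
            cw[i] = 15
            backoff[i] = rng.randint(0, cw[i])
            busy_slots += 1
        elif tx:                     # collision: binary exponential backoff
            for i in tx:
                cw[i] = min(cw[i] * 2 + 1, 1023)
                backoff[i] = rng.randint(0, cw[i])
            busy_slots += 1
        else:                        # idle slot: everyone counts down
            for i in range(n_stations):
                backoff[i] -= 1
    return sent, busy_slots

def cca_jam_suspected(sent, busy_slots, slots, busy_thresh=0.8, frame_thresh=0.2):
    """Assumed defender check over the counters above: a channel that is
    busy nearly all the time but yields almost no decodable frames per busy
    slot looks like a held-busy CCA rather than genuine traffic."""
    busy_frac = busy_slots / slots
    frames_per_busy = sum(sent) / max(busy_slots, 1)
    return busy_frac > busy_thresh and frames_per_busy < frame_thresh

if __name__ == "__main__":
    normal = simulate(4, 1000)
    jammed = simulate(4, 1000, cca_busy_from=0)
    print("normal:", normal, cca_jam_suspected(*normal, 1000))
    print("jammed:", jammed, cca_jam_suspected(*jammed, 1000))
```

With the channel held busy from slot 0, every station's counter is zero and the busy fraction is 1.0, which is exactly the "behaves as if the channel is always busy" state the advisory describes; the model says nothing about how the channel came to be busy, only how stations and a monitor respond to it.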
Current thread:
- (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd) Sean Batt (May 12)
- Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability Spiro Trikaliotis (May 13)
- Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd) Jerome Poggi (May 13)
- Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd) Valdis . Kletnieks (May 13)
- Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd) Gunter Luyten (May 13)
- <Possible follow-ups>
- Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd) Ian Latter (May 12)