Vulnerability Development mailing list archives

Wireless LANs ?


From: sa () HOGIA NET (Sebastian Andersson)
Date: Tue, 14 Dec 1999 14:26:05 +0100


Have there been some real security evaluations done of the BreezeNET
PRO.11 wireless lan series (802.11 compatible) ?

Most of breezecom's documentation says - you already have other, more
likely security holes, it is easy to snoop on normal ethernet as well,
etc... They also refer to the military and since they use it, it must
be secure... :-) In parts of their documentation they recommend that
military and financial users of the products should use software to
encrypt all lan traffic. That doesn't help the SNMP messages to/from
the wireless AP/SP equipment though.

How hard is it for an attacker to listen to the conversation on the
lan?  How hard is it for an attacker to send a single packet?
How hard is it for an attacker to join the lan?  What are the possible
attacks?

I know next to nothing about hardware and radio transmissions, but
from what I've gathered from BreezeCOM's own webpage, they use 79 1MHz
channels and frequency hopping 50 times per second (in another
part of the documentation they say that it is configurable how
often it hops, the documentation contradicts itself), based on some
list one can configure.  I don't know their encoding technique, but if
they get 1Mbps out of each 1MHz channel, they send around 20kbit before
they change channel. Wouldn't it be possible for some receiver to
listen to just one channel and try to get the info out of it? Quite a
lot of information can be sent in 20 kbits (the SNMP community names
for example). 79 1MHz channel receivers would be able to listen to all
of the traffic. With a jammer, it might be possible to make the units
resend traffic on perhaps half of the channels? If a packet is sent as
a whole, you get it on each channel. If the packet is fragmented, you'll
have the headers needed for assembling them again.

The question is, how hard would it be to make such a receiver? What would
it cost?

Is it possible to synchronize the receivers with the access point, so even
if you don't know the hopping sequence, you know when to send?

Given one has such a receiver, could one "borrow" a MAC address from some
other card, and send a packet to all channels at the same time? Or try
200 times on a single channel? Maybe an SNMP command to ask for info
from an AP/SP ?

/Sebastian
