Vulnerability Development mailing list archives
Wireless LANs ?
From: sa () HOGIA NET (Sebastian Andersson)
Date: Tue, 14 Dec 1999 14:26:05 +0100
Have there been any real security evaluations done of the BreezeNET PRO.11 wireless LAN series (802.11 compatible)? Most of BreezeCOM's documentation says: you already have other, more likely security holes; it is easy to snoop on normal Ethernet as well; etc. They also refer to the military, and since they use it, it must be secure... :-) In parts of their documentation they recommend that military and financial users of the products should use software to encrypt all LAN traffic. That doesn't help the SNMP messages to/from the wireless AP/SP equipment though.

How hard is it for an attacker to listen to the conversation on the LAN? How hard is it for an attacker to send a single packet? How hard is it for an attacker to join the LAN? What are the possible attacks?

I know next to nothing about hardware and radio transmissions, but from what I've gathered from BreezeCOM's own web page, they use 79 1 MHz channels and frequency hopping 50 times per second (in another part of the documentation they say that it is configurable how often it hops; the documentation contradicts itself), based on some list one can configure. I don't know their encoding technique, but if they get 1 Mbps out of each 1 MHz channel, they send around 20 kbit before they change channel. Wouldn't it be possible for some receiver to listen to just one channel and try to get the info out of it? Quite a lot of information can be sent in 20 kbit (the SNMP community names, for example). 79 1 MHz channel receivers would be able to listen to all of the traffic. With a jammer, it might be possible to make the units resend traffic on perhaps half of the channels? If a packet is sent as a whole, you get it on each channel. If the packet is fragmented, you'll have the headers needed for assembling them again. The question is, how hard would it be to make such a receiver? What would it cost?

Is it possible to synchronize the receivers with the access point, so even if you don't know the hopping sequence, you know when to send? Given one has such a receiver, could one "borrow" a MAC address from some other card, and send a packet to all channels at the same time? Or try 200 times on a single channel? Maybe an SNMP command to ask for info from an AP/SP?

/Sebastian
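The point about SNMP community names fitting comfortably into a single 20 kbit dwell is worth making concrete. The following is an added example, not code from Sebastian's post or from BreezeCOM: a minimal BER decoder that pulls the plaintext community string and PDU type out of an SNMPv1/v2c datagram, plus a scanner that runs it over a list of "captured" UDP payloads. The packets, the community names ("public", "private") and the OID polled (sysDescr.0) are all constructed here for illustration; the whole message, including community, is typically a few dozen bytes, so any dwell that carries one management poll exposes the credential.

```python
# Added example (not part of the original post): decode the SNMPv1/v2c header
# from a raw UDP payload and recover the plaintext community string.
# All datagrams below are constructed by hand; no real device traffic is used.

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos].

    Returns (tag, value, next_pos). Handles short-form lengths (< 128) and
    long-form lengths (0x8N followed by N big-endian length bytes).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(payload):
    """Return version, community and PDU type of an SNMPv1/v2c message.

    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    """
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer tag is not SEQUENCE")
    vtag, vbytes, pos = read_tlv(msg, 0)
    ctag, cbytes, pos = read_tlv(msg, pos)
    ptag, _pdu, _ = read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header field types")
    return {
        "version": int.from_bytes(vbytes, "big"),      # 0 = v1, 1 = v2c
        "community": cbytes.decode("ascii", errors="replace"),
        "pdu": PDU_NAMES.get(ptag, "0x%02x" % ptag),
    }


def tlv(tag, body):
    """Encode a BER TLV; used only to build the constructed sample packets."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_get_request(community, oid_bytes, request_id=1):
    """Constructed SNMPv1 GetRequest for one OID with a NULL value."""
    varbind = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)


# sysDescr.0 = 1.3.6.1.2.1.1.1.0 in BER OID encoding (assumed example OID)
SYS_DESCR_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])

# Constructed "captured" datagrams: a manager polling with the read community,
# another using the write community, and one payload that is not SNMP at all.
CAPTURE = [
    build_get_request("public", SYS_DESCR_0),
    build_get_request("private", SYS_DESCR_0, request_id=2),
    b"\x45\x00\x00\x1c",   # stray non-SNMP bytes; must be skipped, not crash
]


def communities_seen(datagrams):
    """Scan captured UDP payloads and collect (pdu, community) pairs,
    ignoring anything that does not decode as an SNMP message."""
    found = []
    for data in datagrams:
        try:
            hdr = parse_snmp_header(data)
        except (ValueError, IndexError):
            continue
        found.append((hdr["pdu"], hdr["community"]))
    return found


if __name__ == "__main__":
    for pdu, community in communities_seen(CAPTURE):
        print("%-15s community=%r" % (pdu, community))
```

The decoder stops after the three header fields, which is all an eavesdropper needs; the constructed GetRequest is 40 bytes on the wire, so even a receiver parked on one of the 79 channels sees whole management messages whenever a dwell lands on it. Long-form BER lengths are handled because some agents and managers emit them for larger PDUs.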