Vulnerability Development mailing list archives

RE: Wireless device vulnerability?


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Tue, 26 Mar 2002 11:14:20 +0200

Sorry to jump into the middle of this and I don't have anything to offer that is even close to the technical level you guys are talking about, but for 802.11a/b networks why not just configure an access point with the same SSID and channel, plant a big ole' antenna (tm) on it and simply overpower the real AP? Not an ongoing DoS but a pretty effective short term one, I would think.

Indeed, that would be possible. However, if clients are configured with WEP, I don't think they will log on to an AP that simply has WEP turned off; they will simply fail in their attempt to authenticate to the AP with WEP.

What you can do is make a rogue AP, for example a Linux computer that you configure as an AP. WEP doesn't define two-way authentication, i.e. the AP doesn't authenticate to the client. This is a big problem with WEP.

Make your own AP software for Linux that replies to all WEP authentication requests with a "password correct" message, and all the clients will try to send their packets to your AP. You can simply discard the packets, creating an effective Denial of Service attack.

I believe it is Task Group I of the 802.11 working group that is developing new security mechanisms for WLANs. There have been some good ideas on how to improve WEP or on what to come up with as a successor to WEP, and all the technologies contain two-way authentication, so you can't just spoof the network name and pretend to be a real AP.

TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone  +358 (9) 3434 9123  *  Fax  +358 (9) 3431 321
   Wireless  +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki, Finland
   toni.heinonen () teleware fi  *  www.teleware.fi
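As the post points out, WEP gives a client no way to tell a legitimate AP from an impostor advertising the same SSID, so the practical defence is on the infrastructure side: watch beacons and alert when an authorized network name is advertised by a BSSID that is not on the list. The following is an added example of that check (not code from the original thread or from any product); the authorized-AP table and the beacon log lines are constructed sample data, and the "ssid bssid channel rssi" line format is an assumption, not the output of any real tool.

```python
"""Rogue-AP detection over constructed beacon observations.

Flags a BSSID that advertises an authorized SSID without being on the
authorized list, and marks the case from the thread where the impostor
sits on the same channel as a legitimate AP and is received more strongly.
"""
from collections import defaultdict

# Authorized APs: SSID -> set of legitimate BSSIDs (constructed sample values)
AUTHORIZED = {
    "corp-wlan": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed beacon log, one observation per line: "ssid bssid channel rssi_dbm"
SAMPLE_BEACONS = """\
corp-wlan 00:11:22:33:44:01 6 -55
corp-wlan 00:11:22:33:44:02 11 -60
corp-wlan de:ad:be:ef:00:01 6 -35
guest-net aa:bb:cc:dd:ee:ff 1 -70
"""


def parse_beacons(text):
    """Parse the assumed 'ssid bssid channel rssi' format into dict records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed beacon line: {line!r}")
        ssid, bssid, channel, rssi = parts
        records.append({
            "ssid": ssid,
            "bssid": bssid.lower(),
            "channel": int(channel),
            "rssi": int(rssi),
        })
    return records


def find_rogue_aps(records, authorized):
    """Return one alert per observed BSSID that impersonates an authorized SSID.

    An alert carries overpowers_legit=True when the impostor shares a channel
    with a legitimate AP for that SSID and is seen with a higher RSSI, i.e. the
    "same SSID and channel, bigger antenna" scenario from the thread.
    """
    legit_by_ssid = defaultdict(list)
    for r in records:
        if r["bssid"] in authorized.get(r["ssid"], set()):
            legit_by_ssid[r["ssid"]].append(r)

    alerts = []
    for r in records:
        if r["ssid"] not in authorized:
            continue  # some other network, not impersonating one of ours
        if r["bssid"] in authorized[r["ssid"]]:
            continue  # known-good AP
        alert = {
            "ssid": r["ssid"],
            "bssid": r["bssid"],
            "channel": r["channel"],
            "rssi": r["rssi"],
            "overpowers_legit": any(
                legit["channel"] == r["channel"] and r["rssi"] > legit["rssi"]
                for legit in legit_by_ssid[r["ssid"]]
            ),
        }
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_rogue_aps(parse_beacons(SAMPLE_BEACONS), AUTHORIZED):
        print(f"ROGUE AP {a['bssid']} advertising {a['ssid']!r} on ch {a['channel']} "
              f"({a['rssi']} dBm) overpowers_legit={a['overpowers_legit']}")
```

Keying the check on BSSID rather than SSID is the point: the network name is exactly what the impostor copies, so only the hardware address of the beacon source distinguishes the two, and a monitoring station (or the APs themselves in scan mode) is the only party in a WEP network that can make that distinction.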

