-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AA-2004.02 AUSCERT Advisory Denial of Service Vulnerability in IEEE 802.11 Wireless Devices 13 May 2004 Last Revised: -- - --------------------------------------------------------------------------- 1. Description A vulnerability exists in hardware implementations of the IEEE 802.11 wireless protocol[1] that allows for a trivial but effective attack against the availability of wireless local area network (WLAN) devices. An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult. The vulnerability is related to the medium access control (MAC) function of the IEEE 802.11 protocol. WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which minimises the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer. An attack against this vulnerability exploits the CCA function at the physical layer and causes all WLAN nodes within range, both clients and access points (AP), to defer transmission of data for the duration of the attack. When under attack, the device behaves as if the channel is always busy, preventing the transmission of any data over the wireless network. Previously, attacks against the availability of IEEE 802.11 networks have required specialised hardware and relied on the ability to saturate the wireless frequency with high-power radiation, an avenue not open to discreet attack. This vulnerability makes a successful, low cost attack against a wireless network feasible for a semi-skilled attacker. Although the use of WLAN technology in the areas of critical infrastructure and systems is still relatively nascent, uptake of wireless applications is demonstrating exponential growth. The potential impact of any effective attack, therefore, can only increase over time. 2. Platform Wireless hardware devices that implement IEEE 802.11 using a DSSS physical layer. Includes IEEE 802.11, 802.11b and low-speed (below 20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and high-speed (above 20Mbps) 802.11g wireless devices. 3. Impact Devices within range of the attacking device will be affected. If an AP is within range, all devices associated with that AP are denied service; if an AP is not within range, only those devices within range of the attacking device are denied service. Minimum threat characteristics: o An attack can be mounted using commodity hardware and drivers - no dedicated or high-power wireless hardware is required o An attack consumes limited resources on attacking device, so is inexpensive to mount o Vulnerability will not be mitigated by emerging MAC layer security enhancements ie IEEE 802.11 TGi o Independent vendors have confirmed that there is currently no defence against this type of attack for DSSS based WLANs The range of a successful attack can be greatly improved by an increase in the transmission power of the attacking device, and the use of high-gain antennae. 3. Workarounds/Mitigation At this time a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS. IEEE 802.11 device transmissions are of low energy and short range, so the range of this attack is limited by the signal strength of the attacking device, which is typically low. Well shielded WLANs such as those for internal infrastructures should be relatively immune, however individual devices within range of the attacker may still be affected. Public access points will remain particularly vulnerable. The model of a shared communications channel is a fundamental factor in the effectiveness of an attack on this vulnerability. For this reason, it is likely that devices based on the newer IEEE 802.11a standard will not be affected by this attack where the physical layer uses Orthogonal Frequency Division Multiplexing (OFDM). It is recognised that the 2.4G Hz band suffers from radio interference problems, and it is expected that operators of the technology will already have in place measures to shield their networks as well as a reduced reliance on this technology for critical applications. The effect of the DoS on WLANs is not persistent - once the jamming transmission terminates, network recovery is essentially immediate. The results of a successful DoS attack will not be directly discernable to an attacker, so an attack of this type may be generally less attractive to mount. At this time, AusCERT continues to recommend that the application of wireless technology should be precluded from use in safety, critical infrastructure and/or other environments where availability is a primary requirement. Operators of wireless LANs should be aware of the increased potential for undesirable activity directed at their networks. REFERENCES: [1] IEEE-SA Standards Board, "IEEE Std IEEE 802.11-1999 Information Technology - Telecommunications and Information Exchange Between Systems-Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer (PHY) Specifications," IEEE 1999. http://standards.ieee.org/getieee802/download/802.11-1999.pdf - ------------------------------------------------------------------------- AusCERT would like to thank the Queensland University of Technology (QUT) Information Security Research Centre (ISRC) for the information contained in this advisory. AusCERT would like to thank all vendors that participated in this process and provided recommendations for mitigation and/or confirmed details of the vulnerability. - ------------------------------------------------------------------------- - --------------------------------------------------------------------------- AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 AusCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. Postal: Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- iQCVAwUBQKLIGSh9+71yA2DNAQIH3gP8CtJ1vKa6zmDxAIUo20JE2CmmCYiWmyQq lLomjl0hZLx+TPJPg2O6I9wlBCDy8grv96B8FT3RLDy7nqoT/QQAc02YiR6EnJl4 Q9inQOgBhd6FUcW984uxl6MyK0K8wWrPg35dg8jW1ZbQBe8tWzABaOTdbqjAQgES rg0vm/7RE5g= =L8tY -----END PGP SIGNATURE-----