From: Ian.Latter at mq.edu.au (Ian Latter)
Subject: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)

Interesting isn't it .. since it came up I've been wondering how
hard it would be for one of these;  http://www.wifiseeker.com/
.. to be "upgraded" to work as a sort of wireless flash-bang (for 
the life of the battery) .. throw it in a garden and walk off ...  

.. give our grounds keepers IT Security shirts and badges ;-)




----- Original Message -----
>From: "Sean Batt" <sean@...mbs.anu.edu.au>
>To: <full-disclosure@...ts.netsys.com>
>Subject:  [Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
>Date: Thu, 13 May 2004 15:22:19 +1000
>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> ===========================================================================
> AA-2004.02                     AUSCERT Advisory
> 
>       Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
>                                 13 May 2004
> Last Revised: --
> 
> - ---------------------------------------------------------------------------
> 
> 
> 1.  Description
> 
> 	A vulnerability exists in hardware implementations of the IEEE
> 	802.11 wireless protocol[1] that allows for a trivial but effective
> 	attack against the availability of wireless local area network
> 	(WLAN) devices.
> 
> 	An attacker using a low-powered, portable device such as an
> 	electronic PDA and a commonly available wireless networking card
> 	may cause significant disruption to all WLAN traffic within range,
> 	in a manner that makes identification and localisation of the
> 	attacker difficult.
> 
> 	The vulnerability is related to the medium access control (MAC)
> 	function of the IEEE 802.11 protocol.  WLAN devices perform Carrier
> 	Sense Multiple Access with Collision Avoidance (CSMA/CA), which
> 	minimises the likelihood of two devices transmitting
> 	simultaneously.  Fundamental to the functioning of CSMA/CA is the
> 	Clear Channel Assessment (CCA) procedure, used in all
> 	standards-compliant hardware and performed by a Direct Sequence
> 	Spread Spectrum (DSSS) physical (PHY) layer.
> 
> 	An attack against this vulnerability exploits the CCA function at
> 	the physical layer and causes all WLAN nodes within range, both
> 	clients and access points (AP), to defer transmission of data for
> 	the duration of the attack. When under attack, the device behaves
> 	as if the channel is always busy, preventing the transmission of
> 	any data over the wireless network.
> 
> 	Previously, attacks against the availability of IEEE 802.11
> 	networks have required specialised hardware and relied on the
> 	ability to saturate the wireless frequency with high-power
> 	radiation, an avenue not open to discreet attack. This
> 	vulnerability makes a successful, low cost attack against a
> 	wireless network feasible for a semi-skilled attacker.
> 
> 	Although the use of WLAN technology in the areas of critical
> 	infrastructure and systems is still relatively nascent, uptake of
> 	wireless applications is demonstrating exponential growth. The
> 	potential impact of any effective attack, therefore, can only
> 	increase over time.
> 
> 2. Platform
> 
> 	Wireless hardware devices that implement IEEE 802.11 using a DSSS
> 	physical layer. Includes IEEE 802.11, 802.11b and low-speed (below
> 	20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and
> 	high-speed (above 20Mbps) 802.11g wireless devices.
> 
> 3.  Impact
> 
> 	Devices within range of the attacking device will be affected. If
> 	an AP is within range, all devices associated with that AP are
> 	denied service; if an AP is not within range, only those devices
> 	within range of the attacking device are denied service.
> 
> 	Minimum threat characteristics:
> 
> 		o An attack can be mounted using commodity hardware and
> 		drivers - no dedicated or high-power wireless hardware is
> 		required
> 
> 		o An attack consumes limited resources on attacking device,
> 		so is inexpensive to mount
> 
> 		o Vulnerability will not be mitigated by emerging MAC layer
> 		security enhancements, i.e. IEEE 802.11 TGi
> 
> 		o Independent vendors have confirmed that there is
> 		currently no defence against this type of attack for DSSS
> 		based WLANs
> 
> 	The range of a successful attack can be greatly improved by an
> 	increase in the transmission power of the attacking device, and
> 	the use of high-gain antennae.
> 
> 3.  Workarounds/Mitigation
> 
> 	At this time a comprehensive solution, in the form of software or
> 	firmware upgrade, is not available for retrofit to existing
> 	devices. Fundamentally, the issue is inherent in the protocol
> 	implementation of IEEE 802.11 DSSS.
> 
> 	IEEE 802.11 device transmissions are of low energy and short range,
> 	so the range of this attack is limited by the signal strength of
> 	the attacking device, which is typically low. Well shielded WLANs
> 	such as those for internal infrastructures should be relatively
> 	immune; however, individual devices within range of the attacker
> 	may still be affected. Public access points will remain
> 	particularly vulnerable.
> 
> 	The model of a shared communications channel is a fundamental
> 	factor in the effectiveness of an attack on this vulnerability.
> 	For this reason, it is likely that devices based on the newer IEEE
> 	802.11a standard will not be affected by this attack where the
> 	physical layer uses Orthogonal Frequency Division Multiplexing
> 	(OFDM).
> 
> 	It is recognised that the 2.4 GHz band suffers from radio
> 	interference problems, and it is expected that operators of the
> 	technology will already have in place measures to shield their
> 	networks as well as a reduced reliance on this technology for
> 	critical applications.
> 
> 	The effect of the DoS on WLANs is not persistent - once the jamming
> 	transmission terminates, network recovery is essentially immediate.
> 
> 	The results of a successful DoS attack will not be directly
> 	discernible to an attacker, so an attack of this type may be
> 	generally less attractive to mount.
> 
> 	At this time, AusCERT continues to recommend that the application
> 	of wireless technology should be precluded from use in safety,
> 	critical infrastructure and/or other environments where
> 	availability is a primary requirement. Operators of wireless LANs
> 	should be aware of the increased potential for undesirable activity
> 	directed at their networks.
> 
> REFERENCES:
> 
> [1] IEEE-SA Standards Board, "IEEE Std IEEE 802.11-1999 Information
>     Technology - Telecommunications and Information Exchange Between
>     Systems-Local and Metropolitan Area Networks - Specific Requirements
>     - Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer
>     (PHY) Specifications," IEEE 1999.
>     http://standards.ieee.org/getieee802/download/802.11-1999.pdf
> 
> - -------------------------------------------------------------------------
> AusCERT would like to thank the Queensland University of Technology (QUT)
> Information Security Research Centre (ISRC) for the information contained
> in this advisory. AusCERT would like to thank all vendors that participated
> in this process and provided recommendations for mitigation and/or
> confirmed details of the vulnerability.
> - -------------------------------------------------------------------------
> 
> - ---------------------------------------------------------------------------
> 
> AusCERT has made every effort to ensure that the information contained
> in this document is accurate.  However, the decision to use the information
> described is the responsibility of each user or organisation. The decision to
> follow or act on information or advice contained in this security bulletin is
> the responsibility of each user or organisation, and should be considered in
> accordance with your organisation's site policies and procedures. AusCERT
> takes no responsibility for consequences which may arise from following or
> acting on information or advice contained in this security bulletin.
> 
> If you believe that your computer system has been compromised or attacked in 
> any way, we encourage you to let us know by completing the secure National IT 
> Incident Reporting Form at:
> 
>         http://www.auscert.org.au/render.html?it=3192
> 
> AusCERT also maintains a World Wide Web service which is found on:
> http://www.auscert.org.au.
> 
> Internet Email: auscert@...cert.org.au
> Facsimile:      (07) 3365 7031
> Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
>                 AusCERT personnel answer during Queensland business
>                 hours which are GMT+10:00 (AEST).  On call after hours
>                 for member emergencies only.
> 
> Postal:
> Australian Computer Emergency Response Team
> The University of Queensland
> Brisbane
> Qld  4072
> AUSTRALIA
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Revision History
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University
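Added example, not part of the advisory or of Ian Latter's post: a small discrete-time model of CSMA/CA backoff with Clear Channel Assessment, showing how a CCA that reports "busy" in every slot starves every station exactly as the advisory describes, together with a defender-side heuristic over per-window channel statistics (an assumed monitoring source; all values constructed) that flags the "medium always busy, nothing decoded" signature, which distinguishes CCA-level interference from ordinary heavy load.

```python
import random

def simulate_csma_ca(n_stations, slots, cca_always_busy=False, seed=1):
    """Discrete-time CSMA/CA model. Returns (delivered_frames, busy_slots).
    Each station holds a random backoff counter that only counts down in
    slots where CCA reports the medium idle; at zero it sends a one-slot
    frame (two senders in one slot collide and re-draw their backoff).
    With cca_always_busy=True, CCA reports busy in every slot, which is the
    deferral behaviour the advisory describes: nobody ever transmits."""
    rng = random.Random(seed)
    backoff = [rng.randint(0, 15) for _ in range(n_stations)]
    delivered = busy = 0
    for _ in range(slots):
        if cca_always_busy:
            busy += 1          # medium assessed busy: every station defers
            continue
        ready = [i for i, b in enumerate(backoff) if b == 0]
        if ready:
            busy += 1          # a real transmission occupies the medium
            if len(ready) == 1:
                delivered += 1
            for i in ready:    # sender(s) pick a fresh backoff afterwards
                backoff[i] = rng.randint(0, 15)
        else:
            for i in range(n_stations):
                backoff[i] -= 1    # idle slot: counters advance
    return delivered, busy

def detect_cca_starvation(windows, busy_threshold=0.95, min_run=3):
    """Defender-side heuristic over per-window (busy_fraction, frames_decoded)
    statistics from a monitoring radio (assumed source; values constructed).
    Legitimate load keeps the medium busy but yields decodable frames; a run
    of windows that are nearly always busy with nothing decoded points to
    interference or a CCA-level jam. Returns the start index of each run."""
    alerts, run = [], 0
    for idx, (busy_frac, decoded) in enumerate(windows):
        if busy_frac >= busy_threshold and decoded == 0:
            run += 1
            if run == min_run:
                alerts.append(idx - min_run + 1)
        else:
            run = 0
    return alerts

if __name__ == "__main__":
    print("normal :", simulate_csma_ca(4, 200))
    print("jammed :", simulate_csma_ca(4, 200, cca_always_busy=True))
    sample = [(0.3, 120), (0.6, 200), (0.98, 0), (0.99, 0), (1.0, 0), (1.0, 0), (0.4, 90)]
    print("alerts at windows:", detect_cca_starvation(sample))  # [2]
```

The heuristic deliberately requires several consecutive windows so that a single burst of non-802.11 interference on the 2.4 GHz band, which the advisory notes is common, does not raise an alert on its own.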

