Message-ID: <200405130700.i4D70a611135@singularity.tronunltd.com>
From: Ian.Latter at mq.edu.au (Ian Latter)
Subject: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
Interesting isn't it .. since it came up I've been wondering how
hard it would be for one of these; http://www.wifiseeker.com/
.. to be "upgraded" to work as a sort of wireless flash-bang (for
the life of the battery) .. throw it in a garden and walk off ...
.. give our grounds keepers IT Security shirts and badges ;-)
----- Original Message -----
>From: "Sean Batt" <sean@...mbs.anu.edu.au>
>To: <full-disclosure@...ts.netsys.com>
>Subject: [Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE 802.11 Wireless Devices (fwd)
>Date: Thu, 13 May 2004 15:22:19 +1000
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> ===========================================================================
> AA-2004.02 AUSCERT Advisory
>
> Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
> 13 May 2004
> Last Revised: --
>
> - ---------------------------------------------------------------------------
>
>
> 1. Description
>
> A vulnerability exists in hardware implementations of the IEEE
> 802.11 wireless protocol[1] that allows for a trivial but effective
> attack against the availability of wireless local area network
> (WLAN) devices.
>
> An attacker using a low-powered, portable device such as an
> electronic PDA and a commonly available wireless networking card
> may cause significant disruption to all WLAN traffic within range,
> in a manner that makes identification and localisation of the
> attacker difficult.
>
> The vulnerability is related to the medium access control (MAC)
> function of the IEEE 802.11 protocol. WLAN devices perform Carrier
> Sense Multiple Access with Collision Avoidance (CSMA/CA), which
> minimises the likelihood of two devices transmitting
> simultaneously. Fundamental to the functioning of CSMA/CA is the
> Clear Channel Assessment (CCA) procedure, used in all
> standards-compliant hardware and performed by a Direct Sequence
> Spread Spectrum (DSSS) physical (PHY) layer.
>
> An attack against this vulnerability exploits the CCA function at
> the physical layer and causes all WLAN nodes within range, both
> clients and access points (AP), to defer transmission of data for
> the duration of the attack. When under attack, the device behaves
> as if the channel is always busy, preventing the transmission of
> any data over the wireless network.
>
> Previously, attacks against the availability of IEEE 802.11
> networks have required specialised hardware and relied on the
> ability to saturate the wireless frequency with high-power
> radiation, an avenue not open to discreet attack. This
> vulnerability makes a successful, low cost attack against a
> wireless network feasible for a semi-skilled attacker.
>
> Although the use of WLAN technology in the areas of critical
> infrastructure and systems is still relatively nascent, uptake of
> wireless applications is demonstrating exponential growth. The
> potential impact of any effective attack, therefore, can only
> increase over time.
>
> 2. Platform
>
> Wireless hardware devices that implement IEEE 802.11 using a DSSS
> physical layer. Includes IEEE 802.11, 802.11b and low-speed (below
> 20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and
> high-speed (above 20Mbps) 802.11g wireless devices.
>
> 3. Impact
>
> Devices within range of the attacking device will be affected. If
> an AP is within range, all devices associated with that AP are
> denied service; if an AP is not within range, only those devices
> within range of the attacking device are denied service.
>
> Minimum threat characteristics:
>
> o An attack can be mounted using commodity hardware and
> drivers - no dedicated or high-power wireless hardware is
> required
>
> o An attack consumes limited resources on the attacking device,
> so is inexpensive to mount
>
> o Vulnerability will not be mitigated by emerging MAC layer
> security enhancements, i.e. IEEE 802.11 TGi
>
> o Independent vendors have confirmed that there is
> currently no defence against this type of attack for DSSS
> based WLANs
>
> The range of a successful attack can be greatly improved by an
> increase in the transmission power of the attacking device, and
> the use of high-gain antennae.
>
> 4. Workarounds/Mitigation
>
> At this time a comprehensive solution, in the form of software or
> firmware upgrade, is not available for retrofit to existing
> devices. Fundamentally, the issue is inherent in the protocol
> implementation of IEEE 802.11 DSSS.
>
> IEEE 802.11 device transmissions are of low energy and short range,
> so the range of this attack is limited by the signal strength of
> the attacking device, which is typically low. Well-shielded WLANs
> such as those for internal infrastructures should be relatively
> immune; however, individual devices within range of the attacker
> may still be affected. Public access points will remain
> particularly vulnerable.
>
> The model of a shared communications channel is a fundamental
> factor in the effectiveness of an attack on this vulnerability.
> For this reason, it is likely that devices based on the newer IEEE
> 802.11a standard will not be affected by this attack where the
> physical layer uses Orthogonal Frequency Division Multiplexing
> (OFDM).
>
> It is recognised that the 2.4 GHz band suffers from radio
> interference problems, and it is expected that operators of the
> technology will already have in place measures to shield their
> networks as well as a reduced reliance on this technology for
> critical applications.
>
> The effect of the DoS on WLANs is not persistent - once the jamming
> transmission terminates, network recovery is essentially immediate.
>
> The results of a successful DoS attack will not be directly
> discernible to an attacker, so an attack of this type may be
> generally less attractive to mount.
>
> At this time, AusCERT continues to recommend that the application
> of wireless technology should be precluded from use in safety,
> critical infrastructure and/or other environments where
> availability is a primary requirement. Operators of wireless LANs
> should be aware of the increased potential for undesirable activity
> directed at their networks.
>
> REFERENCES:
>
> [1] IEEE-SA Standards Board, "IEEE Std IEEE 802.11-1999 Information
> Technology - Telecommunications and Information Exchange Between
> Systems-Local and Metropolitan Area Networks - Specific Requirements
> - Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer
> (PHY) Specifications," IEEE 1999.
> http://standards.ieee.org/getieee802/download/802.11-1999.pdf
>
> - -------------------------------------------------------------------------
> AusCERT would like to thank the Queensland University of Technology (QUT)
> Information Security Research Centre (ISRC) for the information contained
> in this advisory. AusCERT would like to thank all vendors that participated
> in this process and provided recommendations for mitigation and/or
> confirmed details of the vulnerability.
> - -------------------------------------------------------------------------
>
> - ---------------------------------------------------------------------------
>
> AusCERT has made every effort to ensure that the information contained
> in this document is accurate. However, the decision to use the information
> described is the responsibility of each user or organisation. The decision to
> follow or act on information or advice contained in this security bulletin is
> the responsibility of each user or organisation, and should be considered in
> accordance with your organisation's site policies and procedures. AusCERT
> takes no responsibility for consequences which may arise from following or
> acting on information or advice contained in this security bulletin.
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
> http://www.auscert.org.au/render.html?it=3192
>
> AusCERT also maintains a World Wide Web service which is found on:
> http://www.auscert.org.au.
>
> Internet Email: auscert@...cert.org.au
> Facsimile: (07) 3365 7031
> Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
> AusCERT personnel answer during Queensland business
> hours which are GMT+10:00 (AEST). On call after hours
> for member emergencies only.
>
> Postal:
> Australian Computer Emergency Response Team
> The University of Queensland
> Brisbane
> Qld 4072
> AUSTRALIA
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Revision History
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
--
Ian Latter
Internet and Networking Security Officer
Macquarie University
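The advisory's point is that CSMA/CA stations defer for as long as Clear Channel Assessment reports the medium busy, and that service returns as soon as the busy condition ends. The slot-level model below is an added illustration of that MAC behaviour, not code from the advisory, AusCERT or QUT; the contention-window bounds, frame length and the forced-busy window are assumed parameters, and the "channel" is just a boolean per slot, so nothing here touches radio hardware.

```python
import random

# Model parameters (assumed for illustration, not taken from the advisory)
CW_MIN, CW_MAX = 16, 1024   # DCF contention window bounds, in slots
TX_SLOTS = 4                # slots one frame holds the medium


class Station:
    """A saturated 802.11 DCF station: it always has a frame queued."""
    def __init__(self, rng):
        self.rng, self.cw = rng, CW_MIN
        self.backoff = rng.randrange(self.cw)

    def redraw(self, collided):
        # Binary exponential backoff after a collision, reset after success
        self.cw = min(self.cw * 2, CW_MAX) if collided else CW_MIN
        self.backoff = self.rng.randrange(self.cw)


def simulate(n_stations, slots, cca_busy, seed=1):
    """Return a per-slot list: 1 where a frame was sent without collision.
    cca_busy(t) -> bool is what every station's CCA reports in slot t."""
    rng = random.Random(seed)
    stations = [Station(rng) for _ in range(n_stations)]
    sent, busy_until = [0] * slots, 0
    for t in range(slots):
        if cca_busy(t) or t < busy_until:
            continue                      # medium busy: backoff counters freeze
        ready = [s for s in stations if s.backoff == 0]
        if not ready:                     # idle slot: everyone counts down
            for s in stations:
                s.backoff -= 1
            continue
        busy_until = t + TX_SLOTS         # frame(s) go on air
        for s in ready:
            s.redraw(collided=len(ready) > 1)
        sent[t] = 1 if len(ready) == 1 else 0
    return sent


def jam_scenario(jam_start=300, jam_end=600, slots=900, n_stations=5, seed=1):
    """Frames delivered before, during and after a window in which CCA is
    forced busy, plus the first slot in which a frame succeeds afterwards."""
    sent = simulate(n_stations, slots, lambda t: jam_start <= t < jam_end, seed)
    before, during = sum(sent[:jam_start]), sum(sent[jam_start:jam_end])
    after = sum(sent[jam_end:])
    first_after = next((t for t in range(jam_end, slots) if sent[t]), None)
    return before, during, after, first_after
```

Whatever the seed, the forced-busy window delivers zero frames, and because the frozen backoff counters resume counting in the first idle slot, traffic resumes within a contention window of the busy condition ending.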