Why Do We Concentrate on 802.11 Security?
The widespread area of 802.11 network coverage zones is one of the major reasons for rising security concerns and interest: an attacker can be positioned where no one expects him or her to be and stay well away from the network's physical premises. Another reason is the widespread use of 802.11 networks themselves: by 2006 the number of shipped 802.11-enabled hardware devices is estimated to exceed 40 million units (Figure 1.2), even as the prices of these units keep falling. After 802.11g products hit the market, the price of many 802.11b client cards dropped to the level of 100BaseT Ethernet client cards. Of course, there is a significant speed disadvantage (5–7 Mbps on 802.11b vs. 100 Mbps on switched Fast Ethernet), but not every network has high-speed requirements, and in many cases wireless deployment will be preferable. These cases include old houses in Europe protected as part of the National Heritage; in such houses, drilling through obstacles to lay cabling is prohibited by law. Another case is offices positioned on opposite sides of a busy road, highway, or office park. Finally, last-mile provider services delivered over wireless are basically a replacement for a cable or xDSL link, and an 802.11b "pipe" is not likely to be a bottleneck in such cases, taking into account common xDSL or cable network bandwidth.
Figure 1.2. The growth of the 802.11 wireless market.

802.11 networks are everywhere, easy to find, and, as you will see in this book, often do not require any effort to associate with. Even if they are protected by WEP (which still remains the most common security countermeasure on 802.11 LANs), the vulnerabilities of WEP are very well publicized and known to virtually anyone with a minimal interest in wireless networking. On the contrary, other wireless packet-switched networks are far from being that common and widespread, do not have well-known and "advertised" vulnerabilities, and often require obscure and expensive proprietary hardware to explore. At the same time, 802.11 crackers commonly run their own wireless LANs (WLANs) and use their equipment for both cracking and home and community networking.
Attacks on GSM and GPRS phones are mainly related to unit "cloning," which lies outside the realm of network hacking to which this book is devoted. On the personal area network (PAN) side, the hacking situation is far more interesting to dive into from a network security consultant's viewpoint.
Attacks on infrared PANs are a form of opportunistic cracking based on being in the right place at the right time: a cracker would have to be close to the attacked device and within a 30-degree zone from its infrared port. Because the infrared radiation power is limited to 2 mW only, the signal is not expected to spread further than two meters. An exception to the 30 degrees/2 mW limitations is the case when an infrared access point (e.g., Compex iRE201) is deployed in an office or conference hall. In such a situation, all a cracker needs to sniff traffic and associate with the infrared PAN is to be in the same room as the access point. There is no layer 2 security in Infrared Data Association (IrDA) PANs, and unless higher-layer encryption or authentication means are deployed, the infrared network is open for anyone to exploit. Windows 2000 and Windows XP clients automatically associate with other IrDA hosts, and the Linux IrDA project stack (http://irda.sourceforge.net/) provides a remote IrDA host discovery option (irattach -s) as well as irdadump, a utility similar to tcpdump. Irdaping has been used to freeze unpatched Windows 2000 machines before the Service Pack 3 release (see the Bugtraq post at http://www.securityfocus.com/archive/1/209385/2003-03-11/2003-03-17/2). If you want to dump layer 2 IrDA frames under Windows 2000, the infrared debugger interface in IrCOMM2k (a port of the Linux IrDA stack, http://www.stud.uni-hannover.de/~kiszka/IrCOMM2k/English/) will do a decent job. However, no matter how insecure infrared networks are, their limited use and physically limited spread mean that scanning for data carried over light will never be as common as scanning for data carried over radio frequency (RF) waves.
As such, warnibbling, or looking for Bluetooth networks, will gain much higher popularity than looking for infrared connections and might one day compete with wardriving in popularity. Tools for Bluetooth network discovery such as Redfang from @Stake and a graphical user interface (GUI) for it (Bluesniff, from the Shmoo Group) are already available to grab and use, and more tools will no doubt follow suit.
Three factors limit the spread of Bluetooth hacking. One is the still limited use of this technology, but that is very likely to change in a few years. Another factor is the limited (compared to 802.11 LANs) coverage zone. However, Class 1 Bluetooth devices (output transmission power up to 100 mW) such as Bluetooth-enabled laptops and access points can cover a 100-meter radius or greater if high-gain antennas are used. Such networks are de facto WLANs and can be suitable targets for remote cracking. The third factor is the security mechanisms protecting Bluetooth PANs against both snooping and unauthorized connections. So far there are no known attacks circumventing the E0 stream cipher used to encrypt data on Bluetooth PANs. However, only time will tell whether this proprietary cipher will hold up under Kerckhoffs's assumption and whether the well-known story of the unauthorized disclosure of the RC4 algorithm structure on the Cypherpunks mailing list will repeat itself (see Chapter 11 if you find this example confusing). There are already theoretical observations of possible Bluetooth security mechanism weaknesses (see http://www.tcs.hut.fi/~helger/crypto/link/practice/bluetooth.html). Above and beyond that, even the best security countermeasure is useless unless it is implemented, and Bluetooth devices are usually set to the first (lowest) of the three available Bluetooth security modes and have the default "0000" as the session security PIN. It is also common to use the year of birth or another meaningful (and guessable) four-digit number as a Bluetooth PIN. This happens for convenience reasons, but the unintended consequence is that it makes the cracker's job much easier. In our observations, about 50 percent of Bluetooth-enabled devices have the default PIN unchanged.
There are also devices that have default PINs hardwired without any possibility of changing them: all an attacker would have to do is find the list of default PINs online. Although this provides a great opportunity for a potential attacker, we have yet to meet a real flesh-and-bone "warnibbler" who goes further than sending prank messages via Bluetooth on the road. At the same time, security breaches of 802.11 networks present themselves on a daily, if not hourly, basis, bringing us back to the main topic: why and, most important, how they take place.