Full Disclosure mailing list archives

Re: (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability


From: Spiro Trikaliotis <trik-news () gmx de>
Date: Thu, 13 May 2004 09:08:05 +0200

Hello,

* On Thu, May 13, 2004 at 03:22:19PM +1000 Sean Batt wrote:

[...]

> Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
> 13 May 2004
[...]

> A vulnerability exists in hardware implementations of the IEEE 802.11
> wireless protocol[1] that allows for a trivial but effective attack
> against the availability of wireless local area network (WLAN)
> devices.

Yes, that's nothing new. For example, the so-called "babbling idiot"
problem affects almost every network, such as Ethernet and WLAN, but also
field buses like CAN, LON or others.

> An attacker using a low-powered, portable device such as an electronic
> PDA and a commonly available wireless networking card may cause
> significant disruption to all WLAN traffic within range, in a manner
> that makes identification and localisation of the attacker difficult.

What exactly do you mean? It's not very hard to generate a "babbling
idiot" by sending some frames from a wireless device. Just let it send
out all the time, for example via UDP.

With some modifications to the hardware, it is even possible to use the
"virtual carrier" (network allocation vector, NAV) to stop the devices
from sending out, while the attacker does not need very much power or
sending time. A NAV of "-1" (all 1s) is very effective, as it has to be
respected by every 802.11 device to be compliant with the PCF access
method.

[...]

> Previously, attacks against the availability of IEEE 802.11 networks
> have required specialised hardware and relied on the ability to
> saturate the wireless frequency with high-power radiation, an avenue
> not open to discreet attack.

Why should this be needed? Just put a Bluetooth device (at least one
conforming to BT specification 1.0b) within direct range, let it send
out UDP packets as fast as possible, and have a look at the throughput
of your WLAN. ;-) Although it does not block each and every frame, a
packet loss of approx. 5% has been measured by us, which leads to a TCP
throughput of effectively not much more than 0 KB/s [1]. For BT/DSSS
interference, see also [2], [3], [4] (amongst *many* others).

Furthermore, even a microwave oven might be a big problem for wireless
LANs. Our own measurements (never published) have shown that a microwave
oven might make an 802.11g network unusable. Another paper on microwaves
is [5].

One remark: these papers did not intend to look at these problems
from a security point of view, but from a technical point of view, in
order to reduce the effects of this.

> This vulnerability makes a successful, low cost attack against a
> wireless network feasible for a semi-skilled attacker.

I think a microwave oven should be usable by an attacker who is not even
semi-skilled. Sending out UDP packets as fast as possible via 802.11 or
Bluetooth should be usable by any semi-skilled attacker.


> 2. Platform
>
> Wireless hardware devices that implement IEEE 802.11 using a DSSS
> physical layer. Includes IEEE 802.11, 802.11b and low-speed (below
> 20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and high-speed
> (above 20Mbps) 802.11g wireless devices.

Why should 802.11a/g not be affected? The microwave oven I mentioned
above did not harm the 802.11b network, but did much harm to an 802.11g
network, which contradicts your statement.

> o Independent vendors have confirmed that there is currently no
> defence against this type of attack for DSSS based WLANs

This is not very surprising. They would also confirm not having
implemented any defence against an attack on an Ethernet network where
you cut the Ethernet cable in the middle, remove the power from the
switches/hubs in between, or the like. ;-)


I ask myself what the value of this CERT is. There is nothing mentioned
that was not known when 802.11 was first set up in 1997. It seems you are
at least 7 years too late. If not, can you show me where the *new*
insights of this CERT are?

Best regards,
   Spiro.


[1] M. Gergeleit, E. Nett, S. Trikaliotis:
    Messung der gegenseitigen Störungen von Funk-Netzwerken nach den
    Standards 802.11b und 802.15 ("Bluetooth"). GI annual conference in
    Vienna: Informatik 2001, 25 to 28 September 2001, Vienna, Austria.
    (sorry, German only!)

[2] J. C. Haartsen, S. Zürbes, "Bluetooth voice and data performance in
    802.11 DS WLAN environment", Ericsson, May 1999.

[3] J. Zyren, "Reliability of WLANs in Bluetooth Environment", Harris
    Semiconductor, June 1999.

[4] M. Hännikäinen, T. Rantanen, J. Ruotsalainen, M. Niemi, T. Hämäläinen,
    and J. Saarinen, "Coexistence of Bluetooth and Wireless LANs", Proc.
    IEEE Int. Conf. on Telecommunications, Bucharest, Romania, June 2001.

[5] A. Kamerman, N. Erkocevic, "Microwave Oven Interference on Wireless
    LANs Operating in the 2.4 GHz ISM Band", Lucent Technologies.
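
An added detection-side illustration of the virtual-carrier (NAV) issue discussed in the post, written for this page and not taken from the original mail or from AUSCERT: a minimal 802.11 MAC-header parser that reads the Duration/ID field and reports, per transmitter, frames whose NAV reservation is abnormally long or that use a reserved encoding such as the all-ones value mentioned above. It assumes raw 802.11 frames without a radiotap header, constructed sample frames, and an illustrative 20 ms threshold.

```python
import struct
MAX_NAV_US = 0x7FFF      # largest Duration/ID value that is a plain NAV (bit 15 clear)
SUSPECT_NAV_US = 20000   # assumption: a sane RTS reservation at 1 Mbit/s stays under 20 ms
PS_POLL = (1, 0b1010)    # (type, subtype) of PS-Poll; its Duration/ID field carries an AID

def parse_mac_header(frame):
    """Frame Control, Duration/ID and Address 2 (transmitter); no radiotap header assumed."""
    if len(frame) < 16:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc, duration_id = struct.unpack_from("<HH", frame, 0)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "duration_id": duration_id, "tx": frame[10:16].hex(":")}

def nav_reservation(hdr):
    """NAV (us) a compliant receiver adopts from this frame, or None when the field
    is not a NAV: PS-Poll AID, fixed CFP value 0x8000, or a reserved encoding."""
    if (hdr["type"], hdr["subtype"]) == PS_POLL or hdr["duration_id"] & 0x8000:
        return None
    return hdr["duration_id"]

def flag_nav_abuse(frames, threshold_us=SUSPECT_NAV_US):
    """Per transmitter: count NAVs above threshold_us, reserved encodings, largest NAV."""
    report = {}
    for frame in frames:
        hdr = parse_mac_header(frame)
        e = report.setdefault(hdr["tx"], {"long_nav": 0, "reserved": 0, "max_nav": 0})
        nav = nav_reservation(hdr)
        if nav is None:
            if (hdr["type"], hdr["subtype"]) != PS_POLL and hdr["duration_id"] != 0x8000:
                e["reserved"] += 1      # e.g. the all-ones value from a non-PS-Poll frame
        else:
            e["max_nav"] = max(e["max_nav"], nav)
            if nav > threshold_us:
                e["long_nav"] += 1
    return report

def build_frame(fc, duration_id, tx):
    """Constructed header only: FC, Duration/ID, Addr1 broadcast, Addr2 = tx, padding."""
    return struct.pack("<HH", fc, duration_id) + b"\xff" * 6 + tx + b"\x00" * 8

# Constructed sample capture: A behaves, B reserves the medium aggressively, C sends an
# ordinary PS-Poll (AID 1) whose Duration/ID field must not be read as a NAV.
A, B, C = (bytes.fromhex("02000000000" + n) for n in "123")
SAMPLE_FRAMES = [
    build_frame(0xB4, 400, A),         # RTS reserving 400 us
    build_frame(0x08, 300, A),         # data frame, 300 us
    build_frame(0xB4, MAX_NAV_US, B),  # RTS with the maximum legal NAV
    build_frame(0x08, 0xFFFF, B),      # data frame with all-ones Duration/ID
    build_frame(0xA4, 0xC001, C),      # PS-Poll, AID 1
]
```

Run `flag_nav_abuse(SAMPLE_FRAMES)` to see B reported with one over-long NAV and one reserved encoding while A and C stay clean; on a live capture, feed it the 802.11 frames of a monitor-mode interface after stripping the radiotap header.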

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
