Vulnerability Development mailing list archives

RE: Wireless device vulnerability?


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Mon, 25 Mar 2002 13:36:57 +0200

Good morning!

> > After all, you'll never be safe from jamming or eavesdropping on a
> > shared media. You'll never get 100 % security, but with today's
> > wireless networks, jamming is very hard and will require
> > sophisticated equipment.
>
> You speak of jamming at layer 1.  What about jamming at layer 2 using
> RTS/CTS?  I've never tried it, but it seems as if you could flood an
> AP with RTS's and disrupt (read: jam) normal communications in that
> manner...

You're absolutely correct. Most of the time, level 2 jamming will be an even bigger risk than physical layer jamming, 
because jamming at L2 often requires even less expertise: one need not build a hardware device, because an 
off-the-shelf WLAN card will do.

Indeed, WLANs have many design deficiencies, and some of them are clearly related to the RTS/CTS mechanisms and other 
"intelligent" features of the transmission technology, features which haven't been seen in network technologies before 
trickier technologies, such as WLANs. For instance, in Ethernet, there was no need for features like medium reservation.

All in all, WLANs do have a security mechanism, WEP. WEP is supposed to protect you from attacks such as the one you 
describe. Yes, continuously reserving the medium through RTS-requests would effectively stop traffic, or at least slow 
it down a lot (after all, every once in a while, a WLAN client wishing to transmit would be faster than you and would 
get her/his datagram to the AP before the AP got your RTS).

Of course, WEP itself is broken and can be compromised. As long as WEP works, you're safe from attacks such as that. But 
if someone has gotten hold of your WEP key, and they are able to send RTS messages to the AP, they can also send any 
other messages to the AP, effectively gaining access to your internal network, so denial of service might not be their 
first priority, but rather compromising your network.

All in all, most people seem to suggest WLAN is secure as long as you place your APs behind a firewall and VPN, and 
while you're at it, you can forget WEP. Maybe so, but then you open your network to DoS attacks such as this.

Additionally, the 802.11 WLAN standard contains a lot more holes that open your WLAN to DoS attacks. For instance, WEP 
protects only data traffic, and most (if not all?) management traffic traverses the airways bare-bottom. This 
management traffic includes association/deassociation messages, which are used to join or dejoin, respectively, a WLAN 
station from the network. So Harry Hacker could send deassociation messages to the AP, and he can put Joe's name in the 
messages, and soon Joe will notice that his WLAN connection has been disconnected and he must reinitialize the 
connection (i.e., take out his WLAN PCMCIA card and put it back in).

All in all, L2 DoS attacks should be stopped with the wireless technology's normal safeguards. No one should be able 
to send RTS-messages, association/deassociation messages or even inquiry messages to either stations or APs before they 
have been authenticated.

TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone  +358 (9) 3434 9123  *  Fax  +358 (9) 3431 321
   Wireless  +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki, Finland
   toni.heinonen () teleware fi  *  www.teleware.fi
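The post's two DoS scenarios (an RTS flood reserving the medium, and forged disassociation frames naming a victim station) leave a rate signature in the air even though the frames themselves carry no authentication. The following is an added example, not code from the thread or from Teleware: a small monitor that walks a list of decoded 802.11 frame records and raises an alert when one address exceeds a per-second threshold for RTS, disassociation or deauthentication frames. The frame tuple layout, the `AP_MAC`/`JOE`/`MALLORY` addresses, the thresholds and the sample capture are all constructed for illustration; a real deployment would feed it records from a monitor-mode capture.

```python
from collections import defaultdict, deque

# Constructed addresses for the sample capture (hypothetical, not from the thread).
AP_MAC = "00:0a:aa:00:00:01"
JOE = "00:0a:aa:00:00:02"
ALICE = "00:0a:aa:00:00:03"
MALLORY = "00:0a:aa:00:00:ff"

# Alert thresholds: frames of a kind attributable to one address within WINDOW_S.
# Values are illustrative; tune them to the cell's normal traffic.
THRESHOLDS = {
    "rts": 200,       # RTS control frames sent by one address per second
    "disassoc": 3,    # disassociation frames naming one station per second
    "deauth": 3,      # deauthentication frames naming one station per second
}
WINDOW_S = 1.0


def detect_floods(frames, ap_mac, thresholds=THRESHOLDS, window_s=WINDOW_S):
    """Sliding-window rate detector over (timestamp_s, kind, src, dst) records.

    For RTS frames the counted address is the sender (who is reserving the
    medium).  For disassoc/deauth frames it is the station being disconnected:
    whichever side of the frame is not the AP, since a forger can place the
    victim's address in either the source or the destination field.
    Returns one alert per (kind, address) as (kind, address, count, time).
    """
    recent = defaultdict(deque)   # (kind, address) -> timestamps in window
    alerted = set()
    alerts = []
    for t, kind, src, dst in sorted(frames, key=lambda f: f[0]):
        if kind not in thresholds:
            continue                      # data/assoc/etc. are not rate-limited here
        if kind == "rts":
            addr = src
        else:
            addr = dst if src == ap_mac else src
        key = (kind, addr)
        window = recent[key]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()              # drop timestamps older than the window
        if len(window) > thresholds[kind] and key not in alerted:
            alerted.add(key)              # report each flood once, at onset
            alerts.append((kind, addr, len(window), t))
    return alerts


def build_sample_frames():
    """Constructed capture: normal traffic, a disassoc flood against JOE, an RTS flood."""
    frames = [
        (1.0, "assoc", JOE, AP_MAC),
        (1.2, "data", JOE, AP_MAC),
        (1.5, "rts", ALICE, AP_MAC),
        (1.6, "data", ALICE, AP_MAC),
        (30.0, "disassoc", ALICE, AP_MAC),   # a single legitimate leave
    ]
    # Forged disassociation frames carrying JOE's address, 100 ms apart.
    frames += [(10.0 + i / 10, "disassoc", JOE, AP_MAC) for i in range(8)]
    # RTS flood from MALLORY, 1 ms apart.
    frames += [(20.0 + i / 1000, "rts", MALLORY, AP_MAC) for i in range(300)]
    return frames


if __name__ == "__main__":
    for kind, addr, count, t in detect_floods(build_sample_frames(), AP_MAC):
        print(f"t={t:.3f}s {kind} flood: {count} frames involving {addr}")
```

Because an 802.11 station cannot verify who sent an RTS or a disassociation frame (the point made in the last paragraph above), the detector does not try to attribute the flood to a real sender; it only tells the operator which station is being targeted and when the rate became abnormal. The threshold for disassociation is deliberately low, since a legitimate station rarely leaves a cell more than once or twice a second.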

