>You mean, it's possible to obtain a false sense of security by
>ticking a few boxes.
And, likewise reading about attacks (such as the recent new attack
against WEP by Shamir and Mantin) need not give anybody a false sense
of insecurity either. Easy for the likes of the Weizmann Institute
doesn't mean it is easy for the average hacker, nor does this really
pose a threat if you look a bit closer...
WECA says that the biggest problem with WEP is not the fact that it
can be broken, but the fact that network managers don't turn it on,
in which case you don't even need to launch an attack.
They also say that you should use WEP nevertheless. After all, WEP was
not designed to be impenetrable; it was designed to make it more
difficult than just leaving the door open.
You cannot point to a successful attack and declare the entire
technology insecure. You will need to take into account what
implications such an attack has depending on where WLAN is used:
* at home
you'll be pretty safe if you use WEP and access control, because it
is unlikely someone will launch a full scale attack and program your
MAC address into their Ethernet cards. Besides, two nodes with
identical MAC addresses on the same network have the nasty side
effect that neither node can communicate properly anymore. What do
they stand to gain? Free access to your cable modem while your
computer is turned off. Let me tell you something, if my neighbour
came to me and asked if they could have access to my WLAN for
Internet access, I would give them access.
* corporate environments
shouldn't rely on WEP alone, no matter what. They shouldn't feel
secure even on a wired LAN because it is much easier to tap into
wired Ethernet from within and outside the building. A corporate
environment should use IPsec or PGPnet for transmission of sensitive
data between two systems in any case.
* public access networks
will be pretty safe if they enable WEP. As I had described with the
example of the coffee shop, they should link access to consumption,
i.e. one coffee gives you 15 minutes access time from the time you
claim that access time via secure web form. This means an attacker
will first have to break the WEP encryption and then they have free
access to the entry form but cannot get past the router to get free
Internet access without consumption. So, what did they achieve?
They would have to break SSL encryption plus whatever access tokens
the coffee shop distributes for those 15 minutes. Alternatively, they
can sniff for MAC addresses of customers who have just got their 15
minutes and reprogram their Ethernet card with one of those MAC
addresses as soon as the customer leaves; if they do so before their
15 minutes are up, the attacker would gain the remainder of a
legitimate customer's 15 minutes. And once the 15 minutes are up, they
will have to do that all over again.
I guarantee you that even the most determined will rather buy a
coffee. Or, if they really don't want to pay, they could discreetly ask
people in the coffee shop who do not want to access the Internet
whether they would give them their unused tokens. For the avoidance
of doubt, the tokens would likely be set to expire within a day if
they are not claimed.
If it was me in my twenties as a student, short on cash, I would
flirt with the waitress and get her to bring me all the unused tokens
or tokens for consumption where people didn't ask for a token. That
is much easier and would provide you with a steady stream of access
tokens.
And for customers who are concerned that someone may sniff their
email while they are sitting in the coffee shop downloading it over
the WLAN, it is very simple to put PGPnet on the backbone access node
and let those customers use PGPnet in which case even the Weizmann
Institute or the CIA would find it very difficult to tap in.
However, the most likely attack against a WLAN is not the
Shamir/Mantin attack, nor the Berkeley or Maryland attacks. The most
likely attack is that someone sets up a rogue base station with a
high RF output in the vicinity of another WLAN and tries to fool
clients that the fake base station is part of the network for it is a
true design flaw of 802.11 that the mobile station has no way of
authenticating a base station.
On a corporate WLAN this would be addressed by using IPsec or PGPnet.
In the coffee shop example, this could be used to steal a valid token
(worth 15 minutes) from an unaware customer. However, the token is
only worth 15 minutes to the attacker if the customer they stole it
from doesn't use it up. Therefore, the attacker's fake base station
would have to tell the customer that the token is invalid to stop
them from using it. The customer will then go to the cashier and ask
for a replacement, upon which the seemingly invalid token would be
entered into a black list which renders it invalid for use by the
attacker.
In most countries operating radio equipment for the purpose of
interfering with other transmissions is illegal (even if the
equipment used is operating in unlicensed spectrum) and
telecommunications agencies will be very quick to sweep the area and
triangulate the attacker's fake base station if the coffee shop
reports something fishy because too many of their tokens appear to be
invalid. An overpowering 802.11 base station is very easy to detect
and triangulate due to the use of DSSS which means it transmits on a
very broad spectrum (usually about 5 MHz).
Then again, perhaps the recent attack by Shamir/Mantin will be
spotted by the folks at Corsair, a US company that has a technology
which can identify a radio station's RF fingerprint, which like a
human fingerprint is unique and no two radios even from the same
assembly line have the same RF fingerprint. Something like this put
into 802.11 base stations would make it possible to identify each
transmitter without the chance for any attacker to spoof it.
AT&T wireless are using Corsair's RF fingerprint in the US to
authenticate AMPS mobiles in order to combat mobile phone cloning and
this has been very successful. Clone-based fraud in cells equipped
with the RF fingerprint detectors (linked to a database) has gone
down to zero.
I understand this is all software and if mass deployed into 802.11
base stations, licenses could be very cheap. No, I don't have any
affiliation with Corsair nor do I own any shares in the company.
Besides, even with all doors open (network ID advertised, no WEP, no
access control) gaining access to the network doesn't mean access to
the systems in that network, which if networked should be properly
secured against intrusion anyway.
Today, the most popular way to break into computer systems is to
exploit email to get in. Did I hear anybody saying that email should
not be used and will soon be abandoned because it is insecure?!
regards
benjamin
[ Need archives? How to unsubscribe? http://www.appelsiini.net/keitai-l/ ]
Received on Thu Aug 16 09:09:36 2001
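As an added example, not part of Benjamin's post: a small Python model of the token scheme he describes (a coffee buys a token, claiming it starts a 15-minute window, unclaimed tokens expire within a day, and a token reported as invalid is blacklisted when the cashier replaces it), walked through the rogue-base-station case from the post. The class and function names, and the token id format, are my assumptions.

```python
# Added example, not from the original post. Models the post's coffee-shop scheme:
# token per coffee, 15-minute window from claim, day-long unclaimed expiry,
# blacklist on replacement. Names and id format are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

SESSION_SECONDS = 15 * 60          # 15 minutes from the time the token is claimed
UNCLAIMED_TTL_SECONDS = 24 * 3600  # unclaimed tokens expire within a day


@dataclass
class Token:
    issued_at: float
    claimed_at: Optional[float] = None
    blacklisted: bool = False


@dataclass
class AccessGateway:
    tokens: dict = field(default_factory=dict)
    issued: int = 0

    def issue(self, now: float) -> str:            # cashier hands out a token per coffee
        self.issued += 1
        tid = f"TKN-{self.issued:04d}"             # constructed id format
        self.tokens[tid] = Token(issued_at=now)
        return tid

    def claim(self, tid: str, now: float) -> bool:  # secure web form starts the window
        tok = self.tokens.get(tid)
        if tok is None or tok.blacklisted or tok.claimed_at is not None \
                or now - tok.issued_at > UNCLAIMED_TTL_SECONDS:
            return False                            # unknown, dead, reused or stale
        tok.claimed_at = now
        return True

    def allowed(self, tid: str, now: float) -> bool:  # router check on each request
        tok = self.tokens.get(tid)
        if tok is None or tok.blacklisted or tok.claimed_at is None:
            return False
        return now - tok.claimed_at < SESSION_SECONDS

    def replace(self, old_tid: str, now: float) -> str:  # customer reports "invalid"
        if old_tid in self.tokens:
            self.tokens[old_tid].blacklisted = True   # the stolen copy dies with it
        return self.issue(now)


def rogue_base_station_scenario() -> tuple:
    # A fake base station steals a token and tells the customer it is invalid;
    # the cashier's replacement blacklists the stolen one.
    gw = AccessGateway()
    stolen = gw.issue(now=0)                  # customer buys a coffee
    gw.claim(stolen, now=10)                  # attacker claims the captured token
    attacker_before = gw.allowed(stolen, now=20)
    fresh = gw.replace(stolen, now=60)        # customer asks for a replacement
    attacker_after = gw.allowed(stolen, now=70)
    gw.claim(fresh, now=80)
    customer_ok = gw.allowed(fresh, now=80 + SESSION_SECONDS - 1)
    customer_expired = gw.allowed(fresh, now=80 + SESSION_SECONDS)
    return attacker_before, attacker_after, customer_ok, customer_expired
```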