Network World
Friday, January 9, 2009
Risks - But what's their impact...

With all technologies, there are associated security risks, no question there. The real question is what's the threat level. I too listened in Joshua Wright's webcast and I thought he was putting on a pretty good scarecrow show. Yes, there is an IDS gap, but if your WLAN is properly secured with WPA2 and *strong* authentication, the real risks are really limited to DoS attacks and rogue APs. On the DoS attacks, do you believe a hacker would waste so much time on block ACKs? It's much easier and more efficient to simply use an RF jammer if one really wants to do a DoS attack; now that's a higher level of risk which is still not addressed (there are tools to easily detect them, but not to mitigate them). As for rogue APs, if you deploy an 802.11n network which integrates WIDS today, you should be able to easily detect these. As for the driver exploits, I went to http://www.wve.org/ as recommended by Joshua, but couldn't find any recent entries on drivers (not since 802.11n draft 2 products are available anyway). Funny as Joshua made it sound as if this was a really big issue. I believe he was looking more for attention than anything else – and you gave it to him.


Don't sensationalize non-issues!

0

1. If the company is worth 2 pennies, they can figure out detecting 40 MHz shouldn't have to take twice the time!

2. Please provide proof of driver vulnerability.

3. Have you heard of a 2.4 GHz phone? That is the easiest way to cause denial of service. Don't need to be a geek! And yeah, if you want to introduce packets in an aggregate packet, you can do it in the clear only! With no encryption, you can do whatever you want. Forget screwing with block ack windows. How about use a sniffer to reconstruct all the webpages somebody is browsing! With encryption, packets incorporated will get dropped. So nothing new here, keep moving...!

Follow-up on issues reported

0

Thanks for the comments, I appreciate the chance to follow up. It's hard to get many long hours of research into a 40-minute presentation, so my apologies if I wasn't able to convey the topic as clearly as I had hoped.

On the topic of 40 MHz channel scanning, with an 802.11n radio using 40 MHz on channel 36+/40- (e.g. channel 36 is the primary 20 MHz channel, and 40 is the secondary channel), a WIDS system listening on 36+ has the ability to observe both 20 and 40 MHz traffic on channel 36, but lacks the ability to observe 20 MHz traffic on channel 40. The WIDS sensor also lacks the ability to detect 40+/44- (a non-standard configuration) meaning that a greater number of channel configurations must be scanned. As an attacker, I'd want to configure my rogue AP and client driver to use these non-standard channel nuances to avoid detection, so the WIDS industry must provide a risk mitigation strategy to mitigate. Looking at my slides, this could have been clearer; thanks for the opportunity to clarify that.

Regarding the driver vulnerability issue, this is a widely-accepted threat, with many prior examples of vulnerabilities and exploits. A few that come to mind:

http://www.wve.org/entries/show/WVE-2006-0060 and http://www.uninformed.org/?v=8&a=4&t=txt
http://www.wve.org/entries/show/WVE-2007-0001
http://www.wve.org/entries/show/WVE-2007-0012

At this time, I'm not permitted to share details about 802.11n driver vulnerabilities (which is a lousy answer, I recognize). I am however allowed to share some Metasploit auxiliary modules I developed for 802.11n driver fuzzing available at http://www.willhackforsushi.com/code/rsa2008/fuzz_asmdu.rb and http://www.willhackforsushi.com/code/rsa2008/fuzz_proberesp_11n.rb.

The DoS attack comment regarding a 2.4 GHz phone is right-on, and a great point! DoS attacks are not new in wireless networks, and the problem isn't going away. With the Block ACK DoS issue, I wanted to present it as a new DoS risk because I found it technically intriguing. You are most welcome to not care about that threat, and I would not dispute that position. My goal in the presentation was to discuss the issue so people were informed as to the threats that exist, allowing you to make educated decisions about them. I mentioned that in the webcast, but it didn't make it to Joanie's article.

All in all, I'm happy to have the chance to discuss these topics, and I thank the anonymous poster for sharing his/her feelings!

-Joshua Wright
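The 40 MHz scanning point in the reply above (a sensor on 36+ sees 20 and 40 MHz traffic on channel 36 but not 20 MHz traffic on channel 40, and non-standard pairings such as 40+/44- add further configurations) can be turned into a scan-planning check. The following is an added example, not code from the article or from Joshua Wright; it assumes a simplified model in which one sensor dwell on (primary, secondary) observes 20 MHz frames on its primary channel and 40 MHz frames only on that exact primary/secondary pair, and it compares how many dwells a WIDS needs with standard pairings only against all adjacent pairings.

```python
# Added example (not from the page or its author). Modelling assumption: a dwell
# on (primary, secondary) sees 20 MHz frames on its primary channel and 40 MHz
# frames only on that exact primary/secondary pair; secondary=None is 20 MHz only.

UNII_1_2 = [36, 40, 44, 48, 52, 56, 60, 64]                 # 5 GHz channels, 4 apart
STANDARD_PAIRS = [(36, 40), (44, 48), (52, 56), (60, 64)]   # 802.11n-allowed bonds

def adjacent_pairs(channels):
    """Every adjacent channel pair, standard or not (includes 40/44, 48/52, ...)."""
    return [(a, b) for a, b in zip(channels, channels[1:]) if b - a == 4]

def air_configs(channels, pairs):
    """All (primary, secondary) configurations a device could transmit on."""
    cfgs = {(c, None) for c in channels}            # plain 20 MHz channels
    for lo, hi in pairs:
        cfgs.add((lo, hi))                          # 'lo+': primary lo, secondary above
        cfgs.add((hi, lo))                          # 'hi-': primary hi, secondary below
    return cfgs

def observed_by(dwell):
    """Configurations visible from one sensor dwell under the model above."""
    primary, secondary = dwell
    seen = {(primary, None)}
    if secondary is not None:
        seen.add((primary, secondary))
    return seen

def scan_list(channels, pairs):
    """Greedy set cover: choose dwells until every air configuration is observed."""
    remaining = air_configs(channels, pairs)
    candidates = sorted(remaining, key=lambda d: (d[0], d[1] or 0))  # stable tie-break
    chosen = []
    while remaining:
        best = max(candidates, key=lambda d: len(observed_by(d) & remaining))
        chosen.append(best)
        remaining -= observed_by(best)
    return chosen

def label(cfg):
    """36 -> '36', (36, 40) -> '36+', (40, 36) -> '40-'."""
    p, s = cfg
    return f"{p}" if s is None else f"{p}{'+' if s > p else '-'}"

if __name__ == "__main__":
    std = scan_list(UNII_1_2, STANDARD_PAIRS)
    full = scan_list(UNII_1_2, adjacent_pairs(UNII_1_2))
    print("standard pairs only:", len(std), [label(d) for d in std])
    print("all adjacent pairs :", len(full), [label(d) for d in full])
```

With these eight channels the standard pairings need 8 dwells, while covering the non-standard pairings as well needs 14, which is the "greater number of channel configurations must be scanned" effect described in the reply.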

11n risks

0

Thanks, Joshua and others

Thanks, Joshua, for all the follow-up comments, clarification and explanations. And to all who want longer articles with more issues and solutions - I completely understand. Some topics really merit them. Please note that the newsletter format is meant to be a quick look/introduction to an issue, trend, or news bit and isn't supposed to surpass 350 words per newsletter (so that it stays on one page). I have a tendency to pick topics that are really too long for this format, so please forgive me. - Joanie

Impact of 802.11n Risks

0

Another great set of comments, and I thank this poster for his insight. He/she makes a great point in that I did not spend a lot of time helping listeners apply an impact assessment for the threats I identified. I believe he/she may have missed the first few minutes of the presentation where I discussed my goal of wanting to inform the listeners of the threats that I recognized, allowing them to make an assessment as to the criticality of the problem. I could provide my perspective on the criticality of these issues, but it would not necessarily reflect the needs of different organizations. I felt I made it pretty clear that I was very excited about the advantages of 802.11n technology despite the risks I discussed, but my goal was to help educate about the problems, not make policy suggestions for organizations.

I do believe driver vulnerabilities are a significant issue, though the anonymous poster is correct in that we do not highlight any 802.11n driver vulnerabilities on the WVE site, today. I have strong confidence that will change in the future.

Thanks again for the opportunity to address these comments!

-Joshua Wright

Interesting, but wanted more ...

0

As usual, your article was very informative. I only wish that it were a bit longer. I felt like it lacked a conclusion and I would have liked to have seen more vulnerabilities listed than just the two - that is, if there were any others of note. :-)

Doesn't Joshua work for a Wi-Fi vendor?

0

Joanie:

Did you accidentally leave out the fact that Joshua works for a Wi-Fi vendor?

Not left out - that he works for Aruba is stated in a couple of

0

Not left out - that he works for Aruba is stated in a couple of places.
