[NEWS] DoS Vulnerability in IEEE 802.11 Wireless Devices

From: SecuriTeam (support_at_securiteam.com)
Date: 05/16/04

    To: list@securiteam.com
    Date: 16 May 2004 16:39:30 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      DoS Vulnerability in IEEE 802.11 Wireless Devices
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in the 802.11 WLAN protocol allows a remote attacker to
    disrupt network traffic using low-powered standard WiFi equipment.

    DETAILS

    A vulnerability exists in hardware implementations of the IEEE 802.11
    wireless protocol (<http://standards.ieee.org/getieee802/download/802.11-1999.pdf>)
    that allows for a trivial but effective attack against the availability of
    wireless local area network (WLAN) devices.

    An attacker using a low-powered, portable device such as an electronic PDA
    and a commonly available wireless networking card may cause significant
    disruption to all WLAN traffic within range, in a manner that makes
    identification and localization of the attacker difficult.

    The vulnerability is related to the medium access control (MAC) function
    of the IEEE 802.11 protocol. WLAN devices perform Carrier Sense Multiple
    Access with Collision Avoidance (CSMA/CA), which minimizes the likelihood
    of two devices transmitting simultaneously. Fundamental to the
    functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure,
    used in all standards-compliant hardware and performed by a Direct
    Sequence Spread Spectrum (DSSS) physical (PHY) layer.
    An attack against this vulnerability exploits the CCA function at the
    physical layer and causes all WLAN nodes within range, both clients and
    access points (AP), to defer transmission of data for the duration of the
    attack. When under attack, the device behaves as if the channel is always
    busy, preventing the transmission of any data over the wireless network.

    Previously, attacks against the availability of IEEE 802.11 networks have
    required specialized hardware and relied on the ability to saturate the
    wireless frequency with high-power radiation, an avenue not open to
    discreet attack. This vulnerability makes a successful, low cost attack
    against a wireless network feasible for a semi-skilled attacker.
    Although the use of WLAN technology in the areas of critical
    infrastructure and systems is still relatively nascent, uptake of wireless
    applications is demonstrating exponential growth. The potential impact of
    any effective attack, therefore, can only increase over time.

    Platform:
    Wireless hardware devices that implement IEEE 802.11 using a DSSS physical
    layer. Includes IEEE 802.11, 802.11b and low-speed (below 20Mbps) 802.11g
    wireless devices. Excludes IEEE 802.11a and high-speed (above 20Mbps)
    802.11g wireless devices.

    Impact:
    Devices within range of the attacking device will be affected. If an AP is
    within range, all devices associated with that AP are denied service; if
    an AP is not within range, only those devices within range of the
    attacking device are denied service.
    Minimum threat characteristics:
     * An attack can be mounted using commodity hardware and drivers; no
    dedicated or high-power wireless hardware is required.
     * An attack consumes limited resources on the attacking device, so it is
    inexpensive to mount.
     * The vulnerability will not be mitigated by emerging MAC-layer security
    enhancements, i.e. IEEE 802.11 TGi.
     * Independent vendors have confirmed that there is currently no defense
    against this type of attack for DSSS-based WLANs.

    The range of a successful attack can be greatly improved by an increase in
    the transmission power of the attacking device, and the use of high-gain
    antennae.

    Workarounds/Mitigation:
    At this time a comprehensive solution, in the form of software or firmware
    upgrade, is not available for retrofit to existing devices. Fundamentally,
    the issue is inherent in the protocol implementation of IEEE 802.11 DSSS.

    IEEE 802.11 device transmissions are of low energy and short range, so the
    range of this attack is limited by the signal strength of the attacking
    device, which is typically low. Well-shielded WLANs, such as those for
    internal infrastructures, should be relatively immune; however, individual
    devices within range of the attacker may still be affected. Public access
    points will remain particularly vulnerable.
    The model of a shared communications channel is a fundamental factor in
    the effectiveness of an attack on this vulnerability. For this reason, it
    is likely that devices based on the newer IEEE 802.11a standard will not
    be affected by this attack where the physical layer uses Orthogonal
    Frequency Division Multiplexing (OFDM).

    It is recognized that the 2.4 GHz band suffers from radio interference
    problems, and it is expected that operators of the technology will already
    have in place measures to shield their networks, as well as a reduced
    reliance on this technology for critical applications.
    The effect of the DoS on WLANs is not persistent - once the jamming
    transmission terminates, network recovery is essentially immediate.
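    The CSMA/CA deferral described under DETAILS, and the immediate recovery once
    the busy condition ends, modelled as an added illustration. This is not code
    from AusCERT, SecuriTeam or any vendor, and it touches no radio: each station
    consults an abstract Clear Channel Assessment result per slot, freezes its
    backoff counter while the medium reads busy, and transmits only when the
    counter reaches zero on an idle slot. The contention-window constants are the
    802.11b DSSS figures; the station count, slot counts, jam window and the
    `stall_windows` detection heuristic (channel almost always busy yet nothing
    delivered) are constructed for the example and not taken from the advisory.

```python
"""Slotted model of the 802.11 DCF carrier-sense loop, driven by a CCA input.

Added illustration for this advisory, not code from AusCERT, SecuriTeam or any
driver. Frames are one slot long here, a simplification of real DCF timing.
"""
import random
from dataclasses import dataclass

CW_MIN = 31    # 802.11b DSSS minimum contention window, in slots
CW_MAX = 1023  # maximum contention window after repeated collisions


@dataclass
class Station:
    backoff: int          # idle slots still to wait before transmitting
    cw: int = CW_MIN      # current contention window
    delivered: int = 0    # frames successfully delivered


def simulate(num_stations, num_slots, external_busy, seed=1):
    """Run the model and return per-slot traces plus totals.

    external_busy(slot) -> bool stands for the CCA reporting energy on the
    channel that is not a peer's frame. Returning True on every slot is the
    condition the advisory describes: every station defers indefinitely.
    """
    rng = random.Random(seed)
    stations = [Station(backoff=rng.randint(0, CW_MIN)) for _ in range(num_stations)]
    busy_trace, delivered_trace = [], []

    for slot in range(num_slots):
        if external_busy(slot):
            # CCA says busy: backoff counters freeze, nobody transmits.
            busy_trace.append(True)
            delivered_trace.append(0)
            continue
        busy_trace.append(False)

        ready = [s for s in stations if s.backoff == 0]
        for s in stations:          # idle slot: waiting stations count down
            if s.backoff > 0:
                s.backoff -= 1

        if len(ready) == 1:         # exactly one sender: success
            s = ready[0]
            s.delivered += 1
            s.cw = CW_MIN
            s.backoff = rng.randint(0, s.cw)
            delivered_trace.append(1)
        else:                       # none ready, or a collision
            for s in ready:         # collided senders double their window
                s.cw = min(2 * s.cw + 1, CW_MAX)
                s.backoff = rng.randint(0, s.cw)
            delivered_trace.append(0)

    return {
        "delivered": sum(delivered_trace),
        "deferred_slots": sum(busy_trace),
        "busy": busy_trace,
        "per_slot": delivered_trace,
    }


def stall_windows(busy_trace, delivered_trace, window=100, busy_frac=0.95):
    """Constructed detection heuristic: flag monitoring windows where the
    medium reads busy almost the whole time yet no frame is delivered.
    Ordinary congestion also shows a busy channel, but it still carries
    frames; deferral carries none. Returns [(start_slot, end_slot), ...].
    """
    flagged = []
    for start in range(0, len(delivered_trace), window):
        busy = busy_trace[start:start + window]
        sent = delivered_trace[start:start + window]
        if sum(busy) / len(busy) >= busy_frac and sum(sent) == 0:
            flagged.append((start, start + len(busy)))
    return flagged


if __name__ == "__main__":
    clean = simulate(3, 2000, lambda slot: False)
    jammed = simulate(3, 2000, lambda slot: True)
    # Constructed scenario: CCA reads busy from slot 200 up to (not including) 400.
    burst = simulate(3, 2000, lambda slot: 200 <= slot < 400)
    print("clean channel   :", clean["delivered"], "frames")
    print("always busy     :", jammed["delivered"], "frames,",
          jammed["deferred_slots"], "slots deferred")
    print("busy 200-399    :", sum(burst["per_slot"][200:400]), "frames during,",
          sum(burst["per_slot"][400:]), "frames after")
    print("flagged windows :", stall_windows(burst["busy"], burst["per_slot"]))
```

    The third scenario is the one the paragraph above describes: deliveries stop
    for exactly the slots in which the CCA reads busy and resume as soon as it
    reads idle, because the frozen backoff counters simply continue from where
    they stopped. A channel-utilisation counter alone would not separate this
    from heavy legitimate use; pairing it with a zero-throughput check does.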

    The results of a successful DoS attack will not be directly discernible to
    an attacker, so an attack of this type may be generally less attractive to
    mount.

    At this time, AusCERT continues to recommend that the application of
    wireless technology should be precluded from use in safety, critical
    infrastructure and/or other environments where availability is a primary
    requirement. Operators of wireless LANs should be aware of the increased
    potential for undesirable activity directed at their networks.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.auscert.org.au/render.html?it=4091>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

