Wireless Access Points and ARP Poisoning

From: aleph1@securityfocus.com
Date: 10/19/01

Date: Fri, 19 Oct 2001 11:48:43 -0600
From: aleph1@securityfocus.com
To: secpapers@securityfocus.com
Subject: Wireless Access Points and ARP Poisoning
Message-ID: <20011019114843.B16608@securityfocus.com>

Wireless Access Points and ARP Poisoning:
Wireless vulnerabilities that expose the wired network
Bob Fleck <rfleck@cigital.com>, Jordan Dimov <jdimov@cigital.com>

Address resolution protocol (ARP) cache poisoning is a MAC layer attack that
can only be carried out when an attacker is connected to the same local
network as the target machines, limiting its effectiveness only to networks
connected with switches, hubs, and bridges; not routers. Most 802.11b access
points acts as transparent MAC layer bridges, which allow ARP packets to
pass back and forth between the wired and wireless networks. This
implementation choice for access points allows ARP cache poisoning attacks
to be executed against systems that are located behind the access point. In
unsafe deployments, wireless attackers can compromise traffic between
machines on the wired network behind the wireless network, and also
compromise traffic between other wireless machine including roaming clients
in other cells. Of particular note is the vulnerability of home combination
devices that offer a wireless access point, a switch, and a DSL/cable modem
router in one package. These popular consumer devices allow a wireless
attacker to compromise traffic between computes connected to the built-in


Elias Levy
Si vis pacem, para bellum

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/