DEF CON Jam

By Adam Stone

August 13, 2002

Security specialists at the world's largest hacker convention saw attack after attack on the show's wireless LAN, and consider it a harbinger of things to come.

If the folks at wireless-security firm AirDefense are right, your wireless LAN is far less prepared for a hacker attack than you think.

This month AirDefense engineers attended the DEF CON 10 hacker convention in Las Vegas, where they saw first hand how hackers are stepping up both the intensity and the creativity of their attacks against wireless networks.

"Two years ago they only had a wired network there. This year all they had was a wireless LAN, so that is a pretty good gauge of where their interest lies," said Fred Tanzella, chief security officer of AirDefense. His company's products are meant to give an early warning of security breaches, "and we generated 13,000 alarms almost as soon as we turned on our system there."

Analysts are alarmed not just by the quantity of these attacks, but by their ingenuity. No longer content to merely sniff the air, hackers now are finding ways to hijack wireless networks. They are changing management frames, for example, and masquerading as legitimate access points. "They only had eight access points deployed at the convention," said Tanzella, "but we saw 35 of them. So they have laptops running in access-point mode, and their signal strength was stronger than the actual access points."

And it gets worse.

"A real scary one is ad hoc network attacks," said Tanzella. "If you look at your wireless card, it can operate in infrastructure mode, which is normal mode, but then there is also ad hoc mode, where you do peer-to-peer networking. Well, now [hackers] can change your card to ad hoc mode, where they are connected directly to your PC and can access all your information, including your access codes."

Analysts say these kinds of stepped-up hacker efforts were only to be expected.

"Last year a number of researchers exposed flaws in WEP that expose it to hacking. As a result hackers have increasingly begun developing techniques to exploit these weaknesses," said Navin Sabharwal, an analyst with Allied Business Intelligence. "This is a particular threat to enterprises that have deployed 802.11 infrastructure."

In addition to the attacks described above, AirDefense engineers registered a number of other creative attacks during their two hours of monitoring hacker activity: 807 attacks, to be exact.

Of these, 490 were wireless probes from tools such as Netstumbler. These scans were used to evaluate the network and determine who was most vulnerable to greater attacks.

The team also witnessed 190 incidents of identity theft, in which hackers spoofed Media Access Control (MAC) addresses and Service Set Identifiers (SSIDs) in order to assume the identity of another user.

Hackers also launched 100 forms of denial-of-service attacks. They either jammed the airwaves with noise to shut down an access point, targeted specific stations by continually disconnecting them from an access point, or forced stations to route their traffic through other stations that ultimately did not connect back to the network.

As the hacker threat grows, opinions vary as to effective counter-measures.

In the long term, said Sabharwal, the solution may be found in the IEEE 802.11i specification. "This specification, which will be delivered by end of 2002, will apply a new security scheme to all the 802.11 protocols," he noted. Many in the 802.11 community are counting on the new spec to seal the leaks, but others say more aggressive action is needed now.

Some say the best defense today is a good offense -- or at least a vigilant guard at the door. They say the surest way to safeguard wireless data right now is to detect attacks as they occur.

"You need to actively monitor for intrusions," said Dr. Sandeep Singhal, CTO of ReefEdge, a wireless-security firm. "If you can discover anomalous behavior that does not match what a legitimate user would be doing, then you can stop them while they are actively trying to break in."

AirDefense agrees that real-time monitoring is a vital part of the overall security architecture. "We recommend a layered approach, starting by setting in place your security policy and blocking off your firewalls, then using a VPN with strong authentication, and then having an intrusion detection [application] to make sure everything is working properly and to identify possible breaches," said Tanzella.
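The alarm categories the article tallies (rogue and masquerading access points, ad hoc networks, Netstumbler-style probe scans, deauthentication floods) and the monitoring advice above map onto a few simple checks over decoded 802.11 management frames. The following is an added illustration, not AirDefense's or ReefEdge's code: it classifies a constructed window of frame summaries against a constructed authorized-AP inventory, and the `Frame` fields, thresholds and MAC addresses are assumptions chosen for the example.

```python
"""Added example: a minimal wireless-IDS classifier (not any vendor's product).

It consumes pre-decoded 802.11 frame summaries (constructed below; a real
deployment would feed it from a monitor-mode capture) and emits the alarm
categories the article counts.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    kind: str                       # "beacon", "probe_req" or "deauth"
    src: str                        # transmitter MAC (the BSSID for beacons)
    dst: str = "ff:ff:ff:ff:ff:ff"  # receiver MAC; broadcast by default
    ssid: str = ""                  # advertised or probed SSID; "" = wildcard
    ibss: bool = False              # beacon capability bit: True = ad hoc network


# Authorized inventory, BSSID -> SSID. Constructed values, not DEF CON's real APs.
AUTHORIZED_APS = {
    "00:00:00:00:00:01": "CORP",
    "00:00:00:00:00:02": "CORP",
}
DEAUTH_FLOOD_THRESHOLD = 5   # deauth frames aimed at one station per window
PROBE_SCAN_THRESHOLD = 3     # wildcard probe requests from one source per window


def analyze(frames):
    """Return a list of (category, detail) alarms for one observation window."""
    alarms = []
    flagged_bssids = set()         # one AP alarm per BSSID per window
    deauths = Counter()            # victim station -> deauth count
    probes = Counter()             # probing source -> wildcard probe count
    authorized_ssids = set(AUTHORIZED_APS.values())

    for f in frames:
        if f.kind == "beacon":
            if f.src in flagged_bssids:
                continue
            expected = AUTHORIZED_APS.get(f.src)
            if f.ibss:
                # A station advertising a peer-to-peer (ad hoc) network
                alarms.append(("ad_hoc_network", f"{f.src} advertises IBSS '{f.ssid}'"))
            elif expected is None and f.ssid in authorized_ssids:
                # Unknown radio masquerading as a legitimate AP by SSID
                alarms.append(("ssid_spoof", f"unauthorized {f.src} advertises '{f.ssid}'"))
            elif expected is None:
                alarms.append(("rogue_ap", f"{f.src} advertises '{f.ssid}'"))
            elif expected != f.ssid:
                # Known BSSID reused with the wrong SSID: the AP's MAC is being spoofed
                alarms.append(("mac_spoof", f"{f.src} should advertise '{expected}', saw '{f.ssid}'"))
            else:
                continue  # legitimate AP, nothing to flag
            flagged_bssids.add(f.src)
        elif f.kind == "deauth":
            deauths[f.dst] += 1
        elif f.kind == "probe_req" and f.ssid == "":
            probes[f.src] += 1

    for station, n in deauths.items():
        if n >= DEAUTH_FLOOD_THRESHOLD:
            alarms.append(("deauth_flood", f"{n} deauth frames sent to {station}"))
    for src, n in probes.items():
        if n >= PROBE_SCAN_THRESHOLD:
            alarms.append(("probe_scan", f"{n} wildcard probes from {src}"))
    return alarms


def counts(alarms):
    """Tally alarms by category, the way the article reports them."""
    return dict(Counter(category for category, _ in alarms))


# Constructed observation window: two legitimate APs, one SSID spoof, one rogue AP,
# one ad hoc station, one MAC-spoofed AP, one scanner and one deauth flood.
SAMPLE_FRAMES = (
    [
        Frame("beacon", "00:00:00:00:00:01", ssid="CORP"),
        Frame("beacon", "00:00:00:00:00:02", ssid="CORP"),
        Frame("beacon", "00:00:00:00:00:02", ssid="CORP"),
        Frame("beacon", "02:aa:aa:aa:aa:01", ssid="CORP"),      # masquerading AP
        Frame("beacon", "02:aa:aa:aa:aa:01", ssid="CORP"),      # repeat, still one alarm
        Frame("beacon", "02:bb:bb:bb:bb:01", ssid="FreeWiFi"),  # rogue AP
        Frame("beacon", "02:cc:cc:cc:cc:01", ssid="peer", ibss=True),
        Frame("beacon", "00:00:00:00:00:01", ssid="OTHER"),     # authorized BSSID, wrong SSID
    ]
    + [Frame("probe_req", "02:dd:dd:dd:dd:01") for _ in range(4)]
    + [Frame("deauth", "00:00:00:00:00:01", dst="02:ee:ee:ee:ee:01") for _ in range(6)]
)

if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_FRAMES):
        print(f"{category:15s} {detail}")
    print(counts(analyze(SAMPLE_FRAMES)))
```

The checks are deliberately inventory-driven: the rogue and spoof alarms exist only because the defender knows which BSSIDs and SSIDs are legitimate, which is why the article's layered advice starts with a written policy before any monitoring tool is switched on. Per-window thresholds keep a single stray deauth or a laptop's normal probe from raising an alarm while a sustained flood or scan still does.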

On the other hand, maybe it's all overkill.

"Certainly with the state of encryption today, I am not surprised that they would get these kinds of results," said Gartner Research analyst Ken Dulaney of the AirDefense findings. But on the other hand, he said, the skills of hackers may not actually matter all that much.

"You have to play probabilities, and for most people today, 40-bit WEP encryption is sufficient," he said. "These types of attacks could certainly defeat it, but most companies would never get attacked, just because of who they are. The fact is, nobody cares" about their data.

Got a comment or question? Discuss it in the 802.11 Planet Forums with moderator Jim Geier.
