[86891] in North American Network Operators' Group


Re: Wifi Security

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Nov 21 11:07:49 2005

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Gadi Evron <ge@linuxbox.org>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@nanog.org
In-Reply-To: Your message of "Mon, 21 Nov 2005 17:50:27 +0200."
             <4381ECC3.1090206@linuxbox.org> 
Date: Mon, 21 Nov 2005 11:05:00 -0500
Errors-To: owner-nanog@merit.edu


In message <4381ECC3.1090206@linuxbox.org>, Gadi Evron writes:
>> By setting up a fake AP, you can launch active attacks.  Sure, people 
>> won't get the right certificate -- and they're not going to notice, 
>> especially if the (unencrypted) initial web splash page says something 
>> like "For added security, all SSL connections from this hotspot will 
>> use Starbucks-brand certificates.  Please configure your browser to 
>> accept them -- it will protect you from fraud."
>> 
>> 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
>I am very happy to agree with Steve. But I'd also like to add something.
>
>Security does not have to be end-user based... risking the wrath of 
>Randy, let us hail Vietnam for a moment..
>
>One of the technologies first employed in Vietnam (I may be wrong, my 
>history isn't that good) was that of tracking radiation, and 
>specifically, EM radiation by creating the first "smart bombs".
>
>You could see this type of "physical" electronic warfare also employed 
>in Iraq with the US Gov't bombing the center of GSM-blocking signal 
>generators.
>
>Locating where a transmission comes from, supposing it comes from a 
>centralized source, is rather easy.
>
>Missiles for your local ISP to use? I find this rather amusing and a 
>clear path to take.

Leaving the politics aside, it's a lot harder than it seems.  After an 
active attack at a security conference a few years ago, a prof had some 
of his grad students investigate it.  Multipath, variable signal 
attenuation, and the like make it very, very hard.  (If it worked, the 
idea was to embed the localizer in a WiFi-equipped Sony Aibo -- a robot 
dog to hunt down miscreants...)

Btw -- a lot of hot spots already do ARP-filtering to block ARP-level 
attacks on the default router's MAC address.  This problem is already 
out there.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
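
The ARP filtering mentioned in the message above, sketched as an added example that is not part of the original post or any hotspot vendor's code. The filter policy (drop ARP from client ports that claims the default router's IP or MAC), the addresses and all function names are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Assumed hotspot configuration (constructed values, not from the post).
GATEWAY_IP = IPv4Address("192.0.2.1")
GATEWAY_MAC = bytes.fromhex("020000000001")
ARP_ETHERTYPE = b"\x08\x06"

def build_arp(eth_src, sha, spa, tpa, oper, tha=b"\x00" * 6):
    """Build a constructed broadcast Ethernet/IPv4 ARP frame for the samples."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return (b"\xff" * 6 + eth_src + ARP_ETHERTYPE + header
            + sha + spa.packed + tha + tpa.packed)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip), or None if the ARP is malformed."""
    if len(frame) < 42:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    return frame[6:12], frame[22:28], IPv4Address(frame[28:32])

def allow_from_client_port(frame):
    """Decide whether a frame received on a client-facing port is forwarded."""
    if len(frame) < 14 or frame[12:14] != ARP_ETHERTYPE:
        return True   # not ARP: outside this filter's scope
    parsed = parse_arp(frame)
    if parsed is None:
        return False  # truncated or non-Ethernet/IPv4 ARP
    eth_src, sender_mac, sender_ip = parsed
    if sender_mac != eth_src:
        return False  # ARP payload disagrees with the Ethernet source
    if sender_ip == GATEWAY_IP or sender_mac == GATEWAY_MAC:
        return False  # a client is claiming the router's IP or MAC
    return True

# Constructed sample frames from one client.
CLIENT_MAC = bytes.fromhex("02000000000a")
CLIENT_IP = IPv4Address("192.0.2.50")
SAMPLES = {
    "who-has gateway": build_arp(CLIENT_MAC, CLIENT_MAC, CLIENT_IP, GATEWAY_IP, 1),
    "reply claiming gateway IP": build_arp(CLIENT_MAC, CLIENT_MAC, GATEWAY_IP, CLIENT_IP, 2),
    "forged sender MAC": build_arp(CLIENT_MAC, GATEWAY_MAC, GATEWAY_IP, CLIENT_IP, 2),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {'forward' if allow_from_client_port(frame) else 'drop'}")
```

A filter of this kind only helps on the legitimate access point; it does nothing against the fake AP discussed earlier in the thread, where the attacker controls the infrastructure itself.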


