Design Flaw in Lucent/Orinoco 802.11 proprietary access control
daemon@ATHENA.MIT.EDU (Bill Arbaugh)
Tue Apr 3 15:44:58 2001
Date: Mon, 2 Apr 2001 20:35:05 -0400
Reply-To: Bill Arbaugh <waa@CS.UMD.EDU>
From: Bill Arbaugh <waa@CS.UMD.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Name: Lucent/Orinoco Closed Network design flaw
Products: Most access points based on Orinoco wireless cards.
Severity: An attacker can determine the network name, or SSID,
which controls access to the network. Knowledge of the
SSID permits a client to associate/join the
network. If WEP is not enabled, the attacker gains
unrestricted access to the network immediately.
Author: William A. Arbaugh
waa@cs.umd.edu
http://www.cs.umd.edu/~waa
Vendor Status: Vendor informed of the problem on April 1, 2001 via
electronic mail. Vendor responded that this is just
"one little hurdle .." to gaining access on April 2,
2001 via electronic mail.
Details:
Lucent has defined a proprietary access control
mechanism entitled Closed Network [1]. With this
mechanism, a network manager can use either an open or
a closed network. In an open network, anyone is
permitted to join the network. In a closed network,
only those clients with knowledge of the network name,
or SSID, can join. In essence, the network name acts
as a shared secret. Claims are made in [1] that a
Closed Network prevents unauthorized users from
accessing the network.
In practice, security mechanisms based on a shared
secret are robust provided the secrets are
well-protected in use and when
distributed. Unfortunately, this is not the case with
Lucent's proprietary access control mechanism. Several
802.11 management messages contain the network name,
or SSID, and these messages are broadcast in the clear
by access points and clients. The actual message
containing the SSID depends on the vendor and model of
the access point. The end result, however, is that an
attacker can easily sniff the network name,
determining the shared secret and gaining immediate
access to the "protected" network if WEP is not
enabled. Even with WEP enabled, however, the attacker
could utilize previously disclosed WEP flaws [2,3] to
gain access by forging packets.
This flaw, and others contained in 802.11, are
described in more detail in [4].
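To make the point concrete, here is an added illustration that is not part of the original advisory and not Lucent/Orinoco code: a small Python parser for the SSID information element in 802.11 management frames, run over constructed sample frames (the frame bytes, addresses and SSID value are made up). It shows that the "shared secret" is an ordinary plaintext tagged parameter in probe requests, probe responses and association requests, and that a zero-length SSID in the beacon does not remove it from the other frames.

```python
# Management subtype -> fixed-field length that precedes the tagged parameters
# (every management frame starts with the 24-byte MAC header).
SUBTYPE_FIXED_LEN = {
    0: 4,    # association request: capability(2) + listen interval(2)
    4: 0,    # probe request: tagged parameters start immediately
    5: 12,   # probe response: timestamp(8) + interval(2) + capability(2)
    8: 12,   # beacon: same fixed fields as a probe response
}
SSID_ELEMENT_ID = 0   # element ID 0 is the SSID information element
MGMT_HDR_LEN = 24

def extract_ssid(frame: bytes):
    """Return (subtype, ssid) if a management frame carries an SSID element.
    None for data/control frames, other subtypes or truncated frames; b''
    is the zero-length SSID a 'closed network' beacon advertises."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPE_FIXED_LEN:
        return None
    pos = MGMT_HDR_LEN + SUBTYPE_FIXED_LEN[subtype]
    # Walk the (id, length, value) tagged parameters; nothing here is encrypted.
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        if pos + 2 + elen > len(frame):
            return None          # truncated element: do not trust it
        if eid == SSID_ELEMENT_ID:
            return subtype, bytes(frame[pos + 2:pos + 2 + elen])
        pos += 2 + elen
    return None

def build_mgmt_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed sample frame for the demo, not a real capture."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00"                  # frame control, duration
    hdr += b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x00\x00"  # addr1..3, seq ctrl
    fixed = b"\x00" * SUBTYPE_FIXED_LEN[subtype]
    ssid_el = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_el = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])              # supported rates
    return hdr + fixed + ssid_el + rates_el

def audit(frames, secret_ssid: bytes):
    """Count, per subtype, the frames that carry secret_ssid in the clear."""
    leaks = {}
    for frame in frames:
        found = extract_ssid(frame)
        if found and found[1] == secret_ssid:
            leaks[found[0]] = leaks.get(found[0], 0) + 1
    return leaks
```

Running audit() over a capture of your own network's management traffic tells you exactly which frame types expose the name, which is the check to make before relying on a Closed Network setting for anything.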
References:
[1] Lucent Orinoco, User's Guide for the ORiNOCO
Manager's Suite, November 2000.
[2] J. Walker, "Unsafe at any key size: An analysis of
the WEP encapsulation", Tech. Rep. 03628E, IEEE 802.11
committee, March 2000.
http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip
[3] N. Borisov, I. Goldberg, and D. Wagner,
Intercepting Mobile Communications: The Insecurity of
802.11. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
[4] W. Arbaugh, N. Shankar, and Y. Wan, Your 802.11
Wireless Network has No Clothes.
http://www.cs.umd.edu/~waa/wireless.pdf