[34903] in bugtraq


Denial of Service Vulnerability in IEEE 802.11 Wireless Devices

daemon@ATHENA.MIT.EDU (albatross@tim.it)
Sat May 15 14:30:07 2004

From: <albatross@tim.it>
To: <bugtraq@securityfocus.com>
Date: Sat, 15 May 2004 13:33:08 +0200
Message-Id: <20040515113308.YNMC20228.fep03-svc.tim.it@localhost>


As requested, I repost it as an attachment with the AUSCert PGP Public Key.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2004.02                     AUSCERT Advisory

      Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
                                13 May 2004
Last Revised: --

- ---------------------------------------------------------------------------


1.  Description

	A vulnerability exists in hardware implementations of the IEEE
	802.11 wireless protocol[1] that allows for a trivial but effective
	attack against the availability of wireless local area network
	(WLAN) devices.

	An attacker using a low-powered, portable device such as an
	electronic PDA and a commonly available wireless networking card
	may cause significant disruption to all WLAN traffic within range,
	in a manner that makes identification and localisation of the
	attacker difficult.

	The vulnerability is related to the medium access control (MAC)
	function of the IEEE 802.11 protocol.  WLAN devices perform Carrier
	Sense Multiple Access with Collision Avoidance (CSMA/CA), which
	minimises the likelihood of two devices transmitting
	simultaneously.  Fundamental to the functioning of CSMA/CA is the
	Clear Channel Assessment (CCA) procedure, used in all
	standards-compliant hardware and performed by a Direct Sequence
	Spread Spectrum (DSSS) physical (PHY) layer.

	An attack against this vulnerability exploits the CCA function at
	the physical layer and causes all WLAN nodes within range, both
	clients and access points (AP), to defer transmission of data for
	the duration of the attack. When under attack, the device behaves
	as if the channel is always busy, preventing the transmission of
	any data over the wireless network.

	Previously, attacks against the availability of IEEE 802.11
	networks have required specialised hardware and relied on the
	ability to saturate the wireless frequency with high-power
	radiation, an avenue not open to discreet attack. This
	vulnerability makes a successful, low cost attack against a
	wireless network feasible for a semi-skilled attacker.

	Although the use of WLAN technology in the areas of critical
	infrastructure and systems is still relatively nascent, uptake of
	wireless applications is demonstrating exponential growth. The
	potential impact of any effective attack, therefore, can only
	increase over time.

2. Platform

	Wireless hardware devices that implement IEEE 802.11 using a DSSS
	physical layer. Includes IEEE 802.11, 802.11b and low-speed (below
	20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and
	high-speed (above 20Mbps) 802.11g wireless devices.

3.  Impact

	Devices within range of the attacking device will be affected. If
	an AP is within range, all devices associated with that AP are
	denied service; if an AP is not within range, only those devices
	within range of the attacking device are denied service.

	Minimum threat characteristics:

		o An attack can be mounted using commodity hardware and
		drivers - no dedicated or high-power wireless hardware is
		required

		o An attack consumes limited resources on attacking device,
		so is inexpensive to mount

		o Vulnerability will not be mitigated by emerging MAC layer
		security enhancements, i.e. IEEE 802.11 TGi

		o Independent vendors have confirmed that there is
		currently no defence against this type of attack for DSSS
		based WLANs

	The range of a successful attack can be greatly improved by an
	increase in the transmission power of the attacking device, and
	the use of high-gain antennae.

4.  Workarounds/Mitigation

	At this time a comprehensive solution, in the form of software or
	firmware upgrade, is not available for retrofit to existing
	devices. Fundamentally, the issue is inherent in the protocol
	implementation of IEEE 802.11 DSSS.

	IEEE 802.11 device transmissions are of low energy and short range,
	so the range of this attack is limited by the signal strength of
	the attacking device, which is typically low. Well shielded WLANs
	such as those for internal infrastructures should be relatively
	immune, however individual devices within range of the attacker
	may still be affected. Public access points will remain
	particularly vulnerable.

	The model of a shared communications channel is a fundamental
	factor in the effectiveness of an attack on this vulnerability.
	For this reason, it is likely that devices based on the newer IEEE
	802.11a standard will not be affected by this attack where the
	physical layer uses Orthogonal Frequency Division Multiplexing
	(OFDM).

	It is recognised that the 2.4 GHz band suffers from radio
	interference problems, and it is expected that operators of the
	technology will already have in place measures to shield their
	networks as well as a reduced reliance on this technology for
	critical applications.

	The effect of the DoS on WLANs is not persistent - once the jamming
	transmission terminates, network recovery is essentially immediate.

	The results of a successful DoS attack will not be directly
	discernable to an attacker, so an attack of this type may be
	generally less attractive to mount.

	At this time, AusCERT continues to recommend that the application
	of wireless technology should be precluded from use in safety,
	critical infrastructure and/or other environments where
	availability is a primary requirement. Operators of wireless LANs
	should be aware of the increased potential for undesirable activity
	directed at their networks.

REFERENCES:

[1] IEEE-SA Standards Board, "IEEE Std IEEE 802.11-1999 Information
    Technology - Telecommunications and Information Exchange Between
    Systems-Local and Metropolitan Area Networks - Specific Requirements
    - Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer
    (PHY) Specifications," IEEE 1999.
    http://standards.ieee.org/getieee802/download/802.11-1999.pdf

- -------------------------------------------------------------------------
AusCERT would like to thank the Queensland University of Technology (QUT)
Information Security Research Centre (ISRC) for the information contained
in this advisory. AusCERT would like to thank all vendors that participated
in this process and provided recommendations for mitigation and/or
confirmed details of the vulnerability.
- -------------------------------------------------------------------------

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----

iQCVAwUBQKLIGSh9+71yA2DNAQIH3gP8CtJ1vKa6zmDxAIUo20JE2CmmCYiWmyQq
lLomjl0hZLx+TPJPg2O6I9wlBCDy8grv96B8FT3RLDy7nqoT/QQAc02YiR6EnJl4
Q9inQOgBhd6FUcW984uxl6MyK0K8wWrPg35dg8jW1ZbQBe8tWzABaOTdbqjAQgES
rg0vm/7RE5g=
=L8tY
-----END PGP SIGNATURE-----
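
Added example, not part of the AusCERT advisory or the original post: the advisory describes devices under attack behaving as if the channel is always busy, so an operator can watch the radio's own channel-busy counters for that signature. The sketch parses two constructed snapshots in the layout of `iw dev <ifname> survey dump` and flags an interval where the channel is sensed busy almost continuously while little time is spent receiving or transmitting frames; the thresholds, the cumulative-counter behaviour and the verdict names are assumptions.

```python
import re

# Constructed samples in the layout printed by `iw dev <ifname> survey dump`,
# taken 10 s apart on one channel; counters are assumed to be cumulative.
SAMPLE_T0 = """\
Survey data from wlan0
    frequency:              2412 MHz [in use]
    noise:                  -95 dBm
    channel active time:    100000 ms
    channel busy time:      21000 ms
    channel receive time:   17000 ms
    channel transmit time:  2000 ms
"""
SAMPLE_T1 = """\
Survey data from wlan0
    frequency:              2412 MHz [in use]
    channel active time:    110000 ms
    channel busy time:      30900 ms
    channel receive time:   17150 ms
    channel transmit time:  2010 ms
"""

FIELD = re.compile(r"^\s*channel (active|busy|receive|transmit) time:\s+(\d+) ms", re.M)

def parse_in_use(survey_text):
    """Return the ms counters of the survey block marked [in use], or None."""
    for block in re.split(r"(?m)^Survey data from .*$", survey_text):
        if "[in use]" in block:
            return {name: int(value) for name, value in FIELD.findall(block)}
    return None

def assess(before, after, busy_min=0.90, decoded_max=0.20):
    """Classify one interval from two cumulative counter snapshots.
    Thresholds are illustrative assumptions, not values from the advisory."""
    keys = ("active", "busy", "receive", "transmit")
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in keys}
    if delta["active"] <= 0:
        return "no-data", 0.0, 0.0  # counters reset or did not advance
    busy = delta["busy"] / delta["active"]
    decoded = (delta["receive"] + delta["transmit"]) / delta["active"]
    if busy >= busy_min and decoded <= decoded_max:
        return "cca-busy-without-traffic", busy, decoded
    if busy >= busy_min:
        return "congested", busy, decoded
    return "normal", busy, decoded

if __name__ == "__main__":
    print(assess(parse_in_use(SAMPLE_T0), parse_in_use(SAMPLE_T1)))
```

Survey counter support varies by driver; a "no-data" verdict means the counters did not advance between the two snapshots.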



