Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Wireless Networking Hardware

A Look at the State of Wireless Security 107

An anonymous reader brings us a whitepaper from Codenomicon which discusses the state and future of wireless security. They examine Bluetooth and Wi-Fi, and also take a preliminary look at WiMAX. The results are almost universally dismal; vulnerabilities were found in 90% of the tested devices[PDF]. The paper also looks at methods for vendors to preemptively block some types of threats. Quoting: "Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope. This may be one reason why many major software vendors have been stuck randomly fixing vulnerabilities that have been found and providing countless patches to their clients to keep the systems protected."
This discussion has been archived. No new comments can be posted.

A Look at the State of Wireless Security

Comments Filter:
  • by 3seas ( 184403 ) on Sunday February 17, 2008 @01:37PM (#22454854) Homepage Journal
    ... when you don't do anything that needs to be secure, over it.

    IS that what this is saying?
    • by The Mighty Buzzard ( 878441 ) on Sunday February 17, 2008 @02:17PM (#22455168)
      On the up side, if we're talking a wireless setup with the weak signal most home setups have, anyone attempting to crack it is also within physical ass-kicking distance. Minimalist security, a fair IDS, and a lead pipe are all you need unless we're talking something with a larger coverage than most WAPs.
      • Re: (Score:3, Insightful)

        by baadger ( 764884 )
        Yeah ...except you're forgetting about the privacy concerns, which IMHO are much more scary than someone simply using my bandwidth.
      • Ever heard about "teh directional antenna" stuff?
        http://www.heise.de/english/newsticker/news/62328 [heise.de]
      • On the up side, if we're talking a wireless setup with the weak signal most home setups have, anyone attempting to crack it is also within physical ass-kicking distance.
        What do you do if you live in an apartment? Beat up twenty people who are close enough to latch on to your signal?
        • Who says you need to have wireless to have fun!
        • by kb0hae ( 956598 )
          The best solution to the problem is to NOT USE A WIRELESS NETWORK AT ALL! Its that simple. You can choose to have the security of not using wireless networking, or the convenience of using it, but having a much less secure network.

          At the present time, you can't have both.

          Your choice.
          • Not demonstrated. The sorry state of most wireless networks does not mean I can't secure mine. The article is alarmist, and a few years too late.

          • No, at present time you can have pretty decent security if you go through the trouble of enabling it, and even if you don't, you can make sure that anything important you do online is encrypted between your computer and the server.
      • by mlush ( 620447 )

        On the up side, if we're talking a wireless setup with the weak signal most home setups have, anyone attempting to crack it is also within physical ass-kicking distance. Minimalist security, a fair IDS, and a lead pipe are all you need unless we're talking something with a larger coverage than most WAPs.

        Your forgetting possible charges of assault and the difficulty of tracking the MAC ID back to a physical location. You could add breaking and entering to the charge list so you can be sure your beating up the right person...

      • you are telling me you can pinpoint someone from outside their house as to who in your neighborhood is stealing your bandwidth??? I would love to send you my employer's form, we will pay you whatever you want for this super power of yours. Welcome to the justice league...
      • This reminds me of the gun-control advocate who said no one needs to carry a weapon because you can just "put up your dukes".

        I relayed that wisdom to the frail old lady who lives next door and she laughed while she reloaded her P229.
  • by Anonymous Coward on Sunday February 17, 2008 @01:41PM (#22454882)
    ...in some kind of tube that we could install between the source and the destination.
    • This tubing system you have will not work. It's not like a big truck.
    • Re: (Score:2, Insightful)

      by iminplaya ( 723125 )
      You're right. Why is there no VPN and SSL in wireless? I hear that those things are pretty secure.
      • Re: (Score:3, Insightful)

        by swb ( 14022 )
        I'd guess that the vendors don't want to put in either faster CPUs or crypto codecs to keep performance from falling apart. But you'd think that's exactly what they would do, embed SSL encryption into the layer 2 transport, or at least make it a (default) option. Most 802.11 implementations are more likely for "convenience" wireless and not for high performance anyway, so I would imagine that some kind of default good cypto wouldn't be noticed by the 99% of WAP users.
      • by arivanov ( 12034 )
        Exactly. I am still using WEP and I do not give a flying fuck about any newer security schemes.

        I run a 256 bit AES OpenVPN with 2048 bit DSA keys over it. Before that I used to run IPSEC with 3DES of an RC4 PPTP tunnel. Either one works perfectly fine for most stuff you want to be secure. It is not much slower on modern systems either because things like the new Core2 laptops do the wireless crypto in software anyway.

        It looks like I am not the only one. I look for a relatively big telecoms company and it ha
      • SSL is a stream-based protocol, and wireless networks need to provide packet-based access. "VPN" can mean a wide variety of things, some of which are stream-based and some of which are packet-based, but in any case, offering packet-based encryption gets more complicated and produces much more overhead due to packet size limits and the fact that there is no guarantee that the packets will be delivered in order, if they are delivered at all.
    • You mean like the Internet? ;-)

    • by ettlz ( 639203 )
      Hmm, yes... just like 802.3...
  • OSS (Score:5, Insightful)

    by Anonymous Coward on Sunday February 17, 2008 @01:42PM (#22454890)
    What we need is a strong, coordinated, open-source effort to create new standards for networking devices, rather than rely totally on proprietary software.
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      Majority of sold wireless devices (especially 802.11 base stations) already run with open source code. So the problem is not with proprietary software. In fact the problem might stem from companies wanting to save on software development costs and relying on "open source quality". It's expensive to have fuzzing tools and people running them in a coordinated manner.
    • Create new standards for networking devices, rather than rely totally on proprietary software.

      Standards and software are not the same thing. How would an FOSS implementation of existing standards be insufficient in freeing us from relying totally on proprietary software? How would a new standard guarantee that we won't rely on proprietary software? Are the current standards not implementable in FOSS? What makes new standards different?

      If the issue is lack of open-source drivers because there are no ava

  • by Marcion ( 876801 ) on Sunday February 17, 2008 @01:44PM (#22454902) Homepage Journal
    I agree that any attempts for security by proxy will always have vulnerabilities. If you haven't checked the code yourself, you can never trust it 100%. If no one can check the code but crackers with fuzzing tools, then you can't trust it at all.

    For most of readers here it will no doubt be obvious, but sadly this is lost on many people who buy software, even those who buy software for large companies.

    • If you haven't checked the code yourself, you can never trust it 100%. For most of readers here it will no doubt be obvious, but sadly this is lost on many people who buy software

      Not everyone who buys software can read code or understand the hardware which it controls. Not everyone who can do both - or thinks he can - can be trusted to detect every flaw.

      • by Marcion ( 876801 )
        Not everyone who buys software can read code or understand the hardware which it controls.

        Sure, but that does not affect my point, that often people are pretending that something can be trusted when there is no basis for that trust.

        If you can't read code then you have even less basis on which to trust it. Likewise, I am not a lawyer so I have no basis on which to trust the contract with my ISP.

  • by postbigbang ( 761081 ) on Sunday February 17, 2008 @01:59PM (#22455034)
    If you RTFA, you'll see that there are lots of wireless holes. It's a constant battle to keep things patched-- when the vendors elect to issue one. It's also a company that's done a lot of work, and is now looking for more work to do. It reminds me a bit of Symantec's Macintosh threat PR.

    This doesn't excuse the rotten wireless security we have today, it nonetheless doesn't provide models for improvements or other advice or recommendations on how security can be improved.
    • by louarnkoz ( 805588 ) on Sunday February 17, 2008 @03:22PM (#22455604)
      Yes, it is a company fishing for work. They are trying to sell "protocol fuzzers" for wireless devices. They demonstrate that you can send "artistically malformed" packets to Bluetooth or Wi-Fi devices, trigger a fault in the protocol implementation, and cause the device to crash. Possibly, you can get code to run on the device.

      This has nothing to do with the classic issue of "wireless security", such as the relative strength of WEP versus WPA or WPA2. Some attack works by sending control frames, i.e. the cleartext packets that are used to establish the wireless connection in the first place, without any security being applied. Other attacks allow a station to abuse its connection privileges -- instead of merely consuming a wireless service, it can take over the whole device.

      The same technique was demonstrated by Cache & Maynor with Wi-Fi in the summer of 2006. The lessons were quickly learned on the "client" side of the Wi-Fi networks. For example, the validation tools for Windows wireless drivers now include tests against fuzzing attacks. The technique is well known, and the tool advertsied in the article is just one of many available solutions.

      However, the article points to an interesting area, the quality of implementation in "appliances" such as Wi-Fi access points. PC and Mac drivers may be well tested now, but who knows what software is run in the average access point? Also, it is much easier to download a new driver for a PC or a Mac than to update the firmware in an access point. So, we may expect to see some interesting exploits against various appliances...

      -- Louarnkoz

  • by TheLink ( 130905 ) on Sunday February 17, 2008 @02:05PM (#22455074) Journal
    Current wireless solutions in practice don't have something like https usage.

    Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).

    If you have a WiFi network secured using a naive shared key method, anyone with the shared key can decipher the access of the other users. This might be fine in your house, but not good in some public cafe.

    Seems the way around this with current WiFi technology is to let every user use an account - username and password.
    Apparently in this case even if users share the same username and password, using WPA2 or whatever (I can't be bothered to keep accurate tabs on below par crap ;) ) they can't decrypt each others sessions. Not sure if this is 100% true given the track record ;).

    Assuming it's true, it would be much easier if Windows (and other O/Ses) would default to a standard username and password AND also check the cert of the AP (and issue warnings if it looks dodgy). You should be allowed to log in using a particular user account, or be prompted if the AP rejects the default.

    Then people like Starbucks/BK/etc could use certs for their WiFi networks, and customer can have reasonably secured comms at least between themselves and the AP.

    The WiFi Alliance should have copied the SSL _concepts_ and got the help of decent security people, rather than coming up with crap year after year (for how many years?).
    • WEP == Wired Equivalency Privacy, meaning that (if it were to work as designed) it is only designed to offer security similar to a wired network. In a wired network, you (conceptually) have control over who access it based on physical access control to the wire, but you can still see packets from other users (this used to be easier with hubs, it is still possible with switches, but takes a little more work). I'm not up to date on the various modes of WPA, but as far as I know, it was mostly designed to fi
      • by TheLink ( 130905 )
        The fact they were thinking that way (WEP) shows you how much they cared about security, and how ignorant/stupid they were. Wireless is definitely not the same as wired.

        As for wired security, you can configure decent switches so that clients can only see traffic from a "blessed" server (or network/port) but not each other (not even each other's broadcasts).

        The problem as I mentioned is even if _public_ WiFi service providers want to provide better security, it's so _hard_ with the current WiFi technology an
        • I agree that WiFi doesn't live up to what it was intended to be, but the problem I was getting at is people expect it to provide a service that it was never designed to. They expect WiFi to provide VPN. It doesn't. It was never intended to. My comment about DNS was that an SSL client needs more than the fact that the certificate was signed by a trusted CA, it also needs to know that the certificate was issued to the site the user is trying to connect to. It verifies this through the DNS name. Valid ce
          • by TheLink ( 130905 )
            Yes it was never designed for that. But I'm saying the design was crap, and still is crap. In other words WiFi is defective by design.

            I don't expect WiFi to provide VPN. It's just not nice to get broken stuff when it could have been avoided.

            Back when WiFi was first starting out the technology was there (SSL was already around, they could have just copied the ideas), but the WiFi bunch gave us crap instead. To compound the problem they kept rolling out broken stuff to fix broken stuff.

            Certificates do not hav
    • Whats the point of encrypting my connection between my laptop on the Starbucks AP if its all in clear when it leaves the AP? (and also when ATT is scanning the whole thing in a backroom)

      • by TheLink ( 130905 )
        To help protect you from other people in the area, and also help protect companies providing the access.

        What ATT does further upstream is between them and you.

        What happens at the sites, affects the people running those sites too.

        If someone sets up an AP and pretends to be Starbucks, it can create a fair amount of problems, even if it's not Starbucks fault. If it's too much hassle maybe Starbucks might just stop providing WiFi access.

        Someone could still jam the network, but such attacks are more detectable.
    • Current wireless solutions in practice don't have something like https usage. Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).

      Yes they do. It's called Opportunistic Encryption and you can get it for free on Linux (at least on Ubuntu) by just installing "openswan".

      That's not implemented at the wireless solution level though. It's done with IPSEC.

      If you install openswan on your computer at home and your laptop then you can contact your home computer securely without additional configuration.

      • by TheLink ( 130905 )
        You're addressing a totally different problem from what I'm talking about.

        Did you read the "Starbucks" bit? and the "current wireless solutions in practice" bit?

        How would Starbucks provide a safer WiFi service for its customers? They most certainly can't tell patrons to install openswan etc.

        The last I checked, Google/Yahoo don't support "Opportunistic Encryption", even Slashdot doesn't.

        Anyone solely using Opportunistic Encryption obviously lives in a very isolated corner of the Internet compared to everyone
        • Anyone solely using Opportunistic Encryption obviously lives in a very isolated corner of the Internet compared to everyone else, if anyone tries to attack their computer/data it'll probably be by accident. There's no significant money to make by targeting such niches.

          Don't worry about the money. Just install OE on any public servers and on your computer, and tell other people about it. That's all you can do. That, and try to make openswan OE work with windows OE (which is Kerberos-based, and probably only normally works in an AD environment.)

  • by Anonymous Coward on Sunday February 17, 2008 @02:05PM (#22455076)
    Which is a fuzzer. And most of the vulns are DOS and reboots.

    Not saying wireless security is a not an issue, but the pdf is an ad.
  • by lsw ( 95027 ) on Sunday February 17, 2008 @02:40PM (#22455328) Homepage

    vulnerabilities were found in 90% of the tested devices

    .... said the vendor that sells testing software......hooray for independent research
  • Like Military Intelligence, or Microsoft Excel.
  • by FlyingGuy ( 989135 ) <flyingguy@gm a i l .com> on Sunday February 17, 2008 @03:03PM (#22455502)

    Always has been, and always will be, the users, sorry thats just the way it is.

    I was in the military and crypto security is taken, very very very seriously. You fuck up and at minimum you will lose money, lose rank, lose your clearance or if you fucked up really bad you could go to prison.

    The problem is in business if the VP of Sales and Marketing can't make his new toy connect to your wireless infrastructure because his new toy doesn't support the same protocols he will start whining and crying that its "too hard" and you can bet your Linux live DVD you are going to be carving out an exception for the fucktard. Then he will start showing off his new toy, and then low and behold more people start buying the same thing and you have a fight on your hands. At this point the fucking CEO has to get involved and make the call and chances are security is going to lose because the VP of Sales & Marketing brings in the $profit$ and you don't regardless of how well thought out your argument is or how logical it is. Then what is going to happen is that your shit will get hacked, and that very same VP or sales and Marketing will hang it around your neck and you will be screwed.

    The only way around these kids of problems I think is two fold.

    • Device Control. You must have control over the devices that attach to your network. It has to be in hardware. Joe VP wants to bring his laptop in, then the only way he can connect is through a a USB wireless device that the IT department issues, that is burned to his ID AND his hardware and your network that way it will only work if its in HIS laptop, connected to YOUR network using HIS login credentials ( via biometrics ).
    • Policy. The adverse consequences for compromising the companies network security must be real, immediate and not left open to compromise. This has to come from the company owner if it is a private company or from the board if it is a public company.
    • Re: (Score:3, Interesting)

      by Cyberax ( 705495 )
      In the last company I worked, we had TWO wireless networks. One worked for anyone with only minimal authorization (WEP key pasted on the wall) and it didn't have access to the corporate internal network.

      The second one had strong WPA encryption with heavy logging and intrusion control.
      • Re: (Score:3, Interesting)

        Where I last worked I set up one wireless network. It was completely open (no encryption at all) and firewalled to limit what you could do with it. You could then fire up the VPN client (the same one you'd use if you were totally offsite like in a hotel) and you'd have access to the internal network.

        It really wasn't that hard to set up at all. We needed the VPN for offsite users anyway and so it seemed logical that wireless could simply be treated as if it were any other offsite network. When I set it

        • by Cyberax ( 705495 )
          Yes, we tried it.

          It turned out that it's easier to work without active VPN connection using only built-in Windows wireless. Besides, we have some additional security on VPN.
          • Not sure what you mean by this. You still obviously use the built-in Windows wireless on the clients, no different from a coffee shop or a hotel and even easier since I didn't have the stupid little initial splash page that most of those have. Then you just run a VPN on top of that. Since the people with laptops had to know how to use the VPN when they were offsite (e.g. hotels, coffee shops, whatever) it was very easy to train them just to think of our wireless network as being offsite.

            There was one o

            • by Cyberax ( 705495 )
              We used EAP-TLS with RADIUS (last time I checked they even started to use smartcards) in the 'secured' perimter and everything worked with the built-in Windows wireless.

              The outside VPN client required stupid Intel VPN, which is very annoying and not very stable.
    • by 0123456 ( 636235 )
      "using HIS login credentials ( via biometrics )."

      Ha-ha! He said 'biometrics'!

      Seriously, you made some good points, but biometrics have nothing to do with real security. Imagine if people were issued random passwords at birth, could never change them, had them tattooed over their bodies, using ink which would leave traces of some of their passwords on anything they touched, and had to give them to a wide variety of companies for 'security'; you'd write that off as crazy... but that's biometrics.
  • What a lot of people may not be realizing as they buy newer WAP and WAP2 protected 802.11g and n gear is that if they leave the ability to connected legacy 802.11b devices, they've left open the WEP vulnerability. Everything has to be upgraded, and that can get too expensive to do at once.
    • Huh? First, I think you mean "WPA" and not "WAP". Second, 802.11a, b, and g specify how data is encoded over the air. They have nothing to do with security. Don't want WEP? Don't turn it on. There are plenty of people running WPA/WPA2 over 802.11b. I think someone gave you some bad information,
      • Many devices made in earlier times only support WEP, or don't have new drivers that provide that support. Even things like the Nintendo DS doesn't support more than WEP.
  • This WPS business is a giant turd.

    No one has ever gotten it to work. I don't know why they put it in routers.

    I prevents you from actually connecting to an AP.

    I guess this is the security. If you can't actually connect to an AP you can't hack it.
  • by istartedi ( 132515 ) on Sunday February 17, 2008 @07:25PM (#22457384) Journal

    I use WPA. I know it can't be GEt V1AgrA N()W cracked. I made sure this thing was set up GET YOUR p3n!s enlarged NOW!!! as it should be.

  • Because more and more techniques are crammed into different subsystems without isolation from others and without the computer having any model of itself. What i mean is: let's dictinct "broken by design" and "implementation bugs". About the first one we cant do much on a short timescale, because a new design (e.g. mandatory encryption/authentication) requires user education (how to distribute keys) about bugs ii can only say: wireless network driver are doing things which are not driver-like (e.g. WPA). If
  • Wow, what a case of the emperor has no cl..

    *EUGH!!!! MY EYES! MY EYES!*

    Jesus! What is WRONG with you!
  • ...used together with wireless, this makes one hell of a tight drum.
  • So, I focused on this quote:

    Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope.

    If source code auditing is so expensive, and there are so few ways to analyze these code packages, where are all the holes coming from? Yikes, if external parties can find holes in 90% of the setups out there, imagine what they could do if the stuff was open source!?!

  • For a typical household Laptop --> Router configuration the following is probably the best way to do it:

    Laptop with OpenSSH Client --> Horribly insecure wireless protocol --> Router with OpenSSH Server and wired connection.

    Set the router to reject/drop wireless connections to everything but the SSH port, same with the laptop, and you're pretty much done for the vast majority of applications. Yes, the encryption slows down your connection, but unless you encrypt the data AT SOME POINT then there is

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...