Previous Section  < Day Day Up >  Next Section

Why Do We Concentrate on 802.11 Security?

The widespread area of 802.11 network coverage zones is one of the major reasons for rising security concerns and interest: An attacker can be positioned where no one expects him or her to be and stay well away from the network's physical premises. Another reason is the widespread use of 802.11 networks themselves: By 2006 the number of shipped 802.11-enabled hardware devices is estimated to exceed 40 million units (Figure 1-2), even as the prices on these units keep falling. After 802.11g products hit the market, the price for many 802.11b client cards dropped to the cost level of 100BaseT Ethernet client cards. Of course there is a great speed disadvantage (5–7 Mbps on 802.11b vs. 100 Mbps on switched fast Ethernet), but not every network has high-speed requirements, and in many cases wireless deployment will be preferable. These cases include old houses in Europe protected as a part of the National Heritage. In such houses, drilling through obstacles to lay the cabling is prohibited by law. Another case is offices positioned on opposite sides of a busy street, highway, or office park. Finally, the last loop provider services via wireless are basically a replacement for the cable or xDSL link and 802.11b "pipe" is not likely to be a bottleneck in such cases, taking into account common xDSL or cable network bandwidth.

Figure 1.2. The growth of the 802.11 wireless market.


802.11 networks are everywhere, easy to find, and, as you will see in this book, often do not require any effort to associate with. Even if they are protected by WEP (which still remains the most common security countermeasure on 802.11 LANs), the vulnerabilities of WEP are very well publicized and known to practically anyone with a minimal interest in wireless networking. On the contrary, other wireless packet-switched networks are far from being that common and widespread, do not have well-known and "advertised" vulnerabilities, and often require obscure and expensive proprietary hardware to explore. At the same time, 802.11 crackers commonly run their own wireless LANs (WLANs) and use their equipment for both cracking and home and community networking.

Attacks on GSM and GPRS phones are mainly related to unit "cloning," which lies outside the realm of network hacking to which this book is devoted. On the personal area network (PAN) side, the hacking situation is far more interesting to dive into from a network security consultant's viewpoint.

Attacks on infrared PANs are a form of opportunistic cracking based on being in the right place at the right time—a cracker would have to be close to the attacked device and be in a 30-degree zone from its infrared port. Because the infrared irradiation power is limited to 2 mW only, the signal is not expected to spread further than two meters. An exemption to the 30 degrees/2 mW limitations is the case when an infrared access point (e.g., Compex iRE201) is deployed in an office or conference hall. In such a situation, all that a cracker needs to sniff traffic and associate with the infrared PAN is to be in the same room with the access point. There is no layer 2 security in Infrared Data Association (IrDA) PANs and unless higher layers' encryption or authentication means are deployed, the infrared network is open for anyone to exploit. Windows 2000 and Windows XP clients automatically associate with other IrDA hosts and Linux IrDA project stack ( provides a remote IrDA host discovery option (do irattach -s) as well as irdadump, which is a utility similar to tcpdump. Irdaping has been used to freeze dead unpatched Windows 2000 machines before the Service Pack 3 release (see the Bugtraq post at If you want to dump layer 2 IrDA frames under Windows 2000, an infrared debugger interface in rCOMM2k (a port of Linux IrDA stack, will do a decent job. However, no matter how insecure the infrared networks are, their limited use and physically limited spread means that scanning for data over light will never be as popular as scanning for data over radio frequency (RF) waves.

As such, warnibbling or looking for Bluetooth networks will gain much higher popularity than looking for infrared connections and might one day compete with wardriving in popularity. The tools for Bluetooth network discovery such as Redfang from @Stake and a graphical user interface (GUI) for it (Bluesniff, Shmoo Group) are already available to grab and use and more tools will no doubt follow suit.

Three factors limit the spread of Bluetooth hacking. One is the still limited use of this technology, but that is very likely to change in a few years. Another factor is the limited (if compared to 802.11 LANs) coverage zone. However, Class 1 Bluetooth devices (output transmission power up to 100 mW) such as Bluetooth-enabled laptops and access points can cover a 100-meter radius or greater if high-gain antennas are used. Such networks are de facto WLANs and can be suitable targets for remote cracking. The third factor is the security mechanisms protecting Bluetooth PANs against both snooping and unauthorized connections. So far there are no known attacks circumventing the E0 streaming cipher used to encrypt data on Bluetooth PANs. However, only time will determine if this proprietary cipher will stand Kerckhoffs's assumption and whether the famous story of the unauthorized Cypherpunks mail list disclosure of the RC4 algorithm structure will not repeat itself again (see Chapter 11 if you find this example confusing). There are already theoretical observations of possible Bluetooth security mechanism weaknesses (see Besides, even the best security countermeasure is useless unless it is implemented, and Bluetooth devices are usually set to the first (lowest) security mode out of the three Bluetooth security modes available and have the default of "0000" as the session security PIN. It is also common to use the year of birth or any other meaningful (and guessable) four-digit number as a Bluetooth PIN. This happens for convenience reasons, but the unintended consequence is that it makes the cracker's job much easier. In our observations, about 50 percent of Bluetooth-enabled devices have the default PIN unchanged. There are also devices that have default PINs prewired without any possibility of changing them: all the attacker would have to do is find the list with the default PINs online. Although this provides a great opportunity for the potential attacker, we have yet to meet a real flesh-and-bone "warnibbler" who goes beyond sending prank messages via Bluetooth on the street. At the same time, security breaches of 802.11 networks occur on a daily, if not hourly, basis bringing us back to the main topic: Why and, most important, how they take place.

    Previous Section  < Day Day Up >  Next Section