ZDNet - Security flaws in the 802.11 wireless LAN protocol.

From: Mike Dierken (mike@DataChannel.com)
Date: Tue Apr 03 2001 - 20:30:24 PDT

For those interested in wireless LANs, security, etc.


April 3, 2001 2:15 PM PT
A University of Maryland research team said Tuesday that it had identified
several more security flaws in the much-maligned 802.11 wireless LAN

Earlier this year, researchers at the University of California at Berkeley
discovered several vulnerabilities in the encryption protocol used on
wireless LANs.

"When you combine this with the stuff that the Berkeley guys found, it
pretty much covers all of the security in these wireless access points,"
said William Arbaugh, assistant professor of computer science at the
University of Maryland in College Park.

The latest problems have to do with the way the protocol handles access
control and authorization requests. Arbaugh said finding the problems was
"exceedingly easy" and that exploiting them was trivial.

Potentially the most serious of the three flaws is a hole that allows an
eavesdropper to sniff the name of the network -- which is used as a shared
secret for authentication purposes in some 802.11 implementations, including
the Lucent Technologies Inc. Orinoco cards that Arbaugh's team used -- and
then use the information to access the network.

This would be prevented by the WEP (Wireless Equivalent Privacy) encryption
used in 802.11, but the messages containing the network name are always
broadcast in cleartext, Arbaugh said.

The team also identified a problem with the MAC (media access control)
addresses used on wireless LAN cards. Like the network name, MAC addresses
are broadcast in cleartext and can therefore be easily captured by an
eavesdropper. The attacker can then program the address onto his or her card
and access the network.

The final attack involves capturing via eavesdropping the plaintext and
ciphertext of the shared keys used for authentication. Using this
information, an attacker can compute the valid authentication response and
then compute a new integrity check value using another known exploit and
join the network.
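The third flaw rests on one property of the shared-key authentication design: the response is the challenge XORed with a stream-cipher keystream, so anyone who sees a challenge and its response in cleartext learns the keystream for that IV, and a later challenge sent under the same IV can be answered without the key. The following Python model, added here as an illustration and not part of the ZDNet article or of any 802.11 implementation, shows why that design leaks, and contrasts it with a challenge-response built on a keyed MAC, which gives an observer nothing reusable. The keystream generator is a SHA-256-based stand-in (an assumption for the demo), not RC4, and every key, IV and challenge value is constructed.

```python
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for a stream cipher keyed by (IV, key). This is NOT RC4/WEP;
    the only property the demo relies on is that the same (key, IV) pair
    always yields the same keystream, which is true of any stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# --- Weak design: stream-cipher challenge/response (the 802.11 pattern) ---

def shared_key_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Respond to a challenge by XORing it with the keystream for this IV."""
    return xor_bytes(challenge, toy_keystream(key, iv, len(challenge)))


def shared_key_verify(key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """Access point side: recompute the expected response for the IV carried
    in the frame and compare. The IV is chosen by the sender, as in 802.11."""
    return hmac.compare_digest(shared_key_response(key, iv, challenge), response)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """What a passive observer of one exchange learns: plaintext XOR
    ciphertext is the keystream for that IV. No key material is needed."""
    return xor_bytes(challenge, response)


# --- Hardened design: keyed MAC over the challenge ---

def mac_response(key: bytes, challenge: bytes) -> bytes:
    """Response is HMAC(key, challenge); observing it reveals no reusable
    secret, and a response for one challenge is useless for another."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def mac_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(mac_response(key, challenge), response)


def demo() -> tuple:
    """Run both designs against the same observation and report whether a
    second challenge can be answered using only what was observed."""
    key = b"constructed-demo-key-not-a-real-wep-key"   # constructed
    iv = b"\x01\x02\x03"                                 # constructed
    challenge_1 = bytes(range(128))                      # constructed
    challenge_2 = bytes(255 - i for i in range(128))     # constructed

    # Weak design: one observed exchange yields the keystream for this IV.
    response_1 = shared_key_response(key, iv, challenge_1)
    keystream = recover_keystream(challenge_1, response_1)
    # Answering challenge_2 under the same IV needs only that keystream.
    answer_2 = xor_bytes(challenge_2, keystream)
    weak_accepts_keyless_answer = shared_key_verify(key, iv, challenge_2, answer_2)

    # Hardened design: the observed MAC for challenge_1 does not verify
    # against challenge_2, and HMAC output leaks nothing about the key.
    mac_1 = mac_response(key, challenge_1)
    strong_accepts_replayed_mac = mac_verify(key, challenge_2, mac_1)

    return weak_accepts_keyless_answer, strong_accepts_replayed_mac


if __name__ == "__main__":
    weak, strong = demo()
    print("stream-cipher design accepts keyless answer:", weak)   # True
    print("keyed-MAC design accepts replayed response:", strong)  # False
```

The decisive line is `recover_keystream`: under XOR, a known plaintext/ciphertext pair is the keystream, so the protocol hands every observer the one thing it was supposed to protect. Moving the secret into a one-way keyed function removes that leak; it does not, by itself, address the cleartext network name or MAC-address issues the article also describes, which are properties of the frames rather than of the authentication math.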


This archive was generated by hypermail 2b29 : Sun Apr 29 2001 - 20:25:29 PDT