Technical Summary of Denial of Service Attack against IEEE 802.11 DSSS based Wireless LANs

Chris Wullems, Kevin Tham, Jason Smith, and Mark Looi
Information Security Research Centre, Queensland University of Technology, Brisbane, Australia

Background

On May 13 2004, AusCERT announced [2] the presence of a denial of service (DoS) vulnerability in IEEE 802.11 devices (IEEE-STD-802.11-1999 [3]). This announcement was echoed by US-CERT [4] and widely reported in the technical media, including Computerworld [5]. This technical summary has been prepared to clarify the significance of the vulnerability and to respond to a number of questions and comments that have arisen out of the CERT announcements and media coverage.
Attack Details

As reported, this attack exploits the behaviour of the lower layers of the IEEE 802.11b DSSS specification. Specifically, it takes advantage of a test mode of operation (PLME_DSSSTESTMODE) present in a range of "off the shelf" 802.11b WLAN adapters to continuously transmit a DSSS signal on a target channel. This continuous transmission affects all stations within range of the attacker (whether clients or access points) using the target channel, causing the clear channel assessment (CCA) [6] to report the medium as busy for the duration of the attack. The impact is that no station within range of the attacker is able to seize the medium for transmission, resulting in denial of service on the target channel. Obviously we do not wish to provide a step-by-step guide on how to mount the attack (as there is currently no effective mitigation strategy), but we do encourage researchers wanting to independently validate our findings to contact us.
Attack Significance

This attack is significant for a number of reasons, but primarily because it requires only commodity off the shelf hardware and a low level of skill to mount. Essentially the attack is a jamming attack, but it is a jamming attack that requires only low power and no specialised or custom hardware. The attack is possible not only because of the design of the 802.11 MAC protocols (the CCA is a feature, not a bug, and is required for the shared communications channel to operate effectively) but because unnecessary engineering functionality (DSSSTESTMODE) was not removed from production release hardware, and documents describing how to access this mode of operation are freely available on the Internet. When the devastating ease with which the attack can be mounted is combined with the increasing use of commodity wireless LAN technology in a range of critical environments, the significance of the attack becomes more evident. Anyone deploying IEEE 802.11 DSSS WLAN technology in an environment where availability is a requirement could now be considered negligent if an attack against the availability of that service was successfully mounted and resulted in some form of loss.
Attack Mitigation

At present there are no known strategies for mitigating the attack other than not using 802.11b based technology in environments where ongoing availability of communications is required. 802.11a based WLAN technology, which operates at a different frequency from 802.11b, is not known to be vulnerable. Similarly, 802.11g in a "non-mixed mode" of operation, that is, in "g" only mode without legacy support for 802.11b based cards [7], is not known to be vulnerable to this specific attack. Emerging security improvements to the 802.11 based standards coming from the 802.11i security working group will not provide any defence against this attack: 802.11i security only protects MAC layer PDUs, whereas this attack operates below the MAC layer, at the Physical Layer Convergence Procedure (PLCP) layer, and so is unaffected.
Response to Comments

A number of erroneous and questionable comments have been made in the media concerning this attack and the underlying vulnerabilities that make it possible. This section of the summary aims to clarify any confusion that may exist about the attack. Firstly, the main issue to be recognised is the presence of unnecessary engineering functionality in production hardware. This attack would have been far more complex to mount if 802.11 radio chipset manufacturers had not left a test mode of operation readily accessible in commodity devices [8]. Secondly, it has been claimed by some that this work is no different from the vulnerabilities in 802.11 presented at USENIX 2003 by Bellardo and Savage [9]. Suffice to say that the denial of service attacks described by Bellardo and Savage were targeted at the MAC layer and above, whereas this new attack operates at the PLCP (sub-MAC) layer. It is important to note that a number of the attacks presented by Bellardo and Savage will be mitigated by the emerging 802.11i security enhancements, whereas the 802.11i security enhancements will offer no relief from this new attack.
Finally, 802.11b based networking equipment can no longer be used to
detect the presence of this type of attack (the monitor itself can
be targeted) so detection of this new attack is likely to require
specialised RF monitoring hardware, increasing the cost of detecting
and responding to wireless based attacks.
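Detection is the one avenue the summary leaves open, so the following is an added example (not from the original summary or its authors) of the kind of check a dedicated RF monitor could feed. It assumes a hypothetical monitor that reports, per second, the share of time the CCA energy detector saw the channel busy and the number of valid PLCP headers it decoded, and it flags sustained busy periods during which nothing decodable is on the air, which is what separates a continuous carrier from legitimate saturation.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed per-second readings from a hypothetical RF monitor (not an 802.11b
# card, which the attack would silence too): busy share and decoded PLCP headers.
@dataclass
class ChannelSample:
    t: int                # seconds since monitor start
    busy_fraction: float  # share of the second (0.0..1.0) CCA reported busy
    decoded_frames: int   # frames with a valid PLCP header seen in the second

BUSY_THRESHOLD = 0.95  # channel essentially never idle
MIN_DURATION = 5       # consecutive seconds before an alert is raised

def is_suspicious(s: ChannelSample) -> bool:
    """A continuous carrier pins CCA busy while nothing decodable is on air.
    Legitimate saturation also pins CCA busy, but frames still decode, so a
    second with decoded_frames > 0 is treated as load rather than jamming."""
    return s.busy_fraction >= BUSY_THRESHOLD and s.decoded_frames == 0

def detect_continuous_carrier(samples: List[ChannelSample],
                              min_duration: int = MIN_DURATION) -> List[Tuple[int, int, float]]:
    """Return (start_t, end_t, mean_busy) for each run of suspicious seconds
    lasting at least min_duration; shorter runs are ignored as noise."""
    alerts: List[Tuple[int, int, float]] = []
    run: List[ChannelSample] = []

    def flush() -> None:
        if len(run) >= min_duration:
            mean = sum(x.busy_fraction for x in run) / len(run)
            alerts.append((run[0].t, run[-1].t, mean))
        run.clear()

    for s in sorted(samples, key=lambda x: x.t):
        contiguous = bool(run) and s.t == run[-1].t + 1
        if not (is_suspicious(s) and contiguous):
            flush()  # close the current run, if any
        if is_suspicious(s):
            run.append(s)
    flush()
    return alerts

# Constructed trace: normal load, legitimate saturation (frames still decode),
# then a 12 s continuous carrier with nothing decodable, then recovery.
SAMPLES = ([ChannelSample(t, 0.30, 40) for t in range(0, 10)]
           + [ChannelSample(t, 0.97, 120) for t in range(10, 20)]
           + [ChannelSample(t, 0.99, 0) for t in range(20, 32)]
           + [ChannelSample(t, 0.25, 35) for t in range(32, 40)])

for start, end, busy in detect_continuous_carrier(SAMPLES):
    print(f"possible continuous-carrier jamming: t={start}..{end}, mean busy={busy:.2f}")
```

The saturated-but-decodable segment produces no alert; only the segment where the channel is busy with nothing decodable is reported.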