Students uncover new Wi-Fi vulnerability

Students at the Queensland University of Technology Information Security Research Centre in Australia have uncovered a flaw in an IEEE 802.11 (Wi-Fi) protocol that allows attackers with a simple Wi-Fi-enabled handheld device to effectively shut down a wireless local area network.

Free IT resource Hear how top CIOs turn change into a competitive advantage. Sponsored by HP Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld

The report, published by AusCERT (Australian Computer Emergency Response Team), a not-for-profit organization based at the university, reports that a DoS attack is made possible by a vulnerability in the MAC (Medium Access Control) function of the IEEE 802.11 protocol.

The report states:

"WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance [CSMA/CA], which minimizes the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of the CSMA/CA is the standards-compliant hardware and performed by a Direct Sequence Spread Spectrum [DSSS] physical layer."

The report says that attackers can exploit the CA (Collision Avoidance) function and cause both access points and client devices within range of the attacker to "defer transmission of data for the duration of the attack."

If an attack occurs, devices act as if the channel is busy, thus putting a halt to any transmission of data over the network.

According the report, the flaw in the CA layer can be exploited by a "semi-skilled" attacker using a simple wireless device.

Frank Hanzlik, managing director for the Wi-Fi Alliance, said the Alliance is aware of this latest attack scenario and is "looking into the claims that there are low-cost hardware [devices] that can do this."

However, Rich Mironov, who calls himself a "reformed engineer" and is a vice president of marketing at AirMagnet, said DoS attacks are sometimes inadvertent.

"At the Javits Center in New York at an Apple show, somebody was wandering the show floor with a broadcasting card in his laptop. Everywhere he went he shut down the network for a couple of hundred feet by crowding out traffic in all directions. His device was randomly running up and down all the channels," Miranov said.

AirMagnet has a tool that can locate the attacker by discovering the MAC address of the attacker's device. The AirMagnet tool clicks louder and louder as it approaches the attacker. It can also identify sixteen different attacks, said Mironov.

The AusCERT report concludes by saying the vulnerability of the CA layer will not be mitigated by emerging MAC layer security enhancements in IEEE 802.11i.