RSA2008 - 802.11n Risks Presentation
Friday, April 11, 2008
Yesterday morning I had the opportunity to present my research on the threats introduced with 802.11n networks to the early-morning crowd at the RSA2008 conference. This was my second year presenting at RSA, and the second time I got the 8:00 am crowd. I enjoy this speaking slot for three distinct reasons:
• I get to set the bar for other speakers by being first of the day;
• If people come to the session after a night of parties, they must *really* want to hear what I have to say;
• People are usually eating, which means fewer questions (just kidding).
In the presentation I did a quick review of how 802.11n is revolutionizing wireless LAN deployments, making it possible to supplant wired deployments altogether with an 802.11n wireless network. This is possible not only through the performance benefits we get with 802.11n, but also with the increased reliability with the use of MIMO and other physical-layer enhancements. Next, I examined several threats that I see in 802.11n:
• Dramatic lack of useable spectrum in the 2.4 GHz band with 40 MHz transmitters;
• Extended range with MIMO vs. SISO (single input, single output) transmitters, exacerbated by the need to deploy MIMO networks in locations that must remain backward-compatible with SISO clients;
• Increased difficulty and reduced likelihood that channel-hopping WIDS systems will detect a short-lived attack, given the explosion of 2.4 GHz and 5 GHz channels that need to be monitored at 20 and 40 MHz independently;
• WIDS rogue AP evasion by leveraging high-throughput Greenfield Mode, which cannot be detected by existing 802.11a/b/g WIDS sensors;
• A new built-in denial-of-service vulnerability against 802.11n and block acknowledgement;
• New 802.11n client and AP driver flaws from the increased complexity in frame handling.
My sincere thanks to everyone who attended the presentation. I've posted the slides on the Publications section of the site. The Metasploit fuzzing tools I wrote for testing 802.11n-specific features are posted in the Offensive security section.
I'm hoping to return to RSA again next year, hopefully presenting on some research I have been doing on using software-defined radios for new attacks against wireless protocols. As always, I welcome questions/comments/concerns.
-Josh
Using the WiSpy 2.4x from Metageek (www.metageek.net), it is possible to visualize the RF spectrum. In this picture, we can see the impact of a 40 MHz transmitter operating in the 2.4 GHz band using a primary channel of 2.412 GHz (channel 1). This leaves only one remaining useable channel in the 2.4 GHz band. Imagine this same transmitter on channel 6 (2.423 GHz). The impact? No other useable channels in the 2.4 GHz spectrum.
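As an added example (not part of the original post), here is a small Python model of the 2.4 GHz band that reproduces what the spectrum capture shows: one 40 MHz transmitter on channel 1 leaves a single non-overlapping 20 MHz channel for everyone else. It assumes ideal rectangular 20 MHz masks with no guard band (so it is slightly optimistic compared with real radios), a US channel set of 1-11, and the 802.11n rule that a 40 MHz channel bonds the primary with the 20 MHz channel four channel numbers above or below it.

```python
from __future__ import annotations

# Assumptions for this model (not from the post): ideal channel masks,
# US regulatory domain (channels 1-11), 20 MHz OFDM channel width.
CHANNEL_SPACING_MHZ = 5
REGULATORY_CHANNELS = range(1, 12)


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 2407 + 5 * n MHz (channel 1 = 2412)."""
    if not 1 <= channel <= 13:
        raise ValueError("only 2.4 GHz channels 1-13 are modelled")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def channel_band_mhz(channel: int, width_mhz: int = 20) -> tuple[int, int]:
    """(low, high) edges of a 20 MHz channel with an ideal mask."""
    c = channel_center_mhz(channel)
    return c - width_mhz // 2, c + width_mhz // 2


def ht40_band_mhz(primary: int, secondary_above: bool = True) -> tuple[int, int]:
    """Span of a 40 MHz HT channel: primary plus the 20 MHz channel 20 MHz above/below."""
    secondary = primary + 4 if secondary_above else primary - 4
    lo_p, hi_p = channel_band_mhz(primary)
    lo_s, hi_s = channel_band_mhz(secondary)
    return min(lo_p, lo_s), max(hi_p, hi_s)


def overlaps(a: tuple[int, int], b: tuple[int, int]) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def free_channels(occupied: tuple[int, int], channels=REGULATORY_CHANNELS) -> list[int]:
    """20 MHz channels whose band does not overlap the occupied span at all."""
    return [ch for ch in channels if not overlaps(channel_band_mhz(ch), occupied)]


def max_non_overlapping(channels) -> int:
    """Greedy count of mutually non-overlapping 20 MHz channels (valid since all widths are equal)."""
    count, last_high = 0, None
    for ch in sorted(channels):
        lo, hi = channel_band_mhz(ch)
        if last_high is None or lo >= last_high:
            count, last_high = count + 1, hi
    return count


def usable_after_ht40(primary: int, secondary_above: bool = True) -> int:
    """How many non-overlapping 20 MHz channels remain once the HT40 transmitter is on air."""
    return max_non_overlapping(free_channels(ht40_band_mhz(primary, secondary_above)))


if __name__ == "__main__":
    print(ht40_band_mhz(1), free_channels(ht40_band_mhz(1)), usable_after_ht40(1))
```

Running it for channel 1 reports the span 2402-2442 MHz, leaves channels 9-11 untouched, and since those three overlap one another only one of them is usable at a time.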