Nerdy 802.11n Threat Podcast

Fri, 18 Jul 2008 13:14:39 -0400

The good people at Network World called the other day and invited me to do a quick podcast about my work on identifying 802.11n threats. This follows a webcast I did for Airwave (registration required) and an article by Joanie Wexler in Network World.

Check out the 11 minute podcast on the Network World site. Comments are always welcome.

-Josh

BTfind Sneak Peek - Bluetooth Device Locating

Thu, 12 Jun 2008 13:59:56 -0400

Mike Kershaw and I have been working on a tool for the discovery and analysis of Bluetooth devices. Spawned by an assessment of the current tools available for Bluetooth analysis, we were disappointed to learn that there were no tools available to help an administrator both enumerate Bluetooth devices and locate them using RSSI analysis. Initially we looked at adding this functionality to the BlueScanner tool that I maintain for Windows XP systems. Unfortunately, none of the Bluetooth stacks from Microsoft, Widcomm/Broadcom, BlueSoleil or Toshiba support RSSI reporting of discovered devices (Widcomm does partially, but not in a way that is particularly useful for device locating analysis). So we started over again from scratch, developing a tool using the Linux BlueZ stack.

RSA2008 - 802.11n Risks Presentation

Fri, 11 Apr 2008 08:44:33 -0400

Yesterday morning I had the opportunity to present my research on the threats introduced with 802.11n networks to the early-morning crowd at the RSA2008 conference. This was my second year presenting at RSA, and the second time I got the 8:00 am crowd. I enjoy this speaking slot for three distinct reasons:

I get to set the bar for other speakers by being first of the day;
If people come to the session after a night of parties, they must *really* want to hear what I have to say;
People are usually eating, which means fewer questions (just kidding).

In the presentation I did a quick review of how 802.11n is revolutionizing wireless LAN deployments, making it possible to supplant wired deployments altogether with an 802.11n wireless network. This is possible not only through the performance benefits we get with 802.11n, but also with the increased reliability with the use of MIMO and other physical-layer enhancements. Next, I examined several threats that I see in 802.11n:

Dramatic lack of useable spectrum in the 2.4 GHz band with 40 MHz transmitters;
Extended range with MIMO vs. SISO (single input, single output) transmitters, exacerbated with the need to deploy MIMO networks in locations that support backward-compatibility with SISO clients;
Increased difficulty and reduced likeliness that channel-hopping WIDS systems will detect a short-lived attack with the explosion of 2.4 GHz and 5 GHz channels that need to be monitored at 20 and 40 MHz independently;
WIDS rogue AP evasion through leveraging high-throughput Greenfield Mode that cannot be detected by existing 802.11a/b/g WIDS sensors;
A new built-in denial-of-service vulnerability against 802.11n and block acknowledgement;
New 802.11n client and AP driver flaws from the increased complexity in frame handling.

My sincere thanks to everyone who attended the presentation. I've posted the slides on the Publications section of the site. The Metasploit fuzzing tools I wrote for testing 802.11n-specific features are posted in the Offensive security section.

I'm hoping to return to RSA again next year, hopefully presenting on some research I have been doing on using software-defined radios for new attacks against wireless protocols. As always, I welcome questions/comments/concerns.

-Josh