Re: WiFi Fingerprinting



On Wed, 20 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <slrneh3cbv.psi.lee@xxxxxxxxxxxxxxxxxxxxxxxxx>, Lee Phillips wrote:

Check out this interesting but not very serious vulnerability:

http://lee-phillips.org/info/networking/sandia.html

Yeah, it's almost like the guys who wrote the press release pulled buzzwords
out of the paper, and sensationalized something from that.

Press Release:

LIVERMORE, Calif. - The next time you're sipping a latte and surfing the
Net at your favorite neighborhood wireless café, someone just a few seats
away could be breaking into your laptop and causing irreparable damage to
your computer's operating system by secretly tapping into your network
card's unique device driver, researchers at Sandia National Laboratories
in have concluded.

There is, however, some cheerful news. By role-playing the position of an
adversary (also known as red teaming), Sandia researchers have
demonstrated a unique "fingerprinting" technique that allows hackers with
ill intent to identify a wireless driver without modification to or
cooperation from a wireless device. Revealing this technique publicly,
Sandia researchers hope, can aid in improving the security of wireless
communications for devices that employ 802.11 networking.

Paper:

9 Conclusion

We designed, implemented, and evaluated a technique for passive wireless
device driver fingerprinting that exploits the fact that most IEEE
802.11a/b/g wireless drivers have implemented different active scanning
algorithms. We evaluated our technique and demonstrated that it is capable
of accurately identifying the wireless driver used by 802.11 wireless
devices without specialized equipment and in realistic network conditions.

Through an extensive evaluation including 17 wireless drivers, we
demonstrated that our method is effective in fingerprinting a wide variety
of wireless drivers currently on the market. Finally, we discussed ways to
prevent fingerprinting that we hope will aid in improving the security of
wireless communication for devices that employ 802.11 networking.

Really brief synopsis: Wireless NICs actively scan for access points to
connect to by periodically sending out probe request frames. The algorithm
used to scan for access points is not explicitly defined in the 802.11
standard. Therefore, every NIC driver author is doing it "his way". By just
listening to the _rate_ at which a given NIC (identifiable by the MAC address
used during a session) sends those probe requests, you can ID the driver, and
therefore may be able to
deduce which of your Junior Skript KiddieZ exploits to try to use to knock
over the system. As the NIC driver is running in kernel space, if you can
kick that door down, you 0wn3Z that box. Note that the paper does not talk
of any _exploits_ but merely that you can passively ID the driver.

I'm reminded of two (WW2 German Wehrmacht) sayings mentioned in "Instruments
of Darkness" by Alfred Price (1967, 1977, Chas. Scribner's Sons, 1978, ISBN
0-683-15806-X), which is a "standard" text on "radio warfare":

Feind hört mit! (Sign on German military communications gear in WW2)
"The Enemy is Listening" (also seen posted as "Feind hoert mit!")

Aller Funkverkehr ist Landesverrat (Luftwaffe [WW2] Signals Command axiom)
"All radio traffic is high treason"

There was a recent demonstration at a Black-Hats convention, where two
presenters demonstrated an exploit that was targeting a third party driver
on an Apple - running OSX if I recall correctly. No details were released,
and there was some controversy about the demonstration. Try the newsgroup
alt.internet.wireless if interested - it was about 3-6 weeks ago.

About the only solution at the moment is to see that you stay up to date
with the updates for your distribution. This would _usually_ be a kernel
update, so ESPECIALLY if you are using wireless, lose the Macho about
uptime, and keep your kernel up to date - yes, it does mean rebooting,
and losing all that umpty-dump days since last reboot.

Old guy
.
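The probe-request timing idea from the synopsis above, as an added example that is not from the post or from the Sandia paper: the capture, the reference profiles, the bin edges and the match threshold are all constructed for illustration. It bins the gaps between consecutive probe requests per MAC and picks the nearest reference profile, which is a cheap way to check, from the defender's side, how distinctive a driver's scan timing is on the air.

```python
"""Toy passive driver fingerprint from probe-request inter-arrival timing.
Added example; all data below is constructed, not measured."""
from collections import defaultdict
import math

# Constructed capture: (seconds since capture start, source MAC) per probe request.
CAPTURED_PROBES = [
    (0.00, "aa:bb:cc:00:00:01"), (0.10, "aa:bb:cc:00:00:01"),
    (0.20, "aa:bb:cc:00:00:01"), (1.25, "aa:bb:cc:00:00:01"),
    (1.35, "aa:bb:cc:00:00:01"), (1.45, "aa:bb:cc:00:00:01"),
    (0.05, "aa:bb:cc:00:00:02"), (3.05, "aa:bb:cc:00:00:02"),
    (6.05, "aa:bb:cc:00:00:02"), (9.05, "aa:bb:cc:00:00:02"),
]

# Bin edges (seconds) for gaps between consecutive probe requests.
BINS = [0.0, 0.15, 0.5, 2.0, 5.0, math.inf]

# Constructed reference profiles: normalized gap histogram per driver label.
REFERENCE = {
    "driver-A (burst scan)": [0.6, 0.0, 0.4, 0.0, 0.0],
    "driver-B (slow periodic)": [0.0, 0.0, 0.0, 1.0, 0.0],
}

def gap_histogram(times):
    """Normalized histogram of inter-arrival gaps; all zeros if < 2 probes."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    counts = [0] * (len(BINS) - 1)
    for g in gaps:
        for i in range(len(counts)):
            if BINS[i] <= g < BINS[i + 1]:
                counts[i] += 1
                break
    total = sum(counts)
    return [c / total for c in counts] if total else [0.0] * len(counts)

def l1_distance(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))

def fingerprint(probes, reference=REFERENCE, threshold=0.5):
    """Map each MAC to the nearest reference label, or None if no profile is close."""
    by_mac = defaultdict(list)
    for t, mac in probes:
        by_mac[mac].append(t)
    result = {}
    for mac, times in by_mac.items():
        hist = gap_histogram(times)
        scored = [(l1_distance(hist, ref), label) for label, ref in reference.items()]
        dist, label = min(scored)
        result[mac] = label if dist <= threshold else None
    return result
```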