Document updated Jan 2, 2009
WiFi security is worse than you thought
While WEP has gotten a lot of press, there are quite a few other major problems with 802.11 that hackers and end-users need to be more aware of:
- There are numerous layer 1 and layer 2 DoS attacks available. They're very effective, they don't require the attacker to authenticate first, and for most of them the only proper fix is to upgrade the protocol. This means that even the most professionally run network can be taken down at any time.
- While it's obvious to most experts, the fact that wi-fi uses a shared physical medium has important implications that users must be mindful of. It makes many powerful attacks available that aren't normally possible on typical switched networks (it's much easier to hijack TCP, spoof DNS, and so on). To counter this, never be on a network with untrusted users unless you fully encrypt everything, and always use protocols that verify the authenticity of servers (including DNS). Which brings us to:
- Vulnerabilities related to public hotspots have been written about, but they deserve more attention. Even if users are careful to avoid rogue access points, they're still vulnerable to unseen ARP spoofing attacks that give the attacker enormous control. This is most evident in the recent Firefox unsigned certificate debate: most users, even somewhat sophisticated ones, fall for SSL/SSH man-in-the-middle attacks, which literally leaves them open to having banking information stolen. SSL MITM attacks don't get much attention because they're rare in most settings, but they're much easier to carry out on public hotspots.
- Currently, most home gateways bridge the wired and wireless networks, making even the wired computers vulnerable to ARP spoofing from wireless users. This means you never want to leave your access point open (or WEP-only), because it's equivalent to putting all your computers on a hub and hanging an ethernet cable out the window for strangers to sniff from. Alternatively, open access points should only use equipment that segregates the wireless LAN from the wired LAN.
In short, if you're a black-hat, wifi networks are a fun playground right now. But if you're a normal user, you have to be really careful out there.
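The ARP spoofing that the hotspot and bridged-home-gateway points above rely on can at least be detected from any host on the segment, because the poisoned replies are visible to everyone on the shared medium. The following is an added example, not from the original page: an arpwatch-style monitor that flags an IP changing MAC and one MAC claiming several IPs. The `ArpMonitor` and `scan` names and all IP/MAC values are constructed for the example.

```python
# Added example (not from the original page): a minimal ARP-spoofing monitor in
# the spirit of arpwatch. It consumes observed ARP replies (sender IP, sender MAC)
# and flags the two symptoms of cache poisoning a hotspot or bridged home LAN
# shows: an IP that suddenly answers from a new MAC, and one MAC that claims
# several IPs at once (typically the gateway plus a victim). Replies are
# constructed here; on a real host you would feed them from a packet capture.
from collections import defaultdict


class ArpMonitor:
    def __init__(self, baseline=None):
        # baseline: IP -> MAC for hosts whose binding must never change (gateway,
        # DNS server). Seeded up front so even the first spoofed reply is caught.
        self.baseline = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
        self.ip_to_mac = dict(self.baseline)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.baseline.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, ip, mac):
        """Record one ARP reply; return alert strings (empty list if benign)."""
        mac = mac.lower()
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            # DHCP clients legitimately change MACs over time; baseline hosts do not.
            level = "CRITICAL" if ip in self.baseline else "WARN"
            alerts.append(f"{level}: {ip} moved from {known} to {mac}")
            self.mac_to_ips[known].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"WARN: {mac} now claims {sorted(self.mac_to_ips[mac])}")
        return alerts


def scan(replies, baseline=None):
    """Run every (ip, mac) reply through one monitor and collect all alerts."""
    mon = ArpMonitor(baseline)
    alerts = []
    for ip, mac in replies:
        alerts.extend(mon.observe(ip, mac))
    return alerts


# Constructed sample: .1 is the real gateway, .23 an honest laptop, and
# de:ad:be:ef:00:01 a wireless attacker poisoning both directions.
SAMPLE_REPLIES = [
    ("192.168.1.23", "66:77:88:99:aa:bb"),
    ("192.168.1.1", "00:11:22:33:44:55"),   # matches baseline, silent
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # attacker claims the gateway
    ("192.168.1.23", "de:ad:be:ef:00:01"),  # ...and the laptop
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES, baseline={"192.168.1.1": "00:11:22:33:44:55"}):
        print(line)
```

Expect a WARN for a laptop whose lease moves between machines, but any CRITICAL on the gateway or DNS server is the signature of the hotspot attack described above.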
Upcoming improvements
- standards changes
  - 802.11w would prevent forging of management frames.
  - DNSSEC would prevent DNS reply forgery.
- proprietary enhancements to access points
  - Cisco has LOTS of stuff [1]
DoS attacks
Things a shared medium makes far easier
TODO
Things I'd like to do sometime, just to find out how easy they are to do (i.e. how vulnerable we all are), but also because hands-on stuff can be really informative, and one doesn't often get the opportunity to do stuff like this.
- use ARP spoofing to sniff a wired client from the wireless side
- SSL MITM — there's almost nothing more invasive than this. (so do it on myself) (but still, to know you're able to do this... hehe)