Feeds

Research spies holes in Fortune 1000 wireless nets

Frequency hopping. It's not a security protocol

Internet Security Threat Report 2014

Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers that rely on them, a security expert has determined.

So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors.

As their name suggests, FHSS networks transmit radio signals by changing their frequency channel extremely rapidly - about once every 400 milliseconds. For more than a decade, the presumption even among many security professionals has been that it's impossible for outsiders to eavesdrop on the networks without spending tens of thousands of dollars on spectrum analyzers, oscilloscopes, and other sophisticated equipment.

Now, Rob Havelt, Practice Manager for Penetration Testing at security firm Trustwave, has devised a low-cost means to crack those networks using off-the-shelf hardware and custom-built software that cracks frequency-hopping algorithms. That leaves corporate networks at companies that use FHSS wide open because there's usually nothing separating one from the other.

"These networks present a large, gaping hole into a lot of organizations because they're not architected with security in mind," said Havelt, who plans to present his findings at the Black Hat security conference in Amsterdam. Companies "have them deployed and they're just basically waiting for somebody to get in that way."

FHSS networks carry signals on one of 79 channels in a sequence that's hard for outsiders to predict. Havelt's method employs a cheap radio that uses custom-built software based on the GNU Radio Project to locate a FHSS network's beacon frame. In turn, the beacon frame gives out the network's SSID, or service set identifier, and hop pattern.

Finding the SSID and hop pattern takes only a few seconds of monitoring with the software-based radio. From there, an intruder need only use a laptop armed with a FHSS-compliant network interface card to join the network. Although some FHSS networks use encryption to prevent unauthorized access, the protection is based on 40-bit WEP, or wired equivalent privacy, which is easily cracked.

"Once you have the correct SSID, the client is going to send association requests," Havel told The Register. After connecting, attackers generally have unfettered access to the organization's network.

In some respects, FHSS networks are the wireless equivalent of mainframe computers. With entire fleets of barcode scanners that rely on them, and the high cost of replacing them with more modern equipment, many organizations have chosen to hold on to the older gear despite their technical inferiority.

Havelt said it's not uncommon for penetration testers and other security consultants to tell their clients that FHSS networks are generally safe from intruders. His demonstration in two weeks is designed, once and for all, to put that misconception to rest.

"Frequency hopping is definitely not a security protocol or security mechanism, and it can't be relied upon as a security mechanism," he said. "To do so is basic security through obscurity." ®

Internet Security Threat Report 2014

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.