Feeds

Research spies holes in Fortune 1000 wireless nets

Frequency hopping. It's not a security protocol

5 things you didn’t know about cloud backup

Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers that rely on them, a security expert has determined.

So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors.

As their name suggests, FHSS networks transmit radio signals by changing their frequency channel extremely rapidly - about once every 400 milliseconds. For more than a decade, the presumption even among many security professionals has been that it's impossible for outsiders to eavesdrop on the networks without spending tens of thousands of dollars on spectrum analyzers, oscilloscopes, and other sophisticated equipment.

Now, Rob Havelt, Practice Manager for Penetration Testing at security firm Trustwave, has devised a low-cost means to crack those networks using off-the-shelf hardware and custom-built software that cracks frequency-hopping algorithms. That leaves corporate networks at companies that use FHSS wide open because there's usually nothing separating one from the other.

"These networks present a large, gaping hole into a lot of organizations because they're not architected with security in mind," said Havelt, who plans to present his findings at the Black Hat security conference in Amsterdam. Companies "have them deployed and they're just basically waiting for somebody to get in that way."

FHSS networks carry signals on one of 79 channels in a sequence that's hard for outsiders to predict. Havelt's method employs a cheap radio that uses custom-built software based on the GNU Radio Project to locate a FHSS network's beacon frame. In turn, the beacon frame gives out the network's SSID, or service set identifier, and hop pattern.

Finding the SSID and hop pattern takes only a few seconds of monitoring with the software-based radio. From there, an intruder need only use a laptop armed with a FHSS-compliant network interface card to join the network. Although some FHSS networks use encryption to prevent unauthorized access, the protection is based on 40-bit WEP, or wired equivalent privacy, which is easily cracked.

"Once you have the correct SSID, the client is going to send association requests," Havel told The Register. After connecting, attackers generally have unfettered access to the organization's network.

In some respects, FHSS networks are the wireless equivalent of mainframe computers. With entire fleets of barcode scanners that rely on them, and the high cost of replacing them with more modern equipment, many organizations have chosen to hold on to the older gear despite their technical inferiority.

Havelt said it's not uncommon for penetration testers and other security consultants to tell their clients that FHSS networks are generally safe from intruders. His demonstration in two weeks is designed, once and for all, to put that misconception to rest.

"Frequency hopping is definitely not a security protocol or security mechanism, and it can't be relied upon as a security mechanism," he said. "To do so is basic security through obscurity." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.