Feeds

Research spies holes in Fortune 1000 wireless nets

Frequency hopping. It's not a security protocol

Internet Security Threat Report 2014

Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers that rely on them, a security expert has determined.

So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors.

As their name suggests, FHSS networks transmit radio signals by changing their frequency channel extremely rapidly - about once every 400 milliseconds. For more than a decade, the presumption even among many security professionals has been that it's impossible for outsiders to eavesdrop on the networks without spending tens of thousands of dollars on spectrum analyzers, oscilloscopes, and other sophisticated equipment.

Now, Rob Havelt, Practice Manager for Penetration Testing at security firm Trustwave, has devised a low-cost means to crack those networks using off-the-shelf hardware and custom-built software that cracks frequency-hopping algorithms. That leaves corporate networks at companies that use FHSS wide open because there's usually nothing separating one from the other.

"These networks present a large, gaping hole into a lot of organizations because they're not architected with security in mind," said Havelt, who plans to present his findings at the Black Hat security conference in Amsterdam. Companies "have them deployed and they're just basically waiting for somebody to get in that way."

FHSS networks carry signals on one of 79 channels in a sequence that's hard for outsiders to predict. Havelt's method employs a cheap radio that uses custom-built software based on the GNU Radio Project to locate a FHSS network's beacon frame. In turn, the beacon frame gives out the network's SSID, or service set identifier, and hop pattern.

Finding the SSID and hop pattern takes only a few seconds of monitoring with the software-based radio. From there, an intruder need only use a laptop armed with a FHSS-compliant network interface card to join the network. Although some FHSS networks use encryption to prevent unauthorized access, the protection is based on 40-bit WEP, or wired equivalent privacy, which is easily cracked.

"Once you have the correct SSID, the client is going to send association requests," Havel told The Register. After connecting, attackers generally have unfettered access to the organization's network.

In some respects, FHSS networks are the wireless equivalent of mainframe computers. With entire fleets of barcode scanners that rely on them, and the high cost of replacing them with more modern equipment, many organizations have chosen to hold on to the older gear despite their technical inferiority.

Havelt said it's not uncommon for penetration testers and other security consultants to tell their clients that FHSS networks are generally safe from intruders. His demonstration in two weeks is designed, once and for all, to put that misconception to rest.

"Frequency hopping is definitely not a security protocol or security mechanism, and it can't be relied upon as a security mechanism," he said. "To do so is basic security through obscurity." ®

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.