Feeds

Research spies holes in Fortune 1000 wireless nets

Frequency hopping. It's not a security protocol

Website security in corporate America

Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers that rely on them, a security expert has determined.

So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors.

As their name suggests, FHSS networks transmit radio signals by changing their frequency channel extremely rapidly - about once every 400 milliseconds. For more than a decade, the presumption even among many security professionals has been that it's impossible for outsiders to eavesdrop on the networks without spending tens of thousands of dollars on spectrum analyzers, oscilloscopes, and other sophisticated equipment.

Now, Rob Havelt, Practice Manager for Penetration Testing at security firm Trustwave, has devised a low-cost means to crack those networks using off-the-shelf hardware and custom-built software that cracks frequency-hopping algorithms. That leaves corporate networks at companies that use FHSS wide open because there's usually nothing separating one from the other.

"These networks present a large, gaping hole into a lot of organizations because they're not architected with security in mind," said Havelt, who plans to present his findings at the Black Hat security conference in Amsterdam. Companies "have them deployed and they're just basically waiting for somebody to get in that way."

FHSS networks carry signals on one of 79 channels in a sequence that's hard for outsiders to predict. Havelt's method employs a cheap radio that uses custom-built software based on the GNU Radio Project to locate a FHSS network's beacon frame. In turn, the beacon frame gives out the network's SSID, or service set identifier, and hop pattern.

Finding the SSID and hop pattern takes only a few seconds of monitoring with the software-based radio. From there, an intruder need only use a laptop armed with a FHSS-compliant network interface card to join the network. Although some FHSS networks use encryption to prevent unauthorized access, the protection is based on 40-bit WEP, or wired equivalent privacy, which is easily cracked.

"Once you have the correct SSID, the client is going to send association requests," Havel told The Register. After connecting, attackers generally have unfettered access to the organization's network.

In some respects, FHSS networks are the wireless equivalent of mainframe computers. With entire fleets of barcode scanners that rely on them, and the high cost of replacing them with more modern equipment, many organizations have chosen to hold on to the older gear despite their technical inferiority.

Havelt said it's not uncommon for penetration testers and other security consultants to tell their clients that FHSS networks are generally safe from intruders. His demonstration in two weeks is designed, once and for all, to put that misconception to rest.

"Frequency hopping is definitely not a security protocol or security mechanism, and it can't be relied upon as a security mechanism," he said. "To do so is basic security through obscurity." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.