Research spies holes in Fortune 1000 wireless nets
Frequency hopping. It's not a security protocol
Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers that rely on them, a security expert has determined.
So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors.
As their name suggests, FHSS networks transmit radio signals by changing their frequency channel extremely rapidly - about once every 400 milliseconds. For more than a decade, the presumption even among many security professionals has been that it's impossible for outsiders to eavesdrop on the networks without spending tens of thousands of dollars on spectrum analyzers, oscilloscopes, and other sophisticated equipment.
Now, Rob Havelt, Practice Manager for Penetration Testing at security firm Trustwave, has devised a low-cost means to crack those networks using off-the-shelf hardware and custom-built software that cracks frequency-hopping algorithms. That leaves corporate networks at companies that use FHSS wide open because there's usually nothing separating one from the other.
"These networks present a large, gaping hole into a lot of organizations because they're not architected with security in mind," said Havelt, who plans to present his findings at the Black Hat security conference in Amsterdam. Companies "have them deployed and they're just basically waiting for somebody to get in that way."
FHSS networks carry signals on one of 79 channels in a sequence that's hard for outsiders to predict. Havelt's method employs a cheap radio that uses custom-built software based on the GNU Radio Project to locate a FHSS network's beacon frame. In turn, the beacon frame gives out the network's SSID, or service set identifier, and hop pattern.
Finding the SSID and hop pattern takes only a few seconds of monitoring with the software-based radio. From there, an intruder need only use a laptop armed with a FHSS-compliant network interface card to join the network. Although some FHSS networks use encryption to prevent unauthorized access, the protection is based on 40-bit WEP, or wired equivalent privacy, which is easily cracked.
"Once you have the correct SSID, the client is going to send association requests," Havel told The Register. After connecting, attackers generally have unfettered access to the organization's network.
In some respects, FHSS networks are the wireless equivalent of mainframe computers. With entire fleets of barcode scanners that rely on them, and the high cost of replacing them with more modern equipment, many organizations have chosen to hold on to the older gear despite their technical inferiority.
Havelt said it's not uncommon for penetration testers and other security consultants to tell their clients that FHSS networks are generally safe from intruders. His demonstration in two weeks is designed, once and for all, to put that misconception to rest.
"Frequency hopping is definitely not a security protocol or security mechanism, and it can't be relied upon as a security mechanism," he said. "To do so is basic security through obscurity." ®