New risks in 802.11n

Security expert identifies emerging wireless vulnerabilities

Along with the potential performance and coverage benefits of 802.11n come a few new security risks, says industry security guru Joshua Wright. Wright presented a Webinar last week that outlined several new vulnerabilities that high-speed 802.11n networks introduce.

Wright, who has spent a decade ferreting out wireless security attacks, is an instructor for the SANS Institute, an information technology watchdog organization that offers information security training, certification and information resources. He's also a senior security researcher at Aruba Networks.

Here are a few 802.11n vulnerabilities he highlighted:

Wireless intrusion detection system (WIDS) gap

If using channel bonding to transmit across 40MHz channels (recommended primarily for the channel-abundant 5GHz band), it will take WIDSs twice as long to scan the frequencies for malicious patterns as it did to scan earlier 20MHz channels. The situation effectively doubles the time a hacker has to penetrate a given frequency until the scanner makes its way around to that frequency again - from about 4 seconds to about 8 seconds, Wright says.

Viewed another way, in a 20MHz channel, an attack must last about 4 seconds to be detected; in a 40MHz channel, it has to last 8 seconds. What kind of attack could be mounted in 4 to 8 seconds? "Mostly driver exploits [see below], which are 1- or 2-packet attacks," says Wright.

Driver exploits

Wright says there is "lots of vulnerable code out there driven by the [industry] frenzy to get 802.11n into the hands of users. When you have a driver vulnerability, a hacker can gain administrative access."

Of possible help here is a free tool from Aruba called the WiFi Driver Enumerator (WiFiDEnum). Using a database of known wireless vulnerabilities, WiFiDEnum assesses the versions of installed drivers and produces a vulnerability report, identifying systems and specific drivers that are at risk to wireless driver exploit attacks.

No protection yet for "block" acknowledgements (ACK)

IEEE 802.11n introduces a mechanism to acknowledge a block of packets, instead of individual packets, identified by a beginning and ending sequence identifier. "This block ACK mechanism is not protected; any attacker can spoof one of these messages and create an obscenely large window within which frames can be sent with no ACK," thereby creating an 802.11n denial-of-service vulnerability, says Wright. At this juncture, "There is no fix for this mechanism," he says.

Josh Wright is senior security architect for Aruba Networks

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joanie Wexler

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?