Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Embedded Server/Appliance)  >   Wireless 802.11 (Generic) Vendors:   [Multiple Authors/Vendors]
IEEE 802.11 Wireless LANs Can Be Disrupted By Remote Users Within Transmission Range
SecurityTracker Alert ID:  1010152
SecurityTracker URL:
CVE Reference:   CVE-2004-0459   (Links to External Site)
Updated:  May 20 2004
Original Entry Date:  May 13 2004
Impact:   Denial of service via network
Vendor Confirmed:  Yes  

Description:   A physical layer denial of service vulnerability was reported in the IEEE 802.11 protocol specification and the wireless devices that implement the specification. A remote user within range of a wireless local area network (WLAN) can cause the target WLAN to become unavailable.

AUSCERT issued an advisory (AA-2004.02) warning that a remote user can cause "significant disruption" to all WLAN traffic within the transmission range of the remote user. The attack causes the WLAN devices, including both clients and access points, to believe that the channel is busy for the duration of the attack.

The flaw reportedly resides in the Clear Channel Assessment (CCA) procedure performed by the Direct Sequence Spread Spectrum (DSSS) physical layer implementation. Affected devices include those that implement IEEE 802.11, 802.11b, and low-speed (below 20Mbps) 802.11g.

According to the report, devices that implement IEEE 802.11a and high-speed (above 20Mbps) 802.11g are not affected.

Impact:   A remote user with a physical layer device within range of a wireless local area network (WLAN) can cause the target WLAN to become unavailable.
Solution:   No solution was available at the time of this entry. AUSCERT reports that "at this time a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices."
Cause:   State error

Message History:   None.

 Source Message Contents

Subject:  Denial of Service Vulnerability in IEEE 802.11 Wireless Devices

Hash: SHA1

AA-2004.02                     AUSCERT Advisory

       Denial of Service Vulnerability in IEEE 802.11 Wireless Devices
                                 13 May 2004
Last Revised: --

- ---------------------------------------------------------------------------

1.  Description

	A vulnerability exists in hardware implementations of the IEEE
	802.11 wireless protocol[1] that allows for a trivial but effective
	attack against the availability of wireless local area network
	(WLAN) devices.

	An attacker using a low-powered, portable device such as an
	electronic PDA and a commonly available wireless networking card
	may cause significant disruption to all WLAN traffic within range,
	in a manner that makes identification and localisation of the
	attacker difficult.

	The vulnerability is related to the medium access control (MAC)
	function of the IEEE 802.11 protocol.  WLAN devices perform Carrier
	Sense Multiple Access with Collision Avoidance (CSMA/CA), which
	minimises the likelihood of two devices transmitting
	simultaneously.  Fundamental to the functioning of CSMA/CA is the
	Clear Channel Assessment (CCA) procedure, used in all
	standards-compliant hardware and performed by a Direct Sequence
	Spread Spectrum (DSSS) physical (PHY) layer.

	An attack against this vulnerability exploits the CCA function at
	the physical layer and causes all WLAN nodes within range, both
	clients and access points (AP), to defer transmission of data for
	the duration of the attack. When under attack, the device behaves
	as if the channel is always busy, preventing the transmission of
	any data over the wireless network.

	Previously, attacks against the availability of IEEE 802.11
	networks have required specialised hardware and relied on the
	ability to saturate the wireless frequency with high-power
	radiation, an avenue not open to discreet attack. This
	vulnerability makes a successful, low cost attack against a
	wireless network feasible for a semi-skilled attacker.

	Although the use of WLAN technology in the areas of critical
	infrastructure and systems is still relatively nascent, uptake of
	wireless applications is demonstrating exponential growth. The
	potential impact of any effective attack, therefore, can only
	increase over time.

2. Platform

	Wireless hardware devices that implement IEEE 802.11 using a DSSS
	physical layer. Includes IEEE 802.11, 802.11b and low-speed (below
	20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and
	high-speed (above 20Mbps) 802.11g wireless devices.

3.  Impact

	Devices within range of the attacking device will be affected. If
	an AP is within range, all devices associated with that AP are
	denied service; if an AP is not within range, only those devices
	within range of the attacking device are denied service.

	Minimum threat characteristics:

		o An attack can be mounted using commodity hardware and
		drivers - no dedicated or high-power wireless hardware is

		o An attack consumes limited resources on attacking device,
		so is inexpensive to mount

		o Vulnerability will not be mitigated by emerging MAC layer
		security enhancements ie IEEE 802.11 TGi

		o Independent vendors have confirmed that there is
		currently no defence against this type of attack for DSSS
		based WLANs

	The range of a successful attack can be greatly improved by an
	increase in the transmission power of the attacking device, and
	the use of high-gain antennae.

3.  Workarounds/Mitigation

	At this time a comprehensive solution, in the form of software or
	firmware upgrade, is not available for retrofit to existing
	devices. Fundamentally, the issue is inherent in the protocol
	implementation of IEEE 802.11 DSSS.

	IEEE 802.11 device transmissions are of low energy and short range,
	so the range of this attack is limited by the signal strength of
	the attacking device, which is typically low. Well shielded WLANs
	such as those for internal infrastructures should be relatively
	immune, however individual devices within range of the attacker
	may still be affected. Public access points will remain
	particularly vulnerable.

	The model of a shared communications channel is a fundamental
	factor in the effectiveness of an attack on this vulnerability.
	For this reason, it is likely that devices based on the newer IEEE
	802.11a standard will not be affected by this attack where the
	physical layer uses Orthogonal Frequency Division Multiplexing

	It is recognised that the 2.4G Hz band suffers from radio
	interference problems, and it is expected that operators of the
	technology will already have in place measures to shield their
	networks as well as a reduced reliance on this technology for
	critical applications.

	The effect of the DoS on WLANs is not persistent - once the jamming
	transmission terminates, network recovery is essentially immediate.

	The results of a successful DoS attack will not be directly
	discernable to an attacker, so an attack of this type may be
	generally less attractive to mount.

	At this time, AusCERT continues to recommend that the application
	of wireless technology should be precluded from use in safety,
	critical infrastructure and/or other environments where
	availability is a primary requirement. Operators of wireless LANs
	should be aware of the increased potential for undesirable activity
	directed at their networks.


[1] IEEE-SA Standards Board, "IEEE Std IEEE 802.11-1999 Information
     Technology - Telecommunications and Information Exchange Between
     Systems-Local and Metropolitan Area Networks - Specific Requirements
     - Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer
     (PHY) Specifications," IEEE 1999.

- -------------------------------------------------------------------------
AusCERT would like to thank the Queensland University of Technology (QUT)
Information Security Research Centre (ISRC) for the information contained
in this advisory. AusCERT would like to thank all vendors that participated
in this process and provided recommendations for mitigation and/or
confirmed details of the vulnerability.
- -------------------------------------------------------------------------

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

AusCERT also maintains a World Wide Web service which is found on:

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                 AusCERT personnel answer during Queensland business
                 hours which are GMT+10:00 (AEST).  On call after hours
                 for member emergencies only.

Australian Computer Emergency Response Team
The University of Queensland
Qld  4072

Revision History




Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC