by Berislav Kucan - Wednesday, 6 August 2003.
During the 802.11 Planet Expo in Boston, wireless security company AirDefense monitored WLAN activity on the show floor and published its findings in the July 2003 edition of its WLAN Watch newsletter. Among the highlights, suspicious and malicious activity at the 802.11 Planet Expo included:
- 149 network scans from tools such as Netstumbler, Wellenreiter and commercial scanners
- 105 Denial-of-Service attacks that included 27 de-authenticate attacks against stations, 48 de-authenticate attacks against access points, 12 de-authenticate "cloud" attacks, 16 ARP floods and two EAP floods against authentication servers
- 84 identity thefts where user stations spoofed MAC addresses of other stations or access points;
- Three successful Man-in-the-Middle attacks (32 were attempted); and
- Eight instances where malicious stations searched for known exploits in access points.
Among the 230 access points that AirDefense identified on the showroom floor:
- 92 did not encrypt or authenticate the WLAN traffic with WEP, 802.1X, LEAP, PEAP or WPA;
- 15 were connected directly into hubs; because a hub repeats every frame to every port, each of these access points relayed all wired-side traffic into the airwaves;
- 38 were improperly configured with default settings, overlapping channels or conflicting modes of authentication, where access points allowed both 802.1X and open authentication;
- 95 experienced excessive network interference which forced the access point to retransmit traffic more than 50 percent of the time; and
- 7 were "softAPs" where laptops were functioning as rogue access points.
AirDefense also identified attacks and suspicious events on the wireless LANs at Networld+Interop:
- 224 individual stations that scanned the wireless LANs with tools such as Netstumbler and MiniStumbler;
- 16 Denial-of-Service attacks, including 8 de-authentication floods against individual stations, 4 disassociate floods against specific access points, 2 broadcast floods with disassociate and de-authenticate commands against access points, and 2 DoS "cloud" attacks that jammed the airwaves for multiple access points and stations;
- 10 identity thefts from spoofed MAC addresses from stations; and
- 15 IP-based attacks that exposed vulnerabilities on access points.
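The two event types that dominate both lists, de-authentication and disassociation floods and MAC-address spoofing, are what a wireless monitor such as the one AirDefense ran has to pick out of a stream of captured 802.11 management frames. The following Python script is an added example of how that detection can be done; it is not AirDefense's code and not part of the original report. The frame records, MAC addresses, timestamps, thresholds and the sequence-number heuristic used for spoofing are all assumptions constructed for the example; a real monitor would feed it frames decoded from a monitor-mode capture.

```python
"""Added example (not AirDefense's code): detect de-authentication floods
and spoofed MAC addresses in a stream of captured 802.11 management frames.

Each frame is a dict with the fields a monitor-mode capture would yield:
  ts       capture time in milliseconds (assumed unit)
  subtype  management-frame subtype, e.g. "beacon", "deauth", "disassoc"
  src/dst  transmitter and receiver MAC address
  bssid    BSSID of the cell the frame belongs to
  seq      12-bit 802.11 sequence number
All addresses, thresholds and sample frames below are constructed.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def detect_deauth_floods(frames, window_ms=1000, threshold=10):
    """Return one alert per receiver that gets >= threshold deauth/disassoc
    frames inside any window_ms interval, as (dst, kind, count).  kind is
    "broadcast" for a "cloud" attack aimed at every client, "ap" when the
    receiver is the BSSID itself and "station" for a single client."""
    recent = defaultdict(deque)   # dst -> timestamps still inside the window
    alerts, flagged = [], set()
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["subtype"] not in DISCONNECT_SUBTYPES:
            continue
        dq = recent[f["dst"]]
        dq.append(f["ts"])
        while f["ts"] - dq[0] > window_ms:   # drop timestamps that aged out
            dq.popleft()
        if len(dq) >= threshold and f["dst"] not in flagged:
            flagged.add(f["dst"])            # report each target once
            if f["dst"] == BROADCAST:
                kind = "broadcast"
            elif f["dst"] == f["bssid"]:
                kind = "ap"
            else:
                kind = "station"
            alerts.append((f["dst"], kind, len(dq)))
    return alerts


def detect_mac_spoofing(frames, max_gap=50):
    """Heuristic (an assumption of this example, not a standard): a single
    radio increments its sequence counter by one per new frame, so a
    backwards jump or a leap larger than max_gap under one source MAC
    suggests a second device transmitting with that address.  A repeated
    value (delta 0) is a retransmission and is ignored."""
    last_seq, suspects = {}, set()
    for f in sorted(frames, key=lambda x: x["ts"]):
        src, seq = f["src"], f["seq"]
        if src in last_seq:
            delta = (seq - last_seq[src]) % 4096   # counter wraps at 4095
            if delta > max_gap:
                suspects.add(src)
        last_seq[src] = seq
    return suspects


AP = "00:11:22:33:44:55"       # constructed BSSID of the legitimate AP
STA = "aa:bb:cc:dd:ee:01"      # constructed client under attack
OTHER = "aa:bb:cc:dd:ee:02"    # constructed client that is legitimately dropped


def sample_capture():
    """Constructed capture: a healthy cell, then an attacker injecting
    deauth frames with the AP's address as source and its own counter."""
    def frame(ts, subtype, src, dst, seq, bssid=AP):
        return {"ts": ts, "subtype": subtype, "src": src, "dst": dst,
                "bssid": bssid, "seq": seq}
    frames = [frame(i * 100, "beacon", AP, BROADCAST, 100 + i) for i in range(20)]
    frames += [frame(200 + i * 200, "probe_req", STA, BROADCAST, 10 + i, BROADCAST)
               for i in range(3)]
    # 12 deauths at STA within 0.55 s, spoofing the AP (counter starts at 3000)
    frames += [frame(1000 + i * 50, "deauth", AP, STA, 3000 + i) for i in range(12)]
    # one genuine deauth from the AP to another client: not a flood
    frames.append(frame(2500, "deauth", AP, OTHER, 120))
    # broadcast "cloud" flood knocking every client off the AP
    frames += [frame(3000 + i * 50, "deauth", AP, BROADCAST, 3012 + i) for i in range(12)]
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    for dst, kind, n in detect_deauth_floods(cap):
        print(f"deauth flood: {n} frames in one window at {kind} {dst}")
    for mac in detect_mac_spoofing(cap):
        print(f"possible MAC spoofing of {mac}")
```

On the constructed capture the flood detector reports the targeted station and the broadcast "cloud" flood but not the single legitimate deauth, and the spoofing check flags the AP's address because the injected frames interleave a second sequence counter with the AP's own beacons. The window and threshold are tuning knobs: a crowded show floor with real roaming produces legitimate deauth bursts, so they should be set from a baseline of the venue's own traffic rather than the values used here.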