Security issues in wireless networks

It's depressing how often we see that those who don't remember history are doomed to repeat it. When cordless phones and the first analog cell phones hit the market, anybody with a scanner that operated at the right frequency could easily listen to calls not intended for them. The same cycle played out with 802.11 equipment.

Vendors first claimed that spread-spectrum modulation made it hard to build a receiver. That assertion was true in a limited sense: traditional RF receivers listen on a narrow band for the signal, whereas spread spectrum uses wide bands. However, the claim is also silly, because the receiver of a frame must, by definition, be able to receive and process it. Therefore, any 802.11 interface is, by definition, the receiver that vendors claimed didn't exist.

Finding wireless networks is easy. By necessity, wireless access points must announce themselves to the world. 802.11 beacon frames, used to broadcast network parameters, are sent unencrypted. By monitoring beacon frames, wandering users with an 802.11 receiver can find out about wireless networks in the area simply by putting up an antenna. A few people made headlines by attaching high-gain antennas to their automobiles and running custom software to log the wireless networks they found while driving around.
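To make concrete what a beacon gives away, here is an added example (not from the original text) that decodes a constructed 802.11 beacon frame into the parameters it announces in the clear: the BSSID (a 48-bit station identifier), the SSID, the channel, and whether the privacy (WEP) capability bit is set. These are the same fields that site-survey and wireless intrusion-detection tools read from beacons; the frame bytes, BSSID and SSID below are made up for illustration.

```python
import struct

# Constructed sample: one 802.11 beacon as it appears on the air (no radiotap
# header). Addresses, SSID and channel are invented for this example.
SAMPLE_BEACON = (
    bytes.fromhex("8000")                # frame control: type 0 (mgmt), subtype 8 (beacon)
    + bytes.fromhex("0000")              # duration
    + bytes.fromhex("ffffffffffff")      # addr1: destination, always broadcast for beacons
    + bytes.fromhex("001122334455")      # addr2: source (the access point's 48-bit address)
    + bytes.fromhex("001122334455")      # addr3: BSSID
    + bytes.fromhex("1000")              # sequence control
    + bytes.fromhex("0000000000000000")  # timestamp (8 bytes)
    + struct.pack("<H", 100)             # beacon interval: 100 time units
    + struct.pack("<H", 0x0011)          # capability: ESS (bit 0) + privacy/WEP (bit 4)
    + bytes([0x00, 7]) + b"CORPNET"      # information element 0: SSID
    + bytes([0x01, 4, 0x82, 0x84, 0x8B, 0x96])  # information element 1: supported rates
    + bytes([0x03, 1, 6])                # information element 3: DS parameter set (channel 6)
)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Return the network parameters a beacon frame announces unencrypted."""
    if len(frame) < 36:  # 24-byte MAC header + timestamp + interval + capability
        raise ValueError("frame too short for a beacon")
    fc0 = frame[0]
    frame_type, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if frame_type != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    interval, capability = struct.unpack_from("<HH", frame, 32)
    info = {"bssid": mac_str(frame[16:22]), "beacon_interval_tu": interval,
            "privacy": bool(capability & 0x0010), "ssid": None, "channel": None}
    pos = 36  # tagged information elements follow the fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2: pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop instead of reading past the frame
        if tag == 0:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info
```

Running `parse_beacon(SAMPLE_BEACON)` shows every field in the clear, including the privacy bit that tells a listener whether WEP is even enabled.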

By analogy to "war dialing" (dialing every number looking for a modem backdoor into a network), driving around looking for access points was called "war driving." War driving can be surprisingly effective. On one trip I took into San Francisco, I found half a dozen wireless networks without even trying.

Had I been serious, I would have been using a high-gain antenna mounted on the roof of my vehicle, rather than the relatively low-gain built-in antenna sitting on the passenger seat next to me, where radio signals could be blocked by the metal passenger door. Tools to assist with war driving are now famous (or infamous, if you prefer). One of the better-known tools is NetStumbler.

Once a wireless network has been located, the next question is access control. The original 802.11 standard contained only one standardized provision for restricting access to a wireless network, and it required implementing WEP, the Wired Equivalent Privacy specification.

Many vendors did not implement WEP initially, and needed to develop an alternative security solution that could be deployed quickly. MAC-address filtering emerged as the solution. Like all other IEEE 802 networks, 802.11 uses 48-bit station identifiers in the frame headers. Address filtering was based on the dubious theory that IT departments are responsible for issuing wireless LAN cards to users and should therefore be able to maintain a corporate-wide list of MAC addresses allowed to connect to a wireless network. During the initial connection procedures, wireless access points can check the MAC address of connecting stations to ensure the station is on the list of known good MAC addresses.

Address filtering was never part of the standard, but it has been widely deployed anyway. It is not, however, a serious security solution. Addresses identify stations, not users. Malicious attackers with a "good" MAC address are not prevented from accessing the network. Addresses do not validate that the system software is free from tampering. Stations on the "good" list may have any number of eavesdropping programs, spyware, or Trojan horses installed. Granting access to a station with the right wireless card but the wrong software can have disastrous consequences for your network security.

Most importantly, addresses are not strong authentication. Users with sufficient operating-system privileges can alter addresses to masquerade as an allowed wireless-network user. Obtaining a list of authorized wireless stations can be done quite economically.

Sniffers can be built entirely from open-source components. To turn a Linux laptop into a sniffer, the only additional cost would be less than $100 for a wireless LAN card based on the Intersil PRISM chipset. Once an attacker has built a sniffer, all that remains is to gather a list of allowed addresses. The sniffer can be used to monitor stations that successfully associate with the wireless LAN, and the attacker can then easily adopt one of the addresses on the authorized list.
