802.11b Firmware-Level Attacks

By | November 5, 2006

Denial of Service (DoS) attacks are a common threat to 802.11 wireless networks. Using widely available software and an inexpensive wireless LAN card, an attacker can halt the service of a wireless LAN at their whim. While very effective, these tools lack persistence in their operation – when the attacker stops the attack or leaves the range of the victim network, client workstations automatically resume their connectivity to the network.

802.11b wireless cards from a variety of manufacturers contain a firmware bug that is triggered while the card is in a state where it expects a probe response packet: a maliciously injected probe response with the SSID tag length set to 0 locks up the card itself and, depending on the platform and drivers, the host operating system. Once the 802.11b card has locked, it nearly always requires a reset of the adapter (via eject/insert for PCMCIA and USB adapters, or a full reboot for PCI and other adapters). Some operating systems and drivers require a full reboot to reinitialize the driver.

The 802.11 specification makes extensive use of management frames for a variety of functions including controlling access to the medium, advertising wireless service availability, station authentication and association, and power management. All 802.11 frames use the same standard header to identify packet source, destination, network identification information and frame type (data, management or control). Management frames utilize fixed or variable length fields in the packet payload to identify the various functions they perform.
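The header and tagged-parameter layout just described is what a monitoring tool has to decode to notice the malformed probe response the paper is about. The following is an added example, not code from the paper or its author: a minimal parser for the 24-byte 802.11 MAC header and the tagged parameters of beacon, probe request and probe response frames, plus a check that flags a probe response carrying a zero-length SSID tag. The sample frames, addresses and SSID are constructed here for the example. A zero-length SSID is legitimate in a probe request (the wildcard probe) and in beacons of networks that hide their name, so the check deliberately fires only on the probe response subtype.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 802.11 frame control: bits 2-3 = type, bits 4-7 = subtype
MGMT_TYPE = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0            # tagged parameter id for the SSID
IE_SUPPORTED_RATES = 1
MAC_HEADER_LEN = 24    # frame control, duration, addr1-3, sequence control


@dataclass
class Frame:
    ftype: int
    subtype: int
    addr1: bytes  # receiver
    addr2: bytes  # transmitter
    addr3: bytes  # BSSID in management frames
    ies: List[Tuple[int, bytes]]


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tag/length/value list; refuse a length that overruns the frame."""
    ies = []
    off = 0
    while off + 2 <= len(data):
        eid, elen = data[off], data[off + 1]
        off += 2
        if off + elen > len(data):
            raise ValueError("tagged parameter overruns frame")
        ies.append((eid, data[off:off + elen]))
        off += elen
    return ies


def parse_mgmt_frame(buf: bytes) -> Frame:
    """Decode the fixed MAC header and, for the three probe/beacon subtypes, the IEs."""
    if len(buf) < MAC_HEADER_LEN:
        raise ValueError("frame shorter than MAC header")
    fc, _duration = struct.unpack_from("<HH", buf, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    addr1, addr2, addr3 = buf[4:10], buf[10:16], buf[16:22]
    body = buf[MAC_HEADER_LEN:]
    ies: List[Tuple[int, bytes]] = []
    if ftype == MGMT_TYPE:
        # Beacon and probe response start with 12 fixed bytes:
        # timestamp (8), beacon interval (2), capability info (2).
        if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            ies = parse_ies(body[12:])
        elif subtype == SUBTYPE_PROBE_REQ:
            ies = parse_ies(body)
    return Frame(ftype, subtype, addr1, addr2, addr3, ies)


def ssid_of(frame: Frame) -> Optional[bytes]:
    for eid, value in frame.ies:
        if eid == IE_SSID:
            return value
    return None


def zero_length_ssid_probe_response(frame: Frame) -> bool:
    """The condition the paper describes: probe response + SSID tag length 0."""
    if frame.ftype != MGMT_TYPE or frame.subtype != SUBTYPE_PROBE_RESP:
        return False
    return any(eid == IE_SSID and len(v) == 0 for eid, v in frame.ies)


def make_mgmt_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed sample frame (hypothetical addresses) for the checks below."""
    fc = (subtype << 4) | (MGMT_TYPE << 2)
    header = struct.pack("<HH", fc, 0)
    header += b"\xff" * 6                      # addr1: broadcast
    header += bytes.fromhex("020000000001")    # addr2: constructed transmitter
    header += bytes.fromhex("020000000001")    # addr3: constructed BSSID
    header += struct.pack("<H", 0)             # sequence control
    body = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body += struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, interval, capability
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbps
    return header + body


# Constructed sample capture: one benign probe response, the malformed one,
# and two frames where a zero-length SSID is normal and must not be flagged.
SAMPLES = {
    "normal_probe_resp": make_mgmt_frame(SUBTYPE_PROBE_RESP, b"corpnet"),
    "malformed_probe_resp": make_mgmt_frame(SUBTYPE_PROBE_RESP, b""),
    "wildcard_probe_req": make_mgmt_frame(SUBTYPE_PROBE_REQ, b""),
    "hidden_beacon": make_mgmt_frame(SUBTYPE_BEACON, b""),
}


def scan(frames: dict) -> List[str]:
    """Return the names of frames matching the zero-length-SSID probe response pattern."""
    return [name for name, raw in frames.items()
            if zero_length_ssid_probe_response(parse_mgmt_frame(raw))]


if __name__ == "__main__":
    print("flagged:", scan(SAMPLES))
```

Run against a real capture, the same `parse_mgmt_frame` call would be fed each frame's bytes after the radiotap or PRISM header has been stripped; the overrun check in `parse_ies` matters there, because a truncated or deliberately short tag length is exactly the kind of input the affected firmware did not validate.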

This paper describes a new style of DoS attack against 802.11 networks that abuses flaws in the firmware of popular 802.11 wireless cards. The impact of this attack is more damaging than other 802.11 DoS attacks, requiring as few as two packets from an attacker to deny service to all target users, often requiring a system restart to recover from the attack. It is the author’s hope that the public disclosure of this flaw will motivate 802.11 product manufacturers to resolve firmware flaws in their products, and to make those updates freely available to customers.

