
Intel may have to bring forward its high-speed Centrino release date to avoid new hacking trick

by Guy Kewney | posted on 14 May 2004


Any wireless network can be jammed. All you need is a powerful transmitter to blot out the signal, and the data stream is lost in the noise. But what makes the Queensland University jamming trick for WiFi special is that it can be done with a simple PDA.


And the easy way to avoid it is to stop using older WLAN devices - including the Intel Centrino wireless standard.

The hacking trick is done by fooling the Ethernet collision avoidance algorithm - which is inherent in any LAN. By transmitting a signal which triggers this algorithm in all local devices, an attacker can put them offline without swamping them. All affected devices simply sit there, waiting for the imaginary congestion to clear.

Apparently, they'll stay like this indefinitely - until the attacking device switches off.

Exactly how important this trick might be to the WLAN industry isn't easy to guess. For a start, the researchers at Queensland University who uncovered it say that it is a way of disabling "a channel" of 802.11b WiFi - and there are 13 channels available.

It's also not a flaw that you'll find in either 802.11g or 802.11a networks, they say, unless the 11g network is operating in 11b mode. So if you have an 802.11g network and you do get attacked like this, it's simple enough to immunise yourself: merely switch the network into "11g-only" mode. The penalty is that all Centrino-based (and other legacy WLAN) clients will not be usable.

According to the Australian Computer Emergency Response Team (Auscert) the vulnerability "is related to the medium access control (MAC) function of the IEEE 802.11 protocol."

The Team's report says: "WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which minimises the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer."

DSSS is 11b; the 802.11g standard can talk to 11b protocol devices, but it's optional.
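To make the deferral mechanism concrete, here is an added simulation (not from the article, AusCERT or the Queensland researchers) of simplified 802.11 DCF contention: each station counts its random backoff down only while CCA reports the channel idle, so a persistent busy indication stalls every station, and traffic resumes the moment it stops. The final function is a constructed monitoring heuristic for an access point or sniffer: a window that is almost always CCA-busy yet carries no successful frames looks like this stall rather than like genuine load. The channel model, station names and thresholds are assumptions.

```python
import random

# Simplified 802.11 DCF contention (constructed model, not real driver code):
# a station counts its random backoff down only in slots where the Clear Channel
# Assessment (CCA) reports idle, and transmits when the counter reaches zero.
CW_MIN = 15  # 802.11b minimum contention window, in slots


def simulate(slots, cca_busy, names, seed=1):
    """Run `slots` time slots. cca_busy(t) is True when the PHY reports the medium
    busy for a reason other than a real frame (the kind of signal the article
    describes). Returns per-station frame counts and a per-slot event log."""
    random.seed(seed)
    backoff = {n: random.randint(0, CW_MIN) for n in names}
    sent = {n: 0 for n in names}
    log = []
    for t in range(slots):
        if cca_busy(t):
            log.append((t, "busy", None))  # every station freezes its counter
            continue
        ready = [n for n in names if backoff[n] == 0]
        if len(ready) == 1:
            sent[ready[0]] += 1
            backoff[ready[0]] = random.randint(0, CW_MIN)
            log.append((t, "tx", ready[0]))
        elif ready:
            # Two stations fired together: no ACK, both redraw a backoff
            # (contention-window doubling omitted for brevity)
            for n in ready:
                backoff[n] = random.randint(0, CW_MIN)
            log.append((t, "collision", None))
        else:
            for n in names:
                backoff[n] -= 1
            log.append((t, "idle", None))
    return sent, log


def cca_dos_indicator(log, busy_threshold=0.9):
    """Constructed monitoring heuristic: CCA almost always busy with no frame ever
    sent is the signature of the deferral stall, not of a heavily loaded cell."""
    if not log:
        return False
    busy = sum(1 for _, ev, _ in log if ev == "busy") / len(log)
    frames = sum(1 for _, ev, _ in log if ev == "tx")
    return busy >= busy_threshold and frames == 0


if __name__ == "__main__":
    sent, log = simulate(300, lambda t: t < 200, ["A", "B"])
    print("frames:", sent, "stall in first 200 slots:", cca_dos_indicator(log[:200]))
```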

There are good reasons for disabling 11b anyway: for most WLAN 11g access points, the overall throughput is more than doubled if 11b devices are disallowed, and the actual area covered can be larger because more users can be accommodated. However, when Intel was putting together its Centrino package, it decided to be conservative and go with the 11b standard, because at that time, the 11g standard was in confusion. Since January, Centrino devices have been 11g compatible, but they remain vulnerable to 11b exploits unless or until Intel disables the 11b mode.

The main danger created by this exploit is probably going to be from drug dealers and pranksters.

For example, if you have a personal enemy who is trying to use a public wireless hotspot, you would be able to take that hotspot offline at will, if armed with a pocket PC with WiFi, and running software to trigger the anti-collision algorithm.

Wireless security systems do exist, of course. Westminster Council is putting WiFi video cameras all over the City, and one of its big advantages over standard CCTV snoopers is that they can be moved with minimal notice.

According to Westminster's CEO, police have already managed a major drugs bust simply because they were able to re-locate a monitoring video camera overnight - covering a doorway where dealers believed they were out of sight. Dealers wouldn't scruple to try jamming such mobile WiFi cameras - but jamming requires significant personal risk, since you have to have pretty high-power microwave transmitters. By contrast, the Queensland exploit would be a simple matter for even the least expert PDA owner once they had the code.

At this point, it's hard to imagine who else might regard it as worth doing. To carry out the attack, you have to be there personally, or else you have to be prepared to abandon your pocket PC; it's not untraceable. And pocket PCs quickly run out of battery power if left continually talking to a WLAN; the jamming system won't last an hour, and then everything returns to normal.

However, Intel has been continually re-assessing the launch window for an 11g-only-based Centrino; and up to now, it has constantly moved the date further into the future.

This procrastination may be about to end, if the Queensland exploit is seen as sufficiently high profile. Intel won't want to be seen purveying obsolete hardware.

For more detail, see Security Focus.

