Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/23/2006
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Metro-Mesh: A Hacker's Paradise?

The hidden dangers of the hotzone

Wireless metro-mesh technology promises a new era in anytime, anywhere public access Internet for the masses.

So-called mesh technology -- in case you've been living under a rock for the last year -- allows 802.11 wireless access points to pass data amongst themselves over the air, removing the need for multiple wired connections back to the Internet. Proponents of the technology, which has been taken up in cities such as Philadelphia and San Francisco over the past year, say that it will enable low-cost metropolitan WiFi access as well other services such as VOIP.

There is, however, one question that doesn't often seem to get asked about metro-mesh technology in the cavalcade of press coverage and industry hype: Just how secure is this technology?

On the face of it sounds secure enough. Most of the established and startup vendors in this space encrypt the wireless traffic sent over the mesh access points -- or "nodes," as the industry prefers to call them.

"We haven't had any reports of that," says Karrie Rockwell, the marketing director of MobilePro, when asked about hacks at the mesh network the firm runs in Tempe, Ariz. She points out that everything run over the network, which uses equipment from Strix Systems, has 128-bit encryption.

As previous wireless LAN attacks have shown, however, a cunning hacker may not necessarily need to crack the code to get user information or damage the network.

Security researcher Shawn Merdinger, who has previously worked with Cisco and TippingPoint, says that municipal metro deployments are going to be "a very serious security challenge to many people."

He foresees two main forms of attack:

Spoofing: This is essentially where hackers make users believe that they are logging onto the legitimate network when in fact they are connecting to the hacker's AP. Such "evil twin" attacks could potentially allow hackers to steal all kinds of personal information.

"Using gear like cheap Linksys WRT54Gs [APs], they'll run custom firmware like FairuzaUS and other Linux firmware images to conduct attacks like man-in-the-middle, scans, and exploiting vulnerabilities on the connecting clients," says Merdinger. "Since these boxes are so cheap, there's almost a throwaway cost here."

Denial of service: Since most mesh WiFi networks run in the unlicensed 2.4GHz band, hackers may not even need to use WiFi to conduct denial-of-service attacks against these networks.

"I think we'll see more esoteric attacks come into play as there is now a free wireless infrastructure in place," Merdinger says. "For example, widespread Bluetooth attacks and Bluetooth spamming are a real possibility with muni WiFi networks combined with small PCs like GumStix with Bluetooth."

As such networks evolve, Merdinger also imagines that WiFi-savvy users will use the free access to increase their personal bandwidth.

"For example, a single normal client might get 128-kbit/s download speed over muni WiFi; by consolidating several of these connections together using multiple cards in a box folks can abuse the systems," the security wonk explains. "The long-distance capability of yagi WiFi antennas makes it likely that they'll be able to make connections to APs far away from their immediate area."

It's impossible to know yet how much of a threat these kinds of attacks pose because very few major cities have actually launched metro-mesh networks yet. It is not hard to imagine, however, that certain hackers will see the next big target not as their local superstore but their local municipal network.

We sent Merdinger's potential security risks list to several mesh vendors and analysts but have not yet received any response.

— Dan Jones, Site Editor, Unstrung, special to Dark Reading

Organizations mentioned in this article:

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • FairuzaUS
  • GumStix
  • MobilePro Corp.
  • Strix Systems Inc.
  • TippingPoint Technologies Inc.

    Dan is to hats what Will.I.Am is to ridiculous eyewear. Fedora, trilby, tam-o-shanter -- all have graced the Jones pate during his career as the go-to purveyor of mobile essentials. But hey, Dan is so much more than 4G maps and state-of-the-art headgear. Before joining the ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 11/19/2020
    New Proposed DNS Security Features Released
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
    The Yellow Brick Road to Risk Management
    Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: He hits the gong anytime he sees someone click on an email link.
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-29128
    PUBLISHED: 2020-11-26
    petl before 1.68, in some configurations, allows resolution of entities in an XML document.
    CVE-2020-27251
    PUBLISHED: 2020-11-26
    A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
    CVE-2020-27253
    PUBLISHED: 2020-11-26
    A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.
    CVE-2020-27255
    PUBLISHED: 2020-11-26
    A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the b...
    CVE-2020-25651
    PUBLISHED: 2020-11-26
    A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest...