[MLB-WIRELESS] Security problems with Netgear 802.11g kit and WEP??

Andrew Harcourt gfg687472609 at geckomail.org
Tue Jul 8 16:12:15 EST 2003


G'day!

> However, if it is implemented as suspected below, this
> is a Bad Thing(tm).
> Coming up with your MAC address via ARP doesn't
> necessarily mean that the AP is doing anything horrendously
> bad. What would be quite terrible though, is if it is
> truly passing packets unencrypted from the wired side
> of the AP to the wireless.

It doesn't; see below.

> If possible, it would be great if you could manually
> set an IP on one of your wireless clients and attempt
> to ping something on the far side of the wireless/wired
> bridge, whilst running tcpdump on an internal machine.

> If the ICMP packets come up, then this is truly bad. 
> Interesting though.

Worse than that: DHCP request packets are also permitted onto the wired
network. Running tethereal on the DHCP server's ethernet segment shows
that my DHCP requests are being received successfully by the server. I
saw a bunch of DHCP OFFER packets being sent back to me; thankfully the
packet dump I was running on the client machine didn't show anything,
and I didn't actually get a lease.

This is *definitely* a Bad Thing though: once the DHCP server offers an
address to a prospective client, it's quite possible it will flag it as
allocated or abandoned if the client doesn't respond. (I know, I know,
it shouldn't do that - but many primitive servers do - for example, some
that you find in cheap DSL routers...)  If that's the case, it could be
possible to exhaust the address pool..

What worries me is the ability to inject arbitrary traffic onto the
network - this is almost as bad as not having WEP at all, *and* it will
give people a false sense of security :(. This shouldn't happen - period
- and there didn't seem to be a configuration option in the AP that
would allow me to turn it off.

Pity I've forgotten the firmware version - I've asked the owner of the
toy to mail it to me; perhaps it's already been fixed...




Regards,
Andrew
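
The pool-exhaustion symptom described in the message above can be checked from the DHCP server's own log. This is an added example, not part of the original post: it assumes ISC dhcpd-style syslog lines, and the sample log, MAC addresses and function names are constructed for illustration.

```python
import re

# Constructed sample lines in ISC dhcpd-style syslog format (an assumption;
# the post does not say which DHCP server was in use).
SAMPLE_LOG = """\
Jul  8 16:01:02 gw dhcpd: DHCPDISCOVER from 02:00:00:aa:bb:01 via eth0
Jul  8 16:01:03 gw dhcpd: DHCPOFFER on 192.168.0.50 to 02:00:00:aa:bb:01 via eth0
Jul  8 16:01:03 gw dhcpd: DHCPREQUEST for 192.168.0.50 (192.168.0.1) from 02:00:00:aa:bb:01 via eth0
Jul  8 16:01:03 gw dhcpd: DHCPACK on 192.168.0.50 to 02:00:00:aa:bb:01 via eth0
Jul  8 16:02:10 gw dhcpd: DHCPDISCOVER from 02:00:00:cc:dd:02 via eth0
Jul  8 16:02:11 gw dhcpd: DHCPOFFER on 192.168.0.51 to 02:00:00:cc:dd:02 via eth0
Jul  8 16:02:15 gw dhcpd: DHCPDISCOVER from 02:00:00:cc:dd:02 via eth0
Jul  8 16:02:16 gw dhcpd: DHCPOFFER on 192.168.0.51 to 02:00:00:cc:dd:02 via eth0
Jul  8 16:03:00 gw dhcpd: DHCPDISCOVER from 02:00:00:CC:DD:03 via eth0
Jul  8 16:03:01 gw dhcpd: DHCPOFFER on 192.168.0.52 to 02:00:00:CC:DD:03 via eth0
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
OFFER = re.compile(r"DHCPOFFER on (\S+) to " + MAC, re.I)
# The "(server-id)" part only appears when the client names a server.
REQUEST = re.compile(r"DHCPREQUEST for (\S+)(?: \(\S+\))? from " + MAC, re.I)


def unanswered_offers(log_text):
    """Map MAC -> {"ip", "offers"} for clients that were offered an
    address but never sent a DHCPREQUEST afterwards."""
    pending = {}
    for line in log_text.splitlines():
        m = OFFER.search(line)
        if m:
            entry = pending.setdefault(m.group(2).lower(), {"ip": None, "offers": 0})
            entry["ip"] = m.group(1)
            entry["offers"] += 1
            continue
        m = REQUEST.search(line)
        if m:
            # Client completed the handshake: the offer is no longer orphaned.
            pending.pop(m.group(2).lower(), None)
    return pending


def pool_pressure(log_text, pool_size):
    """Fraction of the pool tied up by offers that nobody accepted."""
    held = {e["ip"] for e in unanswered_offers(log_text).values()}
    return len(held) / pool_size


if __name__ == "__main__":
    for mac, e in unanswered_offers(SAMPLE_LOG).items():
        print(f"{mac}: offered {e['ip']} {e['offers']}x, never requested")
    print(f"pool held by orphaned offers: {pool_pressure(SAMPLE_LOG, 20):.0%}")
```

A steadily growing set of orphaned offers from MAC addresses that never complete a lease is the server-side view of what the tethereal capture showed.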









