
Wireless Device Discovery

Bruce Potter

In order to attack or audit a wireless network, you must first determine which devices are nearby. Understanding how wireless devices are discovered is a key piece in assessing the risk involved in using wireless networks. Different wireless technologies require different discovery techniques in order to effectively find all local devices.

For instance, discovery of 802.11 devices is a common practice, often referred to as “war-driving,” yet many networking professionals do not know how this process works or how to limit an attacker’s ability to find devices. Bluetooth, a Personal Area Network protocol that has rapidly gained adoption around the world, has had little public security research into the device discovery process. Bluetooth is relatively obscure within the hacker community, but over the next few years the protocol will come under more scrutiny as even more radios are deployed.

802.11

802.11 networks generally use a type of wireless signaling called Direct Sequence Spread Spectrum (DSSS) or Orthogonal Frequency Division Multiplexing (OFDM). The original 802.11 specification called for other types of signaling, but these never really caught on. DSSS and OFDM are complicated, physical-layer mechanisms that are well outside the scope of this article. What is important about both mechanisms is that they divide the frequency range into a series of channels. These channels, each a fraction of the available frequency band, are used by devices to send packets to each other. In an 802.11 network, devices are configured to use one channel for all communications. The devices do not move around to different channels when they communicate. Therefore, in order to intercept traffic between devices on an 802.11 network, you simply need to listen to the channel the network is on.

802.11 networks have a very limited number of channels to choose from. For instance, 802.11b in the US is limited to 11 channels. If an attacker wants to scan all channels for traffic, they simply need to switch channels periodically to listen for traffic. 11 channels can be cycled rapidly in software on most wireless cards. Cisco has a hardware-switching mode that makes the switching transparent to the user, allowing nearly continuous monitoring of all channels. Regardless of the mechanism used, 802.11 networks can be discovered in fractions of a second.

Cloaking

The 802.11 protocols specify packets that can be sent by an access point to allow wireless clients to easily find it. This packet, called a beacon, is sent at a regular interval (usually 100ms) so clients can rapidly find the access point and form an association. However, if the client already knows the name of the desired access point, the beacon packet is not required. Therefore, beaconing can be turned off to create a cloaked network.

This cloaking prevents standard clients from finding the access point. It also prevents some common war-driving tools, such as NetStumbler [1], from discovering the access point. However, more advanced war-driving tools, such as AirSnort [2], will find the access point even if the beacons are disabled. Tools such as AirSnort eavesdrop on any 802.11 traffic on the airwaves and therefore will find any device that generates traffic. Because of this promiscuous listening, these tools will find not only 802.11 access points but any 802.11 clients in the area as well.

Because of its use of DSSS and OFDM, 802.11 traffic is relatively easy to discover. Almost any wireless card on the market can be combined with various free war-driving software to allow an attacker nearly instant discovery of 802.11 devices using commodity-grade hardware.
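The promiscuous-listening point above, as an added example that is not from the article or from any of the tools it names: a Python inventory built from a constructed set of simplified 802.11 frame records (the five fields are my own reduction of the real frame headers), showing that a cloaked or non-beaconing access point and its clients are catalogued as soon as any frame from them is heard, which is why cloaking is not a control an auditor should rely on.

```python
"""Inventory 802.11 devices from a passive, promiscuous capture.

Added example, not from Bruce Potter's article; CAPTURE is constructed, not a
real trace. Cloaking an AP does not hide it from a listener like AirSnort:
probe responses, association requests and data frames still carry its BSSID,
and clients that know the name send it in the clear when probing or joining.
"""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed records: (frame type, channel, source address, BSSID, SSID).
# An empty-SSID beacon is a cloaked AP; a never-beaconing AP has no beacon row.
CAPTURE = [
    ("beacon",     6, "00:0c:41:aa:aa:01", "00:0c:41:aa:aa:01", "CAFE-WIFI"),
    ("beacon",     1, "00:40:96:bb:bb:02", "00:40:96:bb:bb:02", ""),
    ("probe_req",  1, "00:02:2d:cc:cc:03", BROADCAST,           "CORP-PRIVATE"),
    ("probe_resp", 1, "00:40:96:bb:bb:02", "00:40:96:bb:bb:02", "CORP-PRIVATE"),
    ("assoc_req",  1, "00:02:2d:cc:cc:03", "00:40:96:bb:bb:02", "CORP-PRIVATE"),
    ("data",      11, "00:02:2d:dd:dd:04", "00:0c:41:ee:ee:05", None),
    ("data",      11, "00:0c:41:ee:ee:05", "00:0c:41:ee:ee:05", None),
]

@dataclass
class AccessPoint:
    channel: int
    beacons: int = 0                  # beacons heard; 0 means beaconing is off
    cloaked: bool = False             # beacons seen, but with the SSID withheld
    ssid: Optional[str] = None        # name as learned from any frame type
    clients: set = field(default_factory=set)

def inventory(frames):
    """Build {BSSID: AccessPoint} from every frame type, not just beacons."""
    aps = {}
    for ftype, chan, src, bssid, ssid in frames:
        if bssid == BROADCAST:        # probe requests name no particular AP
            continue
        ap = aps.setdefault(bssid, AccessPoint(chan))
        if ftype == "beacon":
            ap.beacons += 1
            ap.cloaked = ap.cloaked or ssid == ""
        if ssid:                      # probe_resp/assoc_req reveal a hidden name
            ap.ssid = ssid
        if src != bssid:              # sent by a station, so record the client
            ap.clients.add(src)
    return aps

def found_despite_cloaking(aps):
    """BSSIDs a beacon-only scanner such as NetStumbler would have missed."""
    return [b for b, ap in aps.items() if ap.cloaked or ap.beacons == 0]
```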

Bluetooth

Bluetooth is an entirely different animal. Bluetooth uses Frequency Hopping Spread Spectrum (FHSS) for its communication. Rather than occupying one channel for extended periods of time, devices that use FHSS hop rapidly between many different locations in the frequency band. In the case of Bluetooth, these hops happen every 625 microseconds and rotate through 79 hop locations. All devices in an FHSS network must use the same hopping pattern so they are jumping to the right locations. Also, the devices must be in the same place in the pattern to ensure they are jumping at the right time.

This hopping process makes FHSS devices harder to find than DSSS/OFDM devices. In order to find an FHSS device, the discovering device must jump around rapidly to all the hop locations in an attempt to find the other devices. This can be a time-consuming process, regardless of whether you are an attacker or a legitimate device. Compared to the milliseconds it takes for 802.11 devices to find each other, it usually takes between 2 and 10 seconds for Bluetooth devices to find each other.
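The 2 to 10 second figure above, illustrated by an added Python model that is not from the article: it simulates only the timing of the Bluetooth inquiry procedure, with parameter values I am assuming from the 1.x specification (11.25 ms scan window every 1.28 s, two 16-frequency trains of 10 ms each, a train switch every 2.56 s, a 10.24 s inquiry length), and reports how long the scanning device takes to hear the inquirer depending on where each side is in its own hop pattern.

```python
"""Simplified model of why Bluetooth inquiry (device discovery) takes seconds.

Added example, not from the article. Only the timing that slows FHSS discovery
is modelled: the scanner listens on one inquiry frequency for a short window at
a long interval, while the inquirer cycles through one 16-frequency train at a
time. Parameter values are my assumptions taken from the Bluetooth 1.x inquiry
procedure; hop selection, random back-off and the response phase are left out.
"""
HALF_SLOT_US = 312.5        # one inquiry hop lasts half of a 625 us slot
SCAN_WINDOW = 36            # 11.25 ms listening window
SCAN_INTERVAL = 4096        # 1.28 s between listening windows
TRAIN_PERIOD = 32           # one 10 ms train covers 16 TX frequencies
TRAIN_SWITCH = 8192         # inquirer swaps train A/B every 2.56 s
INQUIRY_LENGTH = 32768      # inquirer gives up after 10.24 s

# Constructed inquiry hop set: 32 of the 79 channels, split into two trains.
INQUIRY_FREQS = list(range(32))
TRAIN_A, TRAIN_B = INQUIRY_FREQS[:16], INQUIRY_FREQS[16:]

def inquirer_tx_freq(t):
    """Frequency the inquirer transmits on in half-slot t (None in RX slots)."""
    train = TRAIN_A if (t // TRAIN_SWITCH) % 2 == 0 else TRAIN_B
    slot = (t % TRAIN_PERIOD) // 2
    if slot % 2:                       # odd slots are spent listening for replies
        return None
    return train[slot + t % 2]         # two hops per 625 us TX slot

def scanner_listen_freq(t, phase, start_idx):
    """Frequency the scanner listens on in half-slot t, or None while idle.
    phase is the offset of its 1.28 s clock; start_idx is where it begins its
    own walk through the 32 frequencies, advancing one per window."""
    local = t + phase
    if local % SCAN_INTERVAL >= SCAN_WINDOW:
        return None
    return INQUIRY_FREQS[(start_idx + local // SCAN_INTERVAL) % 32]

def discovery_time_s(phase, start_idx):
    """Seconds until the scanner first hears the inquirer, or None if never."""
    for t in range(INQUIRY_LENGTH):
        f = scanner_listen_freq(t, phase, start_idx)
        if f is not None and f == inquirer_tx_freq(t):
            return t * HALF_SLOT_US / 1e6
    return None

def mean_discovery_s(phase=0):
    """Average over every starting frequency: the scanner's channel is either
    in the inquirer's current train (heard in the first window) or in the other
    one (wait for the train switch), which is where the seconds come from."""
    times = [discovery_time_s(phase, i) for i in range(32)]
    return sum(times) / len(times)
```

In this model the average over all starting positions comes out around 1.3 s and the worst case past 5 s, because the scanner listens for only 11.25 ms out of every 1.28 s and may be parked on a frequency the inquirer does not reach until it switches trains; an 802.11 channel sweep has no such rendezvous problem.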

Bluetooth cloaking

While Bluetooth does not have beacons, devices can be in a Discoverable mode. When a device is discoverable, it will respond to inquiries from other devices when they examine what other Bluetooth devices are in the area. However, when a device is not discoverable, remote devices must know the MAC address of the local device in order to access it.


Keeping devices out of Discoverable mode is an effective cloaking mechanism for Bluetooth networks. Unlike 802.11, there is currently no known way to easily find non-Discoverable Bluetooth devices using commodity hardware. @Stake released RedFang [3], a tool which tries to guess the MAC address of nearby, non-Discoverable devices. The Shmoo Group has written a wrapper, BlueSniff [4], to put a war-driving UI in front of RedFang. While this method does work with commodity hardware, it can take an impractical amount of time. Over the next few years, familiarity with the existing hardware, refinement of techniques, and more usable user interfaces will potentially make finding non-Discoverable Bluetooth devices easy.

Advanced discovery

The above discussion focused on how an attacker (or auditor) can find wireless devices using low-cost hardware. For those more motivated and well funded, there are far more options. Many companies make protocol analyzers for both 802.11 and Bluetooth that can overcome the limitations of discovering devices of each type. In particular, the Bluetooth discovery equipment is effectively a spectrum analyzer that can listen to large frequency bands and find devices regardless of where they are in their hopping pattern.

These specialized discovery devices start at $5000 and rapidly get more expensive. However, while this type of equipment is impressive, the average attacker will likely not have access to this type of machine. It is important to remember the issues raised earlier in this article: regardless of whether you are using 802.11 or Bluetooth, an attacker can find devices on your network using inexpensive equipment, free software, and a little bit of time. And once the devices have been discovered, they can then be directly attacked or their traffic can be subverted. Since there is little you can do to prevent the discovery of your wireless equipment, it is imperative that you employ higher-level security mechanisms to protect your assets.

References

[1] http://www.netstumbler.com/
[2] http://airsnort.shmoo.com/
[3] http://www.atstake.com/research/tools/info_gathering/
[4] http://bluesniff.shmoo.com/

About the author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, Bruce served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 Bruce founded The Shmoo Group, a group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published through O'Reilly and Associates. He has co-authored Mac OS X Security. Bruce Potter is currently a senior security consultant at Cigital.

Security Issues with Offshore Outsourcing

Offshore coding booming, but is it safe? Answer is a qualified yes, but only if you do your homework.

Philip Hunter

Offshore coding is booming throughout North America and Europe, with Gartner Group predicting that by 2004 80% of US companies will consider outsourcing critical services to foreign-based developers. But as this offshore outsourcing trend accelerates, concerns that enterprises are exposing themselves to undue risk of cyber-terrorism and industrial property theft are increasing.

Where to outsource?

There are three main donor regions of such services:

• China.

• The Indian subcontinent.

• Russia along with the ex-Soviet states such as Ukraine.

There is certainly a strong perception that all three pose security threats. In the case of Russia the main concerns are general lawlessness, unreliability, and a pervasive Mafia culture, with the threat that organized crime might see opportunities within the country’s growing offshore software industry for industrial espionage leading to a black market in intellectual property. In the case of the sub-continent, the main fear is cyber-terrorism, but China is deemed the greatest risk for a different reason, because of its long-standing economic espionage programme against western countries, especially the US.

Against these risks are the huge savings that can be made through outsourcing to these countries, all of which are acknowledged to have high quality developers equal to those in the west, but at half or less the salary levels. Given that cost is