Wireless Security
Thread: Perpetuating weak wireless security, May 07 2007 02:44PM, Joshua Wright (jwright hasborg com), 1 reply
Re: Perpetuating weak wireless security, May 08 2007 07:18AM, Cedric Blancher (blancher cartel-securite fr), 1 reply
I can assure you it works. Here are a couple of points on the technology.
1. The actual fake data traffic is silently dropped by both the client and the AP, and throughput tests indicate a negligible impact at both 54 and 11 Mbps. We don't flood the air.
2. You can't filter the traffic out; we have several dynamic engines to circumvent filtering. We've had several independent teams attempt to pentest it, even with the real WEP key, and they have failed. I've already been through signal strength filtering, retry filtering, sequence filtering, client filtering, distributed sniffing, etc. None work. AirDefense is the best-in-class solution, and I assure you the work on this project is on par. I'm not being cocky, I'm just saying that this isn't a hack job. We have spent over a year developing and refining this technique.
OK, here's the thing. This technology was designed to save millions of dollars in cost to large retailers still running WEP technology. The technology isn't fool-proof, but it's the best option they have. What you get for a fraction of the cost of a fork-lift upgrade is extended life on existing hardware, as well as a world-class wireless IDS/IPS and a platform for other AirDefense technologies.
Now, I'm sure someone smart will figure out some super-clever way to bypass it, but AirDefense has multiple layers of protection. We will of course refine the technology as it gets deployed and used in the field, like any true second-generation WIDS/WIPS. We have Legacy Encryption Protection (WEP), Intrusion Detection with auto-classification of devices (to monitor anyone actually making it past the encryption/VLANs) and Intrusion Protection (keeping them off once you find out they have the real WEP key).
For those currently using WEP, here are some tips to help make WEP cracking harder without WEP Cloaking.
1. Use PSPF mode (aka AP Isolation). There is a mode on most radios that disallows clients from communicating with each other, essentially by filtering out broadcast and multicast traffic. Enabling this feature will prevent ARP injection techniques and will prevent Aircrack-ptw from working. Yes, it can still be cracked, but it requires the hacker to capture traffic passively, and in a retail environment with low traffic that can take a while.
2. VLANs on the APs. Currently Aircrack and other such tools don't filter out VLAN traffic (you need to write your own tool to filter it out; scapy works for me), so if you have multiple VLANs, don't use the MBSSID feature and keep all your VLANs on one BSSID. Technically MBSSIDs are way better, but we are talking older hardware.
3. Multiple APs. Clients connect to multiple APs, and when you start injecting they'll roam, forcing you to use secondary radios to keep the device on it or to follow it around and combine the traffic later. Not really a strong point, but it makes life harder with off-the-shelf tools.
4. If possible, do the basics: MAC filtering, throughput limiting (54 Mbps/11 Mbps only), signal strength filtering.
For those wanting to check out the technology, contact me and I'll let you know where and when we will be demoing it.
Nico Darrow
Office of the CTO
AirDefense, Inc.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Cedric Blancher
Sent: Tuesday, May 08, 2007 3:19 AM
To: Joshua Wright
Cc: wifisec (at) securityfocus (dot) com
Subject: Re: Perpetuating weak wireless security
On Monday 07 May 2007 at 10:44 -0400, Joshua Wright wrote:
> While I haven't seen this technology in action yet, I have a pretty
> good idea how it works, and I think it's a mistake to trust said
> technology or common variants for the protection of sensitive networks.
The idea of adding dummy traffic to legitimate WEP traffic has been mentioned
here before. A quick answer to this could be:
1. spot real MAC addresses
2. PCAP filter your capture
I don't think they want to overload real clients and AP with dummy WEP
traffic...
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html
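To make the two filtering ideas in this thread concrete (Cedric's "spot real MAC addresses, then PCAP filter your capture", and Nico's remark that you have to write your own filter in something like scapy), here is an added example that is not code from AirDefense or from any poster. It is pure Python with no scapy dependency so it runs stand-alone: it parses raw 802.11 data frames, resolves BSSID/SA/DA from the ToDS/FromDS bits, marks as "real" any station that both sends to and receives from its AP, emits a tcpdump-style pcap-filter expression for those conversations, and applies the same selection in Python while counting the unique IVs left over for a cracker. The capture at the bottom is constructed, the MAC addresses are made up, and the "talks both ways" heuristic is an assumption of this example: as Nico's post says, chaff that spoofs a real client's address in both directions is exactly what such a filter will not separate.

```python
"""Spot the real stations in a WEP capture and build a pcap filter for them.

Added example for this thread, not code from AirDefense or from any poster.
Pure Python (no scapy). The frames at the bottom are constructed, and the
"talks both ways" heuristic is an assumption of this example.
"""
from collections import defaultdict

TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_data_frame(addr1, addr2, addr3, iv, body, to_ds=False, from_ds=False):
    """Constructed sample data: a minimal WEP-protected 802.11 data frame."""
    flags = FLAG_PROTECTED | (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    header = bytes([TYPE_DATA << 2, flags]) + b"\x00\x00"       # frame control, duration
    header += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    header += b"\x00\x00"                                         # sequence control
    return header + iv + b"\x00" + body + b"\x00" * 4             # IV, key id, ciphertext, ICV


def parse_data_frame(frame):
    """Return bssid/sa/da/direction/iv for a WEP data frame, else None."""
    if len(frame) < 24:
        return None
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != TYPE_DATA or not flags & FLAG_PROTECTED:
        return None                       # management/control or unencrypted: useless to a cracker
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    if to_ds and from_ds:
        return None                       # 4-address WDS frame: not handled here
    iv_off = 26 if (fc >> 4) & 0x8 else 24   # QoS data carries a 2-byte QoS control field
    if len(frame) < iv_off + 8:           # IV + key id (4) and ICV (4) at minimum
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:                             # station -> AP: addr1=BSSID addr2=SA addr3=DA
        bssid, sa, da, direction = a1, a2, a3, "to_ds"
    elif from_ds:                         # AP -> station: addr1=DA addr2=BSSID addr3=SA
        da, bssid, sa, direction = a1, a2, a3, "from_ds"
    else:                                 # IBSS: addr1=DA addr2=SA addr3=BSSID
        da, sa, bssid, direction = a1, a2, a3, "ibss"
    return {"bssid": mac_str(bssid), "sa": mac_str(sa), "da": mac_str(da),
            "dir": direction, "iv": frame[iv_off:iv_off + 3]}


def spot_real_stations(frames):
    """Per BSSID, the stations seen both sending to and receiving from the AP.

    Assumption of this example: chaff injected in only one direction never
    completes a conversation, while a real client does both. Chaff that spoofs
    a real client's MAC in both directions is NOT separated by this test.
    """
    sent, received = defaultdict(set), defaultdict(set)
    for frame in frames:
        p = parse_data_frame(frame)
        if p is None:
            continue
        if p["dir"] == "to_ds":
            sent[p["bssid"]].add(p["sa"])
        elif p["dir"] == "from_ds":
            received[p["bssid"]].add(p["da"])
    return {b: sent[b] & received[b] for b in sent if sent[b] & received[b]}


def pcap_filter(bssid, stations):
    """pcap-filter (tcpdump) expression that keeps only those conversations."""
    hosts = " or ".join("wlan host %s" % s for s in sorted(stations))
    return "wlan host %s and (%s)" % (bssid, hosts)


def filter_frames(frames, bssid, stations):
    """Same selection applied in Python; returns the kept frames and their unique IVs."""
    kept, ivs = [], set()
    for frame in frames:
        p = parse_data_frame(frame)
        if p is None or p["bssid"] != bssid:
            continue
        if p["sa"] in stations or p["da"] in stations:
            kept.append(frame)
            ivs.add(p["iv"])
    return kept, ivs


# Constructed capture: one real client, one one-way "chaff" sender, one beacon.
AP, REAL, CHAFF, WIRED = "00:0c:41:aa:bb:cc", "00:16:6f:11:22:33", "00:de:ad:be:ef:01", "00:50:56:00:00:10"
SAMPLE_CAPTURE = [
    build_data_frame(AP, REAL, WIRED, b"\x01\x00\x00", b"\xaa" * 40, to_ds=True),
    build_data_frame(REAL, AP, WIRED, b"\x02\x00\x00", b"\xbb" * 40, from_ds=True),
    build_data_frame(AP, CHAFF, WIRED, b"\x03\x00\x00", b"\xcc" * 40, to_ds=True),
    build_data_frame(AP, CHAFF, WIRED, b"\x04\x00\x00", b"\xdd" * 40, to_ds=True),
    build_data_frame(AP, REAL, WIRED, b"\x05\x00\x00", b"\xee" * 40, to_ds=True),
    b"\x80\x00" + b"\x00" * 30,           # beacon (management frame), skipped by the parser
]

if __name__ == "__main__":
    for bssid, stations in spot_real_stations(SAMPLE_CAPTURE).items():
        kept, ivs = filter_frames(SAMPLE_CAPTURE, bssid, stations)
        print(pcap_filter(bssid, stations))
        print("%d of %d frames kept, %d unique IVs" % (len(kept), len(SAMPLE_CAPTURE), len(ivs)))
```

The generated expression is plain pcap-filter syntax, so it can be handed to tcpdump (or any libpcap tool) to cut a monitor-mode capture down before feeding it to a cracker; the Python path does the same thing when you need a rule libpcap cannot express, such as the per-direction conversation check above. On the constructed capture the two one-way chaff frames are dropped and three IVs remain, which is the whole point of the argument in this thread: the filter works only as long as the chaff does not spoof both directions of a real conversation.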