
The legally allowable band for WiFi in the US covers channels 1-11. Europe goes to 13, Japan to 14. I suspect that most tools use the WiFi driver of the machine and only scan for the channels it is limited to. Do you know of any tools that scan higher channels by default? With configuration?

For some examples of things that will detect these:

  • A Linksys running modified firmware with the extra channels opened up, used in analyzer mode.
  • A radio spectrum analyzer.
  • A USRP (kind of like above, but we can decode and talk back).

EDIT AND REDIRECT: I know how to perform this attack and detect a rogue access point that is out-of-band, whether it be WiFi or any other continuously operating transmission device. The point of this question is to discern whether most organizations would pick this attack up or are even aware of it in cases where somebody has placed an access point without company knowledge. I am aware of FCC communication rules and how they prohibit this. That said, it is the detection of such a device that is of concern, and that does not rely on illegal transmission.

Many security reviews include scanning for unauthorized WiFi devices, including the PCI DSS standards (11.1). What I seek are answers related to whether this attack vector is commonly accounted for.

Jeff Ferland
  • I've always wondered about this. If I travel to Europe and someone has a hotspot on channel 13, I wouldn't be able to use it with my American laptop? – user606723 Aug 24 '11 at 14:14
  • For one example discussing that, see http://support.apple.com/kb/TA25972 – Jeff Ferland Aug 24 '11 at 14:26
  • @user606723: Yes, and even worse - if you have a laptop in Europe, and Windows Update pushes an updated yet American-standard WiFi driver at you, poof! channels 12+13 cease to exist for you, as far as the OS is concerned (this appears to be a limitation enforced by the OS-specific device driver, at least with some Broadcom WLAN cards). See my question at SU: http://superuser.com/questions/263930/how-to-find-and-revert-driver-update-winupdate-broke-wifi-channels-1213 – Piskvor left the building Aug 24 '11 at 15:05
  • Security through obscurity: fail. – rook Aug 24 '11 at 23:35
  • Aaargh... it's not security! It's anti-security! It's a rogue device on your network that your IT department failed to pick up because it was obscure! – Jeff Ferland Aug 25 '11 at 00:30

4 Answers


Usually within the U.S., special-ordered equipment is required to scan channels not permitted for operation by the FCC. This could be WiFi devices imported from overseas, or specially-licensed equipment manufactured specifically for spectrum analysis.

Since consumer electronic devices (including Wi-Fi) sold within the U.S. must conform to FCC Part 15 regulations, which do not permit operation in certain channels, I'm fairly confident hardware manufacturers have taken every measure to ensure that their devices are literally incapable of operating (transmitting or receiving) on those frequencies. At the very least, I expect specialized firmware hacks would be required to work around those measures. On the higher end, it's entirely conceivable that the device has been physically engineered so that it cannot work on those frequencies regardless of what it's told to do.

It should be noted however that:

  1. As already stated, unlicensed operation in channels 12-14 on the 2.4 GHz band (as well as a number of channels in 5 GHz) is illegal in the U.S. One may be subject to fine by the FCC if caught in violation.
  2. Operating in such frequencies where not allowed by law is not a real security measure. It is simply another form of "security by obscurity". If an attacker has knowledge that a network is using illegal frequencies, or has equipment that can detect and connect to networks operating in those frequencies, that network is as vulnerable to the attacker as any network that is operating legally.
Iszi
  • I know of cases where the device is not physically engineered to work on those frequencies. See http://wiki.openwrt.org/toh/netgear/wndr3700?s#wireless.regulatory.issues for an explanation. – user606723 Aug 24 '11 at 14:30
  • Your points about obscurity / legality are valid, but the goal of asking is detection of undesired devices / covert network access. – Jeff Ferland Aug 24 '11 at 15:45
  • @JeffFerland - You might want to re-phrase the question title, then. The body looks a bit more oriented toward detection, but the title seems more worded toward detection avoidance. – Iszi Aug 24 '11 at 15:51
  • Well, if I'm an attacker, I consider this a strong choice because I think most scans would fail to detect it. As a security professional, I want to get a sense of whether my guess about this holds true based on how others scan or know of scans being done. – Jeff Ferland Aug 24 '11 at 16:23
  • Can you explain why an "attacker" considers having a channel 14 network? How do you attack someone with a network that most people don't know about? – user606723 Aug 24 '11 at 16:30
  • @Jeff Ferland: I'm with user606723: Both devices (hacker / router) have to communicate over the same channel. If your router is set to channel 10, then there is absolutely no reason for a hacker to be on channel 14. – NotMe Aug 24 '11 at 18:25
  • Rogue Access Points -- installed by an insider or outsider who got physical access and uses it for continued easier external access. – Jeff Ferland Aug 24 '11 at 18:27
  • @JeffFerland - I think I understand what you're asking now. However, to accurately answer your question would probably require new research and industry polling which is beyond the scope of this site. – Iszi Aug 25 '11 at 02:57
  • @user606723, perhaps they have a [spectrum analyser](http://www.metageek.net/products/wi-spy/) that goes up to channel 14 (2.484 GHz)? You don't have to use the channel with a computer or even transmit to know that something is happening on those frequencies. If a hacker happens to be a network tech then it wouldn't be surprising at all that he has a spectrum analyser. – Zoredache Aug 29 '11 at 23:49

Using this as a source, it appears we can conclude that (in relation to consumer devices):

  1. Any device purchased in the USA cannot be configured (through normal means) to operate on channels 12-14, even when changing the locale to EU or JP, because it's illegal to provide a device that you can simply configure to break regulations.
  2. A device imported from outside the USA may be able to operate on these frequencies if configured for a location where this is allowed. [2]
  3. Many devices may not be physically limited to operate under a certain regulation, and modified open source drivers will allow operation on these frequencies. This appears to be the case with many Atheros chips.
  4. Many devices purchased outside the USA may also not be configured to operate on these frequencies because of a manufacturer's laziness / the relative importance of compliance in the USA.

Also see- http://smorgasbord.gavagai.nl/2010/09/wifi-regulatory-compliance-and-how-to-fix-it/

user606723
  • So, basically, by getting a WiFi device made for/in Japan (which should be able to use channels 1-14), and bringing it to the US, you would get the desired functionality - but it could also get you into hot water with the FCC, should they find out? – Piskvor left the building Aug 24 '11 at 15:48
  • @Piskvor - I think that about sums it up. – Iszi Aug 24 '11 at 16:10
  • a) 14 is only used on 802.11b; b) most devices sold in Japan don't include it any longer; c) it is not really a question of just the FCC "finding out"... channel 14 interferes with air traffic control, so anyone using channel 14 near air traffic control can be found easily; d) you might be able to use channel 12 or 13, but they overlap with 11. – MikeP Dec 05 '16 at 18:35

FON routers are purchased worldwide, and can be set to operate in pretty much any international WiFi band. And if you've got locked firmware on many "standard" devices, you need only load a firmware from a different region. Especially for USB devices, the hardware is the same, but the firmware itself is soft-loaded and can be manipulated with a little effort.

I can say with certainty that equipment I have purchased in the US can definitely passively monitor traffic on 802.11 channels 12-14. This is not even a question. You can definitely test this yourself with a WRT54G v2/v3 running Kismet. And if it becomes something we want to prove out, I have pcaps showing incidents where these systems are most certainly in service in the US.

If you are using a home-brewed WIDS (using Kismet sensors distributed on WAPs) you would pick it up. On a Cisco WIDS, you would not pick this up. Which makes it a little difficult to detect if used as an exfiltration connection.

Ori
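
As an added example (not Ori's code and not Kismet's), here is the kind of check a home-brewed WIDS like the one described above could run over its sensors' output: flag any AP beaconing on a 2.4 GHz channel outside the configured regulatory domain, and additionally flag channel 14 advertising non-802.11b rates, which MikeP's comment above notes is not a valid combination. The CSV rows are constructed for the example, not a real capture, and the column names (`bssid`, `essid`, `channel`, `max_rate`, `first_seen`) are assumed rather than taken from any particular tool's export format.

```python
import csv
import io

# Allowed 2.4 GHz channels per regulatory domain, using the figures given in
# the question: US 1-11, Europe 1-13, Japan 1-14 (14 being 802.11b-only).
REG_DOMAIN_CHANNELS = {
    "US": set(range(1, 12)),
    "EU": set(range(1, 14)),
    "JP": set(range(1, 15)),
}

# 802.11b tops out at 11 Mbit/s; anything faster on 2.4 GHz is g/n.
MAX_80211B_RATE = 11


def channel_to_mhz(channel):
    """Centre frequency of a 2.4 GHz channel; 14 is the odd one out at 2484."""
    if channel == 14:
        return 2484
    return 2407 + 5 * channel


# Constructed scan export (not a real capture). Rows 3-5 are the interesting
# ones: a hidden-ESSID AP on channel 13, an 802.11b AP on channel 14, and an
# AP claiming 54 Mbit/s on channel 14.
SAMPLE_SCAN_CSV = """\
bssid,essid,channel,max_rate,first_seen
00:11:22:33:44:01,corp-wifi,6,54,2011-08-24 13:00:00
00:11:22:33:44:02,corp-wifi,11,54,2011-08-24 13:00:01
00:11:22:33:44:03,,13,54,2011-08-24 13:02:10
00:11:22:33:44:04,linksys,14,11,2011-08-24 13:02:11
00:11:22:33:44:05,printer,14,54,2011-08-24 13:02:12
"""


def find_out_of_band(csv_text, domain):
    """Return [(bssid, channel, reason)] for APs that should not be on the air.

    An AP outside the domain's channel plan is always reported: no authorised
    AP can legitimately be there, so there is no whitelist to consult.
    """
    allowed = REG_DOMAIN_CHANNELS[domain]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        channel = int(row["channel"])
        bssid = row["bssid"].lower()
        reasons = []
        if channel not in allowed:
            reasons.append(
                f"channel {channel} ({channel_to_mhz(channel)} MHz) "
                f"not permitted in {domain}"
            )
        if channel == 14 and int(row["max_rate"]) > MAX_80211B_RATE:
            reasons.append("channel 14 with non-802.11b rates (non-standard)")
        if reasons:
            findings.append((bssid, channel, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for bssid, channel, reason in find_out_of_band(SAMPLE_SCAN_CSV, "US"):
        print(f"ALERT {bssid} ch{channel}: {reason}")
```

The check is only as good as the sensor feeding it: a Kismet sensor whose driver cannot tune to 12-14 will never produce a row for those channels, so this belongs behind a capability check of the sensor's own radio, not in front of it.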

To answer Jeff's updated question.

If your network is controlled enough that you are worried about rogue access points, then you would also be using wired security (802.1X or otherwise).

Besides using a rogue WiFi access point, you could be using an undetectable wireless connection on the 700 MHz band.

It's easier to make sure that everything connected to the network is authenticated than to look for signals on random wireless bands.

dr jimbob
user606723