Security Vulnerability in Apple's AirPort Base Station

inditek writes "At Stake has issued a security warning today about a vulnerability in Apple's AirPort Base Station: 'Apple's AirPort device is a wireless access point, providing 802.11 services to network clients. Authentication credentials are obfuscated, and then sent over the network. If an AirPort is administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort.'"

  • by Photar ( 5491 )
    Considering most Airports are at home.

    Oh no the hackers are telnetting from inside the house!

    Besides if you're using a switch instead of a stupid hub they can't sniff you anyway.
    • by Electrum ( 94638 ) <david@acz.org> on Monday May 12, 2003 @06:02PM (#5940525) Homepage
      Besides if you're using a switch instead of a stupid hub they can't sniff you anyway.

      You'd like to think that, wouldn't you? arpspoof [monkey.org] from the dsniff [monkey.org] package lets you sniff on a switched network. So does ettercap [sourceforge.net].
    • Considering most Airports are at home.

      My Graphite Airport Base Station is in my house. I still get the range when I'm about 50 meters from the building (yes, I did the ultimate nerdish test, walking around the property with an iBook and iChatting with a friend to see if I lose him). Unfortunately, this means that I would also catch Airport on the neighboring properties. Now, I'm not that much afraid of malicious hacker parking a big black van in front of my house, but actually if some neighbor kid would
      • Except that this exploit is over the copper ethernet. In which case, just look at the back of your airport :)

        Also, I'd suggest doing a ping instead of iChat, it would go faster.
      • > I'm not that much afraid of malicious hacker parking a
        > big black van in front of my house

        Two of my neighbors put up wireless Ethernet systems recently, and neither has very good security on them. In fact, one neighbor didn't password-protect his network, use WEP, or even change the default password on his router.

        Here's what's scary. If a person parked a car outside his house and started downloading something illegal, like child pornography, the NAT capabilities of the wireless base station would
    • OK, so somebody can obtain administrative access to my ABS. So what? I suppose that they could reprogram it to let them in, or keep me out. But since I have physical access to the station, I can always force a manual reset. I suppose that it might be useful as a preliminary step to turn off WEP, and avoid the work of cracking WEP.
  • duh (Score:5, Insightful)

    by trouser ( 149900 ) on Monday May 12, 2003 @06:02PM (#5940532) Journal
    I think what they're saying is that the Airport base station, which is an 802.11 base station, has exactly the same security vulnerability as an 802.11 base station.

    This is very old news.
    • OMFG! You mean data sent unencrypted over a wireless connection can be sniffed!? Gawsh, who'da thunk it!

      I'll just go back to wondering why this warrants being pointed out by @Stake, let alone mention on Slashdot.

    • Re:duh (Score:4, Insightful)

      by Lizard_King ( 149713 ) on Tuesday May 13, 2003 @08:13AM (#5943968) Journal
      uhhh... not exactly. If you read the article, you'll notice that they've discovered the obfuscation technique that the Airport uses to scramble its administrative passwords. Quite interesting if you're keeping tabs on the different techniques between access points.

      True, you'll actually have to read the article to discover what the "News" is here, but it's a practice that I recommend.
      • Right.....I will fight you, you dirty article reader, I will fight you and you will lose.

        Damn you and your kind to hell, hell, hell.
  • Strange (Score:5, Informative)

    by bobibleyboo ( 13303 ) on Monday May 12, 2003 @06:04PM (#5940538)
    I wonder what prompted them to release this. It is obvious that you could "sniff" the password for the airport since it uses clear text for the password. If this is considered a security hole then linksys, dlink, belkin, cisco, 3com, asante, maxgate, netgear, samsung, unex and virtually every one else who makes wireless ap's has the same problem.
    • The password's XOR'ed with a key. A casual administrator might look at sniffer output and believe it was nontrivially encrypted, and get a false sense of security.

      Since it's apparently the same key every time, it might as well be plaintext as far as real security goes.
      • True when I did a security audit my display filter for ethereal auto magically converted the x'ord pass to clear text. Although this is marginally better than clear text I would argue that it does not provide any real security except perhaps a false sense.
  • read the advisory, they just XOR stuff and it's easily reversible. other basestations aren't quite so lame. my submitted post got edited, and one should read the links first anyway.
    • The Users & Groups passwords in Mac OS have the same problem. I wrote a MacPerl script [macperl.org] (and a Unix perl script [macperl.org]) that can quickly show you the usernames and passwords of all users on a Mac OS system (the MacPerl version gets the users automatically, from the host system, while the Unix version has to guess). Apple never bothered to fix it. Sometimes it seems they don't care about security unless a lot of people scream about it.
      • Sometimes it seems they don't care about security unless a lot of people scream about it.

        This is exactly what my experience has been with Apple. I have worked with them on two serious bugs now and both times they have treated me like it was my fault their software was broken.

        In one case it took Apple over a year to fix the problem.

        If Apple is going to truly compete in the enterprise market, they need to change their thinking. First, security is important and trumps even user experience. Second, the

  • by skinfitz ( 564041 ) on Monday May 12, 2003 @06:26PM (#5940730) Journal
    From the article: Authentication credentials are obfuscated, and then sent over the network. If an AirPort is administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort.
    ...
    If an AirPort is administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an anonymous attacker that can sniff the network can obtain administrative access to the AirPort. If WEP is enabled, then the attack is limited to WEP authenticated attackers.


    It is well known that WEP can quickly and easily be broken [sourceforge.net], so really what this is saying is that all Airport base stations that are administered are vulnerable, regardless of whether WEP is used or not.

    Workaround: Only admin the Airport from a Mac connected directly to the cabled ethernet interface using a crossover cable until this issue is patched.
    • by Anonymous Coward
      Yeah, WEP isn't secure, but even without WEP some access points take some efforts to make the admin access a little less easy to get, since it's just hanging out out there.

      The point of the security advisory is that this access point's efforts in that realm are really silly and make it worse than the other access points. None of them are really "secure." The part you quoted seems to allude or infer that some are, and that's kind of dumb of them to say - but you're getting distracted from the point.
    • by Stigmata669 ( 517894 ) on Monday May 12, 2003 @08:31PM (#5941480)
      There is a common misconception that WEP is "quickly and easily broken" because there are several open source projects that work on a weakness in the RC-4 key scheduling.

      What many people don't realize is that these programs require the harvest of between 2000 and 10000 'weak' packets which can take as little as 20 hours and as long as a week of constant monitoring to collect. If you don't believe me, go read the FAQ of any WEP cracking program. These programs are only proof of concept models, and lack a practical implementation. I tried KisMAC against my own ap and failed to produce any results.

      WEP is perfectly secure for a standard network, and anyone who is willing to spend 100 hours standing in my driveway just for access to a network on which everything else is passworded is simply insane.

      Anyone who acts like WEP is worthless is simply misinformed.

      • I'd hit em with my car....that'll stop script kiddies on their iBook!
      • Additionally, many firmware implementations for 802.11 products have been updated to not use weak initialization vectors (IVs), which are used in ultimately deciphering a WEP key.
      • WEP is perfectly secure for a standard network, and anyone who is willing to spend 100 hours standing in my driveway just for access to a network on which everything else is passworded is simply insane.

        I'm afraid he doesn't need to stand in your driveway. Are you 100% positive your Airport network cannot be accessed from any neighboring building? If it can (and I think it's quite possible, actually), then you could be vulnerable for some smartass neighborhood kid. He can wait, he can break your network o
        • There is no building within range of my AirPort Base Station, apart from my own house. Some of us have elbow room. :-)
          • There is no building within range of my AirPort Base Station, apart from my own house. Some of us have elbow room. :-)

            Phew - no buildings near your base station. Looks like all those starbucks using Airport kit are secure after all.

            psst. it may be difficult for you to accept, but the world does not revolve around you see...
            • Phew - no buildings near your base station. Looks like all those starbucks using Airport kit are secure after all.

              psst. it may be difficult for you to accept, but the world does not revolve around you see...


              The post I was replying to said "Are you 100% positive your Airport network cannot be accessed from any neighboring building? If it can (and I think it's quite possible, actually), then you could be vulnerable for some smartass neighborhood kid." I think my response was appropriate. YMMV.
      • What many people don't realize is that these programs require the harvest of between 2000 and 10000 'weak' packets which can take as little as 20 hours and as long as a week of constant monitoring to collect. If you don't believe me, go read the FAQ of any WEP cracking program. These programs are only proof of concept models, and lack a practical implementation. I tried KisMAC against my own ap and failed to produce any results.

        What? You couldn't get any results from your own AP (with I'm guessing perhap
      • More importantly they have to be standing in your driveway while you ADMINISTER your AP for 100 hours!

        WEP is just fine for this level of security.

        Now as far as packet sniffing and random buggery, well it's certainly vulnerable and I wouldn't deploy it on a corporate level in any high traffic business district.
      • By "standard network", did you mean "standard home network"?

        20 hours is a bit pessimistic.

        "we were able to collect that many packets in a few hours on a partially loaded network", says the Stubblefield/Ioannidis/Rubin paper (ATT tech report TD-4ZCPZZ) about implementing the Fluhrer/Mantin/Shamir attack.

        What's important here is how that "few hours" compares to the amount of time the WEP key stays in service. If you've got a big network it's almost impossible to get everyone to change to a new WEP key. If
  • Is this seriously considered a flaw given that most remote managed access points can be exploited in such a way - hmmm any network tbh. Be it snmp or hidden udp ports for administration, they're there and can be found.

    --
    Nothing new to see here move along
    --
  • Unimportant (Score:4, Informative)

    by birdman666 ( 144812 ) <ericreid@mac. c o m> on Monday May 12, 2003 @08:54PM (#5941620) Homepage
    This has nothing to do with the Airport device in specific. The same is true for any 802.11 device. If you're connecting to it not using WEP, then it's insecure. We know this. It's not an Apple thing.
  • well, duh. (Score:3, Insightful)

    by option8 ( 16509 ) on Monday May 12, 2003 @09:24PM (#5941765) Homepage
    from the post (not having bothered to read the article, as it seems there's no point...): ...administered over the Ethernet interface or via an insecure (non WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort (emphasis mine)

    well, big frickin' duh, if you'll pardon my french.

    if i administrate any computer or for that matter any access point via an insecure connection or any connection that can be sniffed by an intruder well, no doubt it can be compromised!

    why is this news? why, more specifically is this apple news?

    why not create a new /. section - commonsense.slashdot.org - to address these kinds of posts.

  • There is no doubt (and certainly no argument) that this is a well known security vulnerability of 802.11b access points, the Airport being one of them.

    If you read the posting, @Stake is not laying claim to the vulnerability, rather the obfuscation technique used by Apple to transmit their passwords. While other wireless routers (linksys, netgear, etc.) all suffer from the same core vulnerability, they don't all use the same methods for transmitting password information. RTFA:

    The authentication credenti
    • Well, as long as the obfuscation, whatever be it, is constant, you don't even need to unobfuscate it, as sending the obfuscated password is enough to gain administrative access to the base station.

      Unobfuscating the password is merely a convenience to avoid patching the base administration software.

      On a security point of view, this is the same as a login process. The Airport base would have to use secured login methods (like public key exchange or challenge/reply, etc) to prevent such flaws.

      This is true fo
  • All wireless devices need *correct use*. Use correctly your admin options.

    And don't intend the article as the other wireless systems being "more secure".
    I am surfing constantly on neighbors Linksys system - their covad is so much faster than our dsl. I've never sniffed to get it. It shows up on my airport menus .. to those pc users it never occurred that their connection could have constant parasites - and i know 100 % i'm not the only one in this block of flats to do that - to slow their own surfing speed
  • A good blast with a mini Herf Gun will instantly fix all security exploits. ZAP


    The presence of a rat is well regarded in Japan, it is the sign of a good harvest.

  • I found that the biggest security risk is one's own laziness. Setting a password will most likely keep me from using your internet access from my house. But you didn't, so I have free internet access on my ibook (only in the dining room). Lucky for you, I was nice enough not to change the password so you could use it too.
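
Added example, not part of the original thread or the advisory: a sketch of the point several comments make, that a constant-key XOR gives the same wire value on every login (so it can be reversed or simply replayed), set beside the challenge/reply login one commenter suggests. The key, password, function names and HMAC-SHA256 construction are all assumptions made for illustration; the real AirPort key and protocol are not reproduced here.

```python
import hashlib
import hmac
import secrets

# Constructed 32-byte constant; NOT the AirPort's real obfuscation key.
FIXED_KEY = bytes(range(0x10, 0x30))

def xor_obfuscate(password: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Weak scheme: pad to the key length, XOR with a constant (self-inverse)."""
    padded = password.ljust(len(key), b"\x00")
    return bytes(p ^ k for p, k in zip(padded, key))

def xor_login(wire: bytes, stored: bytes) -> bool:
    """Server check for the weak scheme: the wire value never changes."""
    return hmac.compare_digest(wire, xor_obfuscate(stored))

def hmac_response(password: bytes, challenge: bytes) -> bytes:
    """Challenge/reply: the wire value is bound to a fresh server nonce."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

class ChallengeServer:
    def __init__(self, password: bytes):
        self._password = password
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac_response(self._password, self._pending)
        self._pending = None  # each challenge is accepted once
        return hmac.compare_digest(response, expected)

def compare_schemes(password: bytes = b"constructed-admin-pw") -> dict:
    captured = xor_obfuscate(password)  # what crosses the wire every login
    server = ChallengeServer(password)
    response = hmac_response(password, server.new_challenge())
    fresh_ok = server.verify(response)
    server.new_challenge()  # a later login gets a different nonce
    return {
        "xor_wire_is_constant": captured == xor_obfuscate(password),
        "xor_reversed": xor_obfuscate(captured).rstrip(b"\x00"),
        "xor_replay_accepted": xor_login(captured, password),
        "hmac_fresh_accepted": fresh_ok,
        "hmac_replay_accepted": server.verify(response),
    }
```

Calling compare_schemes() returns the observed behaviour of both logins; the challenge/reply variant still needs an encrypted channel to protect anything sent after authentication.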

