informa
/
Risk
News

Metro-Mesh: A Hacker's Paradise?

The hidden dangers of the hotzone

Wireless metro-mesh technology promises a new era in anytime, anywhere public access Internet for the masses.

So-called mesh technology -- in case you've been living under a rock for the last year -- allows 802.11 wireless access points to pass data amongst themselves over the air, removing the need for multiple wired connections back to the Internet. Proponents of the technology, which has been taken up in cities such as Philadelphia and San Francisco over the past year, say that it will enable low-cost metropolitan WiFi access as well other services such as VOIP.

There is, however, one question that doesn't often seem to get asked about metro-mesh technology in the cavalcade of press coverage and industry hype: Just how secure is this technology?

On the face of it sounds secure enough. Most of the established and startup vendors in this space encrypt the wireless traffic sent over the mesh access points -- or "nodes," as the industry prefers to call them.

"We haven't had any reports of that," says Karrie Rockwell, the marketing director of MobilePro, when asked about hacks at the mesh network the firm runs in Tempe, Ariz. She points out that everything run over the network, which uses equipment from Strix Systems, has 128-bit encryption.

As previous wireless LAN attacks have shown, however, a cunning hacker may not necessarily need to crack the code to get user information or damage the network.

Security researcher Shawn Merdinger, who has previously worked with Cisco and TippingPoint, says that municipal metro deployments are going to be "a very serious security challenge to many people."

He foresees two main forms of attack:

Spoofing: This is essentially where hackers make users believe that they are logging onto the legitimate network when in fact they are connecting to the hacker's AP. Such "evil twin" attacks could potentially allow hackers to steal all kinds of personal information.

"Using gear like cheap Linksys WRT54Gs [APs], they'll run custom firmware like FairuzaUS and other Linux firmware images to conduct attacks like man-in-the-middle, scans, and exploiting vulnerabilities on the connecting clients," says Merdinger. "Since these boxes are so cheap, there's almost a throwaway cost here."

Denial of service: Since most mesh WiFi networks run in the unlicensed 2.4GHz band, hackers may not even need to use WiFi to conduct denial-of-service attacks against these networks.

"I think we'll see more esoteric attacks come into play as there is now a free wireless infrastructure in place," Merdinger says. "For example, widespread Bluetooth attacks and Bluetooth spamming are a real possibility with muni WiFi networks combined with small PCs like GumStix with Bluetooth."

As such networks evolve, Merdinger also imagines that WiFi-savvy users will use the free access to increase their personal bandwidth.

"For example, a single normal client might get 128-kbit/s download speed over muni WiFi; by consolidating several of these connections together using multiple cards in a box folks can abuse the systems," the security wonk explains. "The long-distance capability of yagi WiFi antennas makes it likely that they'll be able to make connections to APs far away from their immediate area."

It's impossible to know yet how much of a threat these kinds of attacks pose because very few major cities have actually launched metro-mesh networks yet. It is not hard to imagine, however, that certain hackers will see the next big target not as their local superstore but their local municipal network.

We sent Merdinger's potential security risks list to several mesh vendors and analysts but have not yet received any response.

— Dan Jones, Site Editor, Unstrung, special to Dark Reading

Organizations mentioned in this article:

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • FairuzaUS
  • GumStix
  • MobilePro Corp.
  • Strix Systems Inc.
  • TippingPoint Technologies Inc.
  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5