> -----Original Message-----
> From: Brett Lymn [mailto:[EMAIL PROTECTED]] 
> Sent: Saturday, June 01, 2002 3:27 PM
> To: Ben Nagy
> Cc: 'Ron DuFresne'; 'Brett Lymn'; [EMAIL PROTECTED]
> Subject: Re: Opinions? Wireless access point, firewall, eth., DSL box
> 
> 
> On Fri, May 31, 2002 at 10:14:18AM +0200, Ben Nagy wrote:
> > 
> > Not trying to rain on anyone's parade, but do either of you guys have
> > any references for those two scenarios, out of interest?
> >
> 
> Nothing written down[1]... only verbal advice from our 
> "spook" interface when I queried him about whether running 
> wireless was acceptable or not.

This is what I got from a few folks that replied off list, too. Why is
it that all the people that actually know, as in really know, anything
about this stuff never send anything to lists? (that's a rhetorical
question).

> > I'm interested in the possible TEMPEST [1] style attacks, because they
> > really shouldn't be possible except for up extremely close,
> >
> 
> OK, you are missing something here.  

Well, not really - I'm just trying to see if anyone can do better than
speculation.

> Most equipment is not 
> designed to emit RF at all so a TEMPEST attack has to rely on 
> accidental radiation of signals that the equipment was never 
> meant to radiate.  This makes TEMPEST difficult because the 
> radiation is very low level and requires sensitive equipment 
> - even then some devices simply don't radiate enough. but....

Wellll - it's well known that CRT monitors spit RF like crazy, because
the painting of the monitor rows is really prone to that, and low enough
frequency that it's not really hard to grab - people do undergrad
projects on it. Things like LCD screens are much much harder because the
screen gets drawn differently and it's much lower power. This we know.
For more sensitive stuff, like we're talking about, it's probably a much
different story in terms of equipment required.

> 
> > and
> > certainly shouldn't leak as transmitted data, with any reasonable 
> > design of the AP.[...]
> >
> 
> And this is what you are missing... the AP is DESIGNED to 
> output RF, it is its purpose in life... [...]
> 
> The 
> interesting thing here is the link between the RF Modulator 
> and the network goop is an analogue interface, it is not an 
> on or off thing, if there is noise present at the input to 
> the modulator then it will be merrily modulated and spat out 
> the antenna.  Your tiny TEMPEST signals have just been put 
> onto the airwaves by a real RF transmitter making them much 
> easier to pick up.  Just think what you would get if the RF 
> input somehow picked up the clocking of the 10BaseT lan port 
> as noise...

Right - but what I said originally was "with any reasonable design of
the AP". I just assumed that if you're going to have an unencrypted
network interface and an RF interface that supports encryption then
you'd shield it. That's what I'd do - that makes sense. Apparently this
is what _is_ done, and properly, by real crypto devices, which is why
they cost so much. It may have been foolish of me to make assumptions of
sanity about tiny devices made under license by the lowest bidder in
Taiwan. However, I'd still really like to see some evidence - these are
low power devices, often with external antennae.

> Also, don't think just of an Access Point, think of a laptop 
> with a wireless card in it.  There is a hell of a lot more 
> interesting noise that could be retransmitted from that.

That's true, but I still think that laptops with wireless cards should
be running IPSec (or something) clients if they're sending any sensitive
data over a wireless link. Things could well get ugly, though, if the
laptop has a PCMCIA ethernet card and a PCMCIA 802.11b card on top of
each other...

> [1] Well... maybe there is.  I may be mistaken but I do 
> believe that in "Spycatcher" there was a story about a 
> certain embassy's encryptor that had an interesting habit of 
> leaking the unencrypted data at a lower level on to the 
> encrypted data channel, all the spies had to do was filter 
> off the encrypted data to pick up the unencrypted information.

Sorry, but I really can't let you get away with quoting "Spycatcher" as
a reference. 8)

However, that overlay of plaintext onto the RF transmission of
ciphertext is _exactly_ the story I got second hand offlist. I wouldn't
have thought it would be on a lower level, though - more likely it would
be tiny spikes or dips on top of the waveform of the main transmission,
wouldn't it? For the real device that would just be ironed out as +/- in
terms of signal, but for someone with a really expensive receiver it
would be effectively the plaintext.

All this still sounds a little too much like urban legend to me
though...

If someone has the resources to mount a sophisticated TEMPEST attack,
then why wouldn't they just bust WEP - we already know it's pretty darn
weak. And if there's only "safe" IP data going into the AP in the first
place then where's the risk?

The point you make, though, about laptops (or cash registers, PDAs, or
any other single-point installation) brings up problems for that model.
For a start, how does one make sure that they send pre-encrypted
data to the wireless card? (probably solvable) And, on top of that, how
do we know that internal cards are shielded well enough that they don't
get some sort of noise sent through to the transmitter?

> Brett Lymn

So, what we still need are some references. I think that we can say that
standalone APs would be safe as long as they're only getting
pre-encrypted data in - people were recommending this beforehand anyway,
since WEP is so weak. For systems that contain wireless cards, what we
really need is someone that knows whether or not they have side-channel
leakage. That may yield something useful in terms of best-practice
design for some installations.

Sadly, I suspect that nobody that has the equipment to do the testing
required will oblige by making their tests public.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304  

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
