Wireless technology may be on its way to becoming ubiquitous in developed countries, but there's a tremendous difference between having a WiFi connection on every corner and having a (reasonably) secure WiFi connection on every corner. All of the modern wireless standards have their own security mechanisms, but whether those mechanisms are switched on and available varies widely from hotspot to hotspot. If a recent report from Codenomicon is correct, simply activating the appropriate security protocols isn't nearly enough: the company's report (PDF) claims that a large number of supposedly secure devices can be compromised through flaws in their security implementations. Even where a security standard is implemented correctly, the complexity of the surrounding software stack can still leave a device open to attack.

Before I dig into the report itself, it's important to note that Codenomicon is not a neutral research firm in the field of wireless security. The company develops and sells a security evaluation suite called DEFENSICS; the report's results were obtained with that tool, and the company praises DEFENSICS at several points in the body of the paper. While this introduces the possibility of bias, the fact that a company produces security tools does not, ipso facto, disqualify it from using its own tools to document accurate wireless security test results.

Codenomicon's tests focused on "fuzzing" the relevant wireless devices, with the goal of determining their level of robustness. The paper defines fuzzing as "the systematic creation of a very large number of protocol messages, from thousands to several million test cases, containing exceptional elements simulating malicious attacks." In practice, a robustness failure is a crash, hang or other misbehaviour triggered by one of those malformed messages, and the company argues that a large share of the security vulnerabilities that get reported are exactly such failures. Given this, robustness testing is paramount, and Codenomicon just happens to have the perfect tool for the job in its own DEFENSICS suite. If the results are representative of what other fuzzing tools would find, a number of vendors have shipped devices that fail under fuzzing with relative ease, as illustrated in the tables below. Table 1 gives results for the 31 Bluetooth devices tested, broken down by profile (not every device implements every profile, so the number of implementations tested varies from row to row), while Table 2 gives results for 7 wireless access points (AP1-AP7 across the top row of the table).

Table 1: Bluetooth profiles

Interface/profile   Implementations tested   Implementations failed   Failed (%)
L2CAP               31                       26                       84
SDP                 31                       24                       77
RFCOMM              31                       28                       90
A2DP                 2                        2                      100
AVRCP                3                        3                      100
HCRP                 1                        1                      100
HID                  1                        1                      100
OPP                 15                       12                       80
FTP                  5                        5                      100
IRMC Synch           1                        1                      100
BIP                  1                        1                      100
BPP                  1                        1                      100
HFP                  5                        2                       40
HSP                  5                        2                       40
FAX                  2                        0                        0
DUN                  5                        2                       40
SAP                  4                        4                      100

Table 2: Wireless access points (AP1-AP7); the last column is the fail rate per protocol, the last row the fail rate per access point

Protocol       AP1    AP2    AP3    AP4    AP5    AP6    AP7    Fail rate (%)
WLAN           Inc.   Fail   Inc.   Fail   N/A    Inc.   Inc.   33
IPv4           Fail   Pass   Fail   Pass   N/A    Fail   Inc.   60
ARP            Pass   Pass   Pass   N/A    Fail   Pass   Pass   16
TCP            N/A    N/A    Fail   N/A    Fail   Pass   N/A    66
HTTP           N/A    Pass   Fail   Pass   Inc.   Fail   Fail   50
DHCP           Fail   Fail   Inc.   N/A    Fail   Fail   N/A    80

Fail rate (%)  50     40     50     33     75     50     25

Codenomicon doesn't identify the specific devices tested, but the trend is not encouraging. According to the company, one reason for the high number of flaws in the Bluetooth and WiFi products tested is the complexity of both standards' software stacks. Although WiMAX devices aren't readily available at this point, Codenomicon implies that the same sorts of robustness and implementation flaws are likely to appear in devices based on the new standard as well. Unsurprisingly, given that this is a paper written about its own product, Codenomicon concludes that it's a really good idea to test software robustness with a product specifically designed for that purpose before releasing it.
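To make the report's definition of fuzzing concrete, here is a small example written for this article (it is not DEFENSICS and not code from the Codenomicon paper). It takes a hand-built DHCP options block, the DHCP row being the worst performer in Table 2, generates anomalous variants of it in the spirit of "protocol messages containing exceptional elements", and runs them through two option parsers: one that trusts the length fields on the wire and one that checks every read. The seed message, the mutation strategies and the parser names are assumptions made for the example; a real fuzzer sends the messages to a device over the air and detects failures by watching for crashes, reboots or loss of response rather than Python exceptions.

```python
import random

# Constructed sample for this example: the options field of a DHCP DISCOVER.
# Each option is TLV (code, length, value); 53 = message type, 55 = parameter
# request list, 61 = client identifier, 255 = END.
SEED = bytes([53, 1, 1,                                   # message type: DISCOVER
              55, 3, 1, 3, 6,                             # parameter request list
              61, 7, 1, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,  # client identifier
              255])                                       # END


def parse_dhcp_options_naive(buf: bytes) -> dict:
    """Trusts the wire: no bounds checks, so a truncated message or a missing
    END reads past the buffer and raises IndexError (a robustness failure)."""
    options, i = {}, 0
    while True:
        code = buf[i]
        if code == 0:                     # PAD: one byte, no length field
            i += 1
            continue
        if code == 255:                   # END
            return options
        length = buf[i + 1]
        options[code] = bytes(buf[i + 2:i + 2 + length])
        i += 2 + length


def parse_dhcp_options_robust(buf: bytes) -> dict:
    """Same walker with every read checked; bad input is rejected with ValueError."""
    options, i, n = {}, 0, len(buf)
    while i < n:
        code = buf[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            return options
        if i + 1 >= n:
            raise ValueError("truncated option header")
        length = buf[i + 1]
        if i + 2 + length > n:
            raise ValueError("option length runs past end of buffer")
        options[code] = bytes(buf[i + 2:i + 2 + length])
        i += 2 + length
    raise ValueError("missing END option")


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One anomalous test case derived from a valid seed message."""
    data = bytearray(seed)
    kind = rng.randrange(5)
    if kind == 0:                                   # flip a single bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif kind == 1:                                 # boundary value in any byte (often a length)
        data[rng.randrange(len(data))] = rng.choice([0, 1, 127, 128, 254, 255])
    elif kind == 2:                                 # truncate the message
        data = data[:rng.randrange(len(data))]
    elif kind == 3:                                 # drop END, append a random tail
        data = data[:-1] + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:                                           # duplicate a slice (repeated/overlapping TLVs)
        a = rng.randrange(len(data))
        b = rng.randrange(a, len(data) + 1)
        data = data[:a] + data[a:b] + data[a:]
    return bytes(data)


def classify(parser, case: bytes) -> str:
    """'accepted', 'rejected' (the parser's own ValueError) or 'crash' (anything else)."""
    try:
        parser(case)
        return "accepted"
    except ValueError:
        return "rejected"
    except Exception:
        return "crash"


def fuzz(parser, seed: bytes = SEED, cases: int = 500, rng_seed: int = 1) -> dict:
    """Run `cases` mutated messages through `parser`; return outcome counts
    plus the first crashing input (None if there was none)."""
    rng = random.Random(rng_seed)
    stats = {"accepted": 0, "rejected": 0, "crash": 0, "first_crash": None}
    for _ in range(cases):
        case = mutate(seed, rng)
        outcome = classify(parser, case)
        stats[outcome] += 1
        if outcome == "crash" and stats["first_crash"] is None:
            stats["first_crash"] = case
    return stats


if __name__ == "__main__":
    for parser in (parse_dhcp_options_naive, parse_dhcp_options_robust):
        s = fuzz(parser)
        print(f"{parser.__name__}: {s['accepted']} accepted, {s['rejected']} rejected, "
              f"{s['crash']} crashes; first crash: {s['first_crash'] and s['first_crash'].hex()}")
```

The distinction the harness draws is the one that matters for robustness testing: a parser is allowed to reject a malformed message, but anything other than a clean accept or a controlled reject counts as a failure. Both parsers agree on well-formed input; only the unchecked one falls over when a length byte is pushed past the end of the buffer or the END marker disappears, which is the same class of implementation flaw that makes a network-facing stack crash on a crafted packet.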
