Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep

Why Fingerprint 802.11?

Some 802.11 implementations have vulnerabilities that make devices that use the wireless technology vulnerable as well. Exploits developed for one implementation may not work for another so an attacker might prefer to identify the implementation first. Then they can choose the appropriate exploit rather than cycling through them and possibly drawing attention to themselves by crashing a device with the wrong exploit.

Fingerprints can also be used in a defensive way. A system administrator may maintain a database of authorized devices approved for use on their WLAN. Typically the devices are identified by their globally-unique 802.11 MAC addresses. But this is insufficient because a MAC address can be easily cloned by an authorized user using an unauthorized device. A better approach is to use an 802.11 fingerprint. Knowing which 802.11 implementations are vulnerable, an administrator can monitor their environment for wireless activity, observe 802.11 fingerprints, and be notified of an authorized user who is using a device with a vulnerable 802.11 implementation even if the device clones the 802.11 MAC address of an authorized, and presumably secure, implementation. There are a variety of monitoring products on the market today, generally called Wireless Intrusion Detection Systems (WIDS), where 802.11 fingerprints could be observed.