Vulnerabilities on microwave point-to-point broadcasts

Guest
Archived from groups: (More info?)

I'm trying to assess what the security risks are of transmitting data
using a point-to-point microwave broadcast. Since the beam is a narrow
one, it limits of course the possibility of intercepting the signal
from across the street.

1. Assuming an attacker inserts a fake receiver dish between the
transmitting and receiving antenna, could eavesdropping be performed
without disrupting the broadcasting between the 2 legit antennas?

2. Are there any encryption standards when it comes specifically to
point-to-point microwave broadcast such as PPTP?

Thanks.

Paul
 
Guest
Archived from groups: (More info?)

That's a good point. I haven't seen many sites discussing
vulnerabilities on point-to-point microwave broadcast, so I don't know
how realistic these possibilities are.
 
Guest
Archived from groups: (More info?)

On 15 Aug 2005 08:19:37 -0700, paul_silverman@mail.com wrote:

>I'm trying to assess what the security risks are of transmitting data
>using a point-to-point microwave broadcast. Since the beam is a narrow
>one, it limits of course the possibility of intercepting the signal
>from across the street.

Assuming 2.4GHz, a 24dBi dish has a -3dB beamwidth of about 5 degrees.
However, there is enough leakage and side lobes around the antenna
that it can be heard from all angles but up close. There isn't much
signal but it usually can be effectively sniffed. In order to hear
both sides of the link, either a location in between the antennas, or
two separate sniffers are required.

>1. Assuming an attacker inserts a fake receiver dish between the
>transmitting and receiving antenna, could eavesdropping be performed
>without disrupting the broadcasting between the 2 legit antennas?

Yes. The beam is not that narrow. It is not necessary to block the
signal in order to hear it. For example, at a distance of 1000ft, the
5 degree beamwidth dish antenna can be heard across a beam diameter of
88ft.

>2. Are there any encryption standards when it comes specifically to
>point-to-point microwave broadcast such as PPTP?

PPTP is point to point tunnelling protocol which is a form of VPN
(virtual private network). This is usually sufficient to provide the
necessary security. The wireless data itself can be encrypted with
WEP, which is terribly insecure and easily sniffed. Much better is
WPA, which has not been cracked except for badly chosen pass phrases.
WPA-TKIP, which does regular key exchanges, is even better.
WPA-AES2-TKIP is probably the most secure.

See "man in the middle attack" section:
http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

References:
http://www.drizzle.com/~aboba/IEEE/

If you really want decent security from sniffing, I suggest you
investigate FSO (free-space optical) links. For example:
http://www.plaintree.com
You won't like the price.

So, what problem are you trying to solve and what do you have to work
with?

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558
 
Guest
Archived from groups: (More info?)

Jeff,

Thanks for the detailed response. My client is currently operating a
microwave point-to-point broadcast between 2 buildings, and he asked me
to assess what the risks are that his data could be intercepted by a
non-authorized user. Very little has been written on the subject (as
opposed to Wi-Fi vulnerabilities) and googling security sites with
"microwave" returns the usual stuff on Wi-Fi. Therefore it is actually
hard to find out what the "real" risks are for microwave point-to-point
broadcast.

Therefore a microwave point-to-point isn't totally secure (if such a
concept exists). Taking your scenario, anyone within a radius of 88
feet could intercept data if a rogue dish is pointed toward the
transmitting antenna. How easy it is then to extract information from
that data depends on the encryption used.

Thanks.

Paul
 
Guest
Archived from groups: (More info?)

paul_silverman@mail.com wrote:
> Very little has been written on the subject (as
>opposed to Wi-Fi vulnerabilities) and googling security sites with
>"microwave" returns the usual stuff on Wi-Fi. Therefore it is actually

Paul,

Wifi *is* microwave. It is just one of many different types of
microwave, and is the least expensive and most common form you'll
find today.

There are other types of microwave systems, but the essentials are
the same, and only specific details differ. The whole point in
any case is that anyone with the same type of microwave can downlink
the signal, and unless it is encrypted can demodulate it to the same
data that the intended receiver delivers.

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
 
Guest
Archived from groups: (More info?)

> 1. Assuming an attacker inserts a fake receiver dish between the
> transmitting and receiving antenna, could eavesdropping be performed
> without disrupting the broadcasting between the 2 legit antennas?

Sure. Or how about one behind each of the other antennas? The beam
might be limited but not necessarily the length.

> 2. Are there any encryption standards when it comes specifically to
> point-to-point microwave broadcast such as PPTP?

PPTP isn't very strong and has published vulnerabilities. You should be
looking at something else.

David.
 
Guest
Archived from groups: (More info?)

On 15 Aug 2005 11:09:33 -0700, paul_silverman@mail.com wrote:

>My client is currently operating a
>microwave point-to-point broadcast between 2 buildings, and he asked me
>to assess what the risks are that his data could be intercepted by a
>non-authorized user.

OK. He's running a wireless bridge. No clue on equipment, antennas,
distance, topology, location, or altitude. I can't offer any
specifics or opinions on the relative security of such an unspecified
installation.

Incidentally, he's not doing a "broadcast". I think the term
"wireless link" or "wireless bridge" might be more appropriate.
Broadcasting is one way.

>Very little has been written on the subject (as
>opposed to Wi-Fi vulnerabilities) and googling security sites with
>"microwave" returns the usual stuff on Wi-Fi.

Reading between the lines, I seem to smell that this system is NOT a
wi-fi link but some other proprietary or non-standard wireless link.
Quite a bit has been written on the standard methods of encryption for
wireless, that are used by various vendors. If I had some clue as to
what you're working with, I could offer some hints.

>Therefore it is actually
>hard to find out what the "real" risks are for microwave point-to-point
>broadcast.

Actually, it's quite simple. *ALL* microwave signals can be
intercepted given the proper equipment and antennas. Most modulation
methods and protocols can be captured and decoded. Therefore, your
only real protection is the level of encryption present on the
wireless link. To the best of my knowledge, all current vendors of
point to point wireless systems offer some level of encryption in their
radios.

>Therefore a microwave point-to-point isn't totally secure (if such a
>concept exists).

Totally secure to a small business is quite different from totally
secure for the NSA, CIA, FBI, etc. Security really depends upon how
much effort one is willing to expend on decryption. If I have a room
full of state-o-de-art dedicated computers simultaneously working on
one problem, then I'm highly likely to crack anything you throw at it.

>Taking your scenario, anyone within a radius of 88
>feet could intercept data if a rogue dish is pointed toward the
>transmitting antenna.

No. Not a radius. 88ft is the diameter of the 5 degree wide "beam"
at 1000ft for a parabolic dish with a gain of 24dBi at 2.4GHz. Think
of it like a flashlight. It's the width of the spot of light on the
wall. Anyone inside the spot will see the light. Those outside
won't see as much. Other gains, antenna types, and frequencies will
have different beamwidths.

>How easy it is then to extract information from
>that data depends on the encryption used.

I have no idea. You define the type and level of encryption and I'll
pass judgment on the technology. Otherwise, I'm just guessing.

Drivel: I still do some computer work for one large corporation.
They once asked me to assess the security of their system. They
rented a nearby building and had a 5.7GHz wireless bridge between
buildings. Everyone thought I was going to attack the wireless link
with sniffers and decryption software. Instead, I social engineered
the lock on the phone closet in a likely hallway, found the CAT5 going
to the 5.7GHz radios, peeled the insulation, and tapped the data pairs
with my handy dandy home made ethernet tap[1]. I was on their inside
network in about 5 minutes. I also identified about 15 other exposed
points where I could tap into the network. I captured some data from
the bridge and reassembled a few interesting email messages.

[1] Type 110 punchdown to RJ45 adapter block ($3) plus a heavily
modified ethernet hub.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558
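To put numbers on the "flashlight spot" described in both of Jeff's replies (the 88 ft beam diameter at 1000 ft, and the side-lobe leakage that can still be heard off-axis), here is an added Python example that is not part of the thread. It computes the main-beam footprint from beamwidth and range, then a Friis free-space link budget for a receiver that is not the intended one; the 20 dBm transmit power, 24 dBi receive dish, 25 dB side-lobe suppression and -85 dBm sensitivity are constructed assumptions chosen to illustrate the argument.

```python
"""Interception exposure of a point-to-point microwave link.
Added example, not from the thread; radio parameters are constructed."""
import math

C_M_PER_S = 299_792_458.0
FT_PER_M = 3.280839895


def beam_footprint_ft(distance_ft, beamwidth_deg):
    """Diameter of the -3 dB 'spot' at a given range (the flashlight analogy).
    Anyone inside this circle sits in the main beam, not just a side lobe."""
    return 2.0 * distance_ft * math.tan(math.radians(beamwidth_deg / 2.0))


def fspl_db(distance_m, freq_hz):
    """Free-space path loss (Friis), in dB."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C_M_PER_S)


def third_party_margin_db(tx_power_dbm, tx_gain_dbi, off_axis_loss_db,
                          distance_m, freq_hz, rx_gain_dbi, rx_sensitivity_dbm):
    """Margin above sensitivity at a receiver that is not the intended one.
    off_axis_loss_db: how far the transmit pattern is down toward that receiver
    (0 dB inside the main beam, roughly 20-30 dB in side lobes).  A positive
    margin means frames demodulate; only link encryption then protects them."""
    rx_dbm = (tx_power_dbm + tx_gain_dbi - off_axis_loss_db
              - fspl_db(distance_m, freq_hz) + rx_gain_dbi)
    return rx_dbm - rx_sensitivity_dbm


def thread_scenario():
    """The 2.4 GHz / 24 dBi / 5 degree / 1000 ft case from the thread, with an
    assumed 100 mW (20 dBm) radio, a hypothetical 24 dBi receive dish and an
    assumed -85 dBm receiver sensitivity (constructed values)."""
    dist_ft = 1000.0
    dist_m = dist_ft / FT_PER_M  # 304.8 m
    return {
        "footprint_ft": beam_footprint_ft(dist_ft, 5.0),  # ~87 ft (thread: 88)
        "path_loss_db": fspl_db(dist_m, 2.4e9),            # ~89.7 dB
        "in_beam_margin_db": third_party_margin_db(
            20.0, 24.0, 0.0, dist_m, 2.4e9, 24.0, -85.0),  # ~63 dB
        "side_lobe_margin_db": third_party_margin_db(
            20.0, 24.0, 25.0, dist_m, 2.4e9, 24.0, -85.0),  # ~38 dB
    }


if __name__ == "__main__":
    for name, value in thread_scenario().items():
        print(f"{name:>20}: {value:6.1f}")
```

Even 25 dB down in a side lobe, the assumed receiver has tens of dB to spare, which is why the thread concludes that the beam's narrowness buys no confidentiality and the encryption on the link is the only real control.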
 
Guest
Archived from groups: (More info?)

Jeff, thanks for your detailed reply. I'd like to raise a final
question on this post.

Since Wi-Fi equipment is becoming cheaper each day, would it be
reasonable to say that wireless links using non-802.11 frequencies
(such as 5.7 GHz) are likely to become a thing of the past? On the
other hand, it might be possible as well to say that non-802.11
wireless links have their place since they won't interfere with the
gazillion gadgets that crowd the 2.4 GHz frequency.

Paul
 
Guest
Archived from groups: (More info?)

Well, yes and no.

First, just for clarification, there are several setups that run in the
unlicensed frequency range (900 MHz, 2.4GHz and 5GHz). Wifi is merely a
subset/protocol available using that frequency. Just because you use an
"off beat" system doesn't mean that you're in the clear for security
vulnerabilities, and just because a system doesn't use the term WIFI
doesn't mean it doesn't run in these spectrums.

Additionally, systems that run on licensed frequencies are very
expensive to maintain, and eventually the manufacturer will end-of-life
the product. Make sure that IF you change systems, ever, you do your
due diligence, and select a system that is secure, sturdy, and cost
effective. I like orthogon (http://www.orthogonsystems.com) for their
use of the unlicensed spectrum, without the mechanisms of 802.11.
Additionally, the AES encryption of the data traversing the wireless
link is a huge bonus, for all. That says nothing for the wire-side, but
honestly, if someone gets access to your wire, you've got bigger
issues. :)

I hope this helps. Please feel free to contact me with any questions or
comments.

Christopher M. Hutchison, CEO
NetSteady Communications, Ltd.

Phone: 614-853-0091
Fax: 614-436-1119
Skype: wifi_chris

http://www.netsteady.cc
 
Guest
Archived from groups: (More info?)

On 17 Aug 2005 07:06:03 -0700, paul_silverman@mail.com wrote:

>Since Wi-Fi equipment is becoming cheaper each day, would it be
>reasonable to say that wireless links using non-802.11 frequencies
>(such as 5.7 GHz) are likely to become a thing of the past?

The surest sign of success is pollution, and Wi-Fi is certainly
successful. Just wait until Zigbee and active RFID tags appear on
2.4GHz.

Slight correction. The Wi-Fi certification includes 2.4GHz 802.11b/g
and 5.7GHz 802.11a products. Wi-Fi is not specific to any particular
Part 15 band.

Personally, I expect to see the FCC allocate more unlicensed spectrum.
However, my guess is that they will do it in the same manner as the
new 3.6GHz WiMax allocation. Lots of limitations and a requirement
for registration of xmitters. Basically, it's an automatic license
without an auction and no coordination requirement. When this will
happen is largely dependent on when the current fashion in monopoly
building at the FCC runs its course.

>On the
>other hand, it might be possible as well to say that non-802.11
>wireless links have their place since they won't interfere with the
>gazillion gadgets that crowd the 2.4 GHz frequency.

Actually most non wi-fi schemes just clobber wi-fi. For example a
frequency hopper will hog the entire band and simply slow down in the
presence of interference, while Wi-Fi just dies if faced with FHSS
interference. A Proxim/Wmux Lynx radio belches continuous RF in both
directions, even if there's no data being passed. Not exactly what I
call being a considerate neighbor.

I don't know where your questions are leading or what problem you're
trying to solve. If you're trying to "future proof" your customer's
radio system, go to licensed microwave. At least you're not going to
get clobbered by the local coffee shop hot spot or municipal mesh mess.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558