[unisog] Taking down a university network with your phone!

Michael Kaegler Michael.Kaegler at marist.edu
Thu Jul 19 18:38:52 GMT 2007


At 10:26 AM -0600 7/19/07, Stephen John Smoogen wrote:
>Well from the way the article is hyped.. I figured the subject should be
>equivalent. Do people have an idea of what the issue is exactly, and
>  what the 'security' implications might be

The educause wireless list has had some discussion since before the 
story broke on Monday. Duke admin Kevin Miller is involved in the 
thread.

He describes the traffic as follows (educause guidelines don't have a 
problem with forwarding this information):
At 6:52 AM -0400 7/17/07, Kevin Miller wrote:
>[MAC Address of iPhone] > [MAC Address B] ARP who-has [IP A] tell [IP B]
>Where MAC Address B "looks" like the MAC address of a home router of
>some sort (OUI is assigned to such a manufacturer).
>IP A looks like a home router gateway IP (192.168.1.1, 10.0.1.1,
>192.168.2.1, etc)
>IP B looks like an IP that might be assigned on a home router
>(192.168.1.5, etc)
--http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0707&L=wireless-lan&T=0&F=&S=&P=2592

The ARPs come in at almost 11,500 per second, which is enough to 
knock out their APs (I run the same Cisco autonomous APs, I haven't 
seen this happen). The exact source of the issue seems buried in the 
iphone somewhere (and arguably, in the APs, as external forces 
shouldn't be able to make an AP unavailable).

There's been speculation that its a side effect of iphone "special 
sauce" roaming code, but no real evidence of that. The Yahoo article 
quotes Ashok Agrawala from UoM; it appears he was just asked about 
"wireless problems" and had no other information to work with.

The security implications? I don't see many that one doesn't already 
have in other mobile 802.11 clients. The one difference I see here is 
that new code releases for the iphone could be deployed to tens of 
thousands of your customers at once. It dosn't take a heck of a lot 
of enterprise networking experience to see the risk there (although 
arguably a similar threat is posed by windows update).
-porkchop


-- 
Michael "Porkchop" Kaegler, Sr. Network Analyst
(845) 575-3061 Marist College, Poughkeepsie, NY


More information about the unisog mailing list