Never resting on their laurels, AirDefense, at the invitation of the Defcon 15 organizers, took advantage of their monitoring role to identify new attacks and to incorporate what they discovered into updated detection and mitigation methods for their enterprise wireless IDS/IPS product.
While this "hacker" event is not nearly the size of major venues such as Interop or CES, it does provide a unique forum for experimentation. According to AirDefense, 17 variations of DoS (denial of service) attacks were performed during the three days they monitored traffic. In an interview, Richard Rushing, chief security officer of AirDefense, said that while jamming single channels has been around for some time, this was the first time they saw attacks that expanded this to all channels using off-the-shelf 802.11 wireless cards. AirDefense also detected intentional packet corruption. While a legitimate client or access point (AP) transmits, the attacker simultaneously generates traffic that corrupts the signal, making it difficult and sometimes impossible for the receiver to properly demodulate the signal and assemble a valid packet. Not having received an ACK from the receiver, the transmitter sends again, at which time the rogue device interferes again, and so on. Interestingly enough, Meru Networks claims a similar technology in its own wireless IDS/IPS module for rogue client/access point mitigation.
AirDefense also detected more advanced multipot attacks. This class of attack uses one or more rogue soft access points to draw clients away from legitimate access points, after which a man-in-the-middle attack becomes possible. Just like the DoS attacks, this is not new, but Rushing said that the toolkits have been improved to automate, and therefore accelerate and increase the success of, the attack.
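To make the two detection ideas concrete, here is an added example (not AirDefense's or Meru's code) of toy wireless-IDS checks run over constructed 802.11 frames: a retry-ratio check that surfaces transmitters stuck in the resend loop the packet-corruption attack causes, and a rogue-BSSID check that flags beacons advertising a trusted SSID from an access point missing from the inventory, as a multipot soft AP would. The thresholds, MAC addresses and the `CorpNet` inventory are illustrative assumptions.

```python
"""Toy wireless-IDS checks over constructed 802.11 frames (added example, not AirDefense's code):
a retry-storm check for the packet-corruption DoS and a rogue-BSSID check for multipot soft APs.
Thresholds and the AP inventory are illustrative assumptions."""
import struct
from collections import Counter

MGMT_BEACON = 0x80   # Frame Control byte 0: type 0 (management), subtype 8 (beacon)
DATA_FRAME = 0x08    # Frame Control byte 0: type 2 (data), subtype 0
FC_RETRY = 0x08      # Frame Control byte 1: retry flag (bit 3); bit 0 is To-DS

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_data(src, bssid, retry):
    """Client-to-AP data frame: addr1 = BSSID, addr2 = SA, addr3 = DA (here the AP itself)."""
    fc1 = 0x01 | (FC_RETRY if retry else 0)
    return bytes([DATA_FRAME, fc1, 0, 0]) + mac(bssid) + mac(src) + mac(bssid) + b"\x00\x00"

def build_beacon(bssid, ssid):
    """Beacon: 24-byte header, fixed fields (timestamp, interval, capability), then SSID tag 0."""
    hdr = bytes([MGMT_BEACON, 0, 0, 0]) + mac("ff:ff:ff:ff:ff:ff") + mac(bssid) * 2 + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body

def parse(raw):
    """Pull only the fields the checks need out of a raw frame."""
    beacon = raw[0] == MGMT_BEACON
    ssid = raw[38:38 + raw[37]].decode() if beacon and raw[36] == 0 else None  # tags start at 36
    return {"beacon": beacon, "retry": bool(raw[1] & FC_RETRY), "ssid": ssid,
            "src": raw[10:16].hex(":"), "bssid": (raw[16:22] if beacon else raw[4:10]).hex(":")}

def retry_storm_sources(frames, threshold=0.5, min_frames=5):
    """Transmitters whose retry ratio exceeds the threshold: a symptom of deliberate corruption."""
    total, retries = Counter(), Counter()
    for f in map(parse, frames):
        if not f["beacon"]:
            total[f["src"]] += 1
            retries[f["src"]] += f["retry"]
    return sorted(s for s in total if total[s] >= min_frames and retries[s] / total[s] > threshold)

def rogue_bssids(frames, known):
    """Beacons advertising a trusted SSID from a BSSID not in the inventory (multipot soft APs)."""
    return sorted({(f["ssid"], f["bssid"]) for f in map(parse, frames)
                   if f["beacon"] and f["ssid"] in known and f["bssid"] not in known[f["ssid"]]})

KNOWN_APS = {"CorpNet": {"00:11:22:33:44:55"}}   # constructed inventory of sanctioned APs
FRAMES = ([build_data("aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", i > 1) for i in range(10)]      # 8/10 retries
          + [build_data("aa:bb:cc:dd:ee:02", "00:11:22:33:44:55", i % 5 == 0) for i in range(10)]  # 2/10
          + [build_beacon("00:11:22:33:44:55", "CorpNet"), build_beacon("66:77:88:99:aa:bb", "CorpNet")])
```

On the constructed capture, `retry_storm_sources(FRAMES)` flags only the client with eight retries out of ten, and `rogue_bssids(FRAMES, KNOWN_APS)` flags the second `CorpNet` beacon; a real sensor would apply the same logic per channel and over a sliding time window.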
It's important to note that Defcon is not representative of the threat intensity that a typical enterprise will experience. WPA/WPA2-Enterprise user authentication, encryption and message authentication currently remain secure, but the attacks detected at this event do confirm that both wireless researchers and hackers of all shades have not exhausted all the possible ways to disrupt the integrity and reliability of wireless networks. The upcoming IEEE standard, 802.11w, will address management frame protection, but there remain many avenues for Layer 1 and 2 attacks.