Networking Forums

Vulnerabilities on microwave point-to-point broadcasts

 
 
paul_silverman@mail.com
08-15-2005, 03:19 PM
I'm trying to assess what are the security risks of transmitting data
using a point-to-point microwave broadcast. Since the beam is a narrow
one, it limits of course the possibility of intercepting the signal
from across the street.

1. Assuming an attacker inserts a fake receiver dish between the
transmitting and receiving antenna, could eavesdropping be performed
without disrupting the broadcasting between the 2 legit antennas?

2. Are there any encryption standards when it comes specifically to
point-to-point microwave broadcast such as PPTP?

Thanks.

Paul

 
David Taylor
08-15-2005, 04:43 PM
> 1. Assuming an attacker inserts a fake receiver dish between the
> transmitting and receiving antenna, could eavesdropping be performed
> without disrupting the broadcasting between the 2 legit antennas?


Sure. Or how about one behind each of the other antennas? The beam
might be limited but not necessarily the length.

> 2. Are there any encryption standards when it comes specifically to
> point-to-point microwave broadcast such as PPTP?


PPTP isn't very strong and has published vulnerabilities. You should be
looking at something else.

David.
 
NetSteady
08-15-2005, 04:57 PM
I agree. I would use an IPSEC tunnel before using PPTP.

 
paul_silverman@mail.com
08-15-2005, 05:06 PM
That's a good point. I haven't seen many sites discussing
vulnerabilities on point-to-point microwave broadcast, so I don't know
how realistic these possibilities are.

 
Jeff Liebermann
08-15-2005, 05:35 PM
On 15 Aug 2005 08:19:37 -0700, (E-Mail Removed) wrote:

>I'm trying to assess what are the security risks of transmitting data
>using a point-to-point microwave broadcast. Since the beam is a narrow
>one, it limits of course the possibility of intercepting the signal
>from across the street.


Assuming 2.4GHz, a 24dBi dish has a -3dB beamwidth of about 5 degrees.
However, there is enough leakage and side lobes around the antenna
that it can be heard from all angles but up close. There isn't much
signal but it usually can be effectively sniffed. In order to hear
both sides of the link, either a location in between the antennas, or
two separate sniffers are required.

>1. Assuming an attacker inserts a fake receiver dish between the
>transmitting and receiving antenna, could eavesdropping be performed
>without disrupting the broadcasting between the 2 legit antennas?


Yes. The beam is not that narrow. It is not necessary to block the
signal in order to hear it. For example, at a distance of 1000ft, the
5 degree beamwidth dish antenna can be heard across a beam diameter of
88ft.

>2. Are there any encryption standards when it comes specifically to
>point-to-point microwave broadcast such as PPTP?


PPTP is point to point tunnelling protocol which is a form of VPN
(virtual private network). This is usually sufficient to provide the
necessary security. The wireless data itself can be encrypted with
WEP, which is terribly insecure and easily sniffed. Much better is
WPA, which has not been cracked except for badly chosen pass phrases.
WPA-TKIP, which does regular key exchanges, is even better.
WPA-AES2-TKIP is probably the most secure.

See "man in the middle attack" section:
http://csrc.nist.gov/publications/ni..._SP_800-48.pdf

References:
http://www.drizzle.com/~aboba/IEEE/

If you really want decent security from sniffing, I suggest you
investigate FSO (free-space optical) links. For example:
http://www.plaintree.com
You won't like the price.

So, what problem are you trying to solve and what do you have to work
with?

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558
 
paul_silverman@mail.com
08-15-2005, 06:09 PM
Jeff,

Thanks for the detailed response. My client is currently operating
microwave point-to-point broadcast between 2 buildings, and he asked me
to assess what are the risks that his data be intercepted by a
non-authorized user. Very little has been written on the subject (as
opposed to Wi-Fi vulnerabilities) and googling security sites with
"microwave" returns the usual stuff on Wi-Fi. Therefore it is actually
hard to find out what the "real" risks are for microwave point-to-point
broadcast.

Therefore a microwave point-to-point isn't totally secure (if such a
concept exists). Taking your scenario, anyone without a radius of 88
feet could intercept data if a rogue dish is pointed toward the
transmitting antenna. How easy it is then to extract information from
that data depends on encryption used.

Thanks.

Paul

 
Floyd L. Davidson
08-15-2005, 07:12 PM
(E-Mail Removed) wrote:
> Very little has been written on the subject (as
>opposed to Wi-Fi vulnerabilities) and googling security sites with
>"microwave" returns the usual stuff on Wi-Fi. Therefore it is actually


Paul,

Wifi *is* microwave. It is just one of many different types of
microwave, and is the least expensive and most common form you'll
find today.

There are other types of microwave systems, but the essentials are
the same, and only specific details differ. The whole point in
any case is that anyone with the same type of microwave can downlink
the signal, and unless it is encrypted can demodulate it to the same
data that the intended receiver delivers.

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
Jeff Liebermann
08-16-2005, 01:27 AM
On 15 Aug 2005 11:09:33 -0700, (E-Mail Removed) wrote:

>My client is currently operating
>microwave point-to-point broadcast between 2 buildings, and he asked me
>to assess what are the risks that his data be intercepted by a
>non-authorized user.


OK. He's running a wireless bridge. No clue on equipment, antennas,
distance, topology, location, or altitude. I can't offer any
specifics or opinions on the relative security of such an unspecified
installation.

Incidentally, he's not doing a "broadcast". I think the term
"wireless link" or "wireless bridge" might be more appropriate.
Broadcasting is one way.

>Very little has been written on the subject (as
>opposed to Wi-Fi vulnerabilities) and googling security sites with
>"microwave" returns the usual stuff on Wi-Fi.


Reading between the lines, I seem to smell that this system is NOT a
wi-fi link but some other proprietary or non-standard wireless link.
Quite a bit has been written on the standard methods of encryption for
wireless, that are used by various vendors. If I had some clue as to
what you're working with, I could offer some hints.

>Therefore it is actually
>hard to find out what the "real" risks are for microwave point-to-point
>broadcast.


Actually, it's quite simple. *ALL* microwave signals can be
intercepted given the proper equipment and antennas. Most modulation
methods and protocols can be captured and decoded. Therefore, your
only real protection is the level of encryption present on the
wireless link. To the best of my knowledge, all current vendors of
point to point wireless systems offer some level of encryption in their
radios.

>Therefore a microwave point-to-point isn't totally secure (if such a
>concept exists).


Totally secure to a small business is quite different from totally
secure for the NSA, CIA, FBI, etc. Security really depends upon how
much effort one is willing to expend on decryption. If I have a room
full of state-o-de-art dedicated computers simultaneously working on
one problem, then I'm highly likely to crack anything you throw at it.

>Taking your scenario, anyone without a radius of 88
>feet could intercept data if a rogue dish is pointed toward the
>transmitting antenna.


No. Not a radius. 88ft is the diameter of the 5 degree wide "beam"
at 1000ft for a parabolic dish with a gain of 24dBi at 2.4GHz. Think
of it like a flashlight. It's the width of the spot of light on the
wall. Anyone inside the spot will see the light. Those outside,
won't see as much. Other gains, antenna types, and frequencies will
have different beamwidths.

>How easy it is then to extract information from
>that data depends on encryption used.


I have no idea. You define the type and level of encryption and I'll
pass judgment on the technology. Otherwise, I'm just guessing.

Drivel: I still do some computer work for one large corporation.
They once asked me to assess the security of their system. They
rented a nearby building and had a 5.7GHz wireless bridge between
buildings. Everyone thought I was going to attack the wireless link
with sniffers and decryption software. Instead, I social engineered
the lock on the phone closet in a likely hallway, found the CAT5 going
to the 5.7GHz radios, peeled the insulation, and tapped the data pairs
with my handy dandy home made ethernet tap[1]. I was on their inside
network in about 5 minutes. I also identified about 15 other exposed
points where I could tap into the network. I captured some data from
the bridge and reassembled a few interesting email messages.

[1] Type 110 punchdown to RJ45 adapter block ($3) plus a heavily
modified ethernet hub.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558
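
An added worked example, not part of any post in this thread: the beam-footprint figure quoted above (5 degree beamwidth, 1000ft, 2.4GHz) carried through in Python, extended to distances past the far antenna to show how little the main lobe weakens behind the receiver. It models free-space loss in the main lobe only; the overshoot distances are constructed sample values, and side lobes and obstructions are not modelled.

```python
import math

FT_PER_KM = 3280.84


def footprint_diameter_ft(distance_ft, beamwidth_deg):
    """Diameter of the -3 dB main-lobe 'spot' at a given distance."""
    return 2 * distance_ft * math.tan(math.radians(beamwidth_deg) / 2)


def fspl_db(distance_ft, freq_mhz):
    """Free-space path loss in dB (standard form: d in km, f in MHz)."""
    d_km = distance_ft / FT_PER_KM
    return 20 * math.log10(d_km) + 20 * math.log10(freq_mhz) + 32.44


def exposure_table(link_ft, beamwidth_deg, freq_mhz, distances_ft):
    """Spot size and path loss at each distance along the beam axis.

    loss_vs_receiver_db is the extra loss compared with the legitimate
    receiver at link_ft; small values mean the signal there is nearly
    as strong as the one the real receiver gets.
    """
    base = fspl_db(link_ft, freq_mhz)
    rows = []
    for d in distances_ft:
        loss = fspl_db(d, freq_mhz)
        rows.append({
            "distance_ft": d,
            "spot_diameter_ft": round(footprint_diameter_ft(d, beamwidth_deg), 1),
            "path_loss_db": round(loss, 1),
            "loss_vs_receiver_db": round(loss - base, 1),
        })
    return rows


if __name__ == "__main__":
    # Link values from the thread; the distance list is constructed.
    for row in exposure_table(1000, 5, 2400, [500, 1000, 2000, 4000]):
        print(row)
```

Doubling the distance behind the receiver costs only about 6 dB while the spot doubles in width, which is why the thread treats link encryption, not beam geometry, as the real control.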
 
paul_silverman@mail.com
08-17-2005, 02:06 PM
Jeff, thanks for your detailed reply. I'd like to raise a final
question on this post.

Since Wi-Fi equipment is becoming cheaper each day, would it be
reasonable to say that wireless links using non-802.11 frequencies
(such as 5.7 GHz) are likely to become a thing of the past? On the
other hand, it might be possible as well to say that non-802.11
wireless links have their place since they won't interfere with the
gazillion of gadgets that crowd the 2.4 GHz frequency.

Paul

 
NetSteady
08-18-2005, 01:59 AM
Well, yes and no.

First, just for clarification, there are several setups that run in the
unlicensed frequency range (900 MHz, 2.4GHz and 5GHz). Wifi is merely a
subset/protocol available using that frequency. Just because you use an
"off beat" system doesn't mean that you're in the clear for security
vulnerabilities and just because a system doesn't use the term WIFI,
doesn't mean it doesn't run in these spectrums.

Additionally, systems that run on licensed frequencies are very
expensive to maintain, and eventually the manufacturer will end-of-life
the product. Make sure that IF you change systems, ever, you do your
due diligence, and select a system that is secure, sturdy, and cost
effective. I like orthogon (http://www.orthogonsystems.com) for their
use of the unlicensed spectrum, without the mechanisms of 802.11.
Additionally, the AES encryption of the data traversing the wireless
link is a huge bonus, for all. That says nothing for the wire-side, but
honestly, if someone gets access to your wire, you've got bigger
issues.

I hope this helps. Please feel free to contact me with any questions or
comments.

Christopher M. Hutchison, CEO
NetSteady Communications, Ltd.

Phone: 614-853-0091
Fax: 614-436-1119
Skype: wifi_chris

http://www.netsteady.cc

 