Wireless Access Points and ARP Poisoning: Wireless vulnerabilities that expose the wired network

Bob Fleck <rfleck@cigital.com>, Jordan Dimov <jdimov@cigital.com>

Address resolution protocol (ARP) cache poisoning is a MAC layer attack that can only be carried out when an attacker is connected to the same local network as the target machines, limiting its effectiveness to networks connected with switches, hubs, and bridges, not routers. Most 802.11b access points act as transparent MAC layer bridges, which allow ARP packets to pass back and forth between the wired and wireless networks. This implementation choice for access points allows ARP cache poisoning attacks to be executed against systems that are located behind the access point.

In unsafe deployments, wireless attackers can compromise traffic between machines on the wired network behind the wireless network, and also compromise traffic between other wireless machines, including roaming clients in other cells. Of particular note is the vulnerability of home combination devices that offer a wireless access point, a switch, and a DSL/cable modem router in one package. These popular consumer devices allow a wireless attacker to compromise traffic between computers connected to the built-in switch.

http://www.cigitallabs.com/resources/papers/download/arppoison.pdf

--
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum
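A monitoring check for the condition the abstract describes, added here as an example and not taken from the post or the paper: it watches ARP replies on the wired segment and raises the severity when an IP first bound to a wired MAC is later claimed by a MAC associated with the access point. The addresses, the `WIRELESS_MACS` station list, the function names and the first-seen baseline are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (time, sender_ip, sender_mac) taken from ARP replies
# observed on the wired segment behind a bridging access point.
ARP_REPLIES = [
    (1, "192.168.1.1",  "00:aa:bb:00:00:01"),  # gateway, wired
    (2, "192.168.1.10", "00:aa:bb:00:00:10"),  # workstation, wired
    (3, "192.168.1.50", "00:cc:dd:00:00:50"),  # laptop, wireless
    (4, "192.168.1.1",  "00:cc:dd:00:00:50"),  # gateway IP claimed by wireless MAC
    (5, "192.168.1.10", "00:CC:DD:00:00:50"),  # workstation IP claimed by same MAC
    (6, "192.168.1.50", "00:cc:dd:00:00:50"),  # unchanged binding, no alert
]
# Constructed: MACs in the access point's association table (assumed available).
WIRELESS_MACS = {"00:cc:dd:00:00:50"}


def detect_rebinding(replies, wireless_macs):
    """Alert when an IP's MAC differs from its first-seen (baseline) MAC."""
    baseline, alerts = {}, []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        known = baseline.setdefault(ip, mac)   # assumption: first sighting is trusted
        if known == mac:
            continue
        # A wired host's address moving to a wireless station is the case
        # a bridging access point makes possible.
        crossed = known not in wireless_macs and mac in wireless_macs
        alerts.append({"time": ts, "ip": ip, "old_mac": known, "new_mac": mac,
                       "severity": "high" if crossed else "review"})
    return alerts


def macs_claiming_multiple_ips(replies):
    """Map each MAC that answers for more than one IP to the IPs it claims."""
    claimed = defaultdict(set)
    for _, ip, mac in replies:
        claimed[mac.lower()].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_rebinding(ARP_REPLIES, WIRELESS_MACS):
        print(alert)
    print(macs_claiming_multiple_ips(ARP_REPLIES))
```

A "review" alert covers changes that can be legitimate, such as a replaced network card or a reassigned DHCP lease.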