A look into Black Hat’s wireless network
Aruba Networks, which provided and maintained the wireless network for last week’s Black Hat USA 2011 conference, today provided some interesting statistics around the network’s use.
The device-fingerprinting capabilities of the Aruba network enabled visibility into exactly who was using what on the network:
- Apple devices were most prevalent at 43.3 percent of all devices (28.4 percent alone for iOS iPad and iPhone, with another 14.9 percent running OS X)
- Linux users composed 35 percent of the total
- Windows users represented 21.8 percent.
Aruba broadcast three network SSIDs at Black Hat USA 2011: one WPA pre-shared key (PSK) for the conference generally, one PEAP network with user self-registration and one EAP-TLS network (for iOS devices) with Aruba’s Mobile Device Access Control (MDAC) solution.
While the majority of attendees used the Black Hat PSK network, Aruba was pleased to find almost 200 attendees utilizing the PEAP/EAP-TLS “secured” network.
This secured network was provisioned using Aruba Amigopod, requiring attendees to accept certificates before being granted network access.
“This scheme seemed to work very well in a hostile environment like Black Hat with no pre-established trust in users or secure means to provision credentials,” said Aruba engineer Robbie Gill, Ph.D., who led the design and deployment of the Black Hat network. “We also managed to capture a huge amount of security events, the most interesting of which were IP spoofing, AP spoofing, Power save DoS attacks and Block ACK attacks. The Aruba controller was configured to block all spoofing attacks and no communication was permitted between users at any network layer in order to protect them from each other.”
The wireless network for the conference, designed and deployed by Aruba Networks, and based on the Aruba Mobile Virtual Enterprise (MOVE) architecture, included more than 30 Aruba AP-134 access points distributed over more than 200,000 square feet in the Caesar’s Palace Conference Center.
The network was accessed by more than 2,400 attendees, with 853 as the maximum number of concurrent users. The network detected and contained more than 8,790 independent security events, including 670 rogues, 191 AP flood attacks, 489 instances of AP spoofing, 579 instances of IP spoofing, 1,659 “Hotspotter” attacks and 1,799 “Block ACK” attacks.