802.11 Association Hijacking

It has recently been discovered that there are a few 802.11 access points and clients that, when used in conjunction with each other, allow the access point to "hijack" any association attempt that the client tries to make, whether or not it is intended for that access point.  This is a very big problem that needs to be addressed as soon as possible by the manufacturers of the devices in question.  Unfortunately, it has proven to be a struggle just to get some of them to admit that there is a problem to begin with, much less get a fix out of them for it.

The purpose of this page is to document all of the information that I have been able to gather about this phenomenon as well as to document any progress that I have managed to make with various different manufacturers whose products demonstrate this bug.  The intent is to make this information as public as possible, both to help out others who have been affected by this bug as well as to put some pressure on the manufacturers to fix their products.

What you can expect to find throughout the remainder of this document is a brief description of the symptoms of the problem, a list of devices that are defective in this manner, information about progress being made to resolve the bug in specific devices, and finally a detailed look at exactly what is happening behind-the-scenes along with Kismet captures of the raw 802.11 frames to help with the demonstration.

Special Thanks

I want to publicly thank and acknowledge the good folks at Tranzeo Wireless for all of their help in trying to track down and help diagnose this problem, and for being all around awesome guys to work with.

Site Updates

11/11/04 -

Agere, sadly, will not release a flashable fix for the "hijacking vulnerability" bug for Hermes 1 clients!  Fixed a typo regarding the new RAM-downloadable firmware revision that comes with the new drivers for Hermes 2 cards (1.68 -> 1.64).

11/07/04 -

A partial fix for the hijacking vulnerability in Hermes-based cards has been found!  News updates now appear in reverse-chronological order to make new items more readily apparent.  Added a link regarding "updating Prism card's firmware" to the Spotlight section.

11/03/04 -

Updated the Hermes and Linksys sections with new news; updated the Netgear section to include older news.  Added a new section with links to more information about this problem.

11/02/04 -

Updated the Test Conditions section to list the specific ORiNOCO firmware revision used during tests; clarified the language used under the Analysis section with regard to filtering Beacon frames with Ethereal; clarified the language describing the improper behavior that the Netgear WGR614v4 router exhibits.

10/29/04 -

Initial version.

Description of the Problem

If certain buggy clients are within range of certain buggy access points, they will more often than not associate to the buggy access point even if the SSID specified for the client to connect to does not match that of the buggy access point.  For example, if I have 1 buggy 802.11 client within range of 1 buggy access point with SSID buggy and 1 properly behaving access point with SSID compliant, if I instruct the buggy client to connect to compliant, it will (depending on certain factors) most likely end up associating to buggy, even though the client was explicitly told to connect to compliant.  Thus the use of the term "hijack."  The association attempt has been "intercepted" by the one access point even though it was not intended for it.

Furthermore, if an SSID is specified in a buggy client for an SSID that does not exist, it will associate to the buggy AP, which doesn't just merely hijack connections to valid APs, but ALL association attempts regardless of their validity.

Why is this a Problem?

I hope that the reasons why this is a problem are fairly clear.  When this bug is in effect, if someone has multiple APs (either all buggy or a combination of buggy and non-buggy), there is no guarantee that you will connect to the one that you want to connect to.  This is a nuisance, especially if the one that you want to connect to (but didn't, because the association was hijacked by the other AP) is the logical choice given each AP's distance from the client.

This bug is more than just a mere nuisance for WISPs (wireless ISPs), though.  If the WISP's own 802.11 access points that their customers associate to are not buggy and fully compliant with the spec, but a neighbor between the customer and their shot to the WISP's tower is running one of these broken access points, the customer's connection to their ISP could be hijacked by this neighbor's AP if the signal is strong enough.  We here at First Step Internet have now had to deal with this problem on more than one occasion, and it is quickly becoming old both for us as well as for our customers.  In order to work around the problem for the customers that have encountered this problem, we've had to replace gear and in some cases even go with a non-802.11 solution.

This scenario should never be allowed to occur.  The fact that it does indicates that something is quite obviously broken.  If you specify an SSID to connect to, the only time that an association should occur is if there is an access point in your vicinity that is programmed to answer to that SSID.  The client should not associate to an access point with an SSID other than the one that was specified, and if there is no access point around that answers to that SSID, then the client should not associate to anything, period.

Association Hijacking in the Spotlight

I've been trying to germinate some discussion about this issue on a couple different public forums.  Here are some links to places where this issue has received some attention:

Known Broken Devices

The following APs/routers and wireless clients have demonstrated this problem in tests as well as in the field.  I will continue to maintain this list and provide you with updates as I discover how the manufacturers have been trying to deal with fixing the problem.  Please e-mail me if you run across a device that should be added to this list or if you have further information about one of the devices already listed here:

Broken Routers that Hijack Associations

Broken Clients that are Vulnerable to Hijackings

Netgear

News:

10/29/04 - I e-mailed my Tier 2 contact at Netgear, asking him to re-open my trouble ticket and pass on the URL of this website to engineering.

The WGR614 v4 wireless router is an 802.11g/b access point, router, and ethernet switch whose wireless functionality is based off of the Marvell Libertas chipset.  Interestingly, one of the Tranzeo guys that I have been communicating with mentioned to me first that "there is a register in the Marvell chipset that can create this behavior."  After he told me this, I did some research to find out which chipset was being used inside this particular model of Netgear router, and sure enough, what do I find but that the Libertas is being used in this very same revision of the WGR614.  Presumably, if it is just a single register that needs to be set, Netgear could theoretically fix this behavior in their firmware pretty easily.  It does disturb me to hear, though, that Marvell included such an exploit in their chipset and labelled it as a "feature."  If I were to hazard a guess, it would be that the default action of the Libertas chipset when working as an AP is to have this "feature" enabled unless that register is initialized with a specific value meant to disable it.

As of 10/07/04, I have opened a trouble ticket with Netgear Support about this very issue.  My ticket number is 1008121.  For the most part, I can report that the Netgear support personnel have been pleasant enough to deal with; I was especially pleased with the quickness and courteousness of the response that I did get from a Level 2 representative so shortly after filing the bug with them.  However, on the negative side, I have not heard much from them after my case was escalated to engineering, and have been given no ETA as to when I can expect the problem to be resolved.  I am still optimistic, though, based on my experiences thus far with Netgear Support, that they will eventually manage to come up with a solution.

Linksys

News:

11/02/04 - I sent Linksys a bug report and the URL to this site through their web site's technical support request form.

The Linksys WAP11 v2.8 wireless access point is an 802.11b wireless access point and wireless <-> ethernet bridge whose wireless functionality is based off of the ADMtek ADM8638 chipset.  We first discovered that WAP11s have this great "feature" after it did this in the field to a customer of ours; in fact, this was our very first exposure to the problem at all.  After we ran across it and decided to try and replicate the problem internally, we found that we had 2 WAP11s at our disposal for testing, a v2.2 and a v2.8, and the 2.2 did NOT hijack the Hermes and Prism clients, and I believe that the 2.2 is based on Atmel.  (You cannot identify a v2.8 WAP11 by a version number on the packaging...the v2.8 has a Cisco logo on it and is labelled "Wireless-B Access Point" rather than "Instant Wireless Access Point".)  I currently know next-to-nothing about the ADMtek chipset and whether its hijacking actions would be considered a bug by its manufacturer or a "feature" much like the Marvell, but it does show nearly the exact same symptoms as the Netgear product does.

I have not yet opened up a trouble ticket with Linksys, so I cannot comment on their support mechanism or willingness to help yet, but I will be doing so shortly.

Just yesterday (10/28/04), I also encountered another Linksys product that hijacks 802.11 connections.  I'm not sure what exact model it was.  The only information that I have at this time is that it hijacked my connection while I was trying to troubleshoot one of our own access points, that its MAC began with 00:0F:66 (Cisco-Linksys), and that the access point identified itself to me as "Marvell" (this is the AP name, not the SSID).  Marvell...Hmmmmm...

D-Link

News:

Nothing to report thus far!

We don't really have much to report on the D-Link front, except that we know at least some D-Links do it, and we know this because when we look at the BSSID that devices which have been hijacked are reporting themselves as being associated to, we see a MAC address that begins with 00:0F:3D, and when we look that up in the OUI Database, we see that the manufacturer of said device is D-Link.

I will not be opening up a trouble ticket with D-Link on this issue yet until I can determine exactly which models of their devices have this defect in order to be fair to their support department. :-)

Prism

News:

11/06/04 - Updating your Prism card's firmware.

The Prism chipset, previously owned by Intersil and now owned by Conexant (yes, that Conexant...the former Rockwell, manufacturer of modem chipsets) is a nice, stable, widely-used and well-proven 802.11 chipset that multiple manufacturers use in their products.  Unlike the more popular host-controlled designs of today (like Atheros), this chipset functions autonomously from the host and its functions are controlled by firmware on the card itself.  (Some Prism 3 cards don't have an EEPROM, but still have RAM that the firmware is loaded into and then executed by the driver during card initialization.)  So I guess that you could call this the "hardware modem" of 802.11 chipsets (in contrast with WinModem-esque designs like Atheros, which, to be fair, does have its advantages...Atheros is more flexible and programmable than firmware-based designs like Prism).

Only certain wireless clients will allow themselves to be hijacked by these access points listed earlier in this document, and the Prism II and 2.5 chipsets are unfortunately among those numbers.  The wireless cards/chipsets are not the only devices at fault, though: the Prism-based cards won't allow themselves to be hijacked by just ANY access points, just by the ones mentioned above, so obviously those access points are doing something non-kosher as well.

The good news is that if you find that your Prism-based card has this bug, you can fix your card yourself immediately because the bug in question has been squashed by the Prism firmware developers in later firmware versions.  I have successfully tested Secondary Station firmware version 1.7.1 for Prism II as well as 1.8.0 for Prism 2.5, and in both cases the card did not allow itself to fall victim to the buggy access points after the firmware was upgraded on the card.  For information and instructions on how you can upgrade your card's firmware, I recommend visiting Jun Sun's page on flashing Prism chipsets.

Hermes

News:

11/11/04 - The latest news from my Agere contact is that they "can not spend time looking into legacy versions of Hermes1 firmware for this issue," meaning that they are not willing to release a version of the fix that does not require a tertiary firmware download to use.  Naturally, this comes as disappointing news to me, as I am sure it also is to you; I was hoping that they would recognize this as the serious problem that it is and take ownership of the issue.  This considerably decreases our confidence in Agere and in their products or products based on their technology, which we can no longer in good conscience recommend any longer.

11/05/04 - A (partial) fix is available!  I discovered something interesting last night: multi-vendor drivers from Agere which are newer than any drivers that Proxim has up for download on their web site.  Even better, these drivers have embedded in them a Variant 2 (RAM-downloadable/"tertiary") station firmware revision that actually fixes this bug!  The version number of this firmware (9.42) suggests that it is quite a bit newer than the last official Variant 1 (flashable/"secondary") station firmware released by Agere, 8.72 (which is also the same Variant 2 version embedded in Proxim's "newest" drivers available from their site).  Those of you who need to merely have the "hijacking" bug fixed on their Windows-based platform should upgrade to these drivers (and don't forget the new Client Manager, too).  Those of you, though, who are using their ORiNOCO cards in non-PC devices (such as YDI's EtherAnts) will have to wait until Agere and/or Proxim releases a flash updater that can permanently flash this new firmware on the card.  The RAM-downloadable Hermes 2 firmware was also updated from 1.24 to 1.64 and, just like the newer Hermes 1 firmware, fixes the bug for the Hermes 2 chipset.

11/04/04 - I've been exchanging e-mail with one of the engineers over at Agere.  Once I know something more, I'll update the site.

11/03/04 - I have not heard word one from Proxim support ever since my last attempt to contact them.  However, thanks to a new friend I made on the broadbandreports.com forums, there may be some promising developments brewing over at Agere.  I'll update this section once I know something more definitive.

10/29/04 - I e-mailed Proxim support again asking them to re-open my trouble ticket and to consult this web site for details on how to reproduce the bug.

The Hermes chipset, as it is commonly called, officially goes by the WaveLAN moniker in Agere's marketing literature.  Or, at least it used to.  I just received word from Agere that they expect to have completed their exodus from the Wi-Fi market within a year or so.  I was under the impression that Agere would hold on to the chip fabrication end of things when Proxim took over the ORiNOCO line, but apparently the whole business, chipsets and branding and all, was sold completely over to Proxim.

Hermes is a bit unusual in that for the majority of its life, Lucent/Agere produced the chipset as well as the products that were based on it (the ORiNOCO line of products) rather than reselling the chipset parts to other manufacturers.  The Hermes design is very similar to the Prism design; in fact, they share a common heritage (along with Symbol and Aironet), which could explain why they both have this bug.  There are two versions of this chipset, commonly referred to as Hermes I and Hermes II (there is also another "variant" called Ruby, but I've not been able to find much information on exactly what Ruby is; my impression is that it is merely a small revision of Hermes I, but people with more information should feel free to contact me about it).  Some (read: YDI) believe that Hermes II does not have the bug that makes it vulnerable to the hijacking, but I am the unfortunate owner of a Hermes II-based PCMCIA card (a Proxim-labelled ORiNOCO 802.11b "Silver" PCMCIA card, Proxim model 8421-WD/Agere model 0110-PC, FCC ID: IMRPC2411B), and I can tell you matter-of-factly that it does indeed allow itself to be hijacked by the routers listed on this page.

Agere has apparently told YDI in the past that they feel that "the AP is to blame and that 'but for' the AP improperly responding, there would not be an issue."  My tests show otherwise.  Furthermore, Agere has been silent on the issue in my own dealings with them; since they are exiting the market and are no longer actively selling the chips, I guess they feel that they have no responsibility to fix the issue.  I did manage to open up a trouble ticket with Proxim on 10/20/04 and was assigned ticket number 041020-000106.  This ticket was promptly closed by Proxim earlier this week when they claimed that they could not reproduce the problem.  I will be re-opening the ticket and submitting the results of my own tests to them for their examination.  Whether or not Proxim has the ability to do anything about it (unless they really did take over all of Agere's Wi-Fi engineers and are fabbing the chips themselves now) remains to be seen.

Detailed Examination of the Problem

In order to figure out just what the heck is going on between these cards and these access points, and in order to determine whose fault it is, I set up a testing environment that allowed me to confirm the presence of the bug and watch what was happening on a layer 2 level.  What follows is a description of the tests that I ran and a brief analysis of what the problem appears to be.

Here are the conditions under which these tests were conducted:

  1. Six 802.11 devices were involved:

    1. A Tranzeo TR-2118 containing a Prism 2.5 card (a Zcomax XI-325) which was flashed to the 1.8.0 secondary/station firmware.  I configured this device to act as an access point and used it as my test "good AP."  The SSID was set to eagletest.
    2. An IBM ThinkPad 770 running Slackware Linux and containing a Prism 2.5 card (a Zcomax XI-325HP/SMC EliteConnect 2532W-B) which was flashed to the 1.8.0 secondary/station firmware.  I used this computer to run Kismet in order to monitor the transmissions between the client and the APs.
    3. An IBM ThinkPad 600 running Windows 2000 and containing a Lucent ORiNOCO Silver "Hermes I"-based card (model PC24E-H-FC, FCC ID: IMRWLPCE24H) which was flashed to the latest publicly available version of the Hermes I firmware from Proxim's web site, version 8.72.  I used this computer as my test "buggy client."
    4. A Tranzeo TR-CPE containing an Atmel 802.11b chipset and Tranzeo's 2.0 Single MAC firmware revision for the TR-CPE.  I used this CPE as my test "good client."
    5. A Netgear WGR614 v4 wireless router running the latest posted firmware on Netgear's website.  The SSID was set to NETGEAR.
    6. A Linksys WAP11 v2.8 wireless access point running the latest posted firmware on Linksys's web site.  The SSID was set to linksys.

  2. The two broken APs (the Netgear and the Linksys) were never run simultaneously.  The purpose of testing the Netgear out was to see what exacty was going on between the Netgear and the client.  The purpose of testing out the Linksys was to compare what it was doing to what the Netgear was doing.

  3. No WEP or WPA was used during the course of these tests.

  4. As I noted above in the equipment list, I used Kismet under Linux to snoop in on the conversation between the card and the various APs.

  5. The tests were conducted in an area where little other organized activity in the 2.4GHz band could be observed.  A couple faint signals from other 802.11 access points nearby could be picked up every now and then, but they did not seem to be causing the the test client any difficulties (no hijacking).  I had Kismet filter them out/ignore them so that only the devices that I was testing show up in the logs.

  6. I discovered that the way Kismet tries to cover the entire spectrum that 802.11b is allowed to broadcast on is by rapidly changing the channel a number of times per second on the card that is being used as the monitoring device.  This is done because the card apparently is not able to listen in on all channels simultaneously.  Because of this, I noticed that, in the first few logs that I generated using Kismet, stages of the association process that I would expect to see were sometimes missing; this is because Kismet had changed the channel either before the process had finished, or only stumbled across my test gear's transmissions after it was halfway through the process.  In order to ensure that Kismet captured every packet and that I didn't lose any, I was forced to set all of the APs that I was testing to broadcast on the same channel (I picked channel 3) and then turn off channel hopping in Kismet, telling it instead to stay on channel 3 at all times.  Please note, though, that just because all of the APs were broadcasting on the same channel did not make the hijacking more or less likely.  The defective APs are not hijacking because they are on the same channel;  the symptoms of hijacking show up independent of channel or SSID settings.

  7. In the room that I performed these tests in, I had my two laptops (the Kismet station and the "buggy client") and the TR-CPE situated all in a row on a desk which was roughly in the middle of the room.  I placed the Tranzeo access point behind me and the two buggy APs (the Netgear and Linksys) in front of me.  The Netgear and Linksys were roughly the same distance from the desk containing the clients and Kismet monitor as the Tranzeo was from them.  Note, though, that the Tranzeo's wireless card was connected to an 18dB panel antenna which was pointed roughly toward the desk while the two consumer APs were left with their default antenna(s).

  8. You may notice, if you review the logs carefully, that when I set up the test client to associate to the "good" access point eagletest, neither the Netgear nor Linksys successfully hijacked the connection.  The reason(s) why it sometimes may happen and sometimes may not will become clearer as you continue to read, but the reason why I suspect that I was unable to get the Netgear or Linksys to hijack the association to the Tranzeo AP in this case may perhaps be because the client "heard," received, and accepted the Tranzeo's answer first before it received the response either from the Netgear or the Linksys.  This may be because, although I tried to make sure the distance between the various access points and the client was roughly the same, the Tranzeo possibly had a distance advantage, or it could also be because of the beefier antenna attached to the Tranzeo.  Note, though, that I have seen Netgear and Linksys devices hijack connections outside of the lab on numerous different occasions.  Usually when this happens, the buggy AP is closer in proximity to the client than the good AP.  ALSO note that these tests show that if the "buggy client" tries to associate to an SSID that no other access point in the vicinity are programmed to respond to, the Netgear and Linksys access points manage to hijack those association attempts.  The behavior of both the buggy client and buggy APs is the same in both cases, as you will see; it just so happened that in this particular batch of tests, the "luck of the draw" favored the Tranzeo.

I produced four dumpfiles with Kismet aiming to show how different clients and access points interact with each other during the association process.  You may download them here:

    1. Kismet dumpfile #1: 802.11 management frames between an ORiNOCO/Hermes client and a non-buggy AP (Prism 2.5 w/ tertiary AP firmware)
    2. Kismet dumpfile #2: 802.11 management frames between an ORiNOCO/Hermes client and a buggy AP (Marvell Libertas/Netgear)
    3. Kismet dumpfile #3: 802.11 management frames between an Atmel chipset-based client and a buggy AP (Marvell Libertas/Netgear)
    4. Kismet dumpfile #4: 802.11 management frames between an ORiNOCO/Hermes client and a buggy AP (ADMtek ADM8638/Linksys)

I haven't yet tried to test a pre-bugfix Prism firmware in place of the ORiNOCO.  Results, I'm guessing, would be very similar if not the same.

Analysis of the Dumps

In order to view these dumpfiles, I highly recommend the free Ethereal network protocol analyzer.  Kismet logged all 802.11 management frames between the client and the APs including all of the Beacon frames, but because of their sheer numbers, you may find it difficult to wade through them all in order to get a "big picture" sense of what the log files are showing.  In Ethereal, you can filter out the Beacons by using the filter expression "not wlan_mgt.fixed.beacon"  Please note, though, that when you do this, you will also end up filtering out all of the Probe Response frames as well; presumably Ethereal does this because a Probe Response packet is essentially a unicast Beacon frame.  You will need to be able to view these Probe Response frames, because they are key to what is happening between the buggy clients and the buggy APs, so you will not want to have the Beacon filters engaged all the time.

  1. In the first test, I kept both the Netgear and Linksys routers powered off and had the buggy client try to connect to the Tranzeo AP in order to see what the process should look like.  I initiated a connection to eagletest both at the start and the end of the logfile.  In the middle, you will see that I tried to connect to an SSID entitled eagleray, but since there were no access points in the area that respond to that SSID, and since no access points in the area were hijacking access points, no association was made.  Notice the order in which the process happens (note that this is an open authentication example, and no WEP is being used):

    Steps to 802.11 Association
    Action
    		 Expected Result
    1. APs send out beacons.
    		 1. Clients become aware of AP.
    2. Client sends out Probe Request frame.
    		 2. AP receives Probe and prepares appropriate response.
    3. AP sends out Probe Response frame.
    		 3. Client receives answer from AP.
    4. Client sends out Authentication frame.
    		 4. AP receives request and prepares appropriate response.
    5. AP sends out Authentication frame.
    		 5. Client receives acceptance or denial for authentication.
    6. Client sends out Association Request frame.
    		 6. AP receives request and prepares appropriate response.
    7. AP sends out Association Response frame.
    		 7. Client has completed the association process to the AP.

    Also note that when the client tries to associate to the non-existant eagleray SSID, the client doesn't get any responses back from anybody because none of the APs within its range recognize that SSID as belonging to them.  This is the correct behavior: no AP should send a Probe Response packet unless the Probe Request that it heard contained its SSID.

  2. For the second test, I lit up the Netgear WGR614 v4.  I then attempted associations both to the Tranzeo with the eagletest SSID as well as to the non-existant eagleray SSID.  Looking at this log, the problem comes into focus more clearly.  Notice that the Netgear is sending out a Probe Response to EVERY Probe Request generated by ANY client even if the Probe Request did not contain its SSID or the broadcast SSID, which is not proper behavior.  Also notice that it doesn't appear that the Netgear is trying to be sneaky about anything, either, since the Probe Response that it sends actually contains the Netgear's real SSID; it isn't "spoofing" the SSID in its response that it should have been looking for in the Probe Request frame.  It seems that the Netgear is being "SSID agnostic" when it comes to Probe frames.

    Also notice, though, that the Netgear is not the only device at fault here.  When you examine the Probe Response frames from the Netgear, you can clearly see that they contain the Netgear's SSID, which is not the SSID that I asked the ORiNOCO client to connect to, and is not the SSID contained in the ORiNOCO's original Probe Request frame.  And yet the ORiNOCO still associates to it!!  From this, we can conclude that the ORiNOCO/Hermes cards accept the FIRST Probe Response that they get from ANY AP, even if the SSID in the response does not match the one in the request that it sent out!  It need hardly be pointed out that this is not proper behavior, either.

  3. For the third test, I decided to try a client other than either an ORiNOCO/Hermes or a Prism with old, buggy firmware in order to compare results and see if my reading of these logs is correct.  The TR-CPE uses an Atmel 11b chipset.  (Please note that a little ways into the dump, you will see the client MAC address change from one thing to another; that is because the TR-CPE I was using had the old firmware on it that clones the MAC address of the device on its LAN side instead of using MAC-NAT like later "multi-MAC" firmware versions do.  I did not realize this until after I had already completed all of the packet captures and was sitting down to analyze them.  It didn't prove to be a problem at all, it just proved to be initially confusing until I realized what had happened.)  As you can see from the dumpfiles, I tried to connect both to eagletest as well as to the non-existant eagleray.  I connected to eagletest just fine, and when I tried to connect to eagleray, the TR-CPE didn't associate to anything.  This is proper behavior.  Please also note that the Netgear was powered on the entire time and dutifully sent out a response to each and every Probe Request that the TR-CPE sent out, and even so, the CPE was never duped into associating to it.  It actually looked at the contents of the response packets and ignored ones that did not contain the right SSID, just as it should have.

  4. For the fourth and final test, I swapped the Netgear out for the Linksys WAP11 v2.8 access point.  In short, it appears to be doing exactly the same thing as the Netgear, except that, interestingly, it does look at first glance like it sends out these incorrect Probe Responses perhaps a bit less frequently than the Netgear does.  Still, this is incorrect behavior.

Conclusion

It appears to me, after looking at the logs, that both devices are at fault here: the AP for answering all probe requests and the client for accepting any probe responses.  My conclusions here seem to be in line with the conclusions that YDI themselves reached as detailed in this post to the isp-wireless mailing list (which I also referenced earlier).  The unfortunate combination of the two (buggy AP and buggy client) ensures that in a good many cases, the client won't talk to anything other than that AP if that AP is present.  My guess is that the client is only being discriminatory about Probe Responses that it accepts based on the destination MAC address; remember that Probe Responses are just unicast versions of Beacon frames, so the ORiNOCO/Hermes and old Prism cards are just assuming that since the Probe Response was sent specifically to them that it must have been from the AP it probed for, and thus they do not bother to look at the SSID listed in the contents of the Response packet until after they have already accepted it and it comes time to make the association request.

Please send me questions/comments/corrections/updates!

--
Nathan Anderson
First Step Internet, Inc.
nathana@fsr.com

(Last updated 11/11/04)

This page has been viewed times since 10/29/04