Accessing Public Wi-Fi: Security Issues
Sankar Roy
Department of Computing and Information Sciences
Kansas State University
Acknowledgement
In preparing the presentation slides and the demo, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
• Alex Bardas and Fengguo Wei
What is a public Wi-Fi?
• Provides a wireless access point (AP) via which your laptop or smart phone can connect to the Internet
• Wi-Fi hot spots are available in coffee shops, at airports, on KSU campus, in public libraries, etc.
More about a Public Wi-Fi Hotspot
• Note: Wi-Fi is a particular communication protocol (whose technical name is IEEE 802.11)
• The communication is open in nature, i.e. any computer with an antenna in the region can communicate with the Access Point (AP).
[Diagram labels: AP, modem, Internet]
Some Issues of the Public Wi-Fi
• Wireless communication is essentially a broadcast one
  – A neighboring attacker can sniff (eavesdrop) all the data transmitted
More Issues of the Public Wi-Fi
• Why is no encryption employed in a public Wi-Fi?
  – It will become complex from the admin perspective
  – It will hurt the current “plug and play” feature.
  – Encryption does not help if everybody shares the password
• Why can’t you use a secure Wi-Fi protocol yourself?
  – The network admin has to make the protocol available
  – You (the user) do not have admin access to the AP.
Attack 1: Eavesdrop Communication
• The attacker might be able to mine out secret information (e.g. a user’s emails, password, banking details, etc.) from the sniffed communication.
• Available attack-tools: airPcap, wireshark, driftnet, urlsnarf, etc.
Background Knowledge for Attack 2
• In some portals (e.g. Yahoo mail) the web session after successful login switches back to HTTP. The HTTP session is then authenticated only by a cookie.
• What is a cookie?
  – a login receipt containing the web session ID
  – The server can identify/authenticate the client’s session by the cookie ID
• Problem: client’s cookie can be stolen
  – (example) when the adversary does packet sniffing on the Wi-Fi network where the client’s machine is
• Outcome: the HTTP session can be hijacked (also called sidejacked).
Attack 2: Sidejacking Web Sessions
Now the attacker can impersonate the user, e.g. on LinkedIn or Yahoo email. Attack tools: Firesheep, Droidsheep, etc.
(1) After login, the victim sends requests to the web application using a cookie for authentication.
(2) Because it is sent over HTTP, an adversary can eavesdrop on it and capture the cookie.
(3) The adversary uses this cookie to hijack the victim’s session.
Acknowledgement: One-Time Cookies, GaTech.
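The condition behind this attack, a session cookie that travels over plain HTTP after login, can be checked from the server's responses. The following is an added example, not part of the original slides: it audits a recorded login flow for a session cookie set without the Secure attribute and for a redirect that drops from HTTPS to HTTP. The host mail.example.test, the cookie name SID and both sample flows are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


def audit_flow(responses):
    """responses: list of (request_url, status, [(header, value), ...]).
    Returns (url, finding) pairs that leave the session cookie sniffable."""
    findings = []
    for url, status, headers in responses:
        over_https = urlsplit(url).scheme == "https"
        for name, value in headers:
            key = name.lower()
            if key == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for cookie_name, morsel in jar.items():
                    if not over_https:
                        findings.append((url, f"{cookie_name}: set over plain HTTP"))
                    elif not morsel["secure"]:
                        # Without Secure the browser also sends it on http:// requests.
                        findings.append((url, f"{cookie_name}: no Secure attribute"))
            elif key == "location" and 300 <= status < 400:
                target = urljoin(url, value)  # Location may be relative
                if over_https and urlsplit(target).scheme == "http":
                    findings.append((url, f"redirect downgrades to {target}"))
    return findings


# Constructed sample: login over HTTPS, then the site switches back to HTTP.
WEAK_FLOW = [
    ("https://mail.example.test/login", 302, [
        ("Set-Cookie", "SID=7f3a9c; Path=/; HttpOnly"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
]

# Constructed sample: same login, session kept on HTTPS with a Secure cookie.
HARDENED_FLOW = [
    ("https://mail.example.test/login", 302, [
        ("Set-Cookie", "SID=7f3a9c; Path=/; Secure; HttpOnly"),
        ("Location", "/inbox"),
    ]),
]

if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, audit_flow(flow))
```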
Attack 3: Evil Twin
• It is basically a man-in-the-middle attack.
• It can be launched by tools such as HermesAP and OpenAP.
The attacker node fools the user node into communicating with a fake AP, and hence redirects the traffic through itself.
[Diagram labels: AP, Fake AP]
Firesheep: One Web Session Hijacking Tool
• The attack scenario:
  – an innocent user Alice accesses her Yahoo email or LinkedIn account using a public Wi-Fi at a hotspot (e.g. an airport)
  – a neighboring attacker Mallory (M) uses a Firefox add-on (Firesheep) on a laptop and sniffs the user Alice’s communication
• Firesheep automatically grabs the cookie of each of Alice’s insecure web sessions (i.e. HTTP sessions)
• With the above cookies, Firesheep automatically hijacks Alice’s web sessions
Insecure Web Portal Examples
After login is done, Yahoo email switches to an HTTP connection, i.e. secure (HTTPS) connections are no longer used. Same problem with Facebook if its HTTP version is used.
How Firesheep Add-on Looks on Firefox?
Acknowledgement: Firesheep creator, Eric Butler
Attacker is Browsing Hijacked Sessions
Acknowledgement: Firesheep creator, Mr. Butler
A Demo: Web Session Hijacking
• We will use the attack tool called Droidsheep which runs on an Android tablet.
• The attack scenario:
  – Alice accesses her Yahoo email or LinkedIn account in a public Wi-Fi hotspot
  – a neighboring attacker Mallory (M) is present there with an Android tablet with the Droidsheep tool running.
• Droidsheep automatically grabs the cookie of each of Alice’s insecure web sessions and shows the list of sessions.
• Mallory can now hijack any of Alice’s web sessions just by a simple “tap / click” on the list shown on the tablet screen.
Demonstration
How to Counter the Attacks: the Basic Idea
• The user Alice establishes a secure communication channel with the remote end (R) of the communication (e.g. email server, bank server, etc.)
• The communication between Alice and R is encrypted.
• The attacker Mallory (M) cannot decrypt Alice’s data through sniffing.
• M cannot launch a sidejacking attack; Evil Twin does not have any impact.
[Diagram: a Wi-Fi hotspot with a user and an attacker. Labels: Alice, Mallory, AP, secure comm. channel, R: email server]
Solution 1: Browse Secure Web Only
• We can avoid the above attacks if we access only the HTTPS-enabled web sites (e.g. Gmail but not the Yahoo email)
• Many web portals (e.g. Facebook, Twitter) provide both HTTPS and HTTP options; you have to choose the HTTPS option.
• We discussed how to use HTTPS web browsing in the previous class.
Choose “Secure Browsing” in Facebook
Fortunately, now the default option is HTTPS
Choose “Secure Browsing” in Twitter
Fortunately, now the default option is HTTPS
Solution 2: VPN (Virtual Private Network)
• Alice uses VPN to create a secure “tunnel” between her machine and the remote target (e.g. KSU)
• Alice’s machine needs to have a VPN client; target network also needs to have a VPN server e.g. vpn.net.k-state.edu for KSU
[Diagram: a Wi-Fi hotspot with a user and an attacker M. Labels: Alice, M, AP, Internet, VPN tunnel, S: VPN server, R: target server, the KSU network]
General Scenario: Multiple Target Servers
• Caution: VPN (split mode) does not redirect your communication with all of the servers (e.g. Yahoo email server) through the VPN server.
• In split mode, only the traffic destined to the VPN server’s network will be protected from the attacker M at the public Wi-Fi hotspot.
[Diagram: a Wi-Fi hotspot where user Alice is using split mode VPN. Labels: Alice, M, AP, KSU VPN server, VPN traffic, regular traffic, R1: target server (e.g. KSU email), R2: target server (e.g. Yahoo)]
General Scenario: Multiple Target Servers
• VPN (full mode) redirects your communication with all of the servers (including Yahoo email server) through the VPN server.
• In full mode, all the traffic destined to all the target servers will be protected from the attacker M at the public Wi-Fi hotspot.
[Diagram: a Wi-Fi hotspot where user Alice is using full mode VPN. Labels: Alice, M, AP, KSU VPN server, VPN traffic, R1: target server (e.g. KSU email), R2: target server (e.g. Yahoo), Alice is at KSU]
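The split/full difference comes down to which routes the VPN client installs. The following is an added example, not part of the original slides or the KSU VPN client: it builds each mode's routing table and uses longest-prefix matching to list the destinations whose traffic still crosses the hotspot outside the tunnel. The campus prefix, server addresses and interface names are constructed placeholders (documentation address ranges), not KSU's real values.

```python
import ipaddress

# Constructed placeholders (documentation ranges), not KSU's real addressing.
CAMPUS_NET = "192.0.2.0/24"      # network behind the VPN server
VPN_SERVER = "192.0.2.1"         # public address of the VPN server
DESTINATIONS = {
    "R1 campus email": "192.0.2.25",
    "R2 external webmail": "198.51.100.80",
}


def build_routes(mode):
    """Routes a VPN client would install, as (network, interface) pairs."""
    net = ipaddress.ip_network
    # The encrypted tunnel packets themselves must still leave via Wi-Fi.
    routes = [(net(VPN_SERVER + "/32"), "wifi")]
    if mode == "split":
        # Default route stays on Wi-Fi; only the campus prefix is tunnelled.
        routes += [(net("0.0.0.0/0"), "wifi"), (net(CAMPUS_NET), "tunnel")]
    elif mode == "full":
        # Default route itself points into the tunnel.
        routes += [(net("0.0.0.0/0"), "tunnel")]
    else:
        raise ValueError(f"unknown VPN mode: {mode}")
    return routes


def egress(routes, dest):
    """Longest-prefix match: the interface that carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(n, iface) for n, iface in routes if addr in n]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def outside_tunnel(mode, destinations):
    """Names of destinations whose traffic crosses the hotspot outside the VPN."""
    routes = build_routes(mode)
    return [name for name, ip in destinations.items()
            if egress(routes, ip) == "wifi"]


if __name__ == "__main__":
    for mode in ("split", "full"):
        print(mode, "->", outside_tunnel(mode, DESTINATIONS))
```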
Setting up a VPN connection to KSU
• Install the Cisco VPN client on your machine from the ITS website (www.ksu.edu/its/security/vpn)
• Connect the VPN client with the KSU VPN server by providing your KSU eID and password.
• In both the full and split VPN options
  – VPN tunnel encrypts your traffic between your computer and the VPN server.
  – But, the traffic between the VPN server and the target server will NOT be encrypted, unless you are using SSL-enabled applications.
Installing the KSU VPN Client on Windows
Starting the KSU VPN Client – Part I
Starting the KSU VPN Client – Part II
Running the KSU VPN Client in Split Mode
Running the KSU VPN Client in Full Mode
Installing the KSU VPN Client on Mac
Getting Statistics of the VPN Client on Mac
Managing Common Wi-Fi Settings
• Your laptop (or smartphone) may get connected automatically to a public Wi-Fi network if you have used the same network before
• The above can also happen if you have used a different network with the same name (SSID) before.
• How to avoid: change the default wireless network access policy of your laptop or smartphone
Similar Attacks to a Wired Network?
• Wired Ethernet network can be eavesdropped
  – If it is a network with a “hub”, then it builds a broadcast channel like a Wi-Fi network. So, sniffing is easy
  – If it is a network with a “switch”, then the attacker needs some additional steps before being able to sniff
• So, similar attacks can be launched in a wired network where users access the Internet via Ethernet cables in a public place.
• Note: this even applies to cable Internet connections at home.
Summary
• We discussed common security threats of using a public Wi-Fi hotspot
• We presented a few standard countermeasures to mitigate the risks
• Reminder:
  – the next homework is due before the next class (1pm on February 14)
  – the next class will be held in Room 127