Wireless Insecurity Utz Roedig University College Cork, Ireland, utz@cs.ucc.ie

Wireless Insecurity

Utz Roedig

University College Cork, Ireland, utz@cs.ucc.ie

Knowledge Business Centre

Overview

Introduction

Using wireless networks
  • Application scenarios
  • Basic functionality and security mechanisms

Attacking wireless networks
  • Targets and goals
  • Methods and examples

How to protect wireless networks
  • Basics: WEP, MAC filter, …
  • Network separation and security policy

Summary

Introduction

Why use wireless networks?
  • Give users some flexibility and freedom
  • Reduce network cost

Available solutions
  • Wi-Fi (IEEE 802.11)
  • HomeRF, Bluetooth, …

Terminology

WLAN
  • Wireless Local Area Network

Wi-Fi
  • Catchier than 'IEEE 802.11b direct sequence'
  • A marketing name for products based on 802.11

802.11
  • Specification of PHY and MAC layer
  • a/g/n: different modulations and data rates

WEP
  • Wired Equivalent Privacy (Ha!, we will see)

WPA
  • Wi-Fi Protected Access (WPA and WPA2)

Application Scenario

Standard company network
  • Servers: data and services
  • Workstations: laptop, PC, (PDA)
  • Router: internet connection

Application Scenario

Wireless company network
  • Servers: data and services
  • Workstations: laptop, PC, (PDA)
  • Router: internet connection, wireless network connection

Application Scenario

Wireless company network insecurity
  • Servers: data and services
  • Workstations: laptop, PC, (PDA)
  • Router: internet connection, wireless network connection

802.11 - Basics

Physical layer (PHY)

Defines coding and modulation

Operates in the 2.4 - 2.8 GHz band

Medium Access Control layer (MAC)

Organizes access to the shared medium

Uses carrier sense multiple access with collision avoidance

All nodes in the vicinity have to participate in PHY/MAC

Denial of service (DOS) is very simple!

PHY: signal jamming

MAC: misbehaving node

802.11 - MAC

Problem scope
  • If everyone talks at the same time, I cannot understand you
  • A protocol is needed to organize who is talking when

Predefinition
  • Everyone talks using packets
  • Everyone uses a number (MAC address) so we know who is talking

Packet transmission (logical)
  • A node first listens to ensure no other node is transmitting
  • If the channel is clear, the node transmits the packet
  • Otherwise, the node chooses a random back-off time and tries again

Packet transmission (technical, RTS/CTS mechanism)
  • Snd: ready-to-send (RTS)
  • Rcv: clear-to-send (CTS)
  • Snd: data transmission (DATA)
  • Rcv: acknowledgement (ACK)

Hardware and Operation

Wireless Network Card
  • Provides access to the 802.11 network

Access point
  • Provides bridge functionality
      • Between 802.11 and the fixed network
  • Provides additional functionality
      • Security: Firewall, Network Address Translation (NAT), …
      • Network: DHCP, DNS, WWW cache, …

Mode of operation
  • Infrastructure mode
      • All traffic passes through the access points
  • Ad-hoc mode
      • All computers talk directly to each other

Network Structure

Basic Service Set (BSS)
  • Stations form a BSS

Distribution System (DS)
  • A DS interconnects the BSSs

Extended Service Set (ESS)
  • The BSSs together form an ESS

Handover requirements
  • Station type
      • Mobile
      • Portable
  • Roaming type
      • Within ESS: PHY/MAC handover
      • Between different ESS: PHY/MAC and network layer handover

802.11 - Security

WEP
  • Wired Equivalent Privacy
  • One key is shared among all users
  • Payload is transmitted encrypted
      • Content is secured, not the communication itself!

WPA
  • Wi-Fi Protected Access
  • Each user can be separately authenticated
  • Session keys are derived/negotiated and periodically changed
  • Payload is transmitted encrypted

WPA-2
  • Wi-Fi Protected Access version 2
  • Similar to WPA, updated cryptographic methods

Attacker - Goals

Denial of Service (DoS)
  • Deny the use of the wireless network
  • Deny the use of the complete company network
  • Deny the use of services

Unauthorized infrastructure use
  • Use of the internet access
  • Use of services (e.g. WWW)

Information theft
  • Access file servers
  • Access database servers

What now?

Attacker - Steps

Step 1 (PHY)
  • Laptop with WLAN card
  • Get close enough (e.g. next door, car park, …)
  • Get WLAN access
      • Modulation, channel, …
      • ESS ID

Step 2 (MAC)
  • Join the (wireless) network
  • Bypass MAC filters, … if necessary
  • Bypass WEP if necessary

Step 3 (Network, Services)
  • Attack the services as usual

Attacker - Step 1

Selection of modulation, channel, …
  • Handled by the NIC

Case I: Unprotected (out-of-the-box)
  • Attacker selects the company network
      • Selection by ESS ID
  • Attacker joins the network

Case II: Hidden ESS ID
  • Attacker uses a scanner (e.g. aireplay)
  • Attacker obtains the ESS ID
  • Now it is Case I

Attacker - Step 2

Case I: MAC filter in place
  • Attacker starts a program scanning the air for a while (e.g. kismet)
  • Attacker changes his MAC into an accepted MAC (e.g. ifconfig)
  • Attacker joins the network

Case II: WEP security in place
  • Attacker uses a scanner (e.g. kismet)
  • After ESS ID and channel are known, packets are captured (e.g. airodump)
      • For a 64-bit WEP key, between about 50000 and 20000 packets
      • For 128 bits, between 200000 and 700000
  • Crack the key (e.g. aircrack)
  • Attacker joins the network

Attacker - Step 2

Case III: WPA-PSK security in place
  • Force an authentication handshake (e.g. aireplay)
  • Collect the handshake packets (e.g. airodump)
  • Dictionary Brute Force (e.g. aircrack)
  • Attacker joins the network

Possible problems
  • No traffic
  • WPA using RADIUS
  • Additional security mechanisms (Firewall, Proxy, …)

Attacker - Step 3

The attacker is now in the network
  • Virtually sitting with his laptop at your desk!
  • What will he do?

Using your bandwidth and ID to access the Internet
  • Possible lawsuit (download or offer illegal content)
  • Possible cost (if charged per MB)
  • …

Using your servers
  • Free storage space (with backup!)
  • Free web servers
  • Free …

Stealing your data/information!

DOS (maybe by accident)

Defender - Goals & Steps

Keep the attacker out!
  • Step 1: Secure the wireless network (if possible!)
  • Step 2: Secure the core network
      • In case the attacker somehow gets into the wireless network
  • Step 3: Define rules of operation
      • Logging, monitoring, key management, emergency plans, …

What now?

Defender - Step 1

Even if security mechanisms are flawed, use them!
  • Most hackers/attackers will choose the easy victim
  • Use several layers of protection

Useful security mechanisms
  • Use WPA with RADIUS if possible
  • If WEP/WPA-PSK is used, change keys frequently
  • Use MAC filtering

Summary
  • The wireless network cannot be secured!
  • Steps 2 and 3 are needed if a wireless network is used!

Defender - Step 2

Separate the wireless network from the core network
  • Use a firewall between wireless and core network
      • Might be integrated in the base-station
      • Might offer user authentication

Restrict services available from the wireless network
  • Do people have to mount the fileserver from the laptop?
  • Is it necessary to have Internet access from the laptop?

Use higher layer security/encryption
  • Create a VPN (PPTP, L2TP)
  • IPSec
  • Only access services securely
      • Terminal: telnet -> ssh
      • Mail: POP -> IMAP (or Webmail with HTTPS)
      • …

Defender - Step 3

Logging
  • Activity in the network should be recorded
  • Records might be needed to detect an attacker
  • (Records might be needed for forensic analysis)

Monitoring
  • Someone should look periodically at the records!

Maintenance
  • Security needs maintenance!
  • Periodic update of keys
  • Add/Delete users, MAC addresses, update firewall rules, …

Emergency plans
  • What will we do if we detect an attacker?
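
The logging and monitoring steps above, as an added example that is not part of the original slides: a small check over access point association records that flags a MAC address used by two stations at once, which is what a bypassed MAC filter looks like in the records. The log format, AP names, MAC addresses, hostnames and the function name `find_suspect_macs` are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample records (the format is an assumption, not a real AP's log):
# timestamp, access point, event, station MAC, DHCP hostname
SAMPLE_LOG = """\
2024-05-06T09:01:12 ap-floor1 ASSOC 00:11:22:33:44:55 host=alice-laptop
2024-05-06T09:05:40 ap-floor2 ASSOC 66:77:88:99:AA:BB host=bob-pc
2024-05-06T09:30:00 ap-floor2 DISASSOC 66:77:88:99:AA:BB host=bob-pc
2024-05-06T09:40:03 ap-carpark ASSOC 00:11:22:33:44:55 host=unknown-pc
2024-05-06T10:15:00 ap-floor2 ASSOC 66:77:88:99:AA:BB host=bob-pc
2024-05-06T10:20:00 ap-floor1 DISASSOC 00:11:22:33:44:55 host=alice-laptop
"""

def parse(line):
    """Split one record into (time, ap, event, mac, hostname)."""
    ts, ap, event, mac, host = line.split()
    return datetime.fromisoformat(ts), ap, event, mac.lower(), host.split("=", 1)[1]

def find_suspect_macs(log_text):
    """Return (time, mac, reason) alerts for MACs that appear to be shared."""
    active = {}   # mac -> {ap: hostname} for sessions that are still open
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ap, event, mac, host = parse(line)
        sessions = active.setdefault(mac, {})
        if event == "ASSOC":
            for other_ap, other_host in sessions.items():
                if other_ap != ap:   # same MAC already active elsewhere
                    alerts.append((ts, mac, f"concurrent session on {other_ap} and {ap}"))
                if other_host != host:   # same MAC, different client identity
                    alerts.append((ts, mac, f"hostname changed {other_host} -> {host}"))
            sessions[ap] = host
        elif event == "DISASSOC":
            sessions.pop(ap, None)
    return alerts

if __name__ == "__main__":
    for ts, mac, reason in find_suspect_macs(SAMPLE_LOG):
        print(ts.isoformat(), mac, reason)
```

A station that roams between access points without a logged DISASSOC also produces a concurrent-session alert, so the output is a list of leads for the person reviewing the records, not a verdict.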

Summary

Covered topics
  • Basic functionality and application scenarios
  • Attacking wireless networks
  • Securing wireless networks

Conclusions
  • Setting up a wireless network is simple
  • Setting up a secure wireless network is somewhat complicated!

Do you really need a wireless network?