Wireless Communication and Security

WIRELESS NETWORKS AND SECURITY Hakan Tolgay [email protected]

Upload: siber-guevenlik-toplululugu

Post on 16-Jul-2015



Who am I

At Netas since 2008, with experience in

Wireline and wireless telephony networks

VoIP - SIP systems

VoIP platform security for federal and government projects

Interested in

Radio Frequency (RF)

Physical security

HAM Radio Operator (TB2THT)

Agenda

Wireless networks today

IEEE 802.11 – WiFi

IEEE 802.11 technology

Vulnerabilities

EM/RF leaking and TEMPEST

Tools

Wireless Networks Today

Everywhere

Mostly unencrypted

Can be in any form, RF, light or sound

IEEE 802.11

802.11 standard

Uses unlicensed ISM spectrum allocated by regulators

WiFi frequencies: 2.4 GHz, 5 GHz and 60 GHz (60 GHz in 2016, non-IEEE)

ISM Bands for WiFi

ISM (industrial, scientific and medical)

902 - 928 MHz

2.4 - 2.5 GHz

5.725 – 5.875 GHz

All ISM Bands

Low frequency   High frequency   Bandwidth   Center frequency   Availability
6.765 MHz       6.795 MHz        30 kHz      6.780 MHz          Subject to local acceptance
13.553 MHz      13.567 MHz       14 kHz      13.560 MHz         Worldwide
26.957 MHz      27.283 MHz       326 kHz     27.120 MHz         Worldwide
40.660 MHz      40.700 MHz       40 kHz      40.680 MHz         Worldwide
433.050 MHz     434.790 MHz      1.74 MHz    433.920 MHz        Region 1 only and subject to local acceptance (within the amateur radio 70 cm band)
902.000 MHz     928.000 MHz      26 MHz      915.000 MHz        Region 2 only (with some exceptions)
2.400 GHz       2.500 GHz        100 MHz     2.450 GHz          Worldwide
5.725 GHz       5.875 GHz        150 MHz     5.800 GHz          Worldwide
24.000 GHz      24.250 GHz       250 MHz     24.125 GHz         Worldwide
61.000 GHz      61.500 GHz       500 MHz     61.250 GHz         Subject to local acceptance
122.000 GHz     123.000 GHz      1 GHz       122.500 GHz        Subject to local acceptance
244.000 GHz     246.000 GHz      2 GHz       245.000 GHz        Subject to local acceptance

WiFi Legacy

In 1991 AT&T began working on a wireless technology called WaveLAN

Now known as WaveLAN Classic

Operated in 900 MHz Spectrum

Developed in the Netherlands as a technology for wireless cashier systems

Supported data rates of 1 and 2 megabits per second

Wifi Since Then

1997: 802.11-1997 «Legacy» – 1-2 Mbps, now obsolete

1999: 802.11a – 5 GHz, 54 Mbps

Orthogonal Frequency-Division Multiplexing (OFDM)

Shorter signal range, did not penetrate walls as well

«Late to market»

1999: 802.11b – 2.4 GHz, 11 Mbps

Non-OFDM: uses DSSS instead (see the 2.4 GHz channel slide)

Wifi Since Then

2003: 802.11g – 54 Mbps

Best of both worlds: combines 802.11a and 802.11b

Uses 2.4 GHz (from b) and OFDM (from a)

Problems in dense areas, only 3 non-overlapping channels

Adopted early with draft specifications

Wifi «Now»

2009: 802.11n

Theoretical maximum speed of 600 Mbps

Uses both 2.4 and 5 GHz bands

40 MHz wide channels, double that of 802.11g

Backwards compatible with 802.11g

MIMO – Multiple Input Multiple Output

4 channels and 4 antennas

Parallel operation

WiFi «Now»

2012: 802.11ac

Operates only in the 5 GHz band

Extended channel bonding: 80 and 160 MHz

More MIMO streams

Up to 1300 Mbps theoretical speed

WiFi in the Future

2016: 802.11ad

Will operate only at 60 GHz

Transfer rate up to 7 Gbps

WiFi Channels on 2.4 GHz – 802.11b, g, n

802.11b, g and n slice their spectrum into channels

802.11b (DSSS): 22 MHz wide channels

802.11g/n (OFDM): 20 MHz wide channels

5 MHz spacing between adjacent channel centres

Channels 1, 6, 11 and 14 do not overlap

Channel Availability

North America: Channels 1 – 11

Everywhere else: 1 – 13

Japan: Channels 1 - 14
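As an added example (not part of the original slides), here is the channel arithmetic behind the "1, 6, 11 and 14" statement: with the 22 MHz DSSS channels of 802.11b the greedy plan yields exactly those channels per region, while the 20 MHz OFDM channels of 802.11g/n admit the denser 1/5/9/13 plan wherever channel 13 is permitted. The region ranges and the 5 MHz spacing come from the slides; the 2412 MHz and 2484 MHz centre frequencies are the standard values.

```python
# Added example (not from the original slides): the 2.4 GHz channel plan for
# 802.11b/g/n. Centre frequencies are 2412 MHz + 5 MHz per channel for channels
# 1-13; channel 14 sits apart at 2484 MHz. Widths follow the slide: 22 MHz for
# 802.11b (DSSS), 20 MHz for 802.11g/n (OFDM). Region ranges follow the slide too.

CHANNEL_WIDTH_MHZ = {"b": 22, "g": 20, "n": 20}
REGION_CHANNELS = {
    "north_america": range(1, 12),   # channels 1-11
    "europe": range(1, 14),          # channels 1-13 ("everywhere else")
    "japan": range(1, 15),           # channels 1-14
}


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    if channel == 14:
        return 2484
    raise ValueError(f"no 2.4 GHz channel {channel}")


def channel_edges_mhz(channel: int, mode: str = "b"):
    """(lower, upper) edge of the occupied band for the given PHY mode."""
    half = CHANNEL_WIDTH_MHZ[mode] / 2
    centre = center_frequency_mhz(channel)
    return centre - half, centre + half


def channels_overlap(a: int, b: int, mode: str = "b") -> bool:
    """True when the two channels' occupied bands share any spectrum."""
    lo_a, hi_a = channel_edges_mhz(a, mode)
    lo_b, hi_b = channel_edges_mhz(b, mode)
    return lo_a < hi_b and lo_b < hi_a


def non_overlapping_set(region: str, mode: str = "b") -> list:
    """Greedy plan: walk the region's channels, lowest first, and keep each
    channel that overlaps none of the channels already chosen."""
    chosen = []
    for ch in REGION_CHANNELS[region]:
        if all(not channels_overlap(ch, c, mode) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for region in REGION_CHANNELS:
        print(region, "802.11b:", non_overlapping_set(region, "b"),
              "802.11g/n:", non_overlapping_set(region, "g"))
```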

WiFi Channels on 5 GHz – 802.11a, n, ac

All channels are non-overlapping

802.11a, n: 20/40 MHz wide channels

802.11ac: 20/40/80/160 MHz wide channels

Use of TDWR (Terminal Doppler Weather Radar) channels is prohibited by regulators

WiFi Channels on 60 GHz – 802.11ad

The maximum bit-rate of a wireless channel is limited by its bandwidth.

83.5 MHz of spectrum in the 2.4 GHz band

0.55 GHz of spectrum in the 5 GHz band

7 GHz of spectrum in the 60 GHz band

4 channels in total, each 2.16 GHz wide

Modes of WiFi

Master – Access Point or Base Station

Managed – Infrastructure Mode (client)

Ad-hoc – peer-to-peer

Mesh – Mesh cloud (planned ad-hoc)

Repeater

Monitor (promiscuous) - (DEMO)

Modes and capabilities of WiFi NICs

Not all WiFi NICs are the same – DEMO

TX power

Limited by each country's laws/regulations

In Europe:

17 dBm (50 mW) TX power

Max equivalent isotropically radiated power (EIRP) 20 dBm (100 mW)

Regulatory settings can be changed via kernel modification

You can also move your country setting to one with better regulations – DEMO
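The dBm/mW arithmetic behind the two European figures on the slide, as an added example that is not part of the original deck: the conducted power limit and the EIRP limit are separate, and a high-gain antenna can exceed the EIRP limit while the radio itself stays at or below 17 dBm. The antenna gains and cable losses used are constructed values.

```python
# Added example (not from the original slides): dBm/mW conversion and an EIRP
# compliance check against the European limits quoted on the slide
# (17 dBm / 50 mW conducted TX power, 20 dBm / 100 mW EIRP). Antenna gain and
# cable loss are the usual extra terms; the figures used below are constructed.
import math

EU_TX_POWER_LIMIT_DBM = 17.0   # conducted power, as on the slide
EU_EIRP_LIMIT_DBM = 20.0       # radiated power, as on the slide


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)


def eirp_dbm(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """EIRP = conducted power + antenna gain - feed-line loss (all in dB terms)."""
    return tx_power_dbm + antenna_gain_dbi - cable_loss_db


def max_tx_power_dbm(antenna_gain_dbi: float, cable_loss_db: float = 0.0,
                     eirp_limit_dbm: float = EU_EIRP_LIMIT_DBM) -> float:
    """Highest conducted power that keeps EIRP at or under the limit."""
    return eirp_limit_dbm - antenna_gain_dbi + cable_loss_db


def check_eu(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> dict:
    """Report both limits: a high-gain antenna can break the EIRP limit even
    when the radio itself stays under the 17 dBm conducted limit."""
    eirp = eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db)
    return {
        "eirp_dbm": eirp,
        "eirp_mw": round(dbm_to_mw(eirp), 1),
        "tx_ok": tx_power_dbm <= EU_TX_POWER_LIMIT_DBM,
        "eirp_ok": eirp <= EU_EIRP_LIMIT_DBM,
        "max_tx_power_dbm": max_tx_power_dbm(antenna_gain_dbi, cable_loss_db),
    }


if __name__ == "__main__":
    # Constructed scenario: a stock 3 dBi antenna vs. a 9 dBi directional antenna.
    print(check_eu(17, 3))   # 20 dBm EIRP: both limits met
    print(check_eu(17, 9))   # 26 dBm EIRP: radio is within limits, installation is not
```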

WiFi Frames

There are 3 main types of 802.11 frames

Control Frames

Management Frames

Data Frames

Control Frames

Acknowledgement (ACK)

Request to Send (RTS) frame

Clear to Send (CTS) frame

Management Frames

Beacons

Probes

Authentication frames

Association frames

Beacons

DEMO

SSID flood attack – DEMO

Probes

Authentication Frames

Authentication

Deauthentication – DEMO
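As an added example (not from the original slides), the frame classification a wireless IDS performs on the frame types listed above, with a counter that flags a transmitter sending many deauthentication frames, which is what the deauthentication demo looks like from the defender's side. The MAC addresses, SSID and frames are constructed in memory; the frame layout (2-byte Frame Control, 24-byte management header, 16-bit reason code) is the standard 802.11 format.

```python
# Added example (not from the original slides): classify 802.11 frames from the
# Frame Control byte and count deauth frames per transmitter, a wireless-IDS
# check for the deauthentication demo. Frames are constructed; nothing is sent.
import struct
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 11: "auth", 12: "deauth"}
CTRL_SUBTYPES = {11: "rts", 12: "cts", 13: "ack"}
AP, CLIENT, BCAST = bytes.fromhex("02ca11ab0001"), bytes.fromhex("02ca11ab0002"), b"\xff" * 6

def parse_frame_control(frame: bytes) -> tuple:
    """First FC byte: bits 0-1 protocol version, 2-3 type, 4-7 subtype."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES}.get(ftype, {})
    return TYPE_NAMES.get(ftype, "reserved"), names.get(subtype, f"subtype-{subtype}")

def parse_management(frame: bytes):
    """Header: FC(2) dur(2) addr1=receiver addr2=transmitter addr3=BSSID seq(2); body at 24."""
    ftype, name = parse_frame_control(frame)
    if ftype != "management" or len(frame) < 24:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    info = {"subtype": name, "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22])}
    if name == "deauth" and len(frame) >= 26:   # body is a 16-bit LE reason code
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info

def deauth_flood_sources(frames, threshold: int = 5) -> dict:
    """Transmitters that sent more than `threshold` deauth frames in the capture."""
    counts = Counter()
    for frame in frames:
        parsed = parse_management(frame)
        if parsed and parsed["subtype"] == "deauth":
            counts[parsed["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}

def make_mgmt(fc_byte: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Constructed test frame (no FCS): FC, duration, three MACs, sequence control, body."""
    return bytes([fc_byte, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def sample_capture() -> list:
    """Constructed capture: a beacon, eight broadcast deauths carrying the AP's address, one client deauth."""
    frames = [make_mgmt(0x80, BCAST, AP, AP, b"\x00" * 12 + b"\x00\x06lab-ap")]
    frames += [make_mgmt(0xC0, BCAST, AP, AP, struct.pack("<H", 7)) for _ in range(8)]
    frames.append(make_mgmt(0xC0, AP, CLIENT, AP, struct.pack("<H", 3)))
    return frames
```

The single client deauth stays under the threshold, so only the burst of eight broadcast frames is reported; in a real capture the threshold would be applied per time window.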

Common Attacks and Vulnerabilities

Open Networks

Weak encryption

Weak designs – WPS

Open Networks

No encryption, everything is on the air – DEMO

Easy target for man-in-the-middle (MITM) attacks

Evil access points – DEMO

Weak encryption – WEP (Wired Equivalent Privacy)

Part of the 802.11 specification

Aims to make the connection at least as secure as a wired connection

Used to protect MAC Protocol Data Units (MPDUs)

802.11 describes WEP as having two main parts:

The first is the authentication part

The second is the encryption part

Mostly used until 802.11i

Uses the RC4 algorithm for encryption, which is not secure

Easy to break, in less than 5 minutes

WPA & WPA2

Dictionary attacks

Known passwords

Weak designs

WPS – WiFi Protected Setup

WPS can be used in 3 ways:

WPS button press

Client-generated 8-digit PIN

Access-point-generated 8-digit PIN

WPS vulnerability

The PIN is almost always printed on the AP/router/modem

The PIN is sent in two stages

Only 11000 possibilities to try
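Where the 11000 figure comes from, as an added example that is not part of the original slides: the eighth PIN digit is a checksum of the first seven, and because the two halves are confirmed separately, the first half has 10^4 candidates and the second only 10^3. The checksum is the one defined in the WPS specification; the PIN values used are constructed.

```python
# Added example (not from the original slides): the WPS PIN check digit and why
# the slide's "two stages" reduce the candidate count to 11000. The checksum
# is the one defined in the WPS specification; the PIN values are constructed.

def wps_pin_checksum(first_seven: int) -> int:
    """Check digit for a 7-digit PIN prefix (weights 3,1,3,1,... from the right)."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """A well-formed PIN is 8 digits whose last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def second_half_candidates(first_half: int) -> int:
    """Count the 4-digit tails that form a valid PIN with a fixed first half:
    the check digit is fixed by the other seven, so only 1000 tails remain."""
    return sum(1 for tail in range(10_000)
               if wps_pin_is_valid(f"{first_half:04d}{tail:04d}"))


def search_space() -> dict:
    """Candidate counts: all 8-digit strings, strings with a valid checksum, and
    the two-stage case where each 4-digit half is confirmed on its own."""
    return {
        "any_8_digits": 10 ** 8,
        "valid_checksum": 10 ** 7,
        "two_stage": 10 ** 4 + second_half_candidates(0),   # 10000 + 1000 = 11000
    }


if __name__ == "__main__":
    print(wps_pin_is_valid("12345670"), search_space())
```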

EM/RF leaking & TEMPEST

Léon Theremin – Video

The Thing – the Great Seal bug

Designed by Léon Theremin

Consisted of a tiny capacitive membrane connected to a small quarter-wavelength antenna

EM/RF leaking

Every wire is an antenna

Your screen and typing can be monitored even if you are not online

Tempest

TEMPEST is a National Security Agency specification and NATO certification referring to spying on information systems through:

Radio or Electrical signals

Sounds

Vibrations

Tools

Ubertooth

RTL2832U – Realtek

HackRF

Ubertooth

A Bluetooth sniffer

Can also inject frames

About $100

RTL2832U - Realtek

A USB 2.0 DVB-T TV tuner card

Can operate as a 25 MHz – 1.7 GHz software defined radio (SDR)

Only $10

DEMO (adsbsharp, adsbscope, hdsdr, GNU Radio Companion)

What you can do with it

HackRF

10 MHz – 6 GHz transceiver SDR

Needs a HAM radio operator license

About $350

What you can do with it

References

http://www.scholartica.com/

http://www.hak5.org

http://wireless.kernel.org/en/users/Documentation/Bluetooth-coexistence

http://www.tekgear.com/PDF/WHP-050004-1V0%20Bluetooth%20and%20802.11%20Coexistence.pdf

http://www.freshpatents.com/Enhanced-2-wire-and-3-wire-wlan-bluetooth-coexistence-solution-dt20070712ptan20070161349.php

https://greatscottgadgets.com

Thank you