managing the client-side risks of ieee 802.11 networkspki public-key infrastructure pmk pairwise...

Managing the Client-side Risks

of IEEE 802.11 Networks

Daan Stakenburg

Technical Report

RHUL–MA–2013– 9

01 May 2013

Information Security Group

Royal Holloway, University of London

Egham, Surrey TW20 0EX,

United Kingdom

www.ma.rhul.ac.uk/tech

http://www.ma.rhul.ac.uk/tech

Royal Holloway University of London


Managing the Client-side Risksof IEEE 802.11 Networks

dissertation by:J.M.D. Stakenburg, (ISC)2 CISSP

supervised by:Professor J. Crampton

Submitted as part of the requirements for the award ofthe Master of Science degree in Information Security at

Royal Holloway, University of London

Table of Contents

Acronyms v

Glossary ix

Executive Summary xviii

1 Introduction 11.1 Problem and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.2 Objectives and Methodology Used . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3 Glossary, Citing and Reference Methods Used . . . . . . . . . . . . . . . . . . . . 31.4 Extracurricular activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Background 52.1 IEEE 802.11: The Wi-Fi Standard . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 IEEE 802.11: Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.3 IEEE 802.11-2007: Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.3.1 Preventative Security Measures . . . . . . . . . . . . . . . . . . . . . . . . 82.3.2 Detective Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.4 IEEE 802.11-2007: Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.5 IEEE 802.11-2007: Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.5.1 PSK Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.5.2 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.5.3 Universal Access Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.6 IEEE 802.11-2012: The latest Wi-Fi Standard . . . . . . . . . . . . . . . . . . . . 202.6.1 IEEE 802.11-2012: 802.11u . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.7 Other Security measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.7.1 Network Location Awareness . . . . . . . . . . . . . . . . . . . . . . . . . 232.7.2 Graphical User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.8 User behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262.8.1 Surveys on Wi-Fi Hotspot Use . . . . . . . . . . . . . . . . . . . . . . . . 27

2.9 Developer behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

IY5500-DST-v120114-0857 i

Table of Contents

3 Wireless Experiments 303.1 Experiment 1: Clients associated with an Open Wireless network . . . . . . . . . 30

3.1.1 Experiment 1: Set-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313.1.2 Experiment 1: Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323.1.3 Experiment 1: Possible Exploits . . . . . . . . . . . . . . . . . . . . . . . 343.1.4 Experiment 1: Vulnerable App found . . . . . . . . . . . . . . . . . . . . . 393.1.5 Experiment 1: Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.2 Experiment 2: Wireless networks with 802.1x access control . . . . . . . . . . . . 403.2.1 Experiment 2: Set-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413.2.2 Experiment 2: Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.2.3 Experiment 2: Possible Exploits . . . . . . . . . . . . . . . . . . . . . . . 433.2.4 Experiment 2: Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

4 Open Wireless Network Authentication Protocol 454.1 OWNAP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4.1.1 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454.1.2 X.509 Certi�cate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464.1.3 New Generic Top-Level Domain: .wi� . . . . . . . . . . . . . . . . . . . . 494.1.4 Establishing a unique PMK . . . . . . . . . . . . . . . . . . . . . . . . . . 494.1.5 Protocol Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

4.2 Backward compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524.3 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4.3.1 Certi�cate distribution to APs . . . . . . . . . . . . . . . . . . . . . . . . 524.3.2 Certi�cate chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534.3.3 Certi�cate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534.3.4 User Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534.3.5 Certi�cate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534.3.6 Threats to Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.4 Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544.4.1 Updating IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544.4.2 Existing alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554.4.3 Emerging alternative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

4.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

5 Final Conclusion 56

Bibliography I

A Vulnerable iPhone App VI

B Hotspot Walk-Through VII

IY5500-DST-v120114-0857 ii

List of Figures

2.1 Infrastructure Basic Service Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 Extended Service Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.3 Rogue Access Point Detection and de-Association . . . . . . . . . . . . . . . . . . 112.4 Rogue Access Point Triangulation . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.5 Survey on NU.nl on Wi-Fi vs Mobile . . . . . . . . . . . . . . . . . . . . . . . . . 172.6 Di�erent Captive Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.7 Di�erent UAM setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.8 DeviceScape Survey Responses #1 . . . . . . . . . . . . . . . . . . . . . . . . . . 222.9 Microsoft's Network GUID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.10 HTTPS in the di�erent Internet Browsers . . . . . . . . . . . . . . . . . . . . . . 242.11 EV HTTPS in the di�erent Internet Browsers . . . . . . . . . . . . . . . . . . . . 252.12 DeviceScape Survey Responses #2 . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3.1 Open Wireless Set-up (802.11b/g) . . . . . . . . . . . . . . . . . . . . . . . . . . 313.2 Selecting the Network Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323.3 Connecting to an Open Wireless Network . . . . . . . . . . . . . . . . . . . . . . 333.4 Process Flow SSL Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343.5 Process Flow SSL Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353.6 Untrusted Certi�cate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363.7 Secure Login of a Dutch Bank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373.8 Insecure Login of a Dutch Bank via SSLStrip . . . . . . . . . . . . . . . . . . . . 373.9 Dual Homed Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383.10 WPA2 Enterprise Setup (802.11i/802.1X) . . . . . . . . . . . . . . . . . . . . . . 413.11 EAP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.12 Windows 7 Certi�cate Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.13 EAP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.14 FreeRADIUS WPE Access Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443.15 LEAP Dictionary Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

4.1 OWNAP Message Sequence Chart . . . . . . . . . . . . . . . . . . . . . . . . . . 504.2 Wireless List on OWNAP capable devices . . . . . . . . . . . . . . . . . . . . . . 514.3 Wireless List on a OWNAP incompatible station . . . . . . . . . . . . . . . . . . 52

IY5500-DST-v120114-0857 iii

List of Figures

B.1 Initial Hotspot Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VIIB.2 Selecting the Premium Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VIIB.3 Account Login/Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VIIIB.4 Redirection to Payment Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . VIIIB.5 Creditcard Selected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VIII

IY5500-DST-v120114-0857 iv

Acronyms Used

The descriptions of the terms used in this dissertation have been collected from the followingsources: �Network Security: Private communication in a public world� [B:KPS02], �MetaSploitToolkit� [B:May+07], �CISA Study Guide� [B:Can11], �Internetworking with TCP/IP�[B:Com06]and Wikipedia.com.

APAccess Point

ADActive Directory

AESAdvanced Encryption Standard

ASN.1Abstract Syntax Notation One

APIApplication Programming Interface

BSSBase Service Set

BSSIDBasic Service Set Identi�cation

CACerti�cate Authority

CCMPCounter Mode with CBC-MAC

CNCommon Name

CPUCentral Processing Unit

CRLCerti�cate Revocation List

CSRCerti�cate Signing Request

DNSDomain Name System

DoSDenial of Service

EAPExtensible Authentication Protocol

EAP-TLSEAP-Transport Layer Security

EAPOLEAP over LAN

ESSExtended Service Set

FQDNFully Quali�ed DomainName

FWRFirewall Router

GUIGraphical User Interface

IY5500-DST-v120114-0857 v

Acronyms Used

GUIDGlobally Unique Identi�er

GSMGlobal System for MobileCommunications

gTLDGeneric Top-Level Domain

HSTSHTTP Strict Transport Security

HTTPHyperText Transfer Protocol

HTTPSHyperText Transfer Protocol over SSL

IANAInternet Assigned Numbers Authority

IBSSIndependent Basic Service Set

ICANNInternet Corporation for AssignedNames and Numbers

IEEEInstitute of Electrical and ElectronicsEngineers

IETFInternet Engineering Task Force

IPInternet Protocol

IPSecIP Security

ISOInternational Standards Organisation

ISPInternet Service Provider

LANLocal Area Network

LDAPLightweight Directory Access Protocol

MACMedia Access Control

MACMessage Authentication Code

MIMOMultiple-Input and Multiple-Output

NICNetwork Interface Card

NLANetwork Location Awareness

OCSPOnline Certi�cate Status Protocol

OFDMOrthogonal Frequency-DivisionMultiplexing

OSOperating System

OSIOpen Systems Interconnection

OWNAPOpen Wireless Network AuthenticationProtocol

PCI-DSSPayment Card Industry Data SecurityStandard

PEAPProtected Extensible AuthenticationProtocol

PKIPublic-Key Infrastructure

PMKPairwise Master Key

PIIPersonally Identi�able Information

PINPersonal Identi�cation Number

PHYPhysical Layer

PSKPairwise Master Key

PTKPairwise Transient Key

IY5500-DST-v120114-0857 vi

Acronyms Used

PDUProtocol Data Unit

PKCPublic Key Cryptography

PRNGPseudorandom Number Generator

RADIUSRemote Authentication Dial In UserService

RFCRequest for Comments

RLDPRogue Location Discovery Protocol

RSNRobust Security Network

SIMSubscriber Identity Module

SOHOSmall O�ce/Home O�ce

SSIDService Set Identi�er

SSLSecure Socket Layer

STAWireless Station or Client

STSStation-to-Station Protocol

SVRServer

TKTemporal Key

TKIPTemporal Key Integrity Protocol

TLDTop-Level Domain

TLSTransport Layer Security

TTLSTunnelled Transport Layer Security

UAMUniversal Access Method

UDRPUniform Domain-NameDispute-Resolution Policy

UMTSUniversal Mobile TelecommunicationsSystem

VLANVirtual LAN

W3CWorld Wide Web Consortium

WANWide Area Network

WCCPWeb Cache Communication Protocol

WEPWired Equivalent Privacy

Wi-FiWireless Fidelity

WISPWireless Internet Service Provider

WISPrWireless Internet Service Providerroaming

WLANWireless Local Area Network

WLCWireless LAN Controller

WPAWi-Fi Protected Access

WPA2Wi-Fi Protected Access version 2

WMWireless Medium

XMLExtensible Mark-up Language

IY5500-DST-v120114-0857 vii

Glossary

The descriptions of the terms used in this dissertation have been collected from the followingsources: �Network Security: Private communication in a public world� [B:KPS02], �MetaSploitToolkit� [B:May+07], �CISA Study Guide� [B:Can11], �Internetworking with TCP/IP�[B:Com06]and Wikipedia.com.

802.11The IEEE Standard for Wireless Local Area Networks

802.11iAn amendment to the original IEEE 802.11 specifying security mechanisms for wirelessnetworks

802.1xPort-based network access control allows a network administrator to restrict the use ofIEEE 802 R© Local Area Network service access points (ports) to secure communicationbetween authenticated and authorised devices

Abstract Syntax Notation OneA standard and �exible notation that describes rules and structures for representing, en-coding, transmitting, and decoding data in telecommunications and computer networking

Access PointAny entity that has Station functionality and provides access to the distribution services,via the Wireless Medium for associated Stations

Active AttackOne in which an attacker does something other than simple eavesdropping, for instance,transmits data, modi�es data, or subverts the system so that it can impersonate an address

Active DirectoryA directory service created by Microsoft for Windows domain networks

Advanced Encryption StandardA speci�cation for the encryption of electronic data

Application Programming InterfaceA speci�cation intended to be used as an interface by software components to communicate

IY5500-DST-v120114-0857 ix

Glossary

with each other

AppCommon name for software made for mobile devices

AuthenticationThe process of reliably determining the identity of a communicating party

Base Service SetA single Access Point together with all associated Stations

Basic Service Set Identi�erThe hardware address of the access point in an Infrastructure Basic Service Set

BotnetA botnet is a collection of compromised computers connected to the Internet (these arealso known as bots)

Central Processing UnitThe hardware within a computer system which carries out the instructions of a computerprogram by performing the basic arithmetical, logical, and input/output operations of thesystem

Certi�cateA message signed with a public key digital signature stating that a speci�ed public keybelongs to someone or something with a speci�ed name

Certi�cate AuthoritySomething trusted to sign Certi�cates

Certi�cate Revocation ListA digitally signed data structure listing all the Certi�cates created by a given Certi�cateAuthority that have not yet expired but are no longer valid

Certi�cate Signing RequestA message sent from an applicant to a Certi�cate Authority in order to apply for a digitalidentity certi�cate

Clear-TextA message that is not encrypted

Common NameCommon Name attribute type speci�es an identi�er of an object

Denial of Servicean attempt to make a machine or network resource unavailable to its intended users

Domain Name SystemThe naming convention de�ned by RFC 1033. DNS names are often referred to as internetaddresses or internet names

EAP-MD5The IETF Standards Track based EAP method, using the MD5 as hashing function

EAP-SIMThe authentication and session key distribution for EAP using the GSM SIM card

IY5500-DST-v120114-0857 x

Glossary

EAP-AKAAn EAP mechanism for authentication and session key distribution using the UMTS forAuthentication and Key Agreement

End-userthe person who uses a product; the consumer

EV-SSLAn Extended Validation Certi�cate is an X.509 public key certi�cate issued according toa speci�c set of identity veri�cation criteria

Extended Service SetA set of one or more interconnected Basic Service Sets and integrated Local Area Networkthat appear as a single Basic Service Set to the logical link control layer at any stationassociated with one of those Basic Service Sets

Extensible Authentication ProtocolA protocol that enables extensible network access authentication and supports multipleauthentication methods

EAP over LANA protocol that de�nes the encapsulation of EAP over IEEE 802 network protocols likeEthernet

Extensible Mark-up LanguageA universal program architecture designed to share information between di�erent program-ming languages

FirewallA mechanism placed between two networks to provide security

Firewall RouterA Firewall and Router in a single system

Fully Quali�ed Domain NameA domain name that speci�es its exact location in the tree hierarchy of DNS

Generic Top-Level DomainOne of the categories of TLDs maintained by IANA for use in the DNS of the Internet

Global System for Mobile CommunicationsA standard set developed by ETSI to describe technologies for second generation digitalcellular networks

Graphical User InterfaceA type of user interface that allows users to interact with electronic devices using imagesrather than text commands

Globally Unique Identi�erA unique string that is produced by the Microsoft Windows Operating System or bysome Microsoft Windows Applications to identify a particular component, application,�le, database entry, and/or user

HopA direct communication channel between two computers. in a complex computer network,a message might take many hops between its source and destination

IY5500-DST-v120114-0857 xi

Glossary

HTTP Strict Transport SecurityA web security policy mechanism whereby a webserver declares that complying user agents(such as a web browser) are to interact with it using secure connections only

HyperText Transfer ProtocolAn application protocol for distributed, collaborative, hypermedia information systems(e.g. the retrieving of web pages)

HyperText Transfer Protocol over SSLAn application protocol for distributed, collaborative, hypermedia information systems(e.g. the retrieving of web pages) encrypted using a Secure Socket Layer

Independent Basic Service SetA Basic Service Set that forms a self-contained network, and in which no access to aDistribution System is available

Institute of Electrical and Electronics EngineersA non-pro�t professional association that is dedicated to advancing technological innova-tion and excellence

internetA connected collection of computer networks

InternetLarge and still growing network that started as the ARPANET, a research network fundedby the US Department of Defense

Internet Assigned Numbers AuthorityA department of ICANN that oversees global IP address allocation, autonomous systemnumber allocation, root zone management in the DNS, media types, and other InternetProtocol-related symbols and numbers

International Standards OrganisationAn international organisation tasked with developing and publishing standards

Internet Corporation for Assigned Names and NumbersThe name of the organisation who coordinates the Domain Name System, Internet Proto-col addresses, space allocation, protocol identi�er assignment, generic (gTLD) and countrycode (ccTLD) Top-Level Domain name system management, and root server system man-agement functions

Internet Engineering Task ForceAn open standard organisation that develops and promotes Internet standards, cooperat-ing closely with the W3C and ISO/IEC standards bodies and dealing in particular withstandards of the TCP/IP and Internet Protocol suite

Internet Service ProviderA company that sells connectivity to the Internet

IP SecurityA security standard used with Internet Protocol datagrams. IPSec uses cryptographictechniques, and allows the sender to choose authentication or con�dentiality

Key EscrowKeeping a copy of a key at a third party so it can be restored if the owner loses it, or if

IY5500-DST-v120114-0857 xii

Glossary

law enforcement or some other party wishes to decrypt the key owners data

Lightweight Directory Access ProtocolAn application protocol for accessing and maintaining distributed directory informationservices over an Internet Protocol network

Local Area NetworkA method of interconnecting multiple systems in such a way that all transmissions overthe Local Area Network can be listened to by all systems on the Local Area Network

MalwareMalicious software designed to disrupt computer operation, gather sensitive information,or gain unauthorised access to computer systems

Man-in-the-middle AttackAn active attack which involves getting on the path between two legitimate users, relayingtheir message to each other, and thereby spoo�ng each of them into thinking they aretalking directly to the other

Media Access ControlA unique identi�er assigned to network interfaces for communications on the Physicalnetwork segment

Message Authentication CodeA short piece of information used to authenticate a message

Multiple-Input and Multiple-OutputThe use of multiple antennas at both the transmitter and receiver to improve communi-cation performance

Network Interface CardA computer hardware component that connects a computer to a computer network

Network Location Awarenesstbd

Online Certi�cate Status ProtocolAn Internet protocol used for obtaining the revocation status of an X.509 digital certi�cate

Open Systems InterconnectionThe name of the computer networking standards approved by ISO

Operating SystemA computer software program that interfaces between hardware devices and the user'sapplication

Open Wireless Network Authentication ProtocolA new protocol to authenticate and associate Wireless Access Points with their SSID to aWireless Station

Orthogonal Frequency-Division MultiplexingA method of encoding digital data on multiple carrier frequencies

Pairwise Master KeyA shared secret more commonly referred to as the Pre-shared Key, which was previouslyshared between the two parties using some secure channel before it needs to be used

IY5500-DST-v120114-0857 xiii

Glossary

Pairwise Transient KeyA key derived from the PMK

Passive AttackAn attack in which an attacker only eavesdrops

PasswordA supposedly secret string to prove ones identity

Payment Card Industry Data Security StandardAn actionable framework for developing a robust payment card data security process

PDF417PDF417 is a stacked linear barcode symbol format used in a variety of applications, primar-ily transport, identi�cation cards, and inventory management. PDF stands for PortableData File

Personally Identi�able InformationInformation that can be used to uniquely identify, contact, or locate a single person

Personal Identi�cation NumberA short sequence of digits used as a password

Physical LayerThe �rst and lowest layer in the seven-layer OSI model of computer networking

Protected Extensible Authentication ProtocolA protocol that encapsulates EAP within a potentially encrypted and authenticated TLStunnel

ProtocolA formal description of message formats and the rules two or more machines must followto exchange messages

Protocol Data UnitAn ISO term for a Packet

ProxyA computer network service that allows clients to make indirect network connections toother network services

Pseudorandom Number GeneratorAn algorithm for generating a sequence of numbers that approximates the properties ofrandom numbers

Public Key CryptographyA cryptographic system requiring two separate keys, one to lock or encrypt the plaintext,and one to unlock or decrypt the ciphertext

Public-Key InfrastructureA set of hardware, software, people, policies, and procedures needed to create, manage,distribute, use, store, and revoke digital certi�cates

Rainbow TableA pre-computed table for reversing cryptographic hash functions, usually for crackingpassword hashes

IY5500-DST-v120114-0857 xiv

Glossary

Remote Authentication Dial In User ServiceA protocol used to provide centralised authentication, authorisation and accounting

RC4A widely used software stream cipher created by Ron Rivest

Request for Commentsa memorandum published by the IETF describing methods, behaviours, research, or inno-vations applicable to the working of the Internet and Internet-connected systems

Robust Security NetworkA security network that allows only the creation of Robust Security Network Associations

Rogue Location Discovery ProtocolAn active approach to locate a Rogue Access Point

Secure Socket LayerSession-layer security and encryption between a user and a server

ServerAn application program that supplies service to Clients over a network

Service Set Identi�erThe identi�er of a Basic or Extended Service Set

Station-to-Station ProtocolA cryptographic key agreement scheme based on classic Di�e-Hellman that provides mu-tual key and entity authentication

Subscriber Identity ModuleAn integrated circuit that securely stores the IMSI and the related key used to identifyand authenticate subscribers on mobile telephony devices

Temporal KeyA key to encrypt/decrypt unicast data packets

Top-Level DomainOne of the domains at the highest level in the hierarchical DNS of the Internet

Universal Access MethodA method used by WiFi operators to allow access to a wireless network or access to anothernetwork while roaming

Uniform Domain-Name Dispute-Resolution PolicyA process established by ICANN for the resolution of disputes regarding the registrationof internet domain names.

Universal Mobile Telecommunications SystemA third generation mobile cellular technology for networks based on the GSM standard

Virtual LANA concept of partitioning a physical network, so that distinct broadcast domains are created

Walled Gardena Service Provider's control over applications, content, and media on platforms and re-striction of convenient access to non-approved applications or content

IY5500-DST-v120114-0857 xv

Glossary

Web Cache Communication ProtocolA Cisco-developed content-routing protocol that provides a mechanism to redirect tra�c�ows in real-time and allowing utilization of Cache Engines

Wi-Fi HotspotPublic Access Wireless Local Area Network that o�ers Internet access

Wi-Fi Protected AccessA security protocol and security certi�cation program developed by the Wi-Fi Alliance tosecure wireless computer networks

Wide Area NetworkA telecommunication network that covers a broad area (i.e., any network that links acrossmetropolitan, regional, or national boundaries)

Wildcard Certi�cateA certi�cate that is usually valid for multiple sub-domains or hostnames in a domain. Itis however possible to create a wildcard certi�cate that is valid for all domains and all TopLevel Domains

Wired Equivalent PrivacyA security protocol developed by the IEEE to secure wireless computer networks

Wireless FidelityThe brand name for products using the IEEE 802.11 family of standards for transferringdata over a Wireless Network

Wireless Internet Service ProviderISP with networks built around wireless networking

Wireless Internet Service Provider roamingA draft protocol submitted to the Wi-Fi Alliance that allows users to roam between wirelessInternet service providers, in a fashion similar to that used to allow cellphone users to roambetween carriers

Wireless LAN ControllerA wireless LAN controller is used in combination with the Lightweight Access Point Pro-tocol (LWAPP) to manage light-weight access points in large quantities by the networkadministrator or network operations center

Wireless Local Area NetworkA wireless method of interconnecting multiple systems in such a way that all transmissionsover the Wireless Local Area Network can be listened to by all systems on the WirelessLocal Area Network

Wireless MediumThe medium used to implement the transfer of Protocol Data Units between peer physicalentities of a Wireless Local Area Network

Wireless Station or ClientAny device that contains an IEEE 802.11-conformant Medium Access Control and Physicallayer interface to the Wireless Medium

World Wide Web ConsortiumThe main international standards organization for the World Wide Web

IY5500-DST-v120114-0857 xvi

Glossary

X.500A CCITT Standard for Directory Services

X.509A CCITT Standard for Security Services within the X.500 Directory Services Framework

X.520ITU-T Recommendation X.520 | ISO/IEC 9594-6 de�nes a number of attribute types andmatching rules which may be found useful across a range of applications of the Directory.

IY5500-DST-v120114-0857 xvii

Executive Summary

This dissertation focuses on the risks and vulnerabilities associated with Open Wireless Fidelity(Wi-Fi) networks also known as Wi-Fi Hotspots, a popular technology that allows nearby clientdevices to connect to Internet services.Wireless transmissions of messages have always had the same challenges when it comes to au-thenticity and con�dentiality:

• Is the sender the perceived entity;

• Is the receiver the intended recipient;

• Does the received message correspond to the one sent;

• Does the message still have the same level of con�dentiality after transmission, as themessage may have been received by others.

Most wireless technologies in use today include mechanisms to resolve these challenges. One ofthe exceptions are Wi-Fi Hotspots due to their con�guration. The primary focus of these Wi-FiHotspots is to provide its users simplest possible access to the Internet; with or without relyingon other mechanisms for granting access to that Internet service. A Wi-Fi Hotspot network isa public wireless network that will allow anyone to connect to it. In many cases, access to theInternet service is free. In other cases, users will be redirected to a Captive Portal and asked toprovide:

• A username and/or password; or• A prepaid voucher code; or• A payment; and in most cases• Acknowledgement of the Terms of Use

This solution will control the access to the Internet service, but it will not result in a secureconnection between the user's device and the wireless access point. Given this open design, itallows attackers to eavesdrop on any clear-text message transmitted or even spoof the identityof such a network. The latter will allow an attacker more control over the transmissions beingsent and received and perform so-called Man-in-the-middle Attacks. These attacks may directlyresult in the leaking of sensitive information being transmitted or indirectly through gainingunauthorised access to that information by using leaked credentials.

IY5500-DST-v120114-0857 xviii

Executive Summary

ExperimentsTo show some of the possible attacks, two experiments were undertaken with the followinghypotheses:

• Client devices will not automatically connect to just any wireless network with the sameidenti�er called the Service Set Identi�er (SSID);

• The authentication protocol 802.1x would be able to provide mutual authentication ofboth End-user and a Wi-Fi Hotspot.

Both hypotheses were proven to be incorrect: most clients are unable to distinguish the di�er-ence between two wireless networks using the same SSID. 802.1x is currently not a viable optionas it requires the device to be pre-con�gured with credentials, trusted authentication servers andsigning Certi�cate Authorities in advance.

OWNAPTo combat the challenges with Wi-Fi Hotspot authentication, this dissertation is proposing anew protocol called Open Wireless Network Authentication Protocol (OWNAP). OWNAP willprovide authentication of both the wireless network and associated access points. It will alsoensure the establishment of a secret key that will be used to encrypt the transmissions betweenthe client and the access point. During the research for this dissertation, the Wi-Fi Hotspotsindustry has evolved as well. IEEE has rati�ed a new standard called 802.11u that will use theSubscriber Identity Module (SIM) card of mobile devices to perform the authentication processwith wireless networks. 802.11u may however result into vendor lock-in. Users may want tohave the option to choose another Wi-Fi Hotspots, either because a compatible 802.11u networkis not available or because the local service is less expensive. OWNAP leaves the decisionwhich network to select to the user and that is why OWNAP is a better solution to secure thecommunications between client device and wireless access point.

IY5500-DST-v120114-0857 xix

CHAPTER 1

Introduction

While digital or electrical wired communications, like the telegraph, pre-dates wireless digi-tal communications, the latter has, in its non-digital and rudimentary form, been in use sinceanimals walked and crawled the earth.Although it is believed that elephants and whales can communicate over hundreds of squaremiles, it was mankind who started to use tools, like �re and drums, to encode and transmitmessages across vast distances with or without line of sight.The Great Wall of China (500BC) not only defended against enemies crossing its borders. Italso had signalling towers which were used to send military communications. Beacon �res orlanterns were used during the night and smoke signals during the day [O:Enc12b].But the number of unique messages one could send using �re signals was limited. To over-come this limitation the Greek Polybius created one of the �rst telegraphic encodings called thePolybius Square or Checkerboard in 150BC. He devised a means of encoding letters into pairsof symbols. The Square is a true bilateral substitution and presages many elements of latercryptographic systems [O:Enc12a].Claude Chappe invented a wireless telegraph for the French government in 1794. The so-calledsemaphore or signalling system used �ags to exchange messages and the system was used tocommunicate across France, Germany, Italy, Belgium and the Netherlands. Given its large scaleuse, one could consider it to be the �rst European wireless telecommunication system of theindustrial age [T:Dil01], pre-dating the more famous Samuel Morse signalling and telegraphsystem by at least 50 years. Just like Chappe's �ag signalling system, Morse code itself is notan encryption algorithm, it just encodes/translates a human readable message into a systemtransmittable language.

IY5500-DST-v120114-0857 1 of 57

Chapter 1: Introduction

All these man-made solutions share the same challenges with current (wireless) communicationswhen it comes to authenticity and con�dentiality:

• Is the sender the perceived entity or is it under the control of an adversary;

• Is the receiver the intended recipient or is it under the control of an adversary;

• Was the message maliciously altered during transmission, as it may have crossed one ormore stations or devices;

• Does the message still have the same level of con�dentiality after transmission, as all thesystems mentioned above are broadcasting their transmissions into the open air for anyoneto hear or see.

Chappe solved the con�dentiality issue by introducing a code book. The code book was onlyavailable at main stations and under the supervision of the station master. An intermediatestation o�cer did not need to know the actual message transmitted as he would just repeat thesignal received [T:Dil01].Most wireless technologies in use today include mechanisms to protect against these vulnerabili-ties, of which the most commonly used are explained in the next chapter. One of the exceptionsthat do not have these mechanisms in place are publicly accessible wireless networks due to theircon�guration.

1.1 Problem and Scope

This dissertation focuses on publicly accessible Wireless Fidelity (Wi-Fi) networks also knownas open Wi-Fi networks or Wi-Fi Hotspots, a popular technology that allows nearby devicesto connect to Internet services. Open Wi-Fi networks are seen as an extra service to increaseones' customer base, resulting in a direct or indirect e�ect on ones' revenue: indirect by cus-tomers preferring the establishment, e.g. hotels, with a complimentary wireless service over anestablishment that does not; or indirect as customers may extend their stay in an establishment,resulting in additional revenue through additional sales of e.g. food and beverages in bars andrestaurants.These networks have not addressed the challenges mentioned earlier and are relying on othertechnologies or higher level Protocols running on top of the wireless Protocol to prevent eaves-dropping of the wireless transmissions.The primary focus of these Wi-Fi Hotspots is just to provide its users simplest possible accessto the Internet with or without relying on other mechanisms for granting access1. The problemwith this form of Internet access is the fact that these networks may give its users a false senseof security. Especially when a well-established name is used as a network identi�er. It may notbe obvious but anyone can set up a wireless network with a name of his/her choosing. Thereis no proper identi�cation or authentication or other assurance method in place that actuallyguarantees that the network one is connected to, is actually managed on behalf of the establish-ment or company it pertains to be part of. The device of the user may have several controls inplace to keep an attacker out, but this paper will show that having control over the path overwhich data is transferred can also result in several attack vectors. Several of these attacks havebeen performed in a lab and will be presented in Chapter 3 on page 30.

1See �2.5.3 on page 18

IY5500-DST-v120114-0857 2 of 57


1.2 Objectives and Methodology Used

The use of Wi-Fi has become mainstream and its use already widespread, but it is actually stillexpanding. This dissertation will show that there are some cases where ease-of-use has prevailedover security and one is relying to much on the knowledge of the user. Most users and notexperts and the lack of security has resulted in a negative impact on the security of sensitiveinformation that is transmitted over these wireless networks. This dissertation will identify thisimpact by performing:

• A literature research on the possible access methods to Wi-Fi networks and their applica-tion in di�erent environments;

• A literature research on any newly drafted access methods to Wi-Fi networks;

• A laboratory test to research the security of open Wi-Fi networks and to �nd answers tothe following question:

� What are the possible attack vectors, related vulnerabilities and risks for End-usersusing open Wi-Fi networks.

• A laboratory test to research the potential of using 802.1x access controls as an alternativeto Universal Access Method (UAM) by:

� Investigating a potential Authentication vulnerability on a feigned 802.11i Wi-Fi net-work, that uses 802.1x for Authentication.

� Investigating the requirements and limitations of using 802.1x on 802.11i networks;

• An investigation into other attack vectors, related vulnerabilities and risks of using Wi-FiHotspots;

• An investigation into the available options for mitigation of all vulnerabilities and risksfound.

Finally this dissertation will propose a high-level design of a new protocol called Open Wire-less Network Authentication Protocol (OWNAP) that will provide mutual authentication andencryption between open Wi-Fi Access Point (AP) and connected client devices using existing802.11i technology.

1.3 Glossary, Citing and Reference Methods Used

The following methods have been used to enhance the reading experience:

Acronyms and GlossaryAcronyms will be expanded once each chapter in the following format: Meaning (ACRONYM).Each chapter will expand each acronym on �rst use. In the digital version of this documentall acronyms are coloured blue and linked to the meaning of the acronym. The complete Listof Acronyms starts on page v. Most acronyms will also link to the Glossary giving a formalexplanation of the terminology used. The Glossary starts on page ix.

IY5500-DST-v120114-0857 3 of 57


Citations and BibliographyBoth verbatim and non-verbatim citations have been used and will reference the original authoror source using the LATEX Bibliography style Alpha consisting of an abbreviation of the authorsname and the year of publishing between square brackets. The reference may also include thepage number where possible and/or applicable. Verbatim citations will be in italics and centredon the page.The Bibliography has been split up into �ve sub-bibliographies:

• Book references will be pre�xed with a B; and

• Technical Reports and Articles will be pre�xed with a T; and

• Software Tools Used will be pre�xed with an S; and

• Attributed artistic works will be pre�xed with an A; and �nally

• News Articles will be pre�xed with a N.

• Other references will be pre�xed with an O.

The Bibliography can be found on page I in the back of this dissertation and include the ISBNnumbers for the cited books, and shortened URLs for all on-line sources. The URLs include thedate when the URL was last checked.

Cross-referencingCross-references between pages will either be speci�cally mentioned or referenced through theuse of footnotes.

Graphics and DiagramsAny graphic or diagram that depicts or has been based on existing work, will have a referenceto its original author in its caption. That being said, most client side graphical user interfaceswere taken from the current and most common computer platforms: Microsoft Windows XP, itssuccessor Windows 7 and Apple iOS.An overview of all graphics and diagrams can be found in the List of Figures starting on pageiii.

1.4 Extracurricular activities

During my research on Wi-Fi Hotspots, I was asked and did present some of my �ndings at theeCrime Europe conference of 2011 in a presentation titled: �Welcome to the Wireless Workforce:Road Warriors or Deer Staring into the Headlights? � [O:AKJ11].I took on the challenge to write this dissertation in LATEX, a document markup language previ-ously unknown to me.

IY5500-DST-v120114-0857 4 of 57

CHAPTER 2

Background

This chapter will discuss the components of a wireless network, including the current securitymeasures available today and provide a better understanding of the risks associated with Wi-FiHotspots. It has therefore been split into several sections.The �rst section will explain and discuss the IEEE 802.11 standard of 2007, discussing:

• The architecture and components associated with such a network;

• The preventive and detective security measures;

• The methods of encryption used;

• The methods of authentication used.

A brief overview will be given of the latest 802.11 standard that was released in 2012, includinga section on a new amendment called 802.11u.The �nal section will discuss indirectly related security measures and vulnerabilities. These willinclude some technical discussions, but will also draw conclusions on surveys and �ndings relatedto the behaviour of people, from now on referred to as End-users.All the sections will show that some designs can result in toxic combinations giving End-users afalse sense of security when there are actually few or no security measures in place.

For more details on the technical topics discussed the reader is advised to read: �IEEE 802.11-2007 Standard� [T:IEE07], �IEEE 802.11-2012 Standard� [T:IEE12], �802.11 Wireless Networks:The De�nitive Guide, Second Edition� [B:Gas05, �6, �7 and �22], �802.11 Security� [B:PF03] and�Wi-Fi Hotspots� [B:Gei06, �10].

IY5500-DST-v120114-0857 5 of 57

Chapter 2: Background

2.1 IEEE 802.11: The Wi-Fi Standard

The Wireless Fidelity (Wi-Fi) standards have been developed by the Institute of Electrical andElectronics Engineers (IEEE): an organisation that develops and advances global technologiesby bringing together individuals and organisations from a wide range of technical and geographicpoints of origin [O:IEE12]. The original 802.11 standard was published in 1999 and has undergoneseveral revisions and amendments. The commonly known 2007 version consisting of amendmentsa through e and g through j has recently (March 2012) been replaced by the 2012 revision1. Theamendments 802.11b, g, i and n are currently the most deployed, with [T:IEE07]:

802.11a using the 5 GHz band and allowing for a maximum data transmission rate of 54Mb/s,but with less range as 802.11b or 802.11g, due to the frequency used;

802.11b using the 2.4 GHz band and allowing for a maximum data transmission rate of 11Mb/s;

802.11g using the same 2.4 GHz band as 802.11b, but allowing for a maximum data transmis-sion rate of 54Mb/s by reusing the modulation technique Orthogonal Frequency-DivisionMultiplexing (OFDM) found in 802.11a;

802.11i introducing Wi-Fi Protected Access (WPA) that provides mutual authentication andencryption of data transmissions;

802.11n enhancing 802.11a and 802.11g even further, allowing data transmission rates up to600Mb/s using Multiple-Input and Multiple-Output (MIMO) modulation techniques2.

This dissertation is based on the client-side risks associated with the 802.11-2007 standard.

2.2 IEEE 802.11: Architecture

An 802.11 architecture consists of several devices: Access Points (APs) which act as the bridgebetween wireless and wired network. They can also act as gatekeepers ensuring that onlyauthorised wireless clients, referred to as Wireless Station or Clients (STAs), are able to connect.One AP with one or more STAs is referred to as a Base Service Set (BSS) or Infrastructure BSS(see Figure 2.1. Two STAs are however also able to set up an ad-hoc wireless connection withoutthe use of an AP, known as an Independent Basic Service Set (IBSS).

RTR

APSTA#1 STA#2

APRTRSTA

: Wireless Access-Point: Router: Wireless Station

Figure 2.1: Infrastructure Basic Service Set [T:IEE07; A:Sta12]

1See �2.6 on page 202Note that 802.11n is not part of 802.11-2007

IY5500-DST-v120114-0857 6 of 57


When multiple BSSs share and provide access to the same physical local area network, the setup is referred to as an Extended Service Set (ESS). A BSS will determine if a transmission isdestined for itself, by checking if the Basic Service Set Identi�cation (BSSID) included in thetransmission is theirs. Two nearby APs or BSSs would otherwise not be able to distinguish ifthe transmission is destined for either of them.

STA#1AP#1 AP#3

AP#2

STA#2

RTR

SW

APRTRSTASW

: Wireless Access-Point: Router: Wireless Station: LAN Switch

Figure 2.2: Extended Service Set [T:IEE07; A:Sta12]

STAs will need to have a means to identify a Wi-Fi network. An AP will therefore broadcastidenti�cation or beacon frames announcing the name of the wireless network(s) to which itcan provide access. This identi�er is called the Service Set Identi�er (SSID) and is a word ofno more than 32 ASCII characters (32 octets). Any word or identi�er can be selected, onecould even use existing ones like BTOpenZone, EDUROAM, CampusNet. There is, however, noproper validation if the SSID is actually a�liated with the company or network one thinks oneis connecting to.

In ascertaining quality, consumers will often rely on the cognitive shortcut pro-vided by a brand name, and will even pay a premium for products with brand namesthey associate with a reputation for quality.

[B:Sch12, p. 95]

Given this statement potential End-users of these networks may assume that the wireless networknames or SSIDs listed are indeed a�liated and genuine, so a potential. There is, however,nothing stopping an attacker from setting up a wireless network with a well-known SSID andfake a�liation with a brand or nearby establishment. This will allow an attacker to induce oreven technically force End-users to connect to his access point.

IY5500-DST-v120114-0857 7 of 57


This makes these networks prone to several Man-in-the-middle Attacks:

• Given the fact that Wi-Fi Hotspots have no or at best very limited security measures thatwill validate the network, an attacker could replicate the original landing page and ask theuser for their credentials or credit-card information prior to access3;

• Many client devices store SSIDs of networks they were connected to previously and whichwill reconnect automatically the moment any AP announcing such a SSID is in range4.The connection is established without asking the user for con�rmation and thus potentiallywithout the user noticing. If these applications do not include security mechanisms toprotect sensitive information (e.g. passwords), an attacker will be able to easily extractthis sensitive information.

In other words, having control over the AP allows an attacker to control messages sent andreceived to a certain extent, examples of which will be shown in Chapter 3.

2.3 IEEE 802.11-2007: Security

Wi-Fi uses radio signals which are usually broadcasted omni-directionally: in all possible direc-tions. Radio signals do have a limited range: depending on the signal strength, path obstructingparticles/materials (e.g. air or walls) and the radio band used. The latter because the higherthe frequency the less reach a signal will have.Physical wiring requires an attacker to have physical access to the cable. Only then will anattacker be able to place a device nearby or inline, allowing him to eavesdrop or even alter thetra�c. Because a wireless signal can pass through a multitude of physical boundaries, it requiresother countermeasures to stop attackers from eavesdropping or interfering. Next to encryption5

providing con�dentiality and authentication6 providing the necessary access control, there arealso other preventative and detective security measures.Most of these security measures can't be implemented in combination with the open nature ofWi-Fi Hotspots, as will be shown in the following paragraphs.

2.3.1 Preventative Security Measures

Signal BlockingBy making sure that a wireless signal can't reach a public area, one can limit the access tothe wireless network. This can be achieved by reducing the initial signal strength or placingradiation �lters on walls and windows. One thing to remember though is the fact that anattacker could use an enhanced wireless transmitter and receiver to connect. Using this featurefor Wi-Fi Hotspots would ensure that only customers of an establishment could gain access tothe services provided, but it should not be the only security measure for wireless networks incorporations.

3See �2.5.3 on page 184See �3.1 on page 305See �2.4 on page 126See �2.5 on page 14

IY5500-DST-v120114-0857 8 of 57


SSID ObfuscationIn the past the security of Wi-Fi networks was not particularly good (e.g. Wired EquivalentPrivacy (WEP) security was shown to have severe security weaknesses) and an intermediatesolution was suggested to no longer broadcast the SSID on a regular basis. This method onlyobscures the network's identity and does not stop attackers from identifying a wireless networkas any active transmissions would actually include the SSID. Stopping the broadcast of the SSIDwill only hide the network while it is not in use and it should therefore not be considered a goodsecurity measure.It is also not a good security measure for Wi-Fi Hotspots as one wants the SSID of a Wi-FiHotspot to be visible allowing easy access to visitors.

MAC FilteringAnother security measure is to limit or �lter the Media Access Control (MAC) addresses of STAsthat are allowed access to one or more APs. Next to the administrative overhead of tracking theallowed addresses, is the fact MAC addresses are no longer hard-coded into a Network InterfaceCard (NIC) and/or can be altered through software, allowing an attacker to spoof the MACof a trusted or known device. An attacker will just have to wait and listen for an approvedSTA accessing the wireless network, copy its MAC address, which is always visible in Wi-Fitransmitted network frames, resulting in access to be granted.Some Wi-Fi Hotspot deployments actually use this security measure to block unauthenticatedusers from accessing the Internet service provided. The MAC �ltering is, however, not per-formed on the AP, but at the gateway, as one still want unauthenticated devices to access thewireless network. Only when a device tries to connect to the service provided (e.g. Internet ser-vice) through the gateway will access control be enforced. The gateway ascertains if the sourceMAC address of a packet is known to be from an authorised user/device and act accordingly.If no other security measures are taken, this method of access authorisation can easily be abused.

Wireless Client IsolationThis countermeasure will stop STAs connected to the same AP from communicating with eachother. At �rst glance this sounds like an excellent preventative security measure. However, itwill not prevent an attacker from setting up a rogue AP with the same SSID that would forcewireless clients to connect through it defeating this countermeasure. It will also not stop anattacker from eavesdropping on one's tra�c. Wireless Client Isolation is only e�ective whenused in combination with Extensible Authentication Protocol (EAP) based authentication as itrequires more information for the setup of the rogue AP that is not publicly available to theattacker. Even when EAP is used, similar security measures have to be put in place on thephysical Local Area Network (LAN). If this is not done, a wireless isolated STA can still beaccessed by other devices on the LAN or by other STAs connected to another AP. The isolationis just between STAs connected to the same AP.This security measure should still be enabled on Wi-Fi Hotspots as a �rst thin line of defenseto protect against things like malicious computer worms, but as mentioned will not prevent theuse of a rogue AP nor the capability of eavesdropping.

IY5500-DST-v120114-0857 9 of 57


2.3.2 Detective Security Measures

There also security measures that allow for the detection of rogue STAs and APs. However,these measures require additional human resources that may not be available.

Rogue Station DetectionUsually a number of APs are deployed across a building to provide reliable wireless coverage. Inthat case, it is advantageous to deploy a Wireless LAN Controller (WLC) as well. The WLC isthere to centrally manage the con�guration, alerts and �rmware of the deployed APs. By havingthis management capability, one can be alerted when there is a STA that is continuously tryingbut failing to gain access to an AP continuously. When having su�cient coverage, triangulationthrough the managed APs could be used to locate the rogue STA.This security measure should be enabled on Wi-Fi Hotspots, but may be administratively infea-sible: there cannot be an IT expert at every deployed Wi-Fi Hotspot to take any type of action,especially in restaurant-chains or hotels where provided Wi-Fi network is considered a hospital-ity service and not the core business of the company in question. The cost of employment of alocal IT expert to triangulate the abusive user, will quickly outweigh the �nancial loss of one ormore persons not paying for their Internet service use.

Rogue Access Point DetectionThrough its managed APs, the WLC (the green device in Figure 2.3) can check if there are anyother APs in signal range that are not managed by the WLC. An AP that is in the vicinityof a managed AP and does not fall under its administration is considered a rogue AP. Sucha rogue AP only becomes a real risk when it is using the same SSID (Figure 2.3a) and/or isgranting access to the same wired LAN (Figure 2.3b). The latter is a threat as the rogue APis potentially not using the same access controls as the managed APs. To determine if a rogueAP is connected to the same LAN, the WLC can [T:Cis10]:

• Use an active approach by instructing a managed AP to connect to the rogue AP as aclient and try to send a Rogue Location Discovery Protocol (RLDP) back to the WLC. Ifthe message is received then one can assume that the rogue AP is connected to the samenetwork;

• Use a passive approach by asking a managed APs to collect the MAC addresses on theLAN and see if one corresponds to the MAC from the rogue APs.

To partially resolve the issue of a rogue AP, a managed AP can be instructed to broadcastde-associate packets with the spoofed source address of the rogue AP when it sees a STA con-necting to the rogue AP (Figure 2.3c). This will stop or prevent the STA from associating withthe rogue AP and could result in the STA connecting to a valid AP (Figure 2.3d), if the STA iscon�gured for the o�cial wireless network.By using triangulation of signals received by the managed AP, a WLC can determine the loca-tion of the rogue AP (see Figure 2.4). An administrator can then take measures e.g. demandingthe AP to be removed from the LAN.The option to spoof the identity of an AP and force connected STAs to disconnect/de-associatefrom a rogue access point seems nice, but it can be used by an attacker as well forcing STAs toconnect to a rogue AP. It would be far better to resolve the inability to properly authenticatean AP and related SSID.

IY5500-DST-v120114-0857 10 of 57


AP STA Rogue AP

(a) A rogue AP on di�erent LAN

AP STA Rogue AP

(b) A rogue AP on the same LAN

AP STA Rogue AP

(c) Broadcasting spoofed de-associate frames

AP STA Rogue AP

(d) Reconnecting to o�cial AP

Figure 2.3: Rogue Access Point Detection and de-Association [T:Cis10; A:Sta12]

IY5500-DST-v120114-0857 11 of 57


Figure 2.4: Rogue Access Point Triangulation [A:Cis06]

Rogue Access Point Detection could be enabled on Wi-Fi Hotspots, but may be administrativelyinfeasible for the same reasons mentioned for Rogue Station Detection. Even when using acentrally managed WLC that controls all deployed access-points.In preparation for this dissertation the Wi-Fi Hotspot department of a large Dutch InternetService Provider (ISP) was asked if Rogue Access Point Detection was being used in theirnetwork. They were however unwilling to comment on the matter. Setting up a rogue AP totest this hypothesis could be considered a crime and it is therefore assumed that at least thisISP has concluded it to be an acceptable risk.On their website, they do mention the potential risk of rogue APs or network and are providing aservice to their regular customers to mitigate the risk: a VPN connection that terminates in theirdata-centre [O:KPN12b]. This extra VPN service does require pre-registration, but will ensurethat all data is encrypted between the STA, across any AP used and the VPN concentrator.This will render eavesdropping on the wireless part of the network path useless.One could wonder if an End-user would disconnect from a rogue AP that actively blocks the useof the VPN service. Hey may assume the service is just unavailable and use the service withoutthat extra layer of protection. It also requires an additional (manual) step to be performed bythe End-user who may or may not �nd this to be acceptable.This security measure is a typical example of a bolted-on, non-transparent security measure.This is not how a security measure should be implentend according to eight Security Principlesof �The Protection of Information in Computer Systems� [T:SS75].

2.4 IEEE 802.11-2007: Encryption

Wireless encryption could be considered a preventative security measure: it keeps the bad guyout as it requires a STA or End-user to know a secret (e.g. a set of valid credentials). It alsoprovides a level of con�dentiality by encrypting messages transmitted between AP and STA and,depending on the method used, a level of AP, STA or even End-user authentication.Encryption was initially possible using WEP, but with the insecurities found in WEP, a new linklayer encryption protocol was needed and found in Temporal Key Integrity Protocol (TKIP).WPA-TKIP was actually an intermediate solution and a draft version of the 802.11i standard.

IY5500-DST-v120114-0857 12 of 57


It was later replaced by the full implementation of 802.11i, referred to as Wi-Fi Protected Ac-cess version 2 (WPA2) or Robust Security Network (RSN). The main reason for TKIP to beimplemented �rst was the fact that both WEP and TKIP use the RC4 stream cipher. With RC4built-in as a hardware module, existing AP hardware could be upgraded via a software updateto WPA-TKIP without an increased load on the Central Processing Unit (CPU) of the AP.WPA2 uses Counter Mode with CBC-MAC (CCMP) as the encryption protocol which uses Ad-vanced Encryption Standard (AES) for encryption and thus required new AP hardware to bedeployed that supported AES.802.11i security rests on the exchange of a secret key: the Pairwise Master Key (PMK). To pro-tect the PMK it is used in a four-way handshake and establishes another key called the PairwiseTransient Key (PTK). The PTK is divided into several keys including the actual Temporal Key(TK). This TK is the actual key used for the secure transmission of data between AP and STA.The PMK can be exchanged via several means: via a pre-sharing mechanism, commonly re-ferred to as WPA/WPA2-Personal; or as the result of an authentication process using 802.1xalso known as EAP over LAN (EAPOL), commonly referred to as WPA/WPA2-Enterprise7.

PSK or WPA/WPA2-PersonalThe most common way of exchanging the PMK is by sharing the key prior to access usingan alternative path: either pre-deployed via some sort of automatic con�guration (e.g. ActiveDirectory (AD)); or as straightforward as handing it on a piece of paper to the person requestingaccess. This method is mostly deployed in small Small O�ce/Home O�ce (SOHO) set ups andcommonly known as WPA(2)-Personal.The biggest advantage of using a Pre-Shared Key (PSK) is the ease of con�guration: Wirelessrouter vendors or ISPs include it in their quick-setup guides or make it part of the setup wizard.Some even deliver their devices with unique pre-con�gured SSID and PSK, which an End-userjust has to con�gure on their Wi-Fi enabled devices.Pre-setting of the SSID and PSK does require a unique and random key to be used. ThePSK should not be derived from the SSID, as was done by an ISP in the Netherlands allowingattackers to recover the PSK for thousands of APs [N:RTL12].A more generic disadvantage of a pre-shared key is the fact that it is prone misuse as anyonewith knowledge of the PSK can access the network or may even be able to eavesdrop on tra�cof other STAs. The biggest disadvantages of using a PSK are:

• An attacker is not blocked from trying to guess the PSK either by trying to gain accesswith a di�erent PSK or by trying to decrypt transmissions from valid STAs. The PSKshould therefore be regularly replaced; and

• In case of (potential) key compromise all APs and authorised End-users will have to benoti�ed of the new PSK.


IY5500-DST-v120114-0857 13 of 57


Depending on the size of the Wi-Fi Hotspot environment (e.g. an airport) the use of a PSK isnot an option, especially due to issues with key management:

• The PSK would be the same for all End-users and may be shared limiting the ability tocharge for Wi-Fi Hotspot use.

• The PSK would need to be changed regularly to ensure regular visitors could still becharged for Wi-Fi Hotspot use. Changing the key on a regular basis would require currentlyconnected devices to replace their PSK.

• If the PSK would be known to an attacker he could set up a rogue access point with thesame PSK or derive the possible session keys to eavesdrop on someone else's tra�c.

A small establishment like a pub could consider using a PSK for its regular customers.

2.5 IEEE 802.11-2007: Authentication

There are several ways for End-user and/or their STAs to authenticate with an AP: the earlierdiscussed method of using a PSK, authentication using the 802.1x protocol and �nally UniversalAccess Method (UAM)8. The latter is commonly used for granting access to Internet services atWi-Fi Hotspots.

2.5.1 PSK Authentication

Due to the fact that the PMK is shared as a PSK amongst multiple STAs and End-user othermethods are required to properly identify the device or End-user that has connected. In thatrespect, there is no unique STA authentication taking place when using PSK.The combination of the SSID with a valid PSK provides a level of authentication of the associatedAPs, or does it? Connecting to an AP that announces the SSID and accepts the PSK as a validcould be considered as part of the expected network. However, using a PSK actually allowsanyone that has knowledge of that PSK to set up an AP and pretend to be part of the genuinenetwork. There is no additional validation to check that that speci�c AP is actually part ofthat genuine network. It could therefore be under the control of an attacker and result inMan-in-the-middle Attacks.

2.5.2 802.1X Authentication

As stated earlier, the use of a single PSK is decidedly ine�cient in large wireless networks.802.1x, EAPOL or more commonly known as WPA(2)-Enterprise provides authentication andaccess control based on a unique set of credentials.These credentials can be username/passwordbased, but could also be based on digital certi�cate.Once the device or End-user is authenticated and authorised to access the network behind theAP, a PMK is exchanged and the TK is derived to encrypt further transmissions between STAand AP.EAP is de�ned in RfC 3748 and allows for authentication processes to take place on point-to-point connections [T:Abo+04]. There are several variants of the EAP of which the mostcommonly deployed are discussed in the next paragraphs.

8Note: UAM is not part of the 802.11-2007 standard

IY5500-DST-v120114-0857 14 of 57


PEAP and TTLSFor ease of deployment and positive user experience, most corporate wireless networks preferto re-use existing authentication systems like Microsoft Active Directory or other existing au-thentication realms. Both Protected Extensible Authentication Protocol (PEAP) and TunnelledTransport Layer Security (TTLS) allow the reuse of these legacy methods of authentication byencapsulating the authentication process into EAP. PEAP and TTLS are very similar in theway they perform the authentication process. They both. . .

. . . use the server certi�cate in the TLS tunnel to provide the �rst-stagenetwork-to-user authentication, and use the TLS tunnel to encrypt theuser credentials used for the user-to-network authentication in the second stage. . .

[B:Gas05, �22.2.2.2]

I strongly disagree with the notion that PEAP and TTLS perform network authentication.It is not the network, but the Remote Authentication Dial In User Service (RADIUS) serverthat is being authenticated to the STA and End-user.The only implied trust that has been established is the fact that AP and RADIUS have gonethrough some kind of authentication process that allows the AP to use the RADIUS server forauthenticating users that connect to the SSID.An attacker could set up his own AP with the same SSID and his own RADIUS server. Depend-ing on the awareness of the End-user and con�guration of the STA the attacker could performseveral eavesdropping attacks, including the retrieval of the valid credentials of the End-userfor the genuine network9. So the quote should state server-to-user and user-to-server

authentication.Only when the wireless network is pre-con�gured on the STA linking RADIUS server, certi�cateand SSID together is there su�cient authentication of the provided identities. Most STAs how-ever allow for exceptions and present an alert when the RADIUS server certi�cate is untrusted.The End-user is asked whether or not he wants to trust the certi�cate prior to connecting. How-ever, the only information presented to the End-user is the certi�cate of the RADIUS server,which does not tell him/her anything about the network he is about to connect to.802.1x is also used on wired networks. A wired network has a physical boundary so it is quitesafe to assume that a network-cable laying on a desk in an o�ce is part of that network. Awireless network is not restricted by a physical boundary so the only way to properly authenti-cate a wireless network is to use a protocol like Open Wireless Network Authentication Protocol(OWNAP)10

EAP-TLSEAP-TLS is an open standard de�ned in RfC5216 [T:SAH08]. Instead of using a usernameand password, it provides mutual authentication through the use of digital certi�cates by theinvolved parties: the RADIUS server and the STA.As part of the TLS tunnel establishment, the RADIUS server sends its public certi�cate to theSTA. The STA will check if the certi�cate is signed by a trusted Certi�cate Authority (CA) andif it has not expired.Provided that the RADIUS server certi�cate is validated, the STA will transmit the End-user'scerti�cate for similar validation by the RADIUS server.

9See �3.2 on page 4010See �4 on page 45

IY5500-DST-v120114-0857 15 of 57


PKI for PEAP, TTLS and EAP-TLSUsing PEAP, TTLS and EAP-TLS does require a Public-Key Infrastructure (PKI) to gener-ate the required certi�cates, and preferably one that runs in-house or at least does not signcerti�cates to other companies, but:

For an organisation of any size, this is not an issue to be undertaken lightly.There are many issues, technical and otherwise, involved in running a CA.

[B:PF03, �14.3.3]

One could use public CA that signs certi�cates for other companies, but that could create thefollowing attack scenario on e.g. PEAP and TTLS:

• The attacker con�gures a special RADIUS server that, while stealing the credentials sub-mitted, will reply �AUTHENTICATED� to any authentication request received

• The attacker initiates a connection to wireless network he wants to gain access to;

• The attacker is presented with a certi�cate and the associated certi�cate chain, showingthe CA used to sign the certi�cate;

• The attacker creates a certi�cate for the hostname for his rogue RADIUS server and sub-mits the related Certi�cate Signing Request (CSR) to the same CA that signed the genuineRADIUS server certi�cate. The CA will not be aware for which service the certi�cate willbe used and will thus sign the request, validating the certi�cate for o�cial use;

• The attacker con�gures his now signed certi�cate on his rogue RADIUS server and con-�gures his rogue AP to use his RADIUS server for authentication.

• The attacker con�gures his rogue AP with the same SSID as the genuine network andwaits for clients seeking connection with the genuine network;

• STA that trust the CA to have signed any RADIUS server certi�cate will send thosecredentials without any alert to the End-user.

This vulnerability exists due to the fact that the RADIUS server is the only entity that isvalidated by the certi�cate, not the SSID nor the AP. It is a similar to the scenario mentionedin the paragraph �PEAP and TTLS�, but this time the STA may not even alert the End-useras the CA is trusted as the signer of any RADIUS server certi�cate. It is worth noting thatsome Operating Systems (OSs) do provide additional options for pre-requisites like only trustingcertain hostnames. This will eliminate the ability of an attacker to use another RADIUS serverhostname and thus eliminate the ability for an attacker to get the correct certi�cates signed.With EAP-TLS both the server and the user are authenticated with certi�cates and the relatedkeys are used to en/decrypt challenges and responses, the above attacks becomes infeasible asthe attacker lacks the access to those keys. It may be infeasible, but not impossible as the APand SSID are still not being properly authenticated.

IY5500-DST-v120114-0857 16 of 57


EAP-SIMNeither of the above mentioned authentication mechanisms are very successful when deployed ina Wi-Fi Hotspot environment. They both require users to pre-register with a service provider,install a client or walk up to a booth or machine to purchase the required credentials. Mobilephone networks do not have these issues. Mobile phones can roam from base station to basestation and even roam onto an a�liated mobile network when abroad or out of reach of theirhome mobile network.This is all possible due to the fact that a mobile phone contains a Subscriber Identity Module(SIM) that contains a secret de�ned by the mobile operator when the SIM was manufacturedand which is used to authenticate the SIM and thus the mobile phone when it connects to themobile network. The authentication of the SIM can span the mobile network and can even crossa semi-trusted mobile network ensuring that the keys used are not compromised and reused inan unauthorised manor. More information on the authentication process of GSM and UMTScan be found in �Everyday Cryptography� [B:Mar12, pp. 434-444].With the increase use of smart phones, mobile network operators have trouble keeping up withthe insatiable hunger for bandwidth of the applications running on these devices. Their regularrevenue stream of phone minutes is going down while data usage is going up. As a result, themobile operators put limitations on mobile data usage plans, allowing users to only consume acertain amount of bandwidth per month unless the customer is willing to pay extra. This causesmobile customers to switch to an alternative: Wi-Fi Hotspots that are readily available and ina lot of cases free of charge.Even with EU directive to lower roaming tari�s as of July 1st [T:Com12], Dutch End-users stillprefer to use Wi-Fi Hotspots as shown in the survey below:

Of the 8000+ respondents, 54% stated they would prefer to use Wi-Fi Hotspots over the newrates (18%) and only 20% stated they would not be using mobile internet at all.

Figure 2.5: Survey on NU.nl on Wi-Fi vs Mobile [O:NU.12]

IY5500-DST-v120114-0857 17 of 57


The o�oading to wireless reduces the load on mobile networks, but it also reduces the revenuestream of the mobile operator as customers no longer require bigger data plans. To reclaim someof this revenue back, a new standard has been launched called 802.11u11 which uses EAP-SIMto authenticate mobile phone users to special 802.11u enabled Wi-Fi Hotspots. These Wi-FiHotspots are either managed by the customer's mobile network operator or by an a�liatedWireless Internet Service Provider (WISP) that will recharge the use back to the customer'smobile network operator.

2.5.3 Universal Access Method

Except for EAP-SIM, the paragraphs above have clearly shown that requiring keys prior toaccessing public wireless networks is not a viable option for providing wireless network serviceto the public. That is why the notion of a Wi-Fi Hotspot was created. Wi-Fi Hotspots arenot part of the 802.11 standard, but they are regularly used by WISPs or other establishments(e.g. hotels) to control access to their wireless (Internet) services. The initial connection to thewireless network is open: no authentication takes place during the association between STA andAP. This service is commonly revered to as UAM that redirects any unauthorised users to aspecial website called a Captive Portal (see Figure 2.6):

(a) RHUL CampusNet Captive Portal

(b) Embedded password-only Captive Portal

(c) Dutch ISP Captive Portal onMobile phone

Figure 2.6: Di�erent Captive Portals

11See �2.6 on page 20

IY5500-DST-v120114-0857 18 of 57


Once the STA is connected to the wireless network, the STA either loads the Captive Portal pageautomatically or the browser of the STA is initially redirected to the Captive Portal page. Thisdepends on the type of STA used and the con�guration of the Wi-Fi Hotspot one is connectingto.As shown in Figure 2.6, the Captive Portal is a special web site on which the End-user is askedto provide:

• A valid username and/or password; or

• A valid prepaid voucher code; or

• A credit card to pay for the service.

In most cases, the End-user is also asked to accept an Acceptable Use or Terms of Use Policy.

A Captive Portal can be embedded on the AP itself (AP#1 in Figure 2.7) for small set ups orbe a central webserver where new, yet to-be authorised STAs are redirected to.In some cases the payment of any fees is handed o� to yet another service provider12.Some initial free services may be available through a Walled Garden principal: the bandwidthis either capped to a reduced speed or only certain websites are accessible for free (e.g. hotelreservation system). Once a STA has successfully authenticated these limitations are lifted.The MAC address of the STA plays a key role in this as it is used to identify STA once theauthentication on the Captive Portal has taken place. The MAC is placed on the approved clientlist on the UAM Gateway, allowing full access or the STA may be asked to reassociate with theAP and placed from an isolated Virtual LAN (VLAN) (STA#3 in Figure 2.7) where only theCaptive Portal was accessible; onto a VLAN that provides full access (STA#2a in Figure 2.7).The latter is used in large scale setups like a university campus with a large ESS.Once authenticated the MAC address of the STA is stored centrally and when the STA roamsbetween APs the MAC is recognised and the STA connected to the same full access network(STA#2a and b in Figure 2.7 ).

IsolatedVLAN

Internet

UAM AP#1

RTR#1

STA#1 STA#2a STA#2b

STA#3

Figure 2.7: Di�erent UAM setups [A:Sta12]

12See �B on page VII

IY5500-DST-v120114-0857 19 of 57


UAM is a very user-friendly solution as users can quickly connect to the network. Sometimeswithout additional steps required and/or without leaving the chair they sit in. The CaptivePortal may be a secured website for the purpose of collecting credit card information or othersensitive information of the End-user, but this is not an enforced requirement nor somethingthat the End-user may notice13.Even with a Secure Socket Layer (SSL) certi�cate in place on the Captive Portal, there isagain no validation of the network the STA or End-user is connecting to. The certi�cate onlyauthenticates the webserver the STA is connecting to. The Captive Portal could be a copy of anearby WISP or something that an attacker created himself. This would allow the attacker tosteal the requested credit card information presented by the End-user. The End-user would benone the wiser until his credit card was used to purchase items he/she did not order.It is actually more secure to register in advance and buy vouchers that allow access for a limitedperiod of time. Credentials for a WISP may be linked to an account that includes credit cardor other personal information. When those credentials are collected by the attacker and amanipulated Captive Portal, he can use those credentials to gain access to the real CaptivePortal and gain access to the personal information stored.The ad-hoc nature of Wi-Fi Hotspots: access within 2 minutes as a �rst-time customer, is whatmakes them so successful. Pre-registration or the requirement of having certain software pre-installed is less favourable and a related subscription-based service only favoured by frequenttravellers.

2.6 IEEE 802.11-2012: The latest Wi-Fi Standard

During the research for this dissertation it became clear that IEEE rati�ed a new version of the802.11 standard which included several interesting updates [T:IEE12]:

802.11k Ensures better radio resource management;

802.11n Improves network throughput for the previous standards 802.11a and 802.11g;

802.11p A new standard for Wireless Access in Vehicular Environments; (WAVE)

802.11r Ensures faster and secure hand-o�s when moving quickly between base stations;

802.11s De�nes the ability to interconnect and create a Wireless Local Area Network (WLAN)mesh network;

802.11u Allowing for interworking with external networks;

802.11v Allows STAs to become aware about the wireless environment they are located result-ing in an improved service;

802.11w Increases the security of 802.11 management frames;

802.11y De�nes the new 3650 to 3700 MHz band that has been released for public use in theUnited States;

802.11z De�nes mechanisms that allow STAs to connect directly between themselves, whileremaining associated with an AP;

13See �2.7.2 on page 24

IY5500-DST-v120114-0857 20 of 57


2.6.1 IEEE 802.11-2012: 802.11u

The 802.11u amendment was rati�ed by the IEEE in February 2011 and will be deployed andcerti�ed by the Wi-Fi Alliance under the name Passpoint

TM, enabling seamless access to Wi-

Fi Hotspots. The Passpoint framework includes a device certi�cation for STAs and APs andassociated technical speci�cations and requirements named Hotspot 2.0.In regular wireless networks STAs use active probing techniques or listen for AP beacons todiscover APs. When initiating a connection to an unknown network, it is the End-user thatneeds to recognise the SSID. The discovery process of 802.11u is still the same, but it includesnew information in the beacon and probe response frames allowing STAs to query an 802.11uenabled AP for more information. This includes information if the STA is able to authenticateand roam via the AP similar to how a mobile phone roams on guest networks [B:Mar12, pp. 434-444].The primary focus of this amendment is mobile devices and the earlier mentioned method ofauthentication called EAP-SIM14 which stores the required credentials on the SIM card of themobile device.

Legacy clients with the correct credentials and supporting the correct EAP meth-ods can connect to Passpoint APs. Legacy clients which do not have the cor-

rect credentials and support for the correct EAP methods must use open-

system, browser-based authentication, where WPA2 may not be required

and therefore security is not guaranteed.

[T:All12, p. 9]

Because 802.11u uses 802.1x for authentication it may be possible to perform the same attacks,especially as TTLS is supported which has been shown to have vulnerabilities15. It all dependson the underlying con�guration and limitations on the certi�cates and CAs used. Informationis limited at the moment, but one can assume that the solution involves RADIUS servers thatproxy for other RADIUS servers. Any certi�cates presented, will have to be signed by a CAand if that CA accepts requests from non-WISPs, it could be abused and sign a certi�cate fora rogue RADIUS server. Although it does not use certi�cates, EAP-SIM does use the build-inmechanism of the SIM and authentication-triplets (or quintets in case of EAP-AKA) to performthe authentication [T:Gem10].Because these mechanisms have been trialed and tested over the years they will probably resistmost attacks. It is worth noting though, that these mechanisms were used on mobile networkswhere a potential attacker had limited or no access to as the related Base Station hardware isnot cheap nor easy to come by.Though abuse may be less likely due to the additional complexity, the wireless network itself isstill not authenticated: it's still the RADIUS server(s) involved that are authenticated not theSSID nor the AP.802.11u uses either the earlier mentioned EAP-SIM [T:HS06] or EAP-AKA [T:AH06]. BothRequest for Commentss state that although they have been veri�ed to be compatible with EAP. . . no other review has been done, including validation of the security claims.EAP-AKA uses Universal Mobile Telecommunications System (UMTS) which allow the SIMto con�rm if the home network has actually produced the challenge because the associatedauthentication quintet includes the (encrypted) sequence number that is incremented for eachauthentication event.

14See �2.5.2 on page 1715See �2.5.2 on page 15

IY5500-DST-v120114-0857 21 of 57


EAP-SIM uses the GSM authentication triplets, where a possible attack could be sought in asuccessful Man-in-the-middle Attack that forces the weaker encryption algorithm A5/2 to beused. The use of a weaker encryption algorithm may allow an attacker to eavesdrop on theinformation exchanged.

Roaming with 802.11uThen there is also the matter of choice: 802.11u will allow mobile service provider to charge forboth mobile and Wi-Fi roaming as long as they have an agreement with the nearby local WISP.Even if a End-user has a 802.11u enabled device, he or she may prefer to use another nearbywireless network that is free of charge instead of paying roaming charges.It is unclear at this time if the EAP-SIM or EAP-AKA will be able to store or allowed to storemultiple credentials or use some kind of federated identity service, allowing for the reuse of theEAP-SIM or EAP-AKA credentials for di�erent (competing) providers. The chances of thishappening are slim as it is not in the interest of the mobile service provider to provide such aservice.

802.11u will increase transparency and ease of use and when one has to pay for the Wi-Fi service,will not require an End-user to submit its credit card details it tries to connect to, which is abig security advantage.Surveys performed by DeviceScape,a leader in Wi-Fi o�oading services [O:Dev12], clearly showa preference under its 10 million members for free wireless networks. However, their surveys alsoshow that End-users prefer to automatically connect to a nearby Wi-Fi networks as well. Giventhose statistics it is di�cult to guess if 802.11u will prevail over free or cheaper Wi-Fi Hotspots.

(a) Do you search for free Wi-Fi when roaming (Q2-2012)(b) Do you prefer auto-connecting to Wi-Fi (Q4-2011)

Figure 2.8: DeviceScape Survey Responses #1 [O:Dev12]

IY5500-DST-v120114-0857 22 of 57


2.7 Other Security measures

2.7.1 Network Location Awareness

Microsoft Windows 7 includes a service called Network Location Awareness (NLA). It is aservice that checks if the network accessed has been connected to previously. It does this by �rstattempting to identify a logical network via reverse Domain Name System (DNS). If that fails,NLA identi�es will check the registry for any con�gurations stored and if that fails aggregatethe network information available to the device.

Hop ID Link ID Network ID

48 bytes

Subnet 1 Subnet 2

Internet

Figure 2.9: Microsoft's Network GUID [O:Yao05, p.7]

The NLA Globally Unique Identi�er (GUID) consists of 48 bytes and is a concatenation of[T:Ste07]:

• the Network ID that corresponds with the DNS su�x of the network; and

• the Link ID that corresponds to the MAC address of default gateway; and

• the Hop ID that corresponds to the BSSID of the AP

At the time of writing this dissertation, the resulting GUID is compared with existing GUIDand if found result in the automatic selection of a host �rewall pro�le. If the GUID is not found,the user may be prompted to select the correct pro�le16.The related patent submitted by Microsoft [T:Ste07] suggests that Microsoft may be consideringto automatically recon�gure or at least make (network) applications aware of network changesbased on the Network GUID. Spoo�ng a known network may result in the lowering of theclient defense mechanisms and again shows the importance that one ensures that the network isproperly authenticated and not based on information of which the integrity can't be guaranteed.Examples of which will follow in the next paragraphs.

16See �3.1.2 on page 32

IY5500-DST-v120114-0857 23 of 57


2.7.2 Graphical User Interfaces

Of course it is essential that if security measures fail and/or exceptions occur, that the End-useris noti�ed. However, even before or when those exceptions occur an End-user should be providedtrustworthy and clear information so that he/she can make an informed decision.

Available Wireless Network listFigure 3.3 on page 33 shows a list of networks on Microsoft Windows 7. It does state thatinformation sent might be visible to others, but it does not say anything about the fact that theSSID and thus the perceived network may not be the network one thinks one is connecting to.

Web BrowsersEnd-users may think that certi�cates used on websites are just for encrypting tra�c betweenclient and server. However, their initial task is to authenticate the site one is visiting. When aclient browser visits a SSL enabled website, the following checks occur:

• the presented certi�cate includes a Fully Quali�ed Domain Name (FQDN) that shouldcorrespond with the host address of the website visited; and

• the presented certi�cate should be signed by a trusted CA; and

• the presented certi�cate has not expired or been revoked by the CA; and

• the certi�cate contains a signed hash to ensure that the certi�cate has not been tamperedwith.

If all these checks are con�rmed, the website is considered authenticated and the establishingof a shared session key/secret continues. Once a secure connection is established the End-useris presented with some changes in the Graphical User Interface (GUI) that a secure connectionis established. But studies [T:Sch+07] show that users ignore warnings or will submit sensitiveinformation when a website is not secure.

Figure 2.10: HTTPS in the di�erent Internet Browsers[A:Hun11]

IY5500-DST-v120114-0857 24 of 57


The fact that the European Union has now forced Microsoft to provide End-user the option whichbrowser to use [T:Eur09] may make it worse as each browser has a di�erent way of representinga secure connection. It will at least make it more di�cult for the owners of secure websites (likebanks) to educate their customers. With the release of EV-SSL the security industry has triedto provide an extra level of assurance and the user is given another visual aid to identify a siteprotected with an EV-SSL certi�cate.

Figure 2.11: EV HTTPS in the di�erent Internet Browsers[A:Dig12]

However, End-users are not necessarily informed of this enhancement, nor is it presented in thesame way in all webbrowers (see Figure 2.11). There is also no information given when such acerti�cate should be used or expected.Browser should actually have some sort of technology that identi�es websites and demandscertain a category of sites to use a secure channel of communication.Google has started to do exactly that with their browser Chrome using a method called HTTPStrict Transport Security (HSTS) and Certi�cate Pinning. HSTS will ensure that the websiteonly accepts SSL connections and prevent SSL stripping attacks. An SSL stripping attack is aMan-in-the-middle Attack whereby all requests for secure pages are converted into requests fortheir non-secure counterparts. If the user pays no attention to the fact that there is no secureconnection and the service can be reached via both a secure and insecure channel, an attackercan eavesdrop on all information transmitted.Certi�cate Pinning will ensure that the certi�cate presented is actually signed by a pre-de�nedCA. This is due to the fact that there is no dedicated CA for websites ending with e.g. .com.So a CA should check if another CA has already signed a similar certi�cate or at least ensurethat the requester is the owner of the domain one is requesting a signature for.These procedures can be circumvented and once a second certi�cate is signed there is no way formost browsers to verify if the presented certi�cate is signed by the wrong CA, unless the abusedCA revokes the certi�cate.This is what exactly happened during the breach at DigiNotar. During this breach, severalcerti�cates were signed by the CA of Diginotar, including one for Google Gmail [T:Pri11].

IY5500-DST-v120114-0857 25 of 57


According to a blog of Google, Certi�cate Pinning actually protected Iranian Chrome users fromusing an insecure connection to GMail, by alerting them of the unauthorised certi�cate as it wasnot signed by the correct CA [N:Adk11].Certi�cate Pinning is a nice solution, but it is currently not very scalable to ensure the right CAis used for all secure websites in the world. It would require a lot of synchronisation and wouldneed to be very well protected to ensure the integrity of the Certi�cate Pinning information.

Mobile AppsAlthough mobile webbrowsers do include the infamous padlock, mobile Apps actually do notpresent a padlock at all, when transmitting sensitive information. One has to assume theconnection is secure, but there is no visible con�rmation of that. One could also assume thatApps are checked for using a secure connection prior to release, but several news items and apersonal �nding17 suggest otherwise.A suggestion could be to show a padlock at the top of the screen, when a secure connection ismade, but users may ignore it as mentioned before. Maybe it is better to only notify End-users ifexceptions occur. However, not providing users with a con�rmation if a connection is secure doesimply, that as a developer, you have the obligation to ensure sensitive information is protectedduring transmission. It would therefore be a good idea that the online App stores check ifsensitive information is properly protected during their mandatory checks prior to launchingnew Apps to the store. Another possible solution would be to provide developers of Apps onlywith secure Application Programming Interfaces (APIs) methods, enforcing the use of thesemethods for exchanging sensitive information (e.g. only allowing secure user authenticationmethods).

2.8 User behaviour

The following report concluded that people's minds work in unexpected ways when o�ered eitherfree or cheap items:

Contrary to a standard cost-bene�t perspective, the results show that, in the zero-price condition, the proportion of participants choosing the less attractive, but freechocolate dramatically increases, while the proportion of participants choosing themore attractive chocolate dramatically decreases. Thus, individuals seem to act as ifpricing a good as free not only decreases its cost, but also adds to its bene�ts.

[T:SA06]

Although not part of the investigation, one could assume that the same could hold true whenan End-user connects to a free Wi-Fi Hotspot. He/she may be considering it as safe as theirwireless network at home. Many End-users may lack the understanding of all intricacies of thedi�erent parts involved as described in this chapter, resulting in them potentially falling victimto an (targeted) attack.

17See �3.1.3.1 on page 36

IY5500-DST-v120114-0857 26 of 57


2.8.1 Surveys on Wi-Fi Hotspot Use

DeviceScape is a leader in data o�-load solutions and performs surveys on a quarterly basisamongst its user base of 10 million members. The results of these surveys are published ontheir website [O:Dev12] and show the importance of (free) Wi-Fi Hotspots to its users. Severalsurveys were reviewed and an excerpt of the results from Q1 of 2011 to Q2 of 2012 can be foundbelow.Although these results show some interesting �gures, there was no trending information available,as little or no questions were repeated over the years.

(a) Preference Smartphone Browsing (Q2-2012) (b) Preference Tablet Browsing (Q1-2012)

(c) Preferred network while roaming (Q3-2011) (d) Importance of Wi-Fi (Q3-2011)

Figure 2.12: DeviceScape Survey Responses #2 [O:Dev12]

The results clearly show a preference for Wi-Fi Hotspots, especially when roaming. This is dueto the fact that abundant (free) Wi-Fi Hotspots are no competition for the roaming charges onehas to pay when using 3G/4G networks. The results of the NU.nl survey on page 17 con�rmthis as well.

IY5500-DST-v120114-0857 27 of 57


2.9 Developer behaviour

While being interviewed in 2010, Steve Lipner, head of Microsoft's Trustworthy ComputingGroup stated:

�It is di�cult to write secure software� . . . �Developers are not trained and edu-cated on Security and how to write secure software, that is why Microsoft requirestheir developers and testers to undergo Secure Development training to ensure theywrite secure code�

[O:Lip10]

Another review of a Top 50 free iPad done in June 2012 demonstrated:

. . . even the top apps failed to use transport layer encryption properly. 80% of theapps tested were collectively found to use no transport encryption or 16% at best usedit interchangeably.

[O:Nea12]

Now in itself this may not be an issue, but a study estimated that 43% of End-users reuses theirpasswords [T:Bon11]. Thus eavesdropping on an un-encrypted Wi-Fi Hotspot and gathering apassword for a simple game may, in the worst case, result in gaining access to someone's bankaccount or other sensitive information.The fact that an application itself is not considered sensitive or does not contain or transmitsensitive information, does not entail that the user will not reuse the password associated withaccessing services that do contain sensitive data (e.g. a bank account).End-users should be educated to stop reusing passwords, but given the amount of passwords eachperson has (an average of approximately 25 password protected accounts per user [T:FH07]),there is a high likelihood that they actually are reused. It would be far better to ensure thatdevelopers protect sensitive information during storage and transmission.

2.10 Conclusion

The overall primary focus of Wi-Fi security has been about access control to the network. Thediscussed preventative and detective security and access controls all take place at the AP side.The use of encryption provides authentication of the AP or SSID by proxy at best. But by usinga PSK that level of authentication becomes quite low. One could argue that knowing the PSKwill already hand the attacker what he wanted: access to the network, but he can actually usethe PSK to eavesdrop or perform Man-in-the-middle Attacks on End-users and their STAs.

Access control measures prior to a full association with a wireless network will indirectly resultin a con�rmation of the identity of the network, but this type of access is not always a viableoption, especially when considering Wi-Fi Hotspots.802.1x is a much better solution to provide authentication and related encryption keys, butproper con�guration is key as some methods are insecure. Authenticating the associated RA-DIUS servers is important, but having some form of AP and SSID authentication would makea lot of sense. Given the fact that more and more devices are Wi-Fi-enabled and being sold[O:Ste12] will increase the likelihood of abuse and attacks on these platforms.

IY5500-DST-v120114-0857 28 of 57


Hacking is no longer just done for fun or to drive home an opinion. Organised crime has steppedup to the plate and are interested in a high rate of success when trying to gain access to sensitiveinformation, thus will attack the platform that is most used.

The Art of Deception shows how vulnerable we all are - government, business,and each of us personally - to the intrusions of the social engineer. In this security-conscious era, we spend huge sums on technology to protect our computer networksand data.

[B:KDM02]

I fully underwrite the notion that technology will not solve every security issue, but deceptionbegins with attacking the integrity of key information. Information like a SSID cannot beguaranteed because there is no telltale sign that either con�rms or refutes if that identity isgenuine.The use of Wi-Fi Hotspot and UAM portals is widespread, but even if a certi�cate for the portalis used, it only authenticates the UAM portal, not the network, nor does it give any guaranteethat submitting your credit card information will be handled in a secure fashion. Standards likePayment Card Industry Data Security Standard (PCI-DSS), that ensure the proper handlingof cardholder information, do not stop an attacker from collecting that same information on afaked payment site.End-users should not submit their sensitive information to sites that they don't trust, but thereis no such thing as a separate SSL certi�cate or telltale like the padlock, showing him/her thatthe site visited is a genuine and validated payment site.Furthermore, the wireless connection to Wi-Fi Hotspots is not encrypted, allowing for attackersto eavesdrop on all transmissions or create fake UAM portals and setup rogue Access Points toperform Man-in-the-middle Attacks.802.11u is a good step in the right direction, but only resolves the issues for STAs that have aspecial software pre-installed or contain a SIM card. It also requires a nearby 802.11u-enablednetwork that is owned or a�liated with their mobile network provider. It does not protectad-hoc users that do not have the required SIM or software installed. However, it does seemthat mobile operators are eager to roll-out 802.11u as their revenue is decreasing. Given theinvestment required for 802.11u to operate and the need to recuperate that investment, I reallywonder if 802.11u will prevail over all the free Wi-Fi Hotspots that are currently available.Other security measures, like the padlock in a browser or App, are either ignored by the End-user or are not visualised at all. Alerting users of just exceptions is �ne, but that does implyan added responsibility to the developers of mobile platforms and Apps to ensure that sensitiveinformation is always properly handled.

Looking at these vulnerabilities separately may cause one to conclude that the risk of abuse islow, but combining these vulnerabilities may result in toxic combinations and leave End-usersvulnerable to attacks.

IY5500-DST-v120114-0857 29 of 57

CHAPTER 3

Wireless Experiments

Two experiments were undertaken to identify potential client-side vulnerabilities and resultingattack vectors associated with Wi-Fi Hotspots and 802.1x based wireless networks.

3.1 Experiment 1: Clients associated with an Open Wireless net-

work

ScenarioAn End-user, Virgil, has been using an open wireless network with the Service Set Identi�er(SSID) CAMPUSNET. It is stored in the preferred wireless networks list of Virgil's device. The al-leged attacker, Malcolm, spoofs this known network, by setting up an Independent Basic ServiceSet (IBSS) that consists of a rogue Access Point (AP) with the same SSID CAMPUSNET. This setup is is also known as an evil twin. Malcolm could set up the rogue AP in the same service areaas the o�cial CAMPUSNET, but Malcolm could perform this attack anywhere as long as Virgil orany user of CAMPUSNET is in signal range.Although the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard statesthat: �the SSID element indicates the identity of an Extended Service Set (ESS) or IBSS�[T:IEE07, p.101], it does not explicitly state that two ESSs or IBSSs with the same SSID shouldbe considered as two di�erent networks. One could however argue that, as an ESS consists ofa unique set of Base Service Sets (BSSs) and integrated Local Area Network (LAN), the rogueIBSS is not part of the genuine ESS thus should be considered di�erent by its Wireless Stationor Clients (STAs).

HypothesisThe hypothesis therefore is that client devices would not automatically connect to just anywireless network with the same SSID. Especially if one is an ESS while the other is an IBSSwith no connection or relation to the genuine ESS.

IY5500-DST-v120114-0857 30 of 57

Chapter 3: Wireless Experiments

The objective of this experiment is to validate the hypothesis, by corroborating if a 802.11g STAwill automatically connect to a rogue AP announcing the same SSID as the genuine networkthat is in its preferred wireless networks list; or if the STA will notify the End-user of the factthat he is actually connecting to a di�erent IBSS (or ESS).

3.1.1 Experiment 1: Set-up

Figure 3.1 represents the setup used in the experiment which consisted of the following devices:

• STA#1a: Dell XPS 1640 running MS Windows 7 Home sp1 64bit

• STA#1b: Apple Macbook Air running OSX Lion 10.7.3

• STA#2a: Apple iPhone 4 running iOS v5.01

• STA#2b: Asus EEE Transporter running Android v3.2r1

• AP#1: Cisco WVRS4400N running �rmware v1.1.13

• SVR#1: Zotac ZBOX-ID41 running Ubuntu v10.04

• FWR#1: Thomson TWG870U Cable Router running �rmware STBA.01.41

LAN #2: 172.16.1.0/24LAN#1: 192.168.1.0/24

FWR#1: Firewall RouterEth0: 172.16.1.254WAN0: 80.57.170.78

INTERNET

AP#1: Rogue Router/APEth0: 192.168.1.1Wlan0: 192.168.1.1Eth1: 172.16.1.254

SSID: CAMPUSNET802.11b/g

192.168.1.0/24

STA#2STA#1

SVR#1: Rogue DHCP/DNS/Proxy ServerHost: rogue.dsiss.comEth0: 192.168.1.100

eBanking Server

Airline Server

Figure 3.1: Open Wireless Set-up (802.11b/g) [A:Sta12; A:BRS12]

The network diagram shown in 3.1 is a typical set-up of a �Wi-Fi Zone� or Wi-Fi Hotspot.Network access authorisation is either not required or done via other means. The End-userjust needs to use his/her wireless device to scan for nearby wireless networks and connect orwill connect automatically if the SSID was stored in the preferred wireless network list. Theannounced SSID is either a very common one like a brand name of a local Internet ServiceProvider (ISP) or the name of the establishment one has been visiting.

IY5500-DST-v120114-0857 31 of 57


3.1.2 Experiment 1: Findings

It is worth noting that an attacker can always eavesdrop on tra�c crossing this type of openwireless network, as the Protocol Data Units (PDUs) transmitted are not encrypted. This typeof activity is also known as a Passive Attack. Higher level protocols like HyperText TransferProtocol over SSL (HTTPS), IP Security (IPSec) or other secure tunnelling/encapsulating tech-niques can be used to guard against eavesdropping. Application developers should thereforealways implement a secure channel when transferring sensitive information (e.g. credentials,con�dential documents).Because of the built-in Network Location Awareness (NLA) service1 only STA#1a alerted theVirgil of a change in access/network, requesting what Firewall pro�le should be initiated (seeFigure 3.2). But as explained in �2.7.1, Malcolm could spoof this information as well as the Net-work Globally Unique Identi�er (GUID) is a collation of easily retrievable details of the genuineESS and thus should not be used for validating the identity of a network or a SSID.

Figure 3.2: Selecting the Network Location [A:Mic12a]

If Malcolm would have set the rogue AP up in the same area as the o�cial AP, Virgil wouldhave probably considered the �rewall selection as a glitch; selected the right pro�le and just con-tinued using the rogue access point. To ensure Virgil would connect to the rogue AP, Malcolmcould send so-called disassociation frames spoo�ng the identity (Basic Service Set Identi�cation


IY5500-DST-v120114-0857 32 of 57


(BSSID)) of one or more o�cial APs.If Virgil would have checked the bottom option �Treat all future networks that I connect to aspublic, and don't ask me again� in �gure 3.2, he would not have been noti�ed at all.Even though the Operating System (OS) considers the network to be a di�erent one, the pop-up window does not state anything about the fact that this is potentially a di�erent network.Although the NLA function is capable of distinguishing two Wireless Fidelity (Wi-Fi) networks2

with the same SSID, it is designed to assist Virgil in selecting the right Firewall / protectionpro�le. However, that decision may be based on incorrect or spoofed information. NLA is notdesigned to warn Virgil of the fact that he may be connecting to a rogue network.The other STAs did not register or alert Virgil at all and just connected to rogue AP as theylack an NLA service or other method.

Figure 3.3: Connecting to an Open Wireless Network [A:Mic12a]

It is worth noting that STA#1a is the only one that does not retain open wireless networks inits preferred wireless network list by default (see Figure 3.3). Secondly, it presents a warning:�Information sent over the wireless network might be visible to others.�. Although it may decreasethe likelihood of an open wireless network to be reused, Virgil may be a regular visitor of thelocation of this particular open wireless network (e.g. airport lounge) and may be inclined toadd it to his preferred network list anyway.


IY5500-DST-v120114-0857 33 of 57


3.1.3 Experiment 1: Possible Exploits

Given the fact that most STAs will just connect to an AP announcing a known SSID, Malcolmhas control over one of the Hops Virgil is connecting to. This allows Malcolm to perform so-called Man-in-the-middle Attacks or Active Attacks. The most obvious way of performing thistype of attacks would be to proxy Virgil tra�c, allowing Malcolm to alter the data transmittedor received to his liking. Another way would be to use a connected STA as a back-door into awell protected physical network using a �Dual-Homed� attack3.

3.1.3.1 Proxy-based attack using ParosProxy

Encrypted using Server-STA Key

Start Session

Setup SSL

Send Certificate

Send Secret

Send genuine Reply

Show Reply

Virgil Virgil’s STA Malcolm Web Server

Figure 3.4: Process Flow SSL Encryption [A:Sta12]

Figure 3.4 shows a regular connection between a STA and a secure website. Malcolm can eaves-drop on the tra�c but the secret will be encrypted. Any regular Proxy would allow the moni-toring or alteration of information sent in Clear-Text information sent or received. ParosProxy[S:Chi04] is such a proxy application but also includes Key Escrow features, which allows it toperform the monitoring or alteration on HTTPS tra�c as well. The Key Escrow feature usesa so-called Wildcard Certi�cate, which is valid for all possible website addresses. As shown inFigure 3.5 the STA is made to believe it is setting up a secure connection with the server.

3See �3.1.3.3 on page 38

IY5500-DST-v120114-0857 34 of 57


Encrypted using Server-Paros Key

Encrypted using Paros-STA key

Start Session

Setup SSL

Send Certificate

Send Alert*

Accept Certificate*

Send Secret

Read/Alter Secret

Setup SSL

Send genuine Certificate

Send (altered) Secret

Send genuine Reply

Read/Alter Reply

Send (altered) Reply

Show (altered) Reply

Virgil Virgil’s STA Paros Proxy Malcolm Web Server

Figure 3.5: Process Flow ParosProxy [A:Sta12]

Prior to any certi�cate being used it should be signed by a Certi�cate Authority (CA) that istrusted by the OS and/or Application of Virgil's STA. Otherwise, the certi�cate should not beaccepted and Virgil should be alerted of this issue. The OS or Application should show an alert(see * in Figure 3.5) to Virgil asking if the certi�cate should be trusted. The accommodatingmessage and the skill-set or awareness of Virgil could result in the warning to be ignored and theinvalid/untrusted certi�cate to be accepted for �secure� transmission. This would allow Malcolmto read any message4 transmitted and received. This is possible because the ParosProxy medi-ates the secure connection between Virgil and the server. It creates a secure connecting withVirgil's STA and a separate secure connection with the server, allowing it read and/or alter thetra�c prior passing it on.During the experiment, the tested devices are manually con�gured to use the ParosProxy server,but not to explicitly trust the presented certi�cate. In a real attack scenario the manual con-�guration of the proxy would not take place, but there are other options to force transparentproxying like using Cisco's Web Cache Communication Protocol (WCCP) or a gateway devicerunning a transparent proxy version of Squid. Transparent proxying would not require the man-ual recon�guration of the settings on the clients.These methods have however been considered out-of-scope of this project as it would have re-quired the purchase of additional equipment. Transparent or manually con�gured, the resultwould still have been the same as the attack does not rely on the method of access to the proxy.ParosProxy is quite dated (last update 2004) and includes a self-signed and expired certi�catethat could be replaced with a more recent one.Instead of ParoxProxy, other more recent applications like MITMProxy or Burp Suite couldhave been used as they have similar capabilities but for the experiments performed ParosProxysu�ced.

4any clear-text message that is encrypted with Malcolm's certi�cate

IY5500-DST-v120114-0857 35 of 57


Attacks performed with ParosProxyA random selection of Applications and Apps, including all main-stream Internet browsers (In-ternet Explorer, Mozilla Firefox (Windows & OSX), Chrome (Windows & OSX), Safari (OSX& iOS), were tested to see how they would respond to the certi�cate presented. Almost allapplications presented an alert (see Figures 3.6). The Google Chrome error was the most clearand descriptive of all errors presented. It clearly stated the potential problem with continuingto access the supposedly secured website5.

Figure 3.6: Untrusted Certi�cate [A:Goo12]

3.1.3.2 Proxy-based attack using SSLStrip

Another proxy application to alter the messages transferred between client and server is SSLStrip.

SSLStrip will transparently hijack HTTP tra�c on a network, watch for HTTPSlinks and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.

[S:Mar11]

In other words, any links or text containing HTTPS would be replaced with their HyperTextTransfer Protocol (HTTP) counterpart. SSLStrip does have two additional prerequisites:

• The server must provide the same service via HTTP; and

• The initial access should be started via HTTP to allow SSLStrip to rewrite any HTTPSlinks.


IY5500-DST-v120114-0857 36 of 57


Attacks performed with SSLStripFigure 3.7 and Figure 3.8 give a real-life example of an attack using SSLStrip performed inFebruary 2012.

Figure 3.7: Secure Login of a Dutch Bank

Translation (green box): Only �ll in your details if the URL starts with https://. . .Only then are you sure that you are authenticating to the site of the Bank

[]

As stated before SSLStrip will even alter the content of the webpage as shown below (Figure 3.8):

Figure 3.8: Insecure Login of a Dutch Bank via SSLStrip

Translation (green box): Only �ll in your details if the URL starts with http://. . .Only then are you sure that you are authenticating to the site of the Bank

[]

IY5500-DST-v120114-0857 37 of 57


In this case the bank should not provide the same service over a non-secure channel and secureaccess should be enforced by the server, not via (Java)scripts on the client-side. Please note thatit could not be ascertained if full access would be granted over a non-secure channel. This wasdue to a lack of valid access credentials. It does require End-users to be well aware of when asite should use HTTPS, something that is still an issue for most users [T:Sch+07, p.9].Mobile applications (non-Browser) are less vulnerable to this type of attack as these applicationstend to use secure HTTP from the start. This causes SSLStrip to fail in its ability to redirecttra�c to a non-secure version of the service. That being said, there is no way of con�rming thata mobile application is using a secure connection to transfer sensitive information.Just like the browser con�rming the security of a website/web application, it should be themobile OS to indicate, if a connection made by a mobile application is secure.

Note: As of the end of March 2012 the log-in page of the bank has been updated and the portalpage is only accessible via HTTPS.

3.1.3.3 Dual-homed Client Attack

The following attack is possible due to the fact that Virgil's laptop is equipped with both wiredand wireless interfaces. In this sub-scenario Virgil has been using the CAMPSUSNET wirelessnetwork and travels back to his o�ce. Malcolm can set up his rogue AP in- or outside thepremises of the o�ce of Virgil as long as Virgil's device is still in signal range. If Virgil's devicereconnects to the rogue AP, it will result in his device to become dual-homed (see Figure 3.9).There are some laptop vendors that support an auto-switching feature like Hewlett Packard. ThisBIOS feature is, however, not enabled by default on several of their current business models.

Malcolm VirgilRogue AP CorporateServerP

hys

ical

Off

ice

Per

imet

er

CorporateWANor

Figure 3.9: Dual Homed Attack [A:Sta12]

The STAs that were tested did not have an auto-switch feature that would ensure only onenetwork interface would be enabled at a time. Depending on the existence of a Firewall on thewireless interface, the device of Virgil could be used as a stepping-stone into the o�ce networkand result in unauthorised access of local servers or any systems on the corporate Wide AreaNetwork (WAN).

IY5500-DST-v120114-0857 38 of 57


3.1.4 Experiment 1: Vulnerable App found

During the experiments with ParosProxy there was one iPhone application that did not validatethe ParosProxy certi�cate properly, which shows how important it is to properly implementthe use of secure protocols and certi�cates. The application was receiving privacy sensitiveinformation which should have been properly protected. Apple does not disclose the numberof downloads/installations of Apps, but since the owner of the App is a large multinationalcompany with millions of customers, the use of this App is very likely to be quite widespread.After several recon�rmations the vulnerability was disclosed to the a�ected multinational. ItsCorporate Security department was eager understand what mistakes had been made. Moreinformation on the vulnerability and the process of the disclosure can be found in Appendix Aon page VI. The vulnerability could have been disclosed to the press as seen in other cases, butthis could have been detrimental to the brand of the multinational and never the intend of theresearch performed. Another similar research result was released to the press and appeared onDutch national TV in March 2012:

A Dutch security researcher has found a security �aw on smartphones runningthe Mobile Banking App of the ING Group. . . .Bart Jacobs, professor of ComputerSecurity at the Radboud University, was surprised:"It's a disgrace that this error wasmade. . . "

[N:Cyb12]

3.1.5 Experiment 1: Conclusion

This laboratory test shows that there is a potential for misuse of open wireless networks End-users are connecting to. End-users can be easily fooled to connect to a network that has atrustworthy name or is recognised by their device from supposedly earlier use. The hypothesisstated at the beginning of this experiment is therefore rejected.

Once an End-user system is connected its tra�c can be eavesdropped or even altered, whichmay or may not be detected. Whether or not alterations are detected largely depends on thedevelopers of the OS and/or application. If alteration is detected, it is the End-user who needsto decide how he/she should proceed and they may make the wrong decision either becausethe warning presented is unclear, the level of experience or awareness is too low. The formerclearly being the responsibility of the developer because long or unclear error messages may beconsidered glitches and thus completely ignored [T:Sun+09]. The NLA service gives some levelof awareness, but as stated before6 is not really intended to distinguish friend from foe.

Sometimes it is not even required to attack encrypted tra�c. One could probably just eavesdropon the tra�c as sensitive information transmitted was not encrypted at all7.

6See �2.7.1 on page 237See �2.9 on page 28

IY5500-DST-v120114-0857 39 of 57


3.2 Experiment 2: Wireless networks with 802.1x access control

Experiment 1 showed that open wireless networks come with certain risks to its End-users. Itwould be better if a mechanism was used to encrypt the wireless communication between Wire-less Station or Client (STA) and Access Point (AP). A commonly used security mechanism isthe use of a Pairwise Master Key (PMK). However, this is not a viable option when used toprotect End-users on a Wi-Fi Hotspot8.Some form of per user key exchange would resolve these issues. The only solution currentlyavailable is to use IEEE 802.1x based authentication: when a STA connects to the AP it ischallenged for credentials prior to it being allowed full access to the network. If the STA isauthenticated and authorised to access the network, a key is derived and used to encrypt furtherwireless communication between the AP and the STA.Devices involved in this experiment were aligned with the IEEE 802.11-2007 standard. Devicesof software that support new standards like 802.11u were not considered nor available at thetime of writing this dissertation.

ScenarioVirgil has been given a username and a password to access an Extended Service Set (ESS) withthe Service Set Identi�er (SSID) EDUROAM. The APs require the use of 802.1x using ProtectedExtensible Authentication Protocol (PEAP) as the authentication mechanism.The EDUROAM network has not been pre-con�gured on Virgil's STA and he will be connecting tothe network for the �rst time.Malcolm is an attacker and plans too spoof the EDUROAM network and trick Virgil into au-thenticating with his malicious authentication server. This will allow Malcolm to steal Virgil'scredentials and gain access to both the network and systems that those credentials give himaccess to.

HypothesisThe hypothesis of this experiment is that 802.1x PEAP could be used to provide mutual au-thentication of both End-user and a Wi-Fi Hotspot.The objective of this experiment is to validate the hypothesis by understanding the requirementsof 802.1x based authentication and investigating if this method of authentication is vulnerableto attacks.


IY5500-DST-v120114-0857 40 of 57


3.2.1 Experiment 2: Set-up

Figure 3.10 represents the set-up used in the experiment which consisted of the following devices:

• STA#1a: Dell XPS 1640 running MS Windows 7 Home sp1 64bit

• STA#1b: Apple Macbook Air running OSX Lion 10.7.3

• STA#2a: Apple iPhone 4 running iOS v5.01

• STA#2b: Asus EEE Transporter running Android v3.2r1

• AP#1: Cisco WVRS4400N

• SVR#1: Zotac ZBOX-ID41 running BackTrack 5R1

• SVR#2: ISP managed/hosted DNS server

• FWR#1: Thomson TWG870U Cable Router

LAN #2: 172.16.1.0/24LAN#1: 192.168.1.0/24

FWR#1: Firewall RouterEth0: 172.16.1.254WAN0: 80.57.170.78

INTERNET

AP#1: Rogue Router/APEth0: 192.168.1.1Wlan0: 192.168.1.1Eth1: 172.16.1.254

SSID: EDUROAM802.11i/802.1x192.168.1.0/24

STA#2STA#1

SVR#1: Rogue RADIUS ServerHost: radius.dsiss.comEth0: 192.168.1.100

SVR#2: Rogue DNS Serverfor DSISS.com

Figure 3.10: WPA2 Enterprise Set-up (802.11i/802.1X) [A:Sta12]

Server (SVR)#1 is running a Remote Authentication Dial In User Service (RADIUS) servercalled FreeRADIUS [S:Fre11] to authenticate users.FreeRADIUS will either generate its own Secure Socket Layer (SSL) certi�cates (a.k.a. a self-signed certi�cates), but in this case it has been con�gured to use a trusted certi�cate that wassigned by StartSSL [S:Sta12].StartSSL is a Certi�cate Authority (CA), which is trusted by all of the devices that were partof the experiment. This was con�rmed by con�guring the secure web service running on theSVR#1 to use the same certi�cate and using the default browsers of all client devices to connectto this webserver.AP#1 is con�gured to use SVR#1 for authenticating and authorising users to gain access to itswireless service.SVR#2 has an Domain Name System (DNS) entry for the Fully Quali�ed Domain Name(FQDN) of the SVR#1 which is the name the SSL certi�cate has been created for.

IY5500-DST-v120114-0857 41 of 57


3.2.2 Experiment 2: Findings

Figure 3.11: RADIUSCerti�cate[A:App11]

All clients were able to connect with their credentials, but onlyafter accepting the presented certi�cate. Even though the certi�-cate was signed by a valid and trusted CA, it seems that a signedcerti�cate is not su�cient.This is due to the following: the certi�cate of the RADIUSserver authenticates the hostname of that server. It does notgive any assurance if the server is actually authoritative for thedomain/realm the user is trying to authenticate with nor is itcon�rming to be authoritative for the wireless network.To overcome this lack of trust of the certi�cate, Virgil either needsto accept it at �rst-use (see Figure 3.11 and 3.12) or have his STApre-con�gured to trust the association between the certi�cate andthe wireless network.Clearly the latter is not a feasible option for Wi-Fi Hotspots as End-users may have no prior as-sociation with the establishment nor the Wi-Fi Hotspot in question. Without pre-con�gurationVirgil would have to make the decision whether or not to trust the certi�cate presented anddi�erence in the accompanying message.As stated in Figure 3.12, only an administrator has su�cient information to con�rm the associa-tion between the authentication server and the wireless network while pre-con�guring a station.During this pre-con�guration, the administrator could even force the use of certain servers andCAs (see Figure 3.13). In this case Virgil has no means to con�rm this relationship as thecerti�cate presented only con�rms the identity of the authentication server and should thereforenot continue with his connection to the network.The experiment also showed that the Operating System (OS) of STA#1a has an advanced op-tion not to validate the presented certi�cate at all (see Figure 3.13). This is a very insecureoption that could be taken advantage o� as shown in the next section.

Figure 3.12: Windows 7 Certi�cate Alert[A:Mic12a] Figure 3.13: EAP Properties[A:Mic12a]

IY5500-DST-v120114-0857 42 of 57


3.2.3 Experiment 2: Possible Exploits

PEAP9 allows for several exploits, but only if the certi�cate of the RADIUS server is notproperly validated either through user error or through an insecure con�guration. As statedbefore the most technically vulnerable is STA#1a which may not be validating the certi�cateat all and connect without any warning. To exploit these vulnerabilities an altered version ofFreeRADIUS [S:Fre11] was used called FreeRADIUS Wireless Pwnage Edition (FreeRADIUSWPE) [S:WA08a]. It was created to demonstrate RADIUS impersonation vulnerabilities andhas the following features that will be used in this experiment:

• It will authenticate any given username and authorise its access request; and

• It adds credential logging for multiple Extensible Authentication Protocol (EAP) typesincluding EAP-MSCHAPv2.

3.2.3.1 Stealing Credentials

ScenarioEnd-user Virgil works for BestCorp and has been given a laptop STA#1a that has been pre-con�gured with a 802.1x based wireless network with SSID BestCorpWLAN. This allows Virgilto walk into any BestCorp o�ce and start working via the local wireless network. The wirelessnetwork will request and use his domain credentials to authenticate and authorise access to thenetwork. From Virgil's perspective this gives him a nice user experience, also known as single-sign-on. Virgil only needs to provide his credentials once when he logs into his laptop and the OSof the laptop will take care of the rest. The IT Administrator has however con�gured the centralRADIUS server with a certi�cate that is not signed by a CA. Instead, the IT Administrator hascon�gured Virgil's machine not to validate the certi�cate presented by the RADIUS server whenVirgil's machine is trying to authenticate to the corporate wireless network.It's lunch time and Virgil decides to take his laptop to a nearby lunch room. Malcolm has beenobserving BestCorp and its employees and is determined on gaining access to the corporatenetwork of BestCorp. Malcolm sets up a rogue AP on his laptop at the lunch room, that imper-sonates the corporate SSID BestCorpWLAN and con�gures it to use his instance of FreeRADIUSWPE. When Virgil starts up his laptop he notices that he has an internet connection and as-sumes he is connected to the wireless network of the lunch room. What Virgil does not know isthat Malcolm has been actively sending Virgil's laptop disassociation frames to disconnect himfrom the lunch room internet access and caused him to connect to that other �known� network:the rogue version of the BestCorpWLAN wireless network.


IY5500-DST-v120114-0857 43 of 57


As the OS of Virgil's STA does not validate the certi�cate it sends Virgil's credentials to Mal-colm's altered RADIUS server and Virgil's device is authenticated and granted access to theInternet. Malcolm on the other hand has been granted much more:

• He has a hashed version of Virgil credentials which he can brute-force or possibly lookupin a Rainbow Table. If he is able to recover the credentials he will not only have accessto the corporate network from the BestCorp public parking lot, but will also be able toaccess any server or information which Virgil has access to; and

• The Network Location Awareness (NLA) service of Virgil's laptop has been fooled intothinking that it is connected to the BestCorp network and has lowered its incoming de-fences; allowing Malcolm to exploit any vulnerable network service running on Virgil'slaptop; thereby possibly gaining access to Virgil's machine and access sensitive informa-tion by infecting it with some kind of Malware. If undetected, the Malware could spreadonto the real BestCorp network, once Virgil returns to his o�ce.

Actual Attacks performedThe experiment environment was used to successfully authenticate and authorise any user withany password, granting them access to the rogue wireless network. The MSCHAP passwordhashes were logged, but no tools were used to actually brute-force or reverse engineer themthrough a Rainbow Table. These tools do exist as shown in the ShmooCon 2008 presentation:�EAP: Pwned Extensible Authentication Protocol� [O:WA08b].

Figure 3.14: FreeRADIUS WPE Access Log[S:WA08a]

Figure 3.15: LEAP Dictionary Attack [S:Wri08]

3.2.4 Experiment 2: Conclusion

802.1x was not really designed for authenticating and authorising wireless End-users. It was de�-nitely not designed to provide authentication of the network. It either requires a pre-deploymentof the wireless con�guration including a selection of the associated CAs or su�cient knowledgeor awareness of the End-user to understand the consequences of sending its credentials to an un-trusted destination. Figure 3.12 clearly told the End-user not to connect and to contact his/heradministrator. Whereas the message displayed in Figure 3.11 only alerted on an untrusted cer-ti�cate.802.1x should therefore preferably only be used when the settings can be pre-deployed, like inan enterprise and probably the reason why it is commonly referred to as Wi-Fi Protected Access(WPA)(2)-Enterprise. The experiment has also shown that it is not a feasible solution for theproblem that this paper is trying to address with Wi-Fi Hotspots and another solution shouldbe considered.The hypothesis stated at the beginning of this experiment is therefore rejected.The experiment also showed that when deployed in a corporate environment one should considerimplementing it properly ensuring all insecure features are not used and other best practices arefollowed to the letter.

IY5500-DST-v120114-0857 44 of 57

CHAPTER 4

Open Wireless Network Authentication Protocol

Chapter Three has clearly shown a need for the proper authentication of the Service Set Iden-ti�er (SSID) and its associated Access Points (APs) to its potential Wireless Station or Clients(STAs). Having encrypted communication between STA and the AP would be bene�cial to theoverall security of the End-user as well: as it would prevent a nearby wireless attacker fromeavesdropping. To overcome the lack of authentication and encryption on Wi-Fi Hotspots, thischapter discusses the high-level design of a new protocol code-named Open Wireless NetworkAuthentication Protocol (OWNAP). It is based on Public Key Cryptography (PKC) and wouldbe best compared with the way a webserver authenticates itself to an End-user's browser1 usinga X.509 certi�cate. The following sections will describe the design of OWNAP including itsobjectives, a technical explanation of the protocol, the associated message sequence chart, itsprerequisites and �nally its implementation challenges.

4.1 OWNAP Details

This section will describe the objectives and technical details of the OWNAP protocol.

4.1.1 Objectives

The objectives and assumptions of the OWNAP protocol are as follows:

• OWNAP should provide assurance that the broadcasted SSID is transmitted by a validatedWireless Fidelity Internet Service Provider (ISP); and

• OWNAP should provide assurance that the associated APs with that SSID are part of theExtended Service Set (ESS); and


IY5500-DST-v120114-0857 45 of 57

Chapter 4: Open Wireless Network Authentication Protocol

• OWNAP should establish a unique Pairwise Master Key (PMK) per STA to encrypt thetra�c between STA and AP preventing the potential eavesdropping of nearby wirelessattackers; and

• OWNAP should allow for the same roaming capabilities between APs of the same ESS aswith regular Wi-Fi Protected Access (WPA) keeping latency or the chance of connection-loss to a minimum; and

• End-user or STA authentication and authorisation for the (Internet) service providedshould still take place through di�erent means (e.g. using an Universal Access Method(UAM)); and

• Existing Certi�cate Authorities (CAs) should be used to validate and sign the new X.509certi�cates; and �nally

• The use of OWNAP should be transparent to the End-users.

4.1.2 X.509 Certi�cate

The assurance if the SSID and associated APs are genuine will be established using a X.509 cer-ti�cate. In a X.509 certi�cate the Subject �eld identi�es the entity associated with the Public-key found in the Subject Public Key Info �eld [T:ITU08a, p. 12]. The certi�cate Subject

�eld contains several X.520 attributes, e.g. the Common Name (CN) attribute will be set to theFully Quali�ed Domain Name (FQDN) of a webserver.To accommodate for OWNAP, the X.509 certi�cate will have to validate both SSID and theBasic Service Set Identi�cations (BSSIDs) of one or more APs. Another X.520 attribute willhave to be selected as the X.520 currently does not provide a BSSID attribute to store theBSSIDs. The following X.520 attributes have been selected:

• CN: this attribute will be set to the broadcasted SSID; and must always be su�xed with.wi�2.

• uniqueIdentifier: this attribute will be set to one or more BSSIDs of the APs associatedwith the ESS. The uniqueIdenti�er variable is de�ned as a bit string in X.520 [T:ITU08b,p. 14]. A BSSID is currently 6 bytes long (48bits) [T:IEE07, p. 65]. This �xed lengthallows any system to determine number of and the start and end of each BSSID withouta delimiter.

One could also create a new attribute called BSSID. In a X.500 deployment one is allowed tocreate new attributes, also referred to as schema changes. The BSSID variable would become aglobally used attribute, so it would be bene�cial to submit it as a new attribute to the X.520standard.


IY5500-DST-v120114-0857 46 of 57


Multiple BSSIDsThe reason why the uniqueIdentifier attribute must be able contain the BSSIDs of multipleAPs in the same area (e.g. airport terminal), is to allow for faster roaming between APs thatare part of the same ESS and the fact that APs cant have the same BSSID3.At �rst glance it may be unusual to have a single certi�cate con�gured on multiple APs butit is still used to authenticate a single entity: the ESS the APs deliver access to. Sharing thecerti�cate allows the STA to more quickly establish a new or even reuse the PMK it establishedwith the initial AP of the ESS. This is similar to the re-use of the encryption key in Global Systemfor Mobile Communications (GSM) communications, which is agreed between the SubscriberIdentity Module (SIM) and the mobile network it being services by. The encryption key isshared by all the base stations with which the mobile phone/SIM communicates.Else roaming STA/mobile phone and nearby APs/base station would need to go through thecomplete encryption set-up again which could result in unacceptable latency, decremental to theservice and resource usage overhead.As OWNAP hands of the PMK to WPA, the existing WPA pre-authentication mechanism wouldbe used and should keep latency due to roaming to a minimum.Compared to a web site certi�cate, some of the X.509 version 3 extensions �elds will requiresome changes as well:

• Key Usage [T:ITU08a, p. 25]: similar to a webserver the certi�cate will be used for signingthe SSID and BSSIDs and provide the method of securely agreeing and exchanging thePMK;

• Extended Key Usage [T:ITU08a, p. 25] :The KeyPurposeIds for these values do not exist,but the Request for Comments (RFC) for OWNAP would include these de�nitions. TheITU states that key purposes may be de�ned by any organization with a need [T:ITU08a,p. 26].

• Subject Alternative Name: The SSID and BSSIDs �elds could be de�ned as an otherNameas allowed by X.509 [T:ITU08a, p. 29].

The certi�cate can be signed by any of the existing CAs, but the CAs should ensure they onlysign a OWNAP X.509 certi�cate that contains these new attributes, especially the .wi� su�xof the CN4.The signing of both SSID and associated BSSID(s) will provide the required assurance thatassociated APs are o�cially part of the broadcasted SSID and resulting ESS.The certi�cate can be transmitted to a requesting STA using the protocol that is already in use.Two new ElementIDs would need to be de�ned for the Management Frame[T:Wri07]:

• As OWNAP will hand over to WPA authentication, the already de�ned Robust SecurityNetwork (RSN) Information Element could be used to distinguish between a regularWPA Management Frame or a �WPA over OWNAP� Management Frame. If this is notpossible a new ElementID would need to created;

• The second ElementID, OWNAPCert, would be used to transmit the certi�cate.

3See �2.2 on page 74See �4.1.3 on page 49

IY5500-DST-v120114-0857 47 of 57


Below is an example of the OWNAP X.509 Certi�cate5:

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 359836 (0x57d9c)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing,

CN=StartCom Class 1 Primary Intermediate Server CA

Validity:

Not Before: Feb 18 04:20:32 2012 GMT

Not After : Feb 18 09:51:20 2013 GMT

Subject:CN=GenuineSSID.wifi/

uniqueIdentifier=7B-C8-7A-0F-2F-19

99-F8-10-22-A2-D2

59-0B-13-8B-20-69

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (1024 bit)

Modulus:

00:f2:6b:d2:45:ef:4d:df:3a:e0:b3:0b:71:37:bf:

...

c4:36:db

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage:

Digital Signature, Key Encipherment, Key Agreement

X509v3 Extended Key Usage:

TLS SSID & AP Authentication

...

X509v3 Subject Alternative Name:

SSID: GenuineSSID.wifi,

uniqueIdentifier:7B-C8-7A-0F-2F-19;99-F8-10-22-A2-D2;59-0B-13-8B-20-69

X509v3 Certificate Policies:

...

X509v3 CRL Distribution Points:

Full Name:

URI:http://crl.startssl.com/crt1-crl.crl

Authority Information Access:

OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca

CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt

X509v3 Issuer Alternative Name:

URI:http://www.startssl.com/

Signature Algorithm: sha1WithRSAEncryption

7c:9f:69:0b:be:86:1f:5e:df:cd:a3:aa:30:4d:6d:d1:ba:12:

...

a3:8a:75:60

5Certain information has been replaced with `. . . ' to ensure the certi�cate is displayed on a single page

IY5500-DST-v120114-0857 48 of 57


4.1.3 New Generic Top-Level Domain: .wi�

The suggested CN included the .wi� su�x, which will also be part of the announced SSID6. This Do-main Name System (DNS) su�x does not exist, but Internet Assigned Numbers Authority (IANA) hasopened the registration for new Top-Level Domains (TLDs) called Generic Top-Level Domains (gTLDs)[O:ICA12]. At the time of writing this report, the .wi� gTLD had not yet been submitted nor registered.The signing of a .wi� gTLD request should follow the regular process (e.g. [O:Ver10]) but should ensurethe following prerequisites:

• Certi�ed CAs should create a special CA certi�cate that is only used to sign .wi� certi�caterequests.

• CAs should only sign an OWNAP Certi�cate that has a CN that is su�xed with .wi� and containsone or more BSSIDs; and

• CAs should only sign an OWNAP Certi�cate that includes the OWNAP X.509 v3 extensions; and

• CAs should only sign an OWNAP Certi�cate if the owner of the .wi� �domain� is submitting thesigning request.

The rules above should result in the required assurance of authenticity of the ESS and its associatedAPs. The new .wi� gTLD will ensure global uniqueness of the SSID.The following policy for a .wi� �domain� or SSID registration would need to be enforced as well:

• The SSID must be unique and non-ambiguous

• The SSID must represent the name of the brand the wireless network is associated with e.g. iBahn,Spectrum, Boingo. This could include non-ISPs like hotels, or other chain of companies.

� Initial exceptions could be well-establishedWireless SSIDs that have been in use e.g. BTOpen-Zone

• Disputes can be settled using the existing Uniform Domain-Name Dispute-Resolution Policy(UDRP) procedures for regular Domain Name registration [O:ICA09] .

The above will result in the required assurance that the broadcasted SSID is transmitted by a validatedand registered Wireless Internet Service Provider (WISP).

The registration fee of the gTLD .wi� would be $185,000 and applicants would undergo an exhaustiveassessment [T:Len12]. If OWNAP would be considered implementation it would be best to register .wi�as a consortium of companies consisting of wireless ISPs and CAs.

4.1.4 Establishing a unique PMK

STAs can use the public key included in the certi�cate to encrypt a pseudo-random generated key andsend this to the AP. APs sharing the corresponding private key will be the only systems that can decryptthe encrypted key.The agreed key will be used as the PMK and used for the creating standard WPA-CCMP encryption,decryption and Message Authentication Code (MAC) keys7. This will ensure that no one can eavesdropon the tra�c between STA and AP.A rogue AP would be able to spoof the Media Access Control (MAC) of an OWNAP enabled AP andeven replay/transmit the public key and certi�cate of the genuine AP. However, since the STA selectsand encrypts the PMK with the Public Key, the rogue AP will not be able to decrypt it as it lacks theassociated Private Key.

6See �4.2 on page 527See �2.4 on page 12

IY5500-DST-v120114-0857 49 of 57


The objective of OWNAP is not to authenticate nor authorise/grant the STA access to the serviceprovided by the wireless network (e.g. access to the Internet). Once could use the Di�e-Hellman basedStation-to-Station Protocol (STS) to provide mutual authentication, but the STS assumes that bothparties have each established a long-term signature/veri�cation key pair and have had their veri�cationkeys certi�ed [B:Mar12, p. 317]. Whereas access to a Wi-Fi Hotspot could be ad-hoc and STA and APhave not established those key pairs.Once connected the End-user must still use pre-established UAM credentials, vouchers or other paymentoptions to authenticate himself to the WISP. It is very similar to accessing a secure web site: beingpresented with the webserver's public certi�cate and agreeing a session key does ensure encryption ofclient-server tra�c, but does not automatically entail access to the content of that web site. One maystill be required to provide a set of credentials to access the site.

4.1.5 Protocol Run

Regular WPA2 setup

Request SSID Listing

Broadcast SSID, BSSID

Virgil Virgil’s STAOWNAP capable

AP OWNAP capable

Validate SSID, BSSID & Cert

Generate PMK

Encrypt PMK With Public

Key of AP

Show validated SSID

Connect

Send encrypted PMK

Initiate 4-way handshake

Decrypt PMK

Request Certificate

Transmit Certificate

Connection established

Figure 4.1: OWNAP Message Sequence Chart [A:Sta12]

IY5500-DST-v120114-0857 50 of 57


Below is a detailed description of the steps shown in Figure 4.1 that take place during the setup ofOWNAP:

1. The OWNAP capable AP is broadcasting its SSID: WiFi-ISP.wi�;

2. End-user Virgil wants to connect to the Internet and requests his STA to scan for available wirelessnetworks;

3. Virgil's STA identi�es the AP as an OWNAP enabled AP and requests its certi�cate;

4. The OWNAP capable AP sends its Public Key Certi�cate;

5. Virgil's STA veri�es if the presented Certi�cate contains the SSID, BSSID and if the Certi�catehas been signed by a trusted8 CA;

6. Virgil's STA presents a list of nearby wireless networks including the validated OWNAP network(e.g. Figure 4.2a or 4.2b );

7. Virgil requests its STA to connect to the OWNAP based network;

8. Virgil's STA generates a pseudo-random 256 bit PMK and securely transmits this key to the APby encrypting it with the Public Key received as part of the AP's Public Certi�cate;

9. As both devices now share the PMK they can initiate the standard WPA 4-way handshake[T:IEE07, p. 211].

Once the handshake completes successfully, Virgil can be assured that he has established a connectionwith a validated wireless network and that at least his transmissions between his STA and associatedAP are encrypted.

(a) MS Windows 7 mock-up [A:Mic12a; A:Sta12] (b) Apple iOS mock-up [A:App11; A:Sta12]

Figure 4.2: Wireless List on OWNAP capable devices

8Trusted means part of the trusted CAs list con�gured on the Virgil's STA

IY5500-DST-v120114-0857 51 of 57


Figure 4.2a and 4.2b are mock-ups of how OWNAP capable networks could be visualised to the End-user. The .wi� TLD has been omitted as it would only cause confusion. Most professional APs arecapable of announcing/serving multiple SSIDs and networks. In this example the SSID of the insecurewireless network is kept the same. This could however be changed to a di�erent name if one sees �t.The colour scheme and icons were taken from the colour scheme used to represent EV SSL in platformdefault browsers. End-users could be provided with a message, asking if they would prefer to connectwith the validated, more secure version of the �same� SSID. This could even be done if the regular SSIDwould be announced by a rogue AP.

4.2 Backward compatibility

Backward compatibility is not really an issue as professional APs are capable of announcing/servingmultiple SSIDs. A legacy system that would not be capable of connecting to an OWNAP AP, would bepresented with a wireless network listing that is being shown in Figure 4.3.

Figure 4.3: Wireless List on a OWNAP incompatible station [A:Mic12b; A:Sta12]

As one can see the OWNAP SSID is visible but shown as a protected network. It includes the earlierobfuscated .wi� su�x.

4.3 Challenges

It should be obvious that the �rmware of the APs would need signi�cant updates to be capable ofsupporting OWNAP. However, even after such an upgrade several challenges would remain. Thesechallenges will be discussed in the following paragraphs.

4.3.1 Certi�cate distribution to APs

The certi�cates used will have to be managed and distributed to the APs. Certi�cates will expire after acertain amount of time and will need to be replaced resulting in an administrative overhead. This should,however, not be a major problem as the candidate wireless networks are large and are expected to havesome form of central management via so-called Wireless LAN Controllers (WLCs). To accommodate forOWNAP, the application running on these management systems would require a signi�cant update aswell.

IY5500-DST-v120114-0857 52 of 57


4.3.2 Certi�cate chaining

A single certi�cate would only store a certain amount of MAC addresses. The WISP could order addi-tional certi�cates for new MAC addresses but could also ask for an intermediate certi�cate. The inter-mediate certi�cate would be for a speci�c SSID. It would allow the WISP to sign OWNAP certi�catesthemselves with this intermediate certi�cate. The resulting OWNAP certi�cate would still be trusted asit would be chained through the certi�cate hierarchy to the root CA certi�cate. The STA would howeverneed to ensure that the name of SSID corresponds to the SSID mentioned in the intermediate certi�cate.

4.3.3 Certi�cate Revocation

In regular PKC a Certi�cate Revocation list (CRL) is used to warn systems of revoked certi�cates. Thisis, however, not possible for associating STAs as its communication is very limited at the time of initialaccess: there is no full Internet Protocol (IP) stack that would allow it to contact the associated CRL,which is residing somewhere on the Internet.Even if the STA would have a fully enabled IP stack the STA would need to be allowed access to the CRL.The CRL uses Online Certi�cate Status Protocol (OCSP) which exchanges the validation informationover HyperText Transfer Protocol (HTTP) [T:Mye+99, page 17], but HTTP is actually a service thatthe ISP would be charging for. The ISP could limit the initial access to just the CRL but this wouldrequire a Firewall or other type of network �lter, increasing the complexity of the required networkinfrastructure.In either case, the AP would either proxy or at least be in the path of the validation that is taking place.One could argue that an alternative path must be used to validate a presented certi�cate, especiallysince OCSP only uses Abstract Syntax Notation One (ASN.1) encoding and no encryption [T:Mye+99,page 6]: In the situation where a browser wants to check if a certi�cate is revoked it is the browser thatseeks a direct connection with the CRL. Such a request does not pass through the webserver for whichit is verifying the certi�cate.It is worth noting that the same issue exists for EAP-Transport Layer Security (EAP-TLS)9 whenvalidating the Remote Authentication Dial In User Service (RADIUS) server certi�cate. It will thereforehave to be accepted that the STA has no secure means of con�rming, if the certi�cate presented by theAP has been revoked.

4.3.4 User Awareness

It is important that End-users are made aware of this new technology. The enhanced security couldbe marketed as a positive experience and advertised using billboards and �yers at the area where theOWNAP network is active. Operating Systems (OSs) manufacturers could also add hints when usersare presented with an OWNAP enabled network for the �rst time.Companies could actually enforce the use of OWNAP enabled APs for its roaming employees. The OSof the STA could be told either not to show or allow access to networks that are not using OWNAP.

4.3.5 Certi�cate Authorities

CAs play a key role in the validation of any requests for signing the OWNAP Certi�cate Signing Request(CSR). Their procedures should be strictly followed and monitored. CAs are under a certain level ofscrutiny but procedures can fail especially when there is an attack on a CA and the procedures areperformed manually. An example of such an attack was the recent breach at DigiNotar, where DigiNotar'sCA system was used to generate several wildcard certi�cates [T:Pri11].


IY5500-DST-v120114-0857 53 of 57


4.3.6 Threats to Access Points

The role of the AP will become more important as it stores the both the OWNAP X.509 private keyand all active PMKs. It may therefore become a target for attacks to try and retrieve these keys. Inmost cases, physical access to these ISP owned AP is only permitted by authorised personnel, but insome cases like the partnership between FON and BT [O:Tel07] the AP may reside on private premises,which could result in unauthorised physical access.To mitigate against a physical attack, the OWNAP X.509 private key and PMKs could be stored involatile memory and retrieved from a secure and central location like the WLC which usually resides ona management network. These WLCs are usually connected to a management network and unreachablefor any STAs connected to the AP. This central storage would protect the keys from being retrieved froman uninitialised AP and allow for the same PMK to be used while a STA is roaming between di�erentAPs. This central storage may result in additional and unacceptable latency issues, but it would be verysimilar to the one in use with mobile Universal Mobile Telecommunications System (UMTS) networkswhich also rely on low latency access and roaming.Another threat to the AP would be the use and management of all STA and their PMK and derivedkeys. It will result in an additional CPU and memory load on OWNAP-enabled APs. This may notbe achievable with the current models in use or may require additional access-points in busy networks.Although any AP could fail due to too many connection request, this vulnerability could actually beused to perform a Denial of Service (DoS) attack starving the AP from resources by requesting too manyOWNAP setups. Since OWNAP will require more hardware resources, AP enabled for OWNAP wouldreach its limit quicker than the same model AP that is not enabled to support OWNAP.

4.4 Alternatives

4.4.1 Updating IEEE 802.1X

The second laboratory test showed that the certi�cate used for 802.1x Authentication via RADIUS isused to give a level of assurance of the server's identify. However, as the certi�cate only gives assuranceof the identity of the server, it is the STA or even its End-user who had to decide whether or not theRADIUS server and network were genuine part of the proposed network. One could consider updatingthe 802.1x protocol by adding the OWNAP certi�cate structure to 802.1x and ensure that the FQDN ofthe authentication server contained the SSID of the network the STA is trying to connect or authenticateto. A Wireless Fidelity (Wi-Fi) speci�c gTLD would still be required to ensure attackers would not beable to perform the following attack:

• The SSID being "ISPWi�" without a su�x;

• The o�cial authentication server being authserver.ISPWIFI.com;

• The attacker's authentication server being authserver.ISPWIFI.net.

Both servers would be considered valid and thus an attack could succeed.

Another option would be to su�x the End-user's username with the SSID or domain of the authenticationserver and only allow authentication to take place if they match.

IY5500-DST-v120114-0857 54 of 57


There are, however, some issues with this solution as well:

• In some cases the authentication server may be responsible for multiple authentication domainsand may even be proxying for others. It would require the authentication server to have multipleIP addresses to support multiple certi�cates.

• The use of open wireless networks is mostly ad-hoc: End-users start their machine and expecta wireless network to be available. 802.1x would require a set of credentials prior to any accesstaking place. These credentials would need to be managed and somehow distributed via a vendingmachine or kiosk. It would result in administrative overhead and cost.

4.4.2 Existing alternatives

End-user could purchase vouchers or subscriptions prior to using the open wireless network services.Another option would be to use applications with build-in Wi-Fi services like Skype that allows itssubscribers to use their Skype credit for accessing the internet [O:Sky]. Both options are probably cheaperthan buying pay-as-you-go access and will also reduce the likelihood of one's credit card information tobe stolen when using it to pay for Internet access. The access authorisation may or may not be secure,but unless a secure version of 802.1x is used10, the applications used are still vulnerable to the sameattacks as on regular Wi-Fi Hotspots.

4.4.3 Emerging alternative

As discussed in Chapter 2, there is a new standard called 802.11u that will allow the authentication totake place using the SIM card in mobile devices. Legacy systems, like laptops, will have to install a802.11u capable client to use the service as well. This a positive development, but lacks the open natureof OWNAP. Just like 802.11u, OWNAP will also require new hard- and software to be deployed, butEnd-users are not limited to a single provider. In 802.11u, the mobile device's SIM card is used forauthentication. This card is linked to a single provider and the to-be-developed 802.11u applicationsfor legacy devices may be provider speci�c as well. OWNAP does not result in this vendor lock in asit will work with any WISP using OWNAP. Customers can decide to sign up to a subscription serviceif required and can even use automatic login features like Wireless Internet Service Provider roaming(WISPr) to seamlessly connect to a Wi-Fi Hotspot without the need to interact with a Captive Portal.

4.5 Conclusion

OWNAP has shown to be a good solution of ensuring the authenticity of open wireless networks. Itstransparent use would keep the user-experience the same in comparison to regular open wireless networks,but would enhance the End-user's security. One could argue that encryption should only be implementedfor tra�c that is sensitive of nature. This is a valid point, but there are no regulations, policies or lawsto ensure that this is always the case. With End-user reusing their credentials for multiple services[T:Bon11] eavesdropping on an insecure authenticating application could result in gaining unauthorisedaccess to a secure application.Although it may not be written in any type of regulation, WISPs have an obligation to protect their users,not just when End-users provide sensitive information like credit card details when purchasing wirelessISP services. Their customers should be assured of the fact that the network they are connecting to isgenuine as well.

10See �2.5.2 on page 14

IY5500-DST-v120114-0857 55 of 57

CHAPTER 5

Final Conclusion

People have a good sense whether or not they can trust other people. These senses are part of our socialskills that have been developing since the beginning of mankind. We rely on them to protect us fromharm. We have however not evolved enough to perform the same with technology as it requires a certainlevel of understanding that not everyone has: an alert message may be considered a glitch and ignoredby one user where another user will stop and think twice before continuing.The solution to enabling everyone to use technical devices is to simplify their use by obfuscating thecomplexity of the underlying technology. This has allowed for what is now called the consumerisation ofInformation Technology. With this obfuscation comes a need for the transparency of security. However,developers seem to have di�culty with building security into their designs, as it adds time and complexityto the device or application they are developing. Building transparent security mechanisms may be evenmore di�cult to achieve.It is also important that by obfuscating security one needs to implement multiple layers of security andnot rely on the End-user to make the right decision the moment one of these security measures fail. Thisis because one may have taken away too many telltale signs from the End-user, preventing that sameEnd-user from making the right, most secure decisions.Studies have shown that telltales like the padlock, representing a secure connection, do not work. Justalerting on exceptions may provide the user with too little or too much information. End-users need tobe able to make informed decisions. If this is not possible, due to a potential lack of awareness, educationor information, the decision should be made for them.

WISPs & Developers

Wireless Internet Service Providers (WISPs) may not consider themselves responsible for the security ofthe users that use their services. They are probably only interested in preventing misuse of the servicesprovided. In their mind, they may have decided that it should be the developers of the applications thatensure the secure transmission of sensitive information. However, those developers may not have takensu�cient precautions to prevent attacks. Possibly due to the fact that they are not aware of the risksinvolved with Wi-Fi Hotspots. Developers may not even be able to prevent certain Man-in-the-middleAttack attacks without the assistance of the WISPs.Both WISPs and developers do share a common goal: providing a service to their customers in accordancewith their customer requests. Security may not have been requested explicitly as End-users may assumethat the service is secure. Providing a secure service to their customers should be part of that commongoal and could be considered a pilar in one's Corporate Social Responsibility strategy.

IY5500-DST-v120114-0857 56 of 57

Chapter 5: Final Conclusion

Law and regulation

Although not enforced by law, like the duty of care of airlines [T:Com04], technology providers have,in my opinion, a duty of care as well. Keeping vulnerabilities a secret until �xed may have its bene�tsbut may result in End-users and administrators of their devices to make bad or at least misinformeddecisions. I am a partisan of partial disclosure as it will act as an additional stopgap, ensuring thatcompanies take security more seriously before releasing a new piece technology or service. It may slowdown innovation, but security should not be an afterthought, security should be part of the innovation.In the area of disclosure some headway has been made in the proposed addendum to the EU Data Pri-vacy Directive that will require companies to disclose any data breaches of personal information within24 hours to the European Data Protection Authorities and the European citizens concerned.Events, like the FBI's unprecedented action to delete Botnets from infected machines [N:Zet11], havecaused quite some upheaval as well. These kinds of developments will hopefully spark a discussion onthe duty of care provided by technology providers.

Practicality of Attacks

The attacks presented in this dissertation may be considered as too much e�ort or too high a risk ofgetting caught to gain access to sensitive information that may be accessible elsewhere. I would arguethat it all depends on the target and sensitivity of the information involved. Skimming may be a betterway of collecting payment card information but internal company �nancial information could give aperson a good insight whether or not to buy or sell shares.

The Future

It is clear that the networks of mobile telephony and wireless data networks will be converging in thesame way that physical telephone and data networks did in the past.Hopefully 802.11u or the proposed Open Wireless Network Authentication Protocol (OWNAP) will beembraced by both technology and user community, but either solution will require an investment thatneeds to be earned back. It will be very di�cult to compete with a free service, unless other enhance-ments like speed, coverage or automatic roaming are provided. Security alone will be too much of anintangible bene�t.Given the amount of free wireless access-points it may take some time for 802.11u to reach critical mass.However, when combining this with the increasing demand for online collaboration, the need to haveaccess to (sensitive) information at all times, it becomes essential that systems and data are protectedon multiple levels.

Information Security Community

Finally it is our job as Information Security specialists to convince others of the importance of properlyprotecting information. If we don't, developers will remain focussed on just delivering the explicitlyrequested features. As societies pressure people into good behaviour so too should we try to coercedevelopers into creating secure code and technology.

IY5500-DST-v120114-0857 57 of 57

Bibliography

Books

[B:Can11] D.L. Cannon. CISA Certi�ed Information Systems Auditor Study Guide. JohnWiley & Sons, 2011.isbn: 9780470610107.

[B:Com06] D.E. Comer. Internetworking with TCP/IP: Principles, protocols, and architec-ture. Internetworking with TCP/IP. Pearson Prentice Hall, 2006.isbn: 9780131876712.

[B:Gas05] M. Gast. 802.11 Wireless Networks: The De�nitive Guide, Second Edition. O'ReillySeries. O'Reilly, 2005.isbn: 9780596100520.

[B:Gei06] E. Geier. Wi-Fi Hotspots. Cisco Press, 2006.isbn: 9781587052668.

[B:KDM02] William L. Simon Kevin D. Mitnick. The Art of Deception: Controlling the HumanElement of Security. Wiley, 2002.isbn: 9780471237129.

[B:KPS02] C. Kaufman, R. Perlman, and M. Speciner. Network security: private communica-tion in a public world. Prentice Hall series in computer networking and distributedsystems. Prentice Hall PTR, 2002.isbn: 9780130460196.

[B:Mar12] K.M. Martin. Everyday Cryptography. Oxford University Press, 2012.isbn: 9780199695591.

[B:May+07] D. Maynor et al.Metasploit Toolkit for Penetration Testing, Exploit Development,and Vulnerability Research. Elsevier Science, 2007.isbn: 9780080549255.

[B:PF03] B. Potter and B. Fleck. 802.11 Security. O'Reilly Series. O'Reilly, 2003.isbn: 9780596002909.

[B:Sch12] B. Schneier. Liars and Outliers: Enabling the Trust That Society Needs to Thrive.John Wiley & Sons, 2012.isbn: 9781118143308.

IY5500-DST-v120114-0857 I

http://books.google.com/books?vid=ISBN9780470610107











Technical Reports

[T:Abo+04] B. Aboba et al. Extensible Authentication Protocol (EAP). IETF, June 2004.url: http://goo.gl/BYuZ0 (visited on 08/15/2012).

[T:AH06] J. Arkko and H. Haverinen. Extensible Authentication Protocol Method for 3rdGeneration Authentication and Key Agreement. IETF, Jan. 2006.url: http://goo.gl/0BYGy (visited on 08/01/2012).

[T:All12] Wi-Fi Alliance. Wi-Fi CERTIFIED PasspointTM

. Wi-Fi Alliance, June 2012.url: http://goo.gl/Pwta5 (visited on 07/11/2012).

[T:Bon11] J. Bonneau.Measuring password re-use empirically. University of Cambridge, Feb.2011.url: http://goo.gl/I2ipA (visited on 06/18/2012).

[T:Cis10] Cisco. Rogue Management in a Uni�ed Wireless Network. Cisco, Aug. 2010.url: http://goo.gl/oElgz (visited on 07/11/2012).

[T:Com04] European Commission. Establishing common rules on compensation and assis-tance to airline passengers. European Commission, Feb. 2004.url: http://goo.gl/HGZW4 (visited on 08/01/2012).

[T:Com12] European Commission. Roaming on public mobile communications networks withinthe Union. European Commission, June 2012.url: http://goo.gl/yCahz (visited on 08/15/2012).

[T:Dil01] Prof. J-M. Dilhac. The telegraph of Claude Chappe - an optical telecommunication.Laboratoire d'Analyse et d'Architecture des Systèmes, Aug. 2001.url: http://goo.gl/OOBLR (visited on 06/18/2012).

[T:FH07] D. Florencio and C. Herley. A Large-Scale Study of Web Password Habits. Mi-crosoft Research, Mar. 2007.url: http://goo.gl/gV603 (visited on 08/15/2012).

[T:Gem10] Gemalto. EAP-SIM White Paper. Gemalto, Jan. 2010.url: http://goo.gl/7r0Ld (visited on 08/18/2012).

[T:HS06] H. Haverinen and J. Salowey. Extensible Authentication Protocol Method for GSMEAP-SIM. IETF, Jan. 2006.url: http://goo.gl/LC6ie (visited on 08/01/2012).

[T:ITU08a] ITU. ITU-T Recommendation X.509. ITU, Nov. 2008.url: http://goo.gl/Chp4A (visited on 06/18/2012).

[T:ITU08b] ITU. ITU-T Recommendation X.520. ITU, Nov. 2008.url: http://goo.gl/qxDS7 (visited on 06/18/2012).

[T:Len12] K. Lentz. gTLD Applicant Guidebook. ICANN, June 2012.url: http://goo.gl/9d61f (visited on 06/18/2012).

[T:Mye+99] M. Myers et al. X.509 Internet Public Key Infrastructure Online Certi�cate StatusProtocol - OCSP. The Internet Society, June 1999.url: http://goo.gl/EcAVk (visited on 06/18/2012).

[T:Pri11] J.R. Prins. DigiNotar Certi�cate Authority breach "Operation Black Tulip". Fox-IT, Sept. 2011.url: http://goo.gl/zzeay (visited on 06/18/2012).

IY5500-DST-v120114-0857 II

http://goo.gl/BYuZ0

http://goo.gl/0BYGy

http://goo.gl/Pwta5

http://goo.gl/I2ipA

http://goo.gl/oElgz

http://goo.gl/HGZW4

http://goo.gl/yCahz

http://goo.gl/OOBLR

http://goo.gl/gV603

http://goo.gl/7r0Ld

http://goo.gl/LC6ie

http://goo.gl/Chp4A

http://goo.gl/qxDS7

http://goo.gl/9d61f

http://goo.gl/EcAVk

http://goo.gl/zzeay


[T:SA06] K. Shampan�er and D. Ariely. How Small is Zero Price? The True Value of FreeProducts. Federal Reserve Bank of Boston, Oct. 2006.url: http://goo.gl/QifNs (visited on 11/01/2011).

[T:SAH08] D. Simon, B Aboba, and R. Hurst. EAP-TLS Authentication Protocol. IETF,Mar. 2008.url: http://goo.gl/LPuXU (visited on 08/15/2012).

[T:Sch+07] S.E. Schechter et al. The Emperor's New Security Indicators. IEEE, Feb. 2007.url: http://goo.gl/fIpHK (visited on 06/18/2012).

[T:SS75] J.H. Saltzer and M.D. Schroeder. The Protection of Information in ComputerSystems. University of Virginia, Apr. 1975.url: http://goo.gl/2f8ty (visited on 06/18/2012).

[T:Ste07] John-Paul M. Stewart. Con�guring application settings based on changes associ-ated with a network identi�er. Microsoft, Feb. 2007.url: http://goo.gl/tLRXz (visited on 08/01/2012).

[T:Sun+09] J. Sunshine et al. Crying Wolf: An Empirical Study of SSL Warning E�ectiveness.Carnegie Mellon University, Aug. 2009.url: http://goo.gl/aDRE5 (visited on 06/18/2012).

[T:Wri07] J. Wright. 802.11 Pocket Reference Guide. SANS, May 2007.url: http://goo.gl/7hJba (visited on 06/23/2012).

[T:Eur09] European Commission. Web browser choice for European consumer. EuropeanCommission, 2009.url: http://goo.gl/ZdOPm (visited on 06/18/2012).

[T:IEE07] IEEE 802.11 Working Group. IEEE Std 802.11TM-2007. IEEE, June 2007.url: http://goo.gl/R1hOh (visited on 06/18/2012).

[T:IEE12] IEEE 802.11 Working Group. IEEE Std 802.11TM-2012. IEEE, Mar. 2012.url: http://goo.gl/ri8oX (visited on 06/23/2012).

Software Tools Used

[S:Mar11] M. Marlinspike. SSLStrip. May 2011.url: http://goo.gl/5Tg76 (visited on 06/18/2012).

[S:WA08a] J. Wright and B. Antoniewicz. FreeRADIUS - Wireless Pwnage Edition. 2008.url: http://goo.gl/1mkC9 (visited on 06/18/2012).

[S:Wri08] J. Wright. ASLEAP: Exploiting Cisco LEAP. 2008.url: http://goo.gl/PsA51 (visited on 06/18/2012).

[S:Chi04] Chinotec Technologies Company. Paros Proxy. 2004.url: http://goo.gl/OtrH (visited on 06/18/2012).

[S:Fre11] FreeRADIUS Core Team. FreeRADIUS. 2011.url: http://goo.gl/ish4T (visited on 06/18/2012).

[S:Sta12] StartCom Ltd. StartSSL - The Swiss Army Knife of Digital Certi�cates & PKI.2012.url: http://goo.gl/CLvD (visited on 06/18/2012).

IY5500-DST-v120114-0857 III

http://goo.gl/QifNs

http://goo.gl/LPuXU

http://goo.gl/fIpHK

http://goo.gl/2f8ty

http://goo.gl/tLRXz

http://goo.gl/aDRE5

http://goo.gl/7hJba

http://goo.gl/ZdOPm

http://goo.gl/R1hOh

http://goo.gl/ri8oX

http://goo.gl/5Tg76

http://goo.gl/1mkC9

http://goo.gl/PsA51

http://goo.gl/OtrH

http://goo.gl/ish4T

http://goo.gl/CLvD


Attributed Artistic Works

[A:App11] Apple. Apple iOS v5.01. 2011.url: http://goo.gl/nujb (visited on 06/18/2012).

[A:BRS12] BRSev. Airplane Icon. Creative Commons License. 2012.url: http://goo.gl/wLA7B (visited on 06/18/2012).

[A:Cis06] Cisco. Cisco Wireless Control System Con�guration Guide. Mar. 2006.url: http://goo.gl/K2CA2 (visited on 07/11/2012).

[A:Dig12] DigiCert. Extended Validation EV SSL Certi�cate. 2012.url: http://goo.gl/VeC9P (visited on 06/18/2012).

[A:Goo12] Google. Google Chrome Browser v18.0.1025.142. 2012.url: http://goo.gl/7TAf (visited on 06/18/2012).

[A:Hun11] T. Hunt. OWASP Top 10 for .NET developers - part 9. 2011.url: http://goo.gl/8gUjc (visited on 06/18/2012).

[A:KPN12a] KPN. KPN Hotspots. 2012.url: http://goo.gl/MUzey (visited on 06/18/2012).

[A:Mic12a] Microsoft. Microsoft Windows R© 7. 2012.url: http://goo.gl/kAtR0 (visited on 06/18/2012).

[A:Mic12b] Microsoft. Microsoft Windows R© XP. 2012.url: http://goo.gl/VAVjO (visited on 06/18/2012).

[A:Ogo12] Ogone. Ogone Payment Services. 2012.url: http://goo.gl/yW8Yr (visited on 06/18/2012).

[A:Sta12] J.M.D. Stakenburg. 2012.

News Articles

[N:Adk11] H. Adkins. An update on attempted man-in-middle-attacks. Aug. 2011.url: http://goo.gl/adBvA (visited on 08/01/2012).

[N:Zet11] K Zetter. With Court Order, FBI Hijacks 'Core�ood' Botnet, Sends Kill Signal.2011.url: http://goo.gl/ELU6A (visited on 08/01/2012).

[N:Cyb12] Cyberwarzone SlaVash. Leak in ING Mobile Banking app. Mar. 2012.url: http://goo.gl/s1fd4 (visited on 06/18/2012).

[N:RTL12] RTL News. KPN poorly secured Modems thousands of subscribers. Aug. 2012.url: http://goo.gl/9MzxQ (visited on 08/18/2012).

Other Sources

[O:Dev12] DeviceScape. DeviceScape Industry Intelligence. 2012.url: http://goo.gl/id9k3 (visited on 08/18/2012).

[O:ICA09] ICANN. Uniform Domain Name Dispute Resolution Policy. Aug. 2009.url: http://goo.gl/6Sc7f (visited on 07/16/2012).

[O:ICA12] ICANN. New gTLD Applied-For Strings. 2012.url: http://goo.gl/PpoN1 (visited on 06/18/2012).

IY5500-DST-v120114-0857 IV

http://goo.gl/nujb

http://goo.gl/wLA7B

http://goo.gl/K2CA2

http://goo.gl/VeC9P

http://goo.gl/7TAf

http://goo.gl/8gUjc

http://goo.gl/MUzey

http://goo.gl/kAtR0

http://goo.gl/VAVjO

http://goo.gl/yW8Yr

http://goo.gl/adBvA

http://goo.gl/ELU6A

http://goo.gl/s1fd4

http://goo.gl/9MzxQ

http://goo.gl/id9k3

http://goo.gl/6Sc7f

http://goo.gl/PpoN1


[O:IEE12] IEEE. IEEE Standards Association Website - About us. 2012.url: http://goo.gl/tk0FT (visited on 06/29/2012).

[O:KPN12b] KPN. KPN recommends you to use a VPN for internet access. 2012.url: http://goo.gl/CdcXo (visited on 08/01/2012).

[O:Lip10] Steve Lipner. Interview with Steve Lipner. 2010.url: http://goo.gl/UOJE2 (visited on 08/15/2012).

[O:Nea12] T. Neaves. iOS Application Security: Review of Top 50 Free iPad Apps. 2012.url: http://goo.gl/pvR4N (visited on 06/18/2012).

[O:NU.12] NU.nl. Survey onn 3G/Wi-Fi Roaming. Use requested and approved by NU.nl.2012.

[O:Sky] Skype. Skype WiFi.url: http://goo.gl/Q5Atv (visited on 06/18/2012).

[O:Ste12] Karl Stetson. Wi-Fi Innovations and User Enthusiasm Propel Continued SalesGrowth. 2012.url: http://goo.gl/qUfkF (visited on 07/06/2012).

[O:Tel07] British Telecom. BT and Fon launch the world's largest wi-� community. 2007.url: http://goo.gl/RXo3X (visited on 06/18/2012).

[O:Ver10] Verisign. Easy Guide to the VeriSign Enrollment Process. June 2010.url: http://goo.gl/tCOc6 (visited on 07/16/2012).

[O:WA08b] J. Wright and B. Antoniewicz. PEAP: Pwned Extensible Authentication Protocol.2008.url: http://goo.gl/mcExJ (visited on 06/18/2012).

[O:Yao05] T. Yao. Network Location Awareness Vision And Scenarios. May 2005.url: http://goo.gl/3wLvX (visited on 06/18/2012).

[O:AKJ11] AKJ Associates. e-Crime Mid Year Meeting Europe. Nov. 2011.url: http://goo.gl/yuRza (visited on 06/18/2012).

[O:Enc12a] Encyclopaedia Britannica Online. Cryptology - Early cryptographic systems andapplications. 2012.url: http://goo.gl/fpGrv (visited on 06/18/2012).

[O:Enc12b] Encyclopaedia Britannica Online. Great Wall of China. 2012.url: http://goo.gl/ItfWJ (visited on 06/18/2012).

IY5500-DST-v120114-0857 V

http://goo.gl/tk0FT

http://goo.gl/CdcXo

http://goo.gl/UOJE2

http://goo.gl/pvR4N

http://goo.gl/Q5Atv

http://goo.gl/qUfkF

http://goo.gl/RXo3X

http://goo.gl/tCOc6

http://goo.gl/mcExJ

http://goo.gl/3wLvX

http://goo.gl/yuRza

http://goo.gl/fpGrv

http://goo.gl/ItfWJ

APPENDIX A

Vulnerable iPhone App

This appendix has been omitted for con�dentiality purposes.

IY5500-DST-v120114-0857 VI

APPENDIX B

Hotspot Walk-Through

The following screen shots were taken at Schiphol Airport. KPN is one of the largest telecom providersin the Netherlands. They o�er free wireless access for 1 hour for transiting passengers or a premiumservice with higher speed and more capabilities. The hotspot login page appears shortly after associatingyour device with the network.

Figure B.1: Initial Hotspot Login Page[A:KPN12a]

Figure B.2: Selecting the Premium Service[A:KPN12a]

IY5500-DST-v120114-0857 VII

Appendix B: Hotspot Walk-Through

Figure B.3: Account Login/Creation[A:KPN12a]

Figure B.4: Redirect to Broker for Payment[A:Ogo12]

Figure B.5: Payment via Broker[A:Ogo12]

IY5500-DST-v120114-0857 VIII

Royal Holloway University of London


Managing the Client-side Risksof IEEE 802.11 Networks

dissertation by:J.M.D. Stakenburg

supervised by:Professor J. Crampton

managing the client-side risks of ieee 802.11 networkspki public-key infrastructure pmk pairwise...

Documents