The Information Security Professionals: Wireless Hotspot Security and Client Attacks. Almerindo Graziano, a.graziano@silensec.com, www.silensec.com

Upload: domenic-robbins

Post on 25-Dec-2015


Page 1: The Information Security Professionals Wireless Hotspot Security and Client Attacks Almerindo Graziano a.graziano@silensec.com

The Information Security Professionals

Wireless Hotspot Security and Client Attacks

Almerindo Graziano

a.graziano@silensec.com

www.silensec.com


The Menu :-)

• The WiFi Explosion
• Common misconceptions
• Wireless hotspots attacks
• Wireless Client Attacks
• Rogue Access Points
• WEP Insecurity
• WPA Security
• General recommendations


About Silensec

• IT Governance
– ISO 27001 Implementation
– Gap Analysis
– Risk Management
• Penetration Testing
– Web apps, Systems, Networks
• Security Training
– BSI ISO 27001, BS25999
– SANS Wireless Security, Hacking Techniques


Common Misconceptions

• We do not use/allow wireless networks
• Our network is secure
• We use firewalls
• We use VPN
• Nobody would attack us


Mobile Phones Explosion

• Over 100 mobile phone handsets with Wi-Fi capability (June 2007)
• 213 million Wi-Fi chipsets shipped worldwide in 2007 (32% growth)
• 20% of the total chipset market by 2009
• Dual-mode phones in 2008
• Bypass mobile operator
• Skype mobile phones


Wifi in Everything!

• Digital Camera
• Mobile TVs
• Presentation Projectors
• Stereos
• CCTV Cameras
• Swipe cards systems
• Medical monitoring equipment
• Portable digital players


Wireless Networks are Everywhere


Terminology

• Station (STA)
– Laptop, PDA, mobile phone
• Access Point (AP)
– Connect STAs to the main network
• Infrastructure Mode
– Most common (home and corporate)
• Ad-Hoc Mode
– Connecting STAs without an AP

[Figure: diagrams labelled "Infrastructure Mode" and "Ad-Hoc Mode"]


Terminology (2)

• WEP (Wired Equivalent Privacy)
– WEP Key (64, 128, 256, 512 bits)
– WEP+
– Dynamic WEP
• WPA and WPA2 (Wireless Protected Access)
– Passphrase (8-63 characters)


Wireless Hotspots

• Provide public access to the Internet through wireless networks
– Public does NOT mean FREE
• Often located in airports, train stations, libraries, hotels, coffee bars
• Designed to be easy to use
– Find the network
– Click and connect
– Authenticate and you are in!


Hotspot Example: T-Mobile

[Screenshot callout: Secure Connection]


Hotspot Example: T-Mobile (2)

[Screenshot callout: Enter Credentials]


Hotspot Security Risks

• Information disclosure
– Most information is not encrypted and may be captured easily
• Identity theft
• Fraud and financial loss
• Compromise your computer
– Expose personal info (contacts)
– Catch a virus
• Back in the workplace
– Expose even more personal info
– Spread the virus


Wireless Isolation

• Commonly used by hotspots
• Most modern APs support it too
• Traffic between hotspot clients not allowed
• Protect hotspot clients from possible malicious clients
• And anyway you have your firewall..
• What about non-connected clients?


DEMO


Wireless Client Attacks


Windows Preferred Network List (PNL)

• Includes networks created by the user
• Networks are also added when we connect to a new network (hotspot)
• Connection can be automatic or manual


Windows Preferred Network List (PNL)

• Will always connect to the networks higher on the list..
– even if already connected to another network!
– even if that network is more secure
• APs with stronger power are preferred
• User is not notified of AP switch!


Dangerous Connections..

• New networks are added to the PNL
• If a new network is in range, Windows may connect to it


Rogue Access Points

• More powerful signal
• Karma-based


Power Rogue Access Point

• Windows wireless configuration
• AP chosen based on
– position in the PNL
– signal power

[Figure labels: tmobile, tmobile]


Power Rogue Access Points

DEMO


Client Attacks with Karma

• Powerful tool
• Responds to any probe request
• Comes with DHCP, DNS, Web server
• Exploits clients which broadcast SSIDs with no security...hotspots


Judicious Karma

Preferred Network List (PNL):
• CorpNet
• HomeNet
• Linksys
• tmobile
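
A defender-side sketch of how the two rogue AP types described above (stronger signal, Karma-based) can be spotted from a monitoring sensor. It is an added example, not taken from the slides or from Karma itself; the observation tuples, the `KNOWN_APS` inventory, the function name and the SSID threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor observations (not a real capture):
# (transmitter BSSID, SSID it answered for, signal strength in dBm).
OBSERVATIONS = [
    ("00:11:22:33:44:55", "tmobile", -70),
    ("00:11:22:33:44:55", "tmobile", -71),
    ("02:aa:bb:cc:dd:01", "tmobile", -35),
    ("02:aa:bb:cc:dd:02", "CorpNet", -40),
    ("02:aa:bb:cc:dd:02", "HomeNet", -41),
    ("02:aa:bb:cc:dd:02", "Linksys", -40),
    ("02:aa:bb:cc:dd:02", "tmobile", -42),
]

# Assumed inventory: BSSIDs the hotspot operator really runs, per SSID.
KNOWN_APS = {"tmobile": {"00:11:22:33:44:55"}}


def rogue_ap_findings(observations, known_aps, ssid_threshold=3):
    """Return {bssid: sorted reasons} for transmitters worth investigating."""
    ssids_by_bssid = defaultdict(set)
    best_dbm = {}  # (ssid, bssid) -> strongest signal seen
    for bssid, ssid, dbm in observations:
        ssids_by_bssid[bssid].add(ssid)
        key = (ssid, bssid)
        best_dbm[key] = max(dbm, best_dbm.get(key, dbm))

    findings = defaultdict(set)
    # Karma-style responder: one radio answering for many unrelated SSIDs.
    for bssid, ssids in ssids_by_bssid.items():
        if len(ssids) >= ssid_threshold:
            findings[bssid].add("answers for %d SSIDs" % len(ssids))
    # Power rogue AP: a known SSID offered by a BSSID outside the inventory.
    for (ssid, bssid), dbm in best_dbm.items():
        if ssid not in known_aps or bssid in known_aps[ssid]:
            continue
        findings[bssid].add("unlisted BSSID for " + ssid)
        legit = [best_dbm[(ssid, b)] for b in known_aps[ssid]
                 if (ssid, b) in best_dbm]
        if legit and dbm > max(legit):
            findings[bssid].add("stronger than known AP for " + ssid)
    return {bssid: sorted(reasons) for bssid, reasons in findings.items()}


if __name__ == "__main__":
    for bssid, reasons in sorted(rogue_ap_findings(OBSERVATIONS, KNOWN_APS).items()):
        print(bssid, "->", "; ".join(reasons))
```

Both checks are heuristics: a findings entry is a lead for investigation, and an AP missing from the inventory may simply be newly installed.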


KARMA

DEMO


Wifizoo

• Gathers information passively
• No connection required
• Cookies
• Passwords from FTP, POP3 etc..
• ..and lots more


Wifizoo at Work..

DEMO


Wireless Hacking in the Skies..

• Just relax and enjoy the flight
• Watch a film on your laptop
• ...while you are being hacked...
• But don't you worry, there will be no interruption to your film entertainment


Parking Mode

• Found by Simple Nomad
• If DHCP fails to provide an IP address, interfaces with Link-Local configurations will auto-assign an address in the 169.254.0.0/16 range
• Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces

[Flowchart: Parking Mode. Box labels: Try available PNL networks; Scan for available networks (ANL); Try PNL networks; Any Ad-Hoc network in PNL?; Connect to 1st Ad-Hoc network in PNL; Connect to Non-Preferred Nets?; Connect to available networks (ANL); Set Random SSID and go in infrastructure mode; Keep looking for preferred networks. Decision branches labelled Yes / No.]


Windows Wireless Client Update

• Hotfix described in KB917021
• Non-broadcast networks
– Allows a network to be set as non-broadcast by setting “Connect even if the network is not broadcasting”
– WAC only sends probe requests for non-broadcast networks
– Preferred broadcast networks in the PNL are not advertised
• Parking behaviour
– Security configuration is passed on to the wireless adapter driver, using the most secure encryption method that the wireless network adapter supports (including random encryption key)
• Ad-hoc
– Manual connection
– WAC doesn't probe ad-hoc SSIDs contained in the PNL


Windows Wireless Client Update (ctd.)

• Not included in SP2

• Many clients have not installed it

• Parking mode is driver-dependent

– Most drivers still use no security

• You can still override secure default settings


Vista Wireless

• Vista allows non-broadcast wireless networks to be defined
– Listed as Unnamed Network
• WAC will try to connect to wireless networks in the order they are listed in the PNL, whether they are broadcast or not
• Supports ad-hoc using WPA2-PSK
– Strong passphrase selection


Hotspot Security Tips

• Double-check the name and presence of an official Hotspot network where the service is provided
• Remember that the majority of Hotspots do not ensure data confidentiality
• Always look out for a padlock and https sign on the hotspot login page
• Do NOT implicitly trust advertised “Free Public WiFi”


WEP

WEP IS DEAD

You MUST NOT use it

Equivalent to no security (almost)

Aircrack-ptw < 1 minute


WPA and WPA2

• WPA
– Stronger security, maintaining hardware compatibility
• WPA2
– Even stronger security
– Need new hardware


WPA Personal/WPA-PSK

• Both WPA and WPA2 can be used with a passphrase (8-63 characters)
• Weak passphrases offer WEP-like protection..NONE
• Use a strong password generator (free): https://www.grc.com/passwords.htm
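
An added illustration, not part of the original slides: in WPA/WPA2-PSK the 256-bit key is derived from nothing but the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations), so the key is only as unpredictable as the passphrase. The function names are this example's own; the check value is the published IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII characters (space left out to avoid copy/paste mistakes).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length=63):
    """Random passphrase from the OS CSPRNG; WPA allows 8-63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


def wpa_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8-63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Same passphrase, same SSID -> same key on every network that uses them.
    print(wpa_psk("password", "IEEE").hex())
    strong = generate_passphrase()
    print(strong, "(%.0f bits)" % entropy_bits(len(strong)))
    # A short dictionary-style passphrase carries far less entropy.
    print("8 random lowercase letters: %.0f bits" % entropy_bits(8, 26))
```

Because the SSID is the salt, the same passphrase yields a different key under a different SSID.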


Wireless Security Tips – At Home

• Change default values
– IP addresses
– Admin passwords
• Adjust the power output of your access point if possible
• Use MAC address filtering
• Change the default SSID
• Enable WPA/WPA2
– Use a strong passphrase (20+ char)
• Set AP configuration to HTTPS if possible


Wireless Security Tips – On the move

• Switch off your wireless card if not needed
• Do not connect automatically to wireless networks (nothing comes free)
• Change your personal firewall settings to not trust the local network
• Be on your guard


General Wireless Security Tips

• Download and install MS wireless update
• Uncheck automatic connection to unprotected networks
• Keep your computers patched all the time
• Remember that hotspot networks are not secure


Questions?