wireless insecurity. wireless 802.11a works on 5 ghz 802.11b,g,n works on 2.4 ghz access points and...

Wireless Insecurity

Upload: ethan-cook

Post on 21-Dec-2015


Wireless

• 802.11a works on 5 GHz

• 802.11b, g, n work on 2.4 GHz

• Access points and wireless cards are used.

• Protocol can be either in the clear or encrypted.

• Wired Equivalent Privacy (WEP) provides poor security


Scenario

[Diagram: Attacker, User, Access Point, Physical Security]


Typical Configuration

[Diagram: Attacker, User, Access Point, PCMCIA Wireless NIC, USB Wireless NIC, ISA/PCI Wireless NIC, Corporate Resources]


Wired Equivalent Privacy (WEP)

• RC4 Crypto algorithm

• 64, 128 bit encryption

• 24 bit Initialization Vector

• Compromised in under 24 hours

– Even faster now!!!

• No key management (key update)
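Why the 24-bit IV and the static key matter, as an added Python example that is not part of the original slides: WEP keys RC4 with IV || key, so a repeated IV under an unchanged key repeats the keystream. The key, IV and plaintexts are constructed values, and the CRC-32 integrity value of real WEP frames is omitted.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling pass, then XOR data with the generated keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: RC4 keyed with IV || key (no CRC-32 ICV)."""
    if len(iv) != 3:  # 24-bit IV, sent in the clear with every frame
        raise ValueError("WEP IV must be 3 bytes")
    return rc4(iv + key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frames_until_iv_repeat(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: random-IV frames sent before a repeat is this likely."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - probability))))


def demo() -> dict:
    key = bytes.fromhex("0102030405")  # constructed 40-bit key ("64-bit" WEP)
    iv = bytes.fromhex("a1b2c3")       # constructed IV, reused for two frames
    p1, p2 = b"user=alice pass=tiger", b"A" * 21
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    return {
        # Same IV and same static key give the same keystream, so it
        # cancels and only plaintext XOR plaintext remains.
        "keystream_cancels": xor(c1, c2) == xor(p1, p2),
        # Knowing one plaintext then reveals the other without the key.
        "recovered": xor(xor(c1, c2), p2),
        "fresh_iv_differs": wep_encrypt(b"\x00\x00\x01", key, p1) != c1,
        "frames_for_50pct_repeat": frames_until_iv_repeat(0.5),
    }
```

With no key update, every IV repeat on the network stays useful to an eavesdropper for as long as the shared key remains in place.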


Configuring Wireless

Service Set Identifier (SSID)

Key


Steps for attack

• Surveying (Wardriving/Warwalking)

• Identification (Warchalking)

• Cryptanalysis (Cracking)

• Penetration

• Exploitation


Wardriving Tools

• Laptop or PDA with Wireless Card

– Prism Wireless Card for promiscuous monitoring

– Antenna

– GPS

– Netstumbler

– Kismet

– Wireshark

[Pictures: GPS, Antenna]


PDA with wireless card and Ministumbler

Goal is to identify Access Points and SSIDs


Warchalking

Identifying wireless sites is a new trophy sport for some.


Note: Access Points are identified


Warchalking as a Social Activity


WEP Cracking

• Capture the packets of an Access Point for a Day using Ethereal.

• Pass through WEP Crack (Shareware)

• Will identify the key in under an hour.

• WEP crypto will be defeated (including 128 bit)

Nobody uses WEP anymore, right?


WPA2

• TKIP

• AES

• WPA2-PSK can be cracked when the PSK is under 21 characters

Use LONG pass phrases for Wireless

Everyone has the right to life, liberty and security
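One way to check an access point configuration against the points on these slides, as an added Python example that is not part of the original deck: it audits a hostapd-style configuration for WEP keys, a missing encryption setting, and a passphrase below the 21-character threshold quoted above. The sample configuration is constructed, and the TKIP finding goes beyond what the slides state.

```python
MIN_PSK_LEN = 21  # threshold quoted on the slide

# Constructed sample, not a real deployment.
SAMPLE_CONF = """\
ssid=corp-guest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=Summer2015!
"""


def parse_conf(text: str) -> dict:
    """Parse hostapd-style key=value lines, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return (setting, finding) pairs for the weaknesses the slides name."""
    findings = []
    wep = any(k.startswith("wep_key") for k in conf)
    wpa_mode = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    if wep:
        findings.append(("wep_key", "WEP in use: poor security, move to WPA2"))
    elif wpa_mode == 0:
        findings.append(("wpa", "no encryption: traffic is sent in the clear"))
    # Added beyond the slides: TKIP is deprecated; CCMP is the AES mode.
    ciphers = f"{conf.get('wpa_pairwise', '')} {conf.get('rsn_pairwise', '')}"
    if wpa_mode and "TKIP" in ciphers.split():
        findings.append(("pairwise", "TKIP offered: restrict to CCMP (AES)"))
    psk = conf.get("wpa_passphrase")
    if psk is not None and len(psk) < MIN_PSK_LEN:
        findings.append(("wpa_passphrase",
                         f"{len(psk)} chars: use {MIN_PSK_LEN} or more"))
    return findings
```

Running `audit(parse_conf(SAMPLE_CONF))` reports the TKIP cipher and the 11-character passphrase.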


Bypassing Access Points with MAC Access Control

• Some Access Points require MACs to authenticate access.

• MACs can be discovered and forged

• Using Linux – ifconfig eth0 hw ether 11:11:11:11:11:11


Other tools

• AirSnort

– AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

• AirJAM

– Jams Access Point

– Denial of service attack


• Aircrack-ng and WEPLab are 802.11 WEP key crackers implementing the Fluhrer-Mantin-Shamir (FMS) attack and the KoreK approach.

• CoWPAtty (Dictionary attack tool)


Penetration

• Access the network

• Take/Alter Data

• Use backdoor (Wi-Fi) or Front Door (cable)

• GO TO JAIL – Criminal Code


Improvements

• Wi-Fi Protected Access

• WPA2 (802.11i)

• Implementation of Temporal Key Interchange Protocol

• Extensible Authentication Protocol


Other safeguards

• RADIUS Access control

• VPN based on Certificates

• Intrusion Prevention System

• Intrusion Detection System


What is the point?

• Vulnerabilities are discovered

• Vulnerabilities get fixed

• New vulnerabilities appear

• You must re-assess safeguards