TRANSCRIPT
Attacking Wireless Connections: How to protect yourself
Jose Ruiz MIS – OSWP, MCSA, MCT
18 May 2013, Puerto Rico Educators Cyber Security Awareness Training
Anfiteatro Maestros Rafael Cordero, Universidad de Puerto Rico, Río Piedras
#cybersecuritypr
Introduction
• Who am I?
– Masters in Information Systems
– Electronic fraud detection and prevention
– Offensive Security Wireless Professional
– Microsoft Trainer
– Just love what I do! (That simple!)
Wireless Communications
• Seamless mobility
• It's everywhere
• Mass adoption
• Integrated into all devices
– Laptops
– Phones
– Embedded devices
• Connects to the Internet
Wireless Security Challenges
• How do you protect something you can't see?
• Extends beyond the victim's boundaries
• Mobile clients
• Difficult to locate the attacker
• Attacks can be done from miles away
Typical Victims
Tools of the trade
WEP
• Wired Equivalent Privacy
• Security algorithm for wireless networks.
• Introduced in September 1999.
• Provides a degree of data confidentiality.
• Key size: 10 or 26 hexadecimal digits.
– Example: 0023A2B798
• Often the first security choice presented to users in routers.
WEP
• Anyone can authenticate to the network:
– It lets you in, although no data transmission is allowed.
• Confidentiality vulnerabilities:
– The header is not encrypted or checked as part of the 'message integrity check'.
• Replay attacks:
– The ICV is not linked to timestamps or session sequence numbers.
• Cracked 100% of the time – GUARANTEED!
WEP
• Why is it still used?
– Handheld scanners in stores use WEP.
– Enterprises with legacy devices that don't allow WPA still use WEP.
– CLARO still sells you boxes with WEP!!!
– Customer misinformation.
WPA
• Wi-Fi Protected Access (WPA) / (WPA2)
• Response to the major flaws in WEP
• Became available in 2003.
• Not limited to the 0123456789ABCDEF key characters.
• Long strange passwords - GOOD!!!!
WPA
• Still can get cracked.
• Weak passwords are the key
– Ex. carlitos1232
• Weak passwords make it easier than WEP!!!
• Good dictionaries might find the password.
• It was the best option until…..
…WPS decided to show up
• WPS (Wi-Fi Protected Setup) - standard that simplifies the setup of a secure wireless home network.
• Created by the Wi-Fi Alliance in 2007
• Allows less experienced users to set up wireless security, add devices etc. with little effort and…
…WPS decided to show up
• NO NEED FOR LONG PASSPHRASES!!
• We got WPS – We're sexy and you know it!!!
LMFAO!!!!
…WPS decided to show up
• This flaw allows the recovery of the WPS PIN in a few hours and, with it, the network's WPA/WPA2 pre-shared key.
• By the way… it works even if your passphrase is up to 62 characters!!!
…WPS decided to show up
• Users have been urged to turn off the WPS feature.
• This may not be possible on some router models.
• On tests that I've done it doesn't matter. If it supports WPS out of the box it is vulnerable either with WPS on or off.
This is how you look…
Wireless Security Myths
• What you do:
– I hide my SSID
• Yeah… ok… whatever…
• What they do:
– Deauthenticate you or brute force your AP
Wireless Security Myths
• What you do:
– I restrict MAC access
• Oh really?!?! Dream on!!!!
• What they do:
– Scan you, get your MAC and impersonate you
Wireless Security Myths
• What you do:
– I assign static IPs
• Ok stop, you're killing me!!!
• What they do:
– Once we crack the AP we scan your devices, get an IP and impersonate you…. AGAIN!!!
Wireless Security Myths
• I use WPA
– With a strong password???
– Uhh???
– Okay… I give up…
He can see me… Can I see him?
• Yes you can… and scan him back!!!!
• Unless…
• He changes his regulatory domain…
– Now he can use wireless channels restricted in the US, so he can do whatever he wants and you just stand there!!!!
Basic Attacks (WPA)
Basic Attacks (WPA - Reaver)
4954 seconds = almost 90 minutes
So you are compromised (or not)
Vulnerable Routers
• Can be cracked in 11 hours…
Vulnerable Routers
• Can be cracked in 3 hours…
Vulnerable Routers
• Can be cracked in 45 minutes…
• (NETGEAR Wireless Router – WNDR3700v1)
Vulnerable Routers
• Can be cracked in 45 minutes or less…
• (CISCO/Linksys - Wireless Router – WRT100)
Still safe with one of these!
• NETGEAR - WGR614v8
Still safe with one of these!
• THOMSON - TG782
• The irony is…
Still safe with one of these!
• This box is secure… but CLARO sells it with WEP, so it can be cracked in 10 minutes…..
Do I have any hope?
• To be honest… NOT A LOT!!!!!
• But there are things you could do to lessen the chances of being a victim.
Countermeasures
• Wireless IS vulnerable.
• Even if you apply every suggestion, it's not a guarantee of safety.
• The more experienced the attacker, the more security measures he can circumvent.
Countermeasures
• Use the most secure encryption possible: WPA2 with a non-WPS router.
• Change the default IP address scheme of 192.168.1.1 / 192.168.0.1 to make it even harder to get to your devices if your Internet box is compromised.
• Use the AP's firewall, define additional security policies and apply them. For example, do not allow any traffic coming in or out that has an internal IP address as the source. Your proxy should be doing this job.
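The firewall bullet above, as an added example that is not part of the talk: the "internal source address on the Internet side" check in Python together with the matching Linux iptables rules. The WAN interface name `eth0`, the LAN interface `br-lan` and the sample addresses are assumptions.

```python
"""Added example (not from the talk): the slide's "no internal source address
in or out" rule as WAN-side anti-spoofing, plus the iptables lines for it.
The interface name and sample packets are constructed for illustration."""
import ipaddress

WAN_IF = "eth0"  # assumed name of the Internet-facing interface
# RFC 1918 ranges are not routable on the public Internet, so a packet
# arriving from the WAN with one of them as source is spoofed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when addr lies in an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def decide(iface, src):
    """Verdict for a packet entering the router on iface from source src."""
    if iface == WAN_IF and is_internal(src):
        return "DROP"    # claims to be one of your own hosts: spoofed
    return "ACCEPT"      # left to the rest of the ruleset


def iptables_rules(wan_if=WAN_IF):
    """Linux iptables rules implementing decide().

    Only the inbound half is a DROP rule. Outbound packets still carry their
    private source when the FORWARD chain sees them and are rewritten by NAT
    afterwards, so the "out" half of the slide's rule is the MASQUERADE line
    (the "proxy" doing its job), not a filter rule.
    """
    rules = []
    for net in INTERNAL_NETS:
        rules.append(f"iptables -A INPUT   -i {wan_if} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -i {wan_if} -s {net} -j DROP")
    rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE")
    return rules


# Constructed samples: spoofed from the Internet, a legitimate Internet host,
# and a LAN host on the inside interface (not the WAN filter's concern).
SAMPLES = [("eth0", "192.168.1.50"), ("eth0", "203.0.113.9"),
           ("br-lan", "192.168.1.50")]

if __name__ == "__main__":
    for iface, src in SAMPLES:
        print(f"{iface:7} {src:15} {decide(iface, src)}")
    print("\n".join(iptables_rules()))
```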
Countermeasures
• Disable the auto-connect feature. Your computer remembers every single AP it connects to, so an attacker can fake your AP even if you are 1000 miles from it.
• Don't use public Wi-Fi spots to surf sensitive websites.
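An added example, not from the talk, that ties the fake-AP warning above to the WEP slides: a Python script that parses a scan in the layout of `netsh wlan show networks mode=bssid` and flags WEP networks, unencrypted networks, and any BSSID that advertises your SSID but is not your router. The `SCAN` text, the `KNOWN_APS` table and every SSID and BSSID in it are constructed.

```python
"""Added example (not from the talk): audit a netsh-style Wi-Fi scan for WEP,
unencrypted networks, and fake APs advertising one of your own SSIDs.
The SCAN text and KNOWN_APS below are constructed for illustration."""
import re

# Your own SSIDs and the BSSIDs that legitimately serve them (constructed).
KNOWN_APS = {"CasaRuiz": {"00:11:22:33:44:55"}}

# Constructed excerpt in the layout of "netsh wlan show networks mode=bssid".
SCAN = """\
SSID 1 : CasaRuiz
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
    BSSID 2                 : 66:77:88:99:aa:bb
SSID 2 : CLARO-1234
    Encryption              : WEP
    BSSID 1                 : de:ad:be:ef:00:01
SSID 3 : FreeWifi
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:02
"""

def parse_scan(text):
    """Return one (ssid, encryption, bssid) tuple per visible BSSID."""
    nets, ssid, enc = [], None, None
    for line in text.splitlines():
        if m := re.match(r"SSID \d+ : (.*)", line):
            ssid, enc = m.group(1).strip(), None
        elif m := re.match(r"\s*Encryption\s*: (.*)", line):
            enc = m.group(1).strip()
        elif m := re.match(r"\s*BSSID \d+\s*: ([0-9a-fA-F:]{17})", line):
            nets.append((ssid, enc, m.group(1).lower()))
    return nets

def audit(nets, known=KNOWN_APS):
    """Map (ssid, bssid) to the list of problems the talk warns about."""
    findings = {}
    for ssid, enc, bssid in nets:
        issues = []
        if enc == "WEP":
            issues.append("WEP: key recoverable in minutes, move to WPA2")
        if enc == "None":
            issues.append("no encryption: anyone nearby can read the traffic")
        if ssid in known and bssid not in known[ssid]:
            # Same name as your network but not your router: the fake AP an
            # auto-connecting client would join without asking.
            issues.append("unknown BSSID for your SSID: possible fake AP")
        if issues:
            findings[(ssid, bssid)] = issues
    return findings
```

Calling `audit(parse_scan(SCAN))` on the constructed scan reports the WEP network, the open one and the second BSSID claiming to be CasaRuiz, while the genuine router produces no finding.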
Countermeasures
• I know I bashed this, but do it (more is better):
– Change and hide the default SSID.
– Restrict access by assigning static IP addresses.
– Use MAC filtering.
• Turn off your router when not in use.
• If you encounter a certificate warning, DON'T blindly click OK. Read it!
• Keep your browser updated.