computer security lab juseung yun

Post on 25-Feb-2016


DESCRIPTION

Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks. Computer Security Lab, Juseung Yun.

TRANSCRIPT

Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks

Computer Security Lab, Juseung Yun

Paper Information

Detail Paper Information
  Title: Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
  Authors: P. Akritidis, W.Y. Chin, V.T. Lam, S. Sidiroglou, K.G. Anagnostakis
  Published: 2007, USENIX

Hanyang Univ. Computer Security Lab.

Goals

Quantify threat from large-scale distributed attacks on wireless networks
Focus on three attacks

Introduction

Attackers are evolving
  Explore creative ways to exploit systems
  Target new technologies and services as they emerge
Any technology or service reaching critical mass draws attention
Some of the largest security lapses are due to designers being ignorant of the threat landscape
Soon wireless networking will reach critical mass

Introduction

Study 3 possible threats
Countermeasures are not implemented even though mechanisms are either available or easily implemented.
Threats are underestimated

Wildfire Worms - Introduction

Cabir virus in 2004 -> Symbian OS vulnerability
Focus on worms that could propagate over 802.11 networks
Main concern: the large number of laptops

Wildfire Worms - Propagation

Probe victims in the neighborhood
Gather list of usable access points
Nodes at intersections are used for the propagation of the worms
Wireless hotspots

Wildfire Worms - Mobility

Wireless population : Laptops, PDAs, smart phones
Mobility :
  Compensates for sparse connectivity
  Helps propagation into secure networks

Wildfire Worms – Open vs Protected Access Points

Open access points : any worm can propagate
WEP encrypted : attacks have already been implemented
WPA (Wifi Protected Access) : susceptible to brute force attacks combined with a weak password
Any type of wifi network can be easily compromised so most likely worms will carry additional payload of cracking tools

Wildfire Worms – Infection Process

Push Method : Probe for an exploitable service and inject code
Pull Method : Man-in-the-middle attack. Listen for broadcasts, pretend to be the web server and respond with pages that include exploits
Broadcast nature of wireless networks makes pull method an attractive method for attackers to use

Wildfire Worms – Proof of concept implementation

Authors created a wildfire worm for both Windows XP and Vista from WLAN API already available.
The worm was able to associate itself with an AP, scan the local subnet for vulnerable machines and inject code (push method).
It exploited the vulnerability found in Apache Web server 1.22

Wildfire Worms – Analysis

Wifi worms require a widespread vulnerability
Do such vulnerabilities exist?
  Data taken from NVD, Securityfocus concerning Windows XP SP2 between 8/04 – 1/07
  Classified into push/pull “friendly”
  Vulnerability window : time exploit was known and was not patched
  Push type flaws existed for 11.89% of period
  Pull type existed for 48.47%
  For 98 days critical security flaws in IE allowed the theft of personal and financial data

Wildfire Worms – Simulation

Push type worm, assuming AP radius of 90m, 14 and 8 Mbps networks, Transmission speed ~100KB/host


Large-scale Wifi Spoofing

Protocols such as DHCP, TCP, DNS are vulnerable to man-in-the-middle attacks
Attackers can perform spoofing in any wireless network within range of the controlled host’s vicinity

Wifi Tracknets

Wifi networks can very well become the new “Big Brother”
However the most concerning thing is that attackers can set up a tracking system remotely, without physical infrastructure
Tracknets provide location information and leak significant amount of personal information

Wifi Tracknets – Tracking Methods

Tracknet masters gather information from hosts and create their unique profiles
  MAC Addresses : Unique per host, randomizing it may lead to software errors and conflicts between ISPs
  Live bookmarks – RSS : Customized news feeds presented in browser, can be eavesdropped and added to the user profile information
  Location tracking : Radio signal characteristics of WLANs to pinpoint user location
  Instant messaging, online service portals, cookies

Wifi Tracknets – Experimental Analysis

Effectiveness is expressed in terms of network coverage

Wifi Tracknets – Experimental Analysis

Accuracy of gathered RSS profiles

Defense Strategy

User awareness : Strong passwords, use of WPA/WPA2
Wireless IPS :
  APs have limited computing resources
    Use a subset of known signatures
  Centralized wireless controller. All local traffic is directed here for inspection before being redirected back to the user.
    Use full set of signatures
    Rely on honeypot feeds for zero-day attacks
Attackers can avoid AP inspection by performing a low power signal emission (whisper attack), severely reduces range of attack

Defense Strategy

Lightweight alternatives to WPA and VPN
Ingress filtering : Traffic originating from the wireless network should have an IP address on the local network. DNS spoof attacks will arrive from the local network yet they will have an external IP address. However with help from a collaborator outside the local network, with some limitations, this attack can succeed
Packet rewriting against collaborator attack : Map DNS and TCP numbers to another space using hash functions. Can be used if hardware provides cheap hash functions

Defense Strategy

802.11 spoofing : Attacker violates 802.11 protocol to directly transmit frames to the victim. AP can detect the attack by monitoring transmissions it did not send
Whisper attack detection : Bookkeeping of request-reply pairs to detect excess and inconsistent replies. Alert when host appears to retransmit even after receiving a reply
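
The request-reply bookkeeping named on this slide, sketched as an added example (it is not code from the paper or from the presentation). The event tuple format, the alert labels, the client names and the sample addresses are assumptions made for the illustration.

```python
# Assumed event model: the monitoring point (AP or wireless controller) logs
# one tuple per observed DNS-like message:
#   (kind, client, txid, answer)   kind is "request" or "reply"
# Replies are listed under the client they were delivered to.

def audit(events):
    """Return (alert, client, txid) tuples in the order they are detected."""
    seen = {}      # (client, txid) -> answers already delivered for that request
    alerts = []
    for kind, client, txid, answer in events:
        key = (client, txid)
        if kind == "request":
            # Host asks again although a reply was already delivered to it.
            if seen.get(key):
                alerts.append(("retransmit-after-reply", client, txid))
            seen.setdefault(key, [])
        elif kind == "reply":
            answers = seen.get(key)
            if answers is None:
                # Reply that matches no recorded request.
                alerts.append(("excess-reply", client, txid))
            elif answers:
                # A second reply for one request: same content is excess,
                # different content is inconsistent.
                label = "excess-reply" if answer in answers else "inconsistent-reply"
                alerts.append((label, client, txid))
                answers.append(answer)
            else:
                answers.append(answer)   # first reply, normal exchange
    return alerts

# Constructed sample trace (documentation address ranges, made-up txids).
SAMPLE = [
    ("request", "client-A", 0x1A2B, None),
    ("reply",   "client-A", 0x1A2B, "192.0.2.10"),     # normal pair
    ("request", "client-B", 0x0777, None),
    ("reply",   "client-B", 0x0777, "192.0.2.20"),
    ("reply",   "client-B", 0x0777, "198.51.100.66"),  # second, different answer
    ("request", "client-C", 0x0042, None),
    ("reply",   "client-C", 0x0042, "192.0.2.30"),
    ("request", "client-C", 0x0042, None),             # asks again after a reply
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

A production monitor would also expire old entries from the table and tolerate ordinary packet loss before raising the retransmit alert.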

Conclusion

Wireless technology is bound to draw attackers’ attention soon
High risks involved: large-scale rapid worm infections, user profiling
User awareness must be raised and security issues must be dealt with

The End