Wireless Communication and Security
Posted on 16-Jul-2015
Who am I
At Netas since 2008, with experience in
Wireline and wireless telephony networks
VoIP - SIP systems
VoIP platform security for federal and government projects
Interested in
Radio Frequency (RF) stuff
Physical security
HAM Radio Operator (TB2THT)
Agenda
Wireless networks today
IEEE 802.11 – WiFi
IEEE 802.11 technology
Vulnerabilities
EM/RF leaking and TEMPEST
Tools
IEEE 802.11
802.11 standard
Uses unlicensed ISM spectrum, which is allocated by regulators
WiFi frequencies: 2.4 GHz, 5 GHz and 60 GHz (60 GHz from 2016, non-IEEE)
ISM Bands for WiFi
ISM (industrial, scientific and medical)
902 – 928 MHz
2.4 – 2.5 GHz
5.725 – 5.875 GHz
All ISM Bands
Frequency range            Bandwidth   Center frequency   Availability
6.765 – 6.795 MHz          30 kHz      6.780 MHz          Subject to local acceptance
13.553 – 13.567 MHz        14 kHz      13.560 MHz         Worldwide
26.957 – 27.283 MHz        326 kHz     27.120 MHz         Worldwide
40.660 – 40.700 MHz        40 kHz      40.680 MHz         Worldwide
433.050 – 434.790 MHz      1.74 MHz    433.920 MHz        Region 1 only and subject to local acceptance (within the amateur radio 70 cm band)
902.000 – 928.000 MHz      26 MHz      915.000 MHz        Region 2 only (with some exceptions)
2.400 – 2.500 GHz          100 MHz     2.450 GHz          Worldwide
5.725 – 5.875 GHz          150 MHz     5.800 GHz          Worldwide
24.000 – 24.250 GHz        250 MHz     24.125 GHz         Worldwide
61.000 – 61.500 GHz        500 MHz     61.250 GHz         Subject to local acceptance
122.000 – 123.000 GHz      1 GHz       122.500 GHz        Subject to local acceptance
244.000 – 246.000 GHz      2 GHz       245.000 GHz        Subject to local acceptance
WiFi Legacy
In 1991 AT&T began working on a wireless technology called WaveLAN
Now known as WaveLAN Classic
Operated in the 900 MHz spectrum
Developed in the Netherlands as a technology for wireless cashier systems
Supported data rates of 1 and 2 megabits per second
Wifi Since Then
1997: 802.11-1997 «Legacy», 1-2 Mbps, now obsolete
1999: 802.11a – 5 GHz, 54 Mbps
Orthogonal Frequency-Division Multiplexing (OFDM)
Lower signal range, didn't penetrate walls as well
«Late to market»
1999: 802.11b – 2.4 GHz, 11 Mbps
Not OFDM (DSSS modulation, as on the 2.4 GHz channels slide)
Wifi Since Then
2003: 802.11g, 54 Mbps
Best of both worlds between A and B
Uses 2.4 GHz (from B) and OFDM (from A)
Problems in dense areas: only 3 non-overlapping channels
Adopted early, with draft specifications
Wifi «Now»
2009: 802.11n
Theoretical maximum speed of 600 Mbps
Uses both the 2.4 and 5 GHz bands
40 MHz wide channels, double that of 802.11g
Backwards compatible with 802.11g
MIMO (Multiple Input Multiple Output)
4 channels and 4 antennas
Parallel operation
WiFi «Now»
2012: 802.11ac
Operates only in the 5 GHz band
Extended channel bonding: 80 and 160 MHz
More MIMO streams
Up to 1300 Mbps theoretical speed
WiFi Channels on 2.4 GHz - 802.11b/g/n
802.11b/g/n slice their spectrum into channels
802.11b (DSSS): 22 MHz wide channels
802.11g/n (OFDM): 20 MHz wide channels
5 MHz spectrum buffers for each channel
Channels 1, 6, 11 and 14 are discrete (non-overlapping)
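The overlap rule behind the "1, 6, 11 and 14" slide, worked through in code. This is an added example, not from the original deck; it assumes the standard 802.11 channel plan (channel 1 centred at 2412 MHz, 5 MHz steps, channel 14 at 2484 MHz) and the channel widths the slide quotes.

```python
# Added example (not from the original slides): which 2.4 GHz channels overlap,
# using the channel widths the slides quote (22 MHz for 802.11b DSSS, 20 MHz
# for 802.11g/n OFDM). Channel centres follow the standard 802.11 plan:
# 2412 MHz for channel 1, 5 MHz steps up to channel 13, channel 14 at 2484 MHz.

def center_mhz(channel: int) -> int:
    """Centre frequency in MHz of 2.4 GHz channel 1..14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")

def span_mhz(channel: int, width_mhz: float) -> tuple[float, float]:
    """Lower and upper edge of the channel for the given occupied width."""
    c = center_mhz(channel)
    return c - width_mhz / 2, c + width_mhz / 2

def overlaps(a: int, b: int, width_mhz: float) -> bool:
    """True when the two spans share spectrum (touching edges do not count)."""
    a_lo, a_hi = span_mhz(a, width_mhz)
    b_lo, b_hi = span_mhz(b, width_mhz)
    return a_lo < b_hi and b_lo < a_hi

def overlapping_channels(channel: int, width_mhz: float) -> list[int]:
    """All other channels whose span collides with this one."""
    return [c for c in range(1, 15)
            if c != channel and overlaps(channel, c, width_mhz)]

def plan_is_clean(plan: list[int], width_mhz: float) -> bool:
    """True when no two channels in an AP channel plan overlap each other."""
    return all(not overlaps(a, b, width_mhz)
               for i, a in enumerate(plan) for b in plan[i + 1:])

if __name__ == "__main__":
    print("channel 6 at 22 MHz collides with", overlapping_channels(6, 22))
    print("1/6/11/14 clean at 22 MHz:", plan_is_clean([1, 6, 11, 14], 22))
    print("1/5/9 clean at 22 MHz:", plan_is_clean([1, 5, 9], 22))
```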
WiFi Channels on 5 GHz - 802.11a/ac
All channels are non-overlapping
802.11a/n: 20/40 MHz wide channels
802.11ac: 20/40/80/160 MHz wide channels
Use of TDWR (Terminal Doppler Weather Radar) channels is prohibited by regulators
WiFi Channels on 60 GHz - 802.11ad
The maximum bit-rate of a wireless channel is limited by its bandwidth.
83.5 MHz of spectrum in the 2.4 GHz band
0.55 GHz of spectrum in the 5 GHz band
7 GHz of spectrum in the 60 GHz band
Total 4 channels, each 2.16 GHz wide
Modes of WiFi
Master – Access Point or Base Station
Managed – Infrastructure Mode (client)
Ad-hoc – peer-to-peer
Mesh – Mesh cloud (planned ad-hoc)
Repeater
Monitor (promiscuous) - (DEMO)
TX power
Limited by each country's laws/regulations
In Europe
17 dBm (or 50 mW) TX power
Max Equivalent Isotropically Radiated Power (EIRP) 20 dBm (or 100 mW)
Regulatory settings can be changed via kernel modification
You can also set your country to one with more permissive regulations - DEMO
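A compliance check for the European 2.4 GHz figures on the slide (17 dBm conducted, 20 dBm EIRP), as an added example that is not part of the original deck. It assumes the usual link-budget relation EIRP = TX power + antenna gain - cable loss (all in dB); the limit constants are taken from the slide.

```python
# Added example (not from the original slides): does a radio + antenna
# combination stay inside the European 2.4 GHz limits quoted on the slide?
# EIRP(dBm) = conducted TX power(dBm) + antenna gain(dBi) - cable/connector loss(dB).
import math

EU_2G4_TX_DBM = 17.0     # conducted TX power limit quoted on the slide (50 mW)
EU_2G4_EIRP_DBM = 20.0   # EIRP limit quoted on the slide (100 mW)

def mw_to_dbm(mw: float) -> float:
    """Milliwatts to dBm: 50 mW -> ~17 dBm, 100 mW -> 20 dBm."""
    return 10 * math.log10(mw)

def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)

def eirp_dbm(tx_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    return tx_dbm + antenna_gain_dbi - cable_loss_db

def max_antenna_gain_dbi(tx_dbm: float, cable_loss_db: float = 0.0,
                         eirp_limit_dbm: float = EU_2G4_EIRP_DBM) -> float:
    """Largest antenna gain that keeps EIRP within the limit at this TX power."""
    return eirp_limit_dbm - tx_dbm + cable_loss_db

def check_eu_2g4(tx_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> dict:
    """Report EIRP and whether both the conducted and the EIRP limits are met."""
    e = eirp_dbm(tx_dbm, antenna_gain_dbi, cable_loss_db)
    return {
        "eirp_dbm": round(e, 2),
        "eirp_mw": round(dbm_to_mw(e), 1),
        "tx_ok": tx_dbm <= EU_2G4_TX_DBM,
        "eirp_ok": e <= EU_2G4_EIRP_DBM,
    }

if __name__ == "__main__":
    # 17 dBm into a 3 dBi antenna lands exactly on the 20 dBm EIRP limit;
    # swapping in a 5 dBi antenna on the same radio does not.
    print(check_eu_2g4(17, 3))
    print(check_eu_2g4(17, 5))
    print("max gain at 17 dBm:", max_antenna_gain_dbi(17), "dBi")
```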
Open Networks
No encryption, everything is on the air - DEMO
Easy for man-in-the-middle attacks (MITM)
Evil access points - DEMO
Weak encryption – WEP (Wired Equivalent Privacy)
Part of the 802.11 specification
Aims to make the connection at least as secure as a wired connection
Used to protect MAC Protocol Data Units (MPDUs)
802.11 describes WEP as having two main parts
The first being the authentication part
The second being the encryption part
Mostly used until 802.11i
Uses the RC4 algorithm for encryption, which isn't secure
Easy to break, in less than 5 minutes
Weak designs
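The "weak design" in concrete terms, as an added example that is not from the original deck: WEP seeds RC4 with a 24-bit IV prepended to the shared key and sends the IV in the clear, so any two frames under the same IV share a keystream, and the IV space is small enough that repeats are inevitable. The key, IV and messages below are constructed for the demo; the CRC-32 ICV that real WEP appends is left out.

```python
# Added example (not from the original slides): why WEP's RC4 usage is weak.
# Toy key, IV and messages are constructed for the demo.
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP uses it as-is with key = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Ciphertext body only; the 3-byte IV travels unencrypted in the frame header."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV + same key => same keystream: c1 XOR c2 == p1 XOR p2, no key needed."""
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def frames_for_iv_collision(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before an IV repeats with probability `prob`."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"   # constructed toy values
    print("keystream reuse leaks p1^p2:",
          keystream_reuse_leak(key, iv, b"attack at dawn", b"hold position!"))
    print("frames until a 50% IV collision:", frames_for_iv_collision())
```

A busy AP reaches that frame count in seconds, which is one reason WEP belongs on the "disable" list rather than the "legacy compatibility" list.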
WPS – WiFi Protected Setup
WPS can be used in 3 ways
WPS button press
Client-generated 8 digit PIN
Access point-generated 8 digit PIN
WPS vulnerability
The PIN is almost always printed on the AP/router/modem
The PIN is verified in two stages
Only 11000 possibilities to try
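Where the slide's 11000 comes from, as an added derivation that is not part of the original deck (it uses the fact, from the WPS specification, that the eighth PIN digit is a checksum of the first seven):

$$
\text{raw 8-digit PINs} = 10^8, \qquad
\text{last digit is a checksum} \;\Rightarrow\; 10^7 \text{ valid PINs}
$$

Because the registrar acknowledges the first half (4 free digits) separately from the second half (3 free digits plus the checksum), the two halves can be confirmed independently, so the work adds instead of multiplying:

$$
10^4 + 10^3 = 11000 \;\ll\; 10^7
$$

The mitigation follows from the arithmetic: an AP that does not offer the PIN method at all, or locks the registrar after a handful of failed attempts, removes the cheap half-by-half confirmation.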
The Thing - The Great Seal bug
Designed by Léon Theremin
Consisted of a tiny capacitive membrane connected to a small quarter-wavelength antenna
EM/RF leaking
Every wire is an antenna
Your screen and keystrokes can be monitored even if you are not online
Tempest
TEMPEST is a National Security Agency specification and NATO certification [1][2] referring to spying on information systems through
Radio or electrical signals
Sounds
Vibrations
RTL2832U - Realtek
A USB 2.0 DVB-T TV card
Can operate as a 25 MHz – 1.7 GHz Software Defined Radio (SDR)
Only $10
DEMO (adsbsharp, adsbscope, hdsdr, GNU Radio Companion)
What you can do with it
HackRF
10 MHz – 6 GHz transceiver SDR
Needs a HAM Radio Operator license
About $350
What you can do with it
References
http://www.scholartica.com/
http://www.hak5.org
http://wireless.kernel.org/en/users/Documentation/Bluetooth-coexistence
http://www.tekgear.com/PDF/WHP-050004-1V0%20Bluetooth%20and%20802.11%20Coexistence.pdf
http://www.freshpatents.com/Enhanced-2-wire-and-3-wire-wlan-bluetooth-coexistence-solution-dt20070712ptan20070161349.php
https://greatscottgadgets.com