analysis of 802.11 privacy jim mccann & daniel kuo eecs 598
Post on 20-Dec-2015
218 views
TRANSCRIPT
![Page 1: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/1.jpg)
Analysis of 802.11 Privacy
Jim McCann & Daniel Kuo
EECS 598
![Page 2: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/2.jpg)
Overview
Part 1:
• The idea– What our software does
Part 2:
• Applications: Locating rogue access points– How our software can help
![Page 3: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/3.jpg)
Part 1
User identity / MAC address
Relationship Identification
![Page 4: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/4.jpg)
Collection Method
• Run a laptop as a sniffer in a wireless network
• Record packets that are sent
• Software used:– Kismet– Ethereal– Lots of PERL
Wirelesscommunication
Base station
Clients
Sniffer
![Page 5: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/5.jpg)
Personal Information
Some interesting packets that leak personal information:
• SMTP packets – unencrypted packets contain source and destination email address
• IMAP packets – though encrypted versions are available, some people don’t use them
![Page 6: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/6.jpg)
Personal Information
• Multicast DNS packets – information broadcast for device discovery in Apple’s Rendezvous service. Reveals a computer’s ID (user’s name by default)
• NetBIOS Name Service – used when browsing windows networks, also shows computer’s name (though windows defaults are less revealing)
![Page 7: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/7.jpg)
Personal Information
• HTTP post – some personal information may be leaked if unencrypted post is used
• MSN Messenger packets – the hotmail address is found in some packets
• Also AIM, YMSG, FTP, Telnet (if anyone still use it), many other protocols.
![Page 8: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/8.jpg)
Findings
Most of our data is collected in the EECS building, where two networks are available:
• EECS-PRIV: an unencrypted wireless network
• CAEN wireless: can be connected only with VPN client
![Page 9: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/9.jpg)
Findings
• Two weeks of data from the EECS-PRIV network:
• Of the 1744 MACs we saw:– 850 had some identifying information– About 200 had strong identifying info
• Why not more?– This counts computers on the VPN which we
make no attempt to identify.
![Page 10: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/10.jpg)
Time profile of user
At a coarser level …
![Page 11: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/11.jpg)
Time profile of user
• Based on a MAC address, a time plot of network usage can be used to analyze user’s behavior.
• Typical plots reveal:- what time of the day - what days of the weeka user is present.
• Might be interesting for malicious parties when MAC can be correlated to identity.
![Page 12: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/12.jpg)
Typical User's Time Profile
0
5
10
15
20
25
30
35
40
45
Fri0:00
12:00 Sat0:00
12:00 Sun0:00
12:00 Mon0:00
12:00 Tue0:00
12:00 Wed0:00
12:00 Wed0:00
12:00 Thu0:00
12:00 Fri0:00
12:00 Sat0:00
12:00 Sun0:00
Time
Kil
oB
ytes
tra
nsf
erre
d
![Page 13: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/13.jpg)
Demo
• Demo of our software
![Page 14: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/14.jpg)
Feasibility of identity analysis
• Unencrypted network like EECS-PRIV is easiest to perform the analysis on user identity from an attacker’s perspective
• In a WEP environment, it is also possible for an “insider” who has the key, or an attacker who can break the key using chosen plaintext attacks.
• Much more difficult in the CAEN VPN environment
![Page 15: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/15.jpg)
Implications
• A user’s movement can be tracked if the laptop’s wireless card is on, and data collecting nodes are set up in multiple locations.
• Also, attackers can use this technique to target important people (for example, professors or network administrators).
![Page 16: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/16.jpg)
Possible Defense Mechanism
Simple ways to stop others from correlating your personal information with MAC Addresses:
• Don’t send personal data
or
• Don’t keep the same MAC address
![Page 17: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/17.jpg)
Possible Defense Mechanism
Not sending personal data:
• Be paranoid- Do not send email, passwords in the clear- Do not name your computer with your name or uniqname
• Use encryption whenever possible- Best to use VPN- Using WEP is still better than nothing
![Page 18: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/18.jpg)
Possible Defense Mechanism
Changing your MAC Addresses:
• Software can change the MAC address of many wireless cards
• When is a good time interval?
![Page 19: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/19.jpg)
Possible Defense Mechanism
• Changing every time you start using the network will be a problem if you stay connected for a long time.
• Changing MAC address every given amount of time (say 1 hour) may help.– Special software to do this seamlessly would be
nice, but there are hard cases to deal with (MAC address conflicts!).
![Page 20: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/20.jpg)
Part 2:
Laptops as Rogue Access Points
![Page 21: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/21.jpg)
Laptops as Rogue Access Points
• How to do this:– Have the laptop establish an ad-hoc network
using the wireless card– Access the internet through ethernet
• This is similar to a commercial access point.
Ad-hocnetwork Authorized
accessEthernet hub
Authorizedclient
Unauthorizedclients
1 2 3 4 5 6
7 8 9101112
AB
12x
6x
8x
2x
9x
3x
10x
4x
11x
5x
7x
1x
Eth
erne
t
A
12x
6x
8x
2x
9x
3x
10x
4x
11x
5x
7x
1x
C
![Page 22: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/22.jpg)
Laptops as Rogue Access Points
• It is possible for a laptop to act as a wireless router and allow access to an authorized network.
• It establishes an ad-hoc network with unauthorized clients and routes their packets over to the network that it is authorized on.
Ad-hocnetwork Authorized
accessBase station
Authorizedclient
Unauthorizedclients
![Page 23: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/23.jpg)
Laptops as Rogue Access Points
• This requires additional hardware (second wireless card) and/or software for the laptop to establish both an ad-hoc network and connect to the authorized network.
![Page 24: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/24.jpg)
Discovering access points
Finding if unauthorized access points or ad hoc networks exist isn’t hard.
• Look for people sending packets with BSS Id’s you don’t approve of (if you are an admin).
• Look for networks you can connect to (if you are an attacker).
![Page 25: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/25.jpg)
Discovering access points
• Kismet does just this:
![Page 26: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/26.jpg)
Tracking
Finding where they actually are is harder.
![Page 27: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/27.jpg)
Tracking by Identity (our method)
• Possible to figure out who controls the access point by looking at identity data.
• Hypothesis: unauthorized APs are carelessly administrated and don’t use encryption.
• Our software can figure out who is using them.
![Page 28: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/28.jpg)
Tracking by Connections
• Find identity on our network of the rogue access provider by comparing data sent over the ad-hoc network.
• In an unencrypted network (or one we have the keys for), this can be detected by passively sniffing packets.
• More tricky if the data is encrypted – Using Signal Processing to Analyze Wireless Data Traffic (Craig Partridge, et al.)
![Page 29: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/29.jpg)
Tracking by Connections
• Problem: We haven’t found a person, just another computer address.
• We need a list of who uses what on the local network.
• Our software helps!
![Page 30: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/30.jpg)
Tracking by Signal Strength
Alternative:
• Collect data and use signal strength to pinpoint the location of unauthorized clients and access points.
• More complicated.
• A Practical Approach to Identifying and Tracking Unauthorized 802.11 Cards and Access Points (Interlink Networks)
![Page 31: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/31.jpg)
Tracking by Signal Strength
• Locating an access point with signal strength
![Page 32: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/32.jpg)
Uses and Abuses
• Some users may not want their locations to be revealed.
• Spammers may start wardriving.
![Page 33: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/33.jpg)
Conclusion
• Privacy is an issue for wireless networks, especially unencrypted networks.
• MAC addresses can be used to track users.• Our software can be used to help discover
what types of privacy information are leaked over the network.
• Can also help track users related to an unauthorized access point.
![Page 34: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/34.jpg)
Questions
Questions?
![Page 35: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/35.jpg)
Laptops as Rogue Access Points
Situation where this may be a problem:
• Lufthansa airline is providing in-flight wireless internet service starting this month
• Cost is $29.95 for flights over 6 hours
• Can imagine people ‘sharing’ the internet by using their laptops as rogue access points to share the cost
![Page 36: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/36.jpg)
Uses and Abuses
• Making the location of a user available may be beneficial.
• Google has a beta version of local search. This returns local information like restaurants for a location you enter.
• Can imagine in the future that the location of the user can be made available for google by the access point.
![Page 37: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/37.jpg)
Uses and Abuses
Tradeoff between convenience and privacy
• Apple’s Rendezvous service automatically discovers available services.
• User will (by default), name the computer “<First name> <Last name>’s Computer” for sharing purpose, and broadcast this info.
• This reveals the user’s personal information, so it would be better in privacy’s perspective to set the default identifier to something else.
![Page 38: Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598](https://reader036.vdocument.in/reader036/viewer/2022062421/56649d4b5503460f94a29091/html5/thumbnails/38.jpg)
Collection Method
• A captured packet viewed with Tethereal