Wireless Security…
The cost of convenience.
Erik Graham, CISSP-ISSAP
Key Aspects of Information Security
Wireless Technologies
General Attacks/Defense
Wireless - 802.11 a/b/g
– Overview
– Attacks/Defense
Wireless - Bluetooth
– Overview
– Attacks/Defense
Questions
What Is Information Security?
Key Aspects of Information Security
Confidentiality
– Protecting information from unauthorised disclosure
Integrity
– Protecting information from unauthorised modifications, and ensuring that information is accurate and complete
Availability
– Ensuring information is available when needed
Know Your Enemy
“Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.”
Sun Tzu, Art of War
Wireless Technologies
What are wireless technologies?
– Wireless technologies allow users to access/exchange information without having to be physically connected
– RF (Radio Frequency)
• Bluetooth
• 802.11
– IR (Infrared)
• Wireless handheld devices (require line of sight)
– Cellular
Wireless Technologies
What problems are associated with this technology?
– Information now moving across airwaves rather than a fixed cable
– Devices are normally made for easy install
– Convenience vs security
Wireless Technologies
Why should I care?
– Scenario 1: An individual uses your open wireless connection to attack other computers…
– Scenario 2: Your open wireless allows an individual to access your sensitive/personal data…
– Scenario 3: An individual uses your open wireless connection to access your computer and store illegal images…
General Attacks/Defense
Common defense for all attacks…
… EDUCATION …
“I don’t care how many millions of dollars you spend on technology. If you don’t have people trained properly, I’m going to get in if I want to get in.”
Susie Thunder, Cyberpunk
Alert the users to possible threats
Educate users on the security policy
Educate users on social engineering
Train users on security software
Wireless - 802.11 a/b/g
Wireless - 802.11 a/b/g - Overview
Common to all versions:
– Frequency range is international (ISM band)
802.11b
– Maximum transfer rate: 11Mb
– Range – 50m (150ft)
– Operating frequency – 2.4 GHz
802.11a
– Maximum transfer rate: 54Mb
– Range – 25m (75ft)
– Operating frequency – 5 GHz
802.11g
– Maximum transfer rate: 54Mb
– Range – 50m (150ft)
– Operating frequency – 2.4 GHz
– Backwards compatible with 802.11b
Wireless - 802.11 a/b/g - Architecture
Wireless LANs
– Ad-Hoc Mode:
Wireless - 802.11 a/b/g - Architecture
Wireless LANs
– Infrastructure Mode:
Wireless – 802.11 a/b/g
Attack/Defense
Wireless – 802.11 a/b/g
Attack:
– Default Settings
Defense:
– Change default passwords to access point!
– Implement security
Wireless – 802.11 a/b/g
Attack:
– Signal propagation
Defense:
– Use directional antennas
– Control the broadcast power to limit the signal propagation to company owned or controlled property.
– Think in three dimensions!
Wireless – 802.11 a/b/g
Attack:
– Sniffing
• Kismet - www.kismetwireless.net
– Can be used to determine SSID and MAC addresses
• NetStumbler - www.netstumbler.com
Defense:
– Encryption
• Use the strongest encryption algorithm available
• Use the highest level of encryption available
Wireless – 802.11 a/b/g
Attack:
– Jamming
• Void11 – www.wlsec.net/void11
Defense:
– Solution will vary based on the specifics of the attack
– Difficult to stop intentional jamming
Wireless – 802.11 a/b/g
Attack:
– Cracking WEP encryption
• WEPCrack - wepcrack.sourceforge.net
• DWEPCrack – www.dachb0den.com
Defense:
– Avoid encryption algorithms that have known issues such as WEP
Wireless – 802.11 a/b/g
Attack:
– Breaking LEAP authentication
• Anwrap – www.securiteam.com
Defense:
– Avoid authentication algorithms that have known issues such as LEAP
Wireless – 802.11 a/b/g
Attack:
– Information Disclosure
• Kismet - www.kismetwireless.net
• NetStumbler - www.netstumbler.com
Defense:
– Do not use an SSID that can identify the location/owner
– Disable broadcasting of the SSID
Wireless – 802.11 a/b/g
Attack:
– Intercepting client
– Rogue Access Point
• Airsnarf - airsnarf.shmoo.com
Defense:
– Use strong forms of machine authentication such as 802.1x EAP
– Use user authentication in addition to machine authentication
– User authentication should be two-factor
– Educate the user on what a valid authentication will look like
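An added example, not part of the original slides: a Python audit that checks an access-point inventory against the 802.11 defenses listed in this section (default passwords, transmit power, WEP, LEAP, 802.1x, SSID naming and broadcast). The record fields, finding names, factory-SSID list and sample inventory are assumptions constructed for illustration.

```python
# Added example: audit access-point records against the deck's 802.11 defenses.
# Field names, SSID list and the sample inventory are assumptions for illustration.
from dataclasses import dataclass

WEAK_ENCRYPTION = {"none", "wep"}   # "avoid encryption algorithms with known issues"
WEAK_AUTH = {"leap"}                # "avoid authentication algorithms with known issues"
FACTORY_SSIDS = {"linksys", "default", "netgear"}  # illustrative, not exhaustive

@dataclass
class AccessPoint:
    ssid: str
    encryption: str               # e.g. "none", "wep", "wpa2"
    auth: str                     # e.g. "open", "psk", "leap", "802.1x-eap"
    broadcast_ssid: bool
    default_admin_password: bool
    tx_power_pct: int             # configured transmit power, percent of maximum

def audit(ap, owner_terms, max_power_pct=100):
    """Return the findings for one access point, in checklist order."""
    findings = []
    ssid, enc, auth = ap.ssid.lower(), ap.encryption.lower(), ap.auth.lower()
    if ap.default_admin_password:
        findings.append("default-admin-password")
    if ap.tx_power_pct > max_power_pct:
        findings.append("tx-power-above-site-limit")
    if enc in WEAK_ENCRYPTION:
        findings.append("weak-encryption:" + enc)
    if auth in WEAK_AUTH:
        findings.append("weak-auth:" + auth)
    elif auth != "802.1x-eap":
        findings.append("no-802.1x")
    if ssid in FACTORY_SSIDS or any(t.lower() in ssid for t in owner_terms):
        findings.append("ssid-identifies-device-or-owner")
    if ap.broadcast_ssid:
        findings.append("ssid-broadcast-enabled")
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    AccessPoint("linksys", "none", "open", True, True, 100),
    AccessPoint("AcmeCorp-Floor3", "wep", "leap", True, False, 100),
    AccessPoint("ap-7f3a", "wpa2", "802.1x-eap", False, False, 50),
]

def audit_all(inventory, owner_terms, max_power_pct=100):
    """Map each SSID to its findings; an empty list means no finding."""
    return {ap.ssid: audit(ap, owner_terms, max_power_pct) for ap in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, ["acme"], 60).items():
        print(name, "->", findings or "ok")
```

The `max_power_pct` limit stands in for a site-survey result; the slides give no numeric power threshold.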
Wireless - Bluetooth
Bluetooth Overview
What is Bluetooth?
– Open specification to enable short-range, low power, low cost inter-device communication - to untether cabled devices
Originally started in 1994 by Ericsson
Bluetooth Special Interest Group (SIG)
– Formed in 1998
– 3Com, Ericsson, IBM, Intel, Lucent, Microsoft, Motorola, Nokia and Toshiba
• Consumer: http://www.bluetooth.com
• Technical: http://www.bluetooth.org
Bluetooth Overview
Frequency range is international (ISM band)
Range:
– Class 1 – 100m (330ft)
– Class 2 – 10m (33ft)
– Class 3 – 1m (3ft)
Operating frequency – 2.4 GHz
Maximum transfer rate: 2Mb
Bluetooth - Architecture
Bluetooth Piconet Model
– Bluetooth devices form an ad-hoc network called a piconet
[Figure: piconet with one master and four slaves]
Wireless - Bluetooth
Attack/Defense
Wireless – Bluetooth
Attack:
– Signal propagation
Defense:
– Turn off devices/Bluetooth when not in use or if it's not needed
– Use correct class of Bluetooth device for task
– Think in three dimensions!
Wireless – Bluetooth
Attack:
– Sniffing
• hcidump
Defense:
– Turn off Bluetooth if it's not needed
– Encryption
• Use the highest level of encryption available
Wireless - Bluetooth
Attack:
– Bluejacking
• Sending messages to other devices by placing the message in the name field
Defense:
– Disable Bluetooth
– Do not advertise your Bluetooth device
Wireless - Bluetooth
Attack:
– Bluesnarfing
• Making copies of data on an open Bluetooth device
– Phonebook, calendar, and anything else that the vendor has allowed the user to share via Bluetooth
• Hacking tools exist to aid in Bluesnarfing
Defense:
– Disable Bluetooth
– Do not advertise your Bluetooth device
– Secure Bluetooth to require PIN to access information
Wireless – Bluetooth
Attack:
– Bluebugging
• Uses basic AT commands to read/write data
• Tool: Blooover - trifinite.org
Defense:
– Ensure device is using latest firmware/operating system
– Disable Bluetooth
Wireless - Bluetooth
Attack:
– Denial of Service (DoS)
• Tool: Bluesmack - trifinite.org
Defense:
– Disable Bluetooth
Wireless - Bluetooth
Source: http://www.thebunker.net/security/bluetooth.htm
Questions
Resources
Books
– Hacking Exposed
• ISBN: 0072260815
– Wi-Foo: The Secrets of Wireless Hacking
• ISBN: 0321292171
Resources
Web:
– Airsnarf - airsnarf.shmoo.com
– Anwrap – www.securiteam.com
– Blooover - trifinite.org
– Bluetooth (Consumers) - www.bluetooth.com
– Bluetooth (Technical) – www.bluetooth.org
– BluejackHQ - www.bluejackq.com
– CWNP – www.cwnp.com
– DWEPCrack – www.dachb0den.com
– Kismet - www.kismetwireless.net
– Marcel Holtmann - www.holtmann.org
– NetStumbler - www.netstumbler.com
– Void11 – www.wlsec.net/void11
– WEPCrack - wepcrack.sourceforge.net
Erik Graham, CISSP-ISSAP