Wireless Insecurity
Utz Roedig, University College Cork, Ireland, [email protected]
Knowledge Business Centre
Overview
Introduction
Using wireless networks
  Application scenarios
  Basic functionality and security mechanisms
Attacking wireless networks
  Targets and goals
  Methods and examples
How to protect wireless networks
  Basics: WEP, MAC filter, …
  Network separation and security policy
Summary
Introduction
Why use wireless networks?
  Give users some flexibility and freedom
  Reduce network cost
Available solutions
  Wi-Fi (IEEE 802.11)
  HomeRF, Bluetooth, …
Terminology
WLAN
  Wireless Local Area Network
Wi-Fi
  Catchier than 'IEEE 802.11b direct sequence'
  A marketing name for products based on 802.11
802.11
  Specification of PHY and MAC layer
  a/g/n: different modulations and data rates
WEP
  Wired Equivalent Privacy (Ha!, we will see)
WPA
  Wi-Fi Protected Access (WPA and WPA2)
Application Scenario
Standard company network
  Servers: data and services
  Workstations: laptop, pc, (pda)
  Router: internet connection
Application Scenario
Wireless company network
  Servers: data and services
  Workstations: laptop, pc, (pda)
  Router: internet connection, wireless network connection
Application Scenario
Wireless company network insecurity
  Servers: data and services
  Workstations: laptop, pc, (pda)
  Router: internet connection, wireless network connection
802.11 - Basics
Physical layer (PHY)
  Defines coding and modulation
  Operates in the 2.4 - 2.8 GHz band
Medium Access Control layer (MAC)
  Organizes access to the shared medium
  Uses carrier sense multiple access with collision avoidance
All nodes in the vicinity have to participate in PHY/MAC
  Denial of service (DoS) is very simple!
    PHY: signal jamming
    MAC: misbehaving node
802.11 - MAC
Problem scope
  If everyone talks at the same time, I cannot understand you
  A protocol is needed to organize who is talking when
Predefinition
  Everyone talks using packets
  Everyone uses a number (MAC address) so we know who is talking
Packet transmission (logical)
  A node first listens to ensure no other node is transmitting
  If the channel is clear, the node transmits the packet
  Otherwise, the node chooses a random back-off time and tries again
Packet transmission (technical, RTS/CTS mechanism)
  Snd: ready-to-send (RTS)
  Rcv: clear-to-send (CTS)
  Snd: data transmission (DATA)
  Rcv: acknowledgement (ACK)
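The listen / transmit / random back-off rule above only shares the medium fairly while every station follows it, which is why the per-station airtime share is worth monitoring. The following simulation is an added example, not part of the original slides; the slotted model, the fixed contention window and all names in it are simplifying assumptions.

```python
import random

def simulate(windows, slots=20000, seed=7):
    """Slotted model of the listen / transmit / random back-off rule.

    windows[i] is station i's contention window: after each transmission it
    waits a random number of idle slots drawn from range(windows[i]).
    A window of 1 models a station that never backs off (assumption).
    Returns (frames delivered per station, number of collisions).
    """
    rng = random.Random(seed)
    backoff = [rng.randrange(w) for w in windows]
    delivered = [0] * len(windows)
    collisions = 0
    for _ in range(slots):
        senders = [i for i, b in enumerate(backoff) if b == 0]
        if len(senders) == 1:
            delivered[senders[0]] += 1          # exactly one talker: success
        elif len(senders) > 1:
            collisions += 1                     # several talkers: frames lost
        for i, w in enumerate(windows):
            if i in senders:
                backoff[i] = rng.randrange(w)   # sent: draw a new back-off
            elif not senders:
                backoff[i] -= 1                 # idle slot: count down
            # busy slot: carrier sensed, counter stays frozen
    return delivered, collisions

def airtime_share(delivered):
    """Fraction of delivered frames per station, the figure a monitor watches."""
    total = sum(delivered) or 1
    return [round(d / total, 3) for d in delivered]

def report():
    fair, _ = simulate([16, 16, 16])
    unfair, _ = simulate([1, 16, 16])    # station 0 ignores the back-off rule
    return airtime_share(fair), airtime_share(unfair)

if __name__ == "__main__":
    fair, unfair = report()
    print("all stations cooperate   :", fair)
    print("station 0 never backs off:", unfair)
```

With three cooperating stations each gets roughly a third of the delivered frames; once one station stops backing off, the others sense a permanently busy channel and deliver nothing.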
Hardware and Operation
Wireless network card
  Provides access to the 802.11 network
Access point
  Provides bridge functionality
    Between 802.11 and the fixed network
  Provides additional functionality
    Security: Firewall, Network Address Translation (NAT), …
    Network: DHCP, DNS, WWW cache, …
Mode of operation
  Infrastructure mode
    All traffic passes through the access points
  Ad-hoc mode
    All computers talk directly to each other
Network Structure
Basic Service Set (BSS)
  Stations form a BSS
Distribution System (DS)
  A DS interconnects the BSSs
Extended Service Set (ESS)
  BSSs together form an ESS
Handover requirements
  Station type
    Mobile
    Portable
  Roaming type
    Within ESS: PHY/MAC handover
    Between different ESS: PHY/MAC and network layer handover
802.11 - Security
WEP: Wired Equivalent Privacy
  One key is shared among all users
  Payload is transmitted encrypted
  Content is secured, not the communication itself!
WPA: Wi-Fi Protected Access
  Each user can be separately authenticated
  Session keys are derived/negotiated and periodically changed
  Payload is transmitted encrypted
WPA-2: Wi-Fi Protected Access version 2
  Similar to WPA, updated cryptographic methods
Attacker - Goals
Denial of Service (DoS)
  Deny the use of the wireless network
  Deny the use of the complete company network
  Deny the use of services
Unauthorized infrastructure use
  Use of the internet access
  Use of services (e.g. WWW)
Information theft
  Access file servers
  Access database servers
What now?
Attacker - Steps
Step 1 (PHY)
  Laptop with WLAN card
  Get close enough (e.g. next door, car park, …)
  Get WLAN access
    Modulation, channel, …
    ESS ID
Step 2 (MAC)
  Join the (wireless) network
  Bypass MAC filters, … if necessary
  Bypass WEP if necessary
Step 3 (Network, Services)
  Attack the services as usual
Attacker - Step 1
Selection of modulation, channel, …
  Handled by the NIC
Case I: Unprotected (out-of-the-box)
  Attacker selects the company network
    Selection by ESS ID
  Attacker joins the network
Case II: Hidden ESS ID
  Attacker uses a scanner (e.g. aireplay)
  Attacker obtains the ESS ID
  Now it is Case I
Attacker - Step 2
Case I: MAC filter in place
  Attacker starts a program scanning the air for a while (e.g. kismet)
  Attacker changes his MAC into an accepted MAC (e.g. ifconfig)
  Attacker joins the network
Case II: WEP security in place
  Attacker uses a scanner (e.g. kismet)
  After ESS ID and channel are known, packets are captured (e.g. airodump)
    For a 64-bit WEP key: between about 50000 and 20000 packets
    For 128 bits: between 200000 and 700000
  Crack the key (e.g. aircrack)
  Attacker joins the network
Attacker - Step 2
Case III: WPA-PSK security in place
  Force an authentication handshake (e.g. aireplay)
  Collect the handshake packets (e.g. airodump)
  Dictionary brute force (e.g. aircrack)
  Attacker joins the network
Possible problems
  No traffic
  WPA using RADIUS
  Additional security mechanisms (Firewall, Proxy, …)
Attacker - Step 3
The attacker is now in the network
  Virtually sitting with his laptop at your desk!
  What will he do?
Using your bandwidth and ID to access the Internet
  Possible lawsuit (download or offer illegal content)
  Possible cost (if charged per MB)
  …
Using your servers
  Free storage space (with backup!)
  Free web servers
  Free …
Stealing your data/information!
DoS (maybe by accident)
Defender - Goals & Steps
Keep the attacker out!
Step 1: Secure the wireless network (if possible!)
Step 2: Secure the core network
  In case the attacker somehow gets into the wireless network
Step 3: Define rules of operation
  Logging, monitoring, key management, emergency plans, …
What now?
Defender - Step 1
Even if security mechanisms are flawed, use them!
  Most hackers/attackers will choose the easy victim
  Use several layers of protection
Useful security mechanisms
  Use WPA with RADIUS if possible
  If WEP/WPA-PSK is used, change keys frequently
  Use MAC filtering
Summary
  The wireless network cannot be secured!
  Steps 2 and 3 are needed if a wireless network is used!
Defender - Step 2
Separate the wireless network from the core network
  Use a firewall between wireless and core network
    Might be integrated in the base-station
    Might offer user authentication
  Restrict services available from the wireless network
    Do people have to mount the fileserver from the laptop?
    Is it necessary to have Internet access from the laptop?
Use higher layer security/encryption
  Create a VPN (PPTP, L2TP)
  IPSec
  Only access services securely
    Terminal: telnet -> ssh
    Mail: POP -> IMAP (or Webmail with HTTPS)
    …
Defender - Step 3
Logging
  Activity in the network should be recorded
  Records might be needed to detect an attacker
  (Records might be needed for forensic analysis)
Monitoring
  Someone should look periodically at the records!
Maintenance
  Security needs maintenance!
  Periodic update of keys
  Add/Delete users, MAC addresses, update firewall rules, …
Emergency plans
  What will we do if we detect an attacker?
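One way to make the logging and monitoring step concrete, as an added example that is not part of the original slides: a scan of access-point records for two traces of the Step 2 attacks, namely an accepted MAC address suddenly heard at a very different signal strength (a second radio using it) and a burst of deauthentications against one station (a forced handshake). The log format, the thresholds and all names are assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records in a hypothetical access-point log format:
# <ISO time> <ap> <event> <station MAC> rssi=<dBm>
SAMPLE_LOG = """\
2024-05-06T09:00:00 ap1 data 02:00:00:00:00:01 rssi=-45
2024-05-06T09:00:01 ap1 data 02:00:00:00:00:02 rssi=-60
2024-05-06T09:00:02 ap1 data 02:00:00:00:00:01 rssi=-82
2024-05-06T09:00:03 ap1 data 02:00:00:00:00:01 rssi=-46
2024-05-06T09:05:00 ap1 deauth 02:00:00:00:00:02 rssi=-61
2024-05-06T09:05:01 ap1 deauth 02:00:00:00:00:02 rssi=-61
2024-05-06T09:05:02 ap1 deauth 02:00:00:00:00:02 rssi=-60
2024-05-06T09:05:03 ap1 deauth 02:00:00:00:00:02 rssi=-62
2024-05-06T09:05:04 ap1 auth 02:00:00:00:00:02 rssi=-60
2024-05-06T11:00:00 ap1 deauth 02:00:00:00:00:01 rssi=-45
"""
LINE = re.compile(r"(\S+) (\S+) (\w+) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) rssi=(-?\d+)$")

def parse(text):
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines that do not fit the format are skipped
            t, ap, event, mac, rssi = m.groups()
            yield datetime.fromisoformat(t), ap, event, mac, int(rssi)

def find_alerts(text, rssi_jump=25, jump_secs=5, deauth_limit=3, deauth_secs=10):
    """Return (kind, mac, time) tuples; all thresholds are illustrative."""
    alerts = []
    last_seen = {}                  # (ap, mac) -> (time, rssi) of previous record
    deauths = defaultdict(deque)    # mac -> times of recent deauth records
    for t, ap, event, mac, rssi in parse(text):
        prev = last_seen.get((ap, mac))
        if prev:
            dt = (t - prev[0]).total_seconds()
            if dt <= jump_secs and abs(rssi - prev[1]) >= rssi_jump:
                alerts.append(("possible-mac-clone", mac, t.isoformat()))
        last_seen[(ap, mac)] = (t, rssi)
        if event == "deauth":
            recent = deauths[mac]
            recent.append(t)
            while (t - recent[0]).total_seconds() > deauth_secs:
                recent.popleft()
            if len(recent) == deauth_limit:   # alert once, when the limit is reached
                alerts.append(("deauth-burst", mac, t.isoformat()))
    return alerts
```

Both checks are heuristics: a station that moves quickly can also trigger the signal-strength rule, so an alert is a reason to look at the records, not proof of an intruder.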
Summary
Covered topics
  Basic functionality and application scenarios
  Attacking wireless networks
  Securing wireless networks
Conclusions
  Setting up a wireless network is simple
  Setting up a secure wireless network is somewhat complicated!
  Do you really need a wireless network?