Transcript of the PowerPoint presentation “Wireless Security – How Secure is it Really?” by Brad “RenderMan” Haines, RenderLab.net & Church of Wifi.

Page 1: Wireless Security – How Secure is it Really?

Wireless Security – How Secure is it Really?

Brad “RenderMan” Haines

RenderLab.net & Church of Wifi

[email protected]

Page 2

Introduction

• Who am I?
• Why am I here?
• Why are you here?
• Scope of this talk
• Why you should stay awake

Page 3

Caveats

“It is not the goal of this presentation to tell you not to use wireless networks, but make you aware of the risk so you can make informed decisions about your usage of wireless technology and do everything possible to protect your organization's network infrastructure, data and integrity of its client computers” - Paul Asadoorian

Page 4

Why are you here?

• 10/2003: Lowe's
  – Botbyl and Timmins access an unencrypted, unauthenticated wireless LAN in Southfield, Michigan
  – Obtain access to internal servers across 7 US states
  – Crash PoS system while planting CC sniffing software
  – Apprehended by FBI, both plead guilty to charges
• 3/2004: BJ's
  – Wholesale merchant reports that a "small fraction" of its 8 million customers may have had CC#'s stolen
  – FTC asserts charges against BJ's for unencrypted wireless networks, default usernames/passwords and insufficient monitoring
  – BJ's settles, recording $10M in legal costs, agrees to thorough external audits every other year for 2 decades

Page 5

Why are you here?

• 6/2005: GE Money
  – Branch in Finland reports €200,000 stolen
  – Investigators traced attack to unprotected consumer WLAN
  – Initial investigation against owner revealed suspect not guilty, unprotected WLAN used to hide tracks
  – Further investigation reveals GE Money data security manager and accomplices stole account information

Page 6

Why are you here?

• 1/2007: TJX
  – Marshalls department store in St. Paul, Minnesota: WEP-protected WLAN compromised
  – Estimates between 45.7 million and 200 million payment card numbers revealed
  – 451,000 driver's licenses and SS#'s also compromised
  – Forrester Research estimates the cost of the breach could surpass 1 billion dollars in 5 years

Page 7

802.11 Technology and Vulnerabilities Timelines (timeline slide, 1999 to 2009; milestones listed below in the order they appear on the slide)

Technology:
• PHY/MAC, 802.11a, 802.11b, EAP/TLS, EAP-MD5
• Regulatory Domain Extensions
• QoS
• 802.11g, Europe 5 GHz, WPA
• 802.11i, WPA2, Japan 5 GHz, EAP-FAST
• Radio Resource Mgmt, Fast Roaming, early mesh deployments
• MIMO, WAVE, Mesh, External Internetwork, Mgmt. Frame Protection
• Performance, Net. Mgmt, 3.65 GHz

Vulnerabilities:
• Early wardriving, early WEP attacks
• Windows wardriving tools, growing attack tool sophistication
• Hotspot impersonation, LEAP exposed
• Sophisticated WEP attack tools, attacks against WPA-PSK, PHY jamming tools commodity
• Hotspot manipulation, QoS attacks, WIDS fingerprinting
• PEAP, TTLS, LEAP
• WIDS evasion, client attacks gaining popularity, fuzzing
• Metasploit for Wireless, critical client driver vulns
• AP Fuzzing? RADIUS Fuzzing? 802.11 VA Tools? Attacks Against TKIP?

Page 8

802.11 Technology and Vulnerabilities Timelines (timeline slide repeated from Page 7)

• Most public attacks against unprotected networks
• WEP attacks effective 6+ years after critical flaws announced
• Emerging attacks of today not solved with standards

(Timeline annotated with the Lowe's, BJ's, GE Money and TJX incidents)

Page 9

Where it all started

• 802.11b - Released October 1999
• 2.4 GHz, 11 Mbit (4.5 nominal)
• Popularity exploded with Apple Airport
• Quickly took off and integrated into everything
• 40 bit (later 64, 128 bit) WEP, MAC filtering
• 13 channels in Europe (11 North America)
• WPA added later

Page 10

Where it went from there

• 802.11a - Released October 1999
• 5 GHz, 54 Mbit (~20 nominal)
• Shorter range, less penetration
• Not backwards compatible with 802.11b
• 12 channels
• More restrictions on use
• 40 bit (later 64, 128 bit) WEP, MAC filtering
• WPA added later

Page 11

Where it went from there

• 802.11g - Released October 2003
• 2.4 GHz, 54 Mbit (19 nominal)
• Quickly integrated into new devices
• Backwards compatible with 802.11b
• 13 channels (11 North America)
• WPA (Wi-Fi Protected Access) + WEP

Page 12

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 13

Where it all started to go wrong

• 802.11 broadcast beacons
• Wardriving hit big after Defcon 9 (2001)
• Shipped default open, anyone can connect
• Wardriving community grew exponentially
• Apple Airport ramped up sales and usage

Page 14

Wardriving

• “The benign act of detecting wireless networks while in motion” - Blackwave
• Wireless networks are radios, every card is a capable receiver
• Network information is broadcast with each packet
  – Network name, encryption status, associated clients all detectable
• Add GPS for making cool maps
• Wigle.net – 12,000,000+ nets with location (Oct 2007)

Page 15

Wireless is everywhere

• $30 for an AP at a computer shop
• Most laptops come with WiFi built in
• Personally discovered ~175,000 devices (~100,000 in Edmonton and area)
• #17 on wigle.net (soon to be 16)
• Hotels, airports, conferences, coffee shops, restaurants, etc...
• Can all be detected and catalogued

Page 16

It's Everywhere!

Page 17

Wardriving

• The presence of networks no longer secret
• Many people ignorant of the issue
• Wardriving brought the issue to the forefront w/ pretty maps
• Worldwide Wardrive brought it to the media (and CSIS, the Canadian CIA)
• Not a huge issue
• Cloaking does nothing to help, it's a radio!

Page 18

Where it all started to go wrong

• MAC addresses can be observed without connecting
• Changing your own MAC address is easy
• Simple program to change it in Windows
• Only useful in keeping authorized users from connecting unauthorized things
• Not a security measure

Page 19

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 20

Kismet

• De facto free site survey tool
• Listens to all 802.11x traffic (monitor mode)
• Detects 'cloaked' networks
• Can include GPS for maps
• Remote drone sniffers for distributed monitoring
• Kismet-Newcore promises more features
• Linux native, some Windows support (Kiswin, airpcap)
• Should be in every wireless toolkit

Page 21

Kismet

Page 22

Netstumbler

• Windows based
• 'Active' scanner
• GPS capability
• Signal to noise graph
• Useful for quick surveys, antenna alignment, etc

Page 23

Netstumbler

Page 24

Netstumbler

Page 25

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 26

Hotspot Impersonation

• Hot spots gain popularity
• Cafés, airports, hotels, etc
• No discrimination of identical SSIDs
• 'Drift' or 'Coax' to other networks
• Man in the middle attacks, credential snarfing, etc
• Airsnarf, etc

Page 27

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 28

WEP – What were they thinking?

• Based on RC4 (weak), 40 bit
  – Export restrictions
• Limited computing power onboard
• 64-128 bit added later after export laws relaxed
• No standard key generation specified
  – incompatibilities between brands
• Many tried, a lot failed open
• Who wants to type out a 64 char HEX key?

Page 29

WEP cracking

• Goal is to collect enough IVs to be able to crack the key
  – IV = Initialization Vector, plain text appended to the key to avoid repetition
• Airsnort – 5-10 million packets
• Injecting packets to generate more IVs (faster)
• Aircrack analyses the packets and gives you a key
• Needed 100K to 1M packets in early version (10 min)
• Aircrack-PTW – Need only 40-100K (~60 seconds)

Page 30

Aircrack

Page 31

Jamming / Interference

• Physics are harsh
• Introduce more noise than signal
• Microwave oven, cordless phone, baby monitor or other sources
• Accidental or intentional
• Spectrum analyzer

Page 32

Wavebubble

Page 33

WPA

• WPA fixes many WEP flaws
• Based on early 802.11i draft - Stop-gap
• 256 bit key – Still RC4
• Pre-shared key or Enterprise 802.1X
• Standard key generation – PBKDF2
• Key salted with SSID
• TKIP, MIC (Michael)
• Sequence enforcement

Page 34

Standards are hard - WPA

• WPA – Do more on old hardware
• Feared mass obsolescence
• Backwards compatibility
• Needed soon
• Not perfect, got the job done
• Fixed a lot of WEP problems, weaknesses

Page 35

WPA2

• Mandatory elements of 802.11i
• Uses AES (CCMP) instead of RC4
• Supports PSK and 802.1X mode
• Very interoperable
• De facto standard for wireless

Page 36

The Devil is in the Details

• WPA not without problems
• People choose weak passphrases
• Susceptible to brute force attack
• “A key generated from a pass-phrase of less than about 20 characters is unlikely to deter attack” - 802.11i spec
• Cowpatty, Aircrack

Page 37

Cracking WPA

• Capture WPA 4-way handshake
• Hash dictionary word with PBKDF2 and compare output to capture
• SSID salted into key
• CPU intensive
• Early programs had to start over each time

Page 38

Cracking WPA Faster

• coWPAtty, genpmk and CoWF WPA tables
• Pre-hash 1.2 million words against top 1000 SSIDs = 48 gig of WPA cracking torrent goodness
• Time / memory trade off - calculate once, crack many
• Cracks WPA v1 and v2
• Drastically faster checking onsite
• Available after the talk and throughout the con
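Added example, not from the slides and not the coWPAtty or genpmk code: the 802.11i PSK-to-PMK derivation that Pages 33, 37 and 38 describe (PBKDF2, SSID as salt), plus a precomputed-table lookup that shows why a table is only good for the one SSID it was built for, which is why a non-default SSID and a long passphrase are the defense. The word list, SSIDs and "linksys" stand-in are constructed; the known-answer vector in the test is from the 802.11i specification.

```python
import hashlib

# 802.11i WPA/WPA2-PSK key derivation (the slides' "PBKDF2, key salted with SSID"):
#   PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 256-bit output)
PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key as 802.11i specifies."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN_BYTES)


def build_pmk_table(wordlist, ssid):
    """Precompute PMK -> word for ONE SSID (the genpmk / CoWF-table time/memory trade-off).
    Each entry costs 4096 HMAC-SHA1 rounds; that is the work a table front-loads."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def covered_by_table(table, passphrase, ssid):
    """Audit check: the dictionary word a table would match for this SSID/passphrase pair,
    or None. A table built for a different SSID never matches, because the SSID is the salt."""
    return table.get(derive_pmk(passphrase, ssid))


# Constructed word list (not real data); "linksys" stands in for a common default SSID.
CONSTRUCTED_WORDS = ["password", "letmein1", "football", "wireless"]

if __name__ == "__main__":
    table = build_pmk_table(CONSTRUCTED_WORDS, "linksys")
    print(covered_by_table(table, "password", "linksys"))        # password
    print(covered_by_table(table, "password", "linksys-7f3a"))   # None: different salt
```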

Page 39

coWPAtty

Page 40

The Devil is in the details

• Michael countermeasures
• 2 bad checks = Radio turns off
• Defense against injection and manipulation
• Several layers deep, should not normally trip
• “If a non-AP STA receives a deauthenticate frame with the reason code “MIC failure,” it cannot be certain that the frame has not been forged, as it does not contain a MIC. The STA may attempt association with this, or another, AP” - 802.11i spec

Page 41

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 42

Abusing Michael

• Sequence enforcement and encryption need to be successful before the MIC is checked
• MIC taken of data + header + sequence #
• Wireless multimedia specifications (QoS)
• Separate counters for different QoS bits
• MIC covers QoS bits, which are not encrypted.....

Page 43

Abusing Michael

(Diagram: frame fields Data | Sequence | QoS bit; WPA encryption covers Data and Sequence, the MIC checksum covers Data, Sequence and the QoS bit)

Page 44

Abusing Michael

• Capture high priority packet
• Flip QoS bits
• Retransmit to other counter
• Sequence enforcement is maintained
• Encrypted data decrypts successfully
• MIC check fails from flipped QoS bits
• 2 errors in 60 seconds = DoS condition
• Clients continue to try and connect
• Not in the wild, but soon...
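Added example, not part of the original slides: a monitor that applies the 802.11i countermeasure rule from Pages 40 and 44 (a second Michael MIC failure within 60 seconds trips countermeasures) to an event stream, so a WIDS can tell a single spurious failure from a burst that will take the radio down, and that separately flags deauthentication frames carrying the MIC-failure reason code, which the spec quote on Page 40 says cannot be authenticated. The event format, MAC addresses and timestamps are constructed; reason code 14 is the standard 802.11 value for MIC failure.

```python
from collections import deque

# 802.11i TKIP countermeasures: a second Michael MIC failure within 60 s of the first
# makes the AP drop every TKIP association and refuse new ones for 60 s. A handful of
# frames with a flipped QoS priority is enough to trip it, so a burst of MIC-failure
# reports is an attack indicator for a WIDS, not background noise.
COUNTERMEASURE_WINDOW_S = 60.0
REASON_MIC_FAILURE = 14  # 802.11 reason code carried by the resulting deauth frame

# Constructed sample events (not real captures): (timestamp, bssid, event, detail).
# "mic_failure" = a STA's MIC-failure report to its AP; "deauth" = a deauth frame's reason code.
SAMPLE_EVENTS = [
    (100.0, "aa:bb:cc:00:00:01", "mic_failure", "sta=11:22:33:44:55:66"),
    (100.4, "aa:bb:cc:00:00:01", "mic_failure", "sta=11:22:33:44:55:77"),  # 2nd within 60 s
    (100.5, "aa:bb:cc:00:00:01", "deauth", REASON_MIC_FAILURE),
    (400.0, "aa:bb:cc:00:00:02", "mic_failure", "sta=11:22:33:44:55:88"),  # isolated
    (520.0, "aa:bb:cc:00:00:02", "mic_failure", "sta=11:22:33:44:55:88"),  # >60 s later
]


class MicFailureMonitor:
    """Track MIC-failure reports per BSS and flag when countermeasures would trip."""

    def __init__(self, window=COUNTERMEASURE_WINDOW_S):
        self.window = window
        self.failures = {}   # bssid -> deque of failure timestamps inside the window
        self.alerts = []     # (timestamp, bssid, alert_type, detail)

    def _trim(self, dq, now):
        # Drop failures older than the countermeasure window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts, bssid, event, detail):
        if event == "mic_failure":
            dq = self.failures.setdefault(bssid, deque())
            self._trim(dq, ts)
            dq.append(ts)
            if len(dq) >= 2:
                self.alerts.append((ts, bssid, "countermeasures_tripped",
                                    f"{len(dq)} MIC failures within {self.window:.0f}s"))
        elif event == "deauth" and detail == REASON_MIC_FAILURE:
            # A deauth with reason 'MIC failure' carries no MIC of its own, so it may be forged:
            # cross-check it against the BSS's own failure log before acting on it.
            self.alerts.append((ts, bssid, "unauthenticated_mic_failure_deauth",
                                "reason code 14 seen; frame is not integrity-protected"))


def analyse(events):
    """Run the monitor over an event list and return the alerts it raised."""
    mon = MicFailureMonitor()
    for ev in events:
        mon.observe(*ev)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```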

Page 45

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 46

Client attacks

• Karma
• Cleartext traffic = easy manipulation
• Airpwn
• Management frames cleartext and unauthenticated
• Void11, deauth attacks
• Driver attacks

Page 47

Look Familiar?

Page 48

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 49

Driver Vulnerabilities

• 2006 - Johnny Cache & David Maynor fuzz and break many drivers
• Death threats from Apple fanboys
• Do not even need to be connected to a network
• Metasploit includes some driver exploits
• Point n' pwn

Page 50

Standards bodies

• IEEE/IETF do good work
• We can get on wirelessly at the office, conferences
• It could be a lot worse
• Involves lots of blood, sweat, travel and politics
• Problems can be solved

Page 51

802.11 Technology and Vulnerabilities Timeline (timeline slide repeated from Page 7)

Page 52

The Future?

• 802.11n will be 'interesting'
• 802.11w will solve some problems
• Message will continue to get out
• Hacker community will always be there to break things
• People will continue to be dumb

Page 53

Thanks

• Josh Wright
• Dragorn / Mike Kershaw
• Major Malfunction / Adam Laurie
• The Pauldotcom crew
• Wirelessdefense.org
• Deviant Ollam