Transcript No Slide Title

Security Issues in Wireless LANs
Dr. John A. Copeland
Communications Systems Center
Georgia Tech Electrical & Computer Engineering
www.csc.gatech.edu
[email protected]
ECE6612 - Slide Set 14
4/11/2011
Network Tunnels
Modems
Internet
VPNs
Wireless Hubs
2
Network Tunnels
http://www.telecommagazine.com/default.asp?journalid=3&func=articles&page=0203t11&year=2002&month=3
3
Network Tunnels
Anyone can convert their cube or office Ethernet
jack into a Wireless Hub for their Laptop
(and a public entry point into the Network)
QuickTime™ and a
decompressor
are needed to see this picture.
QuickTime™ and a
decompressor
are needed to see this picture.
IEEE 802.11g/n Wireless
USB Adapter - $ 33
Wireless AP with 5-Port
Ethernet Switch - $ 76
4
[ The Atlanta Journal-Constitution: 3/31/02 ]
Wireless systems are simple to hack
Terrorists could use techniques to attack airliners
By DON PLUMMER
Atlanta Journal-Constitution Staff Writer
(Bill Corbitt) sits in his car in the short-term
parking lot at an airport eating a sandwich, a Pringles can
balanced on the dashboard.
After Corbitt left Hartsfield Airport, he located
more than 100 wireless networks in an hour of
driving around Atlanta. He did not actually break
into any of them but later demonstrated how he
could by intercepting signals from several
wireless systems in use at The Atlanta JournalConstitution.
"Some of these people are even transmitting
their names and the exact locations of the
wireless portals,” Corbitt said, pointing out the
identifiers as they appeared on the screen of his
laptop. Of the 120 wireless systems located,
only 32 had activated the encryption protection
included with the wireless software.
Bill Corbitt, Bulwarkz Defensive Solutions
http://www.accessatlanta.com/ajc/news/0302/31wireless.html
5
“Network Stumbler” - shows 802.11 Networks
WEP
ON
No
No
Screen of laptop with Wireless LAN card
“AiroPeek” maps out who’s talking to who
7
Data sniffed
off the air
from nonWEP session.
8
AirSnort - a tool for Cracking WEP Messages
AirSnort is a wireless LAN (WLAN) tool which recovers encryption
keys. AirSnort operates by passively monitoring transmissions,
computing the encryption key when enough packets have been
gathered.
802.11b, using the Wired Equivalent Protocol (WEP), is crippled
with numerous security flaws. Most damning of these is the
weakness described in " Weaknesses in the Key Scheduling
Algorithm of RC4 " by Scott Fluhrer, Itsik Mantin and Adi Shamir.
Adam Stubblefield was the first to implement this attack, but he
has not made his software public. AirSnort, along with WEPCrack,
which was released about the same time as AirSnort, are the first
publicly available implementations of this attack.
AirSnort requires approximately 5-10 million encrypted packets to
be gathered. Once enough packets have been gathered, AirSnort
can guess the encryption password in under a second.
http://airsnort.sourceforge.net
9
How Does “Wired Equivalent Protocol (WEP) Work”
What’s wrong with it?
10
Wired Equivalent Protocol
V, Key
V varies, but V
is sent in the
clear. Frames
with the same
V will have the
same
"Keystream"
“The Insecurity of 802.11, an analysis of the Wired Equivalent Privacy
protocol”, Black Hat Briefings, 11 July, 2001, Ian Goldberg, ZeroKnowledge Systems, [email protected] with Nikita Borisov and
David Wagner, UC Berkeley).
http://www.cypherpunks.ca/bh2001/index.html
11
The One-Time Pad
The most secure encryption technique is a “One-Time Pad,” if
the Pad is truly random (in WEP it is not).
WEP uses the RC4 encryption algorithm (with a 40 or 112 bit key) to
generate a stream of random looking bits, Pi. These are XORed with
the message bits, Mi, to produce the cyphertext bits, Ci
Ci = Mi (+) Pi
The receiver has the same key, and can generate a duplicate “pad”, Pi,
and recover the original plaintext message, Mi.
Ci (+) Pi = Mi (+) Pi (+) Pi = Mi
since Pi (+) Pi = 0 and Mi (+) 0 = Mi
12
“Two-Time” Pad Problem
The least secure encryption technique is a “One-Time Pad” used twice (or repeatedly).
Consider two intercepted messages (C and D are encrypted M
and N) encrypted with the same pad:
C = M (+) P
and D = N (+) P
The cracker can XOR these together to get M (+) N:
C (+) D = M (+) P (+) N (+) P = M (+) N
Whenever a byte in M (+) N is zero, M & N have the same byte.
One of six bytes in English text is “space”. so one in 36 bytes in
M+N is zero because both text strings have spaces there. Given
several thousand characters of M+N, the messages can be
deciphered.
Then the key sequence can be found:
P = N (+) D.
13
“Two-Time” Pad Problem
The pad, or keystream, for WEP is RC4(v,k) which depends only on v
and k. “k” is a shared secret that changes rarely, if ever (in most
systems (like GTwireless) every user uses the same value of k). So
the keystream depends only on the 24-bit value of v.
Since v is transmitted in the clear, the Cracker collects messages
until he has two with the same value of v, then he is “in.”
There are 2^24 = 16 million different values of v, but because of the
“Birthday Effect,” he is likely to have two that match after collecting
only about 6,000 messages.
Number of different pairs = 6000 x 5999 / 2 = 18 million
Even worse, Goldberg reports that all the 802.11 cards observed
reset their random number generator for v each time they are
activated, meaning they reuse the same sequence of v values
(2002).
14
Defense
These help WEP, but are not totally dependable:
Use the 112-bit key mode, rather than no key or 40-bit
key.
Use an access list of MAC (Ethernet) addresses at the
hub.
Use a new hub that has WPA (22+ random-character
passphrase), or IEEE 802.11i, and only network cards
that are fully compatible.
15
Wi-Fi Protected Access
(WPA upgrades WEP)
IEEE 802.1x authentication is required.
TKIP encryption in WPA-Personal has unique unicast key (weak)
8-bit “Michael” Message Integrity Check (MIC)
Frame counter prevents replay attacks
AES was optional (pre 2011). Some card CPU’s can not manage.
Can support older WEP cards (but no dynamic keys)
802.11 Beacon Frames contain a WEP info element.
WPA has been supported by Windows XP and Apple OSX (2006).
Gtwireless started offering a WPA2 network in 2010 (PEAP, MSCHAPv2).
16
WPA vs. WEP
1. Minimum key length increased from 40 to 256 bits
(four keys made from 8 to 63 character passcode).
2. IV (Initial Vector) length was doubled.
3. IV resequencing enforced.
4. Key rotation embedded automatically.
5. Mutual authentication required.
6. MIC to prevent packet tampering.
Attack code("coWEPtty") can crack passcode "abc123abc123" in
less than a minute.* Longer (>22 characters) and more
random codes are reasonable secure.**
*H. Berghel, J. Uecker, WiFi Attack Vectors", Comm. ACM, pp 2128, Aug. 2005.
** R. Moskowitz, http://wifinetnews.com/archives/002452.html
17
WPA2 (IEEE 802.11i)
WPA2 implements the mandatory elements of 802.11i
(a, b, g and n define bit rates, operating frequency, ...)
It introduces a new AES-based algorithm, CCMP, that is
considered fully secure. RC4 is no longer allowed.
After March 13, 2006, WPA2 certification is mandatory for all
new devices wishing to be "WiFi" certified.
But if compatibility with older WiFi interfaces is necessary,
WPA2, or even WPA, can not be turned on. That's why
GTwireless is still available (can be sniffed with Wireshark).
"WiFi Protected Setup" (WPS, 2007-2012) should be
turned off. It may be on by default. An attacker can discover
the 7-digit PIN and thus the WPA/WPA2 pre-shared key in a
few hours.
Note: 7 digits is equivalent to (10/3)*7 = 23 bits
18
802.11x, EAP and LEAP
IEEE 802.11x defines a structure for authenticated layer-2
access to any IEEE 802 network (3rd party, CA or AS).
EAP (extensible authentication protocol) allows supplicant
(client) to exchange credentials with the AS (authentication
server).
LEAP (lightweight EAP) available on Cisco and some
Linksys access points. Most popular EAP, but flawed by use
of MS-CHAPv2 (NT hashing does not use salt). Attack code
"asleap" can discover LEAP passwords using an offline
dictionary attack.*
CHAP - Challenge Authentication Protocol - hashes a
challenge nonce with password and returns.
* H. Berghel, J. Uecker, "WiFi Attack Vectors", Comm. ACM, pp 21-28, Aug. 2005
19
Process
Application
Defense - Higher Level
Secure Protocols
Router
Buffers Packets that
need to be forwarded
(based on IP address).
Network
Layer (IP)
IPsec
802.11
Link Layer
802.11
Phys. Layer
WEP,WPA
Application
SSL,TLS
SSL,TLS
Transport
Layer
(TCP,UDP)
Process
Transport
Layer
(TCP,UDP)
Network
Layer (IP)
Network
Layer
802.11
Link Layer
Network
Layer
Ethernet
Data Link Layer
WEP,WPA
Ethernet
802.11
Phys. Layer
Phys. Layer
IPsec
Ethernet
Data-Link Layer
Ethernet
Phys. Layer
20
Defense - War Driving
Patrol the Premises Frequently
looking for Rogue Wireless Signals
Purchase only 802.11 Hubs and PC Cards that have the improved
Security standards, or flash memory and can be field upgraded.
Treat all wireless communication channels as "public." Use only
secure protocols: VPN, Radius, SSH, SSL, … .
21
Wireless Sub-Nets can Safely be part
of Corporate Networks - if Properly Isolated
IDS
Wireless Hub
Wireless Subnets should be treated
like attachments to the Internet,
isolated by Firewalls and Intrusion
Detection Systems
22
"Hot Spots" (e.g.Starbucks, airports)
They are dangerous because no encryption is
used.
Anything sent in plaintext is viewable by anyone
nearby, or across the street with a directional
antenna.
Plaintext protocols are: FTP, HTTP (HTML),
TELNET, and email without TLS (SNMP, POP,
IMAP).
Encrypted protocols are: HTTPS, SSH, SCP,
IPsec, and other VPNs, and email with TLS.
23
Firesheep - HTTP session hijacking
It's extremely common for Web sites to protect your password by encrypting
the initial login, but surprisingly uncommon for Web sites to encrypt
everything else. This leaves the cookie (and the user) vulnerable.
After installing the Firesheep extension you'll see a new sidebar. Connect to
any busy open WiFi network and click the big "Start Capturing" button.
Then wait. As soon as anyone on the network visits an insecure Web site
known to Firesheep, their name and photo will be displayed.
http://codebutler.com/firesheep
24
GTwireless
Uses 40-bit WEP and the key is an open secret
traffic is viewable.
- so all
IP addresses are assigned by DHCP (to a wireless MAC
address) and are blocked until authentication through an
HTTPS Web site. (March 2010 - GT requires MAC addresses
to be registered)
- but IP address - Mac/IP address pairs are viewable and
can be spoofed after a legitimate user goes off the network
(voluntarily or DoS'ed).
"Evil Twin" attacks are possible if the victim does not
notice the absence of the authentication step, or that the
authentication page is HTTP (rather than HTTPS).
25
Evil Twin Attack
Authentication
Server
--------------Router
GT Network
Geo. P. Burdell
Internet
Hacker’s
Authentication
Spoofer &
Man-in-Middle
ISP
Hacker can see all data, do a Man-in-the-Middle Attack