Wireless Hotspot Security and Client Attacks
Almerindo Graziano
[email protected]
www.silensec.com
The Information Security Professionals
The Menu :-)
• The WiFi Explosion
• Common misconceptions
• Wireless hotspot attacks
• Wireless Client Attacks
• Rogue Access Points
• WEP Insecurity
• WPA Security
• General recommendations
About Silensec
• IT Governance
  – ISO 27001 Implementation
  – Gap Analysis
  – Risk Management
• Penetration Testing
  – Web apps, Systems, Networks
• Security Training
  – BSI ISO 27001, BS25999
  – SANS Wireless Security, Hacking Techniques
Common Misconceptions
• We do not use/allow wireless networks
• Our network is secure
• We use firewalls
• We use VPN
• Nobody would attack us
Mobile Phones Explosion
• Over 100 mobile phone handsets with wi-fi capability (June 2007)
• 213 million Wi-Fi chipsets shipped worldwide in 2007 (32% growth)
• Dual-mode phones in 2008
  – 20% of the total chipset market by 2009
  – Bypass mobile operator
  – Skype mobile phones
Wifi in Everything!
• Digital Cameras
• Mobile TVs
• Presentation Projectors
• Stereos
• CCTV Cameras
• Swipe card systems
• Medical monitoring equipment
• Portable digital players
Wireless Networks are Everywhere
Terminology
• Station (STA)
  – Laptop, PDA, mobile phone
• Access Point (AP)
  – Connects STAs to the main network
• Infrastructure Mode
  – Most common (home and corporate)
• Ad-Hoc Mode
  – Connecting STAs without an AP
Terminology (2)
• WEP (Wired Equivalent Privacy)
  – WEP Key (64, 128, 256, 512 bits)
• WEP+
• Dynamic WEP
• WPA and WPA2 (Wireless Protected Access)
  – Passphrase (8-63 characters)
Wireless Hotspots
• Provide public access to the Internet through wireless networks
  – Public does NOT mean FREE
• Often located in airports, train stations, libraries, hotels, coffee bars
• Designed to be easy to use
  – Find the network
  – Click and connect
  – Authenticate and you are in!
Hotspot Example: T-Mobile
(screenshot callout: Secure Connection)
Hotspot Example: T-Mobile (2)
(screenshot callout: Enter Credentials)
Hotspot Security Risks
• Information disclosure
  – Most information is not encrypted and may be captured easily
  – Identity theft
  – Fraud and financial loss
• Compromise your computer
  – Expose personal info (contacts)
  – Catch a virus
• Back in the workplace
  – Expose even more personal info
  – Spread the virus
Wireless Isolation
• Commonly used by hotspots
• Most modern APs support it too
• Traffic between hotspot clients is not allowed
  – Protects hotspot clients from possible malicious clients
• And anyway you have your firewall..
• What about non-connected clients?
DEMO
Wireless Client Attacks
Windows Preferred Network List (PNL)
• Includes networks created by the user
• Networks are also added when we connect to a new network (hotspot)
• Connection can be automatic or manual
Windows Preferred Network List (PNL) (2)
• Will always connect to the networks higher on the list..
  – even if already connected to another network!
  – even if that network is more secure
• APs with stronger power are preferred
• User is not notified of the AP switch!
Dangerous Connections..
• Newly seen networks are added to the PNL
• If a new network is in range, Windows may connect to it
Rogue Access Points
• More powerful signal
• Karma-based
Power Rogue Access Point
• Windows wireless configuration
• AP chosen based on
  – position in the PNL
  – signal power
(diagram: two access points both advertising “tmobile”)
Power Rogue Access Points
DEMO
Client Attacks with Karma
• Powerful tool
• Responds to any probe request
• Comes with DHCP, DNS, Web server
• Exploits clients which broadcast SSIDs with no security...hotspots
Judicious Karma
Preferred Network List (PNL):
• CorpNet
• HomeNet
• Linksys
• tmobile
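An added detection example, not code from the original talk: it runs over a constructed set of simplified probe request/response records and flags an AP that answers probes for many different SSIDs (the Karma behaviour above; a "judicious" Karma answering only PNL names is still caught once it answers several), plus the stations whose directed probes leak their PNL. The record layout, MAC addresses and SSIDs are constructed; a real deployment would feed it frames from a monitor-mode capture.

```python
"""Spot Karma-style APs and PNL-leaking stations in 802.11 probe traffic.

Added example, not part of the original slides. A legitimate AP answers a
directed probe only for its own SSID; a Karma-style AP answers every probe,
so one BSSID replying to many different SSIDs is the signal we look for.
"""
from collections import defaultdict

# Constructed sample frames: (type, source MAC, destination MAC, SSID).
# Probe requests come from stations; probe responses come from APs.
FRAMES = [
    ("probe_req",  "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", "CorpNet"),
    ("probe_req",  "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", "HomeNet"),
    ("probe_req",  "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", "tmobile"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:01", "CorpNet"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:01", "HomeNet"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:01", "tmobile"),
    ("probe_req",  "00:11:22:33:44:02", "ff:ff:ff:ff:ff:ff", "Linksys"),
    ("probe_resp", "12:34:56:78:9a:bc", "00:11:22:33:44:02", "Linksys"),
]


def find_karma_aps(frames, min_ssids=3):
    """Return {bssid: sorted SSIDs} for APs answering >= min_ssids distinct SSIDs."""
    answered = defaultdict(set)
    for ftype, src, _dst, ssid in frames:
        if ftype == "probe_resp" and ssid:
            answered[src].add(ssid)
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}


def find_pnl_leaks(frames, min_ssids=2):
    """Return {station: sorted SSIDs} for stations probing for several named
    networks; each directed probe reveals one PNL entry, which is what Karma feeds on."""
    probed = defaultdict(set)
    for ftype, src, _dst, ssid in frames:
        if ftype == "probe_req" and ssid:
            probed[src].add(ssid)
    return {s: sorted(n) for s, n in probed.items() if len(n) >= min_ssids}


if __name__ == "__main__":
    print("Karma-like APs:", find_karma_aps(FRAMES))
    print("Stations leaking their PNL:", find_pnl_leaks(FRAMES))
```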
KARMA
DEMO
Wifizoo
• Gathers information passively
• No connection required
• Cookies
• Passwords from FTP, POP3 etc..
• ..and lots more
Wifizoo at Work..
DEMO
Wireless Hacking in the Skies..
• Just relax and enjoy the flight
• Watch a film on your laptop
• ...while you are being hacked...
• But don't you worry, there will be no interruption to your film entertainment
Parking Mode
• Found by Simple Nomad
• If DHCP fails to provide an IP address, interfaces with Link-Local configuration will auto-assign an address in the 169.254.0.0/16 range
• Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces

Flowchart (Windows wireless auto-configuration, reconstructed from the slide):
• Scan for available networks (ANL)
• Try available PNL networks → if one connects, done
• Connect to non-preferred nets? Yes → connect to available networks (ANL); No → continue
• Any ad-hoc network in PNL? Yes → connect to the 1st ad-hoc network in PNL; No → set a random SSID and go into infrastructure mode (Parking Mode)
• Keep looking for preferred networks
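To make the flowchart and the PNL-position-then-signal rule concrete, here is an added model of the client choice before and after the hotfix; it is not Microsoft's code and not part of the original slides. The Net record, the PNL tuple layout and the hotfix flag are assumptions made for this illustration, and the sample networks (a genuine and a stronger rogue “tmobile”, an ad-hoc PNL entry) are constructed.

```python
"""Model of the Windows XP wireless auto-configuration choice from the
Parking Mode flowchart and the PNL/signal rule. Added illustration, not
Microsoft's code; Net, the PNL tuple layout and the hotfix flag are
assumptions made for this example."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Net:
    ssid: str
    bssid: str
    signal: int            # dBm; higher (less negative) is stronger
    adhoc: bool = False


def choose_network(pnl, anl, allow_nonpreferred=False, hotfix=False):
    """pnl: ordered list of (ssid, is_adhoc); anl: Nets seen in the scan.
    Returns (action, detail) with action in {"connect", "adhoc", "park"}."""
    # 1. PNL position wins over signal; among APs advertising the same SSID
    #    the strongest wins, which is how a power rogue AP gets picked.
    for ssid, is_adhoc in pnl:
        if is_adhoc:
            continue
        matches = [n for n in anl if n.ssid == ssid and not n.adhoc]
        if matches:
            return "connect", max(matches, key=lambda n: n.signal)
    # 2. Nothing preferred in range: join any available net only if allowed.
    if allow_nonpreferred and anl:
        return "connect", max(anl, key=lambda n: n.signal)
    # 3. Pre-hotfix clients silently start the first ad-hoc PNL entry.
    if not hotfix:
        for ssid, is_adhoc in pnl:
            if is_adhoc:
                return "adhoc", ssid
    # 4. Park on a random SSID in infrastructure mode; the hotfix passes a
    #    secure config (random key) to the driver instead of an open one.
    return "park", {"ssid": secrets.token_hex(16), "encrypted": hotfix}


# Constructed sample data: a genuine and a stronger rogue "tmobile" AP.
PNL = [("CorpNet", False), ("Free Public WiFi", True), ("tmobile", False)]
REAL_TMOBILE = Net("tmobile", "00:11:22:00:00:01", signal=-70)
ROGUE_TMOBILE = Net("tmobile", "de:ad:be:ef:00:01", signal=-40)

if __name__ == "__main__":
    print(choose_network(PNL, [REAL_TMOBILE, ROGUE_TMOBILE]))  # rogue wins on power
    print(choose_network(PNL, []))                             # joins the ad-hoc entry
    print(choose_network(PNL, [], hotfix=True))                # parks with a random key
```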
Windows Wireless Client Update
• Hotfix described in KB917021
• Non-broadcast networks
  – Allows setting a network as non-broadcast by ticking “Connect even if the network is not broadcasting”
  – WAC only sends probe requests for non-broadcast networks
  – Preferred broadcast networks in the PNL are not advertised
• Parking behaviour
  – Security configuration is passed onto the wireless adapter driver, using the most secure encryption method that the wireless network adapter supports (including a random encryption key)
• Ad-hoc
  – Manual connection
  – WAC doesn't probe ad-hoc SSIDs contained in the PNL
Windows Wireless Client Update (ctd.)
• Not included in SP2
• Many clients have not installed it
• Parking mode is driver-dependent
  – Most drivers still use no security
• You can still override secure default settings
Vista Wireless
• Vista allows defining non-broadcast wireless networks
  – Listed as Unnamed Network
• WAC will try to connect to wireless networks in the order they are listed in the PNL, whether they are broadcast or not
• Supports ad-hoc using WPA2-PSK
  – Strong passphrase selection
Hotspot Security Tips
• Double-check the name and presence of an official hotspot network where the service is provided
• Remember that the majority of hotspots do not ensure data confidentiality
• Always look out for a padlock and https sign on the hotspot login page
• Do NOT implicitly trust advertised “Free Public WiFi”
WEP
• WEP IS DEAD
• You MUST NOT use it
• Equivalent to no security (almost)
• aircrack-ptw: < 1 minute
WPA and WPA2
• WPA
  – Stronger security, maintaining hardware compatibility
• WPA2
  – Even stronger security
  – Needs new hardware
WPA Personal/WPA-PSK
• Both WPA and WPA2 can be used with a passphrase (8-63 characters)
• Weak passphrases offer WEP-like protection..NONE
• Use a strong password generator (free), e.g. https://www.grc.com/passwords.htm
Wireless Security Tips – At Home
• Change default values
  – IP addresses
  – Admin passwords
• Adjust the power output of your access point if possible
• Use MAC address filtering
• Change the default SSID
• Enable WPA/WPA2
  – Use a strong passphrase (20+ char)
• Set AP configuration to HTTPS if possible
Wireless Security Tips – On the move
• Switch off your wireless card if not needed
• Do not connect automatically to wireless networks (nothing comes free)
• Change your personal firewall settings to not trust the local network
• Be on your guard
General Wireless Security Tips
• Download and install the MS wireless update
• Uncheck automatic connection to unprotected networks
• Keep your computers patched all the time
• Remember that hotspot networks are not secure
Questions?