Transcript Document
802.11b Wireless Network Security 7/21/2015 Agenda • • • • • • Background Discovery Vulnerabilities Whacking Solutions The Future 7/21/2015 Background • 802.11 – finalised by IEEE 1997 – 2.4 GHz – Data rate of 1-2 Mbps • 802.11b – 2.4 GHz – Data rate of 11 Mbps – Current Standard • 802.11a – 5 GHz – Data rate of 54 Mbps – Equipment soon to be available from Intel? 7/21/2015 Background • Client Stations are configured with a WLAN network card • These communicate with Access Points which provide a bridge to the wired LAN • Multiple Stations and a single Access Point is known as an BSS (Basic Set Service) • Multiple Stations and multiple Access Points are known as an ESS (Extended Set Service) 7/21/2015 Background • Each SS has an SSID (Service Set IDentifier) • Replaces Layers 1 and 2 of OSI (Physical and Data Link) • Effective range of 100 metres – Can be extended using directional antennae – Outside physical security controls 7/21/2015 Background - Security • Encryption provided by: – WEP (Wireless Encryption Protocol) – Symmetric key – Available in 64bit and 128bit key length versions • Authentication provided by: – WEP – Access control based on: • SSID • MAC Address 7/21/2015 WLAN Discovery • Range makes service sets easy to identify – WarDriving, WarPeddling, WarWalking – NetStumbler, APSniff • Easy to associate with AP and receive an IP address by DHCP 7/21/2015 WLAN Discovery • • • • SSID Mac Address & Vendor Geographic Location Network Parameters (WEP, AP/Peer, Channel) • Radio Signal Parameters (S/N ratio, Strength) 7/21/2015 WLAN Discovery - Equipment • Mobile PC – Windows (Netstumbler, APSniff) – Linux/BSD (Pete Shipley’s scripts, bsd-airtools) • WLAN Card – Hermes Chipset (Lucent, ELSA etc.) – Prism II Chipset (D-Link, Compaq etc.) • GPS with serial link • 2.4Ghz Omni-directional Antenna • Transport 7/21/2015 WLAN Discovery - Netstumbler 7/21/2015 WLAN Discovery – The West End Run Over 40 networks discovered in an 8 mile drive 7/21/2015 WLAN Discovery – Results • 80 unique WLANs identified – 54 not WEP enabled • 130 unique Access Points identified – 84 not WEP enabled WEP usage rate is typical at around 33% 7/21/2015 WLAN Discovery – Some Observations • Detection range generally 10m to 150m – – – Obstructions Weather Antenna • Travel speed affects detection rate – – 7/21/2015 Walking speed optimal Sometimes detectable at speeds of 90mph! WLAN Discovery – Important Points • Legality may be ambiguous – Interception of Communications and Computer Misuse – Inadvertent reception of adjacent networks – Be careful if publishing results • Safeguards – Un-bind all network protocols from WLAN card – Turn off features such as auto-configure 7/21/2015 Vulnerabilities • WEP is flawed and crackable • Some packets are ‘weak’ and reveal information about the key in use • Implemented in: – WEPCrack – AirSnort 7/21/2015 Solutions • 802.11b security is flawed • WLANs are easy to locate • Risks can be mitigated: – – – – – – – – – – Treat WLANs as insecure networks Only use 128bit WEP Segregate WLANs with firewalls Use VPNs to connect through the firewalls Use application encryption e.g. SSH, HTTPS Use MAC address access control Disable SSID broadcasts if possible Use SSIDs that do not reveal information Use site surveys Change default passwords 7/21/2015 The Future • Several IEEE working groups – E to I • 802.11i – Examining security enhancements – WPA WPA2 – Kerberos • 5GSG – Working on harmonisation of 802.11, Hiperlan etc. 7/21/2015 Questions A 802.11 workshop by Loud-fat-bloke Author of WIDZ FATAJACK & the Wireless hacker survey Is available 7/21/2015