Wireless LAN INsecurity 2003

Wireless LAN INsecurity 2004
Robert C. Jones, M.D.
LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland
E-mail: [email protected]
Web site: http://www.notbob.com
Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIV
Disclaimer: Fair Use of Online Resouces
FAIR USE NOTICE: This contains copyrighted material, which is reproduced
under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for
purposes such as criticism, comment, news reporting, teaching, scholarship, or
research. This material is posted without profit for the benefit of those who, by
accessing this material, are expressing a prior interest in this information for
research and educational purposes.







In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted
According to Sections 107 and 504c of United States Code title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for noncommercial purposes only
“Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or
research.
 In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
– The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
– The nature of the copyrighted work;
– The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
– The effect of the use upon the potential market for or value of the copyrighted work.
The purpose and character of this presentation is for nonprofit educational purposes in support of Homeland Defense and internet security; the nature of the copyrighted work
is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted use is
negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites
presenting this material.
This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related
concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S.
Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or
degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way
Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA
copyright infringement (courtesy of Department of Redundancy Department [DoRD])
Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity
"We came across a company with one of these wireless networks. All their source code, everything was available. This network was beaconing, 'log onto me'... It basically had its Rolls-Royce parked in the driveway, engine running, with a sign saying 'steal me.'"
-- Thubten Comberford of White Hat Technologies, a wireless security firm.
http://www.wirelessdevnet.com/articles/80211security/
Wireless INSecurity in the News
http://www.wral.com/technology/2465963/detail.html
Wireless INSecurity is Big Business
$100.00 per page…Think what a bargain this lecture is!
The Basic Network Security Pyramid
Wireless Security 2003
What this talk is about
• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
• References
What this talk is NOT about
• Cellular communication technology: GSM, CDMA, 2G, 2.5G, 3G, 4G…
• Uncommon alternatives to Wired LANs: Powerline technology, IR, laser, Avian IP
• How to hack the airwaves for fun & profit
• How to ensure 100% WLAN security
• AFH* Topics: TEMPEST, HAARP, ECHELON

*Aluminum Foil Hat

You can’t afford perfect security
“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”
Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419
This Talk Is Not For You If:
http://www.geocities.com/Area51/Dreamworld/1799/UNnwo2.html
Introduction to Wireless vs. Wired Networking
Wired Networking
• Inexpensive infrastructure (CAT5 cable + NICs)
• Expensive deployment (drilling through walls)
• Reconfiguring network topology difficult
• Difficult (not impossible!) to intercept communication
• Worldwide exposure to intruders if connected to Net
• Fast! (10/100 Mbps Ethernet → Gigabit ethernet…)
• Negligible interference from environment
Basic Wired Network Topology (diagram labels: Firewall, Router)
Wireless Networking
• Expensive infrastructure (clients+APs=cha-ching!)
• Inexpensive deployment (protocols supported in OSes)
• Reconfiguring network topology trivial (?too trivial?)
• Ridiculously easy to intercept communication
• Geographically constrained exposure to intruders*
• Relatively Slow (“11Mbps” marketingspeak = 5 Mbps)
• Massive environmental interference (ISM, path loss)

*ad hoc intranetworks
Basic Wireless Network Topology: Infrastructure Mode (using AP)
(diagram labels: Firewall, Access Point)
Advantages: AP security; isolated net connection
Disadvantages: AP cost, complexity; broadcast range
Basic Wireless Network Topology: P2P Ad Hoc Networks
(diagram label: Firewall)
Advantages: no addt’l hardware; geographically constrained
Disadvantages: unmanaged P2Pnet issues; geo. constrained
Basic WLAN Discovery
• Beacon Mode (default for 802.11b): 10 Hz signal with SSID in clear text + info regarding security support by AP (WEP, 802.1x, etc.)
• Beacon mode shut off: probe from station (STA) with SSID = blank or “any”; valid SSID returned
Basic WLAN Authentication & Association
• Authentication: process of verifying the credentials of a client asking to join a WLAN
• Association: process of connecting a client to a given AP in the WLAN
• 802.11 standard specifies 3 states:
  – Unauthenticated + Unassociated
  – Authenticated + Unassociated
  – Authenticated + Associated
Authentication
• Default: Open authentication (+/- MAC/SSID filtering): STA “give me access” → AP “granted”
• Shared Key Authentication (e.g., WEP): STA “give me access” → AP authentication challenge → STA authentication response → AP “granted”
Generic Wireless Security Exploits
• Physical Theft
• Eavesdropping
• Data Modification
• Identity Spoofing/Masquerading
• Denial of Service (DoS)
Let’s Get Physical
• Physical theft of laptop/PDA 3rd most common network security threat facing businesses (2003)
• Laptop = Expensive; Proprietary Data = Priceless
• No one is immune (FBI; DEA; IRS; State Department; Qualcomm CEO…)
• Theft of proprietary data #1 cause of financial loss by corporations

References: State Dept.: http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,54791,00.html
FBI/DEA/IRS: http://www.nwfusion.com/newsletters/sec/2002/01514404.html
Qualcomm CEO: http://zdnet.com.com/2100-11-523990.html?legacy=zdnn
(chart) Source: http://www.gocsi.com/awareness/fbi.jhtml
Generic Wireless Network Exploits: Physical Theft (before/after diagrams; labels: Firewall, Access Point)
Generic Wireless Network Exploits: Eavesdropping Case 1: Wardriving (diagram labels: Firewall, Access Point, “Gotcha!”)
Generic Wireless Network Exploits: Eavesdropping Case 2: Office Building (diagram labels: Firewall, Access Point; listeners: Tabloid, Terrorist, Your Competitor)
Generic Wireless Network Exploits: Eavesdropping Case 3: Rogue APs (diagram labels: Firewall, Access Point, Rogue Access Point)
Generic Wireless Network Exploits: Eavesdropping Case 4: P2P Ad Hoc Networks (diagram label: Firewall)
• Insecure connection to outside APs
• Unwise placement
• Insecure modem connection
• High-power client
• Unauthorized antenna
The 100 meter myth
• Increasingly powerful 802.11x clients available
• 200 mW PCMCIA cards advertise 6000+ ft range: http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
• Most WiFi® adapters have external antenna connections; even homemade antennas work well
Generic Wireless Network Exploits: Data Modification (Man in the Middle Attack)
(diagram: Alice → Access Point/Firewall → Bob, with Cats in the middle: Listen, Read, Corrupt, Forge, Send; Alice’s “Need project Chortle now!” arrives at Bob as “Meeting postponed; go home early”)
Ref: Edney J, Arbaugh, WA, Real 802.11 Security, pp. 37-40
Generic Wireless Network Exploits: Identity Spoofing
(diagram: legitimate client MAC Address: 0000deadbeef; SSID: default; Cats with spoofed MAC Address: 0000deadbeef; SSID: default; “Looks like your company’s IP to the FBI!”; labels: Bob, Alice, Firewall, Access Point)
Generic Wireless Network Exploits: Denial of Service (DoS)
(diagram: interference sources around the Access Point/Firewall: microwave oven, cell phone, Bluetooth device, 2.4 GHz jammer)
Risks of Specific WLAN technologies
• 802.11x/WiFi™
  – ISM vulnerability
  – MAC/SSID authentication insecurity
  – WEP insecurity
• Bluetooth
• HIPERLAN/2 (Europe: ETSI*)
• HiSWAN (Japan: MMAC†)

*European Telecommunications Standards Institute: http://www.hiperlan.uk.com/pages/hiperlan.htm
†Multimedia Mobile Access Communication: http://www.arib.or.jp/mmac/e/
IEEE 802.11 Risks
• ISM: Industrial, Scientific, and Medical Spectrum
• Not reserved: Allocated for “Amateur” use
• Long list of things that cause interference in 2.4 GHz range:
  – 2.4 GHz cell phones/portable phones
  – Microwave ovens
  – Stained glass windows
  – Portable jammers (illegal in USA)
MAC/SSID Vulnerability
• MAC = media access control address
  – Hardcoded in all NICs
  – Easily Spoofed (Win 9x, Linux; not WinXP)
• SSID = Service Set Identifier
  – Used to define networks
  – By default, broadcast by access points
  – Will be given out by AP if client configured with “any” or blank SSID
Default SSIDs
• 3Com: comcomcom
• Cisco: 2, tsunami, WaveLAN Network
• Compaq: Compaq
• DLink: WLAN
• Intel: 101, 195, xlan, intel
• Linksys: linksys, Wireless
• Netgear: Wireless
• Zcomax: any, mello, Test
With AP manufacturer, trivial to determine default Administrator username/password!
http://www.cirt.net/cgi-bin/ssids.pl
http://www.iss.net/wireless/WLAN_FAQ.php
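As an added illustration (not part of the deck), the following Python parses a raw 802.11 beacon frame of the kind described under Basic WLAN Discovery and reports what any station in range learns from it: the SSID in the clear, whether it is one of the default SSIDs listed above, and whether the capability field's privacy bit (WEP) is set. The frame builder, the vendor table and the finding strings are constructed here for the audit; the frame layout is the standard 24-byte management header followed by the beacon fixed fields and tagged elements, with no radiotap header.

```python
import struct

# Default SSIDs from the slide above, keyed by SSID (constructed lookup table).
DEFAULT_SSIDS = {
    "comcomcom": "3Com", "2": "Cisco", "tsunami": "Cisco", "WaveLAN Network": "Cisco",
    "Compaq": "Compaq", "WLAN": "DLink", "101": "Intel", "195": "Intel", "xlan": "Intel",
    "intel": "Intel", "linksys": "Linksys", "Wireless": "Linksys/Netgear",
    "any": "Zcomax", "mello": "Zcomax", "Test": "Zcomax",
}

MGMT_HDR_LEN = 24       # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
CAP_ESS = 0x0001        # capability bit 0: infrastructure (AP) network
CAP_PRIVACY = 0x0010    # capability bit 4: WEP ("privacy") required to associate
ELEMENT_SSID = 0        # tagged element ID for the SSID


def parse_beacon(frame: bytes) -> dict:
    """Parse one raw beacon frame into the fields a passive listener sees."""
    fc = frame[0]
    # type is bits 2-3 (0 = management), subtype bits 4-7 (8 = beacon)
    if (fc & 0x0C) != 0x00 or (fc >> 4) != 8:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # addr3 carries the BSSID
    # fixed fields: timestamp(8) beacon interval(2, in 1024 us TUs) capability(2)
    _, interval, cap = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    ssid = None
    pos = MGMT_HDR_LEN + 12
    while pos + 2 <= len(frame):                 # walk the tagged elements
        eid, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if eid == ELEMENT_SSID:
            ssid = value.decode("utf-8", "replace")  # zero-length = "cloaked"
        pos += 2 + length
    return {
        "bssid": bssid,
        "ssid": ssid,
        "beacon_interval_tu": interval,
        "beacons_per_s": round(1_000_000 / (interval * 1024), 1),  # 100 TU ~ 10 Hz
        "privacy": bool(cap & CAP_PRIVACY),
    }


def audit_beacon(frame: bytes) -> list:
    """Return the findings a wardriver would note from a single beacon."""
    rec = parse_beacon(frame)
    findings = []
    if rec["ssid"]:
        findings.append("SSID broadcast in the clear")
        vendor = DEFAULT_SSIDS.get(rec["ssid"])
        if vendor:
            findings.append(f"default SSID ({vendor}): default admin credentials likely")
    if not rec["privacy"]:
        findings.append("privacy bit clear: no WEP/WPA, traffic readable by anyone in range")
    return findings


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, interval_tu: int = 100) -> bytes:
    """Construct a minimal beacon (sample input for the audit, not a captured frame)."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    hdr = (bytes([0x80, 0x00])      # frame control: management / beacon
           + b"\x00\x00"            # duration
           + b"\xff" * 6            # addr1: broadcast
           + bssid + bssid          # addr2 (SA) and addr3 (BSSID)
           + b"\x00\x00")           # sequence control
    fixed = struct.pack("<QHH", 0, interval_tu, cap)
    ies = bytes([ELEMENT_SSID, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID + 1 Mbps rate
    return hdr + fixed + ies


if __name__ == "__main__":
    sample = build_beacon(b"\x00\x00\xde\xad\xbe\xef", b"linksys", privacy=False)
    print(parse_beacon(sample))
    for finding in audit_beacon(sample):
        print(" -", finding)
```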
WEP…what is WEP?
• Wired Equivalent Protocol (NOT Wireless Encryption Privacy)
• First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
• Never intended to provide strong security; Goals:
  – “Reasonably strong” (dependent on key length)
  – “Self-synchronizing” (for “best effort” delivery)
  – “Efficient” (low processor overhead)
  – “Exportable” (pre-1999 ITAR climate [Phil Zimmerman])
  – “Optional” (so lusers don’t whine to hardware manufacturers when they mess up WEP on their networks– DISABLED out of the box by all OEMs as of 2003 AFAIK*)

*AFAIK = As far as I know
Encryption Basics: XOR Logic Gate
• Need to hide message (plaintext) = needle
• Generate random stuff (encryption key) = piece of hay
• Multiply random stuff (keystream) = haystack
• Hide message in haystack (XOR) → needle+haystack (ciphertext)
http://www.mesda.com/files/infosecurity200309.pdf; http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html
Intro to Encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm
How is WEP supposed to work?
• Secret key combined with IV, run through WEP cipher PRNG (RC4)
• Plaintext XORed with key sequence (irreversible without key)
• Ciphertext output sent over airwaves after encapsulation into IP packets
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
What is RC4?
• One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
• Efficient streaming cipher (low overhead)-- used in SSL encryption (online banking, etc.)
• Proprietary trade secret of RSA Inc. http://www.rsasecurity.com
• Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994…all open source RC4 implementations based on this anonymous post (including WEP)!

Header of the post, as reproduced on the slide:
From: [email protected] (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 21:30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID: <[email protected]>
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: [email protected], Subject: remailer-help
X-Comment: Please report inappropriate use to <[email protected]>
SUBJECT: RC4 Source Code
I've tested this. It is compatible with the RC4 object module
that comes in the various RSA toolkits.
/* rc4.h */
http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain
Why is WEP Broken?
• First paper: Fluhrer, Mantin, Shamir (encryption flaws) http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
• WEP attack using FMS method: Stubblefield, Ioannidis, Rubin http://www.cs.rice.edu/~astubble/wep/
• WEP standard implements RC4 improperly http://www.rsasecurity.com/rsalabs/node.asp?id=2009
• Flaws in key scheduling algorithm → large number of weak keys → encryption easily cracked
• IV is sent in the clear with each chunk– subtract 24 bits of IV from encryption key length
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
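To make the IV point above concrete, here is an added Python model of WEP's per-frame encryption (RC4 written from the public description, not the sci.crypt source quoted earlier; the ICV is CRC-32 as in 802.11-1999). It shows that the 3-byte IV travels in the clear in front of every frame, that the advertised key length counts those 24 public bits, and that two frames sent under the same IV reuse one keystream, so their ciphertexts XOR to the XOR of their plaintexts with no key involved. Key, IV and message values are constructed.

```python
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 as publicly described: key scheduling (KSA) then output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: the phase FMS showed leaks key bytes
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, cleartext) || RC4(IV || secret) XOR (plaintext || CRC-32 ICV)."""
    if len(iv) != 3 or len(secret) not in (5, 13):   # 40-bit or 104-bit shared secret
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte secret")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + secret, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Rebuild the keystream from the cleartext IV and the secret, then check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + secret, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(plaintext) & 0xFFFFFFFF:
        raise ValueError("ICV mismatch: wrong key or modified frame")
    return plaintext


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Two frames with the same IV share one keystream: C_a XOR C_b = P_a XOR P_b.
    Returns that XOR (keystream cancelled out), or None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return xor(frame_a[3:3 + n], frame_b[3:3 + n])


def effective_key_bits(advertised_bits: int) -> int:
    """'64-bit' WEP = 24-bit cleartext IV + 40-bit secret; '128-bit' = 24 + 104."""
    return advertised_bits - 24


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key
    frame = wep_encrypt(secret, b"\x00\x00\x01", b"hello")
    print("IV in the clear:", frame[:3].hex(), "secret bits:", effective_key_bits(64))
    print(wep_decrypt(secret, frame))
```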
Quick Fix for WEP: WPA
• WPA = “WiFi™ Protected Access”
• Available as software/firmware upgrade for most chipsets/manufacturers now or soon
• Subset of upcoming 802.11i security architecture
• Patches major vulnerabilities in WEP:
  – TKIP fixes IV weakness, adds MIC, key mixing, rekeying
  – Supports enterprise user authentication via EAP and 802.1X
  – SOHO mode: Pre-Shared Key (PSK): autorotates key for you
http://www.newswireless.net/articles/021123-protect.html
Risks of non-802.11x WLAN technologies
• Bluetooth
  – Minimal security “out of the box”– need to RTFM
  – Security upgrade in B’tooth Spec. 1.2: http://www.itsecurity.com/tecsnews/jun2003/jun255.htm
  – Red Fang: Bluetooth device discovery tool from @Stake (formerly L0pht Heavy Industries)– proof of concept; not very practical http://www.kewney.com/articles/0300910-bluestake.html
  – References: http://www.webdesk.com/bluetooth-security-issues/; www.giac.org/practical/GSEC/Tu_Niem_GSEC.pdf
• HIPERLAN/2
• HiSWAN
HIPERLAN/2 and HiSWAN: Future Technologies for Future Talks
Technology needs to “hit the street” for serious security issues to arise
Wardriving 101
• Definition: Mobile discovery of WLANs
• Derived from term “wardialing”: automated dialing of telephone numbers looking for modems (“Wargames”)
• Related terms: Warwalking, warflying, warchalking…
• NOT illegal in USA as of 2003: open ISM spectrum
• HOWEVER, ethical wardrivers NEVER connect to the networks they detect, let alone implant/steal data therefrom (see Jeff Duntemann, Drive-by WiFi Guide)
http://www.paraglyphpress.com/pr02242003.php
Why Wardrive?
• Fun: Sense of adventure a la 007
• Informative: Teaches one about WLAN security
• Cheap Hardware: Laptop + client +/- antenna +/- GPS
• Free Software: Netstumbler, BSDAirtools, Airsnort…
• Camaraderie: Group wardriving contests popular
• 31337 Hobby: In-crowd lingo (WEP, )(, tsunami)
• Business tool: Audit your own network to improve security/demonstrate insecurity to management
Wardriving Hardware
• Old laptop with WLAN client +/- GPS
• Pigtail– connects wireless card to antenna
• Antenna– omnidirectional, magnetic mount, low profile best
Photo: Duško and Vlado summoning wireless signals: http://www.wardriving.com/fiva.jpg; http://www.monitor.hr/interview/wireless.htm (in Croatian, from Zagreb)
Wardriving Software
• NetStumbler http://www.netstumbler.com/
• MacStumbler http://www.macstumbler.com/
• BSDAirtools http://www.dachb0den.com/projects/bsd-airtools.html
• AirSnort http://airsnort.shmoo.com/
• Kismet http://www.kismetwireless.net/
• Wellenreiter http://www.wellenreiter.net/
Lots of other tools: http://wardrive.net/wardriving/tools
Preparing for Safe and Ethical Wardrive
• Use non-production box (old laptop)– just in case
• Change network ID to generic name (e.g., MSHOME, localhost)
• Update client software/firmware
• Uninstall TCP/IP from supported wireless card
• Uninstall TCP/IP from integrated wireless (if any)
• Spoof MAC address of wireless card (can’t in XP)
• Delete preferred networks (XP): Control Panel | Network | Card | Properties | Wireless Networks | Preferred Networks
Disable prior to wardrive to prevent autoconnection to discovered APs (screenshot: Orinoco Gold on Win 98SE)

MAC Address Spoofing
Red Hat Linux (YMMV RTFM HTH), quoting a Usenet post:
edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints
http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain
Conducting Safe and Ethical Wardrive
• Read up on local/national laws before you set out
• Be careful with pigtails– fragile!
• Put laptop in back of car (behind driver) to prevent distraction (local laws against watching TV, etc. + common sense safety measure)
• Drive during day– no suspicious eerie glow
• Optimum speed around 30 MPH
• Screenshots: shift|print screen or graphics program (PaintShop Pro, etc.); stop car safely if alone
PSP8: http://www.jasc.com
Results of a “WarSit™” in San Francisco
Wardriving + GPS: http://www.netstumbler.com/nation.php

Here there be Warchalkers
• Mainly mythical meme
• Originated by Matthew D. Jones, Ph.D.
• Open node symbolized by )(
• )( Often used as 31337 shorthand for wardriving
• Don’t Warchalk: the world has enough graffiti
http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf
The Basics to Do Now
• Pay attention to geographical location of AP (parking lot coverage)
• Disable file & print sharing if not needed; never share root
• Disable SSID broadcasting (default = enabled for most products)
• Change the SSID to something non-default which says nothing about you or network (boring = good; Smithfamilydiamonds = bad)
• Upgrade firmware of AP/client to increase security (WPA)
• Change default administrator login/password for AP
• Set authentication to “Shared Key” or “Auto”, not “Open System”
• Configure AP to enable MAC address filtering (not perfect, yes…)
• Enable WEP/WPA
Bbbbut…isn’t WEP broken?
• Yes, but…just because your front door can be picked, doesn’t mean you shouldn’t lock it!
• Never be low hanging fruit for attackers
• If you just enable WEP: more secure than 75% of WLAN users (according to wardriving data)
• If you enable WEP + change SSID from default + change AP logon/pw: more secure than 95% of lusers
Enabling WEP (screenshots: Orinoco Gold on Win 98SE; Linksys pic modified from: http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg)
Advanced WEP
• Freeware key generators create pseudorandom keys for you to enter
• Rotate keys frequently (weekly for business, monthly for home at minimum)
• Make sure highest key-length WEP is enabled (remember, 64 bit WEP key is really just 40 bits long [thanks, marketing!])
• Upgrade WEP to WPA as soon as possible (look for WPA support for all new hardware)
Advanced WLAN Security: Topology Options
(diagram: Firewall separating a “Safe Side” from an “Unsafe Side”)
• Treat all wireless communication as insecure
• Put AP on “unsafe” side of firewall
• Use VPN (private tunnel) through internet to reach internal network
• Impractical for SOHO networks (expensive; throughput hit)
Advanced WLAN Security Upgrades
• 802.1X port-based authentication– requires dedicated authentication server (or server process in AP)
• RADIUS authentication: for enterprises only
• IEEE 802.11i = WPA + RSN; currently in draft form
• RSN: Robust Security Network 802.1X + EAP + AES (non-WEP encryption protocol) – will likely need hardware upgrade to run RSN without major hit on throughput; likely available in “mature” form in 2005-6 (world will be beta-testing 802.11i during 2004)
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
Future WLAN Security Issues
• Biological hazards of radio communications
• Military implementation of DOS vs. WLANs/cellular
• Geographic extension of WLAN-- ablation of security through propinquity (ELF; satellites with ultra-sensitive sensors)
• Legal aspects (HIPAA, due-diligence) and need to implement security & audit for rogue APs, wardrivers
• Follow-on Technologies: UltraWide Band (UWB), others
WLAN = Biohazard?
• 3G networks have been shown to affect cognition of volunteers & create headaches, nausea
• Interestingly, enhanced memory and alertness
• As we become surrounded by WLANs, PANs, WANs, and cellular broadcasting towers, are we harming our fragile neurological systems?
• No evolutionary exposure to MW radiation at current levels…will our children’s children adapt?
http://edition.cnn.com/2003/TECH/ptech/10/01/g3.health.reut/index.html
Beware the Wolfpack
• Small, autonomous sensor-jammers that intelligently coalesce into WLAN on battlefield; 6 lb canisters initiate RF DOS within 500 meter radius
• Link together to overpower enemy’s WLAN/cellular communications
• Part of DARPA XG (Next Generation) RF dominance initiative
http://www.darpa.mil/DARPATech2002/presentations/ ato_pdf/speeches/MARSHALL.pdf
http://www.darpa.mil/ato/programs/wolfpack.htm
http://www.theregister.co.uk/content/69/32361.html
http://www.defenselink.mil/news/Aug2003/n08142003_200308147.html
Physician, Audit Thyself
• Lots of commercial products out there to audit networks for rogue APs, P2P connections, wardrivers
• May become legal requirement in future for HIPAA compliance (along with advanced security afforded by RSN/802.11i [final standard anticipated May 2004])
Pictured: Airmagnet Handheld PAK®
http://www.airmagnet.com/products/handheld.htm
http://www.airdefense.net/products/index.html
http://www.wildpackets.com/products/airopeek
Summary pyramid (diagram labels):
• Assume wardrivers, snoopers all around you
• Prevent theft; BIOS pw; encrypt sensitive files
• Change default; don’t broadcast
• Got WPA/802.1X? Upgrade WEP ASAP
• Enable; rotate keys manually
• Change default admin logon/pw
• 802.1X, 802.11i, RSN; VPN + RADIUS for enterprises
• Patch OS frequently to plug wireless security holes; read media for new WLAN exploits

The Tao of Network Security
• 1994-1999: Information Access
• 2000-2005: Information Denial
What this talk is about
• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
• References

Online Resources
WLAN Specifications
•WiFiTM Alliance (formerly WECA): http://www.weca.net/
•IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html
•IEEE 802.11i: Latest draft (private): http://grouper.ieee.org/groups/802/11/private/Draft_Standards/11i/802.11i-D6.0.doc
Lots of interesting documents: http://www.ieee802.org/11/Documents/DocumentHolder/
•Bluetooth: https://www.bluetooth.org/
•HIPERLAN/2: Official Specs: http://www.hiperlan2.com
IEEE Communications Overview: http://www.ihpffo.de/systems/Doc/Vorlesung/MC/%DCbung/Gruppe7-Hiperlan/0130khun.pdf
•HiSWAN: http://www.arib.or.jp/mmac/e/index.htm
•Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149
Online Resources
Basic 802.11 Security
•WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php
•WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
•WEP Insecurity: http://www.cs.rice.edu/~astubble/wep/wep_attack.html
•WPA: http://www.weca.net/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
•Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf
•Netstumbler: http://www.netstumbler.com
•Wireless Glossary: http://www.devx.com/wireless/Door/11333
•Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html
Online Resources
Advanced WLAN Security/Continuing Security Education
•SANS: http://www.sans.org
•Cool list of WLAN Security Links: http://is-it-true.org/pt/ptips23.shtml
•Google it: search Google for “WLAN security” and/or “WiFi® security”
•Still More whitepapers: http://www.wlana.org/learning_center.html
Online Resources
AFH Topics
•People are stupid: Wireless Equivalent Privacy:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search
•People are stupid 2: Wireless Encryption Protocol:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22
•HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html
•ECHELON: http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_echelon_en.pdf
•TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html
Offline Resources
Books/Articles: Computer Security Essentials
• Skoudis, Ed, Counterhack, Upper Saddle River, NJ: Prentice Hall PTR 2002. ISBN 0-13-033273-9 (amazing book! dozens of black-hat techniques with countermeasures)
• Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 (a classic)
• Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0 (first edition includes excellent appendix on basics of ISO/OSI TCP/IP stack)
Offline Resources
Books/Articles: WLAN Security
• Duntemann J, Jeff Duntemann's Drive-by WiFi Guide, Scottsdale: Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable & entertaining; most practical 3-space reference thus far)
• Peikari C, Fogie S, Maximum Wireless Security, Indianapolis: Sams Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er, Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain't good.])
• Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (cool time-travel aspect of copyright [to make it seem more current]; almost incomprehensible at times, but good reference)