802.11b Wireless Network Security
7/21/2015
Agenda
• Background
• Discovery
• Vulnerabilities
• Whacking
• Solutions
• The Future
Background
• 802.11
– finalised by IEEE 1997
– 2.4 GHz
– Data rate of 1-2 Mbps
• 802.11b
– 2.4 GHz
– Data rate of 11 Mbps
– Current Standard
• 802.11a
– 5 GHz
– Data rate of 54 Mbps
– Equipment soon to be available from Intel?
Background
• Client Stations are configured with a WLAN network card
• These communicate with Access Points which provide a bridge to the wired LAN
• Multiple Stations and a single Access Point are known as a BSS (Basic Service Set)
• Multiple Stations and multiple Access Points are known as an ESS (Extended Service Set)
Background
• Each SS has an SSID (Service Set IDentifier)
• Replaces Layers 1 and 2 of OSI (Physical and Data Link)
• Effective range of 100 metres
– Can be extended using directional antennae
– Outside physical security controls
Background - Security
• Encryption provided by:
– WEP (Wireless Encryption Protocol)
– Symmetric key
– Available in 64bit and 128bit key length versions
• Authentication provided by:
– WEP
– Access control based on:
• SSID
• MAC Address
WLAN Discovery
• Range makes service sets easy to identify
– WarDriving, WarPeddling, WarWalking
– NetStumbler, APSniff
• Easy to associate with AP and receive an IP address by DHCP
WLAN Discovery
• SSID
• MAC Address & Vendor
• Geographic Location
• Network Parameters (WEP, AP/Peer, Channel)
• Radio Signal Parameters (S/N ratio, Strength)
WLAN Discovery - Equipment
• Mobile PC
– Windows (Netstumbler, APSniff)
– Linux/BSD (Pete Shipley’s scripts, bsd-airtools)
• WLAN Card
– Hermes Chipset (Lucent, ELSA etc.)
– Prism II Chipset (D-Link, Compaq etc.)
• GPS with serial link
• 2.4 GHz Omni-directional Antenna
• Transport
WLAN Discovery - Netstumbler
WLAN Discovery – The West End Run
Over 40 networks discovered in an 8 mile drive
WLAN Discovery – Results
• 80 unique WLANs identified
– 54 not WEP enabled
• 130 unique Access Points identified
– 84 not WEP enabled
WEP usage rate is typical at around 33%
WLAN Discovery – Some Observations
• Detection range generally 10m to 150m
– Obstructions
– Weather
– Antenna
• Travel speed affects detection rate
– Walking speed optimal
– Sometimes detectable at speeds of 90mph!
WLAN Discovery – Important Points
• Legality may be ambiguous
– Interception of Communications and Computer Misuse
– Inadvertent reception of adjacent networks
– Be careful if publishing results
• Safeguards
– Un-bind all network protocols from WLAN card
– Turn off features such as auto-configure
Vulnerabilities
• WEP is flawed and crackable
• Some packets are ‘weak’ and reveal information about the key in use
• Implemented in:
– WEPCrack
– AirSnort
Solutions
• 802.11b security is flawed
• WLANs are easy to locate
• Risks can be mitigated:
– Treat WLANs as insecure networks
– Only use 128bit WEP
– Segregate WLANs with firewalls
– Use VPNs to connect through the firewalls
– Use application encryption e.g. SSH, HTTPS
– Use MAC address access control
– Disable SSID broadcasts if possible
– Use SSIDs that do not reveal information
– Use site surveys
– Change default passwords
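One way to act on the site-survey, WEP and SSID items above, as an added example that is not part of the original slides: it audits one survey pass against an inventory of deployed access points. The CSV layout, the MAC inventory, the SSID word lists and the signal threshold are all constructed assumptions, not any real tool's export format.

```python
import csv
import io

# Constructed site-survey records (not a real tool's export format).
# Columns follow the fields the discovery slides list: SSID, MAC, channel, WEP, signal.
SURVEY_CSV = """ssid,mac,channel,wep,signal_dbm
CORP-WLAN,00:11:22:33:44:01,1,yes,-48
CORP-WLAN,00:11:22:33:44:02,6,no,-61
linksys,00:AA:BB:CC:DD:10,6,no,-70
AcmeFinance-Floor3,00:11:22:33:44:03,11,yes,-55
CafeNextDoor,00:DE:AD:BE:EF:99,11,no,-88
"""

# Assumed inventory of access points the organisation has deployed.
AUTHORISED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
DEFAULT_SSIDS = {"linksys", "tsunami", "default"}  # illustrative vendor defaults
REVEALING_WORDS = {"acme", "finance", "floor"}     # hypothetical org-specific terms
ROGUE_SIGNAL_DBM = -75  # assumed threshold: stronger than this is likely on site


def audit(csv_text):
    """Return a sorted list of (mac, finding) tuples for one survey pass."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac, ssid = row["mac"].upper(), row["ssid"].lower()
        if mac not in AUTHORISED_MACS:
            # Unknown AP: a strong signal suggests it is inside the premises.
            if int(row["signal_dbm"]) > ROGUE_SIGNAL_DBM:
                findings.append((mac, "unauthorised AP on site"))
            continue  # a neighbour's configuration is not ours to audit
        if row["wep"].lower() != "yes":
            findings.append((mac, "WEP disabled"))
        if ssid in DEFAULT_SSIDS:
            findings.append((mac, "default SSID"))
        if any(word in ssid for word in REVEALING_WORDS):
            findings.append((mac, "SSID reveals information"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, finding in audit(SURVEY_CSV):
        print(f"{mac}  {finding}")
```

MAC addresses can be cloned, so a match against the inventory indicates, but does not prove, an authorised access point.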
The Future
• Several IEEE working groups
– E to I
• 802.11i
– Examining security enhancements
– WPA, WPA2
– Kerberos
• 5GSG
– Working on harmonisation of 802.11, Hiperlan etc.
Questions
An 802.11 workshop by Loud-fat-bloke, author of WIDZ FATAJACK & the Wireless hacker survey, is available