
Wireless Insecurity

Utz Roedig, University College Cork, Ireland, [email protected]



Overview

  • Introduction

    • Using wireless networks

    • Application scenarios

    • Basic functionality and security mechanisms

  • Attacking wireless networks

    • Targets and goals

    • Methods and examples

  • How to protect wireless networks

    • Basics: WEP, MAC filter, …

    • Network separation and security policy

  • Summary


Introduction

  • Why use wireless networks?

    • Give users some flexibility and freedom

    • Reduce network cost

  • Available solutions

    • Wi-Fi (IEEE 802.11)

    • HomeRF, Bluetooth, …


Terminology

  • WLAN

    • Wireless Local Area Network

  • Wi-Fi

    • Catchier than 'IEEE 802.11b direct sequence'

    • A marketing name for products based on 802.11

  • 802.11

    • Specification of PHY and MAC layer

    • a/g/n: different modulations and data rates

  • WEP

    • Wired Equivalent Privacy (Ha!, we will see)

  • WPA

    • Wi-Fi Protected Access (WPA and WPA2)



Application Scenario

  • Standard company network

    • Servers: data and services

    • Workstations: laptop, PC, (PDA)

    • Router: Internet connection



Application Scenario

  • Wireless company network

    • Servers: data and services

    • Workstations: laptop, PC, (PDA)

    • Router: Internet connection, wireless network connection



Application Scenario

  • Wireless company network insecurity

    • Servers: data and services

    • Workstations: laptop, PC, (PDA)

    • Router: Internet connection, wireless network connection


802.11 - Basics

  • Physical layer (PHY)

    • Defines coding and modulation

    • Operates in the 2.4 - 2.8 GHz band

  • Medium Access Control layer (MAC)

    • Organizes access to the shared medium

    • Uses carrier sense multiple access with collision avoidance

  • All nodes in the vicinity have to participate in PHY/MAC

    • Denial of service (DoS) is very simple!

      • PHY: signal jamming

      • MAC: misbehaving node


802.11 - MAC

  • Problem scope

    • If everyone talks at the same time I cannot understand you

    • A protocol is needed to organize who is talking when

  • Predefinition

    • Everyone talks using packets

    • Everyone uses a number (MAC address) so we know who is talking

  • Packet transmission (logical)

    • A node first listens to ensure no other node is transmitting

    • If the channel is clear, the node transmits the packet

    • Otherwise, the node chooses a random back-off time and tries again

  • Packet transmission (technical, RTS/CTS mechanism)

    • Snd: ready-to-send (RTS)

    • Rcv: clear-to-send (CTS)

    • Snd: data transmission (DATA)

    • Rcv: acknowledgement (ACK)
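The listen-then-back-off rule on this slide, and the "MAC: misbehaving node" denial of service named on the 802.11 basics slide, as an added example that is not part of the original slides: a slotted toy model of channel contention in which a contention window of 1 stands for a node that never backs off, plus a monitoring heuristic that flags a station holding far more than its fair share of the channel. Node names, window sizes and the threshold factor are assumptions.

```python
import random

def simulate(cw_by_node, rounds=5000, seed=1):
    """Slotted CSMA/CA toy model (not a full 802.11 DCF implementation).

    cw_by_node maps node name -> contention window; a node draws its
    back-off uniformly from [0, cw). cw=1 models a misbehaving node that
    never backs off. Returns successful transmissions per node.
    """
    rng = random.Random(seed)

    def draw(node):
        return rng.randrange(cw_by_node[node])

    backoff = {n: draw(n) for n in cw_by_node}
    wins = {n: 0 for n in cw_by_node}
    for _ in range(rounds):
        idle = min(backoff.values())            # idle slots before someone sends
        senders = [n for n, b in backoff.items() if b == idle]
        for n in backoff:
            backoff[n] -= idle                  # counters only run down while idle
        if len(senders) == 1:
            wins[senders[0]] += 1               # exactly one sender: success
        for n in senders:                       # after sending or colliding, redraw
            backoff[n] = draw(n)
    return wins

def channel_share(wins):
    """Fraction of all successful transmissions made by each node."""
    total = sum(wins.values()) or 1
    return {n: w / total for n, w in wins.items()}

def flag_unfair(wins, factor=2.0):
    """Monitoring heuristic (assumption): flag nodes whose share of the
    channel exceeds `factor` times the fair share 1/N."""
    shares = channel_share(wins)
    return sorted(n for n, s in shares.items() if s > factor / len(shares))

if __name__ == "__main__":
    print(channel_share(simulate({"A": 16, "B": 16, "C": 16, "D": 16})))
    print(channel_share(simulate({"A": 16, "B": 16, "C": 16, "D": 1})))
```

In the second run the compliant nodes never complete a transmission: their counters only decrease during idle slots, and the node with window 1 leaves none.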


Hardware and Operation

  • Wireless Network Card

    • Provides access to the 802.11 network

  • Access point

    • Provides bridge functionality

      • Between 802.11 and the fixed network

    • Provides additional functionality

      • Security: Firewall, Network Address Translation (NAT), …

      • Network: DHCP, DNS, WWW cache, …

  • Mode of operation

    • Infrastructure mode

      • All traffic passes through the access points

    • Ad-hoc mode

      • All computers talk directly to each other


Network Structure

  • Basic Service Set (BSS)

    • Stations form a BSS

  • Distribution System (DS)

    • A DS interconnects the BSSs

  • Extended Service Set (ESS)

    • BSSs together form an ESS

  • Handover requirements

    • Station type

      • Mobile

      • Portable

    • Roaming type

      • Within ESS: PHY/MAC handover

      • Between different ESS: PHY/MAC and network layer handover


802.11 - Security

  • WEP

    • Wired Equivalent Privacy

    • One key is shared among all users

    • Payload is transmitted encrypted

    • Content is secured, not the communication itself!

  • WPA

    • Wi-Fi Protected Access

    • Each user can be separately authenticated

    • Session keys are derived/negotiated and periodically changed

    • Payload is transmitted encrypted

  • WPA-2

    • Wi-Fi Protected Access version 2

    • Similar to WPA, updated cryptographic methods



Attacker - Goals


  • Denial of Service (DoS)

    • Deny the use of the wireless network

    • Deny the use of the complete company network

    • Deny the use of services

  • Unauthorized infrastructure use

    • Use of the Internet access

    • Use of services (e.g. WWW)

  • Information theft

    • Access file servers

    • Access database servers



Attacker - Steps


  • Step 1 (PHY)

    • Laptop with WLAN card

    • Get close enough (e.g. next door, car park, …)

    • Get WLAN access

      • Modulation, channel, …

      • ESS ID

  • Step 2 (MAC)

    • Join the (wireless) network

    • Bypass MAC filters, … if necessary

    • Bypass WEP if necessary

  • Step 3 (Network, Services)

    • Attack the services as usual


Attacker - Step 1

  • Selection of modulation, channel, …

    • Handled by the NIC

  • Case I: Unprotected (out-of-the-box)

    • Attacker selects the company network

      • Selection by ESS ID

    • Attacker joins the network

  • Case II: Hidden ESS ID

    • Attacker uses a scanner (e.g. aireplay)

    • Attacker obtains the ESS ID

    • Now it is Case I


Attacker - Step 2

  • Case I: MAC filter in place

    • Attacker starts a program scanning the air for a while (e.g. kismet)

    • Attacker changes his MAC into an accepted MAC (e.g. ifconfig)

    • Attacker joins the network

  • Case II: WEP security in place

    • Attacker uses a scanner (e.g. kismet)

    • After ESS ID and channel are known, packets are captured (e.g. airodump)

      • For a 64-bit WEP key, between about 50000 and 20000 packets

      • For 128 bits, between 200000 and 700000

    • Crack the key (e.g. aircrack)

    • Attacker joins the network


Attacker - Step 2

  • Case III: WPA-PSK security in place

    • Force an authentication handshake (e.g. aireplay)

    • Collect the handshake packets (e.g. airodump)

    • Dictionary brute force (e.g. aircrack)

    • Attacker joins the network

  • Possible problems

    • No traffic

    • WPA using RADIUS

    • Additional security mechanisms (Firewall, Proxy, …)


Attacker - Step 3

  • The attacker is now in the network

    • Virtually sitting with his laptop at your desk!

  • What will he do?

    • Using your bandwidth and ID to access the Internet

      • Possible lawsuit (download or offer illegal content)

      • Possible cost (if charged per MB)

    • Using your servers

      • Free storage space (with backup!)

      • Free web servers

      • Free …

    • Stealing your data/information!

    • DoS (maybe by accident)



Defender - Goals & Steps


  • Keep the attacker out!

    • Step 1: Secure the wireless network (if possible!)

    • Step 2: Secure the core network

      • In case the attacker somehow gets into the wireless network

    • Step 3: Define rules of operation

      • Logging, monitoring, key management, emergency plans, …


Defender - Step 1

  • Even if security mechanisms are flawed, use them!

    • Most hackers/attackers will choose the easy victim

    • Use several layers of protection

  • Useful security mechanisms

    • Use WPA with RADIUS if possible

    • If WEP/WPA-PSK is used, change keys frequently

    • Use MAC filtering

  • Summary

    • The wireless network cannot be secured!

    • Step 2/3 is needed if a wireless network is used!


Defender - Step 2

  • Separate the wireless network from the core network

    • Use a firewall between wireless and core network

      • Might be integrated in the base-station

      • Might offer user authentication

  • Restrict services available from the wireless network

    • Do people have to mount the fileserver from the laptop?

    • Is it necessary to have Internet access from the laptop?

  • Use higher layer security/encryption

    • Create a VPN (PPTP, L2TP)

    • IPSec

  • Only access services securely

    • Terminal: telnet -> ssh

    • Mail: POP -> IMAP (or Webmail with HTTPS)


Defender - Step 3

  • Logging

    • Activity in the network should be recorded

    • Records might be needed to detect an attacker

    • (Records might be needed for forensic analysis)

  • Monitoring

    • Someone should look periodically at the records!

  • Maintenance

    • Security needs maintenance!

    • Periodic update of keys

    • Add/Delete users, MAC addresses, update firewall rules, …

  • Emergency plans

    • What will we do if we detect an attacker?
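One way to make the periodic look at the records routine, as an added example that is not part of the original slides: a review of access point records that flags stations outside the MAC inventory and bursts of deauthentication events for one station, the pattern a forced handshake (Attacker Step 2, Case III) leaves behind. The log layout, the sample records, the inventory and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; the "time ap EVENT sta=MAC" layout is an
# assumption, not the log format of any particular access point.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ap1 ASSOC sta=02:00:00:00:00:0a
2024-05-01T10:00:05 ap1 DEAUTH sta=02:00:00:00:00:0a
2024-05-01T10:00:06 ap1 ASSOC sta=02:00:00:00:00:0a
2024-05-01T10:00:09 ap1 DEAUTH sta=02:00:00:00:00:0a
2024-05-01T10:00:10 ap1 ASSOC sta=02:00:00:00:00:0a
2024-05-01T10:00:12 ap1 DEAUTH sta=02:00:00:00:00:0a
2024-05-01T10:03:00 ap2 ASSOC_REJECT sta=02:00:00:00:00:ff
2024-05-01T11:00:00 ap2 DEAUTH sta=02:00:00:00:00:0b
"""
ALLOWED = {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}  # hypothetical inventory

def parse(line):
    """Split one record into (timestamp, ap, event, station MAC)."""
    ts, ap, event, sta = line.split()
    return datetime.fromisoformat(ts), ap, event, sta.split("=", 1)[1].lower()

def review(log, allowed=ALLOWED, burst=3, window=timedelta(seconds=60)):
    """Return sorted (station, finding) pairs that deserve a human look."""
    recent = defaultdict(deque)      # station -> recent DEAUTH timestamps
    findings = set()
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, _ap, event, sta = parse(line)
        if sta not in allowed and event in ("ASSOC", "ASSOC_REJECT"):
            findings.add((sta, "unknown-station"))
        if event == "DEAUTH":
            q = recent[sta]
            q.append(ts)
            while ts - q[0] > window:    # drop events outside the window
                q.popleft()
            if len(q) >= burst:          # repeated kicks in a short time
                findings.add((sta, "deauth-burst"))
    return sorted(findings)

if __name__ == "__main__":
    for station, finding in review(SAMPLE_LOG):
        print(station, finding)
```

A deauthentication burst can also come from a weak signal or a faulty driver, so a finding is a reason to look closer rather than proof of an attack.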


Summary

  • Covered topics

    • Basic functionality and application scenarios

    • Attacking wireless networks

    • Securing wireless networks

  • Conclusions

    • Setting up a wireless network is simple

    • Setting up a secure wireless network is somewhat complicated!

    • Do you really need a wireless network?

