
Security of Wireless Networks



Presentation Transcript


  1. Security of Wireless Networks
  Mario Čagalj, FESB, University of Split, 27/4/2010
  Assembled from different sources: Čapkun, Danev, ...

  2. Device Identification

  3. Agenda
  • Introduction
    – Definitions & Perspectives
    – Device Identification Basics
  • Device Identification Techniques
    – Passive Device Identification
    – Active Device Identification
    – Summary
  • Applications of Device Identification
  • Attacks on Device Identification Systems
  • Conclusion

  4. Introduction
  • Device identification is the act
    – of identifying a component in a networked environment (e.g., an operating system, a driver, a physical device)
    – based on the analysis of the communication with that component, with or without the component's knowledge
  • Device identification covers a
    – broad spectrum of technologies (wired, wireless), and
    – many different methods have been suggested
  • Device identification presents two perspectives
    – The network authority perspective
    – The attacker perspective

  5. Different Perspectives
  • The network authority perspective
    – Law enforcement agencies maintain some measure of control and regulatory power (e.g., locating illegal transmitters)
    – Mobile operators identify cloned cell phones
    – Administrators identify and track problematic hosts
    – Prevention of / protection against some types of attacks on the network operation (e.g., identity spoofing)
  • The attacker perspective
    – Identify valuable targets (e.g., hosts) to break into a network
    – Privacy violation (e.g., unauthorized tracking)
    – Protocol compromise (e.g., "Shake Them Up", discussed later)

  6. Device Identification Basics (1/2)
  • Device identification is also commonly referred to as fingerprinting (a term borrowed from biometrics)
  • In a typical scenario
    – The fingerprinter observes traffic to and from a targeted device (the fingerprintee) in order to find characteristics that (uniquely) distinguish the device or its components
  • Fingerprinting looks for characteristics in all layers:
    – Application/network layer
    – Link and physical layers
  • Characteristics are usually differences in
    – Software implementations of specifications (e.g., 802.11)
    – Hardware imperfections (e.g., clock skew)

  7. Device Identification Basics (2/2)
  • Classification of the characteristics (fingerprints)
    – Typically by means of some standard classifier
    – When the number of devices is known in advance
  • Nearest Neighbor Classifier
    – k-nearest neighbour (kNN) rule
  • Classification Error Rate
    – The percentage of misclassified test fingerprints over the total number of test fingerprints
  [Figure: training fingerprints of class (device) A and class (device) B with one test fingerprint; with k=1 the test fingerprint is classified as device B, with k=4 as device A]
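A worked instance of the kNN rule and the classification error rate from this slide, added here as an example (it is not part of the original slides). The fingerprints are constructed two-dimensional feature vectors, chosen so that k=1 and k=4 give different answers for the same test fingerprint, as in the slide's figure; the labels, coordinates and test set are assumptions.

```python
"""k-nearest-neighbour (kNN) classification of device fingerprints.

Added example, not from the original slides. Fingerprints are constructed
feature vectors; one B training point deliberately lies near the A cluster
so that k=1 and k=4 disagree on the test fingerprint, as in the slide figure.
"""
from collections import Counter
from math import dist

# Constructed training fingerprints: (feature vector, device label).
TRAINING = [
    ((1.0, 1.0), "A"), ((1.2, 0.9), "A"), ((0.9, 1.3), "A"), ((1.1, 1.1), "A"),
    ((3.0, 3.0), "B"), ((3.2, 2.8), "B"), ((2.9, 3.1), "B"),
    ((1.6, 1.6), "B"),  # a B fingerprint that happens to lie near the A cluster
]

# Constructed test fingerprints with their true labels (used for the error rate).
TEST_SET = [
    ((1.5, 1.5), "A"), ((3.1, 3.0), "B"), ((1.05, 1.0), "A"), ((2.8, 3.2), "B"),
]


def knn_classify(training, fingerprint, k=1):
    """Majority label among the k training fingerprints closest to `fingerprint`.

    Ties between labels are broken in favour of the label whose neighbour
    is nearest (the neighbour list is sorted by distance).
    """
    neighbours = sorted(training, key=lambda item: dist(item[0], fingerprint))[:k]
    votes = Counter(label for _, label in neighbours)
    best = max(votes.values())
    for _, label in neighbours:  # first label in distance order with the top vote count
        if votes[label] == best:
            return label


def classification_error_rate(training, test_set, k=1):
    """Percentage of misclassified test fingerprints over the total number tested."""
    wrong = sum(1 for fp, label in test_set if knn_classify(training, fp, k) != label)
    return 100.0 * wrong / len(test_set)


if __name__ == "__main__":
    for k in (1, 4):
        print(f"k={k}: test fingerprint (1.5, 1.5) -> device",
              knn_classify(TRAINING, (1.5, 1.5), k),
              f"| error rate {classification_error_rate(TRAINING, TEST_SET, k):.1f}%")
```

With k=1 the single nearest neighbour, the stray B point, decides; with k=4 three A neighbours outvote it, which is exactly the effect the slide's figure shows.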

  8. Device Identification Techniques
  • Two main approaches
    – Passive identification: only observes the communication traffic of the targeted device
    – Active identification: generates purpose-built traffic with the device and then observes the device's behavior
  [Figure: taxonomy of device identification techniques. Passive: physical layer (transient, modulation, ...) and application layer (driver, OS, ...). Active: physical layer (...) and application layer (driver, ...)]


  10. Passive Identification - Application Layer (1/5)
  • Franklin et al., "Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting" [USENIX Security 06]
  • Overview of the technique
    – A station sends probe request frames when it needs to discover access points in a wireless network. This process is known as active scanning
    – Probe request frames carry the data rates that the client supports
    – If an AP is compatible with the client's rates it sends a probe response
    – At this stage the client and the AP run the authentication and association processes

  11. Passive Identification - Application Layer (2/5)
  • The IEEE 802.11 standard specifies the active scan as follows
    – Each client broadcasts a probe request and starts a timer
    – If the timer reaches MinChannelTime and the channel is idle, the client scans the next channel
    – Otherwise the client waits until MaxChannelTime, processes the probe response frames and scans the next channel
  • Further details (e.g., the timing between successive probe requests) are not specified by the standard
  • Result: many drivers perform probing using slightly different techniques

  12. Passive Identification - Application Layer (3/5)
  • Driver signatures
    – Based on the delta arrival time between probe requests
    – Fingerprints (signatures) are obtained by a binning approach
    – Binning works by translating an interval of continuous data points into discrete bins
  • Signature generation
    – Record the percentage of probe requests placed in each bin
    – Record, for each bin, the average of all actual (non-rounded) delta arrival time values in that bin
    – Generate a vector initialized with these parameters as the signature for that driver

  13. Passive Identification - Application Layer (4/5)
  • Classification of a trace based on signature closeness
    – Attacker A observes the probe request frames (prf) and creates a signature T; p_n is the percentage of prf in the n-th bin of T and m_n the mean delta arrival time of all prf in the n-th bin of T
    – Let S be the set of all training signatures (fingerprints), s a single signature, v_n the percentage of prf in the n-th bin of s and w_n the mean delta arrival time of all prf in the n-th bin of s
    – Calculate the distance between T and every s in S, pick the smallest value and output the "closest" signature s*
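The binning signature of slide 12 and the closest-signature classification of slide 13, worked through on constructed probe-request arrival times. This is an added example, not the authors' code: the bin width, the number of bins and the distance measure are assumptions (the slides do not give the paper's distance function), and the two "drivers" and the test trace are constructed timing patterns.

```python
"""Passive 802.11 driver fingerprinting from probe-request delta arrival times
(binning approach as summarised on the slides). Added example, not the
authors' code; bin layout, distance measure and traces are assumptions."""
from math import floor

BIN_WIDTH = 0.5   # seconds per bin (assumption): [0, 0.5) -> bin 0, [0.5, 1.0) -> bin 1, ...
NUM_BINS = 8      # deltas of 4.0 s or more land in the last bin (assumption)


def deltas(arrival_times):
    """Delta arrival times between consecutive probe requests of one station."""
    return [t1 - t0 for t0, t1 in zip(arrival_times, arrival_times[1:])]


def signature(arrival_times):
    """Per bin: (percentage of deltas in the bin, mean of the actual deltas in it)."""
    ds = deltas(arrival_times)
    buckets = [[] for _ in range(NUM_BINS)]
    for d in ds:
        buckets[max(0, min(floor(d / BIN_WIDTH), NUM_BINS - 1))].append(d)
    return [(100.0 * len(b) / len(ds), sum(b) / len(b) if b else 0.0) for b in buckets]


def distance(t, s):
    """Assumed closeness measure between signatures t=(p_n, m_n) and s=(v_n, w_n):
    per-bin percentage difference plus the difference of the bin means scaled to
    the bin width (only where both signatures have samples in the bin)."""
    total = 0.0
    for (p, m), (v, w) in zip(t, s):
        total += abs(p - v)
        if p > 0 and v > 0:
            total += 100.0 * abs(m - w) / BIN_WIDTH
    return total


def classify(trace_arrivals, training):
    """Name of the training signature closest to the observed trace (s*)."""
    t = signature(trace_arrivals)
    return min(training, key=lambda name: distance(t, training[name]))


def arrivals_from(pattern, repeats):
    """Constructed trace: cumulative arrival times from a repeated delta pattern."""
    times, t = [0.0], 0.0
    for d in pattern * repeats:
        t += d
        times.append(t)
    return times


# Constructed training traces: "driver_x" sends bursts of three probes ~0.1 s
# apart then pauses 1.1 s; "driver_y" probes roughly every 1.8 s.
TRAINING = {
    "driver_x": signature(arrivals_from([0.1, 0.1, 0.1, 1.1], 5)),
    "driver_y": signature(arrivals_from([1.8, 1.9, 1.7, 1.8], 5)),
}
# Constructed test trace: driver_x behaviour with small timing jitter.
TEST_TRACE = arrivals_from([0.12, 0.09, 0.11, 1.05], 3)

if __name__ == "__main__":
    for name, sig in TRAINING.items():
        print(name, [(round(p), round(m, 2)) for p, m in sig if p > 0])
    print("closest signature:", classify(TEST_TRACE, TRAINING))
```

Only bins 0 and 2 are populated for the burst-style driver and only bin 3 for the slow one, so the percentage terms alone separate them; the mean terms matter when two drivers use the same bins with slightly different timers.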

  14. Passive Identification - Application Layer (5/5)
  • Results
    – Test set 1: (Lab) No background traffic, no obstructions
    – Test set 2: (Home Network) No background traffic, wall between fingerprinter and victim
    – Test set 3: (Coffee House) Background wireless traffic, miscellaneous objects between fingerprinter and victim
  [Figure: results plotted against the amount of trace data (minutes) for the three test sets]

  15. Passive Identification – Physical Layer
  • Transient-based Identification
    – The signal ramps up from channel noise to full power before a new transmission
    – The time between the start of the ramping and reaching full power is the transient signal
  • Modulation-based Identification
    – Demodulation of a QPSK-modulated signal produces a number of errors (deviations from the ideal constellation)
    – Exploiting these errors is the essence of the approach
  [Figure: QPSK signal constellation with symbols 01, 00, 11, 10]

  16. Transient-based Identification (1/3)
  • Rasmussen et al., "Implications of Radio Fingerprinting on the Security of Sensor Networks" [SecureComm 07]
    – Feasibility of identifying identical wireless devices (same manufacturer and model)
    – Security implications
  • Signal Capturing Process
    – Hardware Components
    – System Components

  17. Transient-based Identification (2/3)
  • Fingerprinting Approach Details
    1. Extract the transient part
       − Threshold-based algorithm
    2. Extract features from the transient signal (fingerprints)
       − Transient length
       − Number of peaks in the transient
       − Variance of the normalized amplitude in the transient
    3. Classify unknown fingerprints against the reference fingerprints (using a Kalman filter)
       − Compute the classification error rate
  [Figure: captured signal, its variance, and the mean of S over a window of 50 samples (w=50)]
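Steps 1 and 2 of the approach on this slide (threshold-based transient extraction and the three features) run on a constructed amplitude envelope. This is an added example, not the authors' pipeline: the noise threshold, the full-power criterion and the two envelopes are assumptions, samples are indexed rather than timed, and the Kalman-filter classification of step 3 is not shown.

```python
"""Transient extraction and feature computation for radio fingerprinting.

Added example, not the authors' pipeline. The envelopes below are constructed
(sample index instead of time); thresholds are assumptions.
"""
from statistics import pvariance

NOISE_THRESHOLD = 0.15      # assumption: envelope above this means a transmission started
FULL_POWER_FRACTION = 0.9   # assumption: the transient ends at 90 % of the steady-state level


def extract_transient(envelope):
    """(start, end) sample indices of the transient, or None if nothing rises above noise.

    start: first sample above NOISE_THRESHOLD;
    end:   first sample at or after start that reaches FULL_POWER_FRACTION of the peak.
    """
    peak = max(envelope)
    start = next((i for i, a in enumerate(envelope) if a > NOISE_THRESHOLD), None)
    if start is None:
        return None
    end = next(i for i in range(start, len(envelope)) if envelope[i] >= FULL_POWER_FRACTION * peak)
    return start, end


def count_peaks(samples):
    """Local maxima strictly above both neighbours."""
    return sum(1 for i in range(1, len(samples) - 1) if samples[i - 1] < samples[i] > samples[i + 1])


def transient_features(envelope):
    """Fingerprint (transient length in samples, number of peaks,
    variance of the amplitude normalised to the transient maximum), or None."""
    span = extract_transient(envelope)
    if span is None:
        return None
    start, end = span
    transient = envelope[start:end + 1]
    top = max(transient)
    return (end - start, count_peaks(transient), pvariance([a / top for a in transient]))


# Constructed envelopes: 5 noise samples, a ramp-up, then steady full power.
DEVICE_A = [0.05] * 5 + [0.2, 0.35, 0.3, 0.5, 0.45, 0.7, 0.65, 0.85, 0.95] + [1.0] * 6  # wobbly ramp
DEVICE_B = [0.05] * 5 + [0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9] + [1.0] * 6             # smooth ramp
NOISE_ONLY = [0.05, 0.07, 0.04] * 5                                                       # no transmission

if __name__ == "__main__":
    for name, env in (("A", DEVICE_A), ("B", DEVICE_B), ("noise", NOISE_ONLY)):
        print(name, transient_features(env))
```

Two otherwise identical radios that ramp up differently yield different (length, peaks, variance) triples; the all-noise capture returns None rather than a bogus fingerprint, which a classifier should treat as "no transient found".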

  18. Transient-based Identification (3/3)
  • Experimental Conditions
    – 10 MicaZ CC1000 identical wireless sensor nodes (same manufacturer and model)
    – Positioned 15 cm from the fingerprinter antenna
  • Results
    – Classification error rate of approx. 30%
    – Sensors successfully identified in 70% of cases
  • Open Issues
    – Distance
    – Antenna polarization
    – Voltage/Temperature
    – Resilience to attacks

  19. Modulation-based Identification (1/3)
  • Brik et al., "Wireless Device Identification with Radiometric Signatures" [MobiCom 08]
    – Explores the variance of the demodulation of QPSK signals
    – Uses k-nearest-neighbor (kNN) and support vector machine (SVM) classifiers to classify the fingerprints
  • Background
    – Focus is on the IEEE 802.11 standards
    – The standards use different I/Q modulation techniques
    – Data is encoded on two orthogonal carrier components: in-phase (I) and quadrature (Q)

  20. Modulation-based Identification (2/3)
  • Fingerprinting Approach
    – Capture the signals using a vector signal analyzer
      • QPSK constellation
      • Signal spectrum
    – Extract the following errors due to QPSK modulation
      − I/Q origin offset
      − Frequency offset
      − Error Vector Magnitude
    – Fingerprints are represented by a vector of the above three errors
    – Compute the classification error rate
  [Figure: QPSK symbols and the resulting modulation errors]

  21. Modulation-based Identification (3/3)
  • Experimental Conditions
    – 100 identical 802.11 NICs (same manufacturer and model)
    – Positioned 3 – 15 m from the fingerprinter antenna
  • Results
    – Classification error rate
      • kNN classifier: ~3%
      • SVM classifier: ~0.34%
  • Open issues
    – Feature stability
    – Resilience to attacks
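The three modulation errors of slide 20 (I/Q origin offset, frequency offset, error vector magnitude) computed from demodulated QPSK symbols, as an added example that is not the authors' code. The received symbols are ideal QPSK symbols passed through a constructed impairment model (gain, I/Q origin offset, per-symbol phase rotation) standing in for a vector signal analyzer capture. The estimators are standard textbook choices made here, not taken from the paper: origin offset as the symbol mean, frequency offset from the fourth power of consecutive symbols, EVM after correcting both.

```python
"""Radiometric features from demodulated QPSK symbols.

Added example, not the authors' code. Symbols are constructed by distorting
ideal QPSK points with known impairments; estimators are assumptions.
"""
import cmath
import math

# Ideal QPSK constellation: unit-magnitude points at 45, 135, 225 and 315 degrees.
IDEAL = [cmath.exp(1j * (math.pi / 4 + k * math.pi / 2)) for k in range(4)]


def nearest_ideal(sym):
    return min(IDEAL, key=lambda p: abs(sym - p))


def origin_offset(received):
    """I/Q origin (DC) offset estimate: the mean of the received symbols; for
    balanced QPSK data the ideal mean is zero, so any residual is the offset."""
    return sum(received) / len(received)


def frequency_offset(received):
    """Phase rotation per symbol in radians. Raising a QPSK symbol to the 4th
    power removes the data (all four points map to -1), so consecutive 4th
    powers differ only by exp(j*4*offset). Valid while |4*offset| < pi."""
    dc = origin_offset(received)
    centred = [r - dc for r in received]
    acc = 0j
    for a, b in zip(centred, centred[1:]):
        acc += (b ** 4) * (a ** 4).conjugate()
    return cmath.phase(acc) / 4


def evm(received):
    """RMS error vector magnitude (relative to the unit-magnitude ideal points)
    after removing the estimated origin and frequency offsets; what remains is
    gain error, residual estimation error and noise."""
    dc = origin_offset(received)
    rot = frequency_offset(received)
    err = 0.0
    for n, r in enumerate(received):
        corrected = (r - dc) * cmath.exp(-1j * rot * n)
        err += abs(corrected - nearest_ideal(corrected)) ** 2
    return math.sqrt(err / len(received))


def radiometric_fingerprint(received):
    """Feature vector (origin offset I, origin offset Q, frequency offset, EVM)."""
    dc = origin_offset(received)
    return (dc.real, dc.imag, frequency_offset(received), evm(received))


def distort(symbols, dc=0j, rot=0.0, gain=1.0):
    """Constructed transmitter impairment model (assumption): gain, DC offset,
    constant phase rotation per symbol (i.e. a carrier frequency offset)."""
    return [gain * s * cmath.exp(1j * rot * n) + dc for n, s in enumerate(symbols)]


SYMBOLS = [IDEAL[n % 4] for n in range(100)]              # balanced constructed data
DEVICE_A = distort(SYMBOLS, dc=0.1 + 0.05j, rot=0.02)      # constructed NIC A
DEVICE_B = distort(SYMBOLS, dc=-0.05 + 0.08j, rot=-0.01, gain=0.95)  # constructed NIC B

if __name__ == "__main__":
    for name, rx in (("ideal", SYMBOLS), ("A", DEVICE_A), ("B", DEVICE_B)):
        print(name, [round(x, 4) for x in radiometric_fingerprint(rx)])
```

The two constructed NICs transmit identical data yet produce clearly different feature vectors, which is what a kNN or SVM classifier would then separate; in practice the estimates also absorb channel effects, which is why feature stability at 3 – 15 m is listed as an open issue.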


  23. Active Identification – Application Layer (1/5)
  • Bratus et al., "Active Behavioral Fingerprinting of Wireless Devices" [ACM WiSec 08]
  • Tests driver implementations with non-standard or malformed packets
  • Hardware Setup
    – No need for specialized software
    – Only a generator and injector of link-layer frames
  • Fingerprinting Approach Details
    – Send a "stimulus" (non-standard and/or malformed) frame to the device
    – Record the device's response (any type of frame, a specific frame, or lack of response)

  24. Active Identification – Application Layer (2/5)
  IEEE 802.11 protocol family MAC frame structure (Frame Control field):
  • Type - Frame type: Management, Control and Data.
  • Subtype - Frame subtype: Authentication frame; Deauthentication frame; Association request frame; Association response frame; Reassociation request frame; Reassociation response frame; Disassociation frame; Beacon frame; Probe request frame and Probe response frame.
  • To DS - set to 1 when the frame is sent to the Distribution System (DS)
  • From DS - set to 1 when the frame is received from the Distribution System (DS)
  • MF - More Fragments, set to 1 when there are more fragments
  • W - WEP is used to protect the frame

  25. Active Identification – Application Layer (3/5)
  • Fingerprinting an access point (some options)
    – Responses to Probe Requests with other Frame Control bits set (in particular More Fragments, Power Management, ...) differed between APs
    – The FromDS and ToDS bits on a Probe Request are expected to be cleared. Some APs still responded when they were set, some did not.
    – A Probe Request is expected to contain certain information elements, such as those carrying the ESSID and the supported rates. The reaction to Probe Requests without such elements may vary.
    – As a variant of the previous two tests, the same is applied to Association Requests after a successful Authentication Request – Authentication Response exchange
    – ...

  26. Active Identification – Application Layer (4/5)
  • Fingerprinting a client station (some options)
    – Deauthentication and Disassociation frames are not expected to have certain Frame Control bits set (e.g., FromDS and ToDS). Stations may not react to such malformed injected frames and may continue in the associated state.
    – The station's response to undefined reason codes in such frames may vary: ignoring them and continuing in the associated state, making repeated attempts at re-authentication, or loss of connectivity.
    – The number of retransmits a station attempts before giving up varies between implementations. As a convenient example, consider the number of retransmissions of a purposefully unacknowledged Authentication Request once the station has been lured into attempting authentication. The authors observed 14 retransmit attempts for the iPhone, 10 for a MacBook Pro, around 126–127 for the Intel PRO/Wireless 3945ABG under an open source Linux driver, and 3 for a Cisco 7920 wireless VoIP handset.
    – ...
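An added example (not the authors' tool) that encodes and decodes the Frame Control field described on slide 24, generates the flag-varying Probe Request stimuli of a ProbeFCTest (slide 25), and counts the retransmissions of an unacknowledged Authentication Request in a capture (slide 26). Only the two Frame Control bytes are built, not complete frames, and nothing is injected; the MAC addresses and retry counts in the sample capture are constructed and are not the values the authors measured.

```python
"""IEEE 802.11 Frame Control field: build, parse, stimulus variants, retry count.

Added example, not the authors' tool. Bit layout follows the 802.11 Frame
Control field; the capture below is constructed data.
"""
import struct

MANAGEMENT, CONTROL, DATA = 0, 1, 2
# Management frame subtypes (IEEE 802.11 numbering).
SUBTYPE = {"assoc_req": 0, "assoc_resp": 1, "reassoc_req": 2, "reassoc_resp": 3,
           "probe_req": 4, "probe_resp": 5, "beacon": 8, "disassoc": 10,
           "auth": 11, "deauth": 12}
# Flag bits of the second Frame Control byte, bit 0 first.
FLAGS = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgmt", "more_data", "wep", "order"]


def build_fc(ftype, subtype, **flags):
    """2-byte Frame Control field as sent on the wire.
    Byte 0: protocol version (2 bits, 0) | type (2 bits) | subtype (4 bits);
    byte 1: the eight flags, ToDS as bit 0 up to Order as bit 7."""
    unknown = set(flags) - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown flag(s): {sorted(unknown)}")
    b0 = (subtype << 4) | (ftype << 2)
    b1 = sum(1 << i for i, name in enumerate(FLAGS) if flags.get(name))
    return struct.pack("<BB", b0, b1)


def parse_fc(fc):
    """Decode a 2-byte Frame Control field into version, type, subtype and flags."""
    b0, b1 = struct.unpack("<BB", fc)
    parsed = {"version": b0 & 0x3, "type": (b0 >> 2) & 0x3, "subtype": b0 >> 4}
    parsed.update({name: bool((b1 >> i) & 1) for i, name in enumerate(FLAGS)})
    return parsed


def probe_fc_test_variants():
    """ProbeFCTest stimuli: a well-formed Probe Request first, then one variant per
    flag that a Probe Request is expected to have cleared. Each variant is sent to
    the AP and its response (or silence) is recorded as part of the fingerprint."""
    variants = [("clean", build_fc(MANAGEMENT, SUBTYPE["probe_req"]))]
    for name in ("to_ds", "from_ds", "more_frag", "pwr_mgmt"):
        variants.append((name, build_fc(MANAGEMENT, SUBTYPE["probe_req"], **{name: True})))
    return variants


def count_auth_retransmissions(capture):
    """capture: list of (frame_control_bytes, source_mac). Per source, the number
    of Authentication frames carrying the Retry bit, i.e. how often the station
    retransmitted a request the fingerprinter deliberately never acknowledged."""
    counts = {}
    for fc, src in capture:
        p = parse_fc(fc)
        if p["type"] == MANAGEMENT and p["subtype"] == SUBTYPE["auth"] and p["retry"]:
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed capture: two stations, each sending one Authentication Request
# followed by retransmissions (counts chosen for illustration only).
STA1, STA2 = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
AUTH = build_fc(MANAGEMENT, SUBTYPE["auth"])
AUTH_RETRY = build_fc(MANAGEMENT, SUBTYPE["auth"], retry=True)
CAPTURE = [(AUTH, STA1)] + [(AUTH_RETRY, STA1)] * 3 + [(AUTH, STA2)] + [(AUTH_RETRY, STA2)] * 10

if __name__ == "__main__":
    for name, fc in probe_fc_test_variants():
        print(f"{name:10s} {fc.hex()} {parse_fc(fc)}")
    print("auth retransmissions:", count_auth_retransmissions(CAPTURE))
```

A real ProbeFCTest hands each variant to a frame injector and logs the AP's reply per variant; the per-station retransmission count is read straight from the Retry bit of the captured Authentication frames, so the fingerprinter needs only a monitor-mode capture and the ability to stay silent.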

  27. Active Identification – Application Layer (5/5)
  • Testing and results for AP fingerprinting
  • Two series of result tests
    – ProbeFCTest: tested responses to Probe Requests with varying FC flags
    – AuthFCTest: tested responses to Authentication Requests with varying FC flags
  [Figure: AuthFCTest results for a Madwifi-ng soft AP, a Cisco-Linksys WRT54G, a HostAP soft AP and an Extrasys WAP-257]

  28. Passive vs. Active Identification Summary
  • Passive approach
    – Application-layer fingerprinting can be circumvented by changing the application parameters
    – Physical-layer fingerprinting is more difficult to compromise due to inherent physical properties (imperfections)
    – The accuracy depends on the features extracted, and good features are very difficult to find
  • Active approach
    – More flexible and allows exploring different scenarios
    – Usually can distinguish only different manufacturers (or driver implementations), not individual devices
    – Easier for the network authority to detect, since the fingerprinter must transmit


  30. Applications of Device Identification (1/3)
  • Defensive Use
    – Intrusion detection in all-wireless multi-hop networks
      • Wormhole attack
      • Sybil and Replication attacks
  [Figure: wormhole attack case]

  31. Applications of Device Identification (2/3)
  • Defensive Use
    – Second layer of security in access control in current wireless networks
    – Can complement existing solutions such as MAC authentication or cryptographic schemes
  • Problems with existing solutions
    – MAC authentication is easy to spoof and therefore not secure
    – Cryptographic schemes require key distribution and, in particular, are not robust when it comes to detecting and revoking compromised keys

  32. [Example] iPhone Location Spoofing Attacks (1/3)
  • iPhone Self-Localization Feature
    – Uses the known locations of Wi-Fi access points
    – Detects access points and looks them up in a database
    – The database is provided by Skyhook Inc. and contains information about access points around the world, collected by the company and partially provided by users
  • iPhone Location Spoofing by Access Point Impersonation
    – By means of MAC address spoofing
    – Impersonate a Wi-Fi access point from another location
    – The precision of the spoofed location depends on the presence of GSM signals
  • More Information: http://www.syssec.ch/press/location-spoofing-attacks-ontheiphone-and-ipod

  33. [Example] iPhone Location Spoofing Attacks (2/3)
  • Results of spoofing the New York City location on an iPhone
    – Left: the iPhone has a GSM signal and GSM localization overrules the spoofed New York access points. The position is still in Zurich, but much less accurate.
    – Right: the result is in New York City if no GSM signal is available.

  34. [Example] iPhone Location Spoofing Attacks (3/3)
  • Passive Wi-Fi Driver Fingerprinting (as a countermeasure)
    – Requires neither hardware modification of the LN device nor changes to the scanned access points
    – But relies on the characteristic behavior of different AP models
    – Does not fully prevent location-spoofing attacks; it makes them more difficult, since the attacker needs to know the exact AP model. This would require his prior physical presence at the access point whose location is to be spoofed
  • Physical-layer Fingerprinting
    – Potentially a more robust solution
    – But requires hardware modifications

  35. Applications of Device Identification (3/3)
  • Offensive Use
    – Compromise a communication protocol
  • "Shake Them Up" key establishment
    – A movement-based pairing protocol for CPU-constrained devices
    – Allows two wireless devices to establish a shared key without public-key cryptography or out-of-band channels
    – Alice and Bob broadcast bits
    – An attacker cannot retrieve a secret bit since it cannot figure out whether the packet was actually sent by Alice or by Bob
    – Device identification breaks this assumption: if the attacker can tell Alice's transmissions from Bob's (e.g., by a physical-layer fingerprint), it learns the key bits

  36. Attacks on Device Identification Systems
  • Impersonation attacks
    – Involve recreating the device fingerprint in order to impersonate a targeted device
    – E.g., a faked transient signal concatenated with the data
  • Denial-of-Service attacks
    – Involve preventing a device identification procedure from correctly recognizing the devices
    – E.g., jamming only the transient signal
  • Replay attacks
    – Involve recording the physical representation of the signal and replaying it
    – E.g., record the modulated signal and replay it

  37. Conclusion
  • Techniques for device identification span all network layers and serve a variety of objectives (defensive or offensive)
  • The accuracy of identification depends on many factors (e.g., hardware, experimental conditions, features and classification procedures)
  • The physical-layer based approaches are believed to be more robust to impersonation and replay attacks
  • There is little work on the resilience of identification with respect to the above and other attacks
  • Research should not only focus on new identification approaches, but also carefully analyze the implications of using them under security threats

  38. References
  • J. Franklin et al., "Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting", USENIX Security 2006
  • K. B. Rasmussen et al., "Implications of Radio Fingerprinting on the Security of Sensor Networks", SecureComm 2007
  • V. Brik et al., "Wireless Device Identification with Radiometric Signatures", ACM MobiCom 2008
  • S. Bratus et al., "Active Behavioral Fingerprinting of Wireless Devices", ACM WiSec 2008
  • C. Castelluccia et al., "Shake Them Up"
