1. Wireless Threats
and
Vulnerabilities
2. Agenda
The Changing Face of Wireless
802.11 a/b/g/n/i
802.11 basics
802.11 vulnerabilities
Protecting 802.11
802.11 Policy, Audit, Enforcement
Home grown vs. Enterprise
More than Wireless Security
Bluetooth
Bluetooth basics
Bluetooth vulnerabilities
Tools
Policy, Audit, Enforcement
More than Just a Headset
Other Wireless
IrDA
RFID
Wi-Max
On the Road Protection
Blackberry, PDA, Smart phone
Laptops
New and Interesting Technology
This page lists the “changing face” of wireless technologies.
3. Wireless This page shows images of various kinds of wireless devices, including Bluetooth headsets, cell phones, wireless mice, satellite dishes and traffic signals. It also shows an image of a subscriber station (SS) and a base station (BS) and shows how information flows through an ISP (internet service provider).
4. Today’s Wireless Landscape This page is an accessible graph that shows the standards, speed, range and applications for various networks in today’s wireless landscape.
5. 802.11 802.11 basics
802.11 vulnerabilities
Protecting 802.11
802.11 Policy, Audit, Enforcement
Home grown vs. Enterprise
More than Wireless
6. Wireless Comparisons 802.11 Chart This accessible chart (which is not showing border lines) shows speed, range, compatibility between standards, frequency, general popularity and costs for 802.11A, 802.11B and 802.11C.
7. 802.11 Encryption WEP RC4 (Wired Equivalent Privacy). WEP's encryption is broken: given a sufficient amount of captured network traffic, the WEP key can be recovered and used to connect to the network or sniff its traffic. Using WEP does not assure security even for a single user on a home network.
WPA RC4 (Wi-Fi Protected Access). WPA addressed WEP's weaknesses and is widely supported. WPA adds per-packet keying through TKIP (Temporal Key Integrity Protocol). With a properly chosen passphrase, WPA with TKIP provides adequate security for a home user.
WPA2 AES. This newer version of WPA adds a stronger encryption mode known as CCMP (Counter Mode with CBC-MAC Protocol), which is built on AES (Advanced Encryption Standard). CCMP is considered one of the most secure methods available.
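The point of slide 7 in working code, as an added example that is not part of the original deck: WEP prepends a 24-bit IV to the shared RC4 key, so randomly chosen IVs repeat after a few thousand frames and the repeated keystream cancels out of the XOR of the two ciphertexts, while CCMP's 48-bit incrementing packet number never repeats within a key's lifetime. The WEP key, frame payloads and RNG seed below are constructed values.

```python
import math
import random

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(root_key: bytes, iv: int, plaintext: bytes) -> tuple:
    """WEP framing: per-packet RC4 key = 24-bit IV || shared key; the IV is sent in the clear."""
    iv_bytes = iv.to_bytes(3, "big")
    return iv_bytes, xor_bytes(plaintext, rc4_keystream(iv_bytes + root_key, len(plaintext)))

def first_iv_reuse(frames):
    """WIDS-style check over (iv, ciphertext) frames: indices of the first IV repeat, or None."""
    seen = {}
    for idx, (iv_bytes, _) in enumerate(frames):
        if iv_bytes in seen:
            return seen[iv_bytes], idx
        seen[iv_bytes] = idx
    return None

def birthday_bound(iv_bits: int) -> float:
    """Expected random IVs before the first repeat, sqrt(pi/2 * 2^bits): ~5,100 for WEP's 24 bits.
    CCMP instead uses a 48-bit packet number that increments per frame and is never reused."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

def simulate(num_frames: int = 20000, seed: int = 1) -> dict:
    """Encrypt constructed frames under one WEP key with random IVs, then look for IV reuse."""
    rng = random.Random(seed)
    root_key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit WEP key
    plaintexts = [f"frame {i:05d} body".encode() for i in range(num_frames)]  # constructed
    frames = [wep_encrypt(root_key, rng.getrandbits(24), p) for p in plaintexts]
    reuse = first_iv_reuse(frames)
    # Two frames under the same IV share a keystream, so C_a XOR C_b equals P_a XOR P_b:
    # the keystream cancels and plaintext structure leaks without knowing the key.
    leaked = xor_bytes(frames[reuse[0]][1], frames[reuse[1]][1]) if reuse else None
    return {"frames": frames, "plaintexts": plaintexts, "reuse": reuse, "leaked_xor": leaked}
```

Running `simulate()` on 20,000 frames reports the first colliding IV pair, which in practice appears well before the frame count a busy access point produces in a minute.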
8. 802.11 Basics 802.11n
Multiple antennas to gain speeds at a minimum of 108 Mbps
802.11i
Robust Secure Network
WPA TKIP RC4
WPA2 AES
SWLAN
NSA Type-1 Encryption + 802.11b up to DoD Secret
9. 802.11 Vulnerabilities Native in the clear
Associate with any WAP
Easy to scan
Windows Wireless Zero Configuration vulnerabilities in XP
Home use WAP Security weak
MAC filtering
Static IP
WEP
WPA Pass Phrase
10. Did You Pay to Connect to an Evil Twin?
This page shows a picture of a Starbucks coffee shop (where there is often wireless available), a detour sign and a photo of a person getting out of a car with a wireless laptop.
11. War Driving Equipment (the rig)
Laptop --- $1399
Wireless card --- $67
Antenna --- $10 (homebrew)
Scanning Software ---Free
GPS (optional) This page has a photo of a group of college students walking through the streets of downtown Washington DC where, with their laptops, they are able to identify and intercept wireless transmissions.
12. Equipment
Antennas
Omni-directional
Mast mount
Semi-directional
Yagi
Highly-Directional
Grid
Parabolic
Home Brew Antennas
This page has a photo of 3 people taking a large solar-blanket type item out of a box in a dry, desert-like environment.
13. Equipment Laptops
Windows
Linux
Mac OS X
Handhelds
HP iPaq
Sharp Zaurus
This page shows 3 pictures, all of wireless phones, laptops in cars and handheld devices.
14. Equipment Scanning Software
Net Stumbler
www.netstumber.com
Airopeek
www.wildpackets.com
Wellenreiter
www.remote-exploit.org
KISMET
www.kismetwireless.net
AirSnort
airsnort.shmoo.org
This page shows a screen shot of a computer file that shows scanning software and how the data shows up.
15. Wi-Finders This page shows 9 photos of Wi-finders that can be purchased and a web link to http://www.kensington.com/html/3720.html# to get more information.
16. Security Policy Enterprise Equipment
WPA2
WIDS/IPS
IDS
DMZ
Configuration Control
Authentication
Certificate Exchange
Event monitoring
17. Home 802.11 Security Security WEP
WPA Pass Phrase
Encryption
Mac Filtering
SSID
VPN
Don’t auto connect
Best Practices…what not to do on your wireless segment
DMZ
Firewalls
Safe system…turn off file sharing
18. WIDS Different flavors
Detect anomalies on wired segments
Rogue Access Point detection
Policy Enforcement
Limited NAC like evaluation
WAP based IDS
Server Based IDS
19. Sensor Based WIDS This page shows a graphic of people using laptops from offices and vehicles. It shows how unauthorized clients can easily gain access to the Enterprise Network.
20. Securing Enterprise Wireless The Security Policy
Authentication
Authorization
VPN
DMZ
Wireless on their own VLAN
Hardened wireless gateway
Device policy enforcement
Configuration Control
Passwords on devices
Auto erase on devices when password authentication fails a set number of times
Physical examination of site regularly
Wireless Audits
WIDS/IPS
IDS
21. Things Not to Do on a Wireless Network Passwords
Banking
Credit Cards
PII exchange
File Sharing
Bridging
22. It’s More Than Wireless Security Configuration Control
Bridging
Patching
Anti-virus
VPN
File Encryption
Ports, Services
DMZ
WAPs outside the network
Hidden wireless
23. Demonstrations This page shows 3 photos that were used during a demonstration. One shows a dish of food, one shows a cartoon of people with square heads talking and the third shows two characters who look like M&Ms.
24. Bluetooth Bluetooth basics
Bluetooth vulnerabilities
Tools
Policy, Audit, Enforcement
More than Just a Headset
25. Bluetooth Short-range communications 3-300ft
2.4 to 2.485 GHz range
Spread spectrum
Adaptive frequency hopping (reduce interference)
Full duplex signal
79 Channels
Algorithm based on Master ID and previous channel
Interference with WiFi (device range <10M)
Voice
Synchronous Connection Oriented (SCO)
Data
Asynchronous Connection Less (ACL)
26. The Bluetooth Connection Media Access Control (MAC)
Wireless Personal Area Network (WPAN)
Point-to-Point
Point-to-Multipoint
Pairing (Agreement)
Service Discovery Protocol
This page shows a screen from Bluetooth set-up where one can choose SerialPort.
27. The Bluetooth Stack This page shows an image of Host Controller Interfaces and how the Bluetooth Radio interfaces with them.
28. Bluetooth Networking Piconet (PAN)
Master
Slave
8 Devices
Scatternet
Two or More Piconets
Master/Slave between Piconets
Bandwidth reduced if > 10 PANs in 10 Meter radius
This slide shows a graphic where one laptop is considered the “master” and the other devices connected to it, such as other laptops and wireless phones, are “slaves”.
29. Making the Bluetooth Connection Pairing
During pairing there is a key exchange
Part of initial key exchange occurs in the clear
Once paired a trust relationship is built using the link key
Identification based on BD_addr (MAC Address)
30. Closer look at the pairing Needs a 128-bit random number, the PIN and the Bluetooth hardware address (BD_ADDR)
The 128-bit random number is transmitted in the clear between the devices
The random number, PIN and BD_ADDR go through the “magic” E22 function, which creates the initial key
The initial key is used to create 128-bit random numbers which serve as the asynchronous “Link” key
31. Bluetooth Uses Cars
Phones
PDAs
Not on my laptop
Printers
Earpieces
Keyboard, mice
Coke Machines
EKG
32. Why a Blue Attack? Listening
Hooking up?
Open Microphone
Dialing for dollars
Contacts, Notes, Email
33. Blue Methods of Attack MAC spoofing
Break link encryption
Crack link encryption
Individual implementation vulnerabilities
34. The Blue Hacks BlueJacking- Sending messages to unsuspecting recipients
Toothing- Engaging in chance ‘encounters’ using Bluetooth messages
Bluebug- access to ATtention (AT) command set
Audio Interception
This picture shows a man with his head down on his desk in front of a laptop computer.
35. Blue Attacks Snarfing - Device manipulation
Chaos - Call, SMS, Phonebook
Denial of Service (BlueSmack)
Viruses (Cabir)
Cabir hit Europe and Asia in June 2004
Cabir.H and Cabir.I were discovered in Santa Monica, California. Cabir blocks Bluetooth connectivity and drains the device battery
Affects Symbian OS devices
This slide shows a blown-up small item that looks like a pollen spore.
36. Vulnerable Phones This screen shot shows a vulnerability matrix. It is found in accessible format at http://www.thebunker.net/resources/bluetooth
37. The Blue Bad News BAD - Bluetooth headsets
Default PINs generally 0000, or 1234 are hard coded into the Bluetooth headsets
WORSE – Bluetooth cars, are generally left in discoverable mode and subject to surveillance/interception
38. Your Bluetooth Not Discoverable Not a problem ?
Bluetooth Hardware Space is limited to 00:00:00:00:00:00 -> FF:FF:FF:FF:FF:FF
Isn’t that 281,474,976,710,655 possible addresses?
Manufacturer codes, e.g. Motorola = C6:F7:4A:XX:XX:XX: now we have 16,777,215 possible devices to look for
Redfang/Green Plague
39. Blue Toys…Blue Sniper Rifle Uses “gumstix” computer with onboard Bluetooth (no laptop necessary)
Yagi type antenna increases range up to 2 miles!!!
Parts are cheap and readily available
Extends range for attack
This page shows a person with a gun with a scope aiming at something.
40. Blue Sniffing and… Smurf
MeetingPoint
BTScanner
BlueSweep
BlueWatch (not free)
Blue Jack
This slide shows a picture of a little blue SMURF.
41. Securing Bluetooth Disable and uninstall Bluetooth
Do not allow device to be “found”
Update firmware (ROM)
Do not allow paired devices unverified connectivity
Storing sensitive corporate information should NEVER be allowed
Use encryption technology
PED must have the latest security patches installed on their operating system
Uninstall unused drivers
This page shows a chain with a lock on it.
42. Demonstrations This page shows 3 photos that were used during a demonstration. One shows a dish of food, one shows a cartoon of people with square heads talking and the third shows two characters who look like M&Ms.
43. IrDA Laptop
Phone
Blackberry
PDA
Keyboards/Mice
Is yours enabled?
Easy transfer
Banana sticker
EEKKKK File Sharing is on……
44. RFID This page shows pictures of several different uses for Radio Frequency Identification, including passports, smart cards and vending machines.
45. EvDO Evolution Data Only, Evolution Data Optimized
High speed
Always on
2.4 mbps bandwidth
Supported by some cell phones
PCMCIA cards
46. WiMAX This page shows a graphic where:
Residential & SoHo DSL Level Service
Fractional E1 for small business
Mobile backhaul
WMAN nomadic coverage handoffs from HOT SPOTS
Wide area coverage outside of hotspots.
The rest of the graphic shows the internet backbone, the BWA Operator Backbone and the T1+ level service enterprises. It shows 802.16d and 802.16c.
47. 802.16 Wi-MAX Basics This accessible graphic shows the 802.16 Wi-Fi Max Basics.
48. How It Works This graphic shows how WiMAX works. IEEE 802.16 standards define how wireless traffic moves between subscribers and core networks.
A subscriber sends wireless traffic at speeds ranging from 2M to 155M bit/sec from a fixed antenna on a building.
The base station receives transmissions from multiple sites and sends traffic over wireless or wired links to a switching center using the 802.16 protocol.
The switching center sends traffic to an ISP or the public switched telephone network.
http://www.networkworld.com/news/tech/2001/0903tech.html
49. Wi-MAX Security Issues and Mitigations Security Issues
Use of poorly implemented DES
Poor authentication scheme
Mitigations
Use AES-CCM as encryption primitive
Use flexible EAP authentication scheme
50. Ohhhh yeah…I have a cell phone…. No radio transmission is totally secure
Several Secure NSA Type-1 certified GSM cellular phones
New Smart Card VPN mini SD
51. On the Road Protection Blackberry
PDA
Smart phone
Laptops
Who are you connecting to?
How are you protecting your data?
VPN?
What is the health of your device?
Are you really on a wired segment?
52. Interesting Wireless Issues Laptop Configuration Management
Laptop Patch Management
Data Protection/Encryption
Hotel/Hot Spot WAPs (Evil Twin)
VPN
Cell phone encryption
PDA encryption
2 Form Factor Authentication
53. New and Interesting Technology/Tools WIDS/IPS
Wireless Mesh
Smart Card VPN
NAC
PCI Management System
Smart Encryption
DAR/DARTT GSA SmartBuy
54. Recommended References Trifinite.org
NIST 800-48
Wireless Security Implementation Guide, Defense Information Systems Agency
Wireless Security Checklist, Defense Information Systems Agency
Open-Source Security Testing Methodology Manual, Institute for Security and Open Methodologies
Wi-Foo The Secrets of Wireless Hacking
Real 802.11 Security Wi-Fi Protected Access and 802.11i
Wireless Security: Ensuring Compliance with HIPAA, GLBA, SOX, DoD 8100.2 and Enterprise Policy, AirDefense, www.airdefense.com
Weaknesses in the Temporal Key Hash of WPA, Vebjorn Moen, Havard Raddum, Kjell Hole, University of Bergen, Norway
Security Flaws in 802.11 Data Link Protocols, Nancy Cam-Winget, Russ Housley, David Wagner, Jesse Walker
Securing a Wireless Network, Jon Allen, Jeff Wilson
Securing Wireless Data: System Architecture Challenges, Ravi, Raghunathan, Potlapally, Computer and Communications Research Labs NEC USA
Solving the Puzzling Layers of 802.11 Security, Mischel Kwon
802.11 Security, Praphul Chandra
NIST Wireless Network Security 802.11, Bluetooth and Handheld Devices, Tom Karygiannis, Les Owens
Cisco SAFE: Wireless LAN Security in Depth
http://www.iwwst.org.uk/Files/2003/FinalPN.pdf
http://video.interop.com/presentations/unified-wired-s-sundaralingam.pdf
55. Questions