Wireless Hotspot Security and Client Attacks Almerindo Graziano a.graziano@silensec

Presentation Transcript


  1. Wireless Hotspot Security and Client Attacks • Almerindo Graziano • a.graziano@silensec.com • www.silensec.com

  2. The Menu :-) • The WiFi Explosion • Common misconceptions • Wireless hotspots attacks • Wireless Client Attacks • Rogue Access Points • WEP Insecurity • WPA Security • General recommendations

  3. About Silensec • IT Governance • ISO 27001 Implementation • Gap Analysis • Risk Management • Penetration Testing • Web apps, Systems, Networks • Security Training • BSI ISO 27001, BS25999 • SANS Wireless Security, Hacking Techniques

  4. Common Misconceptions • We do not use/allow wireless networks • Our network is secure • We use firewalls • We use VPN • Nobody would attack us

  5. Mobile Phones Explosion • Over 100 mobile phone handsets with Wi-Fi capability (June 2007) • 213 million Wi-Fi chipsets shipped worldwide in 2007 (32% growth) • 20% of the total chipset market by 2009 • Dual-mode phones in 2008 • Bypass mobile operator • Skype mobile phones

  6. Wifi in Everything! • Digital Camera • Mobile TVs • Presentation Projectors • Stereos • CCTV Cameras • Swipe cards systems • Medical monitoring equipment • Portable digital players

  7. Wireless Networks are Everywhere

  8. Terminology • Station (STA) • Laptop, PDA, mobile phone • Access Point (AP) • Connect STAs to the main network • Infrastructure Mode • Most common (home and corporate) • Ad-Hoc Mode • Connecting STAs without an AP • [Diagram labels: Ad-Hoc Mode, Infrastructure Mode]

  9. Terminology (2) • WEP (Wired Equivalent Privacy) • WEP Key (64, 128, 256, 512 bits) • WEP+ • Dynamic WEP • WPA and WPA2 (Wireless Protected Access) • Passphrase (8-63 characters)

  10. Wireless Hotspots • Provide public access to the Internet through wireless networks • Public does NOT mean FREE • Often located in • airports, train stations, libraries, hotels, coffee bars • Designed to be easy to use • Find the network • Click and connect • Authenticate and you are in!

  11. Hotspot Example: T-Mobile • Secure Connection

  12. Hotspot Example: T-Mobile (2) • Enter Credentials

  13. Hotspot Security Risks • Information disclosure • Most information is not encrypted and may be captured easily • Identity theft • Fraud and financial loss • Compromise your computer • Expose personal info (contacts) • Catch a virus • Back in the workplace • Expose even more personal info • Spread the virus

  14. Wireless Isolation • Commonly used by hotspots • Most modern APs support it too • Traffic between hotspot clients not allowed • Protect hotspot clients from possible malicious clients • And anyway you have your firewall... • What about non-connected clients?

  15. DEMO

  16. Wireless Client Attacks

  17. Windows Preferred Network List (PNL) • Includes networks created by the user • Networks are also added when we connect to a new network (hotspot) • Connection can be automatic or manual

  18. Windows Preferred Network List (PNL) • Will always connect to the networks higher on the list... • even if already connected to another network! • even if that network is more secure • APs with stronger power are preferred • User is not notified of AP switch!

  19. Dangerous Connections... • New networks are added to the PNL • If a new network is in range, Windows may connect to it

  20. Rogue Access Points • More powerful signal • Karma-based

  21. Power Rogue Access Point • Windows wireless configuration • AP chosen based on • position in the PNL • signal power • [Diagram labels: tmobile, tmobile]

  22. Power Rogue Access Points DEMO

  23. Client Attacks with Karma • Powerful tool • Responds to any probe request • Comes with DHCP, DNS, Web server • Exploits clients which broadcast SSIDs with no security...hotspots

  24. Judicious Karma

  25. KARMA DEMO
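A defender-side check for the behaviour on slide 23 (an access point that "responds to any probe request"), as an added example that is not part of the original presentation. It flags any BSSID whose probe responses name many different SSIDs in a short window; the frame tuple layout, the threshold and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed observations (timestamp_s, frame_type, bssid, ssid), shaped like
# the log of a monitor-mode sensor. Not captured from a real network.
SAMPLE_FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", "tmobile"),
    (1.2, "probe_resp", "00:11:22:33:44:55", "tmobile"),
    (2.0, "probe_resp", "02:aa:bb:cc:dd:ee", "tmobile"),
    (2.4, "probe_resp", "02:aa:bb:cc:dd:ee", "HomeNet"),
    (3.1, "probe_resp", "02:aa:bb:cc:dd:ee", "linksys"),
    (3.9, "probe_resp", "02:aa:bb:cc:dd:ee", "Free Public WiFi"),
    (70.0, "probe_resp", "00:11:22:33:44:66", "CorpGuest"),
]


def find_promiscuous_responders(frames, max_ssids=2, window_s=60.0):
    """Return {bssid: sorted SSIDs} for every BSSID whose probe responses name
    more than max_ssids distinct SSIDs within any window_s-second span.
    max_ssids and window_s are assumed tuning values, not from the slides."""
    by_bssid = defaultdict(list)
    for ts, ftype, bssid, ssid in frames:
        if ftype == "probe_resp" and ssid:
            by_bssid[bssid].append((ts, ssid))

    flagged = {}
    for bssid, seen in by_bssid.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most window_s.
            while seen[end][0] - seen[start][0] > window_s:
                start += 1
            ssids = {s for _, s in seen[start:end + 1]}
            # Keep the largest SSID set seen for this BSSID.
            if len(ssids) > max_ssids and len(ssids) > len(flagged.get(bssid, ())):
                flagged[bssid] = sorted(ssids)
    return flagged


if __name__ == "__main__":
    for bssid, ssids in find_promiscuous_responders(SAMPLE_FRAMES).items():
        print(f"{bssid} answered for {len(ssids)} SSIDs: {ssids}")
```

A legitimate access point serving several networks normally uses a separate BSSID per SSID, which is why one BSSID answering for unrelated names stands out.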

  26. Wifizoo • Gathers information passively • No connection required • Cookies • Passwords from FTP, POP3, etc. • ...and lots more

  27. Wifizoo at Work.. DEMO

  28. Wireless Hacking in the Skies.. • Just relax and enjoy the flight • Watch a film on your laptop ...while you are being hacked... • But don't you worry, there will be no interruption to your film entertainment

  29. Parking Mode • Found by Simple Nomad • If DHCP fails to provide an IP address, interfaces with Link-Local configurations will auto-assign an address in the 169.254.0.0/16 range • Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces • [Flowchart, box labels: Scan for available networks (ANL); Try available PNL networks; Try PNL networks; Any Ad-Hoc network in PNL? (Yes/No); Connect to 1st Ad-Hoc network in PNL; Connect to Non-Preferred Nets? (Yes/No); Connect to available networks (ANL); Keep looking for preferred networks; Set Random SSID and go in infrastructure mode; Parking Mode]

  30. Windows Wireless Client Update • Hotfix described in KB917021 • Non-broadcast networks • Allows a network to be set as non-broadcast by selecting “Connect even if the network is not broadcasting” • WAC only sends probe requests for non-broadcast networks • Preferred broadcast networks in the PNL are not advertised • Parking behaviour • Security configuration is passed onto the wireless adapter driver, using the most secure encryption method that the wireless network adapter supports (including random encryption key) • Ad-hoc • Manual connection • WAC doesn't probe ad-hoc SSIDs contained in the PNL

  31. Windows Wireless Client Update (ctd.) • Not included in SP2 • Many clients have not installed it • Parking mode is driver-dependent • Most drivers still use no security • You can still override secure default settings

  32. Vista Wireless • Vista allows non-broadcast wireless networks to be defined • Listed as Unnamed Network • WAC will try to connect to wireless networks in the order they are listed in the PNL, whether they are broadcast or not • Supports ad-hoc using WPA2-PSK • Strong passphrase selection

  33. Hotspot Security Tips • Double-check the name and presence of an official Hotspot network where the service is provided • Remember that the majority of Hotspots do not ensure data confidentiality • Always look out for a padlock and https sign on the hotspot login page • Do NOT implicitly trust advertised “Free Public WiFi”

  34. WEP • WEP IS DEAD • You MUST NOT use it • Equivalent to no security (almost) • Aircrack-ptw < 1 minute

  35. WPA and WPA2 • WPA • Stronger security, maintaining hardware compatibility • WPA2 • Even stronger security • Need new hardware

  36. WPA Personal/WPA-PSK • Both WPA and WPA2 can be used with a passphrase (8-63 characters) • Weak passphrases offer WEP-like protection... NONE • Use a strong password generator (free) • https://www.grc.com/passwords.htm

  37. Wireless Security Tips – At Home • Change default values • IP addresses • Admin passwords • Adjust the power output of your access point if possible • Use MAC address filtering • Change the default SSID • Enable WPA/WPA2 • Use a strong passphrase (20+ char) • Set AP configuration to HTTPS if possible

  38. Wireless Security Tips – On the move • Switch off your wireless card if not needed • Do not connect automatically to wireless networks (nothing comes free) • Change your personal firewall settings to not trust the local network • Be on your guard

  39. General Wireless Security Tips • Download and install MS wireless update • Uncheck automatic connection to unprotected networks • Keep your computers patched all the time • Remember that hotspot networks are not secure
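One way to check a client's preferred network list for the risky entries described in slides 17-19, 30 and 34, as an added example that is not part of the original presentation. It assumes the saved profiles have been exported as XML with `netsh wlan export profile` (Windows Vista and later); the sample profiles and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed template following the exported WLAN profile XML layout.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID><nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>
  <connectionType>{ctype}</connectionType><connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption><authentication>{auth}</authentication>
    <encryption>{enc}</encryption></authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample PNL (not taken from the slides).
SAMPLE_PNL = [
    TEMPLATE.format(ssid="tmobile", hidden="false", ctype="ESS", mode="auto", auth="open", enc="none"),
    TEMPLATE.format(ssid="CorpNet", hidden="false", ctype="ESS", mode="auto", auth="WPA2PSK", enc="AES"),
    TEMPLATE.format(ssid="HomeOld", hidden="true", ctype="ESS", mode="manual", auth="open", enc="WEP"),
    TEMPLATE.format(ssid="adhoc-share", hidden="false", ctype="IBSS", mode="manual", auth="open", enc="none"),
]


def _text(root, path):
    """Text of the element at path, or '' when the element is absent."""
    return (root.findtext(path, default="", namespaces=NS) or "").strip()


def audit_profile(xml_text):
    """Return (ssid, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    auth = _text(root, "w:MSM/w:security/w:authEncryption/w:authentication").lower()
    enc = _text(root, "w:MSM/w:security/w:authEncryption/w:encryption").lower()
    auto = _text(root, "w:connectionMode").lower() == "auto"
    findings = []
    if auth == "open" and enc == "none":   # unprotected hotspot-style entry
        findings.append("open-autoconnect" if auto else "open")
    if enc == "wep":                       # slide 34: WEP must not be used
        findings.append("wep")
    if _text(root, "w:connectionType").upper() == "IBSS":   # ad-hoc entry
        findings.append("adhoc")
    if _text(root, "w:SSIDConfig/w:nonBroadcast").lower() == "true":
        findings.append("hidden-probes-ssid")   # client probes for this SSID by name
    return _text(root, "w:SSIDConfig/w:SSID/w:name"), findings


def audit_pnl(profiles):
    """Audit profile XML strings; return {ssid: findings} for flagged entries only."""
    return {ssid: f for ssid, f in map(audit_profile, profiles) if f}


if __name__ == "__main__":
    for ssid, findings in audit_pnl(SAMPLE_PNL).items():
        print(f"{ssid}: {', '.join(findings)}")
```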

  40. Questions?
