1 / 29

CIPS CompSEC SIG

CIPS CompSEC SIG. Feb 20, 2003 Speech by Renderman Render@renderlab.net. Wardriving Edmonton Results. “It’s not a bug, it’s a feature”. Technology Background. 802.11b Spread Spectrum 2.4Ghz – License free 11 channels, 2.412 –2.462 GHz 11Mbps

ena
Download Presentation

CIPS CompSEC SIG

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIPS CompSEC SIG Feb 20, 2003 Speech by Renderman Render@renderlab.net

  2. Wardriving Edmonton Results “It’s not a bug, it’s a feature”

  3. Technology Background • 802.11b • Spread Spectrum • 2.4Ghz – License free • 11 channels, 2.412 –2.462 GHz • 11Mbps • 40, 64, 128 bit WEP Encryption, MAC filtering • SSID – logical network name • Cellular nature • Wi-Fi Alliance • Founded 1999, Certifies devices for compliance

  4. Technology Background • Various features among different models • Usually have DHCP server, MAC filtering, WEP • Wi-Fi is designed to ‘roam’ to strongest signal • Many different manufacturers and many brands • Dlink • Linksys • Cisco • Apple • M$

  5. Which brings us to today.. • 802.11b is a multi billion Dollar industry • $1.546 Billion in 2002 • Set to rise (or fall, depending on the report) • Prices falling dramatically • Many laptops/PDA’s Wi-Fi enabled from the factory • Airports, Airplanes, Café’s, Hotels • Very pervasive, very chic, ‘hot’ technology

  6. Enough marketing and history Time for the realities

  7. What is ‘Wardriving’ • WarDriving v. The benign act of locating and logging wireless access points while in motion. - Blackwave • A.k.a, Network stumbling, lanjacking(?), whacking(?) • Using a Wi-Fi enabled device (laptop, PDA), to discover the presence of wireless networks. • Factory software allows rudimentary ‘stumbling’ • First coined and automated by Pete Shipley of Dis.org • Completely LEGAL! • Frighteningly effective

  8. Wardriving is not a crime • Detection is legal – public frequencies • Connecting is illegal • ‘Stumbler Ethic’ • Trying to raise security awareness with the Worldwide Wardrive • Bad people do bad thing, Wardrivers are not bad people

  9. Edmonton, Alberta as of Feb 2nd 2003, 1689 Access points

  10. Downtown and University Detail

  11. Downtown Detail

  12. Edmonton Statistics Since March 2002 • 1689 separate Access points detected • 1194 without WEP (not necessarily insecure) • 600 on default settings (very insecure) • In the strangest of places • Hospitals, health facilities, gov’t, hotels, trucking companies, breweries, homes, oil companies, schools, cafes….

  13. Wireless Intruder Implications • Bandwidth theft • Spamming, threats, attacks • All tracks lead back to you • Access to your internal network • Untraceable • Easy to do, cheap

  14. Edmonton Survey Conclusions • After 11 months and a lot of miles, no one has learned anything • No-one is paying attention • Wireless is popular even in the frozen north • ‘It can’t happen here’ attitude • Severe lack of understanding • There is an interest in learning though

  15. Now that I have your attention… How is this accomplished?

  16. Wardriving made easy • Laptop or PDA • 802.11b card • Special software that supports the card (Netstumbler or Kismet) • Some form of conveyance (feet, bike, car, etc) • Optional: • External antennas (Pringles can) • GPS for generating maps • Misc software (realtime tracking, routing)

  17. Passive Vs Active • Netstumbler – Active, Listens for ‘Broadcast’ announcements ~10 per second) • Kismet – Passive, Listens for any 802.11b traffic and determines network settings from packet capture. Able to detect ‘cloaked’ AP’s (SSID broadcast turned off) • Both Free (as in beer) • Both useful as site survey tools, used throughout the industry

  18. The RenderVan Wardriving Rig

  19. The problems with Wi-Fi • No one RTFM’s • AP’s left on defaults • WEP – unsafe at any key length • Inappropriate deployment • ‘Rougue’ AP’s • It’s a bloomin RADIO!

  20. RTFM • Buried security warnings and instructions • No deployment warnings • Manufacturers ignoring problem, bad for sales

  21. Defaults • 36% of AP’s in Edmonton on Default, ‘out of box’ settings • ‘It works, don’t screw with it’ attitude • Quick start Guides ignore security

  22. Demo Default access point

  23. Wired equivalency protocol • Uses RC4 • Export restrictions kept key at 40bit, very weak 64bit later on • Proprietary extensions for 128bit, incompatible between manufacturers, making for headaches and users ignoring it • Static Key • Found weak in July 2001 • Fluhrer, Mantin, and Shamir (‘S’ in RSA) Broke RC4 in August 2001 which lead to… • Airsnort : 30 seconds + 2 gig of data = WEP Key

  24. Deployment problems • Often behind firewalls and other security devices on the ‘Trusted’ side of the network • Should be treated as a wall jack; Would you run cat5 to the parking lot? • Current implementation makes security hard to maintain (rotating keys, updating MAC filters) • Attitudes: ‘No one would want to break in here’, ‘No one will find me’, ‘Security costs too much’

  25. Rogue AP’s • Employee’s being ‘helpful’, or ‘creative’ • IT staff unaware, not caring • No company policies, or no enforcment • No IT auditing – ‘rouge hunting’ • Often on defaults (ID10T errors) • Geewhiz factor for the boss

  26. It’s a RADIO!!! • Broadcasts far beyond walls and property • If WEP not enabled, data is sent in the clear • Email, database queries, FTP, messenger… • Data sent in all directions • Long distance detection <25 miles • Long distance connection <5miles • All Wi-Fi gear is a Tx & Rx • Wi-Fi is ‘cellular’ in nature, designed to associate with the strongest signal (even if it’s not yours)

  27. Suggestions • Set a company policy on Wireless and enforce it • Use WEP at a minimum – Keep out sign • EAP (Extensible Authentication Protocol), Cisco • RADIUS, 802.1x, VPNs • Audit network from wired side • Audit network from wireless side • Locate AP’s in front of firewall, captive portal or other authentication (RADIUS, etc) • Hire professionals for installation and advice

  28. Sites • www.renderlab.net - Edmonton and Alberta wardriving • www.dis.org/wl/maps/ - Pete shipleys original research • www.netstumbler.com - Active wardriving software • www.kismetwireless.net - Passive wardriving software • www.wardrivingisnotacrime.com - Fashions by Blackwave • www.worldwidewardrive.org - We have our own event • www.wardriving.com - General resource • forums.netstumbler.com – My hangout, great info & ppl

  29. Q & A Questions, comments, and accusations

More Related