
Wireless Insecurity Utz Roedig University College Cork, Ireland, utz@cs.ucc.ie


Presentation Transcript


  1. Wireless Insecurity
     • Utz Roedig
     • University College Cork, Ireland, utz@cs.ucc.ie

  2. Overview
     • Introduction
       • Using wireless networks
       • Application scenarios
       • Basic functionality and security mechanisms
     • Attacking wireless networks
       • Targets and goals
       • Methods and examples
     • How to protect wireless networks
       • Basics: WEP, MAC filter, …
       • Network separation and security policy
     • Summary

  3. Introduction
     • Why use wireless networks?
       • Give users some flexibility and freedom
       • Reduce network cost
     • Available solutions
       • Wi-Fi (IEEE 802.11)
       • HomeRF, Bluetooth, …

  4. Terminology
     • WLAN
       • Wireless Local Area Network
     • Wi-Fi
       • Catchier than 'IEEE 802.11b direct sequence'
       • A marketing name for products based on 802.11
     • 802.11
       • Specification of PHY and MAC layer
       • a/g/n: different modulations and data rates
     • WEP
       • Wired Equivalent Privacy (Ha! We will see)
     • WPA
       • Wi-Fi Protected Access (WPA and WPA2)

  5. Application Scenario
     • Standard company network
     • Servers: data and services
     • Workstations: laptop, PC, (PDA)
     • Router: internet connection

  6. Application Scenario
     • Wireless company network
     • Servers: data and services
     • Workstations: laptop, PC, (PDA)
     • Router: internet connection, wireless network connection

  7. Application Scenario
     • Wireless company network insecurity
     • Servers: data and services
     • Workstations: laptop, PC, (PDA)
     • Router: internet connection, wireless network connection

  8. 802.11 - Basics
     • Physical layer (PHY)
       • Defines coding and modulation
       • Operates in the 2.4 - 2.8 GHz band
     • Medium Access Control layer (MAC)
       • Organizes access to the shared medium
       • Uses carrier sense multiple access with collision avoidance
     • All nodes in the vicinity have to participate in PHY/MAC
       • Denial of service (DoS) is very simple!
       • PHY: signal jamming
       • MAC: misbehaving node

  9. 802.11 - MAC
     • Problem scope
       • If everyone talks at the same time, I cannot understand you
       • A protocol is needed to organize who is talking when
     • Predefinition
       • Everyone talks using packets
       • Everyone uses a number (MAC address) so we know who is talking
     • Packet transmission (logical)
       • A node first listens to ensure no other node is transmitting
       • If the channel is clear, the node transmits the packet
       • Otherwise, the node chooses a random back-off time and tries again
     • Packet transmission (technical, RTS/CTS mechanism)
       • Snd: ready-to-send (RTS)
       • Rcv: clear-to-send (CTS)
       • Snd: data transmission (DATA)
       • Rcv: acknowledgement (ACK)
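
Added example (not from the original slides): a simplified slotted model of the listen/back-off rule on slide 9, showing why slide 8 calls MAC-level denial of service simple. The slot model, the contention-window sizes and the `simulate` function are assumptions made for illustration.

```python
import random

def simulate(n_honest, cheater, slots=20000, seed=1, cw_min=16, cw_max=1024):
    """Toy model: one packet fits in one slot, every node always has data.

    Returns successful transmissions per node. When cheater is True, the
    last entry is a node that never backs off (the "misbehaving node").
    """
    rng = random.Random(seed)
    n = n_honest + (1 if cheater else 0)
    cw = [cw_min] * n                              # contention window per node
    counter = [rng.randrange(cw_min) for _ in range(n)]
    if cheater:
        counter[-1] = 0
    success = [0] * n
    for _ in range(slots):
        senders = [i for i in range(n) if counter[i] == 0]
        for i in range(n):
            if counter[i] > 0:
                counter[i] -= 1                    # waiting nodes count down
        if len(senders) == 1:
            success[senders[0]] += 1               # exactly one sender: delivered
        for i in senders:
            if cheater and i == n - 1:
                counter[i] = 0                     # ignores the back-off rule
                continue
            # Honest node: reset window after success, double it after a collision.
            cw[i] = cw_min if len(senders) == 1 else min(2 * cw[i], cw_max)
            counter[i] = rng.randrange(1, cw[i] + 1)
    return success

if __name__ == "__main__":
    print("all honest  :", simulate(4, cheater=False))
    print("one cheater :", simulate(4, cheater=True))
```

In this model the honest nodes deliver nothing once a single node stops backing off, which is why no amount of WEP or WPA configuration addresses availability at this layer.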

  10. Hardware and Operation
      • Wireless network card
        • Provides access to the 802.11 network
      • Access point
        • Provides bridge functionality
          • Between 802.11 and the fixed network
        • Provides additional functionality
          • Security: firewall, Network Address Translation (NAT), …
          • Network: DHCP, DNS, WWW cache, …
      • Mode of operation
        • Infrastructure mode
          • All traffic passes through the access points
        • Ad-hoc mode
          • All computers talk directly to each other

  11. Network Structure
      • Basic Service Set (BSS)
        • Stations form a BSS
      • Distribution System (DS)
        • A DS interconnects the BSSs
      • Extended Service Set (ESS)
        • BSSs together form an ESS
      • Handover requirements
        • Station type
          • Mobile
          • Portable
        • Roaming type
          • Within ESS: PHY/MAC handover
          • Between different ESS: PHY/MAC and network layer handover

  12. 802.11 - Security
      • WEP
        • Wired Equivalent Privacy
        • One key is shared among all users
        • Payload is transmitted encrypted
        • Content is secured, not the communication itself!
      • WPA
        • Wi-Fi Protected Access
        • Each user can be separately authenticated
        • Session keys are derived/negotiated and periodically changed
        • Payload is transmitted encrypted
      • WPA-2
        • Wi-Fi Protected Access version 2
        • Similar to WPA, updated cryptographic methods

  13. Attacker - Goals
      • What now?
      • Denial of Service (DoS)
        • Deny the use of the wireless network
        • Deny the use of the complete company network
        • Deny the use of services
      • Unauthorized infrastructure use
        • Use of the internet access
        • Use of services (e.g. WWW)
      • Information theft
        • Access file servers
        • Access database servers

  14. Attacker - Steps
      • Step 1 (PHY)
        • Laptop with WLAN card
        • Get close enough (e.g. next door, car park, …)
        • Get WLAN access
          • Modulation, channel, …
          • ESS ID
      • Step 2 (MAC)
        • Join the (wireless) network
        • Bypass MAC filters, … if necessary
        • Bypass WEP if necessary
      • Step 3 (Network, Services)
        • Attack the services as usual

  15. Attacker - Step 1
      • Selection of modulation, channel, …
        • Handled by the NIC
      • Case I: Unprotected (out-of-the-box)
        • Attacker selects the company network
          • Selection by ESS ID
        • Attacker joins the network
      • Case II: Hidden ESS ID
        • Attacker uses a scanner (e.g. aireplay)
        • Attacker obtains the ESS ID
        • Now it is Case I

  16. Attacker - Step 2
      • Case I: MAC filter in place
        • Attacker starts a program scanning the air for a while (e.g. kismet)
        • Attacker changes his MAC into an accepted MAC (e.g. ifconfig)
        • Attacker joins the network
      • Case II: WEP security in place
        • Attacker uses a scanner (e.g. kismet)
        • After ESS ID and channel are known, packets are captured (e.g. airodump)
          • For a 64-bit WEP key, between about 50000 and 20000 packets
          • For 128 bits, between 200000 and 700000
        • Crack the key (e.g. aircrack)
        • Attacker joins the network

  17. Attacker - Step 2
      • Case III: WPA-PSK security in place
        • Force an authentication handshake (e.g. aireplay)
        • Collect the handshake packets (e.g. airodump)
        • Dictionary brute force (e.g. aircrack)
        • Attacker joins the network
      • Possible problems
        • No traffic
        • WPA using RADIUS
        • Additional security mechanisms (firewall, proxy, …)

  18. Attacker - Step 3
      • The attacker is now in the network
        • Virtually sitting with his laptop at your desk!
      • What will he do?
        • Using your bandwidth and ID to access the Internet
          • Possible lawsuit (download or offer illegal content)
          • Possible cost (if charged per MB)
          • …
        • Using your servers
          • Free storage space (with backup!)
          • Free web servers
          • Free …
        • Stealing your data/information!
        • DoS (maybe by accident)

  19. Defender - Goals & Steps
      • What now?
      • Keep the attacker out!
      • Step 1: Secure the wireless network (if possible!)
      • Step 2: Secure the core network
        • In case the attacker somehow gets into the wireless network
      • Step 3: Define rules of operation
        • Logging, monitoring, key management, emergency plans, …

  20. Defender - Step 1
      • Even if security mechanisms are flawed, use them!
        • Most hackers/attackers will choose the easy victim
        • Use several layers of protection
      • Useful security mechanisms
        • Use WPA with RADIUS if possible
        • If WEP/WPA-PSK is used, change keys frequently
        • Use MAC filtering
      • Summary
        • The wireless network cannot be secured!
        • Steps 2 and 3 are needed if a wireless network is used!

  21. Defender - Step 2
      • Separate the wireless network from the core network
        • Use a firewall between wireless and core network
          • Might be integrated in the base station
          • Might offer user authentication
      • Restrict services available from the wireless network
        • Do people have to mount the fileserver from the laptop?
        • Is it necessary to have Internet access from the laptop?
      • Use higher layer security/encryption
        • Create a VPN (PPTP, L2TP)
        • IPSec
      • Only access services securely
        • Terminal: telnet -> ssh
        • Mail: POP -> IMAP (or Webmail with HTTPS)
        • …

  22. Defender - Step 3
      • Logging
        • Activity in the network should be recorded
        • Records might be needed to detect an attacker
        • (Records might be needed for forensic analysis)
      • Monitoring
        • Someone should look periodically at the records!
      • Maintenance
        • Security needs maintenance!
        • Periodic update of keys
        • Add/delete users, MAC addresses, update firewall rules, …
      • Emergency plans
        • What will we do if we detect an attacker?
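
Added example (not part of the original presentation): one way to review the records described under Logging and Monitoring. The log format, event names, thresholds and the `analyse` function are hypothetical; the two findings are heuristics tied to the forced handshake (slide 17) and the reuse of an accepted MAC address (slide 16).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical access-point log format:
# <ISO timestamp> <EVENT> <station MAC>, in chronological order.
SAMPLE_LOG = """\
2024-05-06T09:00:00 ASSOC 02:00:00:aa:00:01
2024-05-06T09:00:05 ASSOC 02:00:00:aa:00:02
2024-05-06T09:10:00 DEAUTH 02:00:00:aa:00:02
2024-05-06T09:10:01 ASSOC 02:00:00:aa:00:02
2024-05-06T09:10:02 DEAUTH 02:00:00:aa:00:02
2024-05-06T09:10:03 ASSOC 02:00:00:aa:00:02
2024-05-06T09:10:04 DEAUTH 02:00:00:aa:00:02
2024-05-06T09:30:00 ASSOC 02:00:00:aa:00:01
2024-05-06T09:45:00 DISASSOC 02:00:00:aa:00:01
"""

def analyse(log_text, burst=3, window=timedelta(seconds=10)):
    """Return (timestamp, mac, finding) alerts in log order."""
    associated = set()               # stations the AP currently believes are joined
    recent = defaultdict(deque)      # mac -> times of recent DEAUTH events
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                 # skip records without exactly three fields
        stamp, event, mac = parts
        when = datetime.fromisoformat(stamp)
        mac = mac.lower()
        if event == "ASSOC":
            # A second join with no leave in between: possible reused MAC.
            if mac in associated:
                alerts.append((stamp, mac, "duplicate-association"))
            associated.add(mac)
        elif event in ("DEAUTH", "DISASSOC"):
            associated.discard(mac)
            if event == "DEAUTH":
                q = recent[mac]
                q.append(when)
                while when - q[0] > window:
                    q.popleft()      # forget events outside the time window
                if len(q) == burst:  # fire once when the threshold is reached
                    alerts.append((stamp, mac, "deauth-burst"))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

Both findings also occur in normal operation (roaming clients, poor signal), so they are leads for whoever reviews the records rather than proof of an intruder.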

  23. Summary
      • Covered topics
        • Basic functionality and application scenarios
        • Attacking wireless networks
        • Securing wireless networks
      • Conclusions
        • Setting up a wireless network is simple
        • Setting up a secure wireless network is somewhat complicated!
        • Do you really need a wireless network?
