Wireless Security By:- Stanley Chand & Damien Prescod
Agenda
• Wireless Vulnerability
• Basic Security Mechanics & Mechanisms
• Wired Equivalent Privacy (WEP)
• Guidelines
• Cellular Wireless Fraud
• Wimax Security
• Past and Now
Security Mechanics
• Confidentiality
  • Encryption: symmetric and asymmetric
• Integrity
  • Digital signature using a hash function
• Availability
  • Defense mechanism
• Authentication
  • Protocols such as 802.1X, RADIUS, PAP/CHAP, etc.
• Authorization
  • Multiple levels and protocols
• Access Control
  • Knowledge of the WEP key
• Encryption
  • Robustness of the method used
• Key management
  • Key distribution should be secure and scalable
Confidentiality Mechanisms
• Symmetric Key Encryption
  • Block Cipher
  • Stream Cipher
• Asymmetric Encryption
  • Public Key Encryption
    • Data integrity
    • Data confidentiality
    • Sender non-repudiation
    • Sender authentication
  • Private Key Encryption
Wireless Vulnerabilities
• It's difficult to prevent physical access.
• Using cheap antennas, an attacker can pick up or send signals from up to a few miles away.
• Wireless networks are subject to both passive and active attacks.
http://rawlab.mindcreations.com/imgs/laptop_cantenna.jpg
Wired Equivalent Privacy
• Wired Equivalent Privacy (WEP) is an algorithm that was specified in the original IEEE 802.11 specification.
• To prevent disclosure of packets in transit
• To prevent modification of packets in transit
• To provide access control for use of the network
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
Wireless Application Protocol
• WAP is a wireless standard that applies to wireless communication protocols and services.
• There are several wireless standards used by various wireless device and service manufacturers.
• WAP allows for interoperability between them.
• WAP has its own built-in security: it uses Wireless Transport Layer Security (WTLS).
• Just as Secure Sockets Layer uses certificates and a client/server verification/authentication mechanism, WTLS does the same.
Basic Wireless Network Employing RADIUS Server
http://www.more.net/technical/netserv/wireless/images/radius-authentication.gif
WEP Key Stream and Plaintext Recovery
The two means of breaking WEP-encrypted data:
• Discover the key itself
• Discover all possible key streams
Keystream dictionaries:
• WEP uses the initialization vector to permit 2^24 (16 million) possible keystreams for each key.
• One method is to wait for repeated key streams, known as a collision, which reveals information about the data and the keystream.
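An added worked example (not from the slides) of why a 24-bit IV space is so small and what a keystream collision leaks. The keystream bytes and the two packet payloads are constructed, and plain XOR with a fixed keystream stands in for RC4 output so the arithmetic stays visible.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # 2^24 = 16,777,216 possible keystreams per WEP key

def collision_probability(num_packets, iv_space=IV_SPACE):
    """Exact birthday-bound probability that at least two of num_packets randomly chosen
    IVs repeat, i.e. that some keystream is used twice under the same key."""
    p_distinct = 1.0
    for i in range(num_packets):
        p_distinct *= (iv_space - i) / iv_space
    return 1.0 - p_distinct

def packets_until_probable_collision(target=0.5, iv_space=IV_SPACE):
    """Packet count after which a repeat is at least `target` likely, from the birthday
    approximation n ~ sqrt(2 N ln(1/(1-target))); a busy AP reaches it in minutes."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - target))))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample keystream standing in for RC4(IV || key), and two constructed payloads
# that happen to be sent under the same IV.
KEYSTREAM = bytes.fromhex("9f3a7c1e55b0d2e8a4c6f1093b7d5e21")
P1 = b"GET /index.html "   # predictable protocol data
P2 = b"PASSWORD=hunter2"   # the sensitive payload

def wep_encrypt(plaintext, keystream):
    """WEP's per-packet step: ciphertext = plaintext XOR keystream (header and ICV omitted)."""
    return xor_bytes(plaintext, keystream)

def plaintext_xor_from_collision(c1, c2):
    """Two ciphertexts under one keystream: c1 XOR c2 == p1 XOR p2. The keystream cancels,
    so a collision alone already leaks the relationship between the two payloads."""
    return xor_bytes(c1, c2)

def keystream_from_known_plaintext(c, known_p):
    """If one payload is known (e.g. a predictable header), the keystream for that IV falls out
    and decrypts every other packet reusing the IV: one entry in a 'keystream dictionary'."""
    return xor_bytes(c, known_p)
```

With roughly 5,000 packets the chance of at least one IV repeat already exceeds 50%, which is why the 2^24 figure on the slide is far smaller than it sounds.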
Design Guidelines
WLAN Security Policy:
• What is the corporate policy for WLAN and application usage?
• Is there an acceptable use document to which the network designer must make sure WLAN users adhere?
• If the WLAN user is a guest rather than a corporate employee, is a legal disclaimer necessary before he can use the WLAN?
• Is there a policy stating the type of authentication required for WLAN access?
• Is there a policy that classifies a particular group of users who can use the WLAN?
Cellular Wireless Fraud
• Cellular Telecom Industry Association (CTIA): in 1997 the wireless industry lost $434 million ($1.18 million daily).
• Analog phones were most susceptible to fraud, so the advent of the digital age reduced those numbers to an extent. However, fraud was still present.
• The implementation of authentication procedures and profiling systems further combated fraudsters.
Types of Wireless Fraud
• Tumbling Electronic Serial Number (ESN) Fraud
  • The first type of fraud, prevalent because cellular carrier switches did not yet use Signalling System Seven (SS7): carriers could not communicate with each other.
  • The fraudsters programmed multiple Mobile Identification Numbers (MINs), taken randomly from different geographic areas, onto a phone, and created false ESNs using memory chips (Electronically Programmable Read Only Memory chips).
  • When a roaming call is placed, the switch allows the first call through and checks the nationwide clearinghouse to validate the phone's ESN & MIN against ones known to be stolen.
  • If the phone was not present in the clearing house, the caller was permitted repeated calls.
Types of Wireless Fraud
• If it was present, the phone would be blocked from calling, but the fraudster would "tumble the ESN" to appear as a new phone on the network, thereby getting repeated calling access.
• The database was manually updated initially, and some carriers were not as diligent as others in updating their local databases.
• Eventually the database was updated at 12:01 am daily.
• On the streets of NY these phones went for as much as $300!!!
Combating Tumbling
• Precall Validation!!
• In this anti-fraud method the MIN & ESN have to be verified before a call is placed; with the onset of global use of SS7 this was realized.
• Either the nationwide clearing house or the cellular databases were referenced for the MIN & ESN.
• Only those phones with a valid MIN & ESN were permitted calls.
• Many more carriers worked with the clearing house to make it more robust and effective.
• There was, however, some inconsistency on some carriers' part.
Combating Tumbling
• A company called Systemslink developed a product called Roamex which allowed for real-time referencing, thereby eliminating the clearing house.
• To date Systemslink handles 98% of the GSM communication in North America.
Types of Wireless Fraud
• Cloning Fraud: the complete duplication of legitimate mobile identification information.
  • In the early 90s, MINs & ESNs were stolen by simple scanning of the airwaves with scanners set to frequencies between 824 & 894 MHz (airports, interstate overpasses).
  • Prevalent in the Advanced Mobile Phone System (analog), not so much in digital systems.
  • The info was easy to collect because it was transmitted on the control channel during call activation or receipt.
  • Since ESNs are not alterable, by using blank EPROM chips and stolen MINs and ESNs two phones could have exactly the same information!
  • Cloned phones are then sold in distant geographical markets to unsuspecting customers.
  • The flaw in cloning is that, since both phones have exactly the same information, if the fraudster gives friends his/her number and his phone is off, the call is received by the genuine customer and the cloning can be detected.
Combating Cloning
• Profiling Systems:
  • These systems set off alarms when a MIN enters into suspicious or abnormal activity.
  • High call count in short time periods, long duration of calls, lots of roaming calls and international calls.
  • One of the most common types is the velocity check.
  • It checks the time period between calls of the same phone (with a valid MIN & ESN) and its location.
  • Flags are raised when irregularities occur; the system is not automatic and requires that trained personnel be smart and vigilant.
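An added example, not from the slides, of the velocity check and call-count profiling described above run over post-call records. The thresholds (900 km/h, 5 calls per 10 minutes), the cell-site coordinates and the MIN/ESN values are all constructed assumptions; a carrier would tune the thresholds per market.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0                 # faster than an airliner between two sites is implausible
BURST_WINDOW = timedelta(minutes=10)  # "high call count in short time periods"
BURST_LIMIT = 5                       # more calls than this inside the window is suspicious

@dataclass
class CallRecord:
    min_id: str       # Mobile Identification Number
    esn: str          # Electronic Serial Number
    start: datetime   # call origination time, from the post-call record
    lat: float        # location of the cell site that served the call
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two cell sites."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def velocity_check(calls):
    """Group records per (MIN, ESN); return {MIN: set of reasons} for phones whose pattern is
    physically implausible or unusually bursty. These are flags for an analyst, not verdicts."""
    by_phone = {}
    for c in sorted(calls, key=lambda r: r.start):
        by_phone.setdefault((c.min_id, c.esn), []).append(c)
    flags = {}
    for (min_id, _esn), recs in by_phone.items():
        for prev, cur in zip(recs, recs[1:]):
            hours = (cur.start - prev.start).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Same identifiers seen at two sites too far apart for the elapsed time: likely a clone.
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                flags.setdefault(min_id, set()).add("velocity")
        for i, cur in enumerate(recs):
            recent = [r for r in recs[: i + 1] if cur.start - r.start <= BURST_WINDOW]
            if len(recent) > BURST_LIMIT:
                flags.setdefault(min_id, set()).add("burst")
    return flags

# Constructed records: New York then Los Angeles 30 min later (clone), New York to Philadelphia
# in two hours (legitimate), and one phone placing 6 calls in 5 minutes (burst).
SAMPLE_CALLS = [
    CallRecord("2125550100", "A1B2C3D4", datetime(1997, 3, 1, 9, 0), 40.71, -74.01),
    CallRecord("2125550100", "A1B2C3D4", datetime(1997, 3, 1, 9, 30), 34.05, -118.24),
    CallRecord("2155550199", "F9E8D7C6", datetime(1997, 3, 1, 9, 0), 40.71, -74.01),
    CallRecord("2155550199", "F9E8D7C6", datetime(1997, 3, 1, 11, 0), 39.95, -75.17),
] + [CallRecord("3055550123", "00AA11BB", datetime(1997, 3, 1, 9, i), 25.77, -80.19) for i in range(6)]
```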
Profiling Problem
• It relies on post-call validation, so some damage is already done once the system alerts.
• Manual monitoring is needed before action can be taken.
Combating Fraud
• RF Finger Printing:
  • Originated when 3 companies in U.S. defence radio research stated that they could recognize individual cellular phones by the pattern of their radio transmission signals.
  • It has an 80-90% chance of detecting fraudulent mobiles.
  • It works by storing sample digitized patterns of radio transmission at the Mobile Switching Center (MSC).
  • When a mobile originates a call, the RF signal and MIN & ESN are all compared to what is stored at the MSC, and if no match occurs the call is not permitted.
• Problems with RF Finger Printing!!
  • 1-2% chance of returning a FALSE POSITIVE.
  • Certain models of phones are not reliable with this mode of anti-fraud combat.
  • Since the 3 variables compared are not used in all markets, its global use has been hindered.
Combating Fraud
• Authentication
  • This is a challenge/response process where the phone and MSC exchange information to confirm the mobile's identity.
  • It is governed by the Cellular Authentication & Voice Encryption (CAVE) algorithm.
  • The mobile inputs various data into the algorithm and sends the result to the switch, which makes the same calculation and compares the results. A match means the phone is valid.
  • When the phone is turned on, the authentication key and other data variables are used to calculate the shared secret data (SSD), to be verified by the switch over the airwaves.
  • Only the switch and the phone know the key, and by comparing results the phone call is allowed once there is a match.
  • It is better than other methods because it does not rely on the ESN for verification.
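An added model of the challenge/response flow described above; it is not from the slides and does not implement CAVE itself, HMAC-SHA256 stands in for it. The Switch and Phone classes, the A-key, the MIN/ESN values and the SSD derivation inputs are constructed assumptions, chosen to show why a clone holding only the MIN and ESN fails.

```python
import hashlib
import hmac
import os

def derive_ssd(a_key: bytes, esn: str, rand_ssd: bytes) -> bytes:
    """Both sides compute the shared secret data (SSD) from the long-lived A-key, the ESN and a
    random value sent at power-on. HMAC-SHA256 stands in for CAVE; the A-key never goes over the air."""
    return hmac.new(a_key, b"SSD" + esn.encode() + rand_ssd, hashlib.sha256).digest()

def auth_response(ssd: bytes, rand: bytes, min_id: str, esn: str) -> bytes:
    """Answer to the switch's challenge: bound to the SSD, so knowing the MIN/ESN alone is not enough."""
    return hmac.new(ssd, rand + min_id.encode() + esn.encode(), hashlib.sha256).digest()[:8]

class Switch:
    """Mobile Switching Center side: holds provisioned A-keys, derives SSD, checks responses."""
    def __init__(self):
        self.a_keys = {}   # (MIN, ESN) -> A-key, provisioned out of band
        self.ssd = {}      # (MIN, ESN) -> current SSD
    def register(self, min_id, esn):
        rand_ssd = os.urandom(8)
        self.ssd[(min_id, esn)] = derive_ssd(self.a_keys[(min_id, esn)], esn, rand_ssd)
        return rand_ssd    # sent over the air; harmless without the A-key
    def call_allowed(self, min_id, esn, rand, response):
        expected = auth_response(self.ssd[(min_id, esn)], rand, min_id, esn)
        return hmac.compare_digest(expected, response)   # constant-time compare

class Phone:
    def __init__(self, min_id, esn, a_key):
        self.min_id, self.esn, self.a_key, self.ssd = min_id, esn, a_key, None
    def power_on(self, switch):
        self.ssd = derive_ssd(self.a_key, self.esn, switch.register(self.min_id, self.esn))
    def respond(self, rand):
        return auth_response(self.ssd, rand, self.min_id, self.esn)

def place_call(switch, phone):
    rand = os.urandom(4)   # fresh challenge per call, so a captured response cannot be replayed
    return switch.call_allowed(phone.min_id, phone.esn, rand, phone.respond(rand))

def scenario():
    """Constructed run: the provisioned phone passes; a clone that copied the MIN and ESN off the
    air but never had the A-key derives a wrong SSD and is refused."""
    switch = Switch()
    a_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample A-key
    switch.a_keys[("2125550100", "A1B2C3D4")] = a_key
    legit = Phone("2125550100", "A1B2C3D4", a_key)
    legit.power_on(switch)
    legit_ok = place_call(switch, legit)
    clone = Phone("2125550100", "A1B2C3D4", bytes(16))   # same identifiers, wrong key
    clone.power_on(switch)
    return legit_ok, place_call(switch, clone)
```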
Problems with Authentication
• There are still many analog phones in use today that don't have the ability to perform this task.
• Carriers who do not have switches capable of authentication features will still be susceptible (this has an impact on roaming agreements between carriers), because a fraudster can steal a phone in one city and use it in another where no authentication is employed.
• Another type of fraud is subscriber fraud, but it has more to do with identity theft.
Wimax Security: Authentication
• Each subscriber in 802.16 networks must have an X.509 certificate that uniquely identifies them.
• X.509 certificates make it difficult for attackers to spoof the identities of legitimate subscribers, providing ample protection against theft of service.
• The flaw in the authentication mechanism used by WiMAX's Privacy & Key Management (PKM) protocol is the lack of base station or service provider authentication.
• This makes WiMAX networks susceptible to man-in-the-middle attacks, exposing subscribers to various confidentiality and availability attacks.
• The 802.16e amendment added support for the Extensible Authentication Protocol (EAP) to WiMAX networks.
• Support for EAP protocols is currently optional for service providers.
Wimax Security: Encryption
• With the 802.16e amendment, support for the Advanced Encryption Standard (AES) cipher is available, providing strong support for confidentiality of data traffic.
• Just as in the 802.11 specification, management frames are not encrypted, allowing an attacker to collect information about subscribers in the area and other potentially sensitive network characteristics.
http://www.techwarelabs.com/articles/other/wimax_wifi/images/wimax-diagram.gif
Wimax Security
• WiMAX will use licensed RF spectrum, giving it some protection from unintentional interference.
• However, an attacker can use readily available tools to jam the spectrum for all planned WiMAX deployments.
• Man in the Middle Attacks
  • Attacker intercepts identification information of the sending and receiving parties.
  • Substitutes their own key in both directions.
  • Gives access to all information passed between the parties.
• Denial of Service or Distributed Denial of Service
  • TCP SYN ACK flood or buffer overrun: typical DoS.
  • Illicit servers used to set up zombie machines for a DDoS.
  • As well as physical-layer denial of service (DoS) attacks, an attacker can use legacy management frames to forcibly disconnect legitimate stations, similar to the de-authentication flood attacks used against 802.11 networks.
Past & Now
• Until recently, wireless communication referred to mobile communications alone.
• Now there are so many wireless technologies that covering them all would require publishing a book.
• Wireless includes the likes of Satellite, CDMA, FDMA, GSM, 3G, 4G, Bluetooth, RF Transmission, Wifi, Wimax.
• The list goes on, each of which has its unique form of threats with unique security-enabled features.
Sources
• Security+ Exam Guide, Chris Crayton
• Wireless Crash Course