Wireless (In)Security, or Why You Will WEEP When You Learn About WEP
http://www.wowway.com/~kwwall/presentations/security/cocacm-20040218.ppt
Kevin W. Wall, Staff Software Engineer, Qwest IT
[email protected]

IEEE Wireless Standards
IEEE 802.11 standards
• A.K.A.: Wireless LAN (WLAN) & Wi-Fi
• 802.11b was original standard
  - Transmits up to 11 Mbps
  - Operates at frequency of 2.4GHz
  - Typical range of ~300 feet
• 802.11a is successor
  - Transmits up to 54 Mbps
  - Operates at frequency of 5GHz
  - Shorter range; ~60-70 feet
• 802.11g
  - Up to 54 Mbps, but at 2.4GHz (compatible w/ 802.11b)
  - Added security; fixes some problems w/ WEP
• 802.11i — Coming RSN
• Wired Equivalent Privacy (WEP) provides security for the first three.
Copyright © 2004 - Kevin Wall. All Rights Reserved.

Wi-Fi Security Vulnerabilities
• Interception and sniffing wireless traffic
• Jamming
• Insertion attacks
• Misconfiguration
• Client-to-client attacks

Wi-Fi Vulnerabilities: Sniffing
All wireless standards (802.11, Bluetooth, etc.) are broadcast networks.
Intruder must be in range of signal to intercept it.
• Properly selected / positioned antenna aids security by minimizing how far signal can reach (i.e., reduces leakage).
• Range given is for receiving w/ omnidirectional antennas; directional antennas give greater range.

Wi-Fi Vuln: Sniffing (cont’d)
“Antenna on the Cheap (er, Chip)” — Rob Flickenger

Wi-Fi Vuln: Sniffing (cont’d)
Same basic principles as sniffing Ethernet.
• Sniffing wireless is easier since no need to physically attach to LAN segment.
• Many password sniffers (e.g., dsniff) work on WLAN since same protocols (telnet, POP3, etc.) still used.
Beyond sniffing: attackers can inject false traffic into a connection, running unintended commands as legitimate user.
Wi-Fi Vuln: Sniffing (cont’d)
If AP is connected to hub rather than network switch, any network traffic across that hub can potentially be broadcast out over the wireless network.
ARP spoofing technique can trick switch into passing data from backbone of subnet and routing it through attacker’s wireless client.
Attacker can trick wireless client into using unauthorized AP with stronger signal.

War-driving
Term from “war-dialing”, which was taken from the movie War Games.
War-driving (-walking, -flying) is driving (walking, flying) around to collect access points.
• Map location (using GPS), MACs, SSIDs, and bandwidth.
• Usually reported to centralized location on Internet.
• Used by many to gain free Internet access.

War-chalking
War-chalking is act of marking sidewalks, walls, etc. with a symbol to indicate that an AP is within range.
War-chalking symbols shown on right.

War-chalking Examples

Wi-Fi Vuln: Jamming
DoS attack for WLANs.
• Same principle as for (wired) LAN.
• Easier to mount than for LAN: need not belong to network.
Attacker floods 2.4GHz band so that signal-to-noise ratio drops so low the Wi-Fi network ceases to function.
May happen accidentally! Cordless phones, baby monitors, Bluetooth, etc. all use same 2.4GHz band.

Wi-Fi Vuln: Insertion Attacks
Based on putting unauthorized devices on Wi-Fi network w/out proper security process / review.
• Attacker tries to connect their wireless client to AP w/out authorization.
• Attacks through renegade AP.
Safeguard: have and follow policy for securely attaching Wi-Fi clients and new APs.

Wi-Fi Vuln: Misconfiguration
By default, APs usually configured w/out any or very little security.
• Misconfigured Server Set IDs (SSID)
• Misconfigured Wired Equivalent Privacy (WEP)
• Misconfigured SNMP for AP management

Wi-Fi Vuln: Misconfigured SSIDs
Server Set ID (SSID) configured w/ default password, differing only by manufacturer.
Can tell manufacturer based on leading digits of MAC address.
Brute force AP’s SSID w/ dictionary attacks.
Need to change SSID whenever employee leaves company.
SSID not encrypted, even when WEP is used!
Disabling broadcast SSID hardly helps at all.

Wi-Fi Vuln: Misconfigured WEP
WEP usually disabled by default.
• Most public WLAN APs, like those at airports, hotels, cafes, etc., never enable WEP.
• Only ~20% of companies seem to use WEP.
• WEP is severely broken anyway (more later).
In some APs, use of WEP is optional even when enabled.
Some manufacturers of APs have default WEP keys which are never changed.

Wi-Fi Vuln: Misconfigured SNMP
Most Wi-Fi base stations support SNMP for AP management.
• Community strings must be changed from defaults. Typically “public” for public community and “private” for private community. Other manufacturers use different, but well-known, community strings.
Same risk applies to wireless clients if they have SNMP enabled.
Many SNMP implementations (still) vulnerable to attack discovered in Feb. 2002 and embodied in PROTOS tool.

Wi-Fi Vuln: Client-to-client Attacks
File sharing and other TCP/IP service attacks
• Previously laptops protected by company firewalls or VPNs. No longer true.
DoS attacks
• Intentional flooding of one client by another.
• Unintentional, from duplicate IP or MAC address.
Hybrid threats: next generation worms / viruses.
IEEE’s WEP Standard
IEEE standard (1999-2000).
Wired Equivalent Privacy (WEP) should have been called Wildly Exceeding Expectations of Privacy (WEEP).
WEP severely broken in several major ways.
WEP uses RC4 as encryption algorithm.
• 40-bit encryption specified by original standard
• Also uses 24-bit IV; sometimes called 64-bit RC4
• 128-bit RC4 (104-bit really) also available

Wi-Fi Insecurity (by Team)
October 2000: Jesse Walker
January 2001: UC Berkeley cryptographers Nikita Borisov, Ian Goldberg, and David Wagner
March 2001: Univ. of Maryland researchers William Arbaugh, Narendar Shankar, and Y.C. Justin Wan
May 2001: William Arbaugh
June 2001: Tim Newsham
August 2001: Scott Fluhrer, Itsik Mantin, and Adi Shamir
February 2002: Arunesh Mishra and W. Arbaugh

Wi-Fi Insecurity (by Attack) (1/6)
IV / key reuse (Walker, Berkeley team, Arbaugh)
• Possible because of small IV space (24 bits) and lack of IV replay protection.
  - IV should be at least same size as key for stream cipher.
  - XOR w/ key instead of concatenating to key.
• Enables statistical attack on ciphertexts w/ replayed IVs.
• Worsened by many HW vendors resetting IV to 0 when NIC powered off.

Wi-Fi Insecurity (by Attack) (2/6)
Known plaintext attacks (Walker, Berkeley team, Arbaugh)
• Lots of known plaintext in IP traffic: ICMP, ARP, TCP ACKs, etc. More in email headers, etc.
• Possible to send “ping” from Internet through AP to snooping attacker.

Wi-Fi Insecurity (by Attack) (3/6)
Partial known plaintext attacks (Berkeley team, Arbaugh)
• Only part of message (plaintext) may be known; e.g., IP header.
• Possible to flip bits in real time and recompute CRC-32, divert traffic to attacker.
  - CRC-32 is linear; no keyed hash.
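Added example (not from the slides) of the 3/6 point above: in a WEP-style frame the CRC-32 ICV is encrypted under the same RC4 keystream as the data, and because CRC-32 is affine over GF(2) a modified frame can be made to pass the ICV check without the key, whereas a keyed MAC (HMAC-SHA256 here, standing in for the keyed message integrity code the slide says WEP lacks) rejects the same change. Key, IV and message values are constructed; the frame layout is a simplification of WEP's.

```python
import hmac, hashlib, struct, zlib

def rc4(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA): n keystream bytes for this key."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR b into a; bytes of a beyond len(b) are left unchanged."""
    return bytes(x ^ y for x, y in zip(a, b)) + a[len(b):]

# The two integrity "tags" under comparison. WEP's ICV is an unkeyed, linear CRC-32;
# the HMAC stands in for the keyed integrity code WEP lacks (not part of WEP's design).
def crc_tag(key, iv, data): return struct.pack("<I", zlib.crc32(data))
def mac_tag(key, iv, data): return hmac.new(key, iv + data, hashlib.sha256).digest()

def encrypt(key: bytes, iv: bytes, data: bytes, tag) -> bytes:
    """WEP-style frame: IV || (data || tag) XOR RC4(IV || key)."""
    body = data + tag(key, iv, data)
    return iv + xor(body, rc4(iv + key, len(body)))

def decrypt(key: bytes, frame: bytes, tag, taglen: int):
    """Plaintext if the tag verifies, else None."""
    body = xor(frame[3:], rc4(frame[:3] + key, len(frame) - 3))
    data, got = body[:-taglen], body[-taglen:]
    return data if hmac.compare_digest(got, tag(key, frame[:3], data)) else None

def flip_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR delta into an intercepted frame's plaintext and patch the encrypted
    ICV without knowing the key. CRC-32 is affine over GF(2):
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zero bytes of the same length)."""
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return frame[:3] + xor(frame[3:], delta + struct.pack("<I", icv_fix))

def demo():
    key, iv = b"\x01\x23\x45\x67\x89", b"\x00\x00\x01"  # 40-bit key, 24-bit IV (constructed)
    msg, forged = b"PAY 100 TO ALICE", b"PAY 900 TO ALICE"
    delta = xor(msg, forged)  # only the bits that differ between the two messages
    wep_out = decrypt(key, flip_without_key(encrypt(key, iv, msg, crc_tag), delta), crc_tag, 4)
    mac_out = decrypt(key, flip_without_key(encrypt(key, iv, msg, mac_tag), delta), mac_tag, 32)
    return wep_out, mac_out  # (b'PAY 900 TO ALICE', None): CRC accepts the forgery, MAC rejects it
```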
Wi-Fi Insecurity (by Attack) (4/6)
Authentication forging (Berkeley team)
• WEP 1.0 encrypts challenge w/ IV chosen by client.
• Recovery of key stream for given IV allows reuse of that IV for forging WEP authentication.
DoS attacks
• Disassociate, reassociate messages not authenticated.

Wi-Fi Insecurity (by Attack) (5/6)
Dictionary attacks
• Possible when WEP keys are derived from passwords.
Real-time decryption (Berkeley team, Arbaugh)
• Repeated IV use (NIC deficiency) and probing allow building IV lookup table for given key.
  - Need 1500 bytes of key stream per IV: 2^24 * 1500 bytes = ~24GB
• Enables decryption of traffic in real time after table computed.

Wi-Fi Insecurity (by Attack) (6/6)
Weakness in RC4 key setup algorithm (Fluhrer, Mantin, & Shamir)
• Completely passive attack; requires collection of sufficient WEP data packets.
• Certain “weak” IVs result in ~5% chance of exposing single byte of key.
• Gathering sufficient # of weak IVs along w/ statistical analysis eventually results in key.
• Tools such as airsnort automate this.

Screen Shot of Airsnort
See http://airsnort.shmoo.com/

Example of Broken WEP
Borisov, Goldberg, and Wagner (Berkeley team) discovered following flaws:
• Passive attacks to decrypt traffic based on statistical analysis.
• Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
• Active attacks to decrypt traffic, based on tricking the access point.
• Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.

Better Luck Next Time? WEP 2
Increase size of IV to 128 bits.
To avoid staleness and repeating key stream, key may be changed periodically via IEEE 802.1X reauthentication.
Still no keyed message integrity code.
Still no IV replay protection.
Still no authentication for reassociate, disassociate messages.
Mandatory support of Kerberos V for IEEE 802.1X.

WEP 2 Security Issues
Known / partial plaintext attacks not affected by larger IV.
• Still possible to recover key streams via ping from Internet.
Authentication forging: not affected.
DoS attacks: not addressed.
Dictionary attack: new attacks based on improper mandatory use of Kerberos V authentication.

WPA: A WEP Replacement
Wi-Fi Protected Access (WPA)
• Temporary solution, forward compatible with 802.11i.
• Includes 802.1X (not a typo), EAP, and TKIP.
• Special “home mode” where no central authorization servers.
• Reviewed by cryptographers!
• Deployment started in early 2003.
802.11i - Longer term solution.

WEP vs. WPA
Encryption
  WEP: Several known severe flaws.
  WPA: Fixes all known WEP encryption flaws.
  WEP: 40 bits.
  WPA: 128 bits.
  WEP: Static keys – same key used by everyone on network.
  WPA: Dynamic keys – per user, per session, and per packet keys.
  WEP: Manual distribution of keys makes changing keys hard.
  WPA: Automatic distribution of keys.
Authentication
  WEP: Flawed; used WEP key itself for authentication.
  WPA: Stronger user authentication using 802.1X and EAP.

Minimizing Wi-Fi Security Risks
• Change your SSID to a strong password and change it periodically.
• Use MAC filtering.
• Set up fake access points (“fakeAP” tool).
• Disable SSID broadcasts.
• Use low power.
• Turn off when not used.
• Map out your own networks.
• Use VPNs if you really need security.
• If possible, wait for 802.11i, else use WPA or 128-bit WEP if available to you.
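Putting the IV sizes from the WEP and WEP 2 slides above into numbers, as an added example that is not part of the deck: the size of the 2^24 * 1500-byte keystream table from slide 5/6, how few random IVs a sender draws before one repeats, how long a sequential IV counter lasts on a saturated 802.11b link, and how WEP 2's 128-bit IV changes those figures but not the missing replay protection. The 1500-byte frame size and the 11 Mbps link rate are assumptions.

```python
import math, random

FRAME_BYTES = 1500  # keystream needed per IV on slide 5/6; assumed as the frame size below

def keystream_table_bytes(iv_bits: int, frame_bytes: int = FRAME_BYTES) -> int:
    """Size of a complete IV -> keystream table for one key (slide: 2^24 * 1500 bytes)."""
    return (1 << iv_bits) * frame_bytes

def frames_until_likely_iv_repeat(iv_bits: int) -> int:
    """Birthday bound: random IVs drawn before a repeat becomes more likely than not."""
    return math.ceil(math.sqrt(2 * (1 << iv_bits) * math.log(2)))

def counter_wrap_seconds(iv_bits: int, link_mbps: float, frame_bytes: int = FRAME_BYTES) -> float:
    """Time for a sequential IV counter to wrap on a link saturated with frames.
    Irrelevant for NICs that reset the counter to 0 at power-up: those reuse the
    low IVs after every reboot, which is the deficiency noted on slide 1/6."""
    frames_per_second = link_mbps * 1e6 / (frame_bytes * 8)
    return (1 << iv_bits) / frames_per_second

def first_random_iv_repeat(iv_bits: int, seed: int) -> int:
    """Simulate a sender drawing random IVs; frame number at which one is first reused.
    Each reuse gives an eavesdropper C1 xor C2 == P1 xor P2 for two frames."""
    rng, seen = random.Random(seed), set()
    for n in range(1, (1 << iv_bits) + 2):
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return n
        seen.add(iv)
    raise AssertionError("unreachable: the pigeonhole principle forces a repeat")

def compare(link_mbps: float = 11.0) -> dict:
    """WEP's 24-bit IV beside WEP 2's proposed 128-bit IV at the 802.11b rate.
    Only the IV-collision figures change; a larger IV adds no replay protection."""
    out = {}
    for name, bits in (("WEP", 24), ("WEP 2", 128)):
        out[name] = {
            "table_gib": keystream_table_bytes(bits) / 2**30,
            "frames_to_likely_repeat": frames_until_likely_iv_repeat(bits),
            "counter_wrap_hours": counter_wrap_seconds(bits, link_mbps) / 3600,
        }
    return out
```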
Wireless Security Tools
• airsnort
• netstumbler
• kismet
• wepcrack
• fakeap
See http://www.networkintrusion.co.uk/wireless.htm for more complete list.

Wi-Fi References
http://www.wifimaps.com/ -- interactive maps of wireless access points across the globe; search by city / state or SSID.
http://www.iss.net/wireless/WLAN_FAQ.php -- FAQ on Wi-Fi security problems.
http://www.cs.umd.edu/~waa/wireless.html -- list of 802.11b security vulnerabilities, including WEP.