Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security concerns in Wireless LAN Guðbjarni Guðmundsson.

Similar presentations

Presentation on theme: "Security concerns in Wireless LAN Guðbjarni Guðmundsson."— Presentation transcript:

1 Security concerns in Wireless LAN Guðbjarni Guðmundsson

2 Wireless Technologies LAN (Local Area Network) PAN (Personal Area Network) WAN (Wide Area Network) MAN (Metropolitan Area Network) PANLANMANWAN StandardsBluetooth802.11HiperLAN2802.11802.16 GSM, GPRS, CDMA, 1xRTT, 3G Speed < 1Mbps 11 to 54 Mbps 11 to 100+ Mbps 10 to 384Kbps RangeShortMediumMedium-LongLong ApplicationsPeer-to-PeerDevice-to-Device Enterprise networks T1 replacement, last mile access Mobile Phones, cellular data

3 Momentum is Building in Wireless LANs Wireless LANs are an addictive technology Strong commitment to Wireless LANs by technology heavy-weights –Cisco, IBM, HP, Intel, Microsoft Embedded market is growing –Laptop PCs with wireless inside –Also PDAs, phones, printers, etc. The WLAN market is expanding from Industry-Specific Applications, to broad-based applications in Universities, Homes, & Offices

4 WLAN Security Hierarchy Virtual Private Network (VPN) No Encryption, Basic Authentication Public Hotspots Open Access 40-bit or 128-bit Static WEP Encryption Home Use Basic Security 802.1x, TKIP/WPA Encryption, Mutual Authentication, Scalable Key Mgmt., etc. Business Enhanced Security Remote Access Business Traveler, Telecommuter

5 Hacking into WEP Wireless LAN Security Concerns: 3 Key Vulnerabilities Credit: KNTV San Jose War Driving Employees

6 1. Concern for Enterprise about Wireless: Security Source: WSJ, 2/5/01 Hacking into WEP

7 Papers on WEP Weaknesses University of California, Berkeley University of Maryland Scott Fluhrer, Itsik Mantin, and Adi Shamir Feb. 2001 April 2001 July 2001 Focuses on static WEP; discusses need for key management Focuses on authentication; identifies flaws in one vendors proprietary scheme Focuses on inherent weaknesses in RC4; describes pragmatic attacks against RC4/WEP * In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from the attacks we describe… - University of California, Berkeley report on WEP security, faq.html

8 AirSnort Weak IV Attack Initialization vector (IV) is 24-bit field that changes with each packet RC4 Key Scheduling Algorithm creates IV from base key Flaw in WEP implementation of RC4 allows creation of weak IVs that give insight into base key More packets = more weak IVs = better chance to determine base key To break key, hacker needs 100,000-1,000,000 packets IVencrypted dataICV WEP frame dest addr src addr

9 Bit-Flipping and Replay Attack Hacker intercepts WEP-encrypted packet Hacker flips bits in packet and recalculates ICV CRC32 Hacker transmits to AP bit-flipped frame with known IV Because CRC32 is correct, AP accepts, forwards frame Layer 3 device rejects and sends predictable response AP encrypts response and sends it to hacker Hacker uses response to derive key (stream cipher) message XOR plain text 1234 stream cipher XXYYZZ cipher text XOR 1234 stream cipher message predicted plain text

10 WEP hacked Wireless networks can therefor be vulnerable hit-and-run attacks carried out with laptops attackers cant be traced

11 2. Concern for Enterprise about Wireless: Security Source: WSJ, 2/5/01 War Driving

12 News Clip: Hackers hit the Streets White Hat Hackers search for vulnerable wireless LANs Over 900 companies identified in a single area Credit: KNTV San Jose

13 War Driving Originally, WarDriving was when crackers drove around in a car equipped with wireless gear looking for unsecured wireless networks, to gain illicit access. Over time, the term has evolved to include harmless types that simply looking for free internet access.

14 What are needed for war driving –Device capable of receiving 802.11b signal. Capable of moving around. –Software that will log data from the device. NetStumbler Over time, you can build up a database comprised of the network name, signal strength, location, and ip/namespace in use. War Driving cont.

15 Netstumbler Screenshot


17 How is the situation in Iceland? (War Driving) Less than 1 hours drive –10 Open wireless networks found 2 Homes 2 School 6 Companies SSID gave ALWAYS indication of who owned the network –Except homes (default SSID of AP) 50% gave IP-address via DHCP –Open Access

18 3. Concern for Enterprise about Wireless: Security Source: WSJ, 2/5/01 Employees

19 Who Installs Rogue APs? Focus on the Frustrated Insider Frustrated Insider: Employee that installs wireless AP in order to benefit from increased efficiency and convenience it offers Common because of wide availability of low cost APs Usually ignorant of AP security configuration, default configuration most common Malicious Hacker : Penetrates physical security specifically to install a rogue AP Can customize AP to hide it from detection tools Hard to detectmore effective to prevent via 802.1X and physical security More likely to install LINUX box than an AP Jones from Accounting >99.9% of Rogue APs James Bond <.1% of Rogue APs

20 3 Steps to Solving the Rogue AP Problem Step 1: Prevent –Physical Security (prevent unauthorized access to the bldg.) –Develop a company-wide WLAN Policy –Install an IT-sanctioned WLAN Step 2: Detect –Intermittent checking with portable wireless sniffers AirMagnet, NetStumbler, Sniffer, WildPackets, etc. –Continuous Monitoring with WLAN management tools –Engage APs & Clients in the hunt Step 3: Eliminate –Locate the Rogue AP, and physically remove it Rogue AP

21 Wireless LAN Security: Lessons War Driving Hacking into WEP Lessons: Security must be turned on (part of the installation process) Employees will install WLAN equipment on their own (compromises security of your entire network) WEP keys can be easily broken (businesses need better security) Employees

22 WLAN Security White Papers To download these White Papers, go to: Wireless LAN Security & the Cisco Wireless Security Suite SAFE for Wireless (updated Mar.03)

Download ppt "Security concerns in Wireless LAN Guðbjarni Guðmundsson."

Similar presentations

Ads by Google