Wireless Insecurity By: No’eau Kamakani Robert Whitmire
Outline: Background, Security Features, Attacks, Demonstrations, Conclusion
Background
Wireless Definitions: 802 = LANs (Local Area Network); 11 = Wireless. WiFi: Wireless Fidelity. Hotspots: Connection point for a WiFi network hardwired to the Internet.
How Does It Work? Transmits over radio frequency: 2.4 – GHz; 5 GHz range. Channels (for B and G): Direct Sequence Spread Spectrum; USA 1-11; Europe 1-13; Japan 1-14.
Protocols
Products
Why go wireless: Infrastructure easy: Goes thru walls, no wiring. Portability and Flexibility: Access from anywhere. Interoperability: Compatible with all WiFi products certified by Wireless Ethernet Compatibility Alliance (WECA). Increased Productivity: Endless connectivity.
Security
WEP: Wired Equivalent Privacy. Secret Key for encrypting data: Shared between mobile card and access point; bits (includes IV). Initialization Vector (IV): 24 bit, randomly generated; Sent in clear text; Finite.
RC4 Encryption Algorithm: Stream cipher: Generates infinite pseudo-random keystream. Keystream generated with key and IV: XOR’ed with message and Checksum to generate ciphertext; Receiver generates same keystream and XOR’s with ciphertext to get message and checksum.
Visualizing RC4
CRC-32 Checksum: Linear Checksum algorithm: Integrity checking; A bit in message correlates directly to set of checksum bits.
WEP Vulnerabilities: Relies on flawed encryption method: RC4 is crackable through statistical analysis; IV’s collisions, calculate key from this; Checksum is predictable. IV implemented incorrectly. Better than nothing: Not on as default; Not end all security measure. Easily Crackable (AirSnort).
WPA: WiFi Protected Access. Latest snapshot of i: Explained later. Rotating Keys: Temporal Key Integrity Protocol. Increased IV (24-48 bits). Checksum. Order of magnitude harder to crack.
802.1X: User not Machine Authentication. Supposed to provide a vendor-independent way to control access. Authentication through EAP (Extensible Authentication Protocol): Tokens, Kerberos, one-time passwords, certificates, etc.
Other Security Attempts: i: IEEE attempt to provide strong security; Dynamically updating WEP Key; Not complete. VPN: Providing security through VPN tunneling protocols; Compatibility issues, better than WEP but not universal solution. MAC Filtering: MAC addresses sent in clear; Easy to sniff; Easy to spoof.
Attacks: Passive attack to decrypt traffic: Waits for keystream collision; Gets XOR; Statistically reveals plain text. Active attack to inject traffic: RC4(X) xor X xor Y = RC4(Y). Unauthorized Access Points on a Network: Attacker set up own access point on network effectively circumventing security measures; Resetting access points to default.
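Added example (not part of the original slides): a small WEP-style model showing the two properties the slides rely on, that a repeated IV repeats the keystream, and that the linear CRC-32 checksum under a stream cipher does not detect changes to the ciphertext. The key, IV, messages and function names are constructed for illustration; a 40-bit key is assumed.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    """CRC-32 integrity check value, as WEP appends to the message."""
    return zlib.crc32(msg).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """Clear-text IV, then (message + checksum) XOR RC4(IV + key)."""
    body = msg + icv(msg)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_open(key: bytes, frame: bytes):
    """Return the message if the checksum verifies, else None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def altered_frame(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the hidden message and fix the checksum without the key.
    CRC-32 is linear: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros)."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + fix)

# Constructed sample data (not from the slides): 40-bit key, 24-bit IV.
KEY, IV = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"
A, B = b"temp=021 unit=C", b"temp=980 unit=F"
FA, FB = wep_seal(IV, KEY, A), wep_seal(IV, KEY, B)
# Same IV => same keystream => the ciphertext XOR equals the plaintext XOR.
LEAK = xor(FA[3:], FB[3:])[:len(A)]
# A changed ciphertext still passes the checksum after the linear fix-up.
TAMPERED = wep_open(KEY, altered_frame(FA, xor(A, B)))
```

Both results hold for any key, which is why WPA's per-packet keys and larger IV, listed on the WPA slide, address the reuse problem rather than a longer WEP key.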
Fun Demonstrations
War Driving
War Driving Silicon Valley
War Spying: Also called Warviewing. 2.4 GHz wireless Cameras. Gear.
Conclusion: WEP is better than nothing. Never settle for default settings. Base protection level on sensitivity of data. Provide backup network protection. Remember, anyone can sniff your wireless network.
Questions?