Wireless (In)Security or Why You Will WEEP When You Learn


Wireless (In)Security or Why You Will WEEP When You Learn About WEP
http://www.wowway.com/~kwwall/presentations/security/cocacm-20040218.ppt
Kevin W. Wall
Staff Software Engineer
Qwest IT
[email protected]
IEEE Wireless Standards

• IEEE 802.11 standards
  - A.K.A.: Wireless LAN (WLAN) & Wi-Fi
  - 802.11b was the original standard
    - Transmits up to 11 Mbps
    - Operates at a frequency of 2.4 GHz
    - Typical range of ~300 feet
  - 802.11a is its successor
    - Transmits up to 54 Mbps
    - Operates at a frequency of 5 GHz
    - Shorter range; ~60-70 feet
  - 802.11g
    - Up to 54 Mbps, but at 2.4 GHz (compatible w/ 802.11b)
    - Added security; fixes some problems w/ WEP
  - 802.11i: coming RSN
• Wired Equivalent Privacy (WEP) provides security for these first three.
Copyright © 2004 - Kevin Wall All Rights Reserved.
Wi-Fi Security Vulnerabilities

• Interception and sniffing of wireless traffic
• Jamming
• Insertion attacks
• Misconfiguration
• Client-to-client attacks
Wi-Fi Vulnerabilities: Sniffing

• All wireless standards (802.11, Bluetooth, etc.) are broadcast networks.
• An intruder must be in range of the signal to intercept it.
  - A properly selected / positioned antenna aids security by minimizing how far the signal can reach (i.e., reduces leakage).
  - Ranges given are for receiving w/ omnidirectional antennas; directional antennas give greater range.
Wi-Fi Vuln: Sniffing (cont’d)

“Antenna on the Cheap (er, Chip)” — Rob Flickenger
Wi-Fi Vuln: Sniffing (cont’d)

• Same basic principles as sniffing Ethernet.
  - Sniffing wireless is easier since there is no need to physically attach to the LAN segment.
  - Many password sniffers (e.g., dsniff) work on a WLAN since the same protocols (telnet, POP3, etc.) are still used.
• Beyond sniffing: attackers can inject false traffic into a connection, running unintended commands as a legitimate user.
Wi-Fi Vuln: Sniffing (cont’d)

• If the AP is connected to a hub rather than a network switch, any network traffic across that hub can potentially be broadcast out over the wireless network.
• ARP spoofing techniques can trick a switch into passing data from the backbone of the subnet and routing it through the attacker’s wireless client.
• An attacker can trick a wireless client into using an unauthorized AP with a stronger signal.
War-driving

• Term comes from “war-dialing”, which was taken from the movie War Games.
• War-driving (-walking, -flying) is driving (walking, flying) around to collect access points.
  - Map location (using GPS), MACs, SSIDs, and bandwidth.
  - Usually reported to a centralized location on the Internet.
  - Used by many to gain free Internet access.
War-chalking

• War-chalking is the act of marking sidewalks, walls, etc. with a symbol to indicate that an AP is within range.
• War-chalking symbols shown on right.

War-chalking Examples
Wi-Fi Vuln: Jamming

• DoS attack for WLANs.
  - Same principle as for a (wired) LAN.
  - Easier to mount than for a LAN; the attacker need not belong to the network.
• Attacker floods the 2.4 GHz band so that the signal-to-noise ratio drops so low that the Wi-Fi network ceases to function.
• May happen accidentally! Cordless phones, baby monitors, Bluetooth, etc. all use the same 2.4 GHz band.
Wi-Fi Vuln: Insertion Attacks

• Based on putting unauthorized devices on the Wi-Fi network w/out proper security process / review.
  - Attacker tries to connect their wireless client to an AP w/out authorization.
  - Attacks through a renegade AP.
• Safeguard: have and follow a policy for securely attaching Wi-Fi clients and new APs.
Wi-Fi Vuln: Misconfiguration

• By default, APs are usually configured w/out any or with very little security.
  - Misconfigured Service Set IDs (SSID)
  - Misconfigured Wired Equivalent Privacy (WEP)
  - Misconfigured SNMP for AP management
Wi-Fi Vuln: Misconfigured SSIDs

• Service Set ID (SSID) configured w/ a default password, differing only by manufacturer. Can tell the manufacturer based on the leading digits of the MAC address.
• Brute force the AP’s SSID w/ dictionary attacks.
• Need to change the SSID whenever an employee leaves the company.
• SSID is not encrypted, even when WEP is used!
• Disabling SSID broadcast hardly helps at all.
Wi-Fi Vuln: Misconfigured WEP

• WEP is usually disabled by default.
  - Most public WLAN APs like those at airports, hotels, cafes, etc. never enable WEP.
  - Only ~20% of companies seem to use WEP.
  - WEP is severely broken anyway (more later).
• In some APs, use of WEP is optional even when enabled.
• Some manufacturers of APs have default WEP keys which are never changed.
Wi-Fi Vuln: Misconfigured SNMP

• Most Wi-Fi base stations support SNMP for AP management.
  - Community strings must be changed from the defaults.
    - Typically “public” for the public community and “private” for the private community.
    - Other manufacturers use different, but well-known, community strings.
• The same risk applies to wireless clients if they have SNMP enabled.
• Many SNMP implementations are (still) vulnerable to the attack discovered in Feb. 2002 and embodied in the PROTOS tool.
Wi-Fi Vuln: Client-to-client Attacks

• File sharing and other TCP/IP service attacks
  - Previously laptops were protected by company firewalls or VPNs. No longer true.
• DoS attacks
  - Intentional flooding of one client by another.
  - Unintentional, from duplicate IP or MAC addresses.
• Hybrid threats: next-generation worms / viruses.
IEEE’s WEP Standard

• IEEE standard (1999-2000)
• Wired Equivalent Privacy (WEP) should have been called Wildly Exceeding Expectations of Privacy (WEEP). WEP is severely broken in several major ways.
• WEP uses RC4 as its encryption algorithm.
  - 40-bit encryption specified by the original standard
  - Also uses a 24-bit IV; sometimes called 64-bit RC4
  - 128-bit RC4 (104-bit key really) also available.
Wi-Fi Insecurity (by Team)

• October 2000: Jesse Walker
• January 2001: UC Berkeley cryptographers Nikita Borisov, Ian Goldberg, and David Wagner
• March 2001: Univ. of Maryland researchers William Arbaugh, Narendar Shankar, and Y.C. Justin Wan
• May 2001: William Arbaugh
• June 2001: Tim Newsham
• August 2001: Scott Fluhrer, Itsik Mantin, and Adi Shamir
• February 2002: Arunesh Mishra and W. Arbaugh
Wi-Fi Insecurity (by Attack) (1/6)

• IV / key reuse (Walker, Berkeley team, Arbaugh)
  - Possible because of the small IV space (24 bits) and lack of IV replay protection.
    - IV should be at least the same size as the key for a stream cipher.
    - IV should be XORed w/ the key instead of concatenated to the key.
  - Enables statistical attack on ciphertexts w/ replayed IVs.
  - Worsened by many HW vendors resetting the IV to 0 when the NIC is powered off.
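As an added illustration (not part of the presentation) of why a 24-bit IV concatenated to a static key is too small: the model below implements plain RC4 and WEP's per-packet key construction (IV || shared key), shows that two frames sent under the same IV leak the XOR of their plaintexts whatever the key is, and computes the birthday bound for how many frames it takes before an IV repeat is expected. The key, IV and frame payloads are constructed sample values; the functions are written for this example and are not the presentation's or any vendor's code.

```python
# Added example (not from the presentation): minimal model of WEP's RC4 keystream
# construction, showing why a 24-bit IV concatenated to a static key is too small.
# Two frames sent under the same IV share a keystream, so XORing their
# ciphertexts cancels the key and leaves the XOR of the plaintexts.
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || shared key (3 + 5 bytes for 40-bit WEP)."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))

def same_iv_leak(iv: bytes, key: bytes, p1: bytes, p2: bytes) -> bytes:
    """C1 XOR C2 for two frames under one IV; equals P1 XOR P2 whatever the key."""
    return xor_bytes(wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2))

def birthday_frames(iv_bits: int = 24, prob: float = 0.5) -> int:
    """Frames after which an IV repeat is expected with probability `prob`."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit shared key
    iv = b"\x00\x00\x00"  # many NICs reset the IV to 0 at power-on
    p1 = b"GET /index.html HTTP/1.0"  # constructed frame payloads
    p2 = b"POST /login.cgi HTTP/1.0"
    print(same_iv_leak(iv, key, p1, p2) == xor_bytes(p1, p2))  # True
    print(birthday_frames())  # 4823 frames for a 24-bit IV at 50% probability
```

A 50% chance of a repeated IV after a few thousand frames, on a busy AP, means seconds rather than hours, which is why the slide calls the 24-bit IV space small.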
Wi-Fi Insecurity (by Attack) (2/6)

• Known plaintext attacks (Walker, Berkeley team, Arbaugh)
  - Lots of known plaintext in IP traffic: ICMP, ARP, TCP ACKs, etc. More in email headers, etc.
  - Possible to send a “ping” from the Internet through the AP to a snooping attacker.
Wi-Fi Insecurity (by Attack) (3/6)

• Partial known plaintext attacks (Berkeley team, Arbaugh)
  - Only part of the message (plaintext) may be known; e.g., the IP header.
  - Possible to flip bits in real time and recompute the CRC-32, diverting traffic to the attacker.
• CRC-32 is linear; there is no keyed hash.
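An added example (not from the presentation) of the property the slide relies on, and of what the later "still no keyed message integrity code" point means: CRC-32 is linear over GF(2), so the change in the ICV produced by flipping a given set of bits is the same for every message, whereas a keyed MAC such as HMAC-SHA256 has no such structure. The sample packets, delta and key are constructed values.

```python
# Added example (not from the presentation): why WEP's CRC-32 ICV gives no
# integrity protection. CRC-32 is linear over GF(2), so the ICV change caused
# by flipping a set of bits depends only on WHICH bits flip, never on the
# (unknown) message content. A keyed MAC (HMAC-SHA256 here) has no such property.
import hashlib
import hmac
import zlib

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_is_linear(msg: bytes, delta: bytes) -> bool:
    """crc(m XOR d) == crc(m) XOR crc(d) XOR crc(0..0), all of equal length."""
    zeros = bytes(len(msg))
    lhs = crc32(xor_bytes(msg, delta))
    rhs = crc32(msg) ^ crc32(delta) ^ crc32(zeros)
    return lhs == rhs

def crc_delta_is_message_independent(m1: bytes, m2: bytes, delta: bytes) -> bool:
    """The CRC change from applying `delta` is the same for any message."""
    d1 = crc32(xor_bytes(m1, delta)) ^ crc32(m1)
    d2 = crc32(xor_bytes(m2, delta)) ^ crc32(m2)
    return d1 == d2

def hmac_is_linear(key: bytes, msg: bytes, delta: bytes) -> bool:
    """Same identity tested against HMAC-SHA256; it fails, as a MAC should."""
    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()
    zeros = bytes(len(msg))
    lhs = tag(xor_bytes(msg, delta))
    rhs = xor_bytes(xor_bytes(tag(msg), tag(delta)), tag(zeros))
    return lhs == rhs

if __name__ == "__main__":
    # Constructed sample "packets" and a delta that flips one bit of a field.
    m1 = b"src=10.0.0.5 dst=10.0.0.9 data=hello"
    m2 = b"src=10.0.0.7 dst=10.0.0.2 data=world"
    delta = bytes(4) + b"\x01" + bytes(len(m1) - 5)
    print(crc_is_linear(m1, delta))  # True
    print(crc_delta_is_message_independent(m1, m2, delta))  # True
    print(hmac_is_linear(b"constructed-key", m1, delta))  # False
```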
Wi-Fi Insecurity (by Attack) (4/6)

• Authentication forging (Berkeley team)
  - WEP 1.0 encrypts the challenge w/ an IV chosen by the client.
  - Recovery of the key stream for a given IV allows reuse of that IV for forging WEP authentication.
• DoS attacks
  - Disassociate and reassociate messages are not authenticated.
Wi-Fi Insecurity (by Attack) (5/6)

• Dictionary attacks
  - Possible when WEP keys are derived from passwords.
• Real-time decryption (Berkeley team, Arbaugh)
  - Repeated IV use (NIC deficiency) and probing allow building an IV lookup table for a given key.
    - Need 1500 bytes of key stream per IV
    - 2^24 * 1500 bytes = ~24 GB
  - Enables decryption of traffic in real time after the table is computed.
Wi-Fi Insecurity (by Attack) (6/6)

• Weakness in the RC4 key setup algorithm (Fluhrer, Mantin, & Shamir)
  - Completely passive attack; requires collection of sufficient WEP data packets.
  - Certain “weak” IVs result in a ~5% chance of exposing a single byte of the key.
  - Gathering a sufficient # of weak IVs along w/ statistical analysis eventually yields the key.
  - Tools such as airsnort automate this.
Screen Shot of Airsnort

See http://airsnort.shmoo.com/
Example of Broken WEP

• Borisov, Goldberg, and Wagner (Berkeley team) discovered the following flaws:
  - Passive attacks to decrypt traffic based on statistical analysis.
  - Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
  - Active attacks to decrypt traffic, based on tricking the access point.
  - Dictionary-building attack that, after analysis of about a day’s worth of traffic, allows real-time automated decryption of all traffic.
Better Luck Next Time? WEP 2

• Increase the size of the IV to 128 bits.
• To avoid staleness and a repeating key stream, the key may be changed periodically via IEEE 802.1X reauthentication.
• Still no keyed message integrity code.
• Still no IV replay protection.
• Still no authentication for reassociate / disassociate messages.
• Mandatory support of Kerberos V for IEEE 802.1X.
WEP 2 Security Issues

• Known / partial plaintext attacks are not affected by the larger IV.
  - Still possible to recover key streams via ping from the Internet.
• Authentication forging: not affected.
• DoS attacks: not addressed.
• Dictionary attack: new attacks based on improper mandatory use of Kerberos V authentication.
WPA: A WEP Replacement

• Wi-Fi Protected Access (WPA)
  - Temporary solution, forward compatible with 802.11i.
  - Includes 802.1X (not a typo), EAP, and TKIP.
  - Special “home mode” where there are no central authorization servers.
  - Reviewed by cryptographers!
  - Deployment started in early 2003.
• 802.11i: the longer-term solution.
WEP vs. WPA

                 WEP                                     WPA
Encryption       Several known severe flaws.             Fixes all known WEP encryption flaws.
                 40 bits                                 128 bits
                 Static keys – same key used by          Dynamic keys – per user, per session,
                 everyone on the network.                and per packet keys.
                 Manual distribution of keys makes       Automatic distribution of keys.
                 changing keys hard.
Authentication   Flawed; used the WEP key itself         Stronger user authentication using
                 for authentication.                     802.1X and EAP.
Minimizing Wi-Fi Security Risks

• Change your SSID to a strong password and change it periodically.
• Use MAC filtering.
• Set up fake access points (“fakeAP” tool).
• Disable SSID broadcasts.
• Use low power. Turn off when not in use.
• Map out your own networks.
• Use VPNs if you really need security.
• If possible, wait for 802.11i; else use WPA, or 128-bit WEP if that is what is available to you.
Wireless Security Tools

• airsnort
• netstumbler
• kismet
• wepcrack
• fakeap

See http://www.networkintrusion.co.uk/wireless.htm for a more complete list.
Wi-Fi References

• http://www.wifimaps.com/ -- interactive maps of wireless access points across the globe; search by city / state or SSID.
• http://www.iss.net/wireless/WLAN_FAQ.php -- FAQ on Wi-Fi security problems.
• http://www.cs.umd.edu/~waa/wireless.html -- list of 802.11b security vulnerabilities, including WEP.