Wireless LAN Security - PowerPoint PPT Presentation

Slides: 38
Provided by: teohon
Transcript and Presenter's Notes

Title: Wireless LAN Security


1
Wireless LAN Security
  • Teo Hong Siang
  • Computer Security Lab
  • DSO National Laboratories

2
Personal intro
  • Wireless security
    • e.g. Bluetooth, WLAN, 3G
  • Broadband security
    • e.g. cable, ADSL
  • Computer forensics
  • Visit CSL @ http://security.dso.org.sg
  • Visit SIG2 @ http://www.security.org.sg

3
Agenda
  • Quick 802.11 standards overview
  • 802.11 baseline security features
  • Basic security concerns
  • Recent developments
  • The end of WEP?
  • What can be done?
  • Other security considerations
  • Summary

4
802.11 standards overview
  • IEEE 802.11
    • 802.11a
    • 802.11b
    • 802.11i
    • 802.11h
    • 802.11d
    • 802.11e
    • 802.11f
    • 802.11g
5
802.11 standards
  • Original 802.11, circa 1999
    • FHSS, DSSS, IR
    • 1 & 2 Mbps
    • Wired Equivalent Privacy (WEP)
    • SNMP v2 for remote management
  • 802.11b (shortly after 802.11)
    • DSSS
    • 1, 2, 5.5 & 11 Mbps, Complementary Code Keying (CCK)

6
802.11 standards
  • 802.11a (approved same time as .11b)
    • 6, 9, 12, 18, 24, 36, 48, 54 Mbps
    • Only 6, 12, 24 Mbps support is mandatory
    • 5 GHz UNII band (not universally free)

7
802.11 standards
  • 802.11c (completed, subsumed into d)
    • Bridge operation
  • 802.11d (ongoing)
    • Specs for other regulatory domains
  • 802.11e (ongoing)
    • QoS (Security moved to 802.11i (May 2001))
  • 802.11f (ongoing)
    • Inter Access Point interoperability

8
802.11 standards
  • 802.11g (ongoing)
    • high-speed extension to 802.11b, > 20 Mbps
    • Just approved!
  • 802.11h (ongoing)
    • improvement to 802.11a, w.r.t. power and spectrum management
  • 802.11i (ongoing)
    • security enhancements

9
Baseline security features
  • Wired Equivalent Privacy
    • shared 40/128 bit key
    • static, i.e. not designed to change often
    • RC4 stream cipher
  • Myth: a Wireless LAN segment only has 1 shared key
    • This is false - any AP/client can be configured to handle up to 4 keys

10
Baseline security features
  • Mutual authentication
    • Open, i.e. null
    • Shared key (if WEP is enabled), MS-CHAP style challenge and response
  • Access control list at AP
    • based on MAC addresses of WLAN cards
  • Service set ID (SSID)
    • secret word that identifies a WLAN segment

11
Basic security concerns
  • Sniffing tools are easily available
  • Freeware
    • Ethereal + Prism II card
    • Now can capture raw encrypted packets
  • Commercial tools
    • WildPackets AiroPeek (US$2.5K)
    • NAI Sniffer Wireless (US$20K)

12
Basic security concerns
  • SSID is not a security feature
    • transmitted in the clear in beacon frames
    • specs say that clients can set it as a null string
    • (does not work for Cisco products though)
  • AP Access Control List can be easily bypassed
    • MAC addresses can be sniffed from the air
    • a client's MAC address can be easily spoofed

13
Basic security concerns
  • Impractical to stop RF signals from propagating beyond your premises
    • Parking lot attack, war-driving
  • Poorly configured networks can be woefully exposed
  • Hackers can be highly stealthy, guerrilla warfare style
  • That's the reason for WEP

14
Basic security concerns
  • Besides the WEP key, no other credentials are required to access the WLAN
  • Difficult to manage a shared WEP key in large deployments
    • keys are seldom changed, manual process
    • If a WLAN card is stolen, have to reconfigure all other WLAN cards configured with that same WEP key

15
Basic security concerns
  • The shared static key feature of WEP is the centre of attention in the security community
  • Subsequent developments focused on this

16
Some recent developments
  • University of Berkeley Paper
  • University of Maryland Paper
  • Fluhrer/Mantin/Shamir Paper
  • Stubblefield implementation of F/M/S attack
  • AirSnort and WEPCrack

17
University of Berkeley Paper
  • "Intercepting Mobile Communications: The Insecurity of 802.11", Borisov et al., Jan 2001
  • http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf
  • Key weakness identified: single shared static WEP key.

18
University of Berkeley Paper
  • 2 of the attack scenarios are feasible
    • Keystream reuse, due to IV collision and static WEP key, can lead to a dictionary-based known-plaintext attack to recover the key
    • Message injection without the key, using a previously recovered keystream. The same IV is used, but the AP doesn't care.
  • Attack requires significant time & resources
    • not trivial, but possible

19
University of Maryland Paper
  • "Your 802.11 Wireless Network has No Clothes", W. A. Arbaugh et al., Mar 2001.
  • http://www.cs.umd.edu/~waa/wireless.pdf
  • Main contribution - Eavesdropping attack on Shared Key Authentication
    • can authenticate with AP without knowing the WEP key
    • but still don't know the WEP key, i.e. cannot access the network further

20
Fluhrer/Mantin/Shamir Paper
  • This is the bomb.
  • "Weaknesses in the Key Scheduling Algorithm of RC4", August 2001
  • http://www.eyetap.org/rguerra/toronto2001/rc4_ksaproc.pdf
  • RC4 key = secret key + IV
  • Certain IVs result in creation of weak keys

21
Fluhrer/Mantin/Shamir Paper
  • Attacks RC4, not WEP-specific
  • Totally passive attack
  • Scales linearly with increased key length
  • Paper claims est. 4 million packets required
    • at full load 11 Mbps, avg 1 KB packets, time taken 3000 seconds < 1 hr.
  • Negligible computational power
    • Key recovery is instantaneous

22
Stubblefield implementation
  • "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP", August 2001.
  • http://www.cs.rice.edu/~astubble/wep/
  • What is needed
    • Linksys card (Prism II chipset) US$100
    • Linux + Ethereal + linux-wlan-ng patch: $0
  • Est. 6 million packets needed
    • i.e. a few hours on a moderately loaded network

23
Airsnort and WEPCrack
  • Freely available tools that implement the F/M/S attack
    • http://airsnort.sourceforge.net
    • http://wepcrack.sourceforge.net
  • Ethereal + Prism II card + some driver patches are all that is needed
    • practically 0 barrier to entry

24
The end of WEP?
  • Need to read beyond the hype
  • Reports of 15 mins or thereabouts are exaggerated, or extremely lucky
    • Original paper quoted 4 mil packets
    • Subsequent paper quoted 6 mil packets
    • we estimate half of the 2^24 IV space, i.e. ~8 mil packets
  • A few hours is more realistic
    • still impressive for 128-bit encryption!

25
The end of WEP?
  • Undeniable fact: WEP in its current form is not secure
    • Tools are available, cost is 0
  • Security issues are now better understood
    • no false sense of security -> a good thing
  • Vendors have always advocated that higher level security is needed anyway
    • e.g. VPN, IPSec, SSH

26
The end of WEP?
  • Central theme - single shared static WEP key is
    the weakness
  • Dynamic WEP keying is needed to address this
    problem
  • F/M/S attack is powerful, but there is a limit to how fast the attack can be
    • depends on number of sniffed packets, not computational power

27
The end of WEP?
  • If keys are refreshed quickly enough, F/M/S
    attack can be mitigated
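As an added example (not from the slides, and not any vendor's or tool's code), the following Python models WEP's per-packet RC4 keying to show two points made above: slide 18's keystream reuse under an IV collision, and slides 21 and 27's packets-to-time estimate that a key refresh interval has to beat. RC4 is the public algorithm; the WEP key, IV and frame contents are constructed values, and the rekey-margin policy in `max_key_lifetime` is an assumption for illustration.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (public algorithm): key scheduling (KSA), then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key = 24-bit IV prepended to the static shared secret."""
    assert len(iv) == 3
    ks = rc4_keystream(iv + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def reuse_reveals_xor(secret, iv_a, iv_b, msg_a, msg_b) -> bool:
    """True iff C_a XOR C_b == P_a XOR P_b, i.e. the keystream cancelled out.
    With a static key that happens exactly when the two frames share an IV."""
    c_a, c_b = wep_encrypt(secret, iv_a, msg_a), wep_encrypt(secret, iv_b, msg_b)
    return xor_bytes(c_a, c_b) == xor_bytes(msg_a, msg_b)

def expected_packets_to_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: random IVs from a 2^iv_bits space first repeat after ~sqrt(pi/2 * 2^bits) frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

def seconds_to_collect(packets: int, link_mbps: float, avg_pkt_bytes: int) -> float:
    """Time for a passive observer to see `packets` frames on a fully loaded link (slide 21's estimate)."""
    return packets * avg_pkt_bytes * 8 / (link_mbps * 1e6)

def max_key_lifetime(packets_needed: int, link_mbps: float, avg_pkt_bytes: int, margin: float = 0.1) -> float:
    """Assumed rekey policy: no key stays in use for more than `margin` of the time the attack needs."""
    return margin * seconds_to_collect(packets_needed, link_mbps, avg_pkt_bytes)

SECRET = bytes.fromhex("0102030405")           # constructed 40-bit WEP key
IV = b"\xa1\xb2\xc3"                            # constructed 24-bit IV
PA, PB = b"user=alice;seq=0001", b"user=bobby;seq=0002"   # constructed equal-length frames
if __name__ == "__main__":
    print(reuse_reveals_xor(SECRET, IV, IV, PA, PB))               # True: IV collision leaks P_a XOR P_b
    print(reuse_reveals_xor(SECRET, IV, b"\xa1\xb2\xc4", PA, PB))  # False: fresh IV, fresh keystream
    print(round(expected_packets_to_iv_repeat()), round(seconds_to_collect(4_000_000, 11, 1024)))
```

With the slide's own figures (4 million packets, 11 Mbps, 1 KB frames) the collection time comes out near 3000 seconds, so a rekey interval of a few minutes keeps any single key well short of that budget.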

28
What can be done?
  • WEP Enhancements
  • VPN
  • Application level, e.g. SSH
  • developments in standards

29
WEP Enhancements
  • 2 fundamental problems with WEP
    • Shared, static key
    • RC4 weakness that creates weak keys
  • Cisco's solution
  • Orinoco's solution

30
Cisco's solution
  • LEAP - Lightweight Extensible Authentication Protocol
    • similar to 802.1x, but proprietary
    • only works with Cisco's ACS and equipment
  • Per-client, per-session, refreshable keys
    • Addresses the shared static key problem
    • RC4 weakness still exists, just impractical to exploit if the refresh interval is short

31
Cisco's solution
  • The confidentiality of username/password becomes critical
    • Once compromised, anybody can use the same username/password to log on to the network

32
Orinoco's solution
  • Orinoco's enterprise-class Access Server has an Automatic Key Exchange feature
    • RADIUS-based authentication
    • Per user, per session keys are automatically generated and distributed using a Diffie-Hellman algorithm
    • No user involvement
    • separate keys for uplink and downlink

33
Orinoco's solution
  • Hot off the press - 13 Nov 2001
  • Firmware updates to prevent usage of weak key streams
    • Retains compatibility with other products
    • Addresses the RC4 weakness, but key is still shared and static
    • Security reverts back to strength of 128 bit key

34
VPN & Firewall
  • Existing concept, technology available, independent of hardware
  • Arguably the most cost effective
  • Weaknesses
    • protects IP traffic, not lower level e.g. ARP
    • clients can still be attackable targets

35
Developments in standards
  • 802.1x provides support for Port-based Network Access Control at MAC Bridges
    • user identification, centralized authentication, e.g. RADIUS
    • dynamic per-session key management
    • Windows XP built-in support
  • 802.11i provides new encryption
    • 128-bit AES?
    • but current equipment will not benefit

36
Other security considerations
  • Overall security picture
    • WLAN is only 1 physical part of your network
    • just treat it as unsecured
  • Confidentiality of username/password
  • Client-side security
    • e.g. IDS, Firewall, AV, card theft
  • Mobility discipline
    • e.g. Home and cybercafe WLAN environments

37
Summary
  • Sniffing is trivial - always assume that your traffic is accessible by anybody
  • WEP in its baseline form is not tenable
  • Several possible courses of action
    • WEP enhancements
    • VPN, SSH
  • None of the solutions is a silver bullet; there are other security issues to consider