Reasons Not to Trust Wireless Networks

1
Reasons Not to Trust Wireless Networks
  • Bruce Potter
  • Potter_bruce_at_bah.com gdead_at_shmoo.com
  • June 23, 2006

2
Don't Believe Anything I Say
  • "Do not believe in anything simply because you
    have heard it. Do not believe in anything simply
    because it is spoken and rumored by many. Do not
    believe in anything simply because it is found
    written in your religious books. Do not believe
    in anything merely on the authority of your
    teachers and elders. Do not believe in traditions
    because they have been handed down for many
    generations. But after observation and analysis,
    when you find that anything agrees with reason
    and is conducive to the good and benefit of one
    and all, then accept it and live up to it." -
    Buddha
  • By Day, Senior Associate for Booz Allen Hamilton
  • By Night, Founder of The Shmoo Group and restorer
    of hopeless Swedish cars

3
High Assurance is Out of Bounds
  • With enough money, nearly anything can be made to
    be secure
  • High assurance wireless options exist, but the
    development and testing costs make them
    prohibitively expensive to the average Joe/Jane
  • Wouldn't it be nice to have high assurance
    without the high cost?
  • But I think that's a topic for another conference

4
For the record, we've been trying to solve the
same problem for a while
  • Another major problem is the fact that there are
    growing pressures to interlink separate but
    related computer systems into increasingly
    complex networks
  • Underlying most current users' problems is the
    fact that contemporary commercially available
    hardware and operating systems do not provide
    adequate support for computer security
  • In addition to the experience of accidental
    disclosure, there has also been a number of
    successful penetrations of systems where the
    security was added on or claimed from fixing
    all known bugs in the operating system. The
    success of the penetrations, for the most part,
    has resulted from the inability of the system to
    adequately isolate a malicious user, and from
    inadequate access control mechanisms built into
    the operating system
  • Computer Security Technology Planning Study -
    October 1972, Electronic Systems Division, Air
    Force

5
First, Some Trends - Vulnerability Hype by
Security Industry
  • The fox is guarding the hen house
  • The security industry has a vested interest in
    making the situation sound as bad as possible
  • Technologies such as firewalls, IDS, and AV have
    led us to believe that security software is a
    requirement
  • A firewall is a network response to a software
    engineering problem
  • As application and operating system security
    improve, these technologies may come under
    pressure
  • However, due to the hype, these technologies are
    becoming ubiquitous
  • Microsoft just entered the fray; the likely
    outcome is that the security bar will be raised
    significantly in consumer and enterprise
    networks.
  • Example - WMF
  • British Parliament was one of many organizations
    attacked with directed attacks after the WMF
    vulnerability came to light

6
Another Trend - Mercenary Exploit Development
  • A new market has emerged for exploit development
  • Not the historical underground market, but rather
    a legit marketplace
  • Many security companies now offer money in
    exchange for exclusive rights to exploits from
    mercenary exploit developers
  • TippingPoint's Zero Day Initiative (ZDI)
  • iDefense's Vulnerability Contributor Program
    (VCP)
  • Etc
  • These programs have rewards programs, as well
    as other incentives
  • Also, eBay and other online commerce sites have
    become storefronts for vulnerability information
  • Many niche security companies are hoarding 0-day
  • Who knows who's buying this information and what
    they are using it for?

7
Wireless Device discovery
  • First part of attacking wireless devices is
    finding them
  • Obviously, wireless devices can be found,
    especially given enough resources
  • Spectrum analyzers, protocol analyzers, custom
    gear can be great at finding cell phones, 802.11
    radios, and Bluetooth devices. At high cost
  • However, device discovery can dramatically change
    the threat against a technology if it can be put
    in the hands of many
  • How much will geeks pay to find wireless devices?
    1000? 500? 300? 100? Free?

8
WiFi Device Discovery Demo

9
Bluetooth Device Discovery
  • FHSS harder to find
  • Must align with hopping pattern
  • BT uses 1/2 the normal hop time to Jump Around
  • Still averages 2.5 to 10 secs to find known
    device
  • Devices can be Discoverable
  • Respond to inquiry requests
  • Means both devices need to be able to hear each
    other
  • Devices can also be non-discoverable
  • Must be directly probed by MAC addr
  • Little to no traffic for extended periods of time
    (esp in low power mode)
  • Cannot easily be listened to b/c receiver cannot
    sync on hopping pattern

10
Bluetooth Device Discovery Demo

11
802.11 Rogue AP
  • Rogue Access Points are the biggest threat
    against WiFi Networks
  • WEP is Broken. Surprise!
  • We're actually getting pretty good at securing
    the enterprise
  • Clients are the real problem
  • Two types of Rogue APs
  • One is plugged into your network by accident
  • The other is directly targeting your laptop

12
Rogue AP Powerpoint Foo
[Diagram: Laptop (SSID Stardollar); Access Point (SSID Stardollar, -50dBm); Rogue Access Point (SSID Stardollar, -40dBm); Disassociate]

13
Rogue AP - Lessons Learned
  • Authenticating Management Frames is a good idea
  • Disruptive technologies will succeed even in the
    face of poor security
  • There's a corollary that says that people don't
    want to pay for privacy and security. They
    expect it exists already
  • Need to protect the client
  • Not something currently done out of the box
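
The rogue-AP scenario from the preceding slides (same SSID, stronger signal, forced disassociation) turned into a client-side detection check. This is an added example, not part of the original presentation; the inventory format, the frame tuples, and all MAC addresses and channels are constructed assumptions.

```python
from collections import defaultdict

# Assumed inventory of authorized APs (constructed values): SSID -> {BSSID: channel}
KNOWN_APS = {"Stardollar": {"00:11:22:33:44:55": 6}}

# Constructed capture summary: (time_s, frame_type, ssid, bssid, channel, rssi_dbm)
FRAMES = [
    (0.0, "beacon", "Stardollar", "00:11:22:33:44:55", 6, -50),
    (0.1, "beacon", "Stardollar", "66:77:88:99:aa:bb", 6, -40),
    (0.2, "beacon", "CoffeeGuest", "de:ad:be:ef:00:01", 1, -70),
    (1.0, "disassoc", None, "00:11:22:33:44:55", 6, -41),
    (1.1, "disassoc", None, "00:11:22:33:44:55", 6, -41),
    (1.2, "disassoc", None, "00:11:22:33:44:55", 6, -40),
    (2.0, "beacon", "Stardollar", "00:11:22:33:44:55", 11, -42),
]

def find_rogue_aps(frames, known_aps):
    """Flag beacons that claim an inventoried SSID but do not match the inventory."""
    findings, seen = [], set()
    for _, ftype, ssid, bssid, channel, rssi in frames:
        if ftype != "beacon" or ssid not in known_aps:
            continue
        expected = known_aps[ssid]
        if bssid not in expected:
            kind = "unlisted_bssid"      # same SSID, radio not in inventory
        elif channel != expected[bssid]:
            kind = "channel_mismatch"    # cloned BSSID heard off its assigned channel
        else:
            continue
        if (kind, bssid, channel) not in seen:
            seen.add((kind, bssid, channel))
            findings.append({"kind": kind, "ssid": ssid, "bssid": bssid,
                             "channel": channel, "rssi_dbm": rssi})
    return findings

def disassoc_bursts(frames, window_s=1.0, threshold=3):
    """Map source BSSID -> largest count of disassociation frames inside window_s."""
    times = defaultdict(list)
    for t, ftype, _, bssid, _, _ in frames:
        if ftype == "disassoc":
            times[bssid].append(t)
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        best = max(sum(1 for t in ts[i:] if t - ts[i] <= window_s) for i in range(len(ts)))
        if best >= threshold:
            flagged[bssid] = best
    return flagged
```

On the constructed capture, `find_rogue_aps(FRAMES, KNOWN_APS)` reports the unlisted -40dBm radio and the inventoried BSSID heard on channel 11, and `disassoc_bursts(FRAMES)` reports the burst of unauthenticated disassociation frames carrying the legitimate AP's address.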

14
Bluetooth Basics
  • Pairing
  • Establishes a trust relationship
  • Uses a shared secret (PIN), exchanges a random
    number to form key
  • Key used to derive session key for future comms
  • I.e., pairing is only done once
  • NOTE: Pairing is not required to transmit data
    between devices
  • Used for Trusted-to-Trusted comms
  • Profiles are a mechanism to standardize on higher
    level functionality
  • Keyboard, serial port, file transfer, etc

15
Bluetooth Attacks
  • Adam Laurie and the Crew at Trifinite.org have
    been doing much of the publicly available
    research
  • Bluesnarf, Bluebug, CarWhisperer, etc
  • Also, a PIN attack that has a flavor of social
    engineering to it
  • No real direct attacks against the security
    aspects of Bluetooth
  • However, security is not required by default
  • Further, Bluetooth is VERY complicated

16
Bluetooth Attack Demo - Bluesnarf

17
Bluetooth - Lessons Learned
Vulnerability Matrix ( NOT Vulnerable)

| Make | Model | Firmware Rev | BACKDOOR | SNARF when Visible | SNARF when NOT Visible | BUG |
|---|---|---|---|---|---|---|
| Ericsson | T68 | 20R1B 20R2A013 20R2B013 20R2F004 20R5C001 | ? | Yes | No | No |
| Sony Ericsson | R520m | 20R2G | ? | Yes | No | ? |
| Sony Ericsson | T68i | 20R1B 20R2A013 20R2B013 20R2F004 20R5C001 | ? | Yes | ? | ? |
| Sony Ericsson | T610 | 20R1A081 20R1L013 20R3C002 20R4C003 20R4D001 | ? | Yes | No | ? |
| Sony Ericsson | T610 | 20R1A081 | ? | ? | ? | Yes |
| Sony Ericsson | Z1010 | ? | ? | Yes | ? | ? |
| Sony Ericsson | Z600 | 20R2C007 20R2F002 20R5B001 | ? | Yes | ? | ? |
| Nokia | 6310 | 04.10 04.20 4.07 4.80 5.22 5.50 | ? | Yes | Yes | ? |
| Nokia | 6310i | 4.06 4.07 4.80 5.10 5.22 5.50 5.51 | No | Yes | Yes | Yes |
| Nokia | 7650 | ? | Yes | No () | ? | No |
| Nokia | 8910 | ? | ? | Yes | Yes | ? |
| Nokia | 8910i | ? | ? | Yes | Yes | ? |
| Siemens | S55 | ? | No | No | No | No |
| Siemens | SX1 | | | | | |

  • Implementation errors are teh suck
  • Most of what's been uncovered to date with
    respect to Bluetooth vulnerabilities are actually
    device vulnerabilities
  • Writing secure code in an emerging technology is
    hard

18
IR Remotes
  • IR has been around for years and it's used
    everywhere. What security concerns could there
    be?
  • IR systems tend to use a predefined series of
    signals to make events happen
  • European garage door openers use IR; different
    signals make the door go up and down
  • Hotel remote systems use different patterns to
    select premium content, modify bar inventory,
    view bill, etc
  • If you know the patterns, you can replicate the
    actions using a Linux laptop
  • No real state machine for things like hotel
    systems, therefore you can get free movies, bill
    beer consumption to other rooms, tag the TV,
    etc
  • http://www.toorcon.org/2005/conference.html?id=21

19
IR Remotes - Lessons Learned
  • First, never let Adam into a hotel room without
    supervision
  • Security through obscurity is not an answer
  • Several payment systems have learned this lesson
    the hard way
  • BlackBoard also learned this

20
More Trends - Hardware Security
  • Having trusted hardware can completely change the
    face of information assurance
  • Secure cryptographic operations
  • Secure key storage
  • Integrity attestation
  • By some accounts, can ultimately rid us of the
    problems of malware, viruses, etc
  • Shockingly, Apple is leading the charge
  • Made Digital Rights Management acceptable to the
    masses
  • Now using Trusted Platform Module (TPM) for
    protection of proprietary software
  • Many other vendors also working to integrate
    trusted hardware
  • Changes the wireless security situation
  • Makes device authentication easier (hopefully)
  • Real Network level access control can be applied
  • Low probability of near term success
  • Massive impact, however
  • More info: http://www.trustedcomputing.org/

21
Summary and Questions?
  • Bruce Potter
  • potter_bruce_at_bah.com
  • gdead_at_shmoo.com