Wireless Hotspot Security

1

• Wireless Hotspot Security
• and
• Client Attacks
• Almerindo Graziano
• a.graziano_at_silensec.com
• www.silensec.com

2
The Menu -)?

• The WiFi Explosion
• Common misconceptions
• Wireless hotspots attacks
• Wireless Client Attacks
• Rogue Access Points
• WEP Insecurity
• WPA Security
• General recommendations

3
About Silensec

• IT Governance
• ISO 27001 Implementation
• Gap Analysis
• Risk Management
• Penetration Testing
• Web apps, Systems, Networks
• Security Training
• BSI ISO 27001, BS25999
• SANS Wireless Security, Hacking Techniques

4
Common Misconceptions

• We do not use/allow wireless networks
• Our network is secure
• We use firewalls
• We use VPN
• Nobody would attack us

5
Mobile Phones Explosion

• Over 100 mobile phone handsets with wi-fi
  capability (June 2007)?
• 213 million Wi-Fi chipsets shipped worldwide in
  2007 (32 growth)?
• 20of the total chipset market by 2009
• Dual-mode phones in 2008
• Bypass mobile operator
• Skype mobile phones

6
Wifi in Everything!

• Digital Camera
• Mobile TVs
• Presentation Projectors
• Stereos
• CCTV Cameras
• Swipe cards systems
• Medical monitoring equipment
• Portable digital players

7
Wireless Networks are Everywhere
8
Terminology

• Station (STA)?
• Laptop, PDA, mobile phone
• Access Point (AP)?
• Connect STAs to the main network
• Infrastructure Mode
• Most common (home and corporate)?
• Ad-Hoc Mode
• Connecting STAs without an AP

Ad-Hoc Mode
Infrastructure Mode
9
Terminology (2)?

• WEP (Wired Equivalent Privacy)?
• WEP Key (64, 128, 256, 512 bits)?
• WEP
• Dynamic WEP
• WPA and WPA2 (Wireless Protected Access)?
• Passphrase (8-63 characters)?

10
Wireless Hotspots

• Provide public access to the Internet through
  wireless networks
• Public does NOT mean FREE
• Often located in
• airports, train stations, libraries, hotels,
  coffee bars
• Designed to be easy to use
• Find the network
• Click and connect
• Authenticate and you are in!

11
Hotspot Example T-Mobile
Secure Connection
12
Hotspot Example T-Mobile (2)?
Enter Credentials
13
Hotspot Security Risks

• Information disclosure
• Most information is not encrypted and may be
  captured easily
• Identity theft
• Fraud and financial loss
• Compromise your computer
• Expose personal info (contacts)?
• Catch a virus
• Back in the workplace
• Expose even more personal info
• Spread the virus

14
Wireless Isolation

• Commonly used by hotspots
• Most modern AP support it too
• Traffic between hotspot clients not allowed
• Protect hotspot clients from possible malicious
  clients
• And anyway you have your firewall..
• What about non-connected clients?

15

• DEMO

16

• Wireless Client Attacks

17
Windows Preferred Network List (PNL)?

• Includes networks created by the user
• Networks are also added when we connect to a new
  network (hotspot)?
• Connection can be automatic or manual

18
Windows Preferred Network List (PNL)?

• Will always connect to the networks higher on the
  list..
• even is already connected to another network!
• even if that network is more secure
• AP with stronger power are preferred
• User is not notified of AP switch!

19
Dangerous Connections..

• Newly networks are added to the PNL
• If new network is in range windows may connect to
  it

20
Rogue Access Points

• More powerful signal
• Karma-based

21
Power Rogue Access Point

• Windows wireless configuration
• AP chosen based on
• position in the PNL
• signal power

tmobile
tmobile
22
Power Rogue Access Points

• DEMO

23
Client Attacks with Karma

• Powerful tool
• Responds to any probe request
• Comes with DHCP, DNS, Web server
• Exploits clients which broadcast SSIDs with no
  security...hotspots

24
Judicious Karma
25
KARMA

• DEMO

26
Wifizoo

• Gathers information passively
• No connection required
• Cookies
• Passwords from FTP,POP3 etc..
• ..and lots more

27
Wifizoo at Work..

• DEMO

28
Wireless Hacking in the Skies..

• Just relax and enjoy the flight
• Watch a film on your laptop
• ...while you are being hacked...
• But don't you worry, there will be no
  interruption to your film entertainment

29
arking Mode

• Found by Simple Nomad
• If DHCP fails to provide an IP address,
  interfaces with Link-Local configurations will
  auto-assign an address in the 169.254.0.0/16
  range
• Link-Local is on by default on all interfaces on
  all Windows platforms, including wireless
  interfaces

Scan for available networks (ANL)?
Parking Mode
Try available PNL networks
Try PNL networks
Any Ad-Hoc network in PNL?
Connect to Non-Preferred Nets?
No
No
Yes
Yes
Connect to 1st Ad-Hoc network in PNL
Connect to available networks (ANL)?
Set Random SSID and go in infrastruture mode
Keep looking for preferred networks
30
Windows Wireless Client Update

• Hotfix described in KB917021
• Non-broadcast networks
• Allows to set a network as non-broadcast by
  setting Connect even if the network is not
  broadcasting
• WAC only sends probe requests for non-broadcast
  networks
• Preferred broadcast networks in the PNL are not
  advertised
• Parking behaviour
• Security configuration is passed onto the
  wireless adapter driver, using the most secure
  encryption method that the wireless network
  adapter supports (including random encryption
  key)?
• Ad-hoc
• Manual connection
• WAC doesn't probe ad-hoc SSID contained in the PNL

31
Windows Wireless Client Update (ctd.)?

• Not included in SP2
• Many clients have not installed it
• Parking mode is driver-dependant
• Most driver still use no security
• You can still override secure default settings

32
Vista Wireless

• VISTA allows to define non-broadcast wireless
  networks
• Listed as Unnamed Network
• WAC will try to connect to wireless networks in
  the order they are listed in the PNL, whether
  they are broadcast or not
• Support ad-hoc using WPA2-PSK
• Strong passphrase selection

33
Hotspot Security Tips

• Doublecheck the name and presence of an official
  Hotspot network where the service is provided
• Remember that the majority of Hotspots do not
  ensure data confidentiality
• Always look out for a padlock and https sign on
  the hotspot login page
• Do NOT implicitly trust advertised Free Public
  WiFi

34
WEP

• WEP IS DEAD
• You MUST NOT use it
• Equivalent to no security (almost)?
• Aircrak-ptw lt 1 minute

35
WPA and WPA2

• WPA
• Stronger security, maintaining hardware
  compatibility
• WPA2
• Even stronger security
• Need new hardware

36
WPA Personal/WPA-PSK

• Both WPA and WPA2 can be used with a passphrase
  (8-63 character)?
• Weak passphrases offer WEP-like protection..NONE
• Use a strong password generator (free
• https//www.grc.com/passwords.htm

37
Wireless Security Tips At Home

• Change default values
• IP addresses
• Admin passwords
• Adjust the power output of your access point if
  possible
• Use MAC address filtering
• Change the default SSID
• Enable WPA/WPA2
• Use a strong passphrase (20 char)
• Set AP configuration to HTTPS if possible

38
Wireless Security Tips On the move

• Switch off your wireless card if not needed
• Do no connect automatically to wireless networks
  (nothing comes free)?
• Change your personal firewall settings to not
  trust the local network
• Be on your guard

39
General Wireless Security Tips

• Download and instal MS wireless update
• Uncheck automatic connection to unprotected
  networks
• Keep your computers patched all the time
• Remember that hotspot networks are not secure

40

• Questions?