Wireless Security - PowerPoint PPT Presentation

Slides: 32
Provided by: csNorth

Transcript and Presenter's Notes

Title: Wireless Security


1
Wireless Security
2
The Current Internet Connectivity and Processing
3
How can it affect cell phones?
  • Cabir worm can infect a cell phone
  • Infect phones running Symbian OS
  • Started in Philippines at the end of 2004,
    surfaced in Asia, Latin America, Europe, and
    recently in US
  • Posing as a security management utility
  • Once infected, propagate itself to other phones
    via Bluetooth wireless connections
  • Symbian officials said security was a high
    priority of the latest software, Symbian OS
    Version 9.
  • With ubiquitous Internet connections, more severe
    viruses/worms for mobile devices will happen soon

4
Outlines
  • 802.11 Basics
  • Mobile link access CDMA/CA
  • Security in 802.11b
  • Example and more attacks
  • Trend 802.16 Wireless MAN

5
IEEE 802.11 Wireless LAN
  • 802.11b
    • 2.4-5 GHz unlicensed radio spectrum
    • up to 11 Mbps
    • widely deployed, using base stations
  • 802.11a
    • 5-6 GHz range
    • up to 54 Mbps
  • 802.11g
    • 2.4-5 GHz range
    • up to 54 Mbps
  • All use CSMA/CA for multiple access
  • All have base-station and ad-hoc network versions

6
Base station approach
  • Wireless host communicates with a base station
    • base station = access point (AP)
  • Basic Service Set (BSS) (a.k.a. cell) contains:
    • wireless hosts
    • access point (AP): base station
  • BSSs combined to form distribution system (DS)

7
Ad Hoc Network approach
  • No AP (i.e., base station)
  • wireless hosts communicate with each other
  • to get packet from wireless host A to B may need
    to route through wireless hosts X,Y,Z
  • Applications
    • laptop meeting in conference room, car
    • interconnection of personal devices
    • battlefield

8
CSMA (Carrier Sense Multiple Access)
  • CSMA: listen before transmit
  • If channel sensed idle: transmit entire frame
  • If channel sensed busy: defer transmission
  • Human analogy: don't interrupt others!

9
CSMA collisions
  • collisions can still occur: propagation delay
    means two nodes may not hear each other's
    transmission
  • collision: entire packet transmission time wasted
  • note: role of distance and propagation delay in
    determining collision probability
  • (figure: spatial layout of nodes)

10
CSMA/CD (Collision Detection)
  • CSMA/CD: carrier sensing, deferral as in CSMA
    • collisions detected within short time
    • colliding transmissions aborted, reducing channel
      wastage
  • collision detection
    • easy in wired LANs: measure signal strengths,
      compare transmitted, received signals
    • difficult in wireless LANs: receiver shut off
      while transmitting
  • human analogy: the polite conversationalist

11
CSMA/CD collision detection
12
IEEE 802.11 multiple access
  • Collision if 2 or more nodes transmit at the same
    time
  • CSMA makes sense
    • get all the bandwidth if you're the only one
      transmitting
    • shouldn't cause a collision if you sense another
      transmission
  • Collision detection doesn't work: hidden terminal
    problem

13
IEEE 802.11 MAC Protocol CSMA/CA
  • 802.11 CSMA sender
    • if sense channel idle for DIFS sec., then
      transmit entire frame (no collision detection)
    • if sense channel busy, then binary backoff
  • 802.11 CSMA receiver
    • if received OK, return ACK after SIFS
      (ACK is needed due to hidden terminal problem)

14
Collision avoidance mechanisms
  • Problem
    • two nodes, hidden from each other, transmit
      complete frames to base station
    • wasted bandwidth for long duration!
  • Solution
    • small reservation packets
    • nodes track reservation interval with internal
      network allocation vector (NAV)

15
Collision Avoidance RTS-CTS exchange
  • sender transmits short RTS (request to send)
    packet: indicates duration of transmission
  • receiver replies with short CTS (clear to send)
    packet
    • notifying (possibly hidden) nodes
  • hidden nodes will not transmit for specified
    duration: NAV

16
Collision Avoidance RTS-CTS exchange
  • RTS and CTS short
    • collisions less likely, of shorter duration
    • end result similar to collision detection
  • IEEE 802.11 allows
    • CSMA
    • CSMA/CA: reservations
    • polling from AP
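
The RTS-CTS reservation from the two slides above as a small model, added here as an example that is not part of the original presentation. The node layout, radio range and frame times are constructed values in arbitrary units, not 802.11 constants.

```python
from math import dist

# Assumed values for illustration only: time in arbitrary units, range in metres.
SIFS, RTS_TIME, CTS_TIME, ACK_TIME = 10, 20, 15, 15
RADIO_RANGE = 120

# Constructed layout: A and B both reach the AP but not each other; D is out of range.
NODES = {"A": (0, 0), "AP": (100, 0), "B": (200, 0), "C": (50, 0), "D": (400, 0)}

def hears(x: str, y: str) -> bool:
    return dist(NODES[x], NODES[y]) <= RADIO_RANGE

def rts_cts(sender: str, receiver: str, data_time: int, now: int = 0) -> dict:
    """Return {node: NAV expiry} for every third party that overhears RTS or CTS."""
    # Duration carried in the RTS: everything that follows it, up to the end of the ACK.
    rts_duration = SIFS + CTS_TIME + SIFS + data_time + SIFS + ACK_TIME
    rts_end = now + RTS_TIME
    cts_end = rts_end + SIFS + CTS_TIME
    cts_duration = rts_duration - SIFS - CTS_TIME   # time remaining after the CTS
    nav = {}
    for node in NODES:
        if node in (sender, receiver):
            continue
        if hears(node, sender):       # overheard the RTS
            nav[node] = rts_end + rts_duration
        if hears(node, receiver):     # overheard the CTS (covers hidden nodes)
            nav[node] = max(nav.get(node, 0), cts_end + cts_duration)
    return nav

def may_transmit(node: str, t: int, nav: dict) -> bool:
    """Virtual carrier sense: a node defers while its NAV has not expired."""
    return t >= nav.get(node, 0)
```

Node B never hears A's RTS, yet it ends up with the same NAV expiry as C because the AP's CTS carries the remaining duration.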

17
Outlines
  • 802.11 Basics
  • Mobile link access CDMA/CA
  • Security in 802.11b
  • Example and more attacks
  • Trend 802.16 Wireless MAN

18
802.11b Built in Security Features
  • Service Set Identifier (SSID)
  • Differentiates one access point from another
  • SSID is cast in beacon frames every few
    seconds.
  • Beacon frames are in plain text!

19
Associating with the AP
  • Access points have two ways of initiating
    communication with a client
  • Shared Key or Open Key authentication
  • Open Key: client only needs to supply the correct SSID
    • Allows anyone to start a conversation with the AP
  • Shared Key is supposed to add an extra layer of
    security by requiring authentication info as soon
    as one associates

20
How Shared Key Auth. works
  • Client begins by sending an association request
    to the AP
  • AP responds with a challenge text (unencrypted)
  • Client, using the proper WEP key, encrypts text
    and sends it back to the AP
  • If properly encrypted, AP allows communication
    with the client

21
Wired Equivalent Protocol (WEP)
  • Primary built-in security for 802.11 protocol
  • Uses 40-bit RC4 encryption
  • Intended to make wireless as secure as a wired
    network
  • Unfortunately, since ratification of the 802.11
    standard, RC4 has been proven insecure, leaving
    the 802.11 protocol wide open for attack

22
Case study of a non-trivial attack
  • Target network: a large, very active
    university-based WLAN
  • Tools used against network
    • Laptop running Red Hat Linux v.7.3
    • Orinoco chipset based 802.11b NIC card
    • Patched Orinoco drivers
    • Netstumbler
      • Netstumbler can not only monitor all active
        networks in the area, but it also integrates
        with a GPS to map APs
    • Airsnort
      • Passively listens to the traffic
  • NIC drivers MUST be patched to allow Monitor mode
    (listen to raw 802.11b packets)

23
Assessing the Network
  • Using Netstumbler, the attacker locates a strong
    signal on the target WLAN
  • WLAN has no broadcasted SSID
  • Multiple access points
  • Many active users
  • Open authentication method
  • WLAN is encrypted with 40-bit WEP

24
Cracking the WEP key
  • Attacker sets NIC drivers to Monitor Mode
  • Begins capturing packets with Airsnort
  • Airsnort quickly determines the SSID
  • Sessions can be saved in Airsnort, and continued
    at a later date so you don't have to stay in one
    place for hours
  • A few 1.5 hour sessions yield the encryption key
  • Once the WEP key is cracked and his NIC is
    configured appropriately, the attacker is
    assigned an IP, and can access the WLAN

25
More Attacks in Wireless Networks
  • Rogue Access Point
    • Solution: monitor the air space for unexpected APs
  • Radio Frequency (RF) Interference
  • AP Impersonation
    • Rogue AP spoofs its MAC address to the identity
      of an authorized AP
  • Man-in-the-middle attack
  • Denial of service attack
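
One way to implement the "monitor the air space" check from this slide, as an added example that is not part of the original presentation. The inventory, the beacon fields and the sample observations are constructed; a real deployment would feed in beacons from its own wireless monitoring.

```python
from collections import defaultdict
from typing import NamedTuple

class Beacon(NamedTuple):
    bssid: str      # AP MAC address as seen on the air
    ssid: str
    channel: int
    privacy: bool   # capability bit: encryption required

# Constructed inventory of authorized APs: BSSID -> (SSID, channel, privacy)
INVENTORY = {
    "00:00:5e:00:53:01": ("campus", 1, True),
    "00:00:5e:00:53:02": ("campus", 6, True),
}

def audit(beacons, inventory=INVENTORY) -> dict:
    """Return {bssid: sorted findings} for every BSSID that needs a follow-up."""
    our_ssids = {ssid for ssid, _, _ in inventory.values()}
    findings = defaultdict(set)
    for b in beacons:
        bssid = b.bssid.lower()
        expected = inventory.get(bssid)
        if expected is None:
            # Radio not in the inventory: an unexpected AP, worse if it uses our SSID.
            findings[bssid].add("unexpected AP advertising our SSID"
                                if b.ssid in our_ssids else "unexpected AP")
            continue
        # Authorized MAC whose beacon disagrees with the inventory: the MAC may be
        # spoofed by an impersonating AP, so each mismatch is reported.
        for name, seen, want in zip(("ssid", "channel", "privacy"), b[1:], expected):
            if seen != want:
                findings[bssid].add(f"{name} is {seen!r}, inventory says {want!r}")
    return {bssid: sorted(items) for bssid, items in findings.items()}

# Constructed observations from one monitoring pass.
SAMPLE = [
    Beacon("00:00:5E:00:53:01", "campus", 1, True),    # matches inventory
    Beacon("00:00:5e:00:53:02", "campus", 6, True),    # matches inventory
    Beacon("00:00:5e:00:53:02", "campus", 11, False),  # same MAC, different settings
    Beacon("00:00:5e:00:53:99", "campus", 6, False),   # unknown MAC, our SSID
    Beacon("00:00:5e:00:53:aa", "coffee-shop", 3, True),
]
```

A MAC address alone cannot distinguish an authorized AP from one spoofing it, which is why the audit compares the other advertised attributes against the inventory.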

26
Outlines
  • 802.11 Basics
  • Mobile link access CDMA/CA
  • Security in 802.11b
  • Example and more attacks
  • Trend 802.16 Wireless MAN

27
(No Transcript)
28
(No Transcript)
29
IEEE 802.16 WirelessMAN Standard for Broadband
Wireless Metropolitan Area Networks
  • Broad bandwidth
    • Up to 134 Mbps in 10-66 GHz band
  • Comprehensive and modern security
    • Packet data encryption
      • DES and AES used
    • Key management protocol
      • Use RSA to set up a shared secret between
        subscriber station and base station
      • Use the secret for subsequent exchange of
        traffic encryption keys (TEK)

30
Backup Slides
31
Summary of MAC protocols
  • What do you do with a shared media?
    • Channel partitioning, by time, frequency or code
      • Time Division, Code Division, Frequency Division
    • Random partitioning (dynamic)
      • ALOHA, CSMA, CSMA/CD
      • carrier sensing: easy in some technologies
        (wire), hard in others (wireless)
      • CSMA/CD used in Ethernet