Wireless Security - What Were They Thinking? - PowerPoint PPT Presentation

Slides: 56
Provided by: rende
Transcript and Presenter's Notes

1
Wireless Security - What Were They Thinking?
Brad "RenderMan" Haines, RenderLab.net / Church of
Wifi, Render_at_Renderlab.Net
2
Introduction
  • Who am I?
  • Why am I here?
  • Why are you here?
  • Scope of this talk
  • Why you should stay awake

3
Caveats
  • "It is not the goal of this presentation to tell
    you not to use wireless networks, but to make you
    aware of the risk so you can make informed
    decisions about your usage of wireless technology
    and do everything possible to protect your
    organization's network infrastructure, data and
    integrity of its client computers" - Paul
    Asadoorian

4
Why are you here?
  • 10/2003 Lowe's
  • Botbyl and Timmins access an unencrypted,
    unauthenticated wireless LAN in Southfield,
    Michigan
  • Obtain access to internal servers across 7 US
    states
  • Crash PoS system while planting CC-sniffing
    software
  • Apprehended by FBI; both pleaded guilty to charges
  • 3/2004 BJ's
  • Wholesale merchant reports that a "small
    fraction" of its 8 million customers may have had
    CCs stolen
  • FTC asserts charges against BJ's for unencrypted
    wireless networks, default usernames/passwords
    and insufficient monitoring
  • BJ's settles, recording 10M in legal costs, and
    agrees to thorough external audits every other
    year for 2 decades

5
Why are you here?
  • 1/2007 TJX
  • Marshalls department store in St. Paul, Minnesota:
    WEP-protected WLAN compromised
  • Estimates between 45.7 million and 200 million
    payment card numbers revealed
  • 451,000 driver's licenses and SSNs also
    compromised
  • Forrester Research estimates the cost of the
    breach could surpass 1 billion dollars in 5 years

6
Why are you here?
  • 6/2005 GE Money
  • Branch in Finland reports 200,000 stolen
  • Investigators traced the attack to an unprotected
    consumer WLAN
  • Initial investigation of the WLAN's owner found
    the suspect not guilty; the unprotected WLAN had
    been used to hide tracks
  • Further investigation reveals a GE Money data
    security manager and accomplices stole the account
    information

7
802.11 Technology and Vulnerabilities Timelines
[Figure: two timeline tracks, 1999-2009; the year each item sits at is not recoverable from this transcript]
Technology track (items as extracted): Radio Resource Mgmt, Fast Roaming, early mesh deployments; Performance, Net. Mgmt, 3.65 GHz; MIMO, WAVE, Mesh, External Internetwork, Mgmt. Frame Protection; PHY/MAC 802.11a, 802.11b, EAP/TLS, EAP-MD5; 802.11g, Europe 5 GHz, WPA; Regulatory Domain Extensions; 802.11i, WPA2, Japan 5 GHz, EAP-FAST; PEAP, TTLS; QoS; LEAP
Vulnerabilities track (items as extracted): Sophisticated WEP attack tools, attacks against WPA-PSK, PHY jamming tools commodity; Windows wardriving tools, growing attack tool sophistication; Metasploit for Wireless, critical client driver vulns; AP fuzzing? RADIUS fuzzing? 802.11 VA tools? Attacks against TKIP?; WIDS evasion, client attacks gaining popularity, fuzzing; Hotspot manipulation, QoS attacks, WIDS fingerprinting; Early wardriving, early WEP attacks; Hotspot impersonation, LEAP exposed
8
802.11 Technology and Vulnerabilities Timelines
  • Most public attacks against unprotected
    networks
  • WEP attacks effective 6 years after critical
    flaws announced
  • Emerging attacks of today not solved with
    standards

[Figure: the same 1999-2009 Technology and Vulnerabilities timeline as slide 7, annotated with the four breaches from slides 4-6: Lowe's, BJ's, GE Money, TJX]
9
Where it all started
  • 802.11b - Released October 1999
  • 2.4 GHz, 11 Mbit/s (4.5 nominal)
  • Popularity exploded with Apple AirPort
  • Quickly took off and integrated into everything
  • 40-bit (later 64-, 128-bit) WEP, MAC filtering
  • 11 channels (North America)
  • WPA added later

10
Where it went from there
  • 802.11a - Released October 1999
  • 5 GHz, 54 Mbit/s (20 nominal)
  • Shorter range, less penetration
  • Not backwards compatible with 802.11b
  • 12 channels (North America)
  • More restrictions on use
  • 40-bit (later 64-, 128-bit) WEP, MAC filtering
  • WPA added later

11
Where it went from there
  • 802.11g - Released October 2003
  • 2.4 GHz, 54 Mbit/s (19 nominal)
  • Quickly integrated into new devices
  • Backwards compatible with 802.11b
  • 11 channels (North America)
  • WPA (Wi-Fi Protected Access) and WEP

12
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
13
Where it all started to go wrong
  • 802.11 APs broadcast beacons
  • Wardriving hit big after Defcon 9 (2001)
  • Shipped default open; anyone can connect
  • Wardriving community grew exponentially
  • Apple AirPort ramped up sales and usage

14
Wardriving
  • The benign act of detecting wireless networks
    while in motion - Blackwave
  • Wireless networks are radios; every card is a
    capable receiver
  • Network information is broadcast with each packet:
    network name, encryption status, associated
    clients all detectable
  • Add GPS for making cool maps
  • Wigle.net: 12,000,000 nets with location (Oct
    2007)
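As an added example (not Kismet's or Netstumbler's code), here is how a survey tool reads what the slide says every beacon gives away: the fixed capability field and the information elements, classified into open, WEP, WPA and WPA2, with cloaked SSIDs flagged. The beacon bodies, SSIDs and vendor bytes are constructed for the example.

```python
import struct  # added example, not Kismet/Netstumbler code; beacons below are constructed

CAP_PRIVACY = 0x0010                  # capability bit 4: privacy (WEP at minimum)
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # vendor IE: Microsoft OUI, type 1 = WPA (v1)

def parse_ies(tagged):
    """Yield (element id, data) from the tagged-parameter section of a beacon."""
    i = 0
    while i + 2 <= len(tagged):
        eid, ln = tagged[i], tagged[i + 1]
        data = tagged[i + 2:i + 2 + ln]
        if len(data) < ln:            # truncated capture: stop rather than guess
            break
        yield eid, data
        i += 2 + ln

def classify_beacon(body):
    """(ssid, security) for a beacon body: timestamp(8), interval(2),
    capability(2) fixed fields, then information elements."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    cap = struct.unpack_from("<H", body, 10)[0]
    ssid, has_rsn, has_wpa = "<cloaked>", False, False
    for eid, data in parse_ies(body[12:]):
        if eid == IE_SSID and data.strip(b"\x00"):   # empty or all-NUL = cloaked
            ssid = data.decode("utf-8", "replace")
        elif eid == IE_RSN:
            has_rsn = True
        elif eid == IE_VENDOR and data.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if has_rsn:
        security = "WPA2"             # RSN element wins even if a WPA element coexists
    elif has_wpa:
        security = "WPA"
    elif cap & CAP_PRIVACY:
        security = "WEP"              # privacy bit set but no WPA/RSN element
    else:
        security = "OPEN"
    return ssid, security

def ie(eid, data):                    # build one information element
    return bytes([eid, len(data)]) + data

FIXED = b"\x00" * 8 + struct.pack("<H", 100)      # zero timestamp, 100 TU interval
ESS, ESS_PRIV = struct.pack("<H", 0x0001), struct.pack("<H", 0x0011)

BEACONS = {                           # constructed samples with hypothetical SSIDs
    "open":    FIXED + ESS + ie(IE_SSID, b"Coffee-Free"),
    "wep":     FIXED + ESS_PRIV + ie(IE_SSID, b"STORE-POS"),
    "wpa":     FIXED + ESS_PRIV + ie(IE_SSID, b"Home") + ie(IE_VENDOR, WPA_OUI_TYPE + b"\x01\x00"),
    "wpa2":    FIXED + ESS_PRIV + ie(IE_SSID, b"Corp") + ie(IE_RSN, b"\x01\x00\x00\x0f\xac\x04"),
    "cloaked": FIXED + ESS_PRIV + ie(IE_SSID, b"\x00") + ie(IE_RSN, b"\x01\x00"),
}

def survey(beacons=BEACONS):
    """Map each capture to (ssid, security) so open and WEP nets stand out."""
    return {name: classify_beacon(body) for name, body in beacons.items()}
```

Run over a real capture, the same classifier is the inventory check behind the breaches on slides 4-6: every network of your own that comes back OPEN or WEP is one the timeline says has been attackable for years.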

15
Wireless is everywhere
  • 30 for an AP at a computer shop
  • Most laptops come with WiFi built in
  • Personally discovered 175,000 devices (100,000
    in Edmonton and area)
  • Ranked 17th on wigle.net (soon to be 16th)
  • Hotels, airports, conferences, coffee shops,
    restaurants, etc.
  • Can all be detected and catalogued

16
It's Everywhere!
17
Wardriving
  • The presence of networks is no longer secret
  • Many people ignorant of the issue
  • Wardriving brought the issue to the forefront with
    pretty maps
  • Worldwide Wardrive brought it to the media (and
    CSIS)
  • Not a huge issue
  • Cloaking does nothing to help; it's a radio!

18
Where it all started to go wrong
  • MAC addresses can be observed without connecting
  • Changing your own MAC address is easy
  • A simple Perl script makes it easy in Linux
  • http://www.michiganwireless.org/tools/sirmacsalot/
  • Simple program to change it in Windows
  • http://www.codeproject.com/tools/MacIdChanger.asp
  • MAC filtering is only useful for keeping authorized
    users from connecting unauthorized things

19
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
20
Kismet
  • De facto free site survey tool
  • Listens to all 802.11x traffic (monitor mode)
  • Detects 'cloaked' networks
  • Can include GPS for maps
  • Remote drone sniffers for distributed monitoring
  • Kismet-Newcore promises more features
  • Linux native, some Windows support (Kiswin,
    airpcap)
  • Should be in every wireless toolkit

21
Kismet
22
Netstumbler
  • Windows based
  • 'Active' scanner
  • GPS capability
  • Signal to noise graph
  • Useful for quick surveys, antenna alignment, etc

23
Netstumbler
24
Netstumbler
25
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
26
Hotspot Impersonation
  • Hot spots gain popularity
  • Cafés, airports, hotels, etc.
  • No discrimination between identical SSIDs
  • 'Drift' to other networks
  • Man-in-the-middle attacks, credential snarfing,
    etc.
  • Airsnarf, etc.

27
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
28
WEP What were they thinking?
  • Based on RC4 (weak); 40-bit due to export
    restrictions
  • Limited computing power onboard
  • 64-128 bit added later after export laws relaxed
  • No standard key generation specified:
    incompatibilities between brands
  • Many tried, a lot failed open
  • Who wants to type out a 64-char hex key?

29
WEP cracking
  • Goal is to collect enough IVs to be able to crack
    the key
  • IV (Initialization Vector): plaintext concatenated
    with the key to avoid keystream repetition
  • Airsnort: 5-10 million packets
  • Injecting packets to generate more IVs (faster)
  • Aircrack analyses the packets and gives you a key
  • Needed 100K to 1M packets in early versions (10
    min)
  • Aircrack-PTW: needs only 40-100K (60 seconds)
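Added illustration, not from the deck: why a 24-bit IV cannot deliver the "avoid repetition" promise even in principle. The WEP key itself never changes, so under the model of an IV drawn uniformly at random for every frame, the probability that $n$ frames all carry distinct IVs is

$$P(\text{no IV reuse after } n \text{ frames}) = \prod_{i=0}^{n-1}\left(1 - \frac{i}{2^{24}}\right) \approx \exp\!\left(-\frac{n(n-1)}{2^{25}}\right),$$

which falls to $1/2$ at

$$n \approx \sqrt{2^{25}\ln 2} \approx 4823 \text{ frames}.$$

At an assumed 500 frames per second from a busy AP, a repeated (IV, key) pair, and therefore a reused RC4 keystream, is expected within about 10 seconds; a sequential IV counter wraps after all $2^{24} \approx 16.8$ million values, about 9.3 hours at that rate. Longer keys change neither number, which is why the fix had to be per-packet keying (TKIP) rather than more key bits.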

30
Aircrack
31
Jamming / Interference
  • Physics is harsh
  • Introduce more noise than signal
  • Microwave oven, cordless phone, baby monitor or
    other sources
  • Accidental or intentional
  • Spectrum analyzer

32
Wavebubble
33
WPA
  • WPA fixes many WEP flaws
  • Based on early 802.11i draft - stop-gap
  • 256-bit key, still RC4
  • Pre-shared key or Enterprise (802.1X)
  • Standard key generation: PBKDF2
  • Key salted with SSID
  • TKIP, MIC (Michael)
  • Sequence enforcement

34
Standards are hard - WPA
  • WPA: do more on old hardware
  • Feared mass obsolescence
  • Backwards compatibility
  • Needed soon
  • Not perfect, got the job done
  • Fixed a lot of WEP problems and weaknesses

35
WPA2
  • Mandatory elements of 802.11i
  • Uses AES (CCMP) instead of RC4
  • Supports PSK and 802.1X mode
  • Very interoperable
  • De facto standard for wireless

36
The Devil is in the Details
  • WPA not without problems
  • People choose weak passphrases
  • Susceptible to brute-force attack
  • "A key generated from a pass-phrase of less than
    about 20 characters is unlikely to deter attack"
    - 802.11i spec
  • Cowpatty, Aircrack

37
Cracking WPA
  • Capture WPA 4-way handshake
  • Hash dictionary word with PBKDF2 and compare
    output to capture
  • SSID salted into key
  • CPU intensive
  • Early programs had to start over each time

38
Cracking WPA Faster
  • Genpmk and CoWF WPA tables
  • Pre-hash 1.2 million words against the top 1000
    SSIDs: 48 gig of WPA-cracking torrent goodness
  • Time/memory trade-off - calculate once, crack
    many
  • Cracks WPA v1 and v2
  • Drastically faster checking onsite
  • Available after the talk and throughout the con
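The PBKDF2 derivation from slide 33 and the SSID-indexed tables above, as an added example that is not the deck's or coWPAtty's code: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a precomputed table only helps for the SSIDs it was built for, and the 802.11i 20-character guidance from slide 36 can be checked against a configuration. The COMMON_SSIDS set and the sample SSIDs are constructed.

```python
import hashlib  # added example, not the deck's or any tool's code

# Constructed stand-in for the "top 1000 SSIDs" a precomputed table is built for.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "IEEE"}

def derive_pmk(passphrase, ssid):
    """Pairwise Master Key as IEEE 802.11i specifies it for PSK mode:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def table_reusable(ssid_a, ssid_b, passphrase="password"):
    """True only if one PMK table entry serves both SSIDs. It never does:
    the SSID is the salt, so every SSID needs its own table."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)

def assess_psk_config(passphrase, ssid, common_ssids=COMMON_SSIDS):
    """Findings a defender cares about for a WPA/WPA2-PSK network."""
    findings = []
    if ssid in common_ssids:
        findings.append("ssid_in_precomputed_tables")   # time/memory trade-off applies
    if len(passphrase) < 20:
        findings.append("passphrase_under_20_chars")    # 802.11i guidance
    return findings
```

The test vector (passphrase "password", SSID "IEEE") is the one published in the 802.11i annex, so the function can be checked against the standard before it is trusted on your own configuration.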

39
coWPAtty
40
The Devil is in the details
  • Michael countermeasures
  • 2 bad checks: radio turns off
  • Defense against injection and manipulation
  • Several layers deep, should not normally trip
  • "If a non-AP STA receives a deauthenticate frame
    with the reason code MIC failure, it cannot be
    certain that the frame has not been forged, as it
    does not contain a MIC. The STA may attempt
    association with this, or another, AP" - 802.11i
    spec

41
Abusing Michael
  • Sequence enforcement and decryption need to
    succeed before the MIC is checked
  • MIC taken over data and header
  • Wireless multimedia specifications (QoS)
  • Separate counters for different QoS bits
  • MIC does cover the QoS bits, which are not
    encrypted...

42
Abusing Michael
[Figure: frame layout showing the Sequence and QoS fields alongside the WPA-encrypted Data and MIC Checksum]
43
Abusing Michael
  • Capture high-priority packet
  • Flip QoS bits
  • Retransmit to other counter
  • Sequence enforcement is maintained
  • Encrypted data decrypts successfully
  • MIC check fails from flipped QoS bits
  • 2 errors in 60 seconds: DoS condition
  • Clients continue to try and connect
  • Not in the wild, but soon...

44
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
45
Client attacks
  • Karma
  • Cleartext traffic: easy manipulation
  • Airpwn
  • Management frames: cleartext and unauthenticated
  • Void11, deauth attacks
  • Driver attacks

46
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
47
Driver Vulnerabilities
  • 2006 - Johnny Cache and David Maynor fuzz and
    break many drivers
  • Death threats from Apple fanboys
  • Do not even need to be connected to a network
  • Metasploit includes some driver exploits
  • Point n' pwn

48
Emerging threats
  • Bluetooth: highly overlooked
  • Security by obscurity and a 4-digit PIN
  • Open source protocol sniffer coming
  • RFID: whole other talk
  • Speedpass broken
  • Passports blown wide open
  • RFID virus

49
(No Transcript)
50
(No Transcript)
51
Standards bodies
  • IEEE/IETF do good work
  • We can get on wirelessly at the office,
    conferences
  • It could be a lot worse
  • Involves lots of blood, sweat, travel and
    politics
  • Problems can be solved

52
802.11 Technology and Vulnerabilities Timeline
[Figure: 802.11 Technology and Vulnerabilities Timeline, 1999-2009 (same figure as slide 7)]
53
The Future?
  • RFID will be huge
  • Bluetooth will be huge
  • 802.11n will be 'interesting'
  • 802.11w will solve some problems
  • Hacker community will always be there to break
    things

54
Thanks
  • Josh Wright
  • Dragorn / Mike Kershaw
  • Major Malfunction / Adam Laurie
  • The Pauldotcom crew
  • Wirelessdefense.org

55
Questions?
  • render_at_renderlab.net
  • www.renderlab.net
  • www.churchofwifi.org
  • www.personalwireless.org