Wireless Threats - PowerPoint PPT Presentation

Slides: 56
Provided by: mischelkw3

1

Wireless Threats and Vulnerabilities

Mischel Kwon, Chief IT Security Technologist, USDOJ
May 1, 2007
2
Agenda
  • The Changing Face of Wireless
  • 802.11 a/b/g/n/i
  • 802.11 basics
  • 802.11 vulnerabilities
  • Protecting 802.11
  • 802.11 Policy, Audit, Enforcement
  • Home grown vs. Enterprise
  • More than Wireless Security
  • Bluetooth
  • Bluetooth basics
  • Bluetooth vulnerabilities
  • Tools
  • Policy, Audit, Enforcement
  • More than Just a Headset
  • Other Wireless
  • IrDA
  • RFID
  • Wi-Max
  • On the Road Protection
  • Blackberry, PDA, Smart phone
  • Laptops
  • New and Interesting Technology

3
Wireless
4
Today's Wireless Landscape
5
802.11
  • 802.11 basics
  • 802.11 vulnerabilities
  • Protecting 802.11
  • 802.11 Policy, Audit, Enforcement
  • Home grown vs. Enterprise
  • More than Wireless

6
Wireless Comparisons 802.11 Chart
7
802.11 Encryption
  • WEP (Wired Equivalent Privacy), RC4. WEP's
    encryption is broken: with a sufficient amount
    of network traffic, the WEP key can be extracted
    and used to connect to the network or sniff
    traffic. Using WEP doesn't assure security even
    for a single user on a home network.
  • WPA (Wi-Fi Protected Access), RC4. WPA addressed
    WEP's weaknesses and is widely supported. WPA
    uses TKIP (Temporal Key Integrity Protocol) for
    keying. WPA with a properly chosen pass phrase
    provides perfectly adequate security for a home
    user.
  • WPA2, AES. This newer version of WPA adds a
    stronger encryption mode known as CCMP
    (Counter-mode CBC-MAC Protocol), which is built on
    AES (Advanced Encryption Standard). CCMP is
    considered one of the most secure methods.
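
As an added example (not code from the presentation), here is how a wireless audit tool places an access point in the tiers this slide describes, from what the AP beacons: the privacy bit plus its WPA or RSN element. The element layouts are the standard WPA/802.11i ones; the two sample elements are hand-built for this example.

```python
# Added example, not from the presentation: decode the WPA/RSN element an access
# point beacons and grade it on the slide's tiers. Sample elements are hand-built.
import struct

RSN_OUI = b"\x00\x0f\xac"   # suite OUI in the RSN element (ID 48, WPA2/802.11i)
WPA_OUI = b"\x00\x50\xf2"   # suite OUI in the WPA vendor element (ID 221)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
# Constructed samples: RSN with CCMP + 802.1X, WPA vendor element with TKIP + PSK
RSN_CCMP_8021X = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
WPA_TKIP_PSK = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")


def parse_security_ie(ie: bytes) -> dict:
    """Decode a WPA or RSN element into its group/pairwise ciphers and AKMs."""
    if len(ie) < 2 or len(ie) != 2 + ie[1]:
        raise ValueError("malformed element")
    if ie[0] == 48:
        flavour, oui, body = "WPA2", RSN_OUI, ie[2:]
    elif ie[0] == 221 and ie[2:6] == WPA_OUI + b"\x01":
        flavour, oui, body = "WPA", WPA_OUI, ie[6:]
    else:
        raise ValueError("not a WPA/RSN element")
    pos = 2                                    # cursor just past the version field

    def suite(table):                          # one 4-byte OUI+type selector
        nonlocal pos
        sel, pos = body[pos:pos + 4], pos + 4
        return table.get(sel[3], "unknown") if len(sel) == 4 and sel[:3] == oui else "vendor"

    def suite_list(table):                     # 2-byte count, then that many selectors
        nonlocal pos
        count, pos = struct.unpack_from("<H", body, pos)[0], pos + 2
        return [suite(table) for _ in range(count)]

    return {"flavour": flavour, "group": suite(CIPHERS),   # evaluated in wire order
            "pairwise": suite_list(CIPHERS), "akm": suite_list(AKMS)}


def grade_ap(privacy_bit: bool, security_ie=None) -> str:
    """Tiers from the slide: open, WEP (RC4), WPA/TKIP (RC4), WPA2/CCMP (AES)."""
    if not privacy_bit:
        return "OPEN: traffic in the clear"
    sec = parse_security_ie(security_ie) if security_ie else None   # None: plain WEP
    ciphers = set(sec["pairwise"]) | {sec["group"]} if sec else {"WEP-104"}
    if ciphers & {"WEP-40", "WEP-104"}:
        return "WEP: broken, key recoverable from enough captured traffic"
    if "TKIP" in ciphers:
        return "%s/TKIP: RC4-based, adequate for home use only" % sec["flavour"]
    if ciphers == {"CCMP"}:
        return "WPA2/CCMP (AES) with %s: enterprise grade" % "+".join(sec["akm"])
    return "UNKNOWN: vendor-specific suites, review manually"
```

A mixed-mode network (CCMP pairwise but TKIP group cipher) is graded as TKIP, since the weaker group cipher still protects broadcast traffic.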

8
802.11 Basics
  • 802.11n
  • Multiple antennas to gain speeds at a minimum of
    108 Mbps
  • 802.11i
  • Robust Secure Network
  • WPA TKIP RC4
  • WPA2 AES
  • SWLAN
  • NSA Type-1 Encryption 802.11b up to DoD Secret

9
802.11 Vulnerabilities
  • Native in the clear
  • Associate with any WAP
  • Easy to scan
  • Windows Wireless Zero Configuration
    vulnerabilities in XP
  • Home use WAP Security weak
  • MAC filtering
  • Static IP
  • WEP
  • WPA Pass Phrase

10
Did You Pay to Connect to an Evil Twin?
Who are you connected to?
11
War Driving
  • Equipment (the rig)
  • Laptop --- $1,399
  • Wireless card --- $67
  • Antenna --- $10 (homebrew)
  • Scanning Software --- free
  • GPS (optional)

12
Equipment
  • Antennas
      - Omni-directional: mast mount
      - Semi-directional: Yagi
      - Highly-directional: grid, parabolic
  • Home Brew Antennas

13
Equipment
  • Laptops: Windows, Linux, Mac OS X
  • Handhelds: HP iPaq, Sharp Zaurus

14
Equipment
  • Scanning Software
      - NetStumbler: www.netstumbler.com
      - AiroPeek: www.wildpackets.com
      - Wellenreiter: www.remote-exploit.org
      - Kismet: www.kismetwireless.net
      - AirSnort: airsnort.shmoo.org

15
Wi-Finders
http://www.kensington.com/html/3720.html
16
Security Policy
  • Enterprise Equipment
  • WPA2
  • WIDS/IPS
  • IDS
  • DMZ
  • Configuration Control
  • Authentication
  • Certificate Exchange
  • Event monitoring

17
Home 802.11 Security
  • WEP
  • WPA Pass Phrase
  • Encryption
  • MAC Filtering
  • SSID
  • VPN
  • Don't auto connect
  • Best Practices: what not to do on your wireless
    segment
  • DMZ
  • Firewalls
  • Safe system: turn off file sharing

18
WIDS
  • Different flavors
  • Detect anomalies on wired segments
  • Rogue Access Point detection
  • Policy Enforcement
  • Limited NAC-like evaluation
  • WAP based IDS
  • Server Based IDS
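
As an added example (not from the presentation), here is the comparison at the core of the "Rogue Access Point detection" a WIDS performs, which also covers the Evil Twin question from slide 10: what the sensors see is checked against an inventory of authorized radios. The inventory, the neighbour list and the scan pass are all constructed for this example.

```python
# Added example, not from the presentation: the inventory comparison at the heart
# of WIDS rogue access point / evil twin detection. All data here is constructed.
from typing import NamedTuple

class Sighting(NamedTuple):
    bssid: str
    ssid: str
    channel: int
    security: str   # "open", "WEP", "WPA-TKIP" or "WPA2-CCMP"

# Authorized radios: BSSID -> (SSID it must broadcast, security policy requires)
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("CORPNET", "WPA2-CCMP"),
    "00:11:22:aa:bb:02": ("CORPNET", "WPA2-CCMP"),
    "00:11:22:aa:bb:10": ("CORP-GUEST", "WPA2-CCMP"),
}
KNOWN_NEIGHBOURS = {"66:77:88:cc:dd:01"}   # surveyed, belongs to a neighbouring tenant
OUR_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

def classify(s: Sighting) -> str:
    """Label one observed access point relative to the authorized inventory."""
    bssid = s.bssid.lower()
    if bssid in AUTHORIZED:
        ssid, required = AUTHORIZED[bssid]
        if s.ssid != ssid:
            return "MISCONFIGURED: authorized radio broadcasting %r" % s.ssid
        if s.security != required:
            return "MISCONFIGURED: %s instead of %s" % (s.security, required)
        return "AUTHORIZED"
    if bssid in KNOWN_NEIGHBOURS:
        return "NEIGHBOUR"
    if s.ssid in OUR_SSIDS:          # our name on a radio we do not own
        return "EVIL TWIN: our SSID from an unknown radio"
    return "ROGUE/UNKNOWN: check whether it is plugged into our wired segment"

def audit(sightings):
    """Group one scan pass by label, keeping the last beacon seen per BSSID."""
    report = {}
    for s in {x.bssid.lower(): x for x in sightings}.values():
        report.setdefault(classify(s).split(":")[0], []).append(s.bssid.lower())
    return report

# Constructed scan pass: two good radios, one downgraded to TKIP, one evil twin
SCAN = [
    Sighting("00:11:22:AA:BB:01", "CORPNET", 6, "WPA2-CCMP"),
    Sighting("00:11:22:aa:bb:10", "CORP-GUEST", 11, "WPA2-CCMP"),
    Sighting("00:11:22:aa:bb:02", "CORPNET", 1, "WPA-TKIP"),
    Sighting("de:ad:be:ef:00:01", "CORPNET", 6, "open"),
    Sighting("66:77:88:cc:dd:01", "Neighbour-WiFi", 1, "WPA2-CCMP"),
]
```

A radio-side view cannot tell a rogue AP on the wired segment from a stranger's AP across the street; that is why the slide pairs this with wired-side anomaly detection.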

19
Sensor Based WIDS
20
Securing Enterprise Wireless
  • The Security Policy
  • Authentication
  • Authorization
  • VPN
  • DMZ
  • Wireless on their own VLAN
  • Hardened wireless gateway
  • Device policy enforcement
  • Configuration Control
  • Passwords on devices
  • Auto erase on devices when password
    authentication fails a set number of times
  • Physical examination of site regularly
  • Wireless Audits
  • WIDS/IPS
  • IDS

21
Things Not to Do on a Wireless Network
  • Passwords
  • Banking
  • Credit Cards
  • PII exchange
  • File Sharing
  • Bridging

22
It's More Than Wireless Security
  • Configuration Control
  • Bridging
  • Patching
  • Anti-virus
  • VPN
  • File Encryption
  • Ports, Services
  • DMZ
  • WAPs outside the network
  • Hidden wireless

23
Demonstrations
24
Bluetooth
  • Bluetooth basics
  • Bluetooth vulnerabilities
  • Tools
  • Policy, Audit, Enforcement
  • More than Just a Headset

25
Bluetooth
  • Short-range communications, 3-300 ft
  • 2.4 to 2.485 GHz range
  • Spread spectrum
  • Adaptive frequency hopping (reduce interference)
  • Full duplex signal
  • 79 Channels
  • Algorithm based on Master ID and previous channel
  • Interference with WiFi (device range)
  • Voice
  • Synchronous Connection Oriented (SCO)
  • Data
  • Asynchronous Connection Less (ACL)

26
The Bluetooth Connection
  • Media Access Control (MAC)
  • Wireless Personal Area Network (WPAN)
  • Point-to-Point
  • Point-to-Multipoint
  • Pairing (Agreement)
  • Service Discovery Protocol

27
The Bluetooth Stack
28
Bluetooth Networking
  • Piconet (PAN)
  • Master
  • Slave
  • 8 Devices
  • Scatternet
  • Two or More Piconets
  • Master/Slave between Piconets
  • Bandwidth reduced if 10 PANs in a 10-meter
    radius

29
Making the Bluetooth Connection
  • Pairing
  • During pairing there is a key exchange
  • Part of initial key exchange occurs in the clear
  • Once paired a trust relationship is built using
    the link key
  • Identification based on BD_addr (MAC Address)

30
Closer Look at the Pairing
  • Needs a 128-bit random number, the PIN, and the
    Bluetooth hardware address (BD_ADDR)
  • The 128-bit random number is transmitted in the
    clear between devices
  • Random number, PIN, and BD_ADDR go through E22,
    a function that creates the initial key
  • The initial key is used to create 128-bit random
    numbers which will serve as the asynchronous
    link key

31
Bluetooth Uses
  • Cars
  • Phones
  • PDAs
  • Not on my laptop
  • Printers
  • Earpieces
  • Keyboard, mice
  • Coke Machines
  • EKG

32
Why a Blue Attack?
  • Listening
  • Hooking up?
  • Open Microphone
  • Dialing for dollars
  • Contacts, Notes, Email

33
Blue Methods of Attack
  • MAC spoofing
  • Break link encryption
  • Crack link encryption
  • Individual implementation vulnerabilities

34
The Blue Hacks
  • BlueJacking: sending messages to unsuspecting
    recipients
  • Toothing: engaging in chance encounters using
    Bluetooth messages
  • BlueBug: access to the AT (ATtention) command set
  • Audio Interception

35
Blue Attacks
  • Snarfing: device manipulation
  • Chaos: call, SMS, phonebook
  • Denial of Service (BlueSmack)
  • Viruses (Cabir)
  • Cabir hit Europe and Asia in June 2004
  • Cabir.H and Cabir.I were discovered in Santa
    Monica, California. Cabir blocks Bluetooth
    connectivity and drains the device battery
  • Affects Symbian OS devices

36
Vulnerable Phones
37
The Blue Bad News
  • BAD: Bluetooth headsets
  • Default PINs, generally 0000 or 1234, are
    hard-coded into the Bluetooth headsets
  • WORSE: Bluetooth cars are generally left in
    discoverable mode and subject to
    surveillance/interception

38
Your Bluetooth Is Not Discoverable
  • Not a problem?
  • The Bluetooth hardware address space is limited to
    000000000000 - FFFFFFFFFFFF
  • Isn't that 281,474,976,710,655 possible
    addresses?
  • Manufacturer codes, e.g. Motorola C6F74AXXXXXX,
    leave only 16,777,215 possible devices to look
    for
  • Redfang/Green Plague

39
Blue Toys: Blue Sniper Rifle
  • Uses gumstix computer with onboard Bluetooth
    (no laptop necessary)
  • Yagi type antenna increases range up to 2
    miles!!!
  • Parts are cheap and readily available
  • Extends range for attack

40
Blue Sniffing and
  • Smurf
  • MeetingPoint
  • BTScanner
  • BlueSweep
  • BlueWatch (not free)
  • Blue Jack

41
Securing Bluetooth
  • Disable and uninstall Bluetooth
  • Do not allow device to be found
  • Update firmware (ROM)
  • Do not allow paired devices unverified
    connectivity
  • Storing sensitive corporate information should
    NEVER be allowed
  • Use encryption technology
  • PED must have the latest security patches
    installed on their operating system
  • Uninstall unused drivers

42
Demonstrations
43
IrDA
  • Laptop
  • Phone
  • Blackberry
  • PDA
  • Keyboards/Mice
  • Is yours enabled?
  • Easy transfer
  • Banana sticker
  • EEKKKK File Sharing is on

44
RFID
45
EvDO
  • Evolution Data Only, Evolution Data Optimized
  • High speed
  • Always on
  • 2.4 Mbps bandwidth
  • Supported by some cell phones
  • PCMCIA cards

46
WiMAX
47
802.16 Wi-MAX Basics
48
How It Works
http://www.networkworld.com/news/tech/2001/0903tech.html
49
Wi-MAX Security Issues and Mitigations
  • Security Issues
  • Use of poorly implemented DES
  • Poor authentication scheme
  • Mitigations
  • Use AES-CCM as encryption primitive
  • Use flexible EAP authentication scheme

50
Ohhhh yeah, I have a cell phone.
  • No radio transmission is totally secure
  • Several Secure NSA Type-1 certified GSM cellular
    phones
  • New Smart Card VPN mini SD

51
On the Road Protection
  • Blackberry
  • PDA
  • Smart phone
  • Laptops
  • Who are you connecting to?
  • How are you protecting your data?
  • VPN?
  • What is the health of your device?
  • Are you really on a wired segment?

52
Interesting Wireless Issues
  • Laptop Configuration Management
  • Laptop Patch Management
  • Data Protection/Encryption
  • Hotel/Hot Spot WAPs (Evil Twin)
  • VPN
  • Cell phone encryption
  • PDA encryption
  • Two-Factor Authentication

53
New and Interesting Technology/Tools
  • WIDS/IPS
  • Wireless Mesh
  • Smart Card VPN
  • NAC
  • PCI Management System
  • Smart Encryption
  • DAR/DARTT GSA SmartBuy

54
Recommended References
  • Trifinite.org
  • NIST 800-48
  • Wireless Security Implementation Guide, Defense
    Information Systems Agency
  • Wireless Security Checklist, Defense Information
    Systems Agency
  • Open-Source Security Testing Methodology Manual,
    Institute for Security and Open Methodologies
  • Wi-Foo: The Secrets of Wireless Hacking
  • Real 802.11 Security: Wi-Fi Protected Access and
    802.11i
  • Wireless Security: Ensuring Compliance with
    HIPAA, GLBA, SOX, DoD 8100.2 and Enterprise
    Policy, AirDefense, www.airdefense.com
  • Weaknesses in the Temporal Key Hash of WPA,
    Vebjorn Moen, Havard Raddum, Kjell Hole,
    University of Bergen, Norway
  • Security Flaws in 802.11 Data Link Protocols,
    Nancy Cam-Winget, Russ Housley, David Wagner,
    Jesse Walker
  • Securing a Wireless Network, Jon Allen, Jeff
    Wilson
  • Securing Wireless Data: System Architecture
    Challenges, Ravi, Raghunathan, Potlapally,
    Computer and Communications Research Labs, NEC USA
  • Solving the Puzzling Layers of 802.11 Security,
    Mischel Kwon
  • 802.11 Security, Praphul Chandra
  • NIST Wireless Network Security: 802.11, Bluetooth
    and Handheld Devices, Tom Karygiannis, Les Owens
  • Cisco SAFE: Wireless LAN Security in Depth
  • http://www.iwwst.org.uk/Files/2003/FinalPN.pdf
  • http://video.interop.com/presentations/unified-wired-s-sundaralingam.pdf

55
Questions