PISA Wireless LAN Security: Risk and Defense
Security Conference Summit @ NUS, 25 Feb 2003
Presented by S.C. Leung, CISSP, CISA, CBCP, Chairperson of PISA

Who are we?
• PISA is a not-for-profit organization in Hong Kong
  – To utilize our expertise and knowledge to help bring prosperity to society in the information age.
• Members
  – Individual information security professionals from different disciplines with a keen interest in info-sec.
• Activities
  – Workshops, seminars
  – Study and survey; comments on legislation bills
http://www.pisa.org.hk

Agenda
1. First published war driving report in Hong Kong
2. WLAN security risks & defenses
3. Current WLAN security development
4. Q & A

Part 1: War Driving Report in Hong Kong

What is War-driving?
• You use a device capable of receiving an 802.11b signal and software that logs data on the signal received (possibly with GPS data as well).
• You then move from place to place.
• Over time, you build up a database comprised of the network name, signal strength, location, and MAC address in use.

Purpose of War Driving
• Collecting statistical data
• Checking corporate WLAN security vulnerabilities
• Checking the coverage of a WLAN
• Other purposes, including non-malicious and malicious

PISA WLAN Security Team
Mr. Alan TAM, Mr. Jim SHEK, Mr. Wo Sang YOUNG

A video on the war driving was shown to the audience in the conference. The video illustrated how the war driving team captured the statistics using simple tools on the tram running along the business corridor of Hong Kong Island.
HK Island Business Corridor, 7 July 2002: Hong Kong War Driving Snapshot

War-driving Tools Set
• Notebook computer or handheld (Pocket PC)
• Wireless LAN card
• Antenna, commercial model
  – 5 dBi gain: cost S$ 120
  – 9-24 dBi gain: cost S$ 120-1000
• Antenna, home-made model
  – ~3-5 dBi gain: cost S$ 4
  – ~7-9 dBi gain: cost S$ 10
  – ~10-15 dBi gain: cost S$ 14
  – Compared with commercial ones costing S$ 120-1000
• Free tools: Netstumbler (Win) or KISMET (Linux); Ministumbler (Pocket PC 2002)

War-driving in Hong Kong
• Conducted in July 2002
• On a tram from Kennedy Town to Causeway Bay, in 2 hours
• Using common equipment and free software
• Only discovery; no IP connection (association) was made

War-driving in Hong Kong: Result
– 187 access points discovered with antennae
– 77% had no WEP (encryption)*
  * 2nd annual Worldwide War Drive: 72% of ~25,000 access points found did not enable basic WEP encryption
    http://www.computerworld.com/mobiletopics/mobile/story/0,10801,74103,00.html
– 51% using the default SSID
– Two strong APs with the same SSID stayed accessible for 3 minutes on the running tram*
  * Suspected building-to-building connections
Full Report: http://www.pisa.org.hk/event/m_comm_sec2.htm

Legal Aspects
• In Singapore
  – Is war driving legal?
  – Note that the skill is definitely required to do your own internal risk assessment
• In many countries
  – Unauthorized access to a computer system by telecommunication is ILLEGAL
  – Connecting to an AP is regarded as accessing the computer system
• War driving
  – It usually refers to discovery
  – A line must be drawn between discovery and penetration. In the latter case, a connection is made (i.e. the client must associate with the AP)
• Disclosure of results
  – Statistical vs. individual
  – The responsible vulnerability disclosure principle should be observed.
War Chalking
• Intentional disclosure of individual war driving results at the proximity of the object found
• "For sharing of bandwidth", it claims.
• Network opened to all, good and bad guys.

Part 2: WLAN Security Risks & Defenses

The 802.11 Alphabet Soup
• 802.11  : 2.4GHz, 2Mbps
• 802.11a : 5GHz, 54Mbps
• 802.11b : ~Wi-Fi, 2.4GHz, 11Mbps
• 802.11e : QoS support for 802.11b/11a
• 802.11g : 2.4GHz, 54Mbps
• 802.11i : Security improvement over 802.11b
• 802.11m : maintenance of the 802.11 standard (not a network protocol)
IEEE 802.11 Working Group Task Groups a, b, e, ...

WLAN Channels
• Channels 1-14 (some cities use 1-11 only)
[Figure: channels 1-11 plotted against frequency (GHz), spanning 2.400-2.474; channel 1 centered at 2.412, channel 6 at 2.437, channel 11 at 2.462]

WLAN Terms & Basic Concept
• Ad hoc mode (IBSS): peer to peer
• Infrastructure mode (ESS): via an Access Point (AP)
• SSID – Service Set Identifier is the unique wireless network identifier
• Beacon – periodically broadcast SSID and time stamp
• Coverage – 30m to 30km

WLAN Security Risks
The risks can be classified into 3 classes:
1. Weakened physical security
2. Weak configuration defaults
3. 802.11b protocol weakness ← ONGOING DEVELOPMENT IN SECURITY PROTOCOL

WLAN: Lack of Physical Security
• Signal coverage (200-1000m) > physical boundary
  [Figure: physical boundary vs. normal signal boundary; a malicious client with antenna, a rogue AP and a malicious client sit outside the physical boundary but inside the signal boundary]
• Building to building connection
• War flying → sniffing possible at 2,500 ft height (Perth, Australia and San Diego, US)
• Fake Access Point (Evil Twin)
  – Traffic interception at public WLAN access (e.g.
Coffee Shop, Airport)
  [Figure: client sees the real AP1 and a fake AP1*]

WLAN Risks in General
• Interception and unauthorized monitoring of wireless traffic
• Client-to-client attacks
• Jamming (DoS)
• Hacking into your wired system

Consequence of Security Breach
• "Sharing" of bandwidth – contractual liability of use might have been violated
• Lowered productivity
• Higher ISP bill
• Information leakage
• Injection of worms into the internal network
• Internal systems being hacked
• War spamming
• Network being used for attack – legal liability for hosting an "on-site" attacker

Defense: Physical Security
• Do not put the AP near doors or windows.
• Enforce a strong management policy and monitoring
  – No unauthorized AP allowed. Audit periodically.
• Building-to-building antennae: use a directional radiation pattern, tune the beam angle
• Lower access point power
• Power off the AP when not in use

Weak Configuration Defaults
• WEP encryption is off
• Well-known SSID is used and broadcast
  – Linksys → Linksys brand
  – Tsunami → Cisco brand
• Administrative access is easy
  – Web, telnet, SNMP are not filtered
  – Well-known admin ID and password are used
  – SNMP community string
    • Default strings: public & private
    • Access rights: RO & RW
• DHCP for all clients
• No access control on clients

Defense: Configuration Defaults
• Use WEP. A 128-bit key is preferred to 64-bit
  – Some security enhancement in client PCs
• Harden the SSID. Change the SSID and disable broadcasts
  – Some current false sense of a secured SSID...
• Harden admin access
  – Turn off unnecessary admin access, e.g. telnet, web
  – Change the default admin ID & password; choose a hard-to-guess admin password
  – Enable the firewall function
  – Turn off SNMP access
• Use static IP and MAC address filtering
  – These are useful in a small environment only

Are these effective?
• To be honest, NO!
• They are deterring factors that should be applied. For home-use APs these are cost-effective measures.
• Business use of WLAN needs ...
  – More security to couple with higher risks
  – Scalability
    • Shared secrets of WEP and SSID are not working
    • Static IP and MAC filtering is a management nightmare

Part 3: Current WLAN Security Development

Weakness in the 802.11b Protocol
• Highlights
  – Weak authentication
  – WEP has weakness (confidentiality)
  – Lacks message integrity
  – and more ...
• Details follow ...

802.11b Weak Authentication
• Weak authentication
  – No user authentication
  – SSID is broadcast
  – WEP is static (pre-shared to all users)
  – MAC address can be spoofed
  – No mutual authentication (fake AP!)

802.11b Weak WEP
• WEP == Wired Equivalent Privacy
  – Designed to protect wireless communication from eavesdropping
  – Uses a symmetric encryption algorithm: RC4
  – Optional in 802.11b. A static (pre-shared) key is used.
• Commercially claimed key size: 64 or 128 bit
  – Effectively only 40 or 104 bit strength
    [Figure: WEP key = 40 or 104 bits of secret key + 24-bit IV]
  – The IV (Initialization Vector) is used to create a variable key stream from a fixed WEP key

What is IV?
[Figure: IV and WEP key feed the cipher, which produces a key stream; key stream XOR plaintext = ciphertext]

802.11b Weak WEP
• Static WEP key → key distribution problem
• WEP design vulnerable to statistical key derivation
  – Paper by Fluhrer, Mantin & Shamir (Aug 2001)
  – Zero knowledge needed → capturing 4 million frames can recover the 128-bit WEP key!
  – In an extremely busy network it is a matter of 5 hours at most.
  – A busy access point, which constantly sends 1500-byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours
  – The actual time can be shorter due to more collisions of IVs: the same WEP key is used by all stations; Lucent NICs set IV=0 each time the card is initialized; some implementations may have a fixed IV!
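To make the IV arithmetic on the slide above concrete, here is an added example (written for this edit, not part of the PISA deck): it evaluates the slide's IV-exhaustion formula, shows with a plain RC4 implementation why two frames that share the static key and the same IV expose the XOR of their plaintexts (the reason IV collisions matter), and runs a small audit that flags repeated (BSSID, IV) pairs in a constructed capture. The key, IV values and capture are constructed for the demonstration.

```python
# Added example (not from the PISA slides): why a 24-bit WEP IV is a problem.
# (1) the IV-exhaustion estimate from the slide, (2) RC4 keystream reuse when an
# IV repeats under a static key, (3) a defender-side IV-reuse monitor over a
# constructed capture. Keys, IVs and frames below are constructed, not real.
from collections import defaultdict

def iv_exhaustion_seconds(frame_bytes=1500, rate_bps=11_000_000, iv_bits=24):
    """Seconds until a saturated AP has used every IV once (the slide's formula)."""
    return frame_bytes * 8 / rate_bps * 2 ** iv_bits

def rc4_keystream(key, length):
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || static key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(static_key, iv, plaintext):
    """WEP-style encapsulation: RC4(IV || key) XOR plaintext; the IV is sent in clear."""
    ks = rc4_keystream(iv + static_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def find_iv_reuse(frames):
    """Count (bssid, iv) pairs from a capture; return the pairs seen more than once."""
    seen = defaultdict(int)
    for bssid, iv in frames:
        seen[(bssid, iv)] += 1
    return {k: n for k, n in seen.items() if n > 1}

if __name__ == "__main__":
    print(f"IV space exhausted after ~{iv_exhaustion_seconds() / 3600:.1f} h")
    key = bytes.fromhex("0102030405")   # constructed 40-bit static key
    iv = b"\x00\x00\x00"                # the 'IV=0 after card reset' case on the slide
    c1 = wep_encrypt(key, iv, b"GET /index.html ")
    c2 = wep_encrypt(key, iv, b"POST /login.cgi ")
    # same IV + same key => same keystream => ciphertext XOR equals plaintext XOR
    assert xor(c1[3:], c2[3:]) == xor(b"GET /index.html ", b"POST /login.cgi ")
    capture = [("AP-1", iv), ("AP-1", b"\x00\x00\x01"), ("AP-1", iv)]  # constructed
    print("reused IVs:", find_iv_reuse(capture))
```

An IV-reuse audit of this kind is a cheap check to run on a sniffer trace of your own WLAN: any repeated pair under a static key means keystream has been reused.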
Proof of Concept Tools
• Tools that have proved the concept
  – Adam Stubblefield, AT&T Labs
    • http://www.cs.rice.edu/~astubble/wep
  – WEPCrack
    • http://sourceforge.net/projects/wepcrack
  – Airsnort: the most successful tool
    • http://airsnort.shmoo.com/

802.11b Weak Message Integrity
• 802.11b packets have a CRC32 integrity check value
  [Figure: frame = IV | Pad & ID | Payload | CRC, with Payload and CRC encrypted]
• Vulnerable to bit-flipping attack
  – CRC32 is a linear checksum. It is meant for error detection and correction only.
• Vulnerable to replay attack
  – There is no checking of message sequence or time stamp

Patching the 802.11b weakness
• 802.11i
  – Security enhancement to 802.11b
  – Slow drafting
  – Expected to be issued by Q4 of 2003
• WPA (Wi-Fi Protected Access)
  – Proposed by the Wi-Fi Alliance in Q4 of 2002 to meet the intermediate need
  – Subset of 802.11i, forward compatible with 802.11i

Wi-Fi Protected Access (WPA)
1. Authentication framework / protocol – 802.1x / EAP
2. TKIP: to strengthen integrity and WEP
   • Message Integrity Code (MIC): to prevent forged packets
   • New IV sequencing: to prevent replay attacks
   • WEP re-keying

802.1x Authentication Framework
• 802.1x authentication framework
  – An IEEE standard method of authentication and security for all Ethernet-like protocols
• Links 3rd party "plug-in" authentication modules
  – Shared key, token card, Kerberos, PKI, LEAP, ...
• Authentication protocol
  – Extensible Authentication Protocol (EAP) or EAPOL (EAP over LAN) – RFC 2284
• EAP is available in Windows XP

802.1x Authentication Framework
• Benefit
  – Improved user authentication
  – A dynamic WEP key is generated after authentication for each user. The WEP key has a timeout. Solves key distribution!!
  – Can enforce centralized policy control and account auditing
  – Can plug in different authentication methods and encryption algorithms
  – Mutual authentication is possible

EAP (RFC 2284)
[Figure: message flow between Client, AP and Authentication Server (RADIUS)]
1. Start (client to AP)
2. Request Identity (AP to client); the access point blocks all requests until authenticated
3. Identity, relayed by the AP to the Authentication Server
4. The Authentication Server authenticates the Client
5. Client Cert: the Client authenticates the Authentication Server (optional)
6. Derive key (on both sides)
7. Broadcast key, key length: the access point sends the client the broadcast key encrypted with the session key

EAP variations over 802.11
• LEAP: Light EAP – Cisco's (static) password-based EAP
• PEAP: Protected EAP – uses token and one-time password
• EAP-TLS (Transport Layer Security) – offers mutual authentication with PKI
• EAP-TTLS (Tunnelled Transport Layer Security) – requires a server certificate only

Temporal Key Integrity Protocol (TKIP)
TKIP = MIC + WEP enhancements
• Message Integrity Check (MIC)
  – MIC (a cryptographic checksum) protects the WEP frame from tampering
  – Added MIC code (about 30 bits)
  – Uses a one-way hash function instead of XOR
  – MIC based on destination & source hardware addresses, payload and sequence number
  [Figure: DST | SRC | Payload | Seq → Hash → MIC]

TKIP: WEP Enhancements
• WEP re-keying
  – The WEP key changes every 10,000 packets
• Deterrence of replay attack
  – Extend the IV from 24 bits to a 48-bit IV
  – Use a better sequencing rule to ensure an IV cannot be reused
  – Use a hash function

Can WPA solve all problems?
• Not yet ...
• Besides
  – Weak authentication
  – WEP has weakness (confidentiality)
  – Lacks message integrity
  there is still one more problem
• with layer 2 management frames
• Firstly, you need to know association and disassociation.

Association/Disassociation
• Associations are a basic part of 802.11. They work at the link layer (layer 2).
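An added example (not from the PISA deck) for the CRC32 slide and the TKIP slides above: it checks the linearity of CRC-32 that lets a bit flip go undetected by WEP's ICV, and implements a TKIP-style receiver with a keyed MIC over DST, SRC, sequence number and payload plus a strictly increasing sequence counter that rejects replays. The MIC uses HMAC-SHA256 as an assumed stand-in for TKIP's actual Michael function; keys, addresses and frames are constructed.

```python
# Added example (not from the PISA slides): why WEP's CRC-32 ICV gives no message
# integrity, and what a TKIP-style MIC plus IV sequencing adds. The MIC here is
# HMAC-SHA256 over DST || SRC || seq || payload, an assumed stand-in for TKIP's
# Michael function (chosen only for its keyed, one-way property), and the receiver
# keeps a per-sender 48-bit sequence counter to reject replays. Every address, key
# and frame below is constructed for the demonstration.
import hashlib
import hmac
import zlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_delta_is_message_independent(msg_a, msg_b, mask):
    """CRC-32 is linear: flipping the same bits in two different equal-length
    messages changes the CRC by the same XOR delta. A checksum that can be
    adjusted without knowing the plaintext or any key is not a MIC."""
    delta_a = zlib.crc32(msg_a) ^ zlib.crc32(xor(msg_a, mask))
    delta_b = zlib.crc32(msg_b) ^ zlib.crc32(xor(msg_b, mask))
    return delta_a == delta_b

def mic(key, dst, src, seq, payload):
    """Keyed integrity tag over the fields the TKIP slide lists: DST, SRC,
    payload and the sequence number (seq is a 48-bit counter)."""
    data = dst + src + seq.to_bytes(6, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Receiver:
    """Verifies the MIC, then enforces a strictly increasing counter per sender."""
    def __init__(self, key):
        self.key = key
        self.last_seq = {}          # src address -> highest accepted seq

    def accept(self, dst, src, seq, payload, tag):
        expected = mic(self.key, dst, src, seq, payload)
        if not hmac.compare_digest(expected, tag):
            return "reject: MIC failure"
        if seq <= self.last_seq.get(src, -1):
            return "reject: replay"
        self.last_seq[src] = seq
        return "accept"

if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    mask = b"\x00" * 4 + b"\x20" + b"\x00" * 10               # flip one bit
    print(crc_delta_is_message_independent(b"GET /index.html", b"POST /login.cgi", mask))
    rx = Receiver(key)
    body = b"GET /index.html"
    tag = mic(key, dst, src, 1, body)
    print(rx.accept(dst, src, 1, body, tag))                   # accept
    print(rx.accept(dst, src, 1, body, tag))                   # reject: replay
    print(rx.accept(dst, src, 2, xor(body, mask), tag))        # reject: MIC failure
```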
• Process of authentication & association
  – The client requests authentication
  – The AP responds with the auth type (Open/WEP)
  – Authentication is performed
  – Once authenticated, the radio NIC must associate with the AP before sending data
• Process of de-authentication & disassociation
  – The AP can de-authenticate the client and log it off. The client then disassociates from the AP.
  – When an AP is powered off or not accessible, the client also disassociates from the AP.

More 802.11b Weakness
• Layer 2 management frames are not authenticated
  – Management frames are
    • Association, de-association, beacons ...
  – There is no way to verify if the source is a true AP
  – An attacker can de-authenticate clients and cause a disassociation (DoS)
• Management frames are sent as clear text
  – The MAC address (layer 2) is sent in clear text by the 802.11 spec.
  – Sniffing is easy with available drivers and software

Attack on Layers 1 & 2
• Airjack by Abaddon @ BHB, Aug 2002. http://802.11ninja.net/
  – WLAN-Jack: DoS the WLAN
    • Can be broadcast or directed
    • In directed mode, the user might just think his NIC has a problem
  – ESSID-Jack: discover a hidden SSID
    • Sends a de-authentication frame to the broadcast address.
    • Listens to client probe requests and AP probe responses
  – Monkey-Jack: man-in-the-middle attack
    • De-authenticates the victim from the real AP by sending fake de-authenticate frames using the AP's MAC address
    • The victim scans channels for a new AP
    • The victim associates with the fake AP (new channel) on the attacker's machine
    • The attacker successfully inserts itself between client and server
  – Kracker-Jack: attack weak VPN
• DoS attack not avoidable
• Malformed packets, e.g.
null SSID, not avoidable

Items left by WPA to 802.11i
– Secure de-authentication and disassociation
– Secure IBSS (ad hoc mode of 802.11b)
– Secure fast handoff of public keys
– AES encryption

Infrastructure Defense in WLAN
• Protection of the infrastructure
• Use an appropriate authentication mechanism
• Mitigate the risk to confidentiality with higher level protocols

Defense in using Wireless LAN
• Secure the corporate network perimeter
  – Treat the WLAN as an untrusted network. Put it in a separate network guarded by the perimeter firewall
  – Use VPN and strong encryption
  – Notebooks should install a personal firewall
  [Figure: WLAN client reaches the internal network only through a VPN tunnel that passes the perimeter firewall to the VPN gateway; a malicious client sits outside on the wireless side; the Internet sits behind the same perimeter firewall]

Higher Level Encryption Protocols
[Figure: end-to-end protocol stack. Application layer: PGP; Transport layer: SSL; Network (IP) layer: IP-VPN, passing through the WLAN router; on the wireless side the 802.11b link layer carries WEP over the 802.11b physical layer, on the wired side Ethernet link over Ethernet physical]

Distant WLAN bridges
• Recall for physical security: use directional radiation
• Incorporate VPN capability: use IPSec to establish a tunnel between the 2 endpoints
• Incorporate firewall function: filter off all traffic coming from the wireless link that is not in the IPSec tunnel
  [Figure: directional radiation between two bridges, with a malicious client outside the beam]
• A Linux embedded application firewall implementation: "Increasing Bandwidth with Wireless Devices", Sys Admin magazine, Feb 2003

Other Strategies of WLAN Defense
• IDS
  – AirDefense, AirMagnet, IBM Distributed Wireless Security Auditor (check market availability)
  – Freeware: Netstumbler, KISMET, Airsnort
• Honeypot
  – Build your own with an isolated HostAP
• Decoy
  – FakeAP: a broadcast storm of fake AP beacons to obscure the true one.
  – The same technology is also used in spoofed scanning and brute force password attacks.
Finding a Rogue AP
• TCP fingerprinting (say by Nmap)
  – False positives exist; the scanning is noisy and creates alerts in scanned clients
• SNMP scan
  – Not effective. SNMP is off by default, or the AP has no SNMP access.
• MAC address inventory
  – Match MAC addresses on the LAN to the corporate-supported LAN card brands → will produce false negatives (rogue APs missed)
• War driving: seems to be the best method
  – Partial solution only. You can miss a rogue access point that has a weak signal range, or miss it due to environmental reasons.

Wireless LAN in the military
• DoD had banned wireless in Q3 of 2002, but now ...
• Network World News (10-Feb-2003)
  – "DoD expects to write up another Wireless Policy by July 2003"
  – "Put responsibility on the person who makes the decision to buy wireless"
  – "National Security Agency (NSA) to develop a Type 1 encryption algorithm HAIPE (High-Assurance Internet Protocol Encryption) for secure wireless LAN" (Remark: commercial 3DES and AES are classified as Type 3)
  http://www.nwfusion.com/news/2003/0210nsa.html

Conclusion
• Wireless technology is moving faster than anything.
• The security gap is still large, yet 2003 is a substantial year for WLAN security development.
  – Use an UPGRADEABLE solution
• Make sense of your WLAN investment strategy
  – Think carefully about whether to use WLAN for sensitive services
  – Include the cost of risk mitigation in your budget.

Thank You
Questions and comments can be sent to S.C.
Leung, sc.leung@pisa.org.hk

References
• IEEE 802.11 Workgroup – http://www.ieee.org
• IEEE 802.1x
  – http://www.ieee802.org/1/pages/802.1x.html
  – http://www.shmoo.com/1x/
  – http://www.Open1x.org
• Wi-Fi Alliance – http://www.weca.net
• War Driving – http://www.bawug.org
• War Chalking – http://www.warchalking.org
• Weakness in the Key Scheduling Algorithm of RC4 – http://online.securityfocus.com/data/library/rc4_ksaproc.pdf
• Cracking WEP FAQ – http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
• Tools
  – Netstumbler, Ministumbler: http://www.netstumbler.com
  – KISMET: http://www.kismetwireless.net/
  – FakeAP: http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
  – WEPCrack: http://wepcrack.sourceforge.net/
  – AirSnort: http://airsnort.shmoo.com/
  – AirJack: http://802.11ninja.net/
  – APTools: http://aptools.sourceforge.net/

Disclaimer
This material is to provide information on WLAN security risks and mitigation measures. It should not be used for malicious intent. Unauthorized access to a computer system is an offense. The points made here are kept concise for the purpose of presentation. If you require details of tests and implementation, please refer to the technical references.