Presentation - Professional Information Security Association

PISA
Wireless LAN
Security Risk and Defense
Security Conference Summit
@NUS 25 Feb 2003
Presented by
S.C. Leung
CISSP CISA CBCP
Chairperson of PISA
Who are we?
• PISA is a not-for-profit organization in Hong Kong
– To apply our expertise and knowledge to help bring
prosperity to society in the information age.
• Members
– Individual information security professionals from
different disciplines with keen interest in info-sec.
• Activities
– Workshops, Seminars
– Study and Survey; Comments to Legislation Bills
http://www.pisa.org.hk
Agenda
1. First Published War Driving Report in Hong Kong
2. WLAN Security Risks & Defenses
3. Current WLAN Security Development
4. Q & A
1. War Driving Report in Hong Kong
What is War-driving?
• You use a device capable of receiving an 802.11b signal and
software that logs data about the signals received
(possibly with GPS data as well).
• You then move from place to place.
• Over time, you build up a database comprising the network
name, signal strength, location, and MAC address in use.
Purpose of War Driving
• Collecting statistical data
• Checking corporate WLAN security vulnerabilities
• Checking the coverage of a WLAN
• Other purposes, both non-malicious and malicious
PISA WLAN Security Team
Mr. Alan TAM
Mr. Jim SHEK
Mr. Wo Sang YOUNG
A video of the war driving was shown to the audience
at the conference.
The video illustrated how the war driving team
captured the statistics using simple tools on the tram
running along the business corridor of
Hong Kong Island.
HK Island Business Corridor
7 July 2002 Hong Kong
War Driving Snapshot
War-driving Tools Set
• Notebook computer or handheld (Pocket PC)
• Wireless LAN card
War-driving Tools Set
• Antenna - commercial model
– 5 dBi gain: cost S$ 120
– 9-24 dBi gain: cost S$ 120-1000
War-driving Tools Set
• Antenna - home made model
– ~3-5 dBi gain: cost S$ 4
– ~7-9 dBi gain: cost S$ 10
– ~10-15 dBi gain: cost S$ 14
– Compare with commercial ones costing S$ 120-1000
War-driving Tools Set
• Free tools:
– NetStumbler (Windows) or Kismet (Linux)
– MiniStumbler (Pocket PC 2002)
War-driving in Hong Kong
• Conducted in July 2002
• On the tram from Kennedy Town to Causeway Bay, in 2 hours
• Using common equipment and free software
• Discovery only: no association or IP connection was made
War-driving in Hong Kong
Result:
– 187 access points discovered with antennae
– 77% had no WEP (encryption)
* Compare the 2nd annual Worldwide War Drive: 72% of ~25,000 access
points found did not enable basic WEP encryption
http://www.computerworld.com/mobiletopics/mobile/story/0,10801,74103,00.html
– 51% using the default SSID
– Two strong APs with the same SSID stayed accessible for
3 minutes on the running tram
* Suspected building-to-building connections
Full Report: http://www.pisa.org.hk/event/m_comm_sec2.htm
Legal Aspects
• In Singapore
– Is war driving legal?
– Note that the skill is needed to do your own
internal risk assessment
• In many countries
– Unauthorized access to a computer system
by telecommunication is ILLEGAL
– Connecting to an AP is regarded as accessing
the computer system
Legal Aspects
• War Driving
– It usually refers to discovery
– A line must be drawn between discovery and penetration.
In the latter case a connection is made (i.e. the client
associates with the AP)
• Disclosure of results
– Statistical vs. individual
– The responsible vulnerability disclosure principle should
be observed.
War Chalking
• Intentional disclosure of individual war driving
results, marked in the proximity of the network
• Claimed to be “for sharing of bandwidth”
• The network is opened to all, good guys and bad
2. WLAN Security Risks & Defenses
The 802.11 Alphabet Soup
• 802.11 : 2.4GHz, 2Mbps
• 802.11a : 5GHz, 54Mbps
• 802.11b : ~Wi-Fi, 2.4GHz, 11Mbps
• 802.11e : QoS support for 802.11b/11a
• 802.11g : 2.4GHz, 54Mbps
• 802.11i : Security improvement over 802.11b
• 802.11m : maintenance of the 802.11 standard (not a
network protocol)
IEEE 802.11 Working Group: Task Groups a, b, e, …
WLAN Channels
• Channels 1-14 in the 2.4GHz band; some countries allow channels 1-11 only
[Figure: channel map over 2.400-2.474 GHz; channel 1 centred at 2.412 GHz,
channel 6 at 2.437 GHz, channel 11 at 2.462 GHz, with neighbouring channels overlapping]
WLAN Terms & Basic Concept
• Ad Hoc Mode (IBSS): peer to peer, no access point
• Infrastructure Mode (ESS): clients communicate through an Access Point (AP)
WLAN Terms & Basic Concept
• SSID
– Service Set Identifier: the name identifying a
wireless network
• Beacon
– Periodically broadcast frame carrying the SSID and a
time stamp
• Coverage
– 30m – 30km
WLAN Security Risks
The risks can be classified into 3 classes:
1. Weakened physical security
2. Weak configuration defaults
3. 802.11b protocol weaknesses (ongoing development in
security protocols)
WLAN: Lack of Physical Security
• Signal coverage (200-1000m) > physical boundary
[Figure: the normal signal boundary extends past the physical boundary;
a malicious client with an antenna, a rogue AP and a malicious client sit outside it]
WLAN: Lack of Physical Security
• Building-to-building connections
• War flying: sniffing possible at 2,500 ft height (Perth,
Australia and San Diego, US)
WLAN: Lack of Physical Security
• Fake Access Point (Evil Twin)
– Traffic interception at public WLAN access points
(e.g. coffee shop, airport)
[Figure: client between the genuine AP1 and a Fake AP1]
WLAN Risks in General
• Interception and unauthorized monitoring of
wireless traffic
• Client-to-client attacks
• Jamming (DoS)
• Hacking into your wired system
[Figure: client-to-client attack, jamming and a malicious client]
Consequence of Security Breach
• “Sharing” of bandwidth
– The contractual terms of use may have been violated
• Lowered productivity
• Higher ISP bill
• Information leakage
• Injection of worms into the internal network
• Internal systems being hacked
• War spamming
• Network being used for attacks
– Legal liability for hosting an “on-site” attacker
Defense : Physical Security
• Do not put the AP near doors or windows.
• Enforce a strong management policy and monitoring
– No unauthorized AP allowed. Audit periodically.
• Building-to-building antennae: use a directional radiation
pattern, tune the beam angle
• Lower the Access Point power
• Power off the AP when not in use
Weak Configuration Defaults
• WEP encryption is off
• A well known SSID is used and broadcast
– “linksys”: Linksys brand
– “tsunami”: Cisco brand
• Administrative access is easy
– Web, telnet, snmp are not filtered
– Well known admin ID and password are used
– SNMP community string
• Default strings: public & private
• Access rights: RO & RW
• DHCP for all clients
• No access control on clients
Defense: Configuration Defaults
• Use WEP. A 128bit key is preferred to 64bit
– Some client PCs provide security enhancements
• Harden the SSID. Change the SSID and disable broadcasts
– A hidden SSID gives a false sense of security: it still travels in
clear in probe and association frames
• Harden admin access
– Turn off unnecessary admin access, e.g. telnet, web
– Change the default admin ID & password; choose a hard-to-guess
admin password
– Enable the firewall function
– Turn off SNMP access
• Use static IP addresses and MAC address filtering
– These are useful in small environments only
Are these effective?
• To be honest, NO!
• They are deterring factors that should be applied. For
home-use APs these are cost-effective measures.
• Business use of WLAN needs …
– More security to match the higher risks
– Scalability
• Shared secrets (the WEP key and the SSID) do not scale
• Static IP and MAC filtering are a management nightmare
3. Current WLAN Security Development
Weakness in 802.11b Protocol
• Highlights
– Weak authentication
– WEP has weaknesses (confidentiality)
– Lacks message integrity
– and more …
Details follow …
802.11b Weak Authentication
• Weak authentication
– No user authentication
– SSID is broadcast
– WEP key is static (pre-shared by all users)
– MAC addresses can be spoofed
– No mutual authentication (fake AP!)
802.11b Weak WEP
• WEP == Wired Equivalent Privacy
– Designed to protect wireless communication from
eavesdropping
– Uses a symmetric stream cipher: RC4
– Optional in 802.11b. A static (pre-shared) key is used.
• Commercially claimed key size: 64 or 128 bit
– Effectively only 40 or 104 bit strength: the per-packet RC4 key is
the 24-bit IV followed by the 40- or 104-bit WEP key
– The IV (Initialization Vector) is used to create a varying key stream
from a fixed WEP key
What is IV?
[Figure: IV and WEP key feed the RC4 cipher to produce a key stream;
key stream XOR plaintext = ciphertext]
802.11b Weak WEP
• Static WEP key: key distribution problem
• WEP design vulnerable to statistical key derivation
– Paper by Fluhrer, Mantin & Shamir (Aug 2001)
– Zero knowledge needed: capturing ~4 million frames
can recover the 128-bit WEP key!
– In an extremely busy network it is a matter of 5 hours
or less.
– A busy access point that constantly sends 1500 byte
packets at 11Mbps will exhaust the space of IVs after
1500*8/(11*10^6)*2^24 = ~18000 seconds, or about 5 hours
– The actual time can be shorter due to IV collisions: the same
WEP key is used by all stations; Lucent NICs set IV=0 each time
the card is initialized; some implementations may use a
fixed IV!
Proof-of-Concept Tools
• Tools that proved the concept
– Adam Stubblefield, AT&T Labs
• http://www.cs.rice.edu/~astubble/wep
– WEPCrack
• http://sourceforge.net/projects/wepcrack
– AirSnort: the most successful tool
• http://airsnort.shmoo.com/
802.11b Weak Message Integrity
• 802.11b packets carry a CRC32 integrity check value (ICV)
[Frame layout: IV | Pad & Key ID | Payload | CRC, with Payload and CRC encrypted]
• Vulnerable to bit-flipping attacks
– CRC32 is a linear checksum, meant for error detection only,
not for detecting deliberate tampering
• Vulnerable to replay attacks
– There is no check on message sequence or time stamp
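As an added worked example (not code from the PISA slides or from the tools they cite), the two WEP weaknesses of the preceding slides in one toy RC4/WEP implementation: keystream reuse once the 24-bit IV repeats, and forging a frame through the linear CRC32 ICV without knowing the key. The key, IVs and frame contents are constructed; the attacker-side functions see only ciphertext.

```python
"""Added example (not from the PISA slides): WEP's two design flaws in code.

1. Keystream reuse: the 24-bit IV is prepended to the shared key, so once
   an IV repeats, two frames are XORed with the same RC4 keystream and
   C1 ^ C2 == P1 ^ P2 whatever the key length.
2. CRC32 is linear, so an attacker who flips bits in the encrypted
   payload can fix up the encrypted ICV without knowing the key.

Key, IV and plaintexts below are constructed for the demonstration.
"""
import struct
import zlib


def rc4(key, length):
    """RC4 keystream of `length` bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """Frame body = IV (3 bytes, clear) || RC4_{IV||key}(plaintext || CRC32(plaintext))."""
    assert len(iv) == 3 and len(key) in (5, 13)          # 40- or 104-bit WEP key
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Receiver side: return (plaintext, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    return pt, icv == struct.pack("<I", zlib.crc32(pt) & 0xFFFFFFFF)


def iv_exhaustion_seconds(frame_bytes=1500, rate_bps=11_000_000):
    """Seconds for one busy AP to cycle through all 2**24 IVs (the slide's 5 hour figure)."""
    return frame_bytes * 8 / rate_bps * 2 ** 24


def recover_with_reused_iv(frame1, frame2, known_pt1):
    """Attacker side: same IV in both frames and P1 known gives P2 = C1 ^ C2 ^ P1."""
    assert frame1[:3] == frame2[:3], "different IVs, different keystreams"
    return xor(xor(frame1[3:], frame2[3:]), known_pt1)


def bitflip_forge(frame, delta):
    """Attacker side: XOR `delta` into the encrypted payload and patch the encrypted
    ICV using CRC32 linearity: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0)."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4                                      # payload length without ICV
    delta = delta.ljust(n, b"\x00")
    crc_delta = (zlib.crc32(delta) ^ zlib.crc32(b"\x00" * n)) & 0xFFFFFFFF
    return iv + xor(ct, delta + struct.pack("<I", crc_delta))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"              # constructed 40-bit WEP key
    iv = b"\x00\x00\x00"                       # a card that resets its IV to 0
    f1 = wep_encrypt(key, iv, b"GET /index.html ")
    f2 = wep_encrypt(key, iv, b"secret pass 0042")
    print(recover_with_reused_iv(f1, f2, b"GET /index.html "))
    forged = bitflip_forge(f2, b"\x00" * 12 + xor(b"0042", b"9999"))
    print(wep_decrypt(key, forged))
    print(f"IV space exhausted after {iv_exhaustion_seconds():.0f} s")
```

The forged frame passes the receiver's ICV check even though the attacker never learned the key or the keystream; the same `delta` trick fails against a keyed MIC such as the one TKIP adds later in these slides.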
Patching the 802.11b weakness
• 802.11i
– Security enhancement to 802.11b
– Slow drafting
– Expected to be issued in Q4 of 2003
• WPA (Wi-Fi Protected Access)
– Proposed by the Wi-Fi Alliance in Q4 of 2002 to
meet the intermediate need
– Subset of 802.11i, forward compatible with
802.11i
Wi-Fi Protected Access (WPA)
• WPA
1. Authentication framework / protocol
– 802.1x / EAP
2. TKIP: to strengthen integrity and WEP
• Message Integrity Code (MIC): to prevent
forged packets
• New IV sequencing: to prevent replay attacks
• WEP re-keying
802.1x Authentication Framework
• 802.1x authentication framework
– An IEEE standard for port-based
authentication on Ethernet-like (IEEE 802) LANs
• Links third-party “plug-in”
authentication modules
– Shared key, token card,
Kerberos, PKI, LEAP, …
• Authentication protocol
– Extensible Authentication
Protocol (EAP), carried on the LAN as EAPOL
(EAP over LAN)
– RFC2284
• EAP is available in Windows XP
802.1x Authentication Framework
• Benefits
– Improved user authentication
– Dynamic per-user WEP keys generated after
authentication, with a key timeout. Solves
key distribution!!
– Can enforce centralized policy control and
account auditing
– Can plug in different authentication methods
and encryption algorithms
– Mutual authentication becomes possible
EAP (RFC 2284)
Exchange between Client, AP and Authentication Server (RADIUS):
1. Client sends Start; the access point blocks all other
requests until the client is authenticated
2. AP sends Request Identity
3. Client returns its Identity; the AP relays it to the
Authentication Server
4. Authentication Server authenticates the Client (e.g. Client Cert)
5. Client authenticates the Authentication Server (optional)
6. Both sides derive the session key
7. AP sends the client the broadcast key (with its key length),
encrypted with the session key
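The identity round trip above as a runnable toy, added here (not code from the slides or from any 802.1x implementation). It encodes genuine EAPOL (IEEE 802.1X) and EAP (RFC 2284) headers and enforces the rule that the AP's controlled port stays closed until EAP-Success. The authentication method itself is replaced by a constructed identity allow-list standing in for the RADIUS server, and no session key is derived, so it shows the framing and the port gating, not a secure method.

```python
"""Added example (not from the PISA slides or any 802.1X product): the
EAP identity round trip as a toy exchange between a supplicant (client),
an authenticator (AP) and an authentication server.

Real EAPOL (IEEE 802.1X, EtherType 0x888E) and EAP (RFC 2284) headers are
encoded; the authentication method is a constructed allow-list of
identities standing in for RADIUS, and no session key is derived.
"""
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(pkt_type, body=b""):
    """EAPOL frame body: version | packet type | body length | body."""
    return struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code | identifier | length | [type | type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(raw):
    """Return (packet type, body) of an EAPOL frame."""
    _version, pkt_type, length = struct.unpack_from("!BBH", raw, 0)
    return pkt_type, raw[4:4 + length]


def parse_eap(raw):
    """Return (code, identifier, type or None, type-data) of an EAP packet."""
    code, ident, length = struct.unpack_from("!BBH", raw, 0)
    body = raw[4:length]
    return code, ident, (body[0] if body else None), body[1:]


class AuthServer:
    """Stand-in for the RADIUS server: a constructed allow-list of identities."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def check(self, eap_response):
        code, ident, eap_type, data = parse_eap(eap_response)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and data.decode() in self.allowed:
            return eap(EAP_SUCCESS, ident)
        return eap(EAP_FAILURE, ident)


class AccessPoint:
    """802.1X authenticator: the controlled port opens only on EAP-Success."""

    def __init__(self, server):
        self.server = server
        self.port_open = False
        self.next_id = 1

    def receive_eapol(self, raw):
        """Handle one EAPOL frame from the client; return the frame to send back, if any."""
        pkt_type, body = parse_eapol(raw)
        if pkt_type == EAPOL_START:
            self.port_open = False
            req = eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            self.next_id = (self.next_id + 1) & 0xFF
            return eapol(EAPOL_EAP_PACKET, req)
        if pkt_type == EAPOL_EAP_PACKET:
            verdict = self.server.check(body)      # relayed to RADIUS in a real deployment
            self.port_open = parse_eap(verdict)[0] == EAP_SUCCESS
            return eapol(EAPOL_EAP_PACKET, verdict)
        if pkt_type == EAPOL_LOGOFF:
            self.port_open = False
        return None

    def forward_data(self, payload):
        """Non-EAPOL traffic passes only while the controlled port is open."""
        return self.port_open


def supplicant_session(ap, identity):
    """Client side: EAPOL-Start, answer Request/Identity, return True on EAP-Success."""
    _, body = parse_eapol(ap.receive_eapol(eapol(EAPOL_START)))
    code, ident, eap_type, _ = parse_eap(body)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_IDENTITY:
        return False
    response = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    _, verdict = parse_eapol(ap.receive_eapol(eapol(EAPOL_EAP_PACKET, response)))
    return parse_eap(verdict)[0] == EAP_SUCCESS


if __name__ == "__main__":
    ap = AccessPoint(AuthServer(["alice@example.org"]))     # constructed user database
    print("data before auth forwarded:", ap.forward_data(b"..."))
    print("alice authenticated:", supplicant_session(ap, "alice@example.org"))
    print("data after auth forwarded:", ap.forward_data(b"..."))
```

In a real deployment the Response/Identity is only the first leg: the server then runs an EAP method (TLS, TTLS, PEAP, …) through the same relay before returning Success and the keying material the AP uses for per-user WEP keys.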
EAP variations over 802.11
• LEAP: Light EAP
– Cisco's (static) password based EAP
• PEAP: Protected EAP
– Protects an inner authentication method (e.g. passwords or
one-time tokens) inside a TLS tunnel; requires a server certificate
• EAP-TLS (Transport Layer Security)
– Offers mutual authentication with PKI (client and server certificates)
• EAP-TTLS (Tunnelled Transport Layer Security)
– Requires a server certificate only
Temporal Key Integrity Protocol (TKIP)
TKIP = MIC + WEP Enhancements
• Message Integrity Check (MIC)
• The MIC (a keyed cryptographic checksum) protects the WEP frame
from tampering
• Added MIC field (64 bits)
• Uses a keyed one-way function instead of the linear CRC
• MIC computed over the destination & source hardware addresses and
the payload; the sequence counter separately guards against replay
[Figure: DST, SRC, Payload and Seq feed the keyed hash that produces the MIC]
TKIP - WEP Enhancements
• WEP re-keying
– WEP key changes every 10,000 packets
• Deterrence of replay attacks
– IV extended from 24 bits to a 48-bit sequence counter
– Out-of-sequence packets are dropped, so an IV
cannot be reused
• Per-packet key derived with a mixing function (rather than
plain IV || key concatenation)
Can WPA solve all problems?
• Not yet …
• Besides
– weak authentication
– WEP weaknesses (confidentiality)
– lack of message integrity
there is still one more problem: layer 2 management frames
• Firstly, you need to understand association and disassociation.
Association/Disassociation
• Associations are a basic part of 802.11. They work at the
link layer (layer 2).
• Process of authentication & association
– Client requests authentication
– AP responds with the auth type (Open/WEP)
– Authentication is performed
– Once authenticated, the radio NIC must associate with the AP
before sending data
• Process of de-authentication & disassociation
– The AP can de-authenticate the client and log it off. The
client then disassociates from the AP.
– When an AP is powered off or not accessible, the client also
disassociates from the AP.
More 802.11b Weakness
• Layer 2 management frames are not authenticated
– Management frames are
• association, disassociation, beacons …
– There is no way to verify that the source is the true AP
– An attacker can de-authenticate clients, forcing a
disassociation (DoS)
• Management frames are sent in clear text
– MAC addresses (layer 2) are sent in clear text by the 802.11 spec.
– Sniffing is easy with available drivers and software
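Since management frames carry no authentication, the defender's side of this weakness is detection. The following is an added example (not code from the slides or from AirJack): it decodes raw 802.11 MAC headers and flags a de-authentication flood sent under the AP's own address. The AP and client addresses and the captured frames are constructed inline.

```python
"""Added example (not from the PISA slides or from AirJack): 802.11
management frames are neither authenticated nor encrypted, so anyone can
send de-authentication frames with the AP's address. This parses raw
802.11 MAC headers and flags a de-authentication flood. The AP and
client addresses and the captured frames are constructed inline.
"""
import struct
from collections import deque

TYPE_MGMT = 0
MGMT_SUBTYPES = {0x0: "assoc-req", 0x1: "assoc-resp", 0x4: "probe-req",
                 0x5: "probe-resp", 0x8: "beacon", 0xA: "disassoc",
                 0xB: "auth", 0xC: "deauth"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = bytes.fromhex("00a0c5112233")      # constructed AP / BSSID address
STA = bytes.fromhex("00022d445566")     # constructed client address


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, dst, src, bssid, seq, body=b""):
    """Minimal management frame: frame control | duration | addr1-3 | seq ctl | body."""
    frame_control = (TYPE_MGMT << 2) | (subtype << 4)     # version 0, type 0 (mgmt)
    return (struct.pack("<HH", frame_control, 0) + dst + src + bssid
            + struct.pack("<H", seq << 4) + body)


def parse_frame(raw, ts):
    """Decode the 24-byte MAC header; reason code for deauth/disassoc bodies."""
    fc = struct.unpack_from("<H", raw, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    is_mgmt = ftype == TYPE_MGMT
    reason = None
    if is_mgmt and subtype in (0xA, 0xC) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]
    return {
        "ts": ts,
        "subtype": MGMT_SUBTYPES.get(subtype, f"mgmt-0x{subtype:x}") if is_mgmt else f"type{ftype}",
        "dst": mac_str(raw[4:10]),
        "src": mac_str(raw[10:16]),
        "bssid": mac_str(raw[16:22]),
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,
        "reason": reason,
    }


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Alert when one source sends `threshold` deauth/disassoc frames within
    `window` seconds, and once per source that deauthenticates the broadcast
    address. Returns (kind, source, count, first timestamp) tuples."""
    alerts, recent, bcast_seen = [], {}, set()
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        if f["dst"] == BROADCAST and f["src"] not in bcast_seen:
            bcast_seen.add(f["src"])
            alerts.append(("broadcast-deauth", f["src"], 1, f["ts"]))
        q = recent.setdefault(f["src"], deque())
        q.append(f["ts"])
        while q[0] < f["ts"] - window:
            q.popleft()
        if len(q) == threshold:
            alerts.append(("deauth-flood", f["src"], len(q), q[0]))
    return alerts


def sample_capture():
    """Constructed capture: a beacon, one genuine deauth, then a spoofed flood."""
    cap = [(0.00, build_mgmt(0x8, b"\xff" * 6, AP, AP, 1, b"\x00" * 12)),
           (0.10, build_mgmt(0xC, STA, AP, AP, 2, struct.pack("<H", 3)))]
    for i in range(20):     # attacker spoofs the AP address, reason code 7, every 50 ms
        cap.append((1.0 + i * 0.05, build_mgmt(0xC, b"\xff" * 6, AP, AP, 1000 + i,
                                               struct.pack("<H", 7))))
    return cap


if __name__ == "__main__":
    parsed = [parse_frame(raw, ts) for ts, raw in sample_capture()]
    for alert in detect_deauth_flood(parsed):
        print(alert)
```

The detector cannot tell the spoofed frames from genuine ones by content; it relies on rate and on the broadcast destination, which is why the slides list secure de-authentication among the items left for 802.11i.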
Attack on Layers 1 & 2
• AirJack
by Abaddon at the Black Hat Briefings (BHB), Aug 2002.
http://802.11ninja.net/
– WLAN-Jack: DoS the WLAN
• Can be broadcast or directed
• In directed mode, the user may just think his NIC
has a problem
Attack on Layers 1 & 2
– ESSID-Jack: discover a hidden SSID
• Send a de-authentication frame to the
broadcast address.
• Listen to the client probe requests and AP probe
responses that follow
Attack on Layers 1 & 2
– Monkey-Jack: man-in-the-middle attack
• De-authenticate the victim from the real AP by sending
fake de-authentication frames using the AP's MAC
address
• The victim scans channels for a new AP
• The victim associates with the fake AP (on a new channel) on the
attacker's machine
• The attacker is now inserted between client and
server
– Kracker-Jack: attack weak VPNs
Attack on Layers 1 & 2
• DoS attacks cannot be prevented
• Malformed packets, e.g. a null SSID, cannot be
prevented
Items left by WPA to 802.11i
– Secure de-authentication and disassociation
– Secure IBSS (ad hoc mode of 802.11b)
– Secure fast handoff of public keys
– AES encryption
Infrastructure Defense in WLAN
• Protection of the infrastructure
• Use an appropriate authentication mechanism
• Mitigate the confidentiality risk with higher
level protocols
Defense in using Wireless LAN
• Secure the corporate network perimeter
– Treat the WLAN as an untrusted network. Put it in a separate network
guarded by the perimeter firewall
– Use VPN and strong encryption
– Notebooks should run a personal firewall
[Figure: a client on the WLAN (where a malicious client may also sit) reaches the
internal network only through a VPN tunnel terminated at the VPN gateway behind
the perimeter firewall; the Internet sits outside the firewall]
Higher Level Encryption Protocols
[Figure: end-to-end protocol stack. WEP protects only the 802.11b link between the
client and the WLAN router; IP-VPN (network layer), SSL (transport layer) and PGP
(application layer) protect the traffic end to end across both the 802.11b link and
the Ethernet segment beyond the router.]
Layer        | Protection         | Scope
Application  | PGP …              | end to end
Transport    | SSL                | end to end
Network (IP) | IP-VPN             | end to end
Link         | WEP over 802.11b   | wireless hop only (Ethernet beyond the router)
Physical     | 802.11b / Ethernet | –
Distant WLAN bridges
• Recall from physical security: use directional radiation
• Incorporate VPN capability: use IPSec to establish a tunnel between the 2
endpoints
• Incorporate firewall function: filter off all traffic coming from the wireless
link that is not in the IPSec tunnel
[Figure: two bridges with directional radiation; a malicious client off the beam]
A Linux embedded application firewall implementation:
• “Increasing Bandwidth with Wireless Devices”, Sys Admin magazine, Feb 2003
Other Strategies of WLAN Defense
• IDS
– AirDefense, AirMagnet, IBM Distributed Wireless Security
Auditor (check market availability)
– Freeware: NetStumbler, Kismet, AirSnort
• Honeypot
– Build your own with an isolated HostAP
• Decoy
– FakeAP: a broadcast storm of fake AP beacons to obscure the
true one.
• The same technique is also used in spoofed scanning and
brute force password attacks.
Finding a Rogue AP
• TCP fingerprinting (say by Nmap)
– False positives exist; the scanning is noisy and creates alerts
on scanned clients
• SNMP scan
– Not effective. SNMP is off by default, or the AP has no SNMP
access.
• MAC address inventory
– Match MAC addresses on the LAN to the corporate supported
LAN card brands; gives false negatives (a rogue AP using a supported brand is missed)
• War driving: seems to be the best method
– Partial solution only. You can miss a rogue access point that
has a weak signal range, or for environmental reasons.
Wireless LAN in military
• DoD had banned wireless in Q3 of 2002 but now ...
• Network World News (10-Feb-2003)
– “DoD expects to write up another Wireless Policy by
July 2003”
– “Put responsibility on the person who makes the decision to
buy wireless”
– “National Security Agency (NSA) to develop a Type 1
encryption algorithm HAIPE (High-Assurance Internet
Protocol Encryption) for secure wireless LAN”
(Remark: commercial 3DES and AES are classified as Type 3)
http://www.nwfusion.com/news/2003/0210nsa.html
Conclusion
• Wireless technology is moving faster than anything.
• The security gap is still large, yet 2003 is a
substantial year for WLAN security development.
– Use an UPGRADEABLE solution
• Be sensible in your WLAN investment strategy
– Think carefully before using WLAN for sensitive
services
– Include the cost of risk mitigation in your budget.
Thank You
Questions and Comments can be sent to
S.C. Leung
[email protected]
References
• IEEE 802.11 Workgroup
– http://www.ieee.org
• IEEE 802.1x
– http://www.ieee802.org/1/pages/802.1x.html
– http://www.shmoo.com/1x/
– http://www.Open1x.org
• Wi-Fi Alliance
– http://www.weca.net
• War Driving
– http://www.bawug.org
• War Chalking
– http://www.warchalking.org
• Weakness in the Key Scheduling Algorithm of RC4
– http://online.securityfocus.com/data/library/rc4_ksaproc.pdf
• Cracking WEP FAQ
– http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
References
• Tools
– NetStumbler, MiniStumbler
• http://www.netstumbler.com
– Kismet
• http://www.kismetwireless.net/
– FakeAP
• http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
– WEPCrack
• http://wepcrack.sourceforge.net/
– AirSnort
• http://airsnort.shmoo.com/
– AirJack
• http://802.11ninja.net/
– APTools
• http://aptools.sourceforge.net/
Disclaimer
This material is provided to give information on WLAN security
risks and mitigation measures. It should not be used for
malicious intent. Unauthorized access to a computer system
is an offense.
The points made here are kept concise for the purpose of
presentation. If you require details of tests and
implementation, please refer to the technical references.