EECS 598
Analysis of 802.11 Privacy
Jim McCann & Daniel Kuo

Overview
Part 1:
• The idea
  – What our software does
Part 2:
• Applications: Locating rogue access points
  – How our software can help

Part 1
User identity / MAC address Relationship Identification

Collection Method
• Run a laptop as a sniffer in a wireless network
• Record packets that are sent
• Software used:
  – Kismet
  – Ethereal
  – Lots of Perl
[Diagram labels: Clients, Wireless communication, Base station, Sniffer]

Personal Information
Some interesting packets that leak personal information:
• SMTP packets – unencrypted packets contain source and destination email addresses
• IMAP packets – though encrypted versions are available, some people don’t use them

Personal Information
• Multicast DNS packets – information broadcast for device discovery in Apple’s Rendezvous service. Reveals a computer’s ID (user’s name by default)
• NetBIOS Name Service – used when browsing Windows networks, also shows the computer’s name (though Windows defaults are less revealing)

Personal Information
• HTTP POST – some personal information may be leaked if an unencrypted POST is used
• MSN Messenger packets – the Hotmail address is found in some packets
• Also AIM, YMSG, FTP, Telnet (if anyone still uses it), many other protocols.

Findings
Most of our data is collected in the EECS building, where two networks are available:
• EECS-PRIV: an unencrypted wireless network
• CAEN wireless: can be connected to only with a VPN client

Findings
• Two weeks of data from the EECS-PRIV network:
• Of the 1744 MACs we saw:
  – 850 had some identifying information
  – About 200 had strong identifying info
• Why not more?
  – This counts computers on the VPN which we make no attempt to identify.

Time profile of user
At a coarser level …

Time profile of user
• Based on a MAC address, a time plot of network usage can be used to analyze a user’s behavior.
• Typical plots reveal what time of the day and what days of the week a user is present.
• Might be interesting to malicious parties when a MAC can be correlated to an identity.

Typical User's Time Profile
[Plot: KiloBytes transferred against Time]

Demo
• Demo of our software

Feasibility of identity analysis
• From an attacker’s perspective, an unencrypted network like EECS-PRIV is the easiest one on which to perform the user identity analysis.
• In a WEP environment, it is also possible for an “insider” who has the key, or an attacker who can break the key using chosen plaintext attacks.
• Much more difficult in the CAEN VPN environment

Implications
• A user’s movement can be tracked if the laptop’s wireless card is on, and data collecting nodes are set up in multiple locations.
• Also, attackers can use this technique to target important people (for example, professors or network administrators).

Possible Defense Mechanism
Simple ways to stop others from correlating your personal information with MAC addresses:
• Don’t send personal data
or
• Don’t keep the same MAC address

Possible Defense Mechanism
Not sending personal data:
• Be paranoid
  – Do not send email or passwords in the clear
  – Do not name your computer with your name or uniqname
• Use encryption whenever possible
  – Best to use VPN
  – Using WEP is still better than nothing

Possible Defense Mechanism
Changing your MAC address:
• Software can change the MAC address of many wireless cards
• What is a good time interval?

Possible Defense Mechanism
• Changing only each time you start using the network will be a problem if you stay connected for a long time.
• Changing the MAC address every given amount of time (say 1 hour) may help.
  – Special software to do this seamlessly would be nice, but there are hard cases to deal with (MAC address conflicts!).
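The MAC-rotation defense and its conflict problem, sketched as an added example (not the authors' software). It assumes the client keeps a set of MAC addresses it has observed on the network; the function names and sample addresses are hypothetical, and applying the address to the card is OS-specific and not shown.

```python
import secrets

def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated form; ValueError on bad input."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_private_unicast(mac: str) -> bool:
    """True if the locally administered bit (0x02) is set and the
    multicast bit (0x01) is clear in the first octet."""
    first = int(normalize(mac)[:2], 16)
    return (first & 0x02) != 0 and (first & 0x01) == 0

def random_private_mac(rng=secrets.token_bytes) -> str:
    """Random address that cannot collide with a vendor-assigned one."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # locally administered, unicast
    return ":".join(f"{b:02x}" for b in raw)

def pick_rotation_mac(in_use, current, rng=secrets.token_bytes, max_tries=16):
    """Pick the next address, skipping the current one and every MAC
    already observed on the network (the conflict case from the slide)."""
    taken = {normalize(m) for m in in_use} | {normalize(current)}
    for _ in range(max_tries):
        candidate = random_private_mac(rng)
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free address found")

if __name__ == "__main__":
    observed = ["00:0d:93:aa:bb:cc", "02-11-22-33-44-55"]  # constructed sample
    print(pick_rotation_mac(observed, current="00:0d:93:aa:bb:cc"))
```

The conflict check only covers addresses the client has actually seen, so a station that has been silent can still collide.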

Part 2: Laptops as Rogue Access Points

Laptops as Rogue Access Points
• How to do this:
  – Have the laptop establish an ad-hoc network using the wireless card
  – Access the internet through Ethernet
• This is similar to a commercial access point.
[Diagram labels: Unauthorized clients, Ad-hoc network, Authorized access, Ethernet hub, Ethernet, Authorized client]

Laptops as Rogue Access Points
• It is possible for a laptop to act as a wireless router and allow access to an authorized network.
• It establishes an ad-hoc network with unauthorized clients and routes their packets over to the network that it is authorized on.
[Diagram labels: Unauthorized clients, Ad-hoc network, Authorized access, Authorized client, Base station]

Laptops as Rogue Access Points
• This requires additional hardware (second wireless card) and/or software for the laptop to establish both an ad-hoc network and connect to the authorized network.

Discovering access points
Finding out whether unauthorized access points or ad hoc networks exist isn’t hard.
• Look for people sending packets with BSS IDs you don’t approve of (if you are an admin).
• Look for networks you can connect to (if you are an attacker).

Discovering access points
• Kismet does just this:

Tracking
Finding where they actually are is harder.

Tracking by Identity (our method)
• Possible to figure out who controls the access point by looking at identity data.
• Hypothesis: unauthorized APs are carelessly administered and don’t use encryption.
• Our software can figure out who is using them.

Tracking by Connections
• Find the identity on our network of the rogue access provider by comparing data sent over the ad-hoc network.
• In an unencrypted network (or one we have the keys for), this can be detected by passively sniffing packets.
• More tricky if the data is encrypted
  – Using Signal Processing to Analyze Wireless Data Traffic (Craig Partridge, et al.)
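The admin-side check from "Discovering access points" (flag BSS IDs you don't approve of), as an added example that is not the authors' software. The CSV layout, the allowlist and every address are constructed for illustration; the `also_on_approved` field assumes the bridging laptop uses the same card, and so the same MAC, on both networks.

```python
import csv
import io
from collections import defaultdict

# Constructed allowlist of BSS IDs the admin operates.
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed sample: one row per observed data frame.
SAMPLE = """src,bssid,type
00:0a:95:00:00:01,00:11:22:33:44:01,infrastructure
00:0a:95:00:00:02,00:11:22:33:44:02,infrastructure
00:0a:95:00:00:02,02:aa:bb:cc:dd:ee,adhoc
00:0a:95:00:00:03,02:AA:BB:CC:DD:EE,adhoc
00:0a:95:00:00:04,00:de:ad:be:ef:00,infrastructure
"""

def find_unapproved(rows: str, approved) -> dict:
    """Group stations by every BSS ID that is not on the allowlist."""
    approved = {b.lower() for b in approved}
    stations = defaultdict(set)   # unapproved bssid -> stations seen on it
    kinds = {}                    # unapproved bssid -> network type
    on_approved = set()           # stations seen on an approved BSS ID
    for row in csv.DictReader(io.StringIO(rows)):
        src = row["src"].strip().lower()
        bssid = row["bssid"].strip().lower()
        if bssid in approved:
            on_approved.add(src)
        else:
            stations[bssid].add(src)
            kinds[bssid] = row["type"].strip().lower()
    return {
        bssid: {
            "type": kinds[bssid],
            "stations": sorted(seen),
            # Seen on both sides: candidate for the host doing the routing.
            "also_on_approved": sorted(seen & on_approved),
        }
        for bssid, seen in stations.items()
    }

if __name__ == "__main__":
    for bssid, info in find_unapproved(SAMPLE, APPROVED_BSSIDS).items():
        print(bssid, info)
```

With a second wireless card the two MACs differ and `also_on_approved` stays empty, which is the case the "Tracking by Connections" slides address by comparing traffic instead.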

Tracking by Connections
• Problem: We haven’t found a person, just another computer address.
• We need a list of who uses what on the local network.
• Our software helps!

Tracking by Signal Strength
Alternative:
• Collect data and use signal strength to pinpoint the location of unauthorized clients and access points.
• More complicated.
• A Practical Approach to Identifying and Tracking Unauthorized 802.11 Cards and Access Points (Interlink Networks)

Tracking by Signal Strength
• Locating an access point with signal strength

Uses and Abuses
• Some users may not want their locations to be revealed.
• Spammers may start wardriving.

Conclusion
• Privacy is an issue for wireless networks, especially unencrypted networks.
• MAC addresses can be used to track users.
• Our software can be used to help discover what types of private information are leaked over the network.
• Can also help track users related to an unauthorized access point.

Questions
Questions?

Laptops as Rogue Access Points
Situation where this may be a problem:
• Lufthansa airline is providing in-flight wireless internet service starting this month
• Cost is $29.95 for flights over 6 hours
• Can imagine people ‘sharing’ the internet by using their laptops as rogue access points to share the cost

Uses and Abuses
• Making the location of a user available may be beneficial.
• Google has a beta version of local search. This returns local information like restaurants for a location you enter.
• Can imagine that in the future the location of the user could be made available to Google by the access point.

Uses and Abuses
Tradeoff between convenience and privacy
• Apple’s Rendezvous service automatically discovers available services.
• The user will (by default) name the computer “<First name> <Last name>’s Computer” for sharing purposes, and broadcast this info.
• This reveals the user’s personal information, so from a privacy perspective it would be better to set the default identifier to something else.

Collection Method
• A captured packet viewed with Tethereal