Laptops as Rogue Access Points

EECS 598
Analysis of 802.11 Privacy
Jim McCann & Daniel Kuo
Overview
Part 1:
• The idea
– What our software does
Part 2:
• Applications: Locating rogue access points
– How our software can help
Part 1
User identity / MAC address
Relationship Identification
Collection Method
• Run a laptop as a sniffer in a
wireless network
• Record packets that are sent
• Software used:
– Kismet
– Ethereal
– Lots of PERL
[Diagram labels: Clients, Wireless communication, Base station, Sniffer]
Personal Information
Some interesting packets that leak personal
information:
• SMTP packets – unencrypted packets
contain source and destination email
address
• IMAP packets – though encrypted versions
are available, some people don’t use them
Personal Information
• Multicast DNS packets – information
broadcast for device discovery in Apple’s
Rendezvous service. Reveals a computer’s
ID (user’s name by default)
• NetBIOS Name Service – used when
browsing Windows networks, also shows
computer’s name (though Windows defaults
are less revealing)
Personal Information
• HTTP post – some personal information
may be leaked if unencrypted post is used
• MSN Messenger packets – the Hotmail
address is found in some packets
• Also AIM, YMSG, FTP, Telnet (if anyone
still uses it), and many other protocols.
Findings
Most of our data is collected in the EECS
building, where two networks are available:
• EECS-PRIV: an unencrypted wireless
network
• CAEN wireless: can be connected only
with VPN client
Findings
• Two weeks of data from the EECS-PRIV
network:
• Of the 1744 MACs we saw:
– 850 had some identifying information
– About 200 had strong identifying info
• Why not more?
– This counts computers on the VPN which we
make no attempt to identify.
Time profile of user
At a coarser level …
Time profile of user
• Based on a MAC address, a time plot of
network usage can be used to analyze user’s
behavior.
• Typical plots reveal:
- what time of the day
- what days of the week
a user is present.
• Might be interesting for malicious parties
when MAC can be correlated to identity.
Typical User's Time Profile
[Figure: KiloBytes transferred (y-axis, 0 to 45) against Time (x-axis, day and hour)]
Demo
• Demo of our software
Feasibility of identity analysis
• An unencrypted network like EECS-PRIV is
the easiest for an attacker to perform
user-identity analysis on
• In a WEP environment, it is also possible
for an “insider” who has the key, or an
attacker who can break the key using
chosen plaintext attacks.
• Much more difficult in the CAEN VPN
environment
Implications
• A user’s movement can be tracked if the
laptop’s wireless card is on, and data
collecting nodes are set up in multiple
locations.
• Also, attackers can use this technique to
target important people (for example,
professors or network administrators).
Possible Defense Mechanism
Simple ways to stop others from correlating
your personal information with MAC
Addresses:
• Don’t send personal data
or
• Don’t keep the same MAC address
Possible Defense Mechanism
Not sending personal data:
• Be paranoid
- Do not send email, passwords in the clear
- Do not name your computer with your
name or uniqname
• Use encryption whenever possible
- Best to use VPN
- Using WEP is still better than nothing
Possible Defense Mechanism
Changing your MAC Addresses:
• Software can change the MAC address of
many wireless cards
• When is a good time interval?
Possible Defense Mechanism
• Changing every time you start using the
network will be a problem if you stay
connected for a long time.
• Changing MAC address every given
amount of time (say 1 hour) may help.
– Special software to do this seamlessly would be
nice, but there are hard cases to deal with
(MAC address conflicts!).
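The rotation idea above, sketched as an added example (not the presenters' software): pick a random locally administered unicast MAC and retry when it collides with an address already seen on the network. The function names and the `in_use` set are assumptions; applying the address to an interface is OS-specific and left out.

```python
import secrets


def random_local_mac(rng=secrets.token_bytes):
    """Random 48-bit MAC with the locally-administered bit set and the
    multicast bit cleared, so it cannot clash with vendor-assigned ranges."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


def is_local_unicast(mac):
    """True if the first octet marks a locally administered, unicast address."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def pick_mac(in_use, max_tries=16, rng=secrets.token_bytes):
    """Return a fresh address not present in `in_use` (addresses already
    observed on the network, e.g. from a sniffer log). Raises if every
    attempt collides, which is the 'hard case' the slide mentions."""
    taken = {m.strip().lower() for m in in_use}
    for _ in range(max_tries):
        candidate = random_local_mac(rng)
        if candidate not in taken:
            return candidate
    raise RuntimeError("no conflict-free MAC address found")


if __name__ == "__main__":
    # Constructed sample of addresses already in use on the network.
    observed = {"02:00:00:00:00:01", "00:aa:bb:00:00:02"}
    print(pick_mac(observed))
```

A check against observed addresses only covers stations that have transmitted while the sniffer was listening, so a conflict can still occur after the change.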
Part 2:
Laptops as Rogue Access Points
Laptops as Rogue Access Points
• How to do this:
– Have the laptop establish an ad-hoc network
using the wireless card
– Access the internet through ethernet
• This is similar to a commercial access
point.
[Diagram labels: Unauthorized clients, Ad-hoc network, Authorized client, Authorized access, Ethernet, Ethernet hub]
Laptops as Rogue Access Points
• It is possible for a laptop to act as a wireless
router and allow access to an authorized
network.
• It establishes an ad-hoc network with
unauthorized clients and routes their packets
over to the network that it is authorized on.
[Diagram labels: Unauthorized clients, Ad-hoc network, Authorized client, Authorized access, Base station]
Laptops as Rogue Access Points
• This requires additional hardware
(second wireless card) and/or software for
the laptop to establish both an ad-hoc
network and connect to the authorized
network.
Discovering access points
Finding if unauthorized access points or ad
hoc networks exist isn’t hard.
• Look for people sending packets with
BSSIDs you don’t approve of (if you are an
admin).
• Look for networks you can connect to (if
you are an attacker).
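The admin-side check above, as an added example (not the presenters' software): compare the BSSIDs seen in sniffed frames against an allow-list and report what is left over. The allow-list, the record layout and all addresses are constructed; `stations_on_both` is a heuristic for a single-card laptop seen on both an approved and an unapproved network.

```python
from collections import defaultdict

# Hypothetical allow-list of approved BSSIDs (constructed values).
APPROVED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed sample records: (source MAC, BSSID, mode), the kind of summary
# a sniffer log could be reduced to. None of these are real addresses.
FRAMES = [
    ("00:AA:BB:00:00:01", "00:11:22:33:44:01", "infrastructure"),
    ("00:aa:bb:00:00:02", "00:11:22:33:44:02", "infrastructure"),
    ("00:aa:bb:00:00:03", "02:de:ad:be:ef:01", "ad-hoc"),
    ("00:aa:bb:00:00:04", "02:de:ad:be:ef:01", "ad-hoc"),
    ("00:aa:bb:00:00:01", "02-DE-AD-BE-EF-01", "ad-hoc"),
    ("00:aa:bb:00:00:05", "00:11:22:33:44:99", "infrastructure"),
]


def norm(mac):
    """Lower-case, colon-separated form so allow-list lookups are reliable."""
    return mac.strip().lower().replace("-", ":")


def unapproved_bssids(frames, approved):
    """Map each BSSID not on the allow-list to its modes, stations and frame count."""
    allowed = {norm(b) for b in approved}
    seen = defaultdict(lambda: {"modes": set(), "stations": set(), "frames": 0})
    for src, bssid, mode in frames:
        key = norm(bssid)
        if key in allowed:
            continue
        seen[key]["modes"].add(mode)
        seen[key]["stations"].add(norm(src))
        seen[key]["frames"] += 1
    return dict(seen)


def stations_on_both(frames, approved):
    """Stations heard on an approved BSSID and an unapproved one (heuristic)."""
    allowed = {norm(b) for b in approved}
    on_ok, on_bad = set(), set()
    for src, bssid, _mode in frames:
        (on_ok if norm(bssid) in allowed else on_bad).add(norm(src))
    return on_ok & on_bad


if __name__ == "__main__":
    for bssid, info in sorted(unapproved_bssids(FRAMES, APPROVED).items()):
        print(bssid, sorted(info["modes"]), info["frames"], sorted(info["stations"]))
    print("on both:", sorted(stations_on_both(FRAMES, APPROVED)))
```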
Discovering access points
• Kismet does just this:
Tracking
Finding where they actually are is harder.
Tracking by Identity (our method)
• Possible to figure out who controls the
access point by looking at identity data.
• Hypothesis: unauthorized APs are carelessly
administered and don’t use encryption.
• Our software can figure out who is using
them.
Tracking by Connections
• Find identity on our network of the rogue
access provider by comparing data sent over
the ad-hoc network.
• In an unencrypted network (or one we have
the keys for), this can be detected by
passively sniffing packets.
• More tricky if the data is encrypted – Using
Signal Processing to Analyze Wireless Data
Traffic (Craig Partridge, et al.)
Tracking by Connections
• Problem: We haven’t found a person, just
another computer address.
• We need a list of who uses what on the local
network.
• Our software helps!
Tracking by Signal Strength
Alternative:
• Collect data and use signal strength to
pinpoint the location of unauthorized clients
and access points.
• More complicated.
• A Practical Approach to Identifying and
Tracking Unauthorized 802.11 Cards and
Access Points (Interlink Networks)
Tracking by Signal Strength
• Locating an access point with signal
strength
Uses and Abuses
• Some users may not want their locations to
be revealed.
• Spammers may start wardriving.
Conclusion
• Privacy is an issue for wireless networks,
especially unencrypted networks.
• MAC addresses can be used to track users.
• Our software can be used to help discover
what types of privacy information are
leaked over the network.
• Can also help track users related to an
unauthorized access point.
Questions
Questions?
Laptops as Rogue Access Points
Situation where this may be a problem:
• Lufthansa airline is providing in-flight wireless
internet service starting this month
• Cost is $29.95 for flights over 6 hours
• Can imagine people ‘sharing’ the internet by
using their laptops as rogue access points to
share the cost
Uses and Abuses
• Making the location of a user available may
be beneficial.
• Google has a beta version of local search.
This returns local information like
restaurants for a location you enter.
• Can imagine that in the future the location
of the user could be made available to Google
by the access point.
Uses and Abuses
Tradeoff between convenience and privacy
• Apple’s Rendezvous service automatically
discovers available services.
• By default, the user’s computer is named
“<First name> <Last name>’s Computer” for
sharing purposes, and this name is broadcast.
• This reveals the user’s personal information, so
from a privacy perspective it would be better to
set the default identifier to something else.
Collection Method
• A captured packet viewed with Tethereal