http://www.cyanline.com
Advanced High-tech Security
Tracking and recovering a stolen
iPhone…
Author of…
Steven Branigan, President
steveb@cyanline.com
Who am I?
• Former…
– Bell Labs Researcher, Bellcore Engineer, Cop
• Author of High Tech Crimes Revealed.
– Observed that insiders are more dangerous than
outsiders.
• My company, CyanLine handles
– Wireless security products.
– Network auditing and consulting.
– Devising new tools for technical investigations.
Copyright (c) 2009, CyanLine LLC. All rights reserved.
The glossary for today
• GSM (Global Systems for Mobile Communication): A digital cellular or PCS standard for how data is coded and transferred through the wireless spectrum. It is the 2G wireless standard throughout the world, except in the United States. GSM is an alternative to CDMA.
• GHz (Gigahertz): One billion radio waves, or cycles, per second. Equal to 1,000 megahertz.
• GPS (Global Positioning System): A satellite-based navigation system made up of a network of 24 satellites placed into orbit by the U.S. Department of Defense.
• Hot Spots: Wireless access points that are found in public places such as airports, convention centers, hotels and coffee shops.
• Hz (Hertz): A unit of measurement of one cycle per second, or one radio wave passing one point in one second of time.
• ISP (Internet Service Provider): Company which resells internet access.
• LAN (Local Area Network): A system that links together electronic office equipment, such as computers and word processors, and forms a network within an office or building.
• MMS (Multimedia Messaging Service): A method for transmitting graphics, video clips, sound files and short text messages over wireless networks using the WAP protocol.
• MHz (Megahertz): One million radio waves, or cycles, per second. Equal to one thousand kilohertz.
• MAC (Media Access Control): A hard-coded or permanent address applied to hardware at the factory.
• NAT (Network Address Translation): A security technique, generally applied by a router, that makes many different IP addresses on an internal network appear to the Internet as a single address.
• Ping (Packet Information Groper): A protocol that sends a message to another computer and waits for acknowledgment, often used to check if another computer on a network is reachable.
• Point-to-Point: Method of transporting IP packets over a serial link between the user and the ISP.
• Point-to-Multipoint: A communications network that provides a path from one location to multiple locations (from one to many).
• RFID (Radio Frequency Identification): An analog-to-digital conversion technology that uses radio frequency waves to transfer data between a moveable item and a reader to identify, track or locate that item.
• SID (System Identification): A five digit number that indicates which service area the phone is in. Most carriers have one SID assigned to their service area.
• SSID (Service Set Identifier): A unique 32-character password that is assigned to every WLAN device and detected when one device sends data packets to another.
• TDMA (Time Division Multiple Access): A wireless technology that allows for digital transmission of radio signals between a mobile device and a fixed radio base station. It allows for increased bandwidth over digital cellular networks.
• TCP/IP (Transmission Control Protocol / Internet Protocol): Internet protocol suite developed by the US Department of Defense in the 1970s. TCP governs the exchange of sequential data. IP routes outgoing and recognizes incoming messages.
• VoIP (Voice over Internet Protocol): Any technology providing voice telephony services over IP, including CODECs, streaming protocols and session control.
• VHF (Very High Frequency): Referring to radio channels in the 30 to 300 MHz band.
• WAP (Wireless Application Protocol): A technology for wideband digital radio communications in Internet, multimedia, video and other capacity-demanding applications. It provides a data rate of 2 Mbps.
• WEP (Wired Equivalent Privacy): A feature used to encrypt and decrypt data signals transmitted between WLAN devices.
• Wi-Fi: Short for wireless fidelity; used generically when referring to any type of 802.11 network, including 802.11b, 802.11a, 802.11g.
• WAN (Wide Area Network): A communications network that uses such devices as telephone lines, satellite dishes, or radio waves to span a larger geographic area than can be covered by a LAN.
• WISP (Wireless Internet Service Provider): See ISP.
• Zulu Time: Synonymous with Greenwich Meridian Time, a time designation used in satellite systems.
Terms…
• Wireless networking issues…
– Rogue Access Points
– Hotspots
– WEP/WPA
– Probing clients
– SSIDs
– Wi-Fi vs Wi-Max
– Piggybacking…
$\mathrm{Dist} = \sqrt{\dfrac{100\,\mathrm{mW}}{4\pi \cdot \mathrm{rssi}}}$
WiFi Issues
• Sniffing network traffic
– Traffic can be intercepted in clear text.
• Stealing network access
– Unauthorized people getting on my network.
– Anonymous access
• Denial of service
• Employees using unauthorized networks.
• A laptop unexpectedly joining with an AP.
• Employees/contractors bypassing filters and accessing inappropriate content in the office.
WiFi network issues
• #1 Piggybacking & the near miss search warrant
• #2 Anonymous threats
• #3 Network storage devices.
• #4 Why these cases are more challenging than cellular based wireless.
What if scenarios
• What if the suspect traffic is coming from an apartment building?
• What if the suspect traffic is tracked back to a corporate café’s hotspot?
• What if your jurisdiction has municipal wireless networking?
Test time
1. Can multiple wireless networks co-exist in the same room on the same channel?
YES
2. Can multiple wireless networks co-exist in the same room on the same channel with the same SSID name?
YES
3. Do users have the ability to control which wireless networks they use?
YES
4. Can you remotely detect which wireless network a computer is attached to?
YES
5. Can a wireless access point control which laptops connect to it?
YES
Test time (2)
6. Can a wireless access point control which wireless networks a laptop connects to?
NO
7. Can a laptop be remotely disconnected from a wireless network?
YES
8. Does WEP encryption protect the MAC address?
NO
9. Does WPA encryption protect the MAC address while in transit?
NO
10. Do freeware solutions exist to find wireless networks?
YES
Test time (3)
11. If my wireless card is not attached to any network, will it still search for networks I have attached to in the past?
YES
12. Do freeware solutions exist to find hidden networks?
YES
13. Do freeware solutions exist to defeat wireless encryption?
YES
14. Can a laptop be attached to both a wired and wireless network at the same time?
YES
15. Can a stolen laptop be tracked by wireless?
YES
Law Enforcement Issues
• Does house have wireless AP?
• Is suspect actually accessing network from someone else’s wireless network?
• Does the house have wireless disk drives?
• Check passively?
• Are non-standard cards being used?
• a vs. b vs. g networks?
• MIMO and other range extenders?
• Signal strength as a piece of forensic data?
• Others?
Case start
• iPhone left in a movie theater (after Sherlock Holmes no less)
• Popcorn guy didn’t turn the phone in
• He tried a research app that uses GPS
• I disabled phone access
• He deleted my email
• I disabled email access
• Located with GPS, WiFi (FIOS) IP accesses to my email server, and WiFi sniffing
• Phone recovered, case pending
• Lost/Stolen iPhone
– iPhones are 3G and WiFi capable.
• Typical owner response?
– Turn off cell service.
• Well, iPhone can still be used on WiFi networks, right?
Still being used
• Case changed from lost to stolen iPhone when owner noticed that his emails were deleted.
• The phone also had a research application called airgrafiti that collected GPS coordinates.
• Could this phone be found?
Cellular aside
• AT&T store says a lot are stolen
• No provision offered to blacklist the phone
– I believe this is done in Europe
• AT&T should be able to locate the phone
– Has ESN/MIN pair registration data and tower data.
• AGPS data and tower interaction
– Tower positioning data
• National MAC address registry?
– Useful in WiFi cases especially
• Expectation of privacy with stolen iPhone?
– None in NJ
MAC address
• The owner had the MAC address for the wireless card.
– MAC addresses should be unique.
– MAC addresses can be spoofed, but we thought it unlikely with an iPhone.
• Just listen for the MAC address.
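Why "just listen for the MAC address" works even on an encrypted network (test questions 8, 9 and 11 above): the 802.11 header carrying the addresses is never encrypted, and an unassociated client probing for a remembered SSID announces itself. Added example, not code from the deck or from AP-Finder; the MAC addresses and SSID are constructed sample values.

```python
# Added example, not from the CyanLine deck: parse the (always cleartext)
# 802.11 MAC header to show why WEP/WPA never hide a client's MAC address,
# and why an unassociated client probing for a remembered SSID reveals both.
# All frames below are constructed sample data, not real captures.
import struct

CLIENT_MAC = bytes.fromhex("001122334455")   # constructed iPhone Wi-Fi MAC
AP_BSSID   = bytes.fromhex("66778899aabb")   # constructed access point BSSID
BROADCAST  = b"\xff" * 6

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(frame):
    """Type/subtype, Protected flag and addresses from the 24-byte header.
    Only the body after the header is ever encrypted by WEP/WPA."""
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    protected = bool(fc1 & 0x40)             # Protected Frame bit = WEP/WPA on
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds == 0 and from_ds == 1:          # data frame, AP -> client
        dst, bssid, src = a1, a2, a3
    elif to_ds == 1 and from_ds == 0:        # data frame, client -> AP
        bssid, src, dst = a1, a2, a3
    else:                                    # management frames, ad hoc
        dst, src, bssid = a1, a2, a3
    info = {"type": ftype, "subtype": subtype, "protected": protected,
            "src": mac_str(src), "dst": mac_str(dst), "bssid": mac_str(bssid),
            "ssid": None}
    if ftype == 0 and subtype == 4:          # probe request: body = SSID IE first
        body = frame[24:]
        if len(body) >= 2 and body[0] == 0:
            info["ssid"] = body[2:2 + body[1]].decode("utf-8", "replace")
    return info

def build_frame(fc0, fc1, a1, a2, a3, body):
    """Frame Control, Duration, Addr1-3, Sequence Control, then the body."""
    return struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + b"\x00\x00" + body

# WPA-protected data frame AP -> client: type 2 data (fc0 = 0x08),
# fc1 = FromDS (0x02) | Protected (0x40); body stands in for ciphertext.
PROTECTED_DATA = build_frame(0x08, 0x42, CLIENT_MAC, AP_BSSID, AP_BSSID,
                             b"\xde\xad\xbe\xef" * 4)
# Probe request from the unassociated client for a network it used before:
# type 0 management, subtype 4 (fc0 = 0x40); SSID element id 0, length 9.
PROBE_REQ = build_frame(0x40, 0x00, BROADCAST, CLIENT_MAC, BROADCAST,
                        bytes([0, 9]) + b"home-wifi")
```

Parsing PROTECTED_DATA yields the client as destination with protected=True; parsing PROBE_REQ yields the client as source together with the SSID it is looking for.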
APFinder4
• We have been working on AP-Finder, and this seemed like a perfect opportunity to exercise it in the wild.
• Taking the GPS data, drove around the neighborhood looking for the MAC address.
• Remember, we are looking for the MAC address of the client, not of the Access Point.
MAC search
The basics on wireless
• IEEE 802.11 (b) and (g)
– 2.4 GHz
– 11 channels in US, 14 in other places
– 11 Mbit/s to 54 Mbit/s
• IEEE 802.11(a)
– 5 GHz
– 16 channels
– 54 Mbit/s
• Signals can travel far, as long as you have a good receive antenna.
Network types
• “Managed” networks
– Clients talk to an access point.
– Very common type of network.
– Easy to set up.
• Peer-to-peer networks
– Computers talk to each other directly.
– Usually more difficult to set up.
Signal strength issues
• Good for distance “estimation”
• Not good for triangulation
The theory
• Signal emanates from transmission source spherically with a specific power, say 100 mW.
• With time, the sphere gets larger
Conservation of power
• The power per unit of area gets smaller as the sphere gets larger.
$$\mathrm{Power(received)} = \frac{\mathrm{Power(transmit)}}{4\pi\,\mathrm{Dist}^2}$$
• This gives us a simple formula for distance based upon signal strength.
$$\mathrm{Dist} = \sqrt{\frac{\mathrm{Power(transmit)}}{4\pi\,\mathrm{Power(received)}}}$$
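The inverse-square relation above, applied to RSSI readings, and the reason the earlier slide calls signal strength good for "estimation" but not for triangulation. Added example, not code from the deck; it assumes the 100 mW transmit power the deck uses, RSSI reported in dBm as Wi-Fi cards do, and constructed sample readings.

```python
# Added example, not from the CyanLine deck: the deck's free-space relation
# Power(received) = Power(transmit) / (4*pi*Dist^2), solved for Dist, applied
# to RSSI readings. Shows why one reading ranks near/far but cannot triangulate.
import math

def dbm_to_mw(dbm):
    """Wi-Fi cards report RSSI in dBm; the formula needs linear power in mW."""
    return 10 ** (dbm / 10.0)

def estimate_distance(p_tx_mw, p_rx_mw):
    """Dist = sqrt(Power(transmit) / (4*pi*Power(received))) for an ideal
    spherical source. Caveat: the deck's Power(received) is really power per
    unit area, so treat the result as a relative scale, not metres."""
    if p_rx_mw <= 0:
        raise ValueError("received power must be positive")
    return math.sqrt(p_tx_mw / (4 * math.pi * p_rx_mw))

def rank_by_distance(readings, p_tx_mw=100.0):
    """readings: (label, rssi_dbm) pairs; returns labels nearest-first,
    assuming every transmitter uses the deck's 100 mW."""
    ordered = sorted(readings,
                     key=lambda r: estimate_distance(p_tx_mw, dbm_to_mw(r[1])))
    return [label for label, _ in ordered]

def attenuation_error(p_tx_mw, rssi_dbm, loss_db):
    """Same transmitter, same true distance, but a steel wall (see the signal
    reflection slide) adds loss_db of attenuation: the distance estimate is
    inflated by 10**(loss_db/20), e.g. 10x for 20 dB. That is why a single
    strength reading cannot be turned into a triangulation fix."""
    d_direct = estimate_distance(p_tx_mw, dbm_to_mw(rssi_dbm))
    d_behind = estimate_distance(p_tx_mw, dbm_to_mw(rssi_dbm - loss_db))
    return d_behind / d_direct

if __name__ == "__main__":
    # Constructed sample readings of the same client MAC from three positions.
    sample = [("corner A", -70), ("corner B", -40), ("corner C", -55)]
    print(rank_by_distance(sample))                      # corner B nearest
    print(round(attenuation_error(100.0, -50, 20), 2))   # 10.0
```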
Signal reflection
[Figure: an AP, a steel wall and a receiver; the legend distinguishes blocked, strongest, primary, medium, secondary and weakest signal paths.]
Wireless conversations
• A pairing of an Access Point with a wireless client.
– Can be viewed in realtime
– Can be discovered “forensically”.
Probing client
• House located…
• And it was not the one identified by GPS.
Result…
• Charged with fourth degree theft, and third degree computer crime.
Other options?
• Subpoena carrier for location information.
– Would have worked. In fact, we used it to confirm the data.
– Only useful if you have the accessing IP address, which we had because the owner was running his own email server.
Access the router
• Almost all of these routers do not contain permanent disk storage.
– Therefore, you need to access it while it is still powered.
– The storage is volatile, so you need to move quickly.
– For the very skilled, you can access it remotely…
Access the router
• If you can gain access, be prepared to make screen snapshots.
– Get the DHCP/MAC table, including expiration times.
– Get the External IP address, including the last update/expiration time.
– Get the permanent NAT address translation information.
• Unfortunately, it is different for each vendor.
A little test
• It’s about user behavior
• Set it up and they shall come…
Forensic challenges
• What can be spoofed.
• What can be cracked.
– WEP keys
• What can not be spoofed?
– Power levels
• MIMO technology and implications.
• Info in wireless connector
Open Issues
• Can wireless be monitored passively?
• Can wireless be monitored legally?
• Which tools to use?
• Which tools to avoid?
Freeware Wireless Tools…
• Sniffers
– Tcpdump
– Wireshark
• Network discovery
– Kismet
– Netstumbler (Windows)
• Break encryption
– WEPcrack
– Asleap
• APtools
– Hostap
– Fakeap
– APhopper
Wireless Encryption
• If you have the key, you can listen to all the traffic on the network.
– So, WEP/WPA give you a little privacy, but not a lot.
Some more existing tools
• MAC address changing
– Using MacAddressChanger.exe
– Using TMAC
• Cracking WEP keys.
– aircrack-ptw can crack WEP in less than a minute.
• Traffic monitoring
– Wireless sniffing
• Karma
– Allows a user to set up their own base station on their laptop.