Tracking and recovering a stolen iPhone…
Author of…
Steven Branigan, President
steveb@cyanline.com
Advanced High-tech Security
http://www.cyanline.com

Who am I?
• Former…
  – Bell Labs Researcher, Bellcore Engineer, Cop
• Author of High Tech Crimes Revealed.
  – Observed that insiders are more dangerous than outsiders.
• My company, CyanLine handles
  – Wireless security products.
  – Network auditing and consulting.
  – Devising new tools for technical investigations.
Copyright (c) 2009, CyanLine LLC. All rights reserved.

The glossary for today
GSM (Global Systems for Mobile Communication): A digital cellular or PCS standard for how data is coded and transferred through the wireless spectrum. It is the 2G wireless standard throughout the world, except in the United States. GSM is an alternative to CDMA.
GHz (Gigahertz): One billion radio waves, or cycles, per second. Equal to 1,000 megahertz.
GPS (Global Positioning System): A satellite-based navigation system made up of a network of 24 satellites placed into orbit by the U.S. Department of Defense.
Hot Spots: Wireless access points that are found in public places such as airports, convention centers, hotels and coffee shops.
Hz (Hertz): A unit of measurement of one cycle per second, or one radio wave passing one point in one second of time.
ISP (Internet Service Provider): Company which resells internet access.
LAN (Local Area Network): A system that links together electronic office equipment, such as computers and word processors, and forms a network within an office or building.
MMS (Multimedia Messaging Service): A method for transmitting graphics, video clips, sound files and short text messages over wireless networks using the WAP protocol.
MHz (Megahertz): One million radio waves, or cycles, per second. Equal to one thousand kilohertz.
MAC (Media-Access Control): A hard-coded or permanent address applied to hardware at the factory.
NAT (Network Address Translation): A security technique, generally applied by a router, that makes many different IP addresses on an internal network appear to the Internet as a single address.
Ping (Packet Information Groper): A protocol that sends a message to another computer and waits for acknowledgment, often used to check if another computer on a network is reachable.
Point-to-Point: Method of transporting IP packets over a serial link between the user and the ISP.
Point-to-Multipoint: A communications network that provides a path from one location to multiple locations (from one to many).
RFID (Radio Frequency Identification): An analog-to-digital conversion technology that uses radio frequency waves to transfer data between a moveable item and a reader to identify, track or locate that item.
SID (System Identification): A five-digit number that indicates which service area the phone is in. Most carriers have one SID assigned to their service area.
SSID (Service Set Identifier): A unique 32-character password that is assigned to every WLAN device and detected when one device sends data packets to another.
TDMA (Time Division Multiple Access): A wireless technology that allows for digital transmission of radio signals between a mobile device and a fixed radio base station. It allows for increased bandwidth over digital cellular networks.
TCP/IP (Transmission Control Protocol / Internet Protocol): Internet protocol suite developed by the US Department of Defense in the 1970s. TCP governs the exchange of sequential data. IP routes outgoing and recognizes incoming messages.
VoIP (Voice over Internet Protocol): Any technology providing voice telephony services over IP, including CODECs, streaming protocols and session control.
VHF (Very High Frequency): Referring to radio channels in the 30 to 300 MHz band.
WAP (Wireless Application Protocol): A technology for wideband digital radio communications in Internet, multimedia, video and other capacity-demanding applications. It provides a data rate of 2 Mbps.
WEP (Wired Equivalent Privacy): A feature used to encrypt and decrypt data signals transmitted between WLAN devices.
Wi-Fi: Short for wireless fidelity; used generically when referring to any type of 802.11 network, including 802.11b, 802.11a and 802.11g.
WAN (Wide Area Network): A communications network that uses such devices as telephone lines, satellite dishes, or radio waves to span a larger geographic area than can be covered by a LAN.
WISP (Wireless Internet Service Provider): See ISP.
Zulu Time: Synonymous with Greenwich Meridian Time, a time designation used in satellite systems.

Terms…
• Wireless networking issues…
  – Rogue Access Points
  – Hotspots
  – WEP/WPA
  – Probing clients
  – SSIDs
  – Wi-Fi vs Wi-Max
  – Piggybacking…
$\text{Dist} = \sqrt{100\,\text{mW} / (4\pi \cdot \text{rssi})}$

WiFi Issues
• Sniffing network traffic
  – Traffic can be intercepted in clear text.
• Stealing network access
  – Unauthorized people getting on my network.
  – Anonymous access
• Denial of service
• Employees using unauthorized networks.
• A laptop unexpectedly joining with an AP.
• Employees/contractors bypassing filters and accessing inappropriate content in the office.

WiFi network issues
• #1 Piggybacking & the near miss search warrant
• #2 Anonymous threats
• #3 Network storage devices.
• #4 Why these cases are more challenging than cellular based wireless.
What if scenarios
• What if the suspect traffic is coming from an apartment building?
• What if the suspect traffic is tracked back to a corporate café’s hotspot?
• What if your jurisdiction has municipal wireless networking?

Test time
1. Can multiple wireless networks co-exist in the same room on the same channel? YES
2. Can multiple wireless networks co-exist in the same room on the same channel with the same SSID name? YES
3. Do users have the ability to control which wireless networks they use? YES
4. Can you remotely detect which wireless network a computer is attached to? YES
5. Can a wireless access point control which laptops connect to it? YES

Test time (2)
6. Can a wireless access point control which wireless networks a laptop connects to? NO
7. Can a laptop be remotely disconnected from a wireless network? YES
8. Does WEP encryption protect the MAC address? NO
9. Does WPA encryption protect the MAC address while in transit? NO
10. Do freeware solutions exist to find wireless networks? YES

Test time (3)
11. If my wireless card is not attached to any network, will it still search for networks I have attached to in the past? YES
12. Do freeware solutions exist to find hidden networks? YES
13. Do freeware solutions exist to defeat wireless encryption? YES
14. Can a laptop be attached to both a wired and wireless network at the same time? YES
15. Can a stolen laptop be tracked by wireless? YES
Law Enforcement Issues
• Does house have wireless AP?
• Is suspect actually accessing network from someone else’s wireless network?
• Does the house have wireless disk drives?
• Check passively?
• Are non-standard cards being used?
• a vs. b vs. g networks?
• MIMO and other range extenders?
• Signal strength as a piece of forensic data?
• Others?

Case start
• iPhone left in a movie theater (after Sherlock Holmes no less)
• popcorn guy didn’t turn the phone in
• he tried a research app that uses GPS
• I disabled phone access
• He deleted my email
• I disabled email access
• Located with GPS, WiFi (FIOS) IP accesses to my email server, and WiFi sniffing
• phone recovered, case pending

• Lost/Stolen iPhone
  – iPhones are 3G and WiFi capable.
• Typical owner response?
  – Turn off cell service.
• Well, iPhone can still be used on WiFi networks, right?

Still being used
• Case changed from lost to stolen iPhone when owner noticed that his emails were deleted.
• The phone also had a research application called airgrafiti that collected GPS coordinates.
• Could this phone be found?
Cellular aside
• AT&T store says a lot are stolen
• No provision offered to blacklist the phone
  – I believe this is done in Europe
• AT&T should be able to locate the phone
  – Has ESN/MIN pair registration data and tower data.
• AGPS data and tower interaction
  – Tower positioning data
• National MAC address registry?
  – Useful in WiFi cases especially
• Expectation of privacy with stolen iPhone?
  – None in NJ

Mac address
• The owner had the MAC address for the wireless card.
  – MAC addresses should be unique.
  – MAC addresses can be spoofed, but we thought unlikely with an iPhone.
• Just listen for the MAC address.

APFinder4
• We have been working on AP-Finder, and this seemed like a perfect opportunity to exercise it in the wild.
• Taking the GPS data, drove around the neighborhood looking for the MAC address.
• Remember, we are looking for the MAC address of the client, not of the Access Point.

Mac search
[figure]

The basics on wireless
• IEEE 802.11 (b) and (g)
  – 2.4 GHz
  – 11 channels in US, 14 in other places
  – 11 Mbits to 54 Mbits
• IEEE 802.11(a)
  – 5 GHz
  – 16 channels
  – 54 Mbits
• Signals can travel far, as long as you have a good receive antenna.
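The client-MAC search from the Mac address and APFinder4 slides, as an added example that is not part of the talk and not AP-Finder's code: it decodes the 802.11 header fields every frame carries in the clear (the test-time slides note that neither WEP nor WPA hides the MAC), counts probe requests from the recorded client MAC (a card searching for networks it already knows) and records which access point that client exchanged data with. The MAC addresses, gateway address and captured frames are all constructed for the example.

```python
import struct

# Constructed sample values, not from the talk: the phone's recorded Wi-Fi MAC, an AP's BSSID, a gateway.
PHONE_MAC = "00:11:22:33:44:55"
HOME_BSSID = "aa:bb:cc:dd:ee:ff"
GATEWAY = "00:00:5e:00:53:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))
def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(fc0, fc1, addr1, addr2, addr3):
    """Minimal 802.11 MAC header: frame control, duration, three addresses, sequence control."""
    return (struct.pack("<BBH", fc0, fc1, 0) + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + b"\x00\x00")

def parse_header(frame):
    """Decode header fields; these travel in the clear even on WEP/WPA networks."""
    return {
        "type": (frame[0] >> 2) & 0x3,       # 0 = management, 2 = data
        "subtype": (frame[0] >> 4) & 0xF,    # management subtype 4 = probe request
        "to_ds": frame[1] & 0x1,
        "from_ds": (frame[1] >> 1) & 0x1,
        "addr": [mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)],
    }

def client_activity(frames, target):
    """Count probe requests sent by the target client and collect the BSSIDs it exchanged data with."""
    probes, bssids = 0, set()
    for frame in frames:
        h = parse_header(frame)
        a1, a2, _ = h["addr"]
        if h["type"] == 0 and h["subtype"] == 4 and a2 == target:
            probes += 1          # client searching for networks it already knows
        elif h["type"] == 2 and h["to_ds"] and a2 == target:
            bssids.add(a1)       # ToDS data frame: address 1 is the AP (BSSID)
        elif h["type"] == 2 and h["from_ds"] and a1 == target:
            bssids.add(a2)       # FromDS data frame: address 2 is the AP (BSSID)
    return {"probe_requests": probes, "bssids": sorted(bssids)}

# Constructed capture: a probe request, one data frame each way through the AP, and an unrelated client.
SAMPLE_FRAMES = [
    build_frame(0x40, 0x00, BROADCAST, PHONE_MAC, BROADCAST),
    build_frame(0x08, 0x01, HOME_BSSID, PHONE_MAC, GATEWAY),
    build_frame(0x08, 0x02, PHONE_MAC, HOME_BSSID, GATEWAY),
    build_frame(0x08, 0x01, HOME_BSSID, "66:77:88:99:aa:bb", GATEWAY),  # another client, ignored
]
```

Running `client_activity(SAMPLE_FRAMES, PHONE_MAC)` reports one probe request and the single BSSID the phone talked through; on a real capture the same header decode is what ties a client MAC to the access point it is using.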
Network types
• “Managed” networks
  – Clients talk to an access point.
  – Very common type of network.
  – Easy to set up.
• Peer-to-peer networks
  – Computers talk to each other directly.
  – Usually more difficult to set up.

Signal strength issues
• Good for distance “estimation”
• Not good for triangulation

The theory
• Signal emanates from transmission source spherically with a specific power, say 100 mW.
• With time, the sphere gets larger

Conservation of power
• The power per unit of area gets smaller as the sphere gets larger.
$$\text{Power(received)} = \frac{\text{Power(transmit)}}{4\pi\,\text{Dist}^2}$$
• This gives us a simple formula for distance based upon signal strength.
$$\text{Dist} = \sqrt{\frac{\text{Power(transmit)}}{4\pi\,\text{Power(received)}}}$$

Signal reflection
[figure: AP, steel wall and receiver; the legend distinguishes blocked, primary and secondary signals, from strongest through medium to weakest]

Wireless conversations
• A pairing of an Access Point with a wireless client.
  – Can be viewed in realtime
  – Can be discovered “forensically”.

Probing client
[figure]
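A worked version of the conservation-of-power formula above, as an added example that is not from the talk: it converts an RSSI reading in dBm to milliwatts, applies the deck's free-space distance formula, and shows why the result is an estimate rather than a fix, since a 3 dB swing in the reading moves the estimate by a factor of about 1.4 each way. The 100 mW transmitter is the deck's own figure; the -20 dBm reading is constructed.

```python
import math

def dbm_to_mw(dbm):
    """RSSI is normally reported in dBm; the deck's formula wants linear power (mW)."""
    return 10 ** (dbm / 10.0)

def distance_estimate(p_tx_mw, p_rx_mw):
    """The deck's free-space model: Dist = sqrt(P_tx / (4 * pi * P_rx)).
    It assumes the signal spreads evenly over a sphere with nothing reflecting or
    blocking it, so the result is an estimate, not a position fix."""
    if p_tx_mw <= 0 or p_rx_mw <= 0:
        raise ValueError("powers must be positive")
    return math.sqrt(p_tx_mw / (4 * math.pi * p_rx_mw))

def distance_from_rssi(p_tx_mw, rssi_dbm):
    return distance_estimate(p_tx_mw, dbm_to_mw(rssi_dbm))

def estimate_band(p_tx_mw, rssi_dbm, fade_db=3.0):
    """(nearest, farthest) distance consistent with a reading that wanders +/- fade_db,
    which a reflection or a person standing in the path easily causes."""
    return (distance_from_rssi(p_tx_mw, rssi_dbm + fade_db),
            distance_from_rssi(p_tx_mw, rssi_dbm - fade_db))

if __name__ == "__main__":
    # Constructed reading: the deck's 100 mW transmitter heard at -20 dBm.
    print(round(distance_from_rssi(100, -20), 1))                 # 28.2
    print(tuple(round(d, 1) for d in estimate_band(100, -20)))    # (20.0, 39.8)
```

The band's far edge is twice its near edge for only 6 dB of variation, which is why the deck treats signal strength as a rough range and not as something to triangulate with.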
• House located…
• And it was not the one identified by GPS.

Result…
• Charged with fourth degree theft, and third degree computer crime.

Other options?
• Subpoena carrier for location information.
  – Would have worked. In fact, we used it to confirm the data.
  – Only useful if you have the IP address access records, which we had because the owner was running his own email server.

Access the router
• Almost all of these routers do not contain permanent disk storage.
  – Therefore, you need to access it while it is still powered.
  – The storage is volatile, so you need to move quickly.
  – For the very skilled, you can access it remotely…

Access the router
• If you can gain access, be prepared to make screen snapshots.
  – Get the DHCP/MAC table, including expiration times.
  – Get the external IP address, including the last update/expiration time.
  – Get the permanent NAT address translation information.
• Unfortunately, it is different for each vendor.

A little test
• It’s about user behavior
• Set it up and they shall come…

Forensic challenges
• What can be spoofed.
• What can be cracked.
  – WEP keys
• What can not be spoofed?
  – Power levels
• MIMO technology and implications.
• Info in wireless connector
Open Issues
• Can wireless be monitored passively?
• Can wireless be monitored legally?
• Which tools to use?
• Which tools to avoid?

Freeware Wireless Tools…
• Sniffers
  – tcpdump
  – Wireshark
• Network discovery
  – Kismet
  – NetStumbler (Windows)
• Break encryption
  – WEPCrack
  – asleap
• AP tools
  – HostAP
  – FakeAP
  – APhopper

Wireless Encryption
• If you have the key, you can listen to all the traffic on the network.
  – So, WEP/WPA give you a little privacy, but not a lot.

Some more existing tools
• MAC address changing
  – Using MacAddressChanger.exe
  – Using TMAC
• Cracking WEP keys.
  – aircrack-ptw can crack WEP in less than a minute.
• Traffic monitoring
  – Wireless sniffing
• Karma
  – Allows a user to set up their own base station on their laptop.