Wireless Network Security? Author: Paul Asadoorian, GCIA, GCIH Contributions by Larry Pesce, GCFA, GAWN PaulDotCom http://pauldotcom.com 1 Many are aware that wireless networks, given their open nature, are not secure. Some may take precautions, such as running WEP, using a VPN, and using the newer WPA standards. This presentation aims to raise awareness about attacks that are not easily detectible or preventible on most wireless networks today. This is not a “0day” presentation, there are no “new” attacks, merely demonstrations of existing attacks in different scenarios. In fact, the attacks presented in this paper are from research that was done as long as a year ago, with the newest “attack” being presented in early 2006. It is not the goal of this presentation to tell you not to use wireless networks, but make you aware of the risk so you can make informed decisions about your usage of wireless technology and do everything possible to protect your organization’s network infrastructure, data, and integrity of its client computers. Topics • Why wireless security is increasingly important • Wireless security misconceptions • Wireless Attacks - Detection & Prevention • Defensive Wireless Computing 2 The roadmap for this presentation will first stress the importance of wireless security today. Wireless technology is increasingly everywhere and in everything. We will then attempt to debunk some of the common wireless security misconceptions. To further stress the vulnerabilities in wireless networks three attacks will be discussed, demonstrated, and ideas for detection and prevention presented. Finally we will turn our attention to practical ways in which to *try* to secure your wireless computing environment. Warning:Wireless Network May Become Unstable 3 Just a warning (We have permission to perform attacks against the wireless network and clients and will do so in a responsible manner) Wifi Everywhere • Wifi in the home can be done for $39 • Almost all laptops come with Wifi • New standards such as MIMO (802.11n) will allow for 108Mb 4 Linksys has popularized the wireless networking at home experience by marketing cheap and easy to setup wireless hardware. In today’s market most laptop computers come with a wireless card built-in, including Apple and Wintel. This makes it easy to setup wireless in the home, all you need is a $39 device, and whamo, you are now a Wifi household. One of the drawbacks to wireless networks is speed, it is not as fast as plugging into the wire. However, new standards are looking to solve this problem by offering speeds comparible to the wired ethernet. What does this mean? In the home, there will be little incentive to run expensive cables, which means more people will migrate to wireless. The Linksys WRT54G is the swiss army knife of Wifi, you can add battery packs and all sorts of other fun stuff (some of which you will see in this presentation). A battery pack lets you take your AP where ever you want to go. Take Your AP With You! 5 We’ve estimated that you can get 3.5 hours with 8 AA batteries. Resources: http://www.ck3k.org/gal/wrt/ - “Linksys WRT54G Battery Power Guide” Wireless is in everything • More devices are using Wifi: - Cell phones - Digital cameras - Printers - PDAs - Video game controllers - Televisions - Speakers - Refrigerators 6 Wifi technology can be found in many popular consumer electronics devices that are permiating the market. You digital camera has Wifi so it can talk to your Wifi enabled printer (because I guess plugging in a cable it too much work for the average consumer). Nintendo has released Wii (W- ee), which uses Wifi controllers - Don’t forget the XBOX 360 wireless controllers! Depicted here are wireless extensions for you TV (to get a wireless HD signal or display pictures on your TV) and your refrigerator, you know, so you don’t miss your favorite show while cooking or grabbing a snack. Wireless In Cell Phones • Useful to drain battery • Imagine 802.11n on a cell phone! • Kind of a cool thing in a pinch - Best Buy - Emergency War Driving 7 Cell phones are now featuring wireless technology, allowing you to browse the web and check email wherever you can find a hotspot (we’ll discuss hotspots a little later on). This technology is useful to drain your battery, and 802.11n isn’t going to help things (in fact, I envision flames shooting out of the early models). It does come in handy: - While standing in Best Buy one day I notices that they had a bench of computers setup, most looked like customer computers being worked on by the crack team called “Geek Squad”. I also noticed that they were plugged into WRT54G devices, which also means I smelled an open Wifi network. So while waiting, impatiently, I decided to conduct an experiment. I fired up the Wifi on my phone and saw the wireless network “best buy” and “geek squad”. I connected to the “geek squad” open SSID, and bam I had an RFC1918 address. I didn’t go any further, but you can use your imagination from here. - Sometimes I get really bored on my drive home from work and I feel the need to do a war drive. I don’t always have all my war-driving gear on board, so for a quick fix I enable Wifi on my cell. I am still entertained by some of the SSIDs that I find, such as one near my house labeled “redneckheaven”. (Insert dueling banjos music here). Takes Cool Pictures Too 8 This page left intentionally “W00T”! Wifi Everywhere: FON • “Global hotspots” allow members to access open wireless networks • Most do not provide encryption • Three different access models: - linus - gates - alien • Read more at http://en.fon.com/ 9 FON is an interesting social networking concept (and I mean that in the techie networking way, and the social networking way). You can buy a wireless access point from FON for as little as $20. The catch is that once you set it up, you have to share it. The concern with FON, and other setups, is that they typically do little to secure the wireless network. This leaves you, and anyone connecting to you, vulnerable to attack. FON also uses a modified Linksys WRT54G wireless router. Wifi Everywhere: Open Hotspot • WRT54G-based Wifi Hotspot distros: - EWRT - http://www.portless.net/menu/ewrt/ - Chillispot - http://www.chillispot.org/ - Runs on OpenWRT - WifiDog - http://www.wifidog.org/ - Also runs on OpenWRT 10 There are many other open source projects which implement the “captive portal” technology to create an open wireless network. The above three also run on a WRT54G wireless router, with EWRT even having its own firmware that you install directly on the router. Chillispot and Wifidog run on OpenWRT (http://www.openwrt.org), which is a very popular, open-source, operating system designed specifically for the WRT54G platform. The basic premise is that you run an open wireless network. Once a client connects to the network they get an IP address from DHCP. When the user opens a web browser they are automatically taken to a login page no matter which web site they enter in the URL bar of the web browser. This can be accomplished in a few different ways, such as DNS cache poisoning and destination NAT’ing. [...]... and hackers are already taking an interest 30 Wireless Security Misconceptions • “Mac address filtering keeps most people out” • “WEP is better than nothing” • “I use WPA-PSK now, so I’m secure” • “VPNs will protect me” • “Nobody will find my wireless network 31 Above are what I believe to be the most common 5 wireless security misconceptions Now, some wireless security is better than none, so don’t... simple perl script makes it easy: - http://www.michiganwireless.org/tools/sirmacsalot/ http://aspoof.sourceforge.net/ (OS X tool) http://www.klcconsulting.net/smac/ (Windows Tool) 32 Attacking a wireless network that uses MAC address filtering for security is pretty easy MAC addresses of valid hosts can be observed on the network by anyone with a wireless sniffer in monitor mode Utilities to aid in the... and easy to make They can really boost signal so you can pickup your neighbors Wifi from afar For the Anti-do-ityourselfer CompUSA brand 9Dbi Antenna for Linksys WRT54G - $50 12Dbi Wireless Garden Super Cantenna Wireless Network Booster Antenna” - $50 9 Dbi Directional Indoor Antenna - $30 14 You can buy RF antennas very cheap now It was almost a year ago that I started seeing high gain antennas for... been developed “MAC address filtering keeps most people out” • Kismac is a PPC OS X application that lets you sniff wireless networks in monitor mode Kismet, is the Linux alternative • No support for OS X on Intel for Kismac! • This allows you to see the valid MAC addresses on the network • Kismac/Kismet Demo 33 Even Works in OS X • aspoof is a utility to change your MAC address in OS X - http://aspoof.sourceforge.net/... IVs), a WEP network could be cracked Fast forward to today’s tools and now we are able to inject packets into a WEP network to generate the information (IV) that we need in order to crack the key “WEP is better than nothing” • All software tools required are on a bootable Linux CD • Whax and Auditor merged to create “Backtrack” - Demo uses Auditor • Then all you need is a laptop with a wireless card... conference, and while the usefulness of the attack is under some debate, the ability to clone RFID has proven to be a security risk Sniffing RFID to gather sensative data is another attack vector Just as in wireless networks, data is transmitted for all to see DoS attacks are nuicance in any environment, especially RFID Manipulation of data in transit could be used by an attacker for a profitable gain at the... following shows debug commands executing “Engineering Mode” on PC 5220: - http://www.evdoinfo.com/Tips/PC_5220/ Sniffing_Out_New_EVDO_Towers_with_a_PC5220_20050531297/ 29 Given the insecurities in 802.11 wireless networks many have chosen to go the cellular route EVDO is one of the better technologies It has good speeds, well supported on all major platforms, and works reliably (due in large part to Verizon’s... “SSID” and “WEP” as potential security measures Nobody is safe in my neighborhood • Build your own antenna to increase wireless range • Requires tools, mechanical skills • Chili & Pringles cans are most popular - Who wants to eat an entire can of Chili anyway? http://www.turnpoint.net /wireless/ cantennahowto.html 13 Antennas are fun, cheap, and easy to make They can really boost signal so you can pickup... common 5 wireless security misconceptions Now, some wireless security is better than none, so don’t feel as though you shouldn’t use the above technologies However, be aware of the risks and plan your wireless network security strategy accordingly, balancing risk with convenience I hope to help you achieve a better balance by speaking about the risks “MAC address filtering keeps most people out” • Mac... enable these built-in security features (like SSID and WEP encryption)” - Read more at http://cox.com/takecharge/wi_fi.asp 12 We’ve all done it at one point or another, connected to someone else’s wireless network to use the Intenret (somes not even on purpose!) So why purchase your own Internet connection when you can just use someone elses? ISPs obviously have a huge problem with this, and some, as . your wireless computing environment. Warning :Wireless Network May Become Unstable 3 Just a warning (We have permission to perform attacks against the wireless. the wireless networking at home experience by marketing cheap and easy to setup wireless hardware. In today’s market most laptop computers come with a wireless