Hacking Air Wireless State of the Nation. Presented By Adam Boileau

Transcription

1 Hacking Air Wireless State of the Nation Presented By Adam Boileau

2 Introduction Wireless in dot-what? Threats to Wireless Networks Denial of Service Attacks against Authentication Attacks against the Network Traditional attacks over wireless i, The Savior Attacks Against i Building Secure Wireless Networks

3 Wireless Networking in 2006 Statistics 2005, 120m wifi chipsets shipped 64% annual growth 90% of laptops have wifi Trends Wireless is everywhere Cellular, GPS, Wifi, RFID Gradual increase of a use in response to saturation WEP gradually being replaced by WPA, WPA2 VoIP over Wireless next killer app in the bad way? Wired 802.1X, i, Endpoint security converging Security Landscape Becoming harder to break into wireless networks......but also becoming harder to deploy!

4 A whirlwind of eight oh two dot stuff a/b/g Wireless LAN standards, including WEP Not equivalent to wired privacy at all! Shonky crypto, basic mistakes 802.1X wired ethernet port security generic enough to apply to a/b/g i RSN Robust Security Network another name for WPA a/b/g + new crypto (AES) X WPA a/b/g + bits of i RC4 + Temporal Key (TKIP) X + better ICV (MIC) for legacy hardware that lacks support for WPA2 (has RC4- hardware crypto, but not AES)

5 802.soup

6 Denial of Service All wireless services are vulnerable to DoS attacks, accidental and deliberate Accidental: Other wireless networks, microwave ovens, cordless phones, AV transmitters Deliberate: Jammers, illegally powerful wireless networks, employees Countermeasures Good RF design to start with Tools to measure Layer-1 RF environment are available Business continuity the key to managing loss or degradation of wireless networks

7

8 Attacking Authentication: WEP WEP still widespread General belief still that WEP attacks are theoretical or impractical WEP cryptography totally broken Breaking WEP crypto sub 1 hour in the majority of cases Tools are sophisticated, attacks extremely practical Other powerful WEP attacks exist Chop-chop attack can read individual packets within a couple of minutes Possible to send traffic into a network without the WEP key WEP is unfit for any use whatsoever Most certainly not equivalent to wired privacy

9 Attacking the Network: Man in the Middle Attacker impersonates each party to the other Attacker pretends to be the server to the client, and the client to the server Traditionally done with DNS poisoning or ARP spoofing In wireless, can be DNS, ARP, Rogue AP even physically in the middle. Powerful technique for subverting authentication In cryptographic systems, MitM attacks the keyexchange process Only mitigation is PKI SSL certs, SSH keys, DNSSec, IPSec Insidious class of attack that can defeat all systems that do not use mutual authentication

10 Traditional Attacks over Wireless Wireless stations are mobile, transient, and vulnerable to all the classic attacks Viruses, trojans, worms, network buffer overflows, Anna_Kournikova.jpg.exe Vulnerable while at public hotspots, hotels, airports Wireless stations are part of your temporal network perimeter Moving between trust zones is a risk Attack the weakest link using wireless for the anonymity Wireless networks as a covert backchannel Classic stories of covert wireless devices being installed on corporate networks, eg. inside an xbox!

11 Traditional Attacks over Wireless Probing Client attack Wireless stations probe for their configured networks An attacker sees probes, responds by creating a network to match Attacks client via fake network Perhaps chooses network with weakest security posture The wireless station might be connected to the corporate wired network! Worst case, system is configured to route, eg. ICS Best case, an attacker has to break in first Even if you secure all your Access Points, are your client systems going to give up your secrets?

12 Useless defenses Closed/Hidden SSIDs Only hidden in beacons, not in probe responses b Shared auth Actually worse than open association, because it leaks RC4 PRGA! MAC Filtering Trivially bypassed: ip link set wlan0 address 00:de:ad:be:ef:00 Manual WEP Key rotation We change our keys once a week!, oh how cute. Pre-WPA Proprietary WEP Enhancements Generally don't address all WEP's problems Any or all of the above Still broken!

13 802.11i, the Savior? i has: potentially strong auth strong crypto replay protection (poor SACK-based QoS!) key management Does this sound like a VPN to you? Basically implements 802.1X + AES as a layer-2 specific, non-routable VPN technology Which is great! But... all the hassle of a VPN (complex client software, complex auth, PKI, user education)

14 Attacking Authentication: i/802.1X i standard delegates security to EAP Methods Different methods for password, certificate, SIM, etc. Some EAP methods are better than others Online dictionary attacks against password-based auth Enforce minimum password quality standards Offline dictionary attacks against EAP-MD5, EAP-LEAP Compound Binding Problem with EAP encapsulation Combining two secure EAP methods to produce an insecure result Loads of complexity Plenty of fruitful areas for bugs and vulnerability research Can be hard to configure correctly

15 Building Secure Wireless Networks Building wireless networks is too easy Because everyone can do it, everyone thinks they should Secure wireless networking is not easy i is complex, but so are the problems it has to solve It is possible to build secure wireless networks and it is mandated by the PCI-DSS! Combination of policy, design, education and technological enforcement Remember the CISSP triad availability is the real killer for wireless Think long and hard about VoIP over Wireless

16 Building Secure Wireless Networks WEP is not part of a secure wireless network Even with i, it's better to think of wireless networks as a remote-access technology, rather than a wired-lan-replacement technology Wireless infrastructure is part of your network perimeter Needs as much care and attention as your firewalls and routers Implement defense in depth Closed SSID, mac filtering, i with appropriate EAP method, terminating in a DMZ with firewalling, IDS, proper logs, and someone to read them! Remember Mutual Authentication! i mandates mutual authentication. Without it you have nothing.

17 Building Secure Wireless Networks Ensure policy prohibits connection of unsanctioned wireless access points Configure client machines to only associate with corporate access points Wireless IDS/IPS actually more useful than in most environments Configure to detect probing clients, Rogue APs, and provide performance metrics End-to-end VPN technology and aggressive host firewalling still required for road-warrior users i is a station-to-ap VPN only

18 Questions?