Wireless Network Security 14-814 Spring 2011 Patrick Tague Feb 8, 2011 Class #9 Link/MAC layer security
Announcements: HW #1 is due on Thursday 2/10. If anyone would like Android phones for their course project, please tell me: 1. How many do you need? Why? 2. Do you need any particular OS version? Why? 3. Do you need root access? Why? 4. Do you need 3G voice/data plans or just WiFi? Why?
Agenda: Link/MAC layer security. Functionality/duties of wireless link/MAC. Basic services provided. Vulnerabilities and threats.
Link/MAC Layer: The wireless link layer is responsible for interacting with neighboring nodes, managing point-to-point links, and interacting with the network and PHY layers. In cellular, interaction between mobile and BTS. In WLAN, interaction between terminal and AP. In MANET/WSN, interaction between nodes. Link layer has to manage: channel / link formation and management; medium access (MAC sublayer); access control (in some WLAN and cellular networks).
Link Layer Services: Neighbor discovery. Address resolution. Network access control. Channel setup / access, including sender-receiver synchronization. Medium access control. Queueing and scheduling. Close interaction with PHY: collision avoidance, carrier sensing, error correction, signaling, etc. Interaction with NET for forwarding/switching.
Threats: Essentially, every service has corresponding threats. Malicious/selfish neighbors (e.g. Sybil attackers) can affect any outcome relying on neighbor discovery. Spoofing/masquerading attacks or rogue BS/APs can affect network access control. Various misbehaviors affect medium access. Also, channel establishment and access.
Neighbor Discovery Threats: In neighbor discovery, every node learns many aspects of its local neighborhood. Also, it reveals info to nearby nodes and eavesdroppers. Any misbehavior will alter the outcome. Ex: if a node only records N nearest neighbors, a 'Sybil-like' attacker can account for several of them, subverting voting / reputation and controlling many higher-layer decision processes (e.g. routing). More on this type of attack when we talk about reputation systems and higher-layer services.
Network Access Threats: Threats to network access control include: Unauthorized access: access granted to a device that doesn't provide credentials. Unauthorized service class upgrade: higher-class service granted when only lower-class service has been authorized. Attacker spoofs or hijacks session of authorized user. Eavesdropping, packet modification or dropping. Session stealing in hand-off. Attacks based on weak crypto (e.g. WEP). Possibly more on this in Thursday's Survey.
More Access Threats: Rogue WiFi/WLAN AP. A malicious WiFi AP can copy MAC address, SSID, and other identifying traits from a target AP. If the target AP is open, traffic from nearby clients will pass through the attacker's able hands. If the target AP is security-enabled with WEP, the attacker can recover the credentials pretty quickly, making this about the same as an open AP. If the target uses stronger security, there's less that can be done, but still something...
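A defender-side check for the rogue AP described above, as an added example that is not part of the original slides: it compares beacons from a passive scan against a baseline of authorized APs and flags a copied SSID or BSSID whose other traits differ. The record layout, the baseline, and all SSIDs and BSSIDs are constructed for illustration.

```python
from collections import namedtuple

# Constructed record layout for one beacon heard in a passive scan.
Beacon = namedtuple("Beacon", "ssid bssid channel security")

# Hypothetical baseline of authorized APs: (ssid, bssid) -> expected traits.
BASELINE = {
    ("corp-wlan", "aa:bb:cc:00:00:01"): {"channel": 6, "security": "WPA2"},
    ("corp-wlan", "aa:bb:cc:00:00:02"): {"channel": 11, "security": "WPA2"},
}
KNOWN_SSIDS = {ssid for ssid, _ in BASELINE}
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2": 2, "WPA3": 3}

def check_beacon(b):
    """Findings for one beacon; an empty list means nothing contradicts the baseline."""
    expected = BASELINE.get((b.ssid, b.bssid.lower()))
    if expected is None:
        # Unlisted BSSID: only interesting if it advertises one of our SSIDs.
        return ["known SSID from unlisted BSSID"] if b.ssid in KNOWN_SSIDS else []
    findings = []
    if b.channel != expected["channel"]:
        findings.append("listed BSSID on unexpected channel")
    if SECURITY_RANK.get(b.security, -1) < SECURITY_RANK[expected["security"]]:
        findings.append("security weaker than baseline")
    return findings

def scan_report(beacons):
    """Map (bssid, channel) -> findings for every suspicious sighting in a scan."""
    report, channels = {}, {}
    for b in beacons:
        bssid = b.bssid.lower()
        channels.setdefault((b.ssid, bssid), set()).add(b.channel)
        found = check_beacon(b)
        if found:
            report[(bssid, b.channel)] = found
    # A BSSID normally beacons on one channel: two in one scan suggests a copy.
    for (ssid, bssid), seen in channels.items():
        if len(seen) > 1:
            for ch in sorted(seen):
                report.setdefault((bssid, ch), []).append("BSSID heard on several channels")
    return report

# Constructed scan: AP 1, a copy of AP 1 (open, channel 1), an unlisted BSSID, a neighbor.
SCAN = [
    Beacon("corp-wlan", "aa:bb:cc:00:00:01", 6, "WPA2"),
    Beacon("corp-wlan", "AA:BB:CC:00:00:01", 1, "OPEN"),
    Beacon("corp-wlan", "de:ad:be:ef:00:09", 6, "WPA2"),
    Beacon("cafe-guest", "11:22:33:44:55:66", 3, "OPEN"),
]
```

A copy that matches channel and security exactly passes these checks, so this covers only the imperfect clone; APs that pick their channel automatically need the baseline kept current.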
Even More Access Threats: Rogue cellular BTS. Rogue BTS have recently been demonstrated, first costing ~$100k, then ~$15k, now <$1k. Rogue station can attract nearby mobiles with higher-strength signal, but 3G devices will only connect with valid BTS-authentication, i.e. BTS needs credentials of service provider (hard!). Rogue 2G station can jam 3G signals or attract devices in an uncovered area, then no authentication is required (easy!). In this case, rogue BTS can act as MiTM with access to all link layer frames (need higher-layer protection, e.g. VPN).
MAC Misbehavior: Greedy or malicious nodes can break the rules of the MAC protocol for various reasons. We already talked about some of these. The attacks are a direct consequence of the protocol structure intended to support cooperation. 2/15 Survey: MAC-layer misbehavior.
Channel Establishment: Before a link is formed between two nodes, they have to agree on a number of channel parameters. Which time slots, frequency channels, codes to use? How do the two nodes find each other in order to make the initial agreement?
Cellular Channels: Cellular networks use a slew of dedicated control channels to set up voice/data/SMS/etc. All channel establishment decisions are made in the provider's network, not by the mobile device. [Figure, SMS delivery with the BTS: Paging (PCH); Reply (RACH, random access channel); Ch. Assign (AGCH, access grant channel); SMS delivery (SDCCH, standalone dedicated control channel).] [Figure, voice/data with the BTS: Paging (PCH); Reply (RACH, random access channel); Ch. Assign (AGCH, access grant channel); TCH Setup (SDCCH, standalone dedicated control channel); Voice/data traffic (TCH, traffic channel).]
WiFi Channels: In WiFi (and WiFi-like) systems, all channel establishment decisions are made at the AP (or at the back-end if extended service). Channel management is done on the same channels as other data transmission. No additional control channels used. Framing, control msgs.
Ad Hoc Network Channels: In a MANET / WSN environment, where are channel establishment / management decisions made? By whom? One of the fundamental vulnerabilities in ad hoc networks. Channel establishment (much like trust or key establishment) in MANETs is relatively easy to subvert, either through MiTM or masquerading attacks. Still many open problems to work on.
Cognitive Radio Channels: Cognitive radio (CR) networks present some additional challenges in channel establishment. Since there's no dedicated spectrum that's always available to CR nodes, where do they talk in order to do channel establishment? How to set up control channels? How to set up control channels that aren't in an attacker's hands? Really big open problem in CR networks...
Next time... Feb 10: Survey on wireless link security. Feb 15: Survey on MAC misbehavior. Network layer security.