Interworking Evaluation of current security mechanisms and lacks in wireless and Bluetooth networks ...

Similar documents
Wireless technology Principles of Security

Wireless Terms. Uses a Chipping Sequence to Provide Reliable Higher Speed Data Communications Than FHSS

Wireless Attacks and Countermeasures

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

The following chart provides the breakdown of exam as to the weight of each section of the exam.

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Evaluation of current security mechanisms and lacks in wireless and Bluetooth networks

Chapter 24 Wireless Network Security

Wireless LAN Security (RM12/2002)

Mobile MOUSe WIRELESS TECHNOLOGY SPECIALIST ONLINE COURSE OUTLINE

Configuring Cipher Suites and WEP

Wireless Network Security

WLAN Security. Dr. Siwaruk Siwamogsatham. ThaiCERT, NECTEC

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

What is Eavedropping?

Wireless Networking Basics. Ed Crowley

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Configuring a VAP on the WAP351, WAP131, and WAP371

Wireless# Guide to Wireless Communications. Objectives

WIRELESS LOCAL AREA NETWORK SECURITY USING WPA2-PSK

WUG2690 User s Manual

Wireless LAN Security. Gabriel Clothier

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

Wireless Networks. Authors: Marius Popovici Daniel Crişan Zagham Abbas. Technical University of Cluj-Napoca Group Cluj-Napoca, 24 Nov.

Chapter 1 Describing Regulatory Compliance

LESSON 12: WI FI NETWORKS SECURITY

Wireless Technologies

Naveen Kumar. 1 Wi-Fi Technology

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Wireless Networking. Chapter The McGraw-Hill Companies, Inc. All rights reserved

WPA SECURITY (Wi-Fi Protected Access) Presentation. Douglas Cheathem (csc Spring 2007)

Appendix E Wireless Networking Basics


COPYRIGHTED MATERIAL. Contents

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Chapter 10: Wireless LAN & VLANs

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Wireless Network (In)Security

Hacking Air Wireless State of the Nation. Presented By Adam Boileau

EnGenius Quick Start Guide

Advanced Security and Mobile Networks

Securing Wireless LANs with Certificate Services

Authentication and Security: IEEE 802.1x and protocols EAP based

Product Brief: SDC-EC25N n ExpressCard Card with Integrated Antenna

Securing a Wireless LAN

OptiView Series III. Wireless Suite. Technical Datasheet. As a network manager, it s your task to. support new users, new networks, new

FAQ on Cisco Aironet Wireless Security

02/21/08 TDC Branch Offices. Headquarters SOHO. Hot Spots. Home. Wireless LAN. Customer Sites. Convention Centers. Hotel

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

A Division of Cisco Systems, Inc. GHz 2, g. Wireless-G. User Guide. PCI Adapter WIRELESS. with SpeedBooster WMP54GS (EU/UK/LA) Model No.

AmbiCom WL11-SD Wireless LAN SD Card. User Manual

Securing Wireless Networks by By Joe Klemencic Mon. Apr

bintec WLAN Controller Highlights Features Easy plug-and-play installation Automated radio cell planning easier, faster, better

Wireless Security i. Lars Strand lars (at) unik no June 2004

Wireless LAN, WLAN Security, and VPN

Funkwerk WLAN Controller

Exam Questions CWSP-205

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Assignment Project Whitepaper ITEC495-V1WW. Instructor: Wayne Smith. Jim Patterson

Configuring the Client Adapter through Windows CE.NET

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU. Mc Graw mim

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No.

INSIDE. Securing Enterprise Wireless Networks. Symantec Enterprise Security

Security. Nelli Gordon and Sean Vakili May 10 th 2011

Product Brief: SDC-PE15N n PCIe Module with Antenna Connectors

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

Configuring OfficeExtend Access Points

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Hardware Capabilities. Product Brief: SDC-PC20G g PCMCIA Card with Integrated Antenna

Wireless Network Security

Security Setup CHAPTER

User Guide Supplement Measurement Systems International

Product Brief: SDC-MCF10G g Miniature CF Module with Antenna Connectors

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Product Brief: SDC-PC22AG a/g PCMCIA Card with Integrated Antenna

11N Wireless PCI Adapter User Guide

Configuring a Basic Wireless LAN Connection

Product Brief: SDC-MSD30AG a/g Miniature SDIO Module with Antenna Connectors

802.11b+g Wireless LAN USB Adapter. User Manual

A Division of Cisco Systems, Inc. GHz g. Wireless-G. PCI Adapter with SRX 400. User Guide WIRELESS WMP54GX4. Model No.

b/g/n 1T1R Wireless USB Adapter. User s Manual

Wireless LAN Overview

Product Brief: SDC-PC10AG a/g Compact Flash Module with Antenna Connectors

How Does it Work. Presented by StarSight Team

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Family Structural Overview

11N Wireless USB Adapter User Guide

How Insecure is Wireless LAN?

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

Wireless Networking based on Chapter 15 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Wednesday, May 16, 2018

U S E R M A N U A L b/g PC CARD

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

BackTrack 5 Wireless Penetration Testing

Configuring the Client Adapter through the Windows XP Operating System

Security in IEEE Networks

Wireless-N. User Guide. USB Network Adapter WUSB300N WIRELESS. Model No.

Bluetooth. 3.3 Latest Technology in Wireless Network. What is BLUETOOTH: Bluetooth 2/17/2016

Transcription:

Interworking 2006 Evaluation of current security mechanisms and lacks in wireless and Bluetooth networks Interworking Conference, 15th - 17th of January 2007 Dr-Ing Kai-Oliver Detken Business URL: http://wwwdecoitde Private URL: http://wwwdetkennet Consultancy & Internet Technologies Foliennr: 1

Approaches Examination of both wireless technologies regarding Weakness within the design of security concepts Weakness within implementations Weakness within applications Find out the risks Record of data traffic Smuggle in of viruses Identification of clients Disturb of communications and availability Foliennr: 2 Consultancy & Internet Technologies

Wireless technologies (1): WLAN WLAN utilises spread-spectrum technology based on radio waves to enable communication between devices in a limited area This gives users the mobility to move around within a broad coverage area and still be connected to the network This technology is becoming increasingly popular, especially with the rapid emergence of small portable devices such as PDAs (personal digital assistants) Foliennr: 3 Server Access Point (AP) 1 Basic Service Set (BSS) 1 Local Area Network (LAN) Basic Service Set (BSS) 2 Extended Service Set (ESS) Client Access Point (AP) 2 Consultancy & Internet Technologies

Wireless technologies (2): WLAN standards Standard Foliennr: 4 Describtion 80211a 54 Mbps WLAN on 5-GHz-band 80211b 11 Mbps WLAN on 2,4-GHz-band 80211c Wireless bridging 80211d World mode, adaptation of region-specific regularisations 80211e Quality-of-Service (QoS) and streaming extensions for 80211a/g/h 80211f Roaming for 80211a/g/h with Inter Access Point Protocol (IAPP) 80211g 54 Mbps WLAN on 2,4-GHz-band 80211h 54 Mbps WLAN on 5-GHz-band with Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) 80211i Authentication/Encryption for 80211a/b/g/h (AES and 8021X ) Consultancy & Internet Technologies

Wireless technologies (2): Bluetooth Bluetooth is a radio standard and communications protocol primarily designed for low power consumption, with a short range The devices use a radio communications system, so they do not have to be in line of sight of each other, as long as the received transmission is powerful enough As a result of different antenna designs, transmission path attenuations, and other variables, observed ranges are variable Foliennr: 5 Up to 7 Slaves are supported from a Master within one Piconet Master controls the Piconet Slaves communicates every time via the Master Slave 2 Slave 1 Master Piconet Slave 3 Consultancy & Internet Technologies

Global target for WLAN security There are three steps to take when securing a wireless network: All wireless LAN devices need to be secured All users of the wireless network need to be educated in wireless network security All wireless networks need to be actively monitored for weaknesses and breaches Foliennr: 6 Consultancy & Internet Technologies

Basic security mechanisms MAC ID filtering: allows the administrator to only permit access to computers that have wireless functionalities which contain certain MAC IDs Static IP addresses: no automatically IP assignment function via DHCP server WEP encryption: this was the encryption standard for WLAN networks WEP provides different key sizes: 128 and 256 Bit Further security mechanisms: WiFi Protected Access (WPA), WPA2, 8021X, LEAP, PEAP, TKIP, RADIUS Foliennr: 7 Consultancy & Internet Technologies

Unauthorised access via wireless (1) Accidental association: a user turns on the computer and the last latches on to a wireless access point from a neighbouring company s overlapping network arise The user may not even be aware that this has occurred, but this information is sensible Malicious associations: describes situations in which wireless devices are used by crackers to connect to a company network via their cracking laptop instead of a company access point (AP) Ad-hoc networks can be a security threat if there has been less integrated security mechanisms Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk Foliennr: 8 Consultancy & Internet Technologies

Unauthorised access via wireless (2) MAC Spoofing occurs when a cracker is able to eavesdrop network traffic and identify the MAC address of a computer with network privileges A man-in-the-middle attack revolves around the attacker enticing computers to log into his/her computer which is set up as a rogue AP (Access Point) A denial-of-service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands Network injection attack: a cracker can make use of access points that are exposed to non-filtered network traffic The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs Foliennr: 9 Consultancy & Internet Technologies

Design weakness of WEP No key management Foliennr: 10 Static key Has to distribute manually In the most cases no changes Exits in a simple manner Compromising of the key makes the whole WLAN unsecured No user authentication and identification No central authentication and authorisation Consultancy & Internet Technologies

Design weakness of WPA Access control via 8021X + EAP method with encryption via TKIP (RC4 algorithm) Problem: Message Integrity Check (MIC) uses a leak hash algorithm WPA Personal (WPA-PSK) with pre-shared key Problem: High risk of dictionary attacks; one pre-shared key for all stations of a SSID; high administrative effort WPA Enterprise (WPA RADIUS) with dynamical keys for each packet Each user gets its own key; authentication via EAP with RADIUS WPA2 (80211i) Foliennr: 11 Encryption and integrity check by CCMP (AES encryption) CCMP has more powerful as TKIP (same key for frame encryption and integrity check) Consultancy & Internet Technologies

Recommendations regarding WLAN Authentication each other Dynamical session key and key material: EAP method should bring in the key material Message integrity: Message Integrity Check (MIC) on TKIP (WPA) and CCMP (WPA2) Central authentication and authorisation: central AAA mechanism has to identifier and authenticate user (policy-based network access) Quick re-keying: re-keying invite clients to actualise the key (eg periodically) Session-based encryption: combination of 8021X, EAP-TLS and RADIUS makes encryption data traffic possible per session and connection with dynamic keys Foliennr: 12 Consultancy & Internet Technologies

EAP method With Public Key Infrastructure (PKI) EAP-TLS can be used High effort for infrastructure Secure method if authenticator certificate will transfer on a secure way to the supplicant or check with Certification Authority (CA) Without PKI EAP-TTLS/PEAP in heterogeneous area; needs only a server certificate; it depends from the authentication EAP-TTLS is more flexible; simpler to integrate; can not fulfil higher secure requirements PEAP is secure for the most applications; less implementation effort; supports only EAP methods Suitable basis: 8021X and EAP! Foliennr: 13 Consultancy & Internet Technologies

Mixed operation of WPA and 80211i Regarding a high security level difficult to implement Encryption either with TKIP (WPA) or with AES-CCMP (WPA2) Some access points allow mixed operation of 80211i and weak approaches like WEP SSID/VLAN mapping is recommended (SSIDs divided in different areas) Foliennr: 14 Consultancy & Internet Technologies

Weakness of Bluetooth Damaging content such as viruses, worms or Trojan horses, which can be transmitted to user terminals via Bluetooth, SMS or MMS or through WAP pages Taking advantage of their vulnerability (for instance through attacks to the Bluetooth protocol or through specially deformed SMS or MMS messages) such applications can also be installed on the device Episodes of denial of service (DoS) attacks or system interruption, caused by the propagation of mal-ware or other types of attacks Unauthorised access to information using Trojan horse, spy-ware and eavesdropping attacks, etc Deletion, corruption or modification of data kept on the device Foliennr: 15 Consultancy & Internet Technologies

Main hacking methods BlueSnarf: based on the OBEX Push service, which is the type of service that is commonly used to exchange electronic business cards Easy to set in place when a cellular has Bluetooth set on visible mode, BlueSnarf allows connecting to a cellular phone and accessing the phone book and agenda without authorisation Bluejacking: Taking advantage of the IDs that devices exchange at the beginning of a connection eg when a cell phone associates to a computer - short deceitful text messages can be transmitted (eg user could be invited to dial a code) BlueBug: allows to access the AT Commands of the cellular phone a set of commands that give instructions to the cellular phone allowing the aggressor to use the phone services without the user s knowledge BlueBump: takes advantage of the vulnerability linked to the Bluetooth connection type that is always active giving the possibility to unauthorised cellular phones to continue accessing as if they were still part of the list of authorised cell phones Foliennr: 16 Consultancy & Internet Technologies

Overview about the design weakness Most of the attacks are using typical interfaces of Bluetooth Here attacks use security lacks in the implementation of the protocol stack Further attacks for Bluetooth are available, like PIN hacking, Bluesniping, spoofing, war driving, location tracking, DoS, man in the middle, repairing, brute force Foliennr: 17 Consultancy & Internet Technologies

Bluetooth recommendations (1) Be careful when downloading new software or applications from the Internet: before proceeding with the installation of new software or downloading new applications from the Internet, always verify the reliability of the source Pay attention to possible anomalies in the functioning of the device: considering that without an installed security application it is rather difficult to identify a virus, there are nonetheless situations that can alarm the user Remember to deactivate Bluetooth after use and if this is not possible, at least set the device on hidden mode This precaution ensures at least a minimal level of security since it elongates the time necessary for a potential aggression Foliennr: 18 Consultancy & Internet Technologies

Bluetooth recommendations (2) Modify the cellular phone s ID name: Many users tend to maintain the default ID name of their cell phones set by the producer which is usually associated with the specific model of the device Always update security and antivirus software: to successfully counteract attacks, all security software must be updated Software that is not updated is not useful since computer insecurity is in constant evolution and old software is not designed to face new issues Be careful when choosing PIN numbers to associate devices: too often the codes given by the manufacturer are maintained or, even worse, easily traceable information is used (birthdates for instance) Foliennr: 19 Consultancy & Internet Technologies

Conclusions regarding WLAN The WLAN community has developed new security features within 80211i (8021X and EAP) to make WLAN secure To make sure that you have a uniform authentication with EAP (EAP-TLS, PEAP, EAP-TTLS) Flexible access technology with AAA infrastructure (useful for WLAN, VPN, and LAN) Changing of authentication methods should not be effected the clients and network infrastructure Foliennr: 20 Consultancy & Internet Technologies

Conclusions regarding Bluetooth To implement a base security all relevant distant terminals should be stored within authentication tables A re-keying per PIN has to deactivated User PINs has to use more than 4 characters if the software implementation allows that (Bluetooth allows up to 16 characters in its standard) Unexpected invitations for a new authentication should be checked immediately Foliennr: 21 Consultancy & Internet Technologies

Conclusions of wireless technologies Wireless technologies had a real backlog demand regarding security mechanisms WLAN and Bluetooth technologies have enough security mechanisms available to make these techniques secure, but in most cases these mechanisms are not well tuned Additionally, many companies do not implement wireless security requirements in their common security policy for the wired network However, this is essential, because the attacks to wireless equipment will increase in the future and will reach a higher level To protect company s networks in an efficient way, the wireless environment has to be an integral part of the existing security concept with defined user and communication profiles Further developments of WLAN and Bluetooth will provide improved security mechanisms in the future Foliennr: 22 Consultancy & Internet Technologies

Thank you for your attention Questions? Foliennr: 23 DECOIT GmbH Fahrenheitstraße 9 D-28359 Bremen Germany Phone: +49-421-596064-01 Fax: +49-421-596064-09 E-Mail: detken@decoitde Consultancy & Internet Technologies

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback