Wireless Network Defensive Strategies
Jay A. Crossler
ECE 646 Analytical Project
12 Dec 2003
Topics
- Wireless Security
- Intrusion Experiment: Initial Findings
- Intrusion Experiment: Attempted Attacks
- Intrusion Experiment: Results
- WEP Vulnerabilities
- Other Tools Used
- Secure Configurations
- Recommendation Summary
Wireless has become critical
Wireless Local Area Networks are used:
- By emergency response workers after 9/11
- By police and terrorist response cells
- By government agencies to control remote security cameras
- Within the top five stock exchanges throughout the world
- To monitor critical patient status and retrieve medical records
- In over 200 wireless networks discovered while walking downtown DC and Pentagon City
Basic Wireless Configuration
Out of the box:
- Can plug and play on most networks
- Default admin password on the router
- SSID set to broadcast mode
- DHCP enabled
- No MAC or IP filters
- No WEP key enabled
Intrusion Experiment
Question: How easy is it to gain admin access to 30 local wireless networks?
Answer: Very, very easy on 28 of them.
Intrusion Experiment: Initial Findings
Step 1: Built a map of 30 local wireless systems
- Used NetStumbler on a laptop and MiniStumbler on an iPaq to locate and analyze networks and settings
Intrusion Experiment: Initial Findings (cont.)
Results:
- Level 1: 23 systems had never changed the default password or enabled any security
  - Average intrusion time: 15 minutes to gain root access
- Level 2: 5 systems had disabled SSID broadcasts and/or set a 56-bit WEP key
  - Average intrusion time: 4 hours to gain root access
- Level 3: 2 systems had either a 128-bit key or a VPN or both
  - Average intrusion time: did not achieve
Intrusion Experiment: Attempted Attacks
Step 2: Used Kismet/KisMAC and Ethereal to sniff hidden SSIDs, MAC and IP addresses
- Connected to 192.168.0.1 or the router IP
- Used the router MAC to find the device maker, or tried to connect to find the device name
- Retrieved the password from product docs on the internet
Intrusion Experiment: Attempted Attacks (cont.)
Step 3: Used Kismet/AirSnort to attempt to crack WEP keys (need about 1 GB of packets sniffed)
- Used Ethereal to sniff names, passwords, websites, email, bank codes
Intrusion Experiment: Results
Results:
- Access to 28 networks was obtained
- Access to 5 networks that owners thought were secure was obtained
- Access to 2 live networks with 128-bit security was NOT obtained (not enough packets)
- Access to a personal test network with 128-bit WEP was obtained (with a continuous packet stream)
WEP Vulnerabilities
Wireless Encryption Protocol (WEP)
- Commonly the only security used
- Susceptible to known attacks on Initialization Vectors
- Data encrypted with RC4, a stream cipher
  - Keys vulnerable to known-plaintext attacks
- CRC-32 used to check the integrity of data
  - Only a linear checksum is used: not sufficient
WEP Initialization Vectors (IV)
WEP has:
- 16 million possible IVs
- 9000 of which are weak
- A weak IV can expose one byte of the key
- 5% chance of revealing a key byte
AirSnort attack:
- Collects and sorts IVs
- Statistically analyzes possible key bytes
- Shows a tendency towards the correct byte of the key
- Needs a very large number of packets
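The two WEP slides above make three claims that are easy to check numerically: the 24-bit IV space is small enough that IVs repeat after a few thousand frames, a repeated IV under a stream cipher leaks the XOR of two plaintexts without any key material, and CRC-32 is linear, so it cannot serve as a message authentication code. The following Python is an added illustration, not code from the presentation or from AirSnort; the RC4 routine is the textbook cipher, the frame layout (IV || secret as the RC4 key, CRC-32 appended as the ICV) follows WEP, and the key, IV and messages are constructed values.

```python
import hashlib
import hmac
import math
import zlib

IV_SPACE = 2 ** 24  # WEP's 24-bit IV field: 16,777,216 values ("16 million")


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4 keystream (KSA + PRGA); WEP keys RC4 with IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: RC4(iv || secret) XOR (plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return xor(body, rc4(iv + secret, len(body)))


def p_iv_reuse(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` uniformly random IVs collide
    (birthday bound); a sequential IV counter wraps after `space` frames."""
    log_no_collision = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_collision)


def keystream_reuse_leak(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same key and IV share a keystream, so
    C1 XOR C2 == P1 XOR P2: the XOR of the plaintexts leaks with no key."""
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)
    return xor(c1, c2)[: len(p1)]


def crc32_is_linear(m1: bytes, m2: bytes) -> bool:
    """CRC-32 is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).
    Any bit change therefore has a predictable effect on the checksum."""
    zeros = bytes(len(m1))
    return zlib.crc32(xor(m1, m2)) == (
        zlib.crc32(m1) ^ zlib.crc32(m2) ^ zlib.crc32(zeros)
    )


def hmac_is_linear(key: bytes, m1: bytes, m2: bytes) -> bool:
    """The same identity fails for a keyed MAC (HMAC-SHA256 here), which is
    why later standards replaced the CRC ICV with a real MAC."""
    tag = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    return xor(tag(m1), tag(m2)) == xor(tag(xor(m1, m2)), tag(bytes(len(m1))))


if __name__ == "__main__":
    # Constructed 128-bit WEP material: 24-bit IV plus 104-bit secret.
    secret, iv = b"\x01" * 13, b"\x00\x00\x01"
    print(f"IV space: {IV_SPACE:,}")
    print(f"P(IV repeat after 5000 frames) = {p_iv_reuse(5000):.3f}")
    a, b = b"pay 100 to alice", b"pay 900 to alice"
    print("leaked P1 XOR P2:", keystream_reuse_leak(secret, iv, a, b) == xor(a, b))
    print("CRC-32 linear:", crc32_is_linear(a, b), "HMAC linear:", hmac_is_linear(b"k", a, b))
```

The birthday figure is the defender's takeaway: even with perfectly random IVs, a busy access point reuses one in roughly five thousand frames, and many cards of the period simply counted from zero on reset. Keystream reuse and CRC linearity are independent of the weak-IV statistics AirSnort exploits, so rotating keys more often does not repair the protocol; the only fix consistent with the later slides is to stop relying on WEP for confidentiality or integrity.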
Other Tools Used
- Pringles can antenna: a $10 antenna extended range to 1 km (receive) and 400 m (transmit)
- Signal strength meter: KisMAC was very useful for relocating networks
- Lego Mindstorm aiming arm: built a targeting device for relocating networks through an IR control
Security Configuration
Suggested configuration techniques:
- Realize that WEP is not secure
- Remove wireless networks from LAN devices
- Remove SSID broadcasts; rename SSIDs
- Hard-code MAC addresses and IPs into an allow-list
- Change encryption keys
- Look for rogue access points
- Change the router admin password
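Several of the suggested techniques (renaming default SSIDs, treating WEP as unprotected, MAC allow-lists, looking for rogue access points) can be checked from the same kind of site survey NetStumbler or Kismet produces. The following Python is an added example and not part of the presentation: it audits a constructed survey against a constructed inventory of authorized APs and a constructed client allow-list. The comma-separated survey layout, the inventory, the MAC addresses and the list of factory-default SSIDs are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ap:
    ssid: str
    bssid: str
    encryption: str  # constructed labels: "none", "wep" or "vpn"


# Constructed inventory of the APs the organisation actually deployed.
AUTHORIZED = {
    "00:11:22:33:44:55": Ap("corp-net", "00:11:22:33:44:55", "wep"),
    "00:11:22:33:44:66": Ap("corp-net", "00:11:22:33:44:66", "none"),
    "00:11:22:33:44:77": Ap("linksys", "00:11:22:33:44:77", "none"),
}

# Constructed allow-list of client MACs permitted to associate.
ALLOWED_CLIENTS = {"00:aa:00:aa:00:01", "00:aa:00:aa:00:02"}

# Factory SSIDs to flag; the set is an assumption, extend it per vendor.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "wireless"}

# Constructed survey: ssid,bssid,encryption (one AP per line).
SURVEY = """
corp-net,00:11:22:33:44:55,wep
corp-net,00:11:22:33:44:66,none
corp-net,AA:BB:CC:DD:EE:FF,none
linksys,00:11:22:33:44:77,none
neighbor,de:ad:be:ef:00:01,none
"""

# Constructed association log: ap_bssid,client_mac.
ASSOCIATIONS = """
00:11:22:33:44:55,00:aa:00:aa:00:01
00:11:22:33:44:55,66:77:88:99:aa:bb
00:11:22:33:44:66,00:aa:00:aa:00:02
"""


def parse_survey(text: str) -> list:
    aps = []
    for line in text.strip().splitlines():
        ssid, bssid, enc = (f.strip() for f in line.split(","))
        aps.append(Ap(ssid, bssid.lower(), enc.lower()))
    return aps


def audit(aps: list, authorized: dict = AUTHORIZED) -> list:
    """Return (bssid, finding) pairs for our own APs and for rogues that
    impersonate them; neighbours' unrelated networks are left alone."""
    our_ssids = {ap.ssid for ap in authorized.values()}
    findings = []
    for ap in aps:
        if ap.bssid not in authorized:
            if ap.ssid in our_ssids:
                findings.append((ap.bssid, "rogue AP advertising an authorized SSID"))
            continue
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append((ap.bssid, "factory-default SSID; rename it"))
        if ap.encryption == "none":
            findings.append((ap.bssid, "no encryption"))
        elif ap.encryption == "wep":
            findings.append((ap.bssid, "WEP only; treat as unprotected, put a VPN behind it"))
    return findings


def unauthorized_clients(text: str, allow_list: set = ALLOWED_CLIENTS) -> list:
    """Client MACs seen associating that are not on the allow-list."""
    seen = []
    for line in text.strip().splitlines():
        _bssid, client = (f.strip().lower() for f in line.split(","))
        if client not in allow_list and client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for bssid, finding in audit(parse_survey(SURVEY)):
        print(f"{bssid}  {finding}")
    print("clients not on allow-list:", unauthorized_clients(ASSOCIATIONS))
```

Run on the constructed data this reports the WEP-only AP, the two open APs, the factory-named AP, the unknown BSSID advertising the corporate SSID, and one client MAC outside the allow-list. The MAC allow-list and hidden SSID raise the cost of casual access but are not a substitute for encryption: a MAC seen on the air can be cloned, which is why the deck's Level III configuration adds a VPN rather than stopping at filters.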
Security Configuration
Level III configuration: Virtual Private Network
- Time: 5 hours to install
- Linux on a 486
- FreeS/WAN (www.freeswan.org)
- SSH Sentinel (SSH Tectia) (www.ssh.com)
- Enable 3DES encryption
Attacks on Reliability
1 km denial of service using a Pringles can
- Easy to mount
- Exploits Carrier Sense Multiple Access with Collision detection (CSMA/CD)
- Transmit a continuous stream of data packets
- Can be done with very low power
- Difficult to detect
- Transmit Clear To Send (CTS) and Request To Send (RTS) packets
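The slide calls this attack difficult to detect, and it is from a single client's point of view, but a monitor that watches the control-frame mix on the channel can see it: an RTS/CTS reservation storm shows up as a burst of control frames with almost no data frames behind them. The following Python is an added detection example, not from the presentation; it runs over a constructed capture in which frames are reduced to (timestamp, frame type) pairs, and the window size and thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict


def constructed_capture() -> list:
    """Constructed frame summaries (seconds, type): five seconds of normal
    traffic, then two seconds in which CTS frames crowd out data frames."""
    frames = []
    for s in range(5):  # normal: 20 data frames and 4 RTS/CTS pairs per second
        frames += [(s + i / 20, "data") for i in range(20)]
        for i in range(4):
            frames.append((s + i / 4, "rts"))
            frames.append((s + i / 4 + 0.001, "cts"))
    for s in (5, 6):  # storm: 300 CTS per second, data starved to 2 per second
        frames += [(s + i / 300, "cts") for i in range(300)]
        frames += [(s + 0.3, "data"), (s + 0.7, "data")]
    return frames


def windowed_counts(frames: list, window: float = 1.0) -> dict:
    """Count control (RTS/CTS) and data frames per time window."""
    counts = defaultdict(lambda: {"ctrl": 0, "data": 0})
    for ts, ftype in frames:
        kind = "ctrl" if ftype in ("rts", "cts") else "data"
        counts[int(ts // window)][kind] += 1
    return dict(counts)


def detect_cts_flood(frames: list, window: float = 1.0,
                     min_ctrl: int = 100, ratio: float = 5.0) -> list:
    """Windows where control frames both exceed an absolute floor and
    outnumber data frames by `ratio`; returns (window_start, ctrl, data)."""
    alerts = []
    for bucket, c in sorted(windowed_counts(frames, window).items()):
        if c["ctrl"] >= min_ctrl and c["ctrl"] >= ratio * max(c["data"], 1):
            alerts.append((bucket * window, c["ctrl"], c["data"]))
    return alerts


if __name__ == "__main__":
    for start, ctrl, data in detect_cts_flood(constructed_capture()):
        print(f"t={start:.0f}s  control frames={ctrl}  data frames={data}  -> reservation storm")
```

A CTS frame carries only a receiver address, so the detector cannot name the transmitter; locating the source is a radio problem, which is where the signal-strength meter and directional antenna from the Other Tools slide become defensive equipment. The absolute floor keeps a quiet channel with a handful of RTS/CTS exchanges from tripping the ratio test.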
Take Aways
- Wireless security is critical
- Many people never change the default router password
- It is easy to crack WEP in many routers
- It is easy to deny service to some wireless networks from 1 km away
- Simple fixes can greatly improve security