
Page 1: Deepak Gupta AirTight Networks

Wireless Vulnerabilities in the Wild: View From the Trenches

Deepak Gupta, AirTight Networks

Acknowledgement: Based on work presented by K N Gopinath at RSA 2011

Page 2: Deepak Gupta AirTight Networks

Agenda


Why care about Wireless Vulnerabilities? (Motivation)

What’s new in this talk and what are its implications?

Wireless Vulnerability Analysis (Measurements)

Threat/Vulnerability Mitigation

Page 3: Deepak Gupta AirTight Networks

Era of Wireless Consumerization

Page 4: Deepak Gupta AirTight Networks

Real Life Breaches due to Insecure Use of Wi-Fi

Marshalls store hacked via wireless

Hackers accessed TJX network & multiple servers for 18+ months

45.7 million payment credit accounts compromised

Estimated liabilities > 4.5B USD

Page 5: Deepak Gupta AirTight Networks


Are today’s enterprises secure enough to prevent the recurrence of such attacks?

Page 6: Deepak Gupta AirTight Networks

Enter War Driving

[Chart: WPA/WPA2 APs (%) seen while war driving in NY, London and Paris; RSA '07 vs RSA '08 samples; y-axis 0 to 80%]

Not all APs are WPA/WPA2.

How many of these are actually connected to my network?

Page 7: Deepak Gupta AirTight Networks

War Driving Insufficient for Enterprise Threat Classification

Our Study: every AP seen is classified as Authorized, External, or Rogue
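The distinction the slide draws (Authorized vs. Rogue vs. External) is exactly what a war-driving scan cannot make: it sees only radios, not whether a radio is plugged into your switches. The following Python is an added example, not AirTight's code, of one way a sensor back end makes that call: a sensed BSSID is Authorized if it is in inventory, Rogue if its MAC sits close to an address learned on the wired side, and External otherwise. The inventory, the switch MAC table, the observed APs and the "within 8 of the BSSID" offset heuristic are all constructed assumptions for illustration.

```python
"""Classify sensed APs as Authorized / Rogue / External (added example).

Not AirTight's code. All inputs are constructed. The BSSID-to-wired-MAC
offset heuristic is an assumption about how consumer APs number their
interfaces, not something the slides describe.
"""
from collections import Counter

# Constructed inventory of the enterprise's own AP radios (BSSIDs).
AUTHORIZED_BSSIDS = {"00:1a:1e:aa:bb:01", "00:1a:1e:aa:bb:02"}

# Constructed wired-side MAC table, e.g. pulled from switch CAM tables.
WIRED_MACS = {
    "00:1a:1e:aa:bb:01",  # authorized AP's uplink port
    "00:18:39:12:34:56",  # consumer router someone plugged into a desk port
    "00:50:56:9a:0b:0c",  # an ordinary desktop
}

# Constructed sensor observations: (BSSID, SSID, security).
OBSERVED_APS = [
    ("00:1a:1e:aa:bb:01", "CORP", "WPA2-Enterprise"),
    ("00:18:39:12:34:57", "linksys", "Open"),
    ("00:1d:7e:55:66:77", "NETGEAR", "WEP"),
    ("00:18:39:ab:cd:ef", "coffee-shop", "WPA2-PSK"),
]


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def same_oui(a, b):
    # First three octets are the vendor prefix (OUI).
    return mac_to_int(a) >> 24 == mac_to_int(b) >> 24


def on_wire(bssid, wired_macs, max_offset=8):
    """Heuristic (assumption): a consumer AP's LAN/WAN MAC usually sits within
    a few values of its radio BSSID, so a sensed BSSID close to a MAC learned
    on our switches suggests the AP is plugged into our network."""
    b = mac_to_int(bssid)
    return any(same_oui(bssid, m) and abs(mac_to_int(m) - b) <= max_offset
               for m in wired_macs)


def classify(bssid, authorized=AUTHORIZED_BSSIDS, wired_macs=WIRED_MACS):
    """Authorized: in our inventory. Rogue: unmanaged AND on our wire.
    External: a neighbour's AP (no wired path, but it can still lure clients)."""
    if bssid in authorized:
        return "Authorized"
    if on_wire(bssid, wired_macs):
        return "Rogue"
    return "External"


def summarize(observed=OBSERVED_APS, authorized=AUTHORIZED_BSSIDS, wired_macs=WIRED_MACS):
    """Return ({class: count}, [(bssid, ssid, security) of rogue APs])."""
    counts = Counter()
    rogues = []
    for bssid, ssid, sec in observed:
        cls = classify(bssid, authorized, wired_macs)
        counts[cls] += 1
        if cls == "Rogue":
            rogues.append((bssid, ssid, sec))
    return dict(counts), rogues


if __name__ == "__main__":
    counts, rogues = summarize()
    print(counts)  # {'Authorized': 1, 'Rogue': 1, 'External': 2}
    for bssid, ssid, sec in rogues:
        print(f"ROGUE {bssid} ssid={ssid!r} security={sec}")
```

Run as-is, the four sensed APs split into one Authorized, one Rogue (the open "linksys" unit whose neighbouring MAC appears on a switch port) and two External neighbours; a war-driving view would have flagged all three non-corporate APs equally. The offset heuristic is cheap but fallible (some devices number interfaces differently, and a rogue doing NAT exposes only its own LAN MAC on the wire), so production WIPS products supplement it with active wired-side tests, which are beyond this example.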

Page 8: Deepak Gupta AirTight Networks

Sensor Based Statistical Sampling: Data collected over last two years

Item                         Count
Sites/Locations              2,155
Organizations                156
Sensors                      4,501
Total Access Points          268,383
Enterprise Clients           427,308
Threat Instances Analyzed    82,681

Page 9: Deepak Gupta AirTight Networks

Enterprises Deal With a Lot of Non-Enterprise Devices

268,383 APs seen: 80,515 Authorized, 187,868 External/Unmanaged

70% of APs do NOT belong to the studied Organizations!

Similarly, about 87% of Clients are Unmanaged/External!

Page 10: Deepak Gupta AirTight Networks

Wireless Threat Space: AP Based Threats

Rogue APs

AP mis-configurations

Soft/Client Based APs

Page 11: Deepak Gupta AirTight Networks

Wireless Threat Space: Client Based Threats

Client extrusions: connections to neighbors, evil twins

Adhoc networks

Client bridging

Banned devices

Page 12: Deepak Gupta AirTight Networks

T3 (T-Cube) Parameters

Threat Presence: presence of an instance of a threat (%)

Threat Duration: window of opportunity for an attacker

Threat Frequency: likelihood of presence of a threat instance

Page 13: Deepak Gupta AirTight Networks

Real-life data & Accurate picture of Threats

How does this information help you?

Get an idea of Wi-Fi threat scenario in enterprises that may be like yours

Which wireless threats should you worry about first?

Plan your enterprise mitigation strategy

Page 14: Deepak Gupta AirTight Networks

Threat Presence (of Threat Presence / Threat Duration / Threat Frequency)

Simple (Yes/No) metric based on the presence of an instance of a threat (%)

Page 15: Deepak Gupta AirTight Networks

Results From Our Survey: Randomly Chosen Set of IT Security Professionals

[Chart: % Response by threat type: Rogue AP, Misconf. AP, Adhoc, Client Extrusion, Other]

Page 16: Deepak Gupta AirTight Networks

Overall Threat Scenario

Results Based on Our Data

[Chart: Threat occurrence (% of organizations), 0% to 100%, for Adhoc, Banned Devices, DoS, Rogue APs, Client Extrusions, Misconf. APs, Client Bridging, Soft APs]

Key Observations

-Prominent Threats: Client extrusions, Rogue APs, AP mis-configurations, Adhoc clients

Key Implications

-Organization data is potentially at risk via Wi-Fi

Page 17: Deepak Gupta AirTight Networks

Let’s Dive Deeper into Nature of Threats

Rogue APs

Client Extrusions

Adhoc Clients

Page 18: Deepak Gupta AirTight Networks

Enterprise Wireless Consumerization: Rogue APs

1,521 Rogue APs seen in our study

163 different consumer-grade OUIs (vendor MAC prefixes) seen

Page 19: Deepak Gupta AirTight Networks

Rogue AP Details

[Pie chart: Rogue AP security] Open 49%, WEP 21%, WPA(2)/PSK 29%, Unknown 1%

[Pie chart: Rogue AP SSIDs] Non-Default 89%, Default SSIDs 9%, Unknown/Blank 2%

About 1 in 10 Rogue APs have Default SSIDs. About half of Rogue APs are wide open.

Page 20: Deepak Gupta AirTight Networks

Rogue AP Details

An open Rogue AP is virtually THIS! [image]

Page 21: Deepak Gupta AirTight Networks

Client Consumerization: Client Extrusion

Clients (smartphones and laptops both) probe for these SSIDs. [image: list of probed SSIDs]

Page 22: Deepak Gupta AirTight Networks

Topic of Hot Discussion Today!

Page 23: Deepak Gupta AirTight Networks


Page 24: Deepak Gupta AirTight Networks

Client Probing For Vulnerable SSIDs: Retail/SMB Organizations

118,981 Clients: 12,002 Authorized, 106,979 Unmanaged

Probing for vulnerable SSIDs: 636 (5.3%) of Authorized clients vs 21,777 (20.4%) of Unmanaged clients

Power of accurate threat classification: 5.3% vs 20.4%

Page 25: Deepak Gupta AirTight Networks

“Known” Vulnerable SSIDs Probed For: 103 distinct SSIDs recorded

Some (8%) Authorized Clients are probing for 5 or more SSIDs
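What the two preceding slides count is visible in directed probe requests: a client that still has "attwifi" or "linksys" in its profile list keeps asking for it wherever it is. The Python below is an added example, not AirTight's code, of that measurement run over a sensor export: it parses probe-request lines, separates authorized from unmanaged clients as page 24 does, flags clients probing for any known vulnerable SSID, and reports the "5 or more SSIDs" case. The log lines, the line format, the authorized-client list and the vulnerable-SSID list are all constructed for illustration.

```python
"""Find clients probing for 'known vulnerable' SSIDs (added example).

Not AirTight's code. The probe-request log, the authorized-client list and
the vulnerable-SSID list are constructed for illustration; the log line
format is an assumed sensor export, not a real product's format.
"""
import re

# Constructed sensor export: one probe request per line.
PROBE_LOG = """\
2011-02-15T10:03:21 probe-req client=00:23:6c:11:22:33 ssid="attwifi"
2011-02-15T10:03:21 probe-req client=00:23:6c:11:22:33 ssid=""
2011-02-15T10:03:25 probe-req client=00:23:6c:11:22:33 ssid="linksys"
2011-02-15T10:03:26 probe-req client=00:23:6c:11:22:33 ssid="Free Public WiFi"
2011-02-15T10:03:30 probe-req client=00:23:6c:11:22:33 ssid="hotel-guest"
2011-02-15T10:03:31 probe-req client=00:23:6c:11:22:33 ssid="CORP"
2011-02-15T10:04:02 probe-req client=00:1e:c2:44:55:66 ssid="CORP"
2011-02-15T10:04:40 probe-req client=00:26:08:77:88:99 ssid="tmobile"
2011-02-15T10:04:41 probe-req client=00:26:08:77:88:99 ssid="default"
2011-02-15T10:05:10 probe-req client=00:1c:b3:aa:bb:cc ssid="CORP"
"""

# Constructed: the enterprise's managed clients (from asset inventory).
AUTHORIZED_CLIENTS = {"00:23:6c:11:22:33", "00:1e:c2:44:55:66", "00:1c:b3:aa:bb:cc"}

# Constructed: SSIDs known to be open hotspots or router defaults, i.e. names
# an attacker can impersonate with an evil twin and get auto-connected to.
VULNERABLE_SSIDS = {"attwifi", "linksys", "Free Public WiFi", "tmobile", "default"}

LINE_RE = re.compile(r'^(\S+) probe-req client=([0-9a-f:]{17}) ssid="(.*)"$')


def parse_probe_log(text):
    """Return [(timestamp, client, ssid)]; wildcard probes (empty SSID) are
    skipped because they reveal nothing about the client's saved profiles."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3):
            records.append(m.groups())
    return records


def assess(records, authorized=AUTHORIZED_CLIENTS, vulnerable=VULNERABLE_SSIDS, many=5):
    """Per client: SSIDs probed, which of them are vulnerable, whether the
    client is ours, and whether it carries 'many' profiles (the 5+ SSID case)."""
    probed = {}
    for _, client, ssid in records:
        probed.setdefault(client, set()).add(ssid)
    return {
        c: {
            "ssids": sorted(s),
            "vulnerable": sorted(s & vulnerable),
            "authorized": c in authorized,
            "many_profiles": len(s) >= many,
        }
        for c, s in probed.items()
    }


def summarize(assessment):
    """Separate authorized from unmanaged clients, as the slides do: only the
    authorized share is the enterprise's own extrusion exposure."""
    out = {}
    for label, ours in (("authorized", True), ("unmanaged", False)):
        group = [a for a in assessment.values() if a["authorized"] == ours]
        risky = [a for a in group if a["vulnerable"]]
        out[label] = {
            "clients": len(group),
            "probing_vulnerable": len(risky),
            "pct": round(100.0 * len(risky) / len(group), 1) if group else 0.0,
        }
    out["many_profiles"] = sorted(c for c, a in assessment.items() if a["many_profiles"])
    return out


if __name__ == "__main__":
    print(summarize(assess(parse_probe_log(PROBE_LOG))))
```

On the constructed sample one of three authorized clients (33.3%) and the single unmanaged client (100%) probe for vulnerable names, and the first client is also the one carrying five profiles. Counting unmanaged and authorized clients together would overstate the enterprise's own exposure, which is the 5.3% vs 20.4% point on page 24. Current client operating systems send far fewer directed probes and randomize their MACs, so the same measurement on a modern fleet yields lower and noisier numbers than the 2011 data.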

Page 26: Deepak Gupta AirTight Networks

Adhoc Authorized Clients!

565 distinct Adhoc SSIDs found, about half of them vulnerable; 15% of these are default SSIDs.

26,443 (7%) clients in adhoc mode.

Page 27: Deepak Gupta AirTight Networks

So What? Illustrative Exploit via Client Extrusion

VIDEO DEMO: Smartpot MITM Attack

Smartphone as an Attacker: App1: Mobile Hotspot; App2: SSLStrip Attack Tool

Page 28: Deepak Gupta AirTight Networks

VIDEO DEMO: Smartpot MITM Attack


Page 29: Deepak Gupta AirTight Networks

Threat Duration (of Threat Presence / Threat Duration / Threat Frequency)

How long (time interval) is a threat active before removal?

Page 30: Deepak Gupta AirTight Networks

AP Threats live "longer" than Client Threats: 15% of client threats & 30% of AP threats live for > 1 hr

[Histogram: % threat instances with given threat duration (10 Min, 30 Min, 1 Hr, 6 Hr, 12 Hr, 12 Hr+), x-axis 0% to 70%; series AP Misconf., Rogue AP, Client Extrusion, Adhoc networks; indicates that AP threats live longer]

Some AP based threats are active for a day or more!

Data from SMB/Retail (PCI) Segment

Page 31: Deepak Gupta AirTight Networks

Threat Frequency (of Threat Presence / Threat Duration / Threat Frequency)

Threat instances per Sensor per month

Page 32: Deepak Gupta AirTight Networks

Threat Frequency

Large Enterprise Segment: Threats Per Month Per Sensor (approx. 10,000 sq feet area)

[Chart: threat frequency by threat category, y-axis 0 to 14; data labels read Rogue AP 1, Misconfigured AP 8, Client Extrusion 13]

Bigger your organization, higher the likelihood of finding the threats
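Pages 12, 14, 29 and 31 define the three T3 metrics in prose; the Python below, an added example that is not AirTight's code, computes them from a list of threat instances so the definitions are concrete: presence as a yes/no per organization, duration as a histogram over the buckets used on page 30 plus the "> 1 hr" share, and frequency as instances per sensor per month. The organizations, sensors, two-month observation window and eight threat instances are constructed.

```python
"""Compute the T3 metrics (threat presence, duration, frequency) from threat
instance records (added example, not AirTight's code). The records, orgs,
sensors and observation window are constructed; the duration buckets are
the ones used on the duration slide.
"""
from collections import Counter
from datetime import datetime, timedelta


def _t(hours, minutes=0):
    # Constructed timestamps relative to an arbitrary start.
    return datetime(2011, 2, 1, 9, 0) + timedelta(hours=hours, minutes=minutes)


ORGS = {"orgA", "orgB", "orgC", "orgD"}
SENSORS = {"s1", "s2", "s3"}
OBSERVATION_MONTHS = 2

# Constructed instances: (org, sensor, category, first seen, removed/last seen).
THREATS = [
    ("orgA", "s1", "Rogue AP", _t(0), _t(25)),  # left plugged in for a day+
    ("orgB", "s2", "Rogue AP", _t(1), _t(1, 45)),
    ("orgA", "s1", "Rogue AP", _t(2), _t(2, 5)),
    ("orgA", "s1", "Client Extrusion", _t(3), _t(3, 3)),
    ("orgC", "s3", "Client Extrusion", _t(4), _t(4, 20)),
    ("orgB", "s2", "Client Extrusion", _t(5), _t(5, 8)),
    ("orgA", "s1", "Client Extrusion", _t(6), _t(8)),
    ("orgD", "s3", "Adhoc", _t(7), _t(7, 15)),
]

# Upper bound in minutes of each bucket; anything longer is 12 Hr+.
BUCKETS = [("10 Min", 10), ("30 Min", 30), ("1 Hr", 60), ("6 Hr", 360), ("12 Hr", 720)]
LAST_BUCKET = "12 Hr+"


def _minutes(threats, category):
    return [(end - start).total_seconds() / 60
            for _, _, cat, start, end in threats if cat == category]


def presence(threats, category, orgs=ORGS):
    """Threat presence: % of organizations with at least one instance."""
    seen = {org for org, _, cat, _, _ in threats if cat == category}
    return round(100.0 * len(seen & orgs) / len(orgs), 1)


def bucket(minutes):
    for label, limit in BUCKETS:
        if minutes <= limit:
            return label
    return LAST_BUCKET


def duration_histogram(threats, category):
    """Threat duration: % of the category's instances per duration bucket."""
    mins = _minutes(threats, category)
    counts = Counter(bucket(m) for m in mins)
    labels = [label for label, _ in BUCKETS] + [LAST_BUCKET]
    return {l: (round(100.0 * counts[l] / len(mins), 1) if mins else 0.0) for l in labels}


def share_longer_than(threats, category, minutes=60):
    """% of instances still active after `minutes` (the '> 1 hr' figure)."""
    mins = _minutes(threats, category)
    return round(100.0 * sum(1 for m in mins if m > minutes) / len(mins), 1) if mins else 0.0


def frequency(threats, category, sensors=SENSORS, months=OBSERVATION_MONTHS):
    """Threat frequency: instances per sensor per month."""
    n = sum(1 for _, _, cat, _, _ in threats if cat == category)
    return round(n / (len(sensors) * months), 2)


if __name__ == "__main__":
    for cat in ("Rogue AP", "Client Extrusion", "Adhoc"):
        print(cat, "presence", presence(THREATS, cat), "% orgs;",
              "frequency", frequency(THREATS, cat), "/sensor/month;",
              ">1h", share_longer_than(THREATS, cat), "%")
        print("   ", duration_histogram(THREATS, cat))
```

On the constructed data Rogue APs are present in 50% of organizations, one of the three rogue instances lives past 12 hours, and client extrusions occur at 0.67 per sensor per month versus 0.5 for rogue APs, which is the shape of the real results on pages 30 and 32: fewer AP threats, but longer lived.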

Page 33: Deepak Gupta AirTight Networks

Key Takeaways Summarized

Wireless threats due to unmanaged devices are present; the enterprise wireless environment is influenced by consumerization

Certain threats are more common than others: Client extrusions, Rogue APs, AP mis-configurations, Adhoc clients

Common threats affect large enterprise and SMB organizations

Wireless threats persist regardless of sophistication of wired network security

Page 34: Deepak Gupta AirTight Networks


Threat Mitigation

Page 35: Deepak Gupta AirTight Networks

Let’s Ban Wi-Fi!

Page 36: Deepak Gupta AirTight Networks

Use WPA2 For Your Authorized WLAN!

But, WPA2 does not protect against threats due to unmanaged devices

Page 37: Deepak Gupta AirTight Networks

Threat Mitigation

Intrusions (AP Based Threats)

Wire side controls as a first line of defense (e.g., 802.1X port control)

Wireless IPS to automatically detect & block intrusions

Extrusions (Client Based Threats)

Educate users: clean up profiles, use VPNs & connect only to secure Wi-Fi

Deploy end point agents to automatically block connections to insecure Wi-Fi

Wireless IPS to automatically detect & block extrusions in enterprise perimeter

Regular wireless scans to understand your security posture- Cloud based solutions are available to automate wireless scans

Defense-In-Depth Mitigation

Page 38: Deepak Gupta AirTight Networks

Apply Slide: Recommended Best Practices

Self Assessment Test: scan your network to find out how vulnerable you are. Good chance that you will find a Rogue AP, higher chance that you will find client extrusion.

Follow best practices: educate your users to connect to secure Wi-Fi; use VPN for remote connections; clean up the connection profiles of Wi-Fi clients periodically; deploy end point agents to automate some of the above.

Adopt a "defense in depth" security approach: employ wire side defenses against Rogue APs (first line of defense); regularly scan your wireless perimeter; if risk assessment is high and/or you store super sensitive data, threat containment via wireless IPS should be considered.
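"Clean up the connection profiles of Wi-Fi clients periodically" and "deploy end point agents to automate some of the above" are one task. The Python below is an added example, not AirTight's code, of what such an agent does on a Windows client: read each saved profile as `netsh wlan show profile name=...` prints it, flag profiles for open or WEP networks, note whether they auto-connect, and emit the matching `netsh wlan delete profile` commands. The four profile dumps are constructed to mimic that command's output; the parsed field names (Name, Connection mode, Authentication, Cipher) are the ones netsh prints.

```python
"""Audit saved Windows Wi-Fi profiles for open/WEP networks (added example,
not AirTight's code). PROFILE_DUMPS is constructed to mimic the output of
`netsh wlan show profile name="<profile>"`; on a real client you would
feed in the command's actual output.
"""
import re
import subprocess

# Constructed: what `netsh wlan show profile name=...` printed per profile.
PROFILE_DUMPS = {
    "CORP": """\
Profile CORP on interface Wi-Fi:
    Name                   : CORP
    Control options        :
        Connection mode    : Connect automatically
Security settings
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
""",
    "Free Public WiFi": """\
Profile Free Public WiFi on interface Wi-Fi:
    Name                   : Free Public WiFi
    Control options        :
        Connection mode    : Connect automatically
Security settings
    Authentication         : Open
    Cipher                 : None
""",
    "hotel-wifi": """\
Profile hotel-wifi on interface Wi-Fi:
    Name                   : hotel-wifi
    Control options        :
        Connection mode    : Connect manually
Security settings
    Authentication         : Open
    Cipher                 : WEP
""",
    "home-net": """\
Profile home-net on interface Wi-Fi:
    Name                   : home-net
    Control options        :
        Connection mode    : Connect manually
Security settings
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
""",
}

FIELD_RE = re.compile(r"^\s*(Name|Connection mode|Authentication|Cipher)\s*:\s*(.*?)\s*$")


def parse_profile(dump):
    """Return {field: value}; netsh may print Authentication/Cipher twice,
    keep the first occurrence."""
    fields = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def weakness(fields):
    """'open' for no encryption, 'WEP' for WEP, None for anything stronger.
    WEP networks show Authentication Open/Shared with Cipher WEP, so the
    cipher, not the authentication line, is the reliable signal."""
    cipher = fields.get("Cipher", "")
    if cipher == "None":
        return "open"
    if cipher == "WEP":
        return "WEP"
    return None


def audit(dumps=PROFILE_DUMPS):
    """List (profile, weakness, auto_connect) for every profile that should go.
    Auto-connect profiles are the dangerous ones: an evil twin with that SSID
    gets the client without any user action."""
    findings = []
    for name, dump in dumps.items():
        fields = parse_profile(dump)
        weak = weakness(fields)
        if weak:
            findings.append((name, weak, fields.get("Connection mode") == "Connect automatically"))
    return findings


def delete_commands(findings):
    return [f'netsh wlan delete profile name="{name}"' for name, _, _ in findings]


def apply(findings):
    # Real deletion; only meaningful on a Windows host in an elevated shell.
    for name, _, _ in findings:
        subprocess.run(["netsh", "wlan", "delete", "profile", f"name={name}"], check=True)


if __name__ == "__main__":
    found = audit()
    for name, weak, auto in found:
        print(f"{name!r}: {weak} network, auto-connect={auto}")
    print("\n".join(delete_commands(found)))  # run these (or apply()) on the client
```

Of the four profiles, the open auto-connect "Free Public WiFi" is the one an evil twin exploits with no user action; the WEP hotel profile is flagged too, while the WPA2 profiles are left alone. apply() performs the deletion through subprocess and only makes sense on a Windows host with an elevated shell; the offline run just lists the commands.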

Page 39: Deepak Gupta AirTight Networks

Apply Slide: Recommended Best Practices

Go Wi-Fi, But, The Safe Way!

Page 40: Deepak Gupta AirTight Networks


Questions?

Thank You! [email protected]

Page 41: Deepak Gupta AirTight Networks

A1: Location/Site Wise Distribution

[Chart: Location wise distribution, threat occurrence (% of locations), 0% to 50%, for Rogue APs, Adhoc, Soft APs, Banned Devices, Client Extrusions, Client Bridging, DoS, Misconf. APs]

Key Observations

Prominent threats are distributed across multiple sites.

Key Implications

You need an ability to monitor the entire organization, not just 1 or 2 sites

Page 42: Deepak Gupta AirTight Networks

A2: Enterprise Vs PCI (SMB/Retail)

[Chart, Enterprise: threat occurrence (% of organizations) for Rogue APs, DoS, Client Extrusions, Adhoc, Misconf. APs, Banned Devices, Client Bridging, Soft APs]

[Chart, PCI (SMB/Retail): threat occurrence (% of organizations) for Rogue APs, Misconf. APs, Soft APs, Adhoc, Banned Devices, Client Bridging, Client Extrusions, DoS]

Key Observations

Similar pattern with respect to prominent threats

Some difference w.r.t. other threats: increased adhoc connections in PCI

Page 43: Deepak Gupta AirTight Networks

A3: North America, Asia (Overall Threat Occurrence)

[Chart, North America: threat occurrence (% of organizations) for Adhoc, DoS, Soft APs, Banned Devices, Client Bridging, Misconf. APs, Rogue APs, Client Extrusions]

[Chart, Asia: threat occurrence (% of organizations) for Adhoc, DoS, Soft APs, Banned Devices, Client Bridging, Misconf. APs, Rogue APs, Client Extrusions]