
Security concerns in Wireless LAN

Guðbjarni Guðmundsson

Wireless Technologies

PAN = Personal Area Network, LAN = Local Area Network, MAN = Metropolitan Area Network, WAN = Wide Area Network

             | PAN                            | LAN                 | MAN                              | WAN
Standards    | Bluetooth                      | 802.11, HiperLAN2   | 802.11, 802.16                   | GSM, GPRS, CDMA, 1xRTT, 3G
Speed        | < 1 Mbps                       | 11 to 54 Mbps       | 11 to 100+ Mbps                  | 10 to 384 Kbps
Range        | Short                          | Medium              | Medium-Long                      | Long
Applications | Peer-to-Peer, Device-to-Device | Enterprise networks | T1 replacement, last mile access | Mobile Phones, cellular data

Momentum is Building in Wireless LANs

• Wireless LANs are an “addictive” technology

• Strong commitment to Wireless LANs by technology heavy-weights
  – Cisco, IBM, HP, Intel, Microsoft

• Embedded market is growing
  – Laptop PCs with “wireless inside”
  – Also PDAs, phones, printers, etc.

• The WLAN market is expanding from Industry-Specific Applications to broad-based applications in Universities, Homes, & Offices

WLAN Security Hierarchy

• Open Access: No Encryption, Basic Authentication (Public “Hotspots”)

• Basic Security: 40-bit or 128-bit Static WEP Encryption (Home Use)

• Enhanced Security: 802.1x, TKIP/WPA Encryption, Mutual Authentication, Scalable Key Mgmt., etc. (Business)

• Remote Access: Virtual Private Network (VPN) (Business Traveler, Telecommuter)

Wireless LAN Security Concerns: 3 Key Vulnerabilities

• Hacking into WEP

• “War Driving”

• Employees

Credit: KNTV San Jose

1. Concern for Enterprise about Wireless: Security

Source: WSJ, 2/5/01

Hacking into WEP

Papers on WEP Weaknesses

• University of California, Berkeley (Feb. 2001): Focuses on static WEP; discusses need for key management

• University of Maryland (April 2001): Focuses on authentication; identifies flaws in one vendor’s proprietary scheme

• Scott Fluhrer, Itsik Mantin, and Adi Shamir (July 2001): Focuses on inherent weaknesses in RC4; describes pragmatic attacks against RC4/WEP

* “In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from the attacks we describe…” - University of California, Berkeley report on WEP security, http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

AirSnort “Weak IV” Attack

• Initialization vector (IV) is 24-bit field that changes with each packet
• RC4 Key Scheduling Algorithm creates IV from base key
• Flaw in WEP implementation of RC4 allows creation of “weak” IVs that give insight into base key
• More packets = more weak IVs = better chance to determine base key
• To break key, hacker needs 100,000-1,000,000 packets

WEP frame: dest addr | src addr | IV | encrypted data | ICV

Bit-Flipping and Replay Attack

• Hacker intercepts WEP-encrypted packet
• Hacker flips bits in packet and recalculates ICV CRC32
• Hacker transmits to AP bit-flipped frame with known IV
• Because CRC32 is correct, AP accepts, forwards frame
• Layer 3 device rejects and sends predictable response
• AP encrypts response and sends it to hacker
• Hacker uses response to derive key (stream cipher)

plain text (message) XOR stream cipher (1234) = cipher text (XXYYZZ)

cipher text (XXYYZZ) XOR predicted plain text (message) = stream cipher (1234)
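
Why the ICV on the slide above does not stop a modified frame, as an added example that is not part of the original slides: CRC-32 is unkeyed and affine, so a change to the ciphertext can be matched by a computable change to the encrypted ICV, while a keyed MAC rejects the same change. The SHA-256 counter keystream stands in for RC4, HMAC-SHA256 stands in for a keyed integrity check, and all keys and messages are constructed sample values.

```python
import hashlib
import hmac
import zlib

def keystream(seed: bytes, n: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode); WEP itself uses RC4."""
    blocks = [hashlib.sha256(seed + bytes([i])).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP-style integrity check value: unkeyed CRC-32 of the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")

def crc_seal(seed, plaintext):
    body = plaintext + icv(plaintext)
    return xor(body, keystream(seed, len(body)))

def crc_open(seed, frame):
    body = xor(frame, keystream(seed, len(frame)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None  # None = frame rejected

def flip_bits(frame, delta):
    """XOR `delta` into the hidden plaintext and patch the ICV, using no key.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    mask = delta + xor(icv(delta), icv(bytes(len(delta))))
    return xor(frame, mask.ljust(len(frame), b"\0"))

def mac_seal(seed, mac_key, plaintext):
    ct = xor(plaintext, keystream(seed, len(plaintext)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def mac_open(seed, mac_key, frame):
    ct, tag = frame[:-32], frame[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # keyed check: the modified frame is rejected
    return xor(ct, keystream(seed, len(ct)))

# Constructed sample values, not captured traffic.
SEED, MAC_KEY = b"\x00\x00\x01" + b"demo-base-key", b"demo-mac-key"
ORIGINAL = b"PAY 0100 TO ALICE"
DELTA = xor(ORIGINAL, b"PAY 9100 TO ALICE")  # the change to apply

if __name__ == "__main__":
    print(crc_open(SEED, flip_bits(crc_seal(SEED, ORIGINAL), DELTA)))
    print(mac_open(SEED, MAC_KEY, flip_bits(mac_seal(SEED, MAC_KEY, ORIGINAL), DELTA)))
```

The CRC-protected frame opens to the altered message, while the MAC-protected frame is rejected.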

WEP hacked

• Wireless networks can therefore be vulnerable
• “Hit-and-run attacks” carried out with laptops
• Attackers can’t be traced

2. Concern for Enterprise about Wireless: Security

Source: WSJ, 2/5/01

“War Driving”

News Clip: Hackers hit the Streets

• “White Hat Hackers” search for vulnerable wireless LANs

• Over 900 companies identified in a single area

Credit: KNTV San Jose

War Driving

• Originally, WarDriving was when crackers drove around in a car equipped with wireless gear looking for unsecured wireless networks, to gain illicit access.

• Over time, the term has evolved to include harmless types who are simply looking for free internet access.

War Driving cont.

• What is needed for war driving
  – Device capable of
    • receiving 802.11b signal
    • moving around
  – Software that will log data from the device
    • NetStumbler

• Over time, you can build up a database comprised of the network name, signal strength, location, and ip/namespace in use.


Netstumbler Screenshot


consume.net

How is the situation in Iceland? (War Driving)

• Less than 1 hour's drive
  – 10 open wireless networks found
    • 2 Homes
    • 2 Schools
    • 6 Companies

• SSID ALWAYS gave an indication of who owned the network
  – Except homes (default SSID of AP)

• 50% gave IP-address via DHCP
  – Open Access

3. Concern for Enterprise about Wireless: Security

Source: WSJ, 2/5/01

Employees

Who Installs Rogue APs?—“Focus on the Frustrated Insider”

Frustrated Insider (“Jones from Accounting”): >99.9% of Rogue APs
• Employee that installs wireless AP in order to benefit from increased efficiency and convenience it offers
• Common because of wide availability of low cost APs
• Usually ignorant of AP security configuration, default configuration most common

Malicious Hacker (“James Bond”): <.1% of Rogue APs
• Penetrates physical security specifically to install a rogue AP
• Can customize AP to hide it from detection tools
• Hard to detect—more effective to prevent via 802.1X and physical security
• More likely to install LINUX box than an AP

3 Steps to Solving the Rogue AP Problem

• Step 1: Prevent
  – Physical Security (prevent unauthorized access to the bldg.)
  – Develop a company-wide WLAN Policy
  – Install an IT-sanctioned WLAN

• Step 2: Detect
  – Intermittent checking with portable wireless sniffers
    • AirMagnet, NetStumbler, Sniffer, WildPackets, etc.
  – Continuous Monitoring with WLAN management tools
  – Engage APs & Clients in the hunt

• Step 3: Eliminate
  – Locate the Rogue AP, and physically remove it
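
One way to automate the Detect step above, as an added example that is not from the original slides or from any of the tools they name: observed APs are compared against an inventory of IT-sanctioned APs, and the results are ordered by signal strength to guide the physical search in Step 3. The inventory, SSIDs, BSSIDs, default-SSID list, signal threshold and scan records are all hypothetical values constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str        # AP radio MAC address
    ssid: str
    encryption: str   # "open", "wep" or "wpa"
    signal_dbm: int   # received signal strength at the sensor

# Hypothetical inventory of IT-sanctioned APs: BSSID -> (SSID, required encryption)
SANCTIONED = {
    "00:11:22:aa:00:01": ("corp-wlan", "wpa"),
    "00:11:22:aa:00:02": ("corp-wlan", "wpa"),
}
CORP_SSIDS = {ssid for ssid, _ in SANCTIONED.values()}
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}  # assumed factory-default names
ON_PREMISES_DBM = -65  # assumed: a stronger signal means the AP is in the building

def classify(b: Beacon) -> list:
    known = SANCTIONED.get(b.bssid.lower())
    if known:
        return [] if (b.ssid, b.encryption) == known else ["sanctioned AP misconfigured"]
    findings = []
    if b.ssid in CORP_SSIDS:
        findings.append("unknown BSSID advertising a corporate SSID")
    if b.signal_dbm >= ON_PREMISES_DBM:
        findings.append("unsanctioned AP on premises")
        if b.ssid.lower() in DEFAULT_SSIDS:
            findings.append("factory-default SSID")
        if b.encryption == "open":
            findings.append("no encryption")
    return findings

def audit(scan):
    """Map BSSID -> findings, strongest signal first to guide the physical search."""
    hits = [(b, classify(b)) for b in sorted(scan, key=lambda b: -b.signal_dbm)]
    return {b.bssid: f for b, f in hits if f}

# Constructed scan results, as a sniffer or WLAN management tool might log them.
SCAN = [
    Beacon("00:11:22:aa:00:01", "corp-wlan", "wpa", -50),
    Beacon("00:11:22:aa:00:02", "corp-wlan", "wep", -55),
    Beacon("00:0c:41:bb:12:34", "linksys", "open", -48),
    Beacon("00:40:96:cc:00:09", "corp-wlan", "open", -80),
    Beacon("00:02:2d:dd:00:07", "cafe-next-door", "open", -85),
]

if __name__ == "__main__":
    print(audit(SCAN))
```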

Wireless LAN Security: Lessons

Lessons from the three vulnerabilities (“War Driving”, Hacking into WEP, Employees):

• Security must be turned on (part of the installation process)

• Employees will install WLAN equipment on their own (compromises security of your entire network)

• WEP keys can be easily broken (businesses need better security)

WLAN Security White Papers

• Wireless LAN Security & the Cisco Wireless Security Suite

• SAFE for Wireless (updated Mar. ’03)

To download these White Papers, go to: www.cisco.com/go/aironet/security