Course 8 Wireless Network Security.pptx
Uploaded by FastGrowingJudgment
Sharjah Women's College
Security Princ & Practice
Course 7: Wireless Network Security
Professor Okba Kazar
Email: [email protected]/[email protected]

What is a Wireless Network?
A group of connected devices that communicate through the air by means of electromagnetic waves, such as radio waves.

History of Wireless Networking
• Wireless Local Area Networks (WLAN) have been around since 1970.
• The first model was created at the University of Hawaii by Norman Abramson. This was a star topology and connected 7 computers across 4 islands.
• Today, wireless networking is largely standardized by IEEE and their various versions of 802.11.

Types of Wireless Networks
• WPANs (Wireless Personal Area Networks) dynamically connect devices within a relatively small area and maintain random network configurations, e.g. Bluetooth, ad-hoc networks.
• WLANs (Wireless Local Area Networks) connect devices over a broader area, known as a cell. They can be found in our homes, libraries, and coffee shops, e.g. Wi-Fi, laser bridges.
• WMANs (Wireless Metropolitan Area Networks) are the connection of multiple WLANs and may span an entire city or college campus, e.g. WiMAX.
• Mobile device networks, which are used by our cell phones, e.g. GSM (2G), 3G cellular networks.

Wireless Applications
• Laptops
• Cellular phones
• Headphones
• Keyboards
• Printers
• Speakers
• Global Positioning Systems (GPS)
• Laser Bridges
• Emergency Services
• Robotics
• Biotechnology
• Nanotechnology
• Radio Frequency Identification (RFID) transponders

Wireless Networks and Security
1) What are Wireless Networks?
• A wireless network is the way that a computer is connected to a router without a physical link.
2) Why do we need them?
• Facilitates mobility: you can use lengthy wires instead, but someone might trip over them.
3) Why security?
• An attacker may hack a victim's personal computer and steal private data, or may perform illegal activities or crimes using the victim's machine and ID.
• There is also a possibility of reading wirelessly transferred data (by using sniffers).

Wireless Networks and Security
Three security approaches:
1. WEP (Wired Equivalent Privacy)
2. WPA (Wi-Fi Protected Access)
3. WPA2 (Wi-Fi Protected Access, Version 2)
WPA also has two generations named Enterprise and Personal.

WEP (Wired Equivalent Privacy)
Encryption:
o 40 / 64 bits
o 104 / 128 bits
o 24 bits are used for IV (Initialization vector)
Passphrase: Key 1-4
Each WEP key can consist of the letters "A" through "F" and the numbers "0" through "9". It should be 10 hex or 5 ASCII characters in length for 40/64-bit encryption and 26 hex or 13 ASCII characters in length for 104/128-bit encryption.

WPA/WPA2 Personal
Encryption:
o TKIP (Temporal Key Integrity Protocol)
o AES
Pre-Shared Key: A key of 8-63 characters
Key Renewal: You can choose a Key Renewal period, which instructs the device how often it should change encryption keys. The default is 3600 seconds.

Unsecured
• A wireless network with no sort of encryption algorithm applied.
• Any user can readily authenticate and access the internet.
• Packets are unencrypted and visible.
Attacks:
o ARP Spoofing - Associates the attacker's MAC address with the default gateway's IP. All traffic meant for the gateway goes through the attacker's machine first. Traffic can be passed through (passive sniff) or modified and passed (MIM).
o Firesheep - Firefox extension that decodes cookies on unsecured network. Allows log in as user for

WEP: Wired Equivalent Privacy
• Deprecated security algorithm for IEEE 802.11 networking.
• Introduced as part of the original 802.11 protocol in 1997.
• Standard 64 bit WEP uses a 40 bit key. The other 24 bits are the IV. Can also use 128/256 bit protocols.
• IV (Initialization Vector) - prepended onto packets and is based on pre-shared key.
• Such short IVs in 64 bit caused reuse of IVs with the same key, which significantly shortened key cracking times of WEP.
Attacks:

WPA: Wi-Fi Protected Access
• Released by Wi-Fi Alliance in 2004 in IEEE 802.11i standard
• Replaced the exploitable WEP encryption scheme
• Required support of TKIP protocol
• Also supported AES encryption
• Designed to be backward compatible with older hardware after firmware upgrades
• 4-Way Handshake and Group Key Handshake
"Beck-Tews Attack" – TKIP (Temporal Key Integrity Protocol) Exploit:
o PhD candidate in Germany discovered a method for injecting small packets into a network using WPA and TKIP
o Does not reveal full network key though, but can

WPA2: Wi-Fi Protected Access v2
• Released by Wi-Fi Alliance as upgrade to WPA
• Backward compatible with WPA
• Required support of TKIP and AES protocols
"Hole 196" Attack:
o Allows an already authenticated user to spoof the MAC address of the router using the Group Temporal Key (known to all clients)
o Client responds using their Pairwise Transient Key, which is unique to them, allowing the attacker to decrypt the client's packets

Why does it matter?
Unencrypted networks or exploitable encryption schemes allow hackers to:
o Steal login credentials
o Hijack browser sessions by stealing session cookies
o Spoof packets on your network
o Use your network for malicious activity (e.g. spam, DDoS)
Authorities will charge you with the crimes because it's your network.

Other Security Measures
• Enable MAC address filtering
o Prevents unauthorized computers from gaining access even if they have the correct network key
• Enable router firewall
• Change default network SSID to something obscure
• Change default router password
• Change encryption password frequently

What to do on Unsecured Wireless
• Set up a VPN tunnel to a secured machine
• Set up an SSH tunnel to a secured machine
• Force HTTPS on all possible connections
• Do not transfer sensitive information

Wrap-Up
• WEP is no longer a secure wireless method
• WPA2 with AES encryption is currently the best encryption scheme
• Enable any additional security measures supported by your router
• If on an unsecured network, use SSH or VPN tunneling to secure your data

What is RFID?
By means of a simple integrated circuit and an antenna, RFID tags can quickly and reliably identify nearly anything when scanned with an RFID reader.

Radio Frequency Identification
EASE OF USE
• The RFID solution does not require line-of-sight access to be able to read tags. Still, the tag can also include a human readable data label (2 in 1).
• Reader and tag communication are not orientation sensitive.
Three types:
1. Passive does not have a power supply.
2. Active has a power supply that powers the transmission.
3. Semi-passive has a power supply that powers the chip, but not the transmission.
SECURITY
• The tag can trigger security alarm systems if removed from its correct location.
• Automatic scanning and data logging is possible without human intervention.
• Each tag can have a unique product code like standardized.
• Each item can be individually labeled.

Wireless Network Security

Wireless Security Overview
• Concerns for wireless security are similar to those found in a wired environment
• Security requirements are the same: confidentiality, integrity, availability, authenticity, accountability
• Most significant source of risk is the underlying communications medium

Wireless Network Modes
The 802.11 wireless networks operate in two basic modes:
• Infrastructure mode
• Ad-hoc mode
IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer communication.

Infrastructure mode
• Each wireless client connects directly to a central device called Access Point (AP)
• No direct connection between wireless clients
• AP acts as a wireless hub that performs the connections and handles them between wireless clients

Wireless Network Modes
Ad-hoc mode:
• Each wireless client connects directly with each other
• No central device managing the connections
• Rapid deployment of a temporary network where no infrastructures exist (advantage in case of disaster…)
• Each node must maintain its proper authentication list

Key Factors Contributing to Risks
• Channel: broadcast communication (more susceptible to eavesdropping and jamming)
• Mobility: additional risks (later)
• Resources: advanced OS (iPhone, Android), but limited resources (memory, processing)
• Accessibility: certain devices may be left unattended

Wireless Networking Components (Facilitating points of attack)
• Wireless client: WIFI-enabled laptop/tablet, cell phone, Bluetooth device
• Access point: cell towers, WIFI hotspots, wireless routers
• Transmission medium: carries signals

Wireless Network Threats
• Accidental association
• Malicious association
• Ad hoc networks: no central point of control
• Nontraditional networks: Bluetooth, PDAs (spoofing and eavesdropping)
• Identity theft (MAC spoofing)
• Man-in-the-middle attacks
• Denial of service (DoS)
• Network injection: bogus reconfiguration cmds to routers/switches and degrade performance

Threats from Wireless Devices
• Rogue devices: signals bleed around physical walls and firewalls
• Intruders or hackers can launch attacks (DoS, identity theft)
• Associations: accidental, malicious; peer-to-peer/ad hoc.
VPN & Authentication don't help
• Bridging wireless laptops: opens back doors and exposes wired network
• Wireless phishing: can hijack users at hotspots (AirSnarf, Hotspotter, Evil Twin)
[Figure: corporate network with confidential data exposed to a neighboring WLAN (accidental association), an intruder in the parking lot, a rogue hardware AP sending beacons, a soft AP (malicious association), a barcode scanner, an ad-hoc wireless laptop and an evil twin at a hotspot]

WLAN Monitoring/IPS: Secures from Threats
• Proactively prevents exploitation of the wireless network
• Prevents authorized stations from attaching to unauthorized devices
• Prevents unauthorized devices from attaching to the network
• Surgically identifies and removes threatening rogues
• Extends wireless protection to the mobile worker
[Figure: the same corporate network with the wireless laptop connections marked secure against the neighboring WLAN, intruder, rogue hardware AP, soft AP and evil twin]

Wireless Security Measures
• Signal hiding
o Turn off SSID (Service Set IDentifier) name broadcasting
o Cryptic names
o Reduce signal strengths (place away from windows and external walls)
o Directional antennas
• Encryption (standard)

Securing Wireless Networks
• Use encryption
• Use and enable anti-virus, anti-spyware, firewall
• Turn off SSID broadcasting
• Change default identifier on router
• Change router's preset password
• Apply MAC-filtering

SSID – Service Set Identification
• Identifies a particular wireless network
• A client must set the same SSID as the one in that particular AP to join the network
• Without the SSID, the client won't be able to select and join a wireless network
• Hiding the SSID is not a security measure, because the wireless network in this case is not invisible
• It can be defeated by intruders by sniffing it from any probe signal containing it.
SSID
• A way for vendors to make more money
• It is easy to find the ID for a "hidden" network because the beacon broadcasting cannot be turned off
• Simply use a utility to show all the current networks:
o inSSIDer
o NetStumbler
o Kismet

Mobile Device Security Strategy
• Device security (next slide)
• Traffic security (e.g., SSL, VPNs)
• Barrier security (e.g., firewalls, IDS/IPS)
An SSL VPN is a type of virtual private network (VPN) that uses the Secure Sockets Layer (SSL) protocol.

Mobile Device Security
• Configure (enable) auto-lock
• Configure/enable SSL
• Enable password/PIN protection
• Configure (disable/discourage) auto-completion (for passwords)
• Enable remote wipe
• Up-to-date OS/software
• Install anti-virus software
• Encrypt sensitive data on mobile devices
• Prohibit installation of third-party apps
• Policy development followed by training

Mobile Device Security Elements
• Encrypt
• Configure based on policy
• Authenticate/access control

IEEE 802.11 Wireless LAN
• IEEE 802: a committee responsible for LANs
• IEEE 802.11: responsible for developing wireless protocols
o Many standards
• The Wi-Fi alliance: became popular with 802.11b
o Wi-Fi Protected Access (WPA, WPA2)

IEEE 802.11 Protocol Stack
• Physical layer (encode/decode signals)
• MAC layer: assembles MAC frame, disassembles frames and performs address recognition
• LLC: keeps track of frame transmission

A MAC Frame (MPDU)
MAC protocol data unit (MPDU)

IEEE 802.11 Extended Service Set
• BSS: the smallest building block
• BSSs connected via APs
• APs function as bridges
• ESS: two or more BSSs

WEP vs WPA vs WPA2
                  WEP                              WPA                               WPA2
ENCRYPTION        RC4                              RC4                               AES
KEY ROTATION      NONE                             Dynamic Session Keys              Dynamic Session Keys
KEY DISTRIBUTION  Manually typed into each device  Automatic distribution available  Automatic distribution available
AUTHENTICATION    Uses WEP key as Authentication   Can use 802.1x & EAP              Can use 802.1x & EAP

Rivest Cipher 4, or RC4, is a stream cipher created in 1987.
A stream cipher is a type of cipher that operates on data a byte at a time to encrypt that data.

Procedures to Improve Wireless Security
• Use wireless intrusion prevention system (WIPS)
• Enable WPA-PSK
• Use a good passphrase (https://grc.com/password)
• Use WPA2 where possible
• AES is more secure, use TKIP for better performance
• Change your SSID every so often
• Wireless network users should use or upgrade their network to the latest security standard released

Wireless Network Tools
MAC Spoofing
o http://aspoof.sourceforge.net/
o http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
o http://www.klcconsulting.net/smac/
WEP Cracking tools
o http://www.backtrack-linux.org/
o http://www.remote-exploit.org/articles/backtrack/index.html
o http://wepattack.sourceforge.net/
o http://wepcrack.sourceforge.net/
Wireless Analysers
o http://www.kismetwireless.net/
o http://www.netstumbler.com/

Securing Wireless Transmission
• Signal hiding (and SSID hiding)
• Reduce signal strengths
• Encryption: encrypt all wireless transmissions

Securing Access Point
• Disallow unauthorized access to the AP
• Require authentication for any access, including for devices wishing to attach themselves to the AP

Networks
• Use encryption
• Use anti-virus and anti-spyware software and a firewall
• Turn off identifier broadcasting
• Allow only specific computers to access your wireless network
• Change your router's preset password for administration
• Change the identifier on your router from the default

IEEE 802.11 Terminology

Summary
• Wireless security overview
o Wireless network threats
o Wireless security measure
• IEEE 802.11 wireless LAN overview
o Wi-Fi alliance
o IEEE 802 protocol architecture
o IEEE 802.11 network components and architectural model
o IEEE 802.11 services