					             The point of Wireless security...
     Protecting yourself from the bad guys...
                              Open networks
                                  Conclusion
                                Bibliography




             Wireless Security Myth Busting
                What is wrong about Wi-fi security ?


                                Cédric BLANCHER


cedric.blancher@eads.net                                        sid@rstack.org
  EADS Innovation Works                                           Rstack Team
    EADS/IW/SE/CS                                           http://sid.rstack.org/


                       SecurityOpus, San Francisco
                           2007 March 19-21
                      http://securityopus.com/

                         Cédric BLANCHER         Wireless Security Myth Busting


$ whoami


  Research engineer at EADS Innovation Works, running the IT Security
  Lab in France
  Member of Rstack Team, French Honeynet Project and casual
  author for the French IT security magazine MISC
  Interests
      Network & wireless security
      GNU/Linux in particular and free software in general
      Conferencing ;)
  My website : http://sid.rstack.org/




Agenda

  1   The point of Wireless security...
  2   Protecting yourself from the bad guys...
        Wired Equivalent Privacy
        Wi-Fi Protected Access
        802.11i and WPA2
        Other features...
  3   Open networks
       Infrastructure perspective
       Client side...
  4   Conclusion
  5   Bibliography



Wireless security...



  People care about Wi-Fi[IEEE99] security, but often misunderstand
  the real issues
      Open wireless networks don’t scare anyone
      Security schemes are not trusted

  People feel safe when exposed and vulnerable when safe ?!






What is Wi-Fi security about ?


  Wireless security is about perimeter control.
      You can’t control the signal unless you use a Faraday cage
      You can’t prevent signal eavesdropping
      You can’t prevent people from emitting signal
      You can’t prevent people from jamming your network

  Wireless security is a tough challenge...






What is Wi-Fi security for ?


  What’s the goal of Wireless security ?
       A : protecting the wireless workstation
       B : preventing users from spying each other
       C : ethernet wire security level

  Answer :
  C : provide wired equivalent security...

  Nothing else, nothing more !






Some protections out there


  You can choose one of the three available security protocols :
      WEP
      WPA
      WPA2
  Additional features :
      MAC address filtering
      SSID cloaking
      Station isolation





How weak is WEP ?


  How much time do you need to break WEP ?
      A : few seconds
      B : few minutes
      C : few hours
      D : few days

  Answer :
  It depends... On what you mean by cracking WEP !






Have a look at WEP...

  [Figure: WEP encryption. A 24-bit IV is prepended to the 40-bit or 104-bit
  WEP key to form the 64-bit or 128-bit RC4 key; the RC4 PRGA output is XORed
  with the cleartext message followed by its ICV (CRC32) to give the ciphered
  message, which is sent after the 802.11 header (the header carries the IV).]

    RC4 cipher
    Auth with RC4
    CRC32 ICV
    Fixed key plus 24bits IV

  WEP maths (C is the cleartext message, P the ciphered message, || denotes concatenation) :
  $P = (C \,\|\, \mathrm{ICV}(C)) \oplus \mathrm{RC4}(IV \,\|\, K)$
  $C \,\|\, \mathrm{ICV}(C) = P \oplus \mathrm{RC4}(IV \,\|\, K)$



WEP weaknesses



  Main weaknesses leading to attacks :
      RC4 keystream reuse[WAL00]
      Access Point handling of WEP
      Weak IVs attack[RW95]
  Each of them, or a combination of them, leads to different effects
  against WEP[BLA06a]






RC4 keystream reuse

  Cleartext attacks allow one to grab parts of the RC4(IV || K) factor
      WEP authentication bypass[ASW01]
      Arbitrary traffic injection
      Opportunistic decryption
      Full decryption through IV/RC4 tables
  This is quite bad from a cryptographic perspective, but wasn’t
  enough to discourage vendors...
  ETA :
      Simple keystream grab : immediate
      Full table : few days, record is 17h
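The WEP construction from the "Have a look at WEP..." slide and the keystream reuse it leads to, walked through in Python as an added example (not the presentation's own code). RC4 and the WEP framing are implemented as the slides describe them; the key, IVs and frame contents are constructed for the demo.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA), then PRGA for `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(cleartext: bytes) -> bytes:
    """WEP integrity check value: CRC32 of the cleartext, little-endian."""
    return struct.pack("<I", zlib.crc32(cleartext) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, cleartext: bytes) -> bytes:
    """P = (C || ICV(C)) xor RC4(IV || K).  Returns IV || P, the part of the
    frame that goes over the air (802.11 header and key-index byte omitted)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40-bit or 104-bit key")
    body = cleartext + icv(cleartext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """C || ICV(C) = P xor RC4(IV || K); the receiver recomputes and checks the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    cleartext, tag = plain[:-4], plain[-4:]
    if tag != icv(cleartext):
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return cleartext


def recover_keystream(frame: bytes, known_cleartext: bytes) -> bytes:
    """Keystream reuse, step 1: knowing one frame's cleartext gives
    len(C) + 4 bytes of RC4(IV || K) for that IV (the ICV is a function of C,
    so it is known as well).  No key material is needed."""
    return xor(frame[3:], known_cleartext + icv(known_cleartext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Keystream reuse, step 2: every other frame under the same IV is XORed
    with the same RC4(IV || K), so the grabbed keystream reads it directly
    (up to the number of keystream bytes known)."""
    body = frame[3:]
    n = min(len(body), len(keystream))
    return xor(body[:n], keystream[:n])


def demo() -> dict:
    """The slide's claim on constructed data: two frames, one IV, and no key
    on the observer's side."""
    key = bytes.fromhex("0badc0ffee")       # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")            # constructed 24-bit IV
    clear_a = b"known cleartext frame A"    # e.g. a predictable protocol header
    clear_b = b"secret cleartext frame B"
    frame_a = wep_encrypt(key, iv, clear_a)
    frame_b = wep_encrypt(key, iv, clear_b)                # same IV: the flaw
    frame_c = wep_encrypt(key, b"\xa1\xb2\xc4", clear_b)   # different IV
    ks = recover_keystream(frame_a, clear_a)               # 27 keystream bytes
    leaked = decrypt_with_keystream(frame_b, ks)
    unrelated = decrypt_with_keystream(frame_c, ks)
    return {
        "roundtrip_ok": wep_decrypt(key, frame_a) == clear_a,
        "keystream_bytes": len(ks),
        "same_iv_leaks_cleartext": leaked.startswith(clear_b),
        "other_iv_leaks_cleartext": unrelated.startswith(clear_b),
    }
```

With only 2^24 IVs and no rule forcing them to be unique, the same-IV case in `demo` is what a busy WEP network produces on its own.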




Access Point handling of WEP

  The AP needs to decrypt and check every single frame it handles,
  leading to oracle attacks such as Chopchop[KO04b]
      Capture a frame on the network
      Wipe the last data byte
      Compensate the ICV under an assumption on the last byte value
  Send each of the 256 possible frames and see which one gets through
  the AP to learn the last byte value. Iterate until the frame is completely
  decrypted.
  ETA :
      Decrypting one frame : 15 seconds to a few minutes




Weak IVs attack

  The weak IVs attack is based on Fluhrer, Mantin and Shamir's work and
  Korek's optimizations[FMS01][KO04a]
      Mathematical, deterministic attack
      Effort is linear in key length
      Needs a fairly big amount of traffic
  This attack's limiting factor is traffic sniffing...
  ETA :
      Traffic gathering : few hours to ages...
      Key cracking : few seconds





Combination of attacks
Fragmentation attack

   Combination of keystream reuse and AP handling of WEP
   frames[BIT05][BIT06]




   ETA :
      Keystream expansion : few seconds


Combination of attacks
Aircrack(-ng) tools



   Aircrack(-ng)[AIRC][ACNG] relies on traffic replay and FMS attack

         aireplay(-ng) replays ARP requests to boost traffic generation
         airodump(-ng) captures traffic
         aircrack(-ng) cracks the key

   ETA :
      Traffic gathering : few minutes to one hour
      Key cracking : few seconds





What do you think of WPA ?


  Is WPA secure ?
      A : Yes
      B : No, because it still uses RC4
      C : No, I read there’s a flaw in WPA authentication
      D : No, in addition to C, authentication is non-mutual !

  Answer :
  A : Properly deployed, WPA is secure, sorry.






What is WPA ?



  WPA[WPA] is a recommendation by the Wi-Fi Alliance to fill the gap
  between WEP and 802.11i
      PSK or 802.1x[IEEE04a] based authentication
      Brand new key scheduling algorithm, TKIP
      Brand new MIC, Michael






What’s up with WPA authentication, then ?
  When using PSK, the passphrase has to be difficult to crack[MOS03]
      Compromised PSK leads to unauthorized access
      Compromised PSK leads to eavesdropping

  PSK attack efficiency
  Brute force or dictionary attack : a few thousand keys/sec

  When using 802.1x, choose your method wisely
      PEAP
      EAP-TLS
  WPA authentications
  In both cases, authentication is completely mutual
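An added example (not from the slides) showing why PSK guessing is limited to a few thousand keys per second and why the passphrase matters: 802.11i derives the PMK from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, so every candidate costs 8192 HMAC-SHA1 computations and any precomputation is tied to one SSID. The 3000 keys/sec figure is an assumed illustration of the slide's "few thousand"; the "password"/"IEEE" test vector is the one published in IEEE 802.11i Annex H.

```python
import hashlib
import time

# IEEE 802.11i: PSK (used as PMK in WPA-PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32      # 256-bit key
SHA1_LEN = 20     # one HMAC-SHA1 output block

# Assumed rate for the estimate below, standing in for the slide's "few thousand keys/sec"
ASSUMED_KEYS_PER_SEC = 3000


def check_passphrase(passphrase: str) -> None:
    """Enforce the 802.11i passphrase format: 8 to 63 printable ASCII characters.

    (A 64-hex-digit PSK is the raw key itself and does not go through PBKDF2.)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as a supplicant or AP does."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),        # the SSID is the salt: same passphrase, other SSID -> other PMK
        PBKDF2_ITERATIONS,
        dklen=PMK_LEN,
    )


def hmac_calls_per_candidate() -> int:
    """HMAC-SHA1 invocations per guessed passphrase: 2 output blocks x 4096 iterations."""
    blocks = -(-PMK_LEN // SHA1_LEN)    # ceil(32 / 20) = 2
    return blocks * PBKDF2_ITERATIONS   # 8192


def measure_derivations_per_sec(ssid: str, seconds: float = 0.3) -> float:
    """Rough single-core PMK derivation rate on this host; this bounds any dictionary attack."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk(f"candidate{count:08d}", ssid)
        count += 1
    return count / (time.perf_counter() - start)


def seconds_to_exhaust(dictionary_size: int, keys_per_sec: float = ASSUMED_KEYS_PER_SEC) -> float:
    """Worst-case time to try every entry of a wordlist of the given size at the given rate."""
    return dictionary_size / keys_per_sec


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: different PMK, so tables must be built per SSID
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "IEEE-guest"))
    print(f"{hmac_calls_per_candidate()} HMAC-SHA1 calls per candidate")
    print(f"~{measure_derivations_per_sec('IEEE'):.0f} derivations/sec on this machine")
    days = seconds_to_exhaust(10**9) / 86400
    print(f"1e9-word list at {ASSUMED_KEYS_PER_SEC}/s: about {days:.0f} days")
```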

Agenda

  1   The point of Wireless security...
  2   Protecting yourself from the bad guys...
        Wired Equivalent Privacy
        Wi-Fi Protected Access
        802.11i and WPA2
        Other features...
  3   Open networks
       Infrastructure perspective
       Client side...
  4   Conclusion
  5   Bibliography

Have you heard of WPA2 ?


  What is WPA2[WPA2] ?
      A : Replacement of WEP by AES
      B : WPA with AES
      C : Something definitely new
      D : Something that rocks !

  Answer :
  None of them...




OK, what is WPA2 then ?

  WPA2 is a Wi-Fi Alliance recommendation based on IEEE
  802.11i[IEEE04b]
      PSK or 802.1x based authentication
      Encryption using TKIP+RC4 or AES CCMP
      Integrity using Michael or AES CCMP

  Hey wait ! AES was not in WPA
  Right, I lied ;) You can use AES CCMP on WPA...

  OK, then what’s the difference ?
  Very few things, mainly RSN, roaming and ad hoc support


If WPA2 is better than WPA, why doesn’t it rock ?


  They’re both secure, but subject to the same flaws :
      PSK authentication needs a strong passphrase
      Management traffic is not protected
      Physical DoS can’t be prevented

  That said...
  WPA/WPA2 is effective, but only protects the wireless segment at
  layer 2...




WPA2 availability
What do you think ?




   WPA2 isn’t available on :
        A : Linux
        B : Windows
        C : FreeBSD
        D : OpenBSD

   Answer :
   D : OpenBSD... Ouch...




WPA2 availability
The situation

   Here is the situation
       Windows 9x/Me/2k with a third party supplicant
       Windows XP SP2 with patch
       MacOS X since 10.4
       Most Linux drivers using wpa_supplicant[WPAS]
       FreeBSD using wpa_supplicant[WPAS]
       SoftAP on Linux or FreeBSD using hostapd[HAPD]
   But my adapter/AP/router firmware sucks !
   Check for Wi-Fi certification !
   Wi-Fi certification implies WPA support since 2003 and WPA2
   since 2004
   Update your firmware !

MAC address filtering



  Restrict AP access to a limited list of MAC addresses
      MAC address is readable in the 802.11 header
      Anyone can grab an authorized MAC just by looking around !
      MAC spoofing is trivial on 802.11

  Well...
  MAC address filtering is very easy to bypass




SSID cloaking
  What is it ?
       Remove SSID from beacons
       AP does not answer anonymous probe requests
       Requires targeted probe requests for association
  But...
       SSID appears in probe requests
       SSID appears in authentication and association requests

  Well...
  Your SSID is not hidden...
  Attackers can even discover it from your probes and create a fake
  AP[WRI07]

Stations isolation

  [Figure : two wireless stations, Batman and Robin, associated to the
  same Access Point]

  Without PSPF
      Batman sends a frame To = Robin, To-DS = 1 to the Access Point
      The Access Point relays it to Robin as To = Robin, From-DS = 1

  With PSPF
      Batman sends a frame To = Robin, To-DS = 1 to the Access Point
      The Access Point refuses communication between wireless stations
      and drops the frame (X)

  Seriously...
  Do you really think this is working ? !
  We’ll get back to this later...


Open networks security



  What is your exposure on open networks ?
      A : comparable to an Ethernet network
      B : A plus very easy eavesdropping
      C : B plus zillions of nasty attacks

  Answer :
  C : You’re pretty naked on an open wireless network[BLA06b]...




                               e
                              C´dric BLANCHER         Wireless Security Myth Busting
                  The point of Wireless security...
          Protecting yourself from the bad guys...
                                                      Infrastructure perspective
                                   Open networks
                                                      Client side...
                                       Conclusion
                                     Bibliography


Open networks security



  What is your exposure on open networks ?
      A : comparable to ethernet network
      B : A plus very easy eavesdropping
      C : B plus zillions of nasty attacks

  Answer :
  C : You’re pretty naked on an open wireless network[BLA06b]...




                               e
                              C´dric BLANCHER         Wireless Security Myth Busting
                  The point of Wireless security...
          Protecting yourself from the bad guys...
                                                      Infrastructure perspective
                                   Open networks
                                                      Client side...
                                       Conclusion
                                     Bibliography


Open networks security



  What is your exposure on open networks ?
      A : comparable to ethernet network
      B : A plus very easy eavesdropping
      C : B plus zillions of nasty attacks

  Answer :
  C : You’re pretty naked on an open wireless network[BLA06b]...




                               e
                              C´dric BLANCHER         Wireless Security Myth Busting
                   The point of Wireless security...
           Protecting yourself from the bad guys...
                                                       Infrastructure perspective
                                    Open networks
                                                       Client side...
                                        Conclusion
                                      Bibliography


Agenda

  1   The point of Wireless security...
  2   Protecting yourself from the bad guys...
        Wired Equivalent Privacy
        Wi-Fi Protected Access
        802.11i and WPA2
        Other features...
  3   Open networks
       Infrastructure perspective
       Client side...
  4   Conclusion
  5   Bibliography



Hotspots and captive portals

  [Figure : an "Authenticated Client" and a "New client" are both associated
  to the open AP, which sits in front of the Internet]

  Open infrastructure network : anyone can join
      Outbound traffic is filtered out
      HTTP traffic is redirected to auth. portal
      Once registered, client can access Internet






Bypassing hotspots ?


  Captive portals track network parameters to identify clients
      MAC address
      IP address
  You can defeat the system by :
      Using a rogue AP to proxy a legitimate client’s registration
      Spoofing MAC or IP or both...

  Hotspot ?
  If you can find someone registered, you’re out





Mesh networks

  [Figure : mesh of clients linked to each other, one of them providing the
  Internet uplink]

  Adhoc based network
      Clients to clients links
      Clients can join/move/leave
      Dynamic and adaptive routing
  AODV, OLSR provide dynamic and adaptive routing






Is it secure ?


  How good do you think adhoc is compared to an AP based
  architecture ?
       A : better
       B : just the same
       C : worse
  Answer :
  B or C : depending on whether you consider dynamic routing an
  additional vuln...






Attacks on mesh networks


  Same attacks as classical AP based open networks (see below) and
  tampering with dynamic routing :
      OLSR fake announcements (e.g. Internet connectivity)
      OLSR routes injection
      OLSR tampering by overpowered adapter

  Mesh networks ?
  They’re pretty easy to attack...






What about associated stations ?



  All known "LAN attacks" are available
      LAN attacks (ARP, DHCP, DNS, etc.)
      Traffic interception and tampering
      Direct station attacks
  Think of the infamous personal firewall exception for the local network,
  or loose firewall settings...






Rogue AP

  [Figure : Joker’s RogueAP sits between Batman and the legitimate AP, which
  provides the Internet link]

  Classical, inexpensive, well known layer 1/2 attack
      Set up AP with same configuration
      Power-up and associate clients
      Divert client traffic and play
  Easy, efficient, powerful tools available[KRM]






Traffic tampering

  [Figure : Robin sends a request to a Server on the Internet (@Src = Robin,
  @Dst = Server, To-DS = 1) ; Joker, listening, injects an answer to Robin
  (@Src = Server, @Dst = Robin, From-DS = 1)]

  WiFi communication can be listened on the air
      Listen to WiFi traffic
      Spot interesting requests
      Inject your own crafted answers
      You’ve built an airpwn-like[AIRP] tool
  Applications : ARP spoofing, DNS spoofing, malicious data injection, etc.






Stations isolation
Reloaded...

  [Figure : Batman sends a frame "To = Robin, To-DS = 1" to the Access Point.
  Without PSPF, the Access Point relays it to Robin as "To = Robin,
  From-DS = 1". With PSPF, the Access Point drops it (X) and nothing reaches
  Robin]

  Security feature that blocks traffic within BSS
  Usually known as station isolation
      Station sends To-DS frame
      AP sees destination is in BSS
      AP drops the frame
  No From-DS frame, so no communication (a) : stations can’t talk to
  each other...

  (a) Does not work between 2 APs linked via wired network





Bypass using traffic injection

  [Figure : Joker injects "To = Batman, From-DS = 1" and "To = Robin,
  From-DS = 1" frames directly over the air, while Batman’s "To = Robin,
  To-DS = 1" frame is still dropped (X) by the Access Point]

  Joker can inject From-DS frames directly
      No need for AP approval
      You can spoof about anyone
      You’re still able to sniff traffic
  Traffic injection allows complete isolation bypass






Bidirectional communication with injection
Sending packets the ninja way

  [Figure : Joker sends "To = Robin, From-DS = 1" frames directly to Robin
  and reads the stations’ To-DS replies ("To = Joker, To-DS = 1", "To =
  Batman, To-DS = 1") off the air, while the Access Point drops (X) every
  frame sent through it, including Batman’s "To = Robin, To-DS = 1"]

  Sending traffic directly to stations[WTAP] allows direct station to
  station communication, even if :
      AP applies restrictions
      AP refuses association
      AP is out of reach
  Talking to stations the ninja way, without being associated
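The isolation rule and its injection bypass described on the last three slides, as an added example (Python, not code from the original deck or from Wifitap): it builds and parses 3-address 802.11 data frame headers, models the AP’s forwarding decision with and without PSPF, and derives a monitor-side check from the slides’ own logic, since with PSPF on the AP never relays one station’s frame to another, a From-DS frame tagged with this BSSID whose source and destination are both associated stations cannot have come from the AP. Station names mirror the figures; the MAC addresses, `AP_BSSID`, `ASSOCIATED` and the helper names are constructed for this example.

```python
"""Station isolation (PSPF) and its From-DS injection bypass, modelled.

Added example, not part of the original slides. Addresses are constructed.
"""
import struct
from dataclasses import dataclass

TYPE_DATA = 2        # Frame Control byte 0, bits 2-3 : frame type "data"
FC_TO_DS = 0x01      # Frame Control byte 1, bit 0
FC_FROM_DS = 0x02    # Frame Control byte 1, bit 1

# Constructed addresses for the slides' actors (not real devices)
AP_BSSID = "02:00:00:00:aa:01"
BATMAN = "02:00:00:00:bb:01"
ROBIN = "02:00:00:00:bb:02"
SERVER = "02:00:00:00:cc:01"   # a host beyond the AP, e.g. on the Internet
ASSOCIATED = frozenset({BATMAN, ROBIN})   # stations the AP has associated


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class DataFrame:
    to_ds: bool
    from_ds: bool
    da: str      # destination station
    sa: str      # source station
    bssid: str   # the BSS the frame claims to belong to


def build_data_frame(to_ds: bool, from_ds: bool, da: str, sa: str, bssid: str) -> bytes:
    """Build a 24-byte 3-address data frame header (no body, no FCS).

    Addr1..Addr3 meaning depends on the DS bits, as in 802.11 :
      To-DS=0, From-DS=0 : Addr1=DA,    Addr2=SA,    Addr3=BSSID
      To-DS=1, From-DS=0 : Addr1=BSSID, Addr2=SA,    Addr3=DA
      To-DS=0, From-DS=1 : Addr1=DA,    Addr2=BSSID, Addr3=SA
    """
    if to_ds and from_ds:
        raise ValueError("4-address WDS frames are out of scope here")
    fc0 = TYPE_DATA << 2                    # version 0, type data, subtype 0
    fc1 = (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    if to_ds:
        addrs = (bssid, sa, da)
    elif from_ds:
        addrs = (da, bssid, sa)
    else:
        addrs = (da, sa, bssid)
    header = bytes([fc0, fc1]) + struct.pack("<H", 0)     # FC + duration
    header += b"".join(mac_bytes(a) for a in addrs)
    return header + struct.pack("<H", 0)                   # sequence control


def parse_data_frame(raw: bytes) -> DataFrame:
    """Decode the DS bits and map Addr1..Addr3 back to DA/SA/BSSID."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    if (fc0 >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & FC_TO_DS), bool(fc1 & FC_FROM_DS)
    if to_ds and from_ds:
        raise ValueError("4-address WDS frames are out of scope here")
    a1, a2, a3 = (mac_str(raw[i:i + 6]) for i in (4, 10, 16))
    if to_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds:
        da, bssid, sa = a1, a2, a3
    else:
        da, sa, bssid = a1, a2, a3
    return DataFrame(to_ds, from_ds, da, sa, bssid)


def ap_decision(frame: DataFrame, pspf: bool) -> str:
    """What the AP does with a frame it hears over the air.

    The AP only acts on To-DS frames for its own BSSID ; everything else is
    ignored, which is why an injected From-DS frame is never filtered : the
    AP is simply not on its path.
    """
    if not frame.to_ds or frame.bssid != AP_BSSID:
        return "ignored"
    if frame.da in ASSOCIATED:
        return "dropped" if pspf else "relayed as From-DS"
    return "forwarded to DS"


def looks_like_isolation_bypass(frame: DataFrame) -> bool:
    """Monitor-side check, only sound when PSPF is enabled on this AP :
    a From-DS frame with our BSSID between two associated stations is one
    the AP would have dropped, so the AP did not send it."""
    return (frame.from_ds and frame.bssid == AP_BSSID
            and frame.sa in ASSOCIATED and frame.da in ASSOCIATED)


if __name__ == "__main__":
    legit = parse_data_frame(build_data_frame(True, False, ROBIN, BATMAN, AP_BSSID))
    print("Batman -> Robin via AP, PSPF on :", ap_decision(legit, pspf=True))
    print("Batman -> Robin via AP, PSPF off:", ap_decision(legit, pspf=False))
    injected = parse_data_frame(build_data_frame(False, True, ROBIN, BATMAN, AP_BSSID))
    print("Injected From-DS frame, AP view  :", ap_decision(injected, pspf=True))
    print("Injected From-DS frame, monitor  :", looks_like_isolation_bypass(injected))
```

The check is deliberately narrow : it fires only for the case PSPF actually prevents, and only within one BSS. As the footnote on the isolation slide says, two APs bridged over a wire will legitimately relay station-to-station traffic, so a From-DS frame whose source sits on another AP is not an indicator here.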





What can we tell about Wi-Fi security ?



  Two things :

      Open networks suck
      WEP sucks
      When properly implemented, WPA/WPA2 is good security

  When on an open network, launch a VPN as soon as possible...






What about vulnerable drivers ?...



  What do you think of driver vulnerabilities[ELL06] ?
       A : FUD
       B : maybe true
       C : True and exploitable

  Answer :
  C : it works, very well...






Bibliography I

     [IEEE04a] IEEE Std 802.1x, Port-Based Network Access
     Control, 2004,
     http://standards.ieee.org/getieee802/download/802.1X-20
     [IEEE99] ANSI/IEEE Std 802.11, Wireless LAN
     Medium Access Control and Physical Layer Specifications, 1999,
     http://standards.ieee.org/getieee802/download/802.11-19
     [IEEE04b] IEEE Std 802.11i, Medium Access Control Security
     Enhancements, 2004,
     http://standards.ieee.org/getieee802/download/802.11i-2
     [WPA] WiFi Protected Access,
     http://www.wi-fi.org/OpenSection/protected_access_archi



Bibliography II

      [WPA2] WiFi Protected Access 2,
      http://www.wi-fi.org/OpenSection/protected_access.asp
      [RW95] A. Roos and D.A. Wagner, Weak keys in RC4,
      sci.crypt Usenet newsgroup
      [WAL00] J. Walker, Unsafe at any key size; An analysis of
      WEP encapsulation, 2000,
      http://www.dis.org/wl/pdf/unsafew.pdf
      [ASW01] W.A. Arbaugh, N. Shankar and Y.C.J. Wan, Your
      802.11 Wireless Network Has No Clothes, 2001,
      http://www.cs.umd.edu/~waa/wireless.pdf




Bibliography III

      [FMS01] S. Fluhrer, I. Mantin and A. Shamir, Weaknesses in
      the Key Scheduling Algorithm of RC4, 2001,
      http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
      [MIR02] I. Mironov, (Not so) Random shuffles of RC4, 2002,
      http://eprint.iacr.org/2002/067
      [MOS03] R. Moskowitz, Weakness in Passphrase Choice in
      WPA Interface, 2003,
      http://wifinetnews.com/archives/002452.html
      [HM04] C. He and J.C. Mitchell, 1 Message Attack on 4-Way
      Handshake, 2004,
      http://www.drizzle.com/~aboba/IEEE/11-04-0497-00-000i-1



Bibliography IV

     [MRH04] V. Moen, H. Raddum and K.J. Hole, Weakness in
     the Temporal Key Hash of WPA, 2004,
     http://www.nowires.org/Papers-PDF/WPA_attack.pdf
     [BIT06] A. Bittau, M. Handley and J. Lackey, The Final Nail
     in WEP’s Coffin,
     http://tapir.cs.ucl.ac.uk/bittau-wep.pdf
     [WRI07] J. Wright, Issues with SSID cloaking,
     http://www.networkworld.com/columnists/2007/030507-wire
     [ABOB] Bernard Aboba, The Unofficial 802.11 Security Web
     Page, http://www.drizzle.com/~aboba/IEEE/
     [WIFI] WiFi Alliance, http://www.wi-fi.org/



Bibliography V


     [MISC] MISC Magazine, http://www.miscmag.com/
     [WACR] Cracking WEP in 10 minutes with WHAX,
     http://sid.rstack.org/videos/aircrack/whax-aircrack-wep
     [ARB01] W.A. Arbaugh, An Inductive Chosen Plaintext Attack
     against WEP/WEP2, 2001,
     http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm
     [BLA02] C. Blancher, Switched environments security, a fairy
     tale, 2002,
     http://sid.rstack.org/pres/0207_LSM02_ARP.pdf





Bibliography VI


     [BLA03] C. Blancher, Layer 2 filtering and transparent
     firewalling, 2003,
     http://sid.rstack.org/pres/0307_LSM03_L2_Filter.pdf
     [KO04a] Korek,
     http://www.netstumbler.org/showthread.php?p=89036
     [KO04b] Korek, Chopchop,
     http://www.netstumbler.org/showthread.php?t=12489
     [BIT05] A. Bittau, The Fragmentation Attack in Practice, 2005,
     http://www.toorcon.org/2005/slides/abittau/paper.pdf





Bibliography VII

     [BLA06b] C. Blancher, WiFi traffic injection based attacks,
     2006,
     http://sid.rstack.org/pres/0602_Securecon_WirelessInject
     [CAC06] J. Ellch and D. Maynor, Device Drivers,
     http://www.blackhat.com/presentations/bh-usa-06/BH-US-0
     [BLA06b] C. Blancher, Messing up with WiFi public networks,
     2006,
     http://sid.rstack.org/pres/0608_BCS_OpenWireless.pdf
     [AIRC] C. Devine, Aircrack,
     http://www.cr0.net:8040/code/network/aircrack/
     [ACNG] Aircrack-ng, http://www.aircrack-ng.org/



Bibliography VIII

     [AIRP] Airpwn, http://www.evilscheme.org/defcon/
     [ARPS] Arp-sk, http://sid.rstack.org/arp-sk/
     [EBT] Ebtables, http://ebtables.sourceforge.net/
     [HAP] Hostap Linux driver, http://hostap.epitest.fi/
     [HAPD] Hostapd authenticator,
     http://hostap.epitest.fi/hostapd/
     [KRM] Karma, http://theta44.org/karma/
     [MADW] MadWiFi project,
     http://madwifi.sourceforge.net/



Bibliography IX

     [NSTX] Nstx, http://nstx.dereference.de/nstx/
     [OZY] OzymanDNS,
     http://www.doxpara.com/ozymandns_src_0.1.tgz
     [PR54] Prism54 Linux driver, http://prism54.org/
     [PYTH] Python, http://www.python.org/
     [RT25] RT2500 Linux driver,
     http://rt2x00.serialmonkey.com/
     [RTL8] RTL8180 Linux driver,
     http://rtl8180-sa2400.sourceforge.net/
     [SCAP] Scapy, http://www.secdev.org/projects/scapy/



Bibliography X



     [WLAN] Linux Wlan-ng, http://www.linux-wlan.org/
     [WPAS] Wpa supplicant,
     http://hostap.epitest.fi/wpa_supplicant/
     [WTAP] Wifitap,
     http://sid.rstack.org/index.php/Wifitap_EN
     [ISCD] ISC Handler’s Diary,
     http://isc.sans.org/diary.php?date=2005-06-26



