802.11 Wireless Insecurity By: No’eau Kamakani Robert Whitmire.
802.11 Wireless Insecurity
By: No’eau Kamakani, Robert Whitmire
Outline
• Background
• Security Features
• Attacks
• Demonstrations
• Conclusion
Background
Wireless Definitions
• 802.11
  • 802 = LANs (Local Area Network)
  • 11 = Wireless
• WiFi
  • Wireless Fidelity
• Hotspots
  • Connection point for a WiFi network hardwired to the Internet
How Does It Work?
• Transmits over radio frequency
  • 2.4 – 2.483 GHz
  • 5 GHz range
• Channels (for B and G)
  • Direct Sequence Spread Spectrum
  • USA 1-11
  • Europe 1-13
  • Japan 1-14
Protocols
Products
Why go wireless
• Infrastructure easy
  • Goes thru walls, no wiring
• Portability and Flexibility
  • Access from anywhere
• Interoperability
  • Compatible with all WiFi products certified by Wireless Ethernet Compatibility Alliance (WECA)
• Increased Productivity
  • Endless connectivity
Security
WEP
• Wired Equivalent Privacy
• Secret Key for encrypting data
  • Shared between mobile card and access point
  • 40-128 bits (includes IV)
• Initialization Vector (IV)
  • 24 bit, randomly generated
  • Sent in clear text
  • Finite
RC4 Encryption Algorithm
• Stream cipher
  • Generates infinite pseudo-random keystream
• Keystream generated with key and IV
  • XOR’ed with message and Checksum to generate ciphertext
  • Receiver generates same keystream and XOR’s with ciphertext to get message and checksum
Visualizing RC4
CRC-32 Checksum
• Linear Checksum algorithm
  • Integrity checking
  • A bit in message correlates directly to set of checksum bits
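Why a linear checksum gives no integrity protection once it is XOR-encrypted, as an added example that is not part of the original slides. The message, the flipped bit and the function names are constructed for illustration, and a random keystream stands in for RC4 output since the property holds for any XOR stream cipher.

```python
import os
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    """CRC-32 of msg as a 4-byte little-endian integrity check value."""
    return zlib.crc32(msg).to_bytes(4, "little")

def icv_delta(delta: bytes) -> bytes:
    """Checksum change caused by XORing `delta` into ANY message of that length.

    CRC-32 is affine over GF(2): crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0),
    so the change depends only on d, never on the message or on a key.
    """
    return xor(icv(delta), icv(bytes(len(delta))))

def seal(keystream: bytes, msg: bytes) -> bytes:
    """XOR stream encryption of message || checksum."""
    return xor(msg + icv(msg), keystream)

def open_frame(keystream: bytes, ct: bytes) -> tuple[bytes, bool]:
    """Decrypt and report whether the checksum verifies."""
    body = xor(ct, keystream)
    return body[:-4], icv(body[:-4]) == body[-4:]

def patch_without_key(ct: bytes, delta: bytes) -> bytes:
    """Apply a message change plus the matching checksum change to ciphertext."""
    return xor(ct, delta + icv_delta(delta))

# Constructed sample data (assumptions, not from the slides).
MSG = b"constructed WEP payload"
DELTA = bytes(5) + b"\x01" + bytes(len(MSG) - 6)   # flip one bit in byte 5
KEYSTREAM = os.urandom(len(MSG) + 4)               # stand-in for RC4 output

if __name__ == "__main__":
    tampered = patch_without_key(seal(KEYSTREAM, MSG), DELTA)
    print(open_frame(KEYSTREAM, tampered))
```

A keyed integrity check does not have this property, which is why the checksum was replaced in the later standards the slides mention.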
WEP Vulnerabilities
• Relies on flawed encryption method
  • RC4 is crackable through statistical analysis
    • IV’s collisions, calculate key from this
  • Checksum is predictable
• IV implemented incorrectly
• Better than nothing
  • Not on as default
  • Not end all security measure
• Easily Crackable (AirSnort)
WPA
• WiFi Protected Access
• Latest snapshot of 802.11i
  • Explained later
• Rotating Keys
  • Temporal Key Integrity Protocol
• Increased IV (24-48 bits)
• Checksum
• Order of magnitude harder to crack
802.1X
• User not Machine Authentication
• Supposed to provide a vendor-independent way to control access
• Authentication through EAP (Extensible Authentication Protocol)
  • Tokens, Kerberos, one-time passwords, certificates, etc.
Other Security Attempts
• 802.11i
  • IEEE attempt to provide strong security
  • Dynamically updating WEP Key
  • Not complete
• VPN
  • Providing security through VPN tunneling protocols
  • Compatibility issues, better than WEP but not universal solution
• MAC Filtering
  • MAC addresses sent in clear
  • Easy to sniff
  • Easy to spoof
Attacks
• Passive attack to decrypt traffic
  • Waits for keystream collision
  • Gets XOR
  • Statistically reveals plain text
• Active attack to inject traffic
  • RC4(X) xor X xor Y = RC4(Y)
• Unauthorized Access Points on a Network
  • Attacker set up own access point on network effectively circumventing security measures
  • Resetting access points to default
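The keystream-collision and RC4(X) xor X xor Y = RC4(Y) bullets above, worked through on constructed data to show why a repeated IV under a fixed key defeats the design. This is an added example, not part of the original slides; KEY, IV, X, Y and the function names are assumptions made for illustration.

```python
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for `seed`."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def body(msg: bytes) -> bytes:
    """Message followed by its CRC-32 checksum."""
    return msg + zlib.crc32(msg).to_bytes(4, "little")

def wep_seal(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Cleartext 24-bit IV, then RC4(IV || key) XOR (msg || CRC-32)."""
    return iv + xor(body(msg), rc4(iv + key, len(msg) + 4))

def wep_open(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    plain = xor(ct, rc4(iv + key, len(ct)))
    if body(plain[:-4]) != plain:
        raise ValueError("checksum mismatch")
    return plain[:-4]

KEY = bytes.fromhex("0102030405")   # constructed 40-bit shared secret
IV = bytes.fromhex("a1b2c3")        # constructed IV, deliberately reused
X = b"known plaintext!"             # constructed, equal-length messages
Y = b"other plaintext?"

def ciphertext_xor_equals_plaintext_xor() -> bool:
    """Passive case: one IV, two frames, the keystream cancels out."""
    cx, cy = wep_seal(KEY, IV, X)[3:], wep_seal(KEY, IV, Y)[3:]
    return xor(cx, cy)[:len(X)] == xor(X, Y)

def slide_identity_holds() -> bool:
    """RC4(X) xor X xor Y = RC4(Y), reading RC4(.) as the encrypted body."""
    cx = wep_seal(KEY, IV, X)[3:]
    derived = IV + xor(xor(cx, body(X)), body(Y))   # computed without KEY
    return derived == wep_seal(KEY, IV, Y) and wep_open(KEY, derived) == Y
```

Both functions return True only because the IV repeats; with a fresh IV per frame the keystreams differ and neither relation holds.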
Fun Demonstrations
War Driving
War Driving Silicon Valley
War Spying
• Also called Warviewing
• 2.4 GHz wireless Cameras
• Gear
Conclusion
• WEP is better than nothing
• Never settle for default settings
• Base protection level on sensitivity of data
• Provide backup network protection
• Remember, anyone can sniff your wireless network.
Questions?