A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Speaker : Po-Kang Chen Advisor : Quincy Wu Date : 2010/06/13

Page 1:

A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal

Speaker: Po-Kang Chen
Advisor: Quincy Wu
Date: 2010/06/13

Page 2:

Outline

Introduction
Motivation
Related Work
Authentication of Public WLAN
Implementation & Experiment result
Conclusion

Page 3:

Introduction

The Internet has become more important, and wireless networking has made access more convenient. Many public areas now provide a Wireless LAN for users; such a network is called a Public WLAN (PWLAN).

PWLANs are usually provided by Wireless Internet Service Providers (WISPs), which manage the payment mechanism of the PWLAN.

Users can sign a contract with the WISP or buy pre-paid cards to use the PWLAN.

Page 4:

Introduction

Nowadays it is easy to find PWLAN service in a coffee shop or a fast-food restaurant, and people enjoy this convenient Internet access in public places.

According to the TWNIC sample survey report of January 2010, the frequency of Internet use in public areas is increasing.

Page 5:

Figure 1. Taiwan Internet usage survey report, January 2010 (unit: relative frequency). http://www.twnic.net.tw/download/200307/200307index.shtml

Page 6: Outline (repeated from Page 2).

Page 7:

Motivation

As more people use PWLANs, the security of PWLANs matters more than it did in the past.

Traditionally, we rely on WEP or WPA-PSK to protect our WLAN. The vulnerabilities of WEP and WPA-PSK have been pointed out.

With readily available tools, a malicious user can perform the Caffe Latte attack, which recovers the WEP or WPA-PSK secret keys within the time of a tea break.

Page 8:

Motivation

Therefore, most PWLANs now use a newer security mechanism called Captive Portal. A Captive Portal uses a web page to authenticate users.

It has been widely accepted by WISPs as a useful mechanism to ensure that every user is authenticated before accessing the Internet via the WLAN.

Figure 2. Login webpage

Page 9:

Motivation

Although the IEEE 802.1X standard has been proposed to replace the Captive Portal, 802.1X is more complicated than a Captive Portal, so it is not widely deployed in PWLANs.

We shall show that PWLANs guarded by a Captive Portal are vulnerable to Man-In-The-Middle attacks, so that unauthenticated users can access the Internet via the PWLAN.

Page 10: Outline (repeated from Page 2).

Page 11:

ARP

ARP (Address Resolution Protocol) converts an IP address to a MAC address so that hosts can communicate on Ethernet.

The sender broadcasts an ARP Request message asking for the MAC address associated with the destination IP address.

The host owning that IP address sends a unicast ARP Reply message to the sender with its IP-MAC pairing.

The sender updates its ARP cache after receiving the ARP Reply.

Page 12:

ARP Spoof

A malicious user sends ARP Replies carrying a fake IP-MAC pairing, in an attempt to poison the ARP caches of other hosts on the network.

ARP Spoof can be used to perform Man-In-The-Middle (MITM) attacks or Denial of Service (DoS) attacks.

Page 13:

MITM

Before the MITM attack, both hosts hold the correct MAC address for each other and communicate directly.

After the MITM attack, the dynamic IP-MAC pairing in the ARP cache of both hosts has been modified. The attacker receives packets from one host and forwards them to the other.

MITM is often used to sniff sensitive information on the network.
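The three slides above (ARP, ARP Spoof, MITM) describe the state an ARP Spoof corrupts: the IP-MAC pairings hosts learn from ARP Replies. The following monitor is an added example, not code from the slides or from the author's implementation. It replays a constructed ARP trace and raises alerts on the signals a defender can watch for: a pairing that changes, a Reply no Request asked for, a contradiction of an operator-supplied static binding, and one MAC answering for several IPs, which is what a relay impersonating both the gateway and a client looks like. All addresses and messages are constructed.

```python
"""Detect ARP cache poisoning from a stream of ARP messages (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ARP_REQUEST = 1   # operation codes from RFC 826
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpMessage:
    ts: float          # seconds since capture start
    op: int            # ARP_REQUEST or ARP_REPLY
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    """Learns IP->MAC bindings from ARP Replies and records anomalies."""
    static: Dict[str, str] = field(default_factory=dict)   # operator-trusted bindings
    learned: Dict[str, str] = field(default_factory=dict)
    asked_for: Set[str] = field(default_factory=set)       # IPs seen in Requests
    alerts: List[str] = field(default_factory=list)

    def observe(self, m: ArpMessage) -> None:
        if m.op == ARP_REQUEST:
            self.asked_for.add(m.target_ip)
            return
        if m.op != ARP_REPLY:
            return
        ip, mac = m.sender_ip, m.sender_mac.lower()
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(f"t={m.ts}: {ip} announced by {mac}, static binding is {self.static[ip]}")
        if ip in self.asked_for:
            self.asked_for.discard(ip)
        else:
            # Gratuitous ARP is also unsolicited, so on its own this is a weak signal.
            self.alerts.append(f"t={m.ts}: unsolicited ARP Reply for {ip} from {mac}")
        old = self.learned.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"t={m.ts}: {ip} changed from {old} to {mac}")
        self.learned[ip] = mac
        # One MAC answering for more than one IP is the signature of a relay
        # that impersonates both ends of a conversation.
        claimed = sorted(i for i, a in self.learned.items() if a == mac)
        if len(claimed) > 1:
            self.alerts.append(f"t={m.ts}: {mac} now claims {claimed}")


def run_monitor(messages: List[ArpMessage], static: Optional[Dict[str, str]] = None) -> ArpMonitor:
    """Feeds a trace to a fresh monitor and returns it for inspection."""
    mon = ArpMonitor(static=dict(static or {}))
    for m in messages:
        mon.observe(m)
    return mon


# Constructed trace: a normal resolution, then a poisoning of both sides.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "00:00:5e:00:53:10"
ROGUE_MAC = "00:00:5e:00:53:99"

NORMAL_TRACE = [
    ArpMessage(0.0, ARP_REQUEST, VICTIM_IP, VICTIM_MAC, GATEWAY_IP),
    ArpMessage(0.1, ARP_REPLY, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP),
]
POISONED_TRACE = NORMAL_TRACE + [
    ArpMessage(5.0, ARP_REPLY, GATEWAY_IP, ROGUE_MAC, VICTIM_IP),   # victim's cache poisoned
    ArpMessage(5.1, ARP_REPLY, VICTIM_IP, ROGUE_MAC, GATEWAY_IP),   # gateway's cache poisoned
]

if __name__ == "__main__":
    for line in run_monitor(POISONED_TRACE, {GATEWAY_IP: GATEWAY_MAC}).alerts:
        print(line)
```

On a real WLAN the monitor would be fed from a capture on the same segment; the static table is where an operator pins the gateway's MAC, which is the binding the conclusion's intrusion-detection advice most needs to protect.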

Page 14:

MITM

Figure 3. MITM attack

Page 15: Outline (repeated from Page 2).

Page 16:

Captive Portal

The Captive Portal deploys an authentication architecture consisting of an Access Controller, a Web Application Server and a RADIUS server.

If an unauthenticated user tries to access the Internet, the Access Controller responds with HTTP status code 302 to redirect the user to the login page.

The user must authenticate with a correct username/password provided by the WISP.
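The redirect-then-authenticate flow on this slide can be modelled in a few lines. The following is an added example, not code from the slides or from any WISP product. It assumes the Access Controller keys its authorisation state on the client's (IP, MAC) pair, stands in for the RADIUS server with a constructed username/password table, and uses a made-up LOGIN_URL. The last step of the exchange shows the property the rest of the talk builds on: once a pair is authorised, the controller forwards any packet that carries it, because the source address fields are all it sees.

```python
"""Model of the Captive Portal authentication flow (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

LOGIN_URL = "https://portal.example.net/login"  # constructed
HTTP_PORT = 80


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_port: int
    request_line: str = ""   # first line of an HTTP request, empty otherwise


class AccessController:
    """Gate between the WLAN and the Internet (see Figure 4)."""

    def __init__(self, radius_users: Dict[str, str]):
        self._radius_users = radius_users          # stand-in for the RADIUS server
        self.authorized: Set[Tuple[str, str]] = set()

    def login(self, pkt: Packet, username: str, password: str) -> bool:
        """The Web Application Server forwards the credentials; on an
        Access-Accept the client's (IP, MAC) pair is opened."""
        if self._radius_users.get(username) == password:
            self.authorized.add((pkt.src_ip, pkt.src_mac))
            return True
        return False

    def handle(self, pkt: Packet) -> str:
        """Decision for one packet arriving from the WLAN side."""
        if (pkt.src_ip, pkt.src_mac) in self.authorized:
            return "FORWARD"
        if pkt.dst_port == HTTP_PORT and pkt.request_line.startswith("GET "):
            # Unauthenticated web traffic is answered with a redirect to the
            # login page instead of being forwarded.
            return f"HTTP/1.1 302 Found\r\nLocation: {LOGIN_URL}\r\n\r\n"
        return "DROP"


def portal_exchange() -> List[str]:
    """Replays the exchange of Figure 5 with constructed addresses and
    credentials and returns the controller's decisions in order."""
    ac = AccessController({"alice": "correct horse"})
    client = Packet("192.0.2.10", "00:00:5e:00:53:10", HTTP_PORT, "GET / HTTP/1.1")
    decisions = [ac.handle(client)]                                   # 302 redirect
    decisions.append("LOGIN_OK" if ac.login(client, "alice", "wrong") else "LOGIN_FAIL")
    decisions.append("LOGIN_OK" if ac.login(client, "alice", "correct horse") else "LOGIN_FAIL")
    decisions.append(ac.handle(client))                               # FORWARD
    # The controller only inspects source IP and MAC: a later packet carrying
    # the authenticated pair is forwarded regardless of who sent it.
    same_pair_ftp = Packet("192.0.2.10", "00:00:5e:00:53:10", 21)
    decisions.append(ac.handle(same_pair_ftp))                        # FORWARD
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(portal_exchange(), 1):
        print(step, decision.splitlines()[0])
```

The model makes the limitation of address-based authorisation explicit: the decision in handle() has no link to the authenticated session beyond the (IP, MAC) key, which is why the conclusion recommends per-user authentication with 802.1X rather than a stronger web login.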

Page 17:

Figure 4. PWLANs architecture

Page 18:

Figure 5. Captive Portal process

Page 19: Outline (repeated from Page 2).

Page 20:

Implementation

Figure 6. MITM in Captive Portal (1/2)

Page 21:

Figure 7. MITM in Captive Portal (2/2). Legend: victim packets, attacker packets.

Page 22:

Implementation

Figure 8. Fields modified in the masqueraded packet. The relayed packet is shown as a layered stack (Data / TCP/UDP/ICMP / IP / Ethernet); the fields the relay rewrites are:

TCP/UDP: checksum
IP: source IP address & checksum

Changing the source IP address invalidates both the IP header checksum and the TCP/UDP checksum (which covers a pseudo-header containing the source address), so both must be recomputed for the packet to be accepted.

Page 23:

Experiment & Result

Table 1. Implementation spec.

                          Eee PC 701 (victim)        Lenovo X200 (attacker)           Remote FTP server
CPU                       Intel Celeron M 900MHz     Intel Core2 Duo P8600 2.40GHz    Intel Pentium Dual E2200 2.20GHz
Memory                    512MB                      4GB                              2GB
Operating System          Windows XP 32-bit          Windows 7 32-bit                 Ubuntu 9.10
TCP buffer size (bytes)   65,535                     65,535                           65,535

Page 24:

Figure 9. Implementation environment

Page 25:

Figure 10. Download 10MB files
Figure 11. Download 20MB files

Page 26:

Experiment & Result

Table 2. Experiment result

File size   Average download speed (Kbps)          Performance (with relay / without relay)
            without relay      with relay
10MB        241.55             234.06              97%
20MB        243.34             235.72              97%

Page 27: Outline (repeated from Page 2).

Page 28:

Conclusion

We demonstrate how ARP Spoof can be used to launch a MITM attack in PWLANs, so that unauthenticated users can access the Internet via the PWLAN.

We advise WISPs to deploy network devices that support intrusion detection, or to redesign the PWLAN architecture and authenticate users with 802.1X.