tournament arena simulation for a wireless 'ecosystem' - Winlab
Security Challenges in Wireless Systems - WINLAB · Hysterical History of 802.11-WEP Other Wireless...
Transcript of Security Challenges in Wireless Systems - WINLAB · Hysterical History of 802.11-WEP Other Wireless...
• Confidentiality/date line: 13pt Arial Regular, whiteMaximum length: 1 line
• Information separated by vertical strokes,with two spaces on either side
• Disclaimer information may also be appear in this area. Place flush left, aligned at bottom, 8-10pt Arial Regular, white
• IBM logo must not be moved, added to, or altered in any way.
Indications in green = Live content
Indications in white = Edit in master
Indications in blue = Locked elements
Indications in black = Optional elements
• Copyright: 10pt ArialRegular, white
© 2002 IBM Corporation
Template release: Oct 02For the latest, go to http://w3.ibm.com/ibm/presentations
IBM Research
Security Challenges in Wireless Systems
David [email protected]
Outline
Threat Trends Wireless systems are just part of the overall problem
Hysterical History of 802.11-WEP
Other Wireless Systems
Solution approachesHardware Root Trust
Virtualization
What Now?
3
Introduction: State of Computer Security
“The sky isn't falling ... it fell a few years ago.”Roger Grimes, Infoworld Security Advisor, 2006
The modern threat
“Nation states, however, have the technical and operational capabilities to orchestrate the full range of adversarial cyber operations through a combination of such means as recruiting insiders, setting up front companies, establishing signals collections systems, implanting damaging hardware or software in communications networks and subverting telecommunications, cryptographic defenses and supply chains.”
National Science and technology Council, “Federal Plan for Cyber Security and Information Assurance Research and Development”, April 2006.
How do you know your hardware doesn't have a back door?
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008*
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
Vulnerabilities Discovered Per Year (CERT)
1999 2000 2001 2002 2003 2004
0
50
100
150
200
250
300
350
Days from Patch to Exploit (Information Security, July 2004)
More and More Vulnerabilities(roughly 20 per day)
Less and Less Time to Patch(zero day exploits)
We've Lost the Software Vulnerability War
Secure Software is HARD
So far, every software system has failedApollo Command Module Computer (16K words) failed on every flight
Studies shows at least 1 bug per K lines of code (LOC)IBM internal study, 2000
Information Week Jan 21 2002, p23
Reasoning, Inc 2003
coverity.com 2008
Linux and WinXP with Office each have > 200MLOC400K bugs would take 80 years @ 5000/year to fix
But we are writing roughly 50K new ones per year!
Can model this as an infinite supply of security bugs.Must design our systems to confine compromise
The Ease of Application Hacking
Attacking Servers:97% web sites vulnerable to SQL injection or XSS.
IBM ISS
Attacking Clients:Chinese Hacking
Spear phishing with Word and PDF exploits1,295 (known) PC's in 103 CountriesHigh value targetsRemarkably simple, effective attacks
The Failure of Secrecy
“Three may keep a secret, if two of them are dead.”Benjamin Franklin, 1735
Benjamin was a hopeless optimist.Individuals seem delighted to give away their secrets.
Phishing/pharming
Gartner: $3.2B losses, 3.6M victims of phishing in 2007
“One may keep a secret, if he doesn't know what it is.”Dave Safford, 2004
TPM
The High Cost of Hacking 802.11
RequiresOne generic (intersil) 802.11b card $45(range ¼ mile)Free hacking software $0
Deluxe VersionAdd one (empty) pringles can ant. $3(range approx ½ mile)
Super Deluxe VersionAdd one 18” satellite dish antenna $25(up to 3 mile range)
Long Range version (9' dish) $??(55.1 Mile range!)
WEP Encapsulation
802.11 Hdr Data
WEP Encapsulation Summary:
• Encryption Algorithm = RC4
• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
• WEP allows IV to be reused with any frame, at sender’s choice
• Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
• Data and ICV are encrypted under the per-packet encryption key
802.11 Hdr DataIV ICV
Encapsulate Decapsulate
WEP encryption
The WEP encryption algorithm RC4 is a Vernam Cipher (One Time Pad). For each packet:
Pseudo-random number
generator (RC4)
Encryption Key K
Plaintext data byte p
Random byte b
⊕ Ciphertext data byte p
Decryption works the same way: p = c ⊕ b
Plaintext IV (24b)
WEP Authentication
Challenge (Nonce)
Response (Nonce RC4 encrypted under shared key)
STA APAP
Shared secret distributed out of band
Decrypted nonce OK?
802.11 Authentication Summary: Authentication key distributed out-of-band Access Point generates a “randomly generated” challenge Station encrypts challenge using pre-shared secret
802.11-WEP How NOT to do Security
Requirements Errors:WEP/Auth optional, off by default (netstumbler attack)
No Promiscuous mode
Prevents bridging, makes audit hard, does nothing for security
Design Errors - Encryption24 bits of RC4 key known (airsnort attack)
One-time pad reuse (2^12 packets) – (xor attack)
CRC not cryptographically strong (bit-twiddling attack)
IV too small (small code book)
No replay protection
Design Error – AuthenticationShared-Key authentication gives plain/cipher text pair
Implementation ErrorsNumerous overflow attacks on device drivers
802.11 Threat/Response Summary
Severe: Open AP (netstumbler)
Turn on WEP
Medium: Fluhrer/Shamir key recovery (airsnort)
Move to 802.1x-LEAP (short-term)
Move to 802.1x-PEAP or TTLS (mid/long-term)
Medium: LEAP Dictionary attack: (asleap)
Move to PEAP, or TTLS
Medium: Fragmentation: (Lackey)
Update to WPA/WPA2
Low: Wagner/Arbaugh data cracking (manual)
Update to WPA/WPA2
WPA-AES?
802.11 Threat/Response References
Wagner/Goldberg paper describing basic crypto attacks
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html, Arbaugh paper extending attacks
http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm). Fluhrer et. al. paper describing key recovering attack:
http://www.crypto.com/papers/others/rc4_ksaproc.ps Stubblefield et. al. paper describing practical implementations
http://www.cs.rice.edu/~astubble/wep/ http://www.netstumbler.com http://www.airsnort.schmoo.com LEAP Dictionary attack
http://www.securityfocus.com/archive/1/340365/2003-10-03/2003-10-09/2 Fragmentation attack
Joshua Lackey/Austin/IBM
So We've fixed the crypto?
Perfect Forward Secrecy (PFS)?
Semantic security?
Side ChanelsTiming
size
(no)
So We've Learned our lesson?
Information Security Magazine, 14 May 2009Survey of 3600 AP around Wallstreet (40% “enterprise”)57% open or weak WEP20% SSID hiding was only “security”
Auditing: The Biggest Problem
All Wireless LAN access points must be correctly configured for securityEven one misconfigured lets the hackers in.You need some way to audit
where are the access points?are they configured correctly?
client access point
Wireless Security Auditor (July 2001)
WSA AvailabilityIntegrated into Tivoli RISK Manager 3.8Available as security service from IBM Global Services
How does it work?Passively monitors the wireless networkReports policy violationsHuman expert neededPeriodic audits
Audit Alternatives
WRT54G – Linux based wireless router
Openwrt – community supported across multiple AP
Kismet Drone – agent on remote openwrt
RIF – Remote IF – proxies openwrt “if” device to local laptop, where all tools are available
Distributed Wireless Security Auditor
DWSA (Dec 2002)Integrated into Tivoli RISK Manager 4.1Available as security service from IBM Global ServicesIntegration with WIDE
What does it do?Distributed: wireless clients do the workReal-time: continuous auditsAutonomic: network fixes its problems automaticallyAudit: looks for vulnerabilities, andLocates: rogue access points
DWSA
Deploying across 300K Windows and Linux Machines
NDIS AP scan provides:SSIDSignal strength (db)MAC addressChannelWEP state (on-off)Mode (ad-hoc...)Type (a,b,g,FH...)
What will we be able to correllate with this much data?
Location Technologies
Trilateration Timing (GPS)
Site Calibration (Skyhook, Ekahau, MS)
Error canceling signal strength (DWSA)
Phased array (bearing/distance)Vivato
Cell phone - TDOA/AGPS
Skyhook Location Hacking: Getting the Location of any AP by MAC
[dave@localhost rutgers]$ more skyhook.sh
MYMAC=000E8321CEC0 && curl --header "Content-Type: text/xml" --data "<?xml versiOn='1.0'?><LocationRQ xmlns='http://skyhookwireless.com/wps/2005' version='2.6' street-address-lookup='full'><authentication version='2.0'><simple><username>beta</username><realm>js.loki.com</realm></simple></authentication><access-point><mac>$MYMAC</mac><signal-strength>-50</signal-strength></access-point></LocationRQ>" https://api.skyhookwireless.com/wps2/location
Skyhook location hacking:
[dave@localhost rutgers]$ sh < skyhook.sh
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><LocationRS version="2.6" xmlns="http://skyhookwireless.com/wps/2005"><location nap="1"><latitude>41.0860503</latitude><longitude>-73.8180824</longitude><hpe>150</hpe><street-address distanceToPoint="1.7976931348623157E308"><city>Mount Pleasant</city><postal-code>10595</postal-code><county>Bronx</county><state code="NY">New York</state><country code="US">United States</country></street-address></location></LocationRS>
New 802.11 Location Research
Existing location techniques do not support/take advantage of:
Station to Station Correlations
Moving Stations If system has a large number of stations, optimization across all
location estimates simultaneously should dramatically improve accuracy
Current trilateration algorithms assume stationary nodes. Supporting moving nodes is more realistic, and maintaining motion estimates with Kalman filtering should also improve location estimates.
Other Systems
CellularJail Breaking
How many free Apps have trapdoors?
BluetoothKeypadless devices
RFIDBiometric Passports anyone?
RF EmissionsReally hard to contain/blind
Practical attacks 15 feet away
The start of pervasive (bluetooth) hacking
•Building your own Bluetooth Rifle• http://www.tomsnetworking.com/Sections-article106.php••Bluesnarf (crypto attack on short pins)• http://trifinite.org/trifinite_stuff.html••No one seems to care that bluetooth•data and voice hackable over a mile•away.
•
IBM PCI-X Cryptographic Coprocessor (PCIXCC)
Basic text slide
Announced in September, 2003
Greatly improved performance
PCI-X and network interface
Same physical / logical security feature set as 4758
Received FIPS 140-2 Level 4 validation
Support for IBM zSeries (mainframes) today
Trusted Platform Module (TPM)
RSA cryptokey generation, signature, encrypt, decrypt
Secure storageprivate keys
master keys (eg loopback)Integrity measurement
Platform Configuration Registers (PCR)
compromise detection
Tie key use to uncompromised environmentAttestation
host based integrity/membership reporting
(RSA 2004 Demo)
http://trustedcomputinggroup.org
Integrity Measurement architecture (IMA) in linux-2.6.30!!!
A Blatant Plug
Programming– BIOS
– Device Driver
– TPM
– TSS
Applications– Trusted Boot
– Key Management
– Authentication
– Attestation
TPM as a Root of Trust
Static Root of Trust (SRTM)Immutable BIOS measures mutable BIOS
Each step thereafter measures the next stage
Dynamic Root of Trust (DRTM)Atomic measure/load/execute bootstrap
Not dependent on BIOS
But: Rutkowska, “Attacking Intel's Trusted Execution Technology” Blackhat 2009 (See later slide)
Addressing the generalized problem
“Fixing SMM” addresses just this set of attacksIf you run someone else's program on your computer, it's no longer your computerIf you don't know what's running on your computer, you cannot know if it is still your computerThis includes ALL TCB files, at ALL levels
BIOS GRUB tboot kernel initrd init daemons applications......
DRTMSRTM IMA
Attestation (mutually verifiable environments): can verify exact HW & SW configuration, and whether it has been compromised
Authentication:each system can be identified, allowing the auditing of transactions
Isolation: each domain is protected against attacks from other domains; damage is limited to one domain
Trusted Virtual Datacenter (TVDc)Built on Trusted Virtual Domains (TVDs) Trust & Containment
Mediated Communications: exchange of information between members of domains is transparently authorized and audited
Trusted Virtualized Client
Key Research Components: PTS, IMA, vTPM, vBoot, Provision, 802.1x-PTS, Vmware/KVM configuration
5/6/2009For Official Use Only
How many gates in an undetectable CPU backdoor?
Underhanded Hardware competition http://isis.poly.edu/csaw/embedded
How many gates in an undetectable CPU backdoor?
Underhanded Hardware competition http://isis.poly.edu/csaw/embedded
1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08
How many gates in an undetectable CPU backdoor?
Underhanded Hardware competition http://isis.poly.edu/csaw/embedded
1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08
0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009
How many gates in an undetectable CPU backdoor?
Underhanded Hardware competition http://isis.poly.edu/csaw/embedded
1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08
0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009
0 (just use the existing errata)Kris Kaspersky, Remote Code Execution through Intel CPU Bugs, HITBSecConf2008
How many gates in an undetectable CPU backdoor?
Underhanded Hardware competition http://isis.poly.edu/csaw/embedded
1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08
0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009
0 (just use the existing errata)Kris Kaspersky, Remote Code Execution through Intel CPU Bugs, HITBSecConf2008
0 (just steal Intel's microcode patch signing key)
How many gates in an undetectable CPU backdoor?
Underhanded Hardware competition http://isis.poly.edu/csaw/embedded
1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08
0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009
0 (just use the existing errata)Kris Kaspersky, Remote Code Execution through Intel CPU Bugs, HITBSecConf2008
0 (just steal Intel's microcode patch signing key)
0 (force the microcode signature verification – who's going to check?)
Summary
Crypto is hard – use experts and open reviewWEP still isn't Wired EquivalentAudit, Audit, AuditWireless devices have to deal with all the current threatsSecurity Approach
Hardware root of trust – attestationVirtualization for containmentIntegrate into Trusted Virtual Domains
Interesting QuestionsHow hard is hardware?Can location take advantage of clients and motion?