• Confidentiality/date line: 13pt Arial Regular, whiteMaximum length: 1 line

• Information separated by vertical strokes,with two spaces on either side

• Disclaimer information may also be appear in this area. Place flush left, aligned at bottom, 8-10pt Arial Regular, white

• IBM logo must not be moved, added to, or altered in any way.

Indications in green = Live content

Indications in white = Edit in master

Indications in blue = Locked elements

Indications in black = Optional elements

• Copyright: 10pt ArialRegular, white

© 2002 IBM Corporation

Template release: Oct 02For the latest, go to http://w3.ibm.com/ibm/presentations

IBM Research

Security Challenges in Wireless Systems

David Saffordsafford@us.ibm.com

Outline

Threat Trends Wireless systems are just part of the overall problem

Hysterical History of 802.11-WEP

Other Wireless Systems

Solution approachesHardware Root Trust

Virtualization

What Now?

3

Introduction: State of Computer Security

“The sky isn't falling ... it fell a few years ago.”Roger Grimes, Infoworld Security Advisor, 2006

The modern threat

“Nation states, however, have the technical and operational capabilities to orchestrate the full range of adversarial cyber operations through a combination of such means as recruiting insiders, setting up front companies, establishing signals collections systems, implanting damaging hardware or software in communications networks and subverting telecommunications, cryptographic defenses and supply chains.”

National Science and technology Council, “Federal Plan for Cyber Security and Information Assurance Research and Development”, April 2006.

How do you know your hardware doesn't have a back door?

1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008*

0

1000

2000

3000

4000

5000

6000

7000

8000

9000

Vulnerabilities Discovered Per Year (CERT)

1999 2000 2001 2002 2003 2004

0

50

100

150

200

250

300

350

Days from Patch to Exploit (Information Security, July 2004)

More and More Vulnerabilities(roughly 20 per day)

Less and Less Time to Patch(zero day exploits)

We've Lost the Software Vulnerability War

Secure Software is HARD

So far, every software system has failedApollo Command Module Computer (16K words) failed on every flight

Studies shows at least 1 bug per K lines of code (LOC)IBM internal study, 2000

Information Week Jan 21 2002, p23

Reasoning, Inc 2003

coverity.com 2008

Linux and WinXP with Office each have > 200MLOC400K bugs would take 80 years @ 5000/year to fix

But we are writing roughly 50K new ones per year!

Can model this as an infinite supply of security bugs.Must design our systems to confine compromise

The Ease of Application Hacking

Attacking Servers:97% web sites vulnerable to SQL injection or XSS.

IBM ISS

Attacking Clients:Chinese Hacking

Spear phishing with Word and PDF exploits1,295 (known) PC's in 103 CountriesHigh value targetsRemarkably simple, effective attacks

The Failure of Secrecy

“Three may keep a secret, if two of them are dead.”Benjamin Franklin, 1735

Benjamin was a hopeless optimist.Individuals seem delighted to give away their secrets.

Phishing/pharming

Gartner: $3.2B losses, 3.6M victims of phishing in 2007

“One may keep a secret, if he doesn't know what it is.”Dave Safford, 2004

TPM

802.11-WEP

Wireless LAN Hacking in the News (2002)

war driving / war chalking

The High Cost of Hacking 802.11

RequiresOne generic (intersil) 802.11b card $45(range ¼ mile)Free hacking software $0

Deluxe VersionAdd one (empty) pringles can ant. $3(range approx ½ mile)

Super Deluxe VersionAdd one 18” satellite dish antenna $25(up to 3 mile range)

Long Range version (9' dish) $??(55.1 Mile range!)

WEP Encapsulation

802.11 Hdr Data

WEP Encapsulation Summary:

• Encryption Algorithm = RC4

• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key

• WEP allows IV to be reused with any frame, at sender’s choice

• Data integrity provided by CRC-32 of the plaintext data (the “ICV”)

• Data and ICV are encrypted under the per-packet encryption key

802.11 Hdr DataIV ICV

Encapsulate Decapsulate

WEP encryption

The WEP encryption algorithm RC4 is a Vernam Cipher (One Time Pad). For each packet:

Pseudo-random number

generator (RC4)

Encryption Key K

Plaintext data byte p

Random byte b

⊕ Ciphertext data byte p

Decryption works the same way: p = c ⊕ b

Plaintext IV (24b)

WEP Authentication

Challenge (Nonce)

Response (Nonce RC4 encrypted under shared key)

STA APAP

Shared secret distributed out of band

Decrypted nonce OK?

802.11 Authentication Summary: Authentication key distributed out-of-band Access Point generates a “randomly generated” challenge Station encrypts challenge using pre-shared secret

802.11-WEP How NOT to do Security

Requirements Errors:WEP/Auth optional, off by default (netstumbler attack)

No Promiscuous mode

Prevents bridging, makes audit hard, does nothing for security

Design Errors - Encryption24 bits of RC4 key known (airsnort attack)

One-time pad reuse (2^12 packets) – (xor attack)

CRC not cryptographically strong (bit-twiddling attack)

IV too small (small code book)

No replay protection

Design Error – AuthenticationShared-Key authentication gives plain/cipher text pair

Implementation ErrorsNumerous overflow attacks on device drivers

802.11 Threat/Response Summary

Severe: Open AP (netstumbler)

Turn on WEP

Medium: Fluhrer/Shamir key recovery (airsnort)

Move to 802.1x-LEAP (short-term)

Move to 802.1x-PEAP or TTLS (mid/long-term)

Medium: LEAP Dictionary attack: (asleap)

Move to PEAP, or TTLS

Medium: Fragmentation: (Lackey)

Update to WPA/WPA2

Low: Wagner/Arbaugh data cracking (manual)

Update to WPA/WPA2

WPA-AES?

802.11 Threat/Response References

Wagner/Goldberg paper describing basic crypto attacks

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html, Arbaugh paper extending attacks

http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm). Fluhrer et. al. paper describing key recovering attack:

http://www.crypto.com/papers/others/rc4_ksaproc.ps Stubblefield et. al. paper describing practical implementations

http://www.cs.rice.edu/~astubble/wep/ http://www.netstumbler.com http://www.airsnort.schmoo.com LEAP Dictionary attack

http://www.securityfocus.com/archive/1/340365/2003-10-03/2003-10-09/2 Fragmentation attack

Joshua Lackey/Austin/IBM

So We've fixed the crypto?

Perfect Forward Secrecy (PFS)?

Semantic security?

Side ChanelsTiming

size

(no)

So we've learned our lesson?Latest AP hack

So We've Learned our lesson?

Information Security Magazine, 14 May 2009Survey of 3600 AP around Wallstreet (40% “enterprise”)57% open or weak WEP20% SSID hiding was only “security”

So We've Learned our lesson?

Auditing: The Biggest Problem

All Wireless LAN access points must be correctly configured for securityEven one misconfigured lets the hackers in.You need some way to audit

where are the access points?are they configured correctly?

client access point

Wireless Security Auditor (July 2001)

WSA AvailabilityIntegrated into Tivoli RISK Manager 3.8Available as security service from IBM Global Services

How does it work?Passively monitors the wireless networkReports policy violationsHuman expert neededPeriodic audits

WSA Main Window

Policy violation

Undecided yet

No violation

Audit Alternatives

WRT54G – Linux based wireless router

Openwrt – community supported across multiple AP

Kismet Drone – agent on remote openwrt

RIF – Remote IF – proxies openwrt “if” device to local laptop, where all tools are available

Distributed Wireless Security Auditor

DWSA (Dec 2002)Integrated into Tivoli RISK Manager 4.1Available as security service from IBM Global ServicesIntegration with WIDE

What does it do?Distributed: wireless clients do the workReal-time: continuous auditsAutonomic: network fixes its problems automaticallyAudit: looks for vulnerabilities, andLocates: rogue access points

DWSA Table View

DWSA Location View

DWSA

Deploying across 300K Windows and Linux Machines

NDIS AP scan provides:SSIDSignal strength (db)MAC addressChannelWEP state (on-off)Mode (ad-hoc...)Type (a,b,g,FH...)

What will we be able to correllate with this much data?

Location Technologies

Trilateration Timing (GPS)

Site Calibration (Skyhook, Ekahau, MS)

Error canceling signal strength (DWSA)

Phased array (bearing/distance)Vivato

Cell phone - TDOA/AGPS

Skyhook Location Hacking: Getting the Location of any AP by MAC

[dave@localhost rutgers]$ more skyhook.sh

MYMAC=000E8321CEC0 && curl --header "Content-Type: text/xml" --data "<?xml versiOn='1.0'?><LocationRQ xmlns='http://skyhookwireless.com/wps/2005' version='2.6' street-address-lookup='full'><authentication version='2.0'><simple><username>beta</username><realm>js.loki.com</realm></simple></authentication><access-point><mac>$MYMAC</mac><signal-strength>-50</signal-strength></access-point></LocationRQ>" https://api.skyhookwireless.com/wps2/location

Skyhook location hacking:

[dave@localhost rutgers]$ sh < skyhook.sh

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><LocationRS version="2.6" xmlns="http://skyhookwireless.com/wps/2005"><location nap="1"><latitude>41.0860503</latitude><longitude>-73.8180824</longitude><hpe>150</hpe><street-address distanceToPoint="1.7976931348623157E308"><city>Mount Pleasant</city><postal-code>10595</postal-code><county>Bronx</county><state code="NY">New York</state><country code="US">United States</country></street-address></location></LocationRS>

Skyhook – location of target

New 802.11 Location Research

Existing location techniques do not support/take advantage of:

Station to Station Correlations

Moving Stations If system has a large number of stations, optimization across all

location estimates simultaneously should dramatically improve accuracy

Current trilateration algorithms assume stationary nodes. Supporting moving nodes is more realistic, and maintaining motion estimates with Kalman filtering should also improve location estimates.

Other Wireless Systems/Issues

Other Systems

CellularJail Breaking

How many free Apps have trapdoors?

BluetoothKeypadless devices

RFIDBiometric Passports anyone?

RF EmissionsReally hard to contain/blind

Practical attacks 15 feet away

The start of pervasive (bluetooth) hacking

•Building your own Bluetooth Rifle• http://www.tomsnetworking.com/Sections-article106.php••Bluesnarf (crypto attack on short pins)• http://trifinite.org/trifinite_stuff.html••No one seems to care that bluetooth•data and voice hackable over a mile•away.

•

Approach: Trusted Virtual Domains Hardware Root of trust Virtualization

IBM PCI-X Cryptographic Coprocessor (PCIXCC)

Basic text slide

Announced in September, 2003

Greatly improved performance

PCI-X and network interface

Same physical / logical security feature set as 4758

Received FIPS 140-2 Level 4 validation

Support for IBM zSeries (mainframes) today

Trusted Platform Module (TPM)

RSA cryptokey generation, signature, encrypt, decrypt

Secure storageprivate keys

master keys (eg loopback)Integrity measurement

Platform Configuration Registers (PCR)

compromise detection

Tie key use to uncompromised environmentAttestation

host based integrity/membership reporting

(RSA 2004 Demo)

http://trustedcomputinggroup.org

Integrity Measurement architecture (IMA) in linux-2.6.30!!!

IMA measurement list

Attestation 802.1x-TNC-PTS

A Blatant Plug

Programming– BIOS

– Device Driver

– TPM

– TSS

Applications– Trusted Boot

– Key Management

– Authentication

– Attestation

TPM as a Root of Trust

Static Root of Trust (SRTM)Immutable BIOS measures mutable BIOS

Each step thereafter measures the next stage

Dynamic Root of Trust (DRTM)Atomic measure/load/execute bootstrap

Not dependent on BIOS

But: Rutkowska, “Attacking Intel's Trusted Execution Technology” Blackhat 2009 (See later slide)

SMM Attack on DRTM (Rutowska, Blackhat 2009)

Addressing the generalized problem

“Fixing SMM” addresses just this set of attacksIf you run someone else's program on your computer, it's no longer your computerIf you don't know what's running on your computer, you cannot know if it is still your computerThis includes ALL TCB files, at ALL levels

BIOS GRUB tboot kernel initrd init daemons applications......

DRTMSRTM IMA

Attestation (mutually verifiable environments): can verify exact HW & SW configuration, and whether it has been compromised

Authentication:each system can be identified, allowing the auditing of transactions

Isolation: each domain is protected against attacks from other domains; damage is limited to one domain

Trusted Virtual Datacenter (TVDc)Built on Trusted Virtual Domains (TVDs) Trust & Containment

Mediated Communications: exchange of information between members of domains is transparently authorized and audited

Trusted Virtualized Client

Key Research Components: PTS, IMA, vTPM, vBoot, Provision, 802.1x-PTS, Vmware/KVM configuration

5/6/2009For Official Use Only

Hardware Challenges

How “Hard” is Hardware?

Firmware

microcode/patches

FPGA

BIOS

SMI/SMM

All of these can be attacked

How many gates in an undetectable CPU backdoor?

Underhanded Hardware competition http://isis.poly.edu/csaw/embedded

How many gates in an undetectable CPU backdoor?

Underhanded Hardware competition http://isis.poly.edu/csaw/embedded

1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08

How many gates in an undetectable CPU backdoor?

Underhanded Hardware competition http://isis.poly.edu/csaw/embedded

1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08

0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009

How many gates in an undetectable CPU backdoor?

Underhanded Hardware competition http://isis.poly.edu/csaw/embedded

1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08

0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009

0 (just use the existing errata)Kris Kaspersky, Remote Code Execution through Intel CPU Bugs, HITBSecConf2008

How many gates in an undetectable CPU backdoor?

Underhanded Hardware competition http://isis.poly.edu/csaw/embedded

1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08

0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009

0 (just use the existing errata)Kris Kaspersky, Remote Code Execution through Intel CPU Bugs, HITBSecConf2008

0 (just steal Intel's microcode patch signing key)

How many gates in an undetectable CPU backdoor?

Underhanded Hardware competition http://isis.poly.edu/csaw/embedded

1341 (mainly for cryptographic triggering)Samuel King, Designing and Implementing Malicious Hardware, leet08

0 (just exploit design errors) Loic DuFlot, Using CPU System Management Mode to Circumvent Operating System Security Functions, Cansecwest 2009

0 (just use the existing errata)Kris Kaspersky, Remote Code Execution through Intel CPU Bugs, HITBSecConf2008

0 (just steal Intel's microcode patch signing key)

0 (force the microcode signature verification – who's going to check?)

Summary

Summary

Crypto is hard – use experts and open reviewWEP still isn't Wired EquivalentAudit, Audit, AuditWireless devices have to deal with all the current threatsSecurity Approach

Hardware root of trust – attestationVirtualization for containmentIntegrate into Trusted Virtual Domains

Interesting QuestionsHow hard is hardware?Can location take advantage of clients and motion?