1MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

THE THREAT OF WIRELESS AND EMERGING ATTACKS FEB 23, 2011

AIRDEFENSE SOLUTIONS, MOTOROLA SOLUTIONSAIRDEFENSE SOLUTIONS, MOTOROLA SOLUTIONS

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

2

AGENDA

COMMON WIRELESS NETWORK RISKS

EMERGING THREATS

RECOMMENDATIONS

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

3

INTERNET

Server

Network Edge Blurred

New AttackVectors ‘Behind’

the Firewall

WIRELESS SECURITY CONCERNS

1Rogue AP Connected to Network(Network Breach)Hacker

3Leaked Wired Traffic & Insertion(Data Leakage)

Hotspot Evil Twin

Mobile User2Hotspot Phishing(Data Leakage)

5Users Bypassing Network Security Controls(Data Leakage/Network Backdoor)

4Non-Compliant AP(Network Breach/Data Leakage/Data Compromise)

Muni Wi-Fi or Neighbors

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

4

MOBILE WORKERSVULNERABILITIES

Do I have wired & wireless on at the same time?

Is my laptop probing for SSIDs not on the safe list?

Are my employees using Municipal Wi-Fi?

Am I connected to an insecure access point?

Am I connected to a real hotspot connection?

Am I connected to someone nearby in ad-hoc mode?

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

5

HOTSPOT PHISHING/ EVIL TWIN & MORE

Attack Vector: Any Wi-Fi Enabled Device

New Hotspot Phishing(Data Leakage):

PalmPre with Hacked Mobile Hotspot

+ Mobile Devices

Direct attacks on Wireless Clients using Cellphone

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

6

COMPARING PACKETSComparing packets from Access Points versus Wireless Clients

3Naïve user Associates with Fake AP

Laptop sends Probe Request

AP provides IP address to User

Scan laptop for vulnerabilities & compromise it

5

Use station as a launch pad6

User Station

Co

rpo

rate

Net

wo

rk

Intruder Laptop

2Fake AP responds with Probe Response

PalmPre sending beacons & probe responses

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

7

Type Attacks Tools

Reconnaissance Rogue APs Open/Misconfigured APs Ad Hoc stations

Netstumbler, Kismet, Wellenrighter

Sniffing WEP, WPA, LEAP cracking Dictionary attacks Leaky APs

AirSnort, Wepcrack, Cowpatty, Wireshark, Cain, Ettercap

Masquerade MAC spoofing AirSnarf/HotSpot attacks Evil Twin/Wi-Phishing attacks

AirSnarf, Hotspotter, HostAP, SMAC

Insertion Multicast/Broadcast injection Routing cache poisoning Man in the Middle attack

Airpwn, WepWedgie, ChopChop, Vippr, irpass, CDPsniffer

Denial-of-Service Disassociation Duration field spoofing RF jamming

AirJack, void11, Bugtraq, IKE-crack

SUMMARY OF 802.11 VULNERABILITIES

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

8

CAPTIVE PORTAL BYPASS – GUEST ACCESS

What can I do with access to the

local network? Scan and target other users of the

wireless network Exploit laptops and steal credentials

for other wireless networks Validate if portal ACL rules are

properly prohibiting access Ping, ssh, telnet, ftp, etc. without

EVER authenticating to the portal

WAN

Appsvr1.corp.com 10.5.1.15

IP: 192.168.1.45

DNS: 10.5.1.10

Appsvr1.corp.com

Credit card system exposed to the wireless network!

!

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

9

EMERGING ATTACK VECTORS

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

10

PINPAD SWAPPING: BLUETOOTH

Bluetooth Specs:

All Bluetooth devices operate at the 2.4 GHz band

Bluetooth defines 79 channels for communication on the 2.4 GHz band each channel being separated by 1 MHz

The frequency range 2.402 GHz - 2.480 GHz

Allows for 1600 frequency hops per second

Class

Maximum Permitted PowerRange(approximate)mW dBm

Class 1 100 20 ~100 meters

Class 2 2.5 4 ~10 meters

Class 3 1 0 ~1 meters

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

11

WINDOWS 7 VIRTUAL WI-FI Setup at the DOS Prompt & Share either a Wired or Wireless connection The user can share their own desktop (like an ad-hoc network) & the user can share their network connection with others Wireless network may use authentication and encryption, BUT the user can share that connection with others, allowing those users to connect to the corporate network with weaker authentication & encryption

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

12

Comparing packets from Access Points versus Wireless Clients

2Win7 responds with Probe Response

Laptop sends Probe Request1

Win7 provides IP address to User3

Intruder on Network4

Intruder Laptop User Station

Co

rpo

rate

Net

wo

rkWINDOWS 7 – COMPARING PACKETS

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

13

Historical

Device logs/syslog

Firewall logs (Wireless Switches, APs, Wired Firewall)

Wireless IDS alarms, events, logs

Wired IDS alarms, events, logs

Remnants on wireless clients (registry, saved wireless networks, etc.)

Live

Wired Sniffing

Wireless Sniffing

Spectrum Analysis

Bluetooth

RF Analysis, Heat Maps/Location Tracking

Live analysis on IPS, WIPS, Firewalls, etc.

Roaming behavior (AP to AP, or client to client )

Others…

INCIDENT RESPONSE & FORENSIC ANALYSIS

Sources for Analyzing Wireless Attacks

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

14

Ensure Security and Comply with

Regulatory & Industry Requirements

Centrally Control and Monitor WLAN Infrastructure with One

Management Console

Solutionsfor AnyWLAN

Allows Remote Troubleshooting and Proactive Analysis of Wireless Issues

MOTOROLA AIRDEFENSE SOLUTION

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2010. All rights reserved.

15

THANK YOU…