analysis of 802.11 privacy jim mccann & daniel kuo eecs 598
Post on 20-Dec-2015
219 views
TRANSCRIPT
Analysis of 802.11 Privacy
Jim McCann & Daniel Kuo
EECS 598
Overview
Part 1:
• The idea– What our software does
Part 2:
• Applications: Locating rogue access points– How our software can help
Part 1
User identity / MAC address
Relationship Identification
Collection Method
• Run a laptop as a sniffer in a wireless network
• Record packets that are sent
• Software used:– Kismet– Ethereal– Lots of PERL
Wirelesscommunication
Base station
Clients
Sniffer
Personal Information
Some interesting packets that leak personal information:
• SMTP packets – unencrypted packets contain source and destination email address
• IMAP packets – though encrypted versions are available, some people don’t use them
Personal Information
• Multicast DNS packets – information broadcast for device discovery in Apple’s Rendezvous service. Reveals a computer’s ID (user’s name by default)
• NetBIOS Name Service – used when browsing windows networks, also shows computer’s name (though windows defaults are less revealing)
Personal Information
• HTTP post – some personal information may be leaked if unencrypted post is used
• MSN Messenger packets – the hotmail address is found in some packets
• Also AIM, YMSG, FTP, Telnet (if anyone still use it), many other protocols.
Findings
Most of our data is collected in the EECS building, where two networks are available:
• EECS-PRIV: an unencrypted wireless network
• CAEN wireless: can be connected only with VPN client
Findings
• Two weeks of data from the EECS-PRIV network:
• Of the 1744 MACs we saw:– 850 had some identifying information– About 200 had strong identifying info
• Why not more?– This counts computers on the VPN which we
make no attempt to identify.
Time profile of user
At a coarser level …
Time profile of user
• Based on a MAC address, a time plot of network usage can be used to analyze user’s behavior.
• Typical plots reveal:- what time of the day - what days of the weeka user is present.
• Might be interesting for malicious parties when MAC can be correlated to identity.
Typical User's Time Profile
0
5
10
15
20
25
30
35
40
45
Fri0:00
12:00 Sat0:00
12:00 Sun0:00
12:00 Mon0:00
12:00 Tue0:00
12:00 Wed0:00
12:00 Wed0:00
12:00 Thu0:00
12:00 Fri0:00
12:00 Sat0:00
12:00 Sun0:00
Time
Kil
oB
ytes
tra
nsf
erre
d
Demo
• Demo of our software
Feasibility of identity analysis
• Unencrypted network like EECS-PRIV is easiest to perform the analysis on user identity from an attacker’s perspective
• In a WEP environment, it is also possible for an “insider” who has the key, or an attacker who can break the key using chosen plaintext attacks.
• Much more difficult in the CAEN VPN environment
Implications
• A user’s movement can be tracked if the laptop’s wireless card is on, and data collecting nodes are set up in multiple locations.
• Also, attackers can use this technique to target important people (for example, professors or network administrators).
Possible Defense Mechanism
Simple ways to stop others from correlating your personal information with MAC Addresses:
• Don’t send personal data
or
• Don’t keep the same MAC address
Possible Defense Mechanism
Not sending personal data:
• Be paranoid- Do not send email, passwords in the clear- Do not name your computer with your name or uniqname
• Use encryption whenever possible- Best to use VPN- Using WEP is still better than nothing
Possible Defense Mechanism
Changing your MAC Addresses:
• Software can change the MAC address of many wireless cards
• When is a good time interval?
Possible Defense Mechanism
• Changing every time you start using the network will be a problem if you stay connected for a long time.
• Changing MAC address every given amount of time (say 1 hour) may help.– Special software to do this seamlessly would be
nice, but there are hard cases to deal with (MAC address conflicts!).
Part 2:
Laptops as Rogue Access Points
Laptops as Rogue Access Points
• How to do this:– Have the laptop establish an ad-hoc network
using the wireless card– Access the internet through ethernet
• This is similar to a commercial access point.
Ad-hocnetwork Authorized
accessEthernet hub
Authorizedclient
Unauthorizedclients
1 2 3 4 5 6
7 8 9101112
AB
12x
6x
8x
2x
9x
3x
10x
4x
11x
5x
7x
1x
Eth
erne
t
A
12x
6x
8x
2x
9x
3x
10x
4x
11x
5x
7x
1x
C
Laptops as Rogue Access Points
• It is possible for a laptop to act as a wireless router and allow access to an authorized network.
• It establishes an ad-hoc network with unauthorized clients and routes their packets over to the network that it is authorized on.
Ad-hocnetwork Authorized
accessBase station
Authorizedclient
Unauthorizedclients
Laptops as Rogue Access Points
• This requires additional hardware (second wireless card) and/or software for the laptop to establish both an ad-hoc network and connect to the authorized network.
Discovering access points
Finding if unauthorized access points or ad hoc networks exist isn’t hard.
• Look for people sending packets with BSS Id’s you don’t approve of (if you are an admin).
• Look for networks you can connect to (if you are an attacker).
Discovering access points
• Kismet does just this:
Tracking
Finding where they actually are is harder.
Tracking by Identity (our method)
• Possible to figure out who controls the access point by looking at identity data.
• Hypothesis: unauthorized APs are carelessly administrated and don’t use encryption.
• Our software can figure out who is using them.
Tracking by Connections
• Find identity on our network of the rogue access provider by comparing data sent over the ad-hoc network.
• In an unencrypted network (or one we have the keys for), this can be detected by passively sniffing packets.
• More tricky if the data is encrypted – Using Signal Processing to Analyze Wireless Data Traffic (Craig Partridge, et al.)
Tracking by Connections
• Problem: We haven’t found a person, just another computer address.
• We need a list of who uses what on the local network.
• Our software helps!
Tracking by Signal Strength
Alternative:
• Collect data and use signal strength to pinpoint the location of unauthorized clients and access points.
• More complicated.
• A Practical Approach to Identifying and Tracking Unauthorized 802.11 Cards and Access Points (Interlink Networks)
Tracking by Signal Strength
• Locating an access point with signal strength
Uses and Abuses
• Some users may not want their locations to be revealed.
• Spammers may start wardriving.
Conclusion
• Privacy is an issue for wireless networks, especially unencrypted networks.
• MAC addresses can be used to track users.• Our software can be used to help discover
what types of privacy information are leaked over the network.
• Can also help track users related to an unauthorized access point.
Questions
Questions?
Laptops as Rogue Access Points
Situation where this may be a problem:
• Lufthansa airline is providing in-flight wireless internet service starting this month
• Cost is $29.95 for flights over 6 hours
• Can imagine people ‘sharing’ the internet by using their laptops as rogue access points to share the cost
Uses and Abuses
• Making the location of a user available may be beneficial.
• Google has a beta version of local search. This returns local information like restaurants for a location you enter.
• Can imagine in the future that the location of the user can be made available for google by the access point.
Uses and Abuses
Tradeoff between convenience and privacy
• Apple’s Rendezvous service automatically discovers available services.
• User will (by default), name the computer “<First name> <Last name>’s Computer” for sharing purpose, and broadcast this info.
• This reveals the user’s personal information, so it would be better in privacy’s perspective to set the default identifier to something else.
Collection Method
• A captured packet viewed with Tethereal