Wireless Security…

The cost of convenience.

Erik Graham, CISSP-ISSAP

Wireless Security…

Key Aspects of Information Security Wireless Technologies General Attacks/Defense Wireless - 802.11 a/b/g

– Overview– Attacks/Defense

Wireless - Bluetooth– Overview – Attacks/Defense

Questions

What Is Information Security?

Key Aspects of Information Security

Confidentiality– Protecting information from unauthorised

disclosure Integrity

– Protecting information from unauthorised modifications, and ensure that information is accurate and complete

Availability– Ensuring information is available when

needed

Know Your Enemy

“Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.”

Sun Tsu, Art of War

Wireless Technologies

What are wireless technologies?– Wireless technologies allow users to

access/exchange information without having to be physically connected

– RF (Radio Frequency)• Bluetooth• 802.11

– IR (Infrared)• Wireless handheld devices (require line of site)

– Cellular

Wireless Technologies

What problems are associated with this technology?– Information now moving across airwaves rather

than a fixed cable– Devices are normally made for easy install – Convenience vs security

Wireless Technologies

Why should I care?– Scenario 1: An individual uses your open wireless

connection to attack other computers…

– Scenario 2: Your open wireless allows an individual to access your sensitive/personal data…

– Scenario 3: An individual uses your open wireless connection to access your computer and store illegal images…

General Attacks/Defense

General Attacks/Defense

Common defense for all attacks…

… EDUCATION …

“I don’t care how many millions of dollars you spend on technology. If you don’t have people trained properly, I’m going to get in if I want to get in.”

Susie Thunder, Cyberpunk

Wireless - 802.11 a/b/g

Alert the users to possible threats Educate users on the security policy Educate users on social engineering Train users on security software

Wireless - 802.11 a/b/g

Wireless - 802.11 a/b/gOverview

Common to all versions:– Frequency range is international (ISM band)

802.11b– Maximum transfer rate: 11Mb– Range – 50m (150ft)– Operating frequency – 2.4 GHz

802.11a– Maximum transfer rate: 54Mb– Range – 25m (75ft)– Operating frequency – 5 GHz

802.11g– Maximum transfer rate: 54Mb– Range – 50m (150ft)– Operating frequency – 2.4 GHz– Backwards compatible with 802.11b

Wireless - 802.11 a/b/gArchitecture

Wireless LANs– Ad-Hoc Mode:

Wireless - 802.11 a/b/gArchitecture

Wireless LANs– Infrastructure Mode:

Wireless – 802.11 a/b/g

Attack/Defense

Wireless – 802.11 a/b/g

Attack: – Default Settings

Defense:– Change default passwords to access point!– Implement security

Wireless – 802.11 a/b/g

Attack: – Signal propagation

Defense:– Use directional antennas– Control the broadcast power to limit the signal

propagation to company owned or controlled property.

– Think in three dimensions!

Wireless – 802.11 a/b/g

Wireless – 802.11 a/b/g

Attack: – Sniffing

• Kismet - www.kismetwireless.net– Can be used to determine SSID and MAC addresses

• Netstumber - www.netstumbler.com

Defense:– Encryption

• Use the strongest encryption algorithm available

• Use the highest level of encryption available

Wireless – 802.11 a/b/g

Attack: – Jamming

• Void11 – www.wlsec.net/void11

Defense:– Solution will vary based on the specifics of

the attack– Difficult to stop intentional jamming

Wireless – 802.11 a/b/g

Attack: – Cracking WEP encryption

• WEPCrack - wepcrack.sourceforge.net • DWEPCrack – www.dachb0den.com

Defense:– Avoid encryption algorithms that have

know issues such as WEP

Wireless – 802.11 a/b/g

Attack: – Breaking LEAP authentication

• Anwrap – www.securiteam.com

Defense:– Avoid authentication algorithms that have

know issues such as LEAP

Wireless – 802.11 a/b/g

Attack: – Information Disclosure

• Kismet - www.kismetwireless.net• Netstumber - www.netstumbler.com

Defense:– Do not use an SSID that can identify the

location/owner– Disable broadcasting of the SSID

Wireless – 802.11 a/b/g

Attack: – Intercepting client– Rogue Access Point

• Airsnarf - airsnarf.shmoo.com

Defense:– Use strong forms of machine authentication such as 802.1x

EAP– Use user authentication in addition to machine

authentication– User authentication should be two-factor– Educate the user on what a valid authentication will look like

Wireless - Bluetooth

Bluetooth Overview

What is bluetooth?– Open specification to enable short-range, low

power, low cost inter-device communication - to untether cabled devices

Originally started in 1994 by Ericsson Bluetooth Special Interest Group (SIG)

– Formed in 1998– 3Com, Ericsson, IBM, Intel, Lucent, Microsoft,

Motorola, Nokia and Toshiba• Consumer: http://www.bluetooth.com• Technical: http://www.bluetooth.org

Bluetooth Overview

Frequency range is international (ISM band)

Range :– Class 1 – 100m (330ft)– Class 2 – 10m (33ft)– Class 3 – 1m (3ft)

Operating frequency – 2.4 GHz Maximum transfer rate: 2Mb

Bluetooth - Architecture

Bluetooth Piconet Model– Bluetooth devices form an

ad-hoc network called a piconet

master

Slave

Slave

Slave

Slave

Wireless - Bluetooth

Attack/Defense

Wireless – Bluetooth

Attack: – Signal propagation

Defense:– Turn off devices/Bluetooth when not in use or if its

not needed– Use correct class of Bluetooth device for task– Think in three dimensions!

Wireless – Bluetooth

Attack: – Sniffing

• hcidump

Defense:– Turn off Bluetooth if its not needed– Encryption

• Use the highest level of encryption available

Wireless - Bluetooth

Attack: – Bluejacking

• Sending messages to other devices by placing the message in the name field

Defense:– Disable Bluetooth– Do not advertise your Bluetooth device

Wireless - Bluetooth

Attack: – Bluesnarfing

• Making copies of data on a open Bluetooth device– Phonebook, calendar, and anything else that the vendor

has allowed the user to share via Bluetooth

• Hacking tools exist to aid in Bluesnarfing

Defense:– Disable Bluetooth– Do not advertise your Bluetooth device– Secure Bluetooth to require PIN to access

information

Wireless – Bluetooth

Attack: – Bluebugging

• Uses basic AT commands to read/write data• Tool: Blooover - trifinite.org

Defense:– Ensure device is using latest

firmware/operating system– Disable Bluetooth

Wireless - Bluetooth

Attack: – Denial of Service (DoS)

• Tool: Bluesmack - trifinite.org

Defense:– Disable Bluetooth

Wireless - Bluetooth

Source: http://www.thebunker.net/security/bluetooth.htm

Questions

Resources

Resources

Books– Hacking Exposed

• ISBN: 0072260815

– Wi-Foo: The Secrets of Wireless Hacking• ISBN: 0321292171

Resources

Web:– Airsnarf - airsnarf.shmoo.com– Anwrap – www.securiteam.com– Blooover - trifinite.org– Bluetooth (Consumers) - www.bluetooth.com– Bluetooth (Technical) – www.bluetooth.org– BluejackHQ - www.bluejackq.com– CWNP – www.cwnp.com– DWEPCrack – www.dachb0den.com– Kismet - www.kismetwireless.net– Marcel Holtman - www.holtmann.org– Netstumber - www.netstumbler.com– Void11 – www.wlsec.net/void11– WEPCrack - wepcrack.sourceforge.net

E-Mail

Erik Graham, CISSP-ISSAP– Erik.Graham@GDC4S.com