Wireless LAN Security - PowerPoint PPT Presentation

About This Presentation
Title:

Wireless LAN Security

Description:

Network Security Lecture 8 Wireless LAN Security WLAN Security - Contents Wireless LAN 802.11 Technology Security History Vulnerabilities Demonstration Wireless LANs ... – PowerPoint PPT presentation

Number of Views:265
Avg rating:3.0/5.0
Slides: 63
Provided by: Matthew551
Category:
Tags: lan | security | wireless | wlan


Transcript and Presenter's Notes

1
Wireless LAN Security
Network Security
Lecture 8
2
WLAN Security - Contents
  • Wireless LAN 802.11
  • Technology
  • Security History
  • Vulnerabilities
  • Demonstration

3
Wireless LANs
  • IEEE ratified 802.11 in 1997.
  • Also known as Wi-Fi.
  • Wireless LAN at 1 Mbps or 2 Mbps.
  • WECA (Wireless Ethernet Compatibility Alliance)
    promoted interoperability.
  • Now the Wi-Fi Alliance.
  • 802.11 focuses on Layer 1 and Layer 2 of the OSI model.
  • Physical layer
  • Data link layer

4
802.11 Components
  • Two pieces of equipment defined
  • Wireless station
  • A desktop or laptop PC or PDA with a wireless
    NIC.
  • Access point
  • A bridge between wireless and wired networks
  • Composed of
  • Radio
  • Wired network interface (usually 802.3)
  • Bridging software
  • Aggregates access for multiple wireless stations
    to wired network.

5
802.11 modes
  • Infrastructure mode
  • Basic Service Set
  • One access point
  • Extended Service Set
  • Two or more BSSs forming a single subnet.
  • Most corporate LANs in this mode.
  • Ad-hoc mode
  • Also called peer-to-peer.
  • Independent Basic Service Set
  • Set of 802.11 wireless stations that communicate
    directly without an access point.
  • Useful for quick and easy wireless networks.

6
Infrastructure mode
(diagram) Access Point and Station; Basic Service Set (BSS) = single cell; Extended Service Set (ESS) = multiple cells.
7
Ad-hoc mode
(diagram) Independent Basic Service Set (IBSS)
8
802.11 Physical Layer
  • Originally three alternative physical layers
  • Two incompatible spread-spectrum radio layers in the
    2.4 GHz ISM band
  • Frequency Hopping Spread Spectrum (FHSS)
  • 75 channels
  • Direct Sequence Spread Spectrum (DSSS)
  • 14 channels (11 channels in US)
  • One diffuse infrared layer
  • 802.11 speed
  • 1 Mbps or 2 Mbps.

9
802.11 Data Link Layer
  • Layer 2 split into
  • Logical Link Control (LLC).
  • Media Access Control (MAC).
  • LLC - same 48-bit addresses as 802.3.
  • MAC - CSMA/CD not possible.
  • Can't listen for a collision while transmitting.
  • CSMA/CA (Collision Avoidance) is used instead.
  • Sender waits for clear air, waits random time,
    then sends data.
  • Receiver sends explicit ACK when data arrives
    intact.
  • Also handles interference.
  • But adds overhead.
  • 802.11 always slower than equivalent 802.3.

10
Hidden nodes (diagram)
11
RTS / CTS
  • To handle hidden nodes
  • Sending station sends
  • Request to Send
  • Access point responds with
  • Clear to Send
  • All other stations hear this and delay any
    transmissions.
  • Only used for larger pieces of data.
  • When retransmission may waste significant time.

12
802.11b
  • 802.11b ratified in 1999 adding 5.5 Mbps and 11
    Mbps.
  • DSSS as physical layer.
  • 11 channels (3 non-overlapping)
  • Dynamic rate shifting.
  • Transparent to higher layers
  • Ideally 11 Mbps.
  • Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
  • Higher ranges.
  • Interference.
  • Shifts back up when possible.
  • Maximum specified range 100 metres.
  • Average throughput of 4 Mbps.

13
Joining a BSS
  • When 802.11 client enters range of one or more
    APs
  • APs send beacons.
  • AP beacon can include SSID.
  • AP chosen on signal strength and observed error
    rates.
  • After AP accepts client.
  • Client tunes to AP channel.
  • Periodically, all channels surveyed.
  • To check for stronger or more reliable APs.
  • If found, reassociates with new AP.

14
Access Point Roaming
(diagram) Access points on channels 1, 4, 9 and 7.
15
Roaming and Channels
  • Reassociation with APs
  • Moving out of range.
  • High error rates.
  • High network traffic.
  • Allows load balancing.
  • Each AP has a channel.
  • 14 partially overlapping channels.
  • Only three channels that have no overlap.
  • Best for multicell coverage.

16
802.11a
  • 802.11a ratified in 2001
  • Supports up to 54 Mbps in the 5 GHz range.
  • Higher frequency limits the range
  • Regulated frequency reduces interference from
    other devices
  • 12 non-overlapping channels
  • Usable range of 30 metres
  • Average throughput of 30 Mbps
  • Not backwards compatible

17
802.11g
  • 802.11g ratified in 2002
  • Supports up to 54 Mbps in the 2.4 GHz range.
  • Backwards compatible with 802.11b
  • 3 non-overlapping channels
  • Range similar to 802.11b
  • Average throughput of 30 Mbps
  • 802.11n due for November 2006
  • Aiming for a maximum of 200 Mbps with an average of 100 Mbps

18
Open System Authentication
  • Service Set Identifier (SSID)
  • Station must specify SSID to Access Point when
    requesting association.
  • Multiple APs with same SSID form Extended Service
    Set.
  • APs can broadcast their SSID.
  • Some clients allow a wildcard SSID.
  • Associates with the strongest AP regardless of SSID.

19
MAC ACLs and SSID hiding
  • Access points have Access Control Lists (ACL).
  • ACL is list of allowed MAC addresses.
  • E.g. allow access to
  • 0001420E121F
  • 000142F172AE
  • 0001424FE201
  • But MAC addresses are sniffable and spoofable.
  • AP beacons without SSID
  • Essid_jack
  • Sends deauthenticate frames to the client.
  • SSID is then displayed when the client sends
    reauthenticate frames.

20
Interception Range
(diagram) Station outside the building perimeter, 100 metres from a Basic Service Set (BSS) single cell.
21
Interception
  • Wireless LAN uses radio signal.
  • Not limited to physical building.
  • Signal is weakened by
  • Walls
  • Floors
  • Interference
  • Directional antenna allows interception over
    longer distances.

22
Directional Antenna
  • Directional antenna provides focused reception.
  • DIY plans available.
  • Aluminium cake tin
  • Chinese cooking sieve
  • http://www.saunalahti.fi/elepal/antennie.html
  • http://www.usbwifi.orcon.net.nz/

23
WarDriving
  • Software
  • Netstumbler
  • And many more
  • Laptop
  • 802.11b,g or a PC card
  • Optional
  • Global Positioning System
  • Car, bicycle, boat
  • Logging of MAC address, network name, SSID,
    manufacturer, channel, signal strength, noise
    (GPS - location).

24
WarDriving results
  • San Francisco, 2001
  • Maximum 55 miles per hour.
  • 1500 Access Points
  • 60% in default configuration.
  • Most connected to internal backbones.
  • 85% use Open System Authentication.
  • Commercial directional antenna
  • 25 mile range from hilltops.
  • Peter Shipley - http://www.dis.org/filez/openlans.pdf

25
WarDriving map
Source: www.dis.org/wl/maps/
26
Worldwide War Drive 2004
  • Fourth WWWD
  • www.worldwidewardrive.org
  • 228,537 Access points
  • 82,755 (35%) with default SSID
  • 140,890 (60%) with Open System Authentication
  • 62,859 (27%) with both, probably default
    configuration

27
Further issues
  • Access Point configuration
  • Mixtures of SNMP, web, serial, telnet.
  • Default community strings, default passwords.
  • Evil Twin Access Points
  • Stronger signal, capture user authentication.
  • Renegade Access Points
  • Unauthorised wireless LANs.

28
War Driving prosecutions
  • February 2004, Texas, Stefan Puffer acquitted of
    wrongful access after showing an unprotected
    county WLAN to officials
  • June 2004, North Carolina, Lowes DIY store
  • Botbyl convicted for stealing credit card numbers
    via unprotected WLAN
  • Timmins convicted for checking email web
    browsing via unprotected WLAN
  • June 2004, Connecticut, Myron Tereshchuk guilty
    of drive-by extortion via unprotected WLANs
  • "make the check payable to M.Tereshchuk"
  • Sep 2004, Los Angeles, Nicholas Tombros guilty of
    drive-by spamming via unprotected WLANs

29
802.11b Security Services
  • Two security services provided
  • Authentication
  • Shared Key Authentication
  • Encryption
  • Wired Equivalent Privacy (WEP)

30
Wired Equivalent Privacy
  • Shared key between
  • Stations.
  • An Access Point.
  • Extended Service Set
  • All Access Points will have same shared key.
  • No key management
  • Shared key entered manually into
  • Stations
  • Access points
  • Key management nightmare in large wireless LANs

31
RC4
  • Ron's Code number 4
  • Symmetric key encryption
  • RSA Security Inc.
  • Designed in 1987.
  • Trade secret until leak in 1994.
  • RC4 can use key sizes from 1 bit to 2048 bits.
  • RC4 generates a stream of pseudo random bits
  • XORed with plaintext to create ciphertext.

32
WEP Sending
  • Compute Integrity Check Vector (ICV).
  • Provides integrity
  • 32 bit Cyclic Redundancy Check.
  • Appended to message to create plaintext.
  • Plaintext encrypted via RC4
  • Provides confidentiality.
  • Plaintext XORed with long key stream of pseudo
    random bits.
  • Key stream is function of
  • 40-bit secret key
  • 24 bit initialisation vector
  • Ciphertext is transmitted.

33
WEP Encryption
(diagram) Initialisation Vector (IV) and secret key feed the RC4 PRNG, which produces the key stream; plaintext (message plus 32 bit CRC) XOR key stream = cipher text; the IV is sent along with the cipher text.
34
WEP Receiving
  • Ciphertext is received.
  • Ciphertext decrypted via RC4
  • Ciphertext XORed with long key stream of pseudo
    random bits.
  • Key stream is function of
  • 40-bit secret key
  • 24 bit initialisation vector (IV)
  • Check ICV
  • Separate ICV from message.
  • Compute ICV for message
  • Compare with received ICV
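The WEP sending and receiving steps from the two slides above, written out as an added example (this is illustrative code, not from the lecture or any WEP driver): RC4 keyed with IV || secret key, a CRC-32 ICV appended before encryption and recomputed after decryption, plus a check showing why a repeated IV leaks the XOR of two plaintexts (slide 38). The key, IV and message bytes are constructed sample values.

```python
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                   # PRGA: one key stream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(message: bytes) -> bytes:
    """Integrity Check Vector: standard CRC-32 of the message, little-endian."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)

def wep_encrypt(secret_key: bytes, iv: bytes, message: bytes) -> bytes:
    """WEP sending: (message || ICV) XOR RC4(IV || secret key); the IV is sent in clear."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)   # 24-bit IV, 40- or 104-bit key
    plaintext = message + icv(message)
    return iv + xor(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))

def wep_decrypt(secret_key: bytes, frame: bytes):
    """WEP receiving: take the IV from the frame, XOR with the key stream,
    separate the ICV and recompute it. Returns (message, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4_keystream(iv + secret_key, len(body)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message, received_icv == icv(message)

def iv_reuse_leaks(secret_key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """Why an IV must never repeat (slide 38): two frames under one IV share a
    key stream, so c1 XOR c2 == m1 XOR m2 with the key stream cancelled out."""
    c1 = wep_encrypt(secret_key, iv, m1)[3:]
    c2 = wep_encrypt(secret_key, iv, m2)[3:]
    n = min(len(m1), len(m2))
    return xor(c1, c2)[:n] == xor(m1, m2)[:n]

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit key, not a real one
    frame = wep_encrypt(key, b"\x00\x00\x01", b"\xaa\xaa\x03hello")  # SNAP-style body
    print(wep_decrypt(key, frame))           # (b'\xaa\xaa\x03hello', True)
```

A flipped ciphertext bit without a matching ICV change, or the wrong secret key, makes `wep_decrypt` report `icv_ok == False`, which is the only integrity check WEP offers.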

35
Shared Key Authentication
  • When station requests association with Access
    Point
  • AP sends random number to station
  • Station encrypts random number
  • Uses RC4 with 40 bit shared secret key and 24 bit IV
  • Encrypted random number sent to AP
  • AP decrypts received message
  • Uses RC4 with 40 bit shared secret key and 24 bit IV
  • AP compares decrypted random number to
    transmitted random number
  • If numbers match, station has shared secret key.

36
WEP Safeguards
  • Shared secret key required for
  • Associating with an access point.
  • Sending data.
  • Receiving data.
  • Messages are encrypted.
  • Confidentiality.
  • Messages have checksum.
  • Integrity.
  • But management traffic still broadcast in clear
    containing SSID.

37
Initialisation Vector
  • IV must be different for every message
    transmitted.
  • 802.11 standard doesn't specify how the IV is
    calculated.
  • Wireless cards use several methods
  • Some use a simple ascending counter for each
    message.
  • Some switch between alternate ascending and
    descending counters.
  • Some use a pseudo random IV generator.

38
Passive WEP attack
  • If 24 bit IV is an ascending counter,
  • If Access Point transmits at 11 Mbps,
  • All IVs are exhausted in roughly 5 hours.
  • Passive attack
  • Attacker collects all traffic
  • Attacker could collect two messages
  • Encrypted with same key and same IV
  • Statistical attacks to reveal plaintext
  • Plaintext XOR Ciphertext = Keystream

39
Active WEP attack
  • If attacker knows plaintext and ciphertext pair
  • Keystream is known.
  • Attacker can create correctly encrypted messages.
  • Access Point is deceived into accepting messages.
  • Bitflipping
  • Flip a bit in ciphertext
  • Bit difference in CRC-32 can be computed

40
Limited WEP keys
  • Some vendors allow limited WEP keys
  • User types in a passphrase
  • WEP key is generated from passphrase
  • Passphrase creates only 21 bits of entropy in the 40
    bit key.
  • Reduces key strength to 21 bits (2,097,152 keys)
  • Remaining 19 bits are predictable.
  • 21 bit key can be brute forced in minutes.
  • www.lava.net/newsham/wlan/WEP_password_cracker.ppt

41
Creating limited WEP keys (diagram)
42
Brute force key attack
  • Capture ciphertext.
  • IV is included in message.
  • Search all 2^40 possible secret keys.
  • 1,099,511,627,776 keys
  • 170 days on a modern laptop
  • Find which key decrypts ciphertext to plaintext.

43
128 bit WEP
  • Vendors have extended WEP to 128 bit keys.
  • 104 bit secret key.
  • 24 bit IV.
  • Brute force takes 10^19 years for a 104-bit key.
  • Effectively safeguards against brute force
    attacks.

44
Key Scheduling Weakness
  • Paper from Fluhrer, Mantin, Shamir, 2001.
  • Two weaknesses
  • Certain keys leak into key stream.
  • Invariance weakness.
  • If portion of PRNG input is exposed,
  • Analysis of initial key stream allows key to be
    determined.
  • IV weakness.

45
IV weakness
  • WEP exposes part of PRNG input.
  • IV is transmitted with message.
  • Every wireless frame has reliable first byte
  • Sub-network Access Protocol header (SNAP) used in
    logical link control layer, upper sub-layer of
    data link layer.
  • First byte is 0xAA
  • Attack is
  • Capture packets with weak IV
  • First byte of ciphertext XOR 0xAA = first byte of key
    stream
  • Can determine key from initial key stream
  • Practical for 40 bit and 104 bit keys
  • Passive attack.
  • Non-intrusive.
  • No warning.

46
Wepcrack
  • First tool to demonstrate attack using IV
    weakness.
  • Open source, Anton Rager.
  • Three components
  • Weaker IV generator.
  • Search sniffer output for weaker IVs and record the 1st
    byte.
  • Cracker to combine weaker IVs and selected 1st
    bytes.
  • Cumbersome.

47
Airsnort
  • Automated tool
  • Cypher42, Minnesota, USA.
  • Does it all!
  • Sniffs
  • Searches for weaker IVs
  • Records encrypted data
  • Until key is derived.
  • 100 Mb to 1 Gb of transmitted data.
  • 3 to 4 hours on a very busy WLAN.

48
Avoid the weak IVs
  • FMS described a simple method to find weak IVs
  • Many manufacturers avoid those IVs after 2002
  • Therefore Airsnort and others may not work on
    recent hardware
  • However David Hulton aka h1kari
  • Properly implemented FMS attack which shows many
    more weak IVs
  • Identified IVs that leak into second byte of key
    stream.
  • Second byte of SNAP header is also 0xAA
  • So attack still works on recent hardware
  • And is faster on older hardware
  • Dwepcrack, weplab, aircrack

49
Generating WEP traffic
  • Not capturing enough traffic?
  • Capture encrypted ARP request packets
  • Anecdotally lengths of 68, 118 and 368 bytes
    appear appropriate
  • Replay encrypted ARP packets to generate
    encrypted ARP replies
  • Aireplay implements this.

50
802.11 safeguards
  • Security Policy and Architecture Design
  • Treat as untrusted LAN
  • Discover unauthorised use
  • Access point audits
  • Station protection
  • Access point location
  • Antenna design

51
Security Policy Architecture
  • Define use of wireless network
  • What is allowed
  • What is not allowed
  • Holistic architecture and implementation
  • Consider all threats.
  • Design entire architecture
  • To minimise risk.

52
Wireless as untrusted LAN
  • Treat wireless as untrusted.
  • Similar to Internet.
  • Firewall between WLAN and Backbone.
  • Extra authentication required.
  • Intrusion Detection
  • at WLAN / Backbone junction.
  • Vulnerability assessments

53
Discover unauthorised use
  • Search for unauthorised access points, ad-hoc
    networks or clients.
  • Port scanning
  • For unknown SNMP agents.
  • For unknown web or telnet interfaces.
  • Warwalking!
  • Sniff 802.11 packets
  • Identify IP addresses
  • Detect signal strength
  • But may sniff your neighbours
  • Wireless Intrusion Detection
  • AirMagnet, AirDefense, Trapeze, Aruba and others.
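An added example (not from the lecture or any of the named products) of the "discover unauthorised use" step: scan records of the kind a war-walking tool logs (MAC address, SSID, channel, signal strength) are compared against an inventory of authorised access points, and unknown APs, ad-hoc networks, default SSIDs, open authentication and a possible evil twin (slide 27) are flagged. The scan data, inventory SSID and the list of default SSIDs are constructed; the three authorised MAC addresses are the ones on the MAC ACL slide.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One beacon seen by the scanner (constructed, Netstumbler-style record)."""
    bssid: str       # AP (or IBSS) MAC address
    ssid: str
    channel: int
    mode: str        # "infrastructure" (BSS) or "ad-hoc" (IBSS)
    privacy: bool    # privacy bit set in the beacon capability field (WEP/WPA in use)
    signal_dbm: int

# Hypothetical authorised-AP inventory: BSSID -> (SSID, channel).
AUTHORISED = {
    "00:01:42:0e:12:1f": ("corp-wlan", 1),
    "00:01:42:f1:72:ae": ("corp-wlan", 6),
    "00:01:42:4f:e2:01": ("corp-wlan", 11),
}
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless"}   # assumed vendor defaults

# Constructed scan results, not real captures (locally administered MACs).
SCAN = [
    Observation("00:01:42:0e:12:1f", "corp-wlan", 1, "infrastructure", True, -50),
    Observation("00:01:42:f1:72:ae", "corp-wlan", 6, "infrastructure", True, -60),
    Observation("00:01:42:4f:e2:01", "corp-wlan", 11, "infrastructure", True, -65),
    Observation("02:00:00:aa:bb:cc", "corp-wlan", 6, "infrastructure", False, -40),
    Observation("02:00:00:11:22:33", "linksys", 6, "infrastructure", False, -70),
    Observation("02:00:00:44:55:66", "bobs-laptop", 3, "ad-hoc", False, -55),
    Observation("02:00:00:77:88:99", "neighbour-net", 9, "infrastructure", True, -88),
]

def audit(scan, authorised, default_ssids, neighbour_threshold_dbm=-85):
    """Classify each observation; returns a list of (bssid, finding) pairs."""
    our_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for obs in scan:
        if obs.bssid in authorised:
            if (obs.ssid, obs.channel) != authorised[obs.bssid]:
                findings.append((obs.bssid, "authorised AP with unexpected SSID or channel"))
            continue                              # known, correctly configured AP
        if obs.mode == "ad-hoc":
            findings.append((obs.bssid, "ad-hoc network (IBSS)"))
        elif obs.ssid in our_ssids:
            findings.append((obs.bssid, "unknown AP advertising our SSID (possible evil twin)"))
        elif obs.signal_dbm < neighbour_threshold_dbm:
            findings.append((obs.bssid, "weak signal, probably a neighbour: verify before acting"))
        else:
            findings.append((obs.bssid, "unknown access point (possible renegade AP)"))
        if obs.ssid.lower() in default_ssids:
            findings.append((obs.bssid, "default SSID"))
        if not obs.privacy:
            findings.append((obs.bssid, "open system authentication, no encryption"))
    return findings
```

The weak-signal branch is the "may sniff your neighbours" caveat from the slide: a faint network is reported for manual verification rather than treated as a renegade AP.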

54
Access point audits
  • Review security of access points.
  • Are passwords and community strings secure?
  • Use firewalls and router ACLs
  • Limit use of access point administration
    interfaces.
  • Standard access point config
  • SSID
  • WEP keys
  • Community string and password policy

55
Station protection
  • Personal firewalls
  • Protect the station from attackers.
  • VPN from station into Intranet
  • End-to-end encryption into the trusted network.
  • But consider roaming issues.
  • Host intrusion detection
  • Provide early warning of intrusions onto a
    station.
  • Configuration scanning
  • Check that stations are securely configured.

56
Location of Access Points
  • Ideally locate access points
  • In centre of buildings.
  • Try to avoid access points
  • By windows
  • On external walls
  • Line of sight to outside
  • Use directional antenna to point radio signal.

57
WPA
  • Wi-Fi Protected Access
  • Works with 802.11b, a and g
  • Fixes WEP's problems
  • Existing hardware can be used
  • 802.1x user-level authentication
  • TKIP
  • RC4 session-based dynamic encryption keys
  • Per-packet key derivation
  • Unicast and broadcast key management
  • New 48 bit IV with new sequencing method
  • Michael 8 byte message integrity code (MIC)
  • Optional AES support to replace RC4

58
WPA and 802.1x
  • 802.1x is a general purpose network access
    control mechanism
  • WPA has two modes
  • Pre-shared mode, uses pre-shared keys
  • Enterprise mode, uses Extensible Authentication
    Protocol (EAP) with a RADIUS server making the
    authentication decision
  • EAP is a transport for authentication, not
    authentication itself
  • EAP allows arbitrary authentication methods
  • For example, Windows supports
  • EAP-TLS requiring client and server certificates
  • PEAP-MS-CHAPv2

59
Practical WPA attacks
  • Dictionary attack on pre-shared key mode
  • CoWPAtty, Joshua Wright
  • Denial of service attack
  • If WPA equipment sees two packets with invalid
    MICs in 1 second
  • All clients are disassociated
  • All activity stopped for one minute
  • Two malicious packets a minute enough to stop a
    wireless network

60
802.11i
  • Robust Security Network extends WPA
  • Counter Mode with Cipher Block Chaining Message
    Authentication Code Protocol (CCMP)
  • Based on a mode of AES, with 128-bit keys and a 48
    bit IV.
  • Also adds dynamic negotiation of authentication
    and encryption algorithms
  • Allows for future change
  • Does require new hardware
  • www.drizzle.com/aboba/IEEE/

61
Relevant RFCs
  • Radius Extensions RFC 2869
  • EAP RFC 2284
  • EAP-TLS RFC 2716

62
Demonstration
  • War driving
  • Packet sniffing
  • Faking APs
  • Cracking WEP
  • brute force
  • Dictionary attack
  • FMS / H1kari attack
  • Airsnarf?
  • Packet injection?