Wireless Security - PowerPoint PPT Presentation

Slides: 29
Provided by: Tyl76
Transcript and Presenter's Notes

1
Wireless Security
  • Chapter 12

2
Objectives
  • Describe the different wireless systems in use
    today.
  • Detail WAP and its security implications.
  • Identify 802.11's security issues and possible
    solutions.

3
Key Terms
  • 2.4 GHz band
  • 5 GHz band
  • Beacon frames
  • Bluejacking
  • Bluesnarfing
  • Bluebugging
  • Confidentiality
  • Direct-sequence spread spectrum (DSSS)
  • IEEE 802.1X
  • IEEE 802.11
  • Initialization vector (IV)
  • Orthogonal frequency division multiplexing (OFDM)
  • RC4 stream cipher
  • Service set identifier (SSID)
  • WAP gap
  • Wired Equivalent Privacy (WEP)
  • Wireless Application Protocol (WAP)
  • Wireless Transport Layer Security (WTLS)

4
Introduction to Wireless Networking
  • Wireless networking is the transmission of
    packetized data by means of a physical topology
    that does not use direct physical links.
  • IEEE 802.11 is a family of protocols that have
    been standardized by the IEEE for wireless local
    area networks (LANs).
  • Wireless Application Protocol (WAP) was one of
    the pioneers of mobile data applications.
  • Bluetooth is a short-range wireless protocol
    typically used on small devices such as mobile
    phones.

5
Summary Table of the 802.11 Family
6
Wireless Transmission Extending Beyond the
Facility's Walls
7
Mobile Phones
  • Traditional wireless devices such as cellular
    phones and pagers are being replaced by wireless
    e-mail devices and PDAs.
  • Wireless Application Protocol (WAP) attempted to
    satisfy the needs for more data on mobile devices.

8
WAP
  • Wireless Application Protocol (WAP) is a
    lightweight protocol designed for mobile devices.
  • Wireless Transport Layer Security (WTLS) is a
    lightweight security protocol designed for WAP.
  • WTLS uses a modified version of the Transport
    Layer Security (TLS) protocol, formerly known as
    Secure Sockets Layer (SSL), to ensure
    confidentiality.
  • WTLS implements integrity through the use of
    message authentication codes (MACs).

9
WAP Vulnerabilities
  • The TLS protocol that WTLS is based on is
    designed around Internet-based computers.
  • Mobile phone clients with low memory or CPU
    capabilities cannot support encryption, and
    choosing null or weak encryption greatly reduces
    confidentiality.
  • WAP is a point-to-multipoint protocol, but it can
    face disruptions or attacks because it aggregates
    at well-known points: the cellular antenna
    towers.
  • The WAP gap involves confidentiality of
    information where the two different networks
    meet: the WAP gateway.

10
The WAP Gap Shows an Unencrypted Space Between
Two Enciphered Connections
11
3G Mobile Networks
  • Mobile wireless networks have been or are being
    upgraded to 3G, greatly enhancing speed and
    lowering latency.
  • Increased power and memory of handheld devices
    also reduces the need for lighter-weight
    encryption protocols.
  • The cryptographic standard proposed for 3G is
    known as KASUMI.
  • KASUMI is a modified version of the MISTY1
    algorithm that uses 64-bit blocks and 128-bit keys.

12
Bluetooth
  • Bluetooth is a short-range (approx. 32 feet),
    low-power wireless protocol transmitting in the
    2.4 GHz band.
  • Bluetooth transmits data in Personal Area
    Networks (PANs) through mobile phones, laptops,
    printers, and audio devices.
  • Version 1.2 allows speeds up to 721 Kbps and
    improves resistance to interference over version
    1.1.
  • Bluetooth 2.0 introduced enhanced data rate
    (EDR), which allows the transmission of up to 3.0
    Mbps.

13
Bluetooth Headsets
14
Bluetooth Vulnerabilities
  • Bluejacking: Term used for the sending of
    unauthorized messages to another Bluetooth
    device.
  • Bluesnarfing: Execution is similar to
    bluejacking; however, with bluesnarfing the
    attacker copies off the victim's information,
    which can include e-mails, contact lists,
    calendar, etc.
  • Bluebugging: A far more serious attack than
    either bluejacking or bluesnarfing. In
    bluebugging, the attacker uses Bluetooth to
    establish a serial connection to the device.

15
Wireless File Sharing
16
802.11
  • Group of IEEE standards also called Wi-Fi
  • The table below shows an overview of each protocol

17
802.11 Modulation
  • Direct-sequence spread spectrum (DSSS) is a
    modulation type that spreads the traffic sent
    over the entire bandwidth.
  • Orthogonal frequency division multiplexing (OFDM)
    multiplexes, or separates, the data to be
    transmitted into smaller chunks and then
    transmits the chunks on several subchannels.

18
802.11 Individual Standards
  • 802.11a is the wireless networking standard that
    supports traffic on the 5 GHz band, allowing
    speeds up to 54 Mbps.
  • 802.11b protocol provides for multiple-rate
    Ethernet over 2.4 GHz spread-spectrum wireless.
    It provides transfer rates of 1 Mbps, 2 Mbps, 5.5
    Mbps, and 11 Mbps and uses DSSS.
  • Features of 802.11b and 802.11a were joined to
    create 802.11g. 802.11g allows the faster speeds
    of the 5 GHz specification on the 2.4 GHz band.
  • 802.11n is on the horizon, with many
    manufacturers shipping devices based upon the
    draft specification. 802.11n offers speeds up to
    248 Mbps.

19
802.11 Protocol
  • Authentication is handled in its most basic form
    by the 802.11 AP, forcing the clients to perform
    a handshake when attempting to associate to the
    AP.
  • Service set identifier (SSID). The SSID setting
    should limit access only to the authorized users
    of the wireless network.
  • A beacon frame is an 802.11 management frame for
    the network and contains several different
    fields, such as the timestamp and beacon
    interval, but most importantly the SSID.
  • Wired Equivalent Privacy (WEP) uses the RC4
    stream cipher to encrypt the data as it is
    transmitted through the air.

20
A Common Wireless Router
21
Attacking 802.11
  • Wireless is a popular target for several reasons:
  • Access gained from wireless
  • Lack of default security
  • Wide proliferation of devices
  • Anonymity
  • Low cost

22
Attacking 802.11
  • War-driving is driving around with a wireless
    locater program recording the number of networks
    found and their locations.
  • NetStumbler is a reception-based program that
    listens to the beacon frames output by other
    wireless devices.
  • A network sniffer, when combined with a wireless
    network card it can support, is a powerful attack
    tool.
  • Wired Equivalent Privacy (WEP) is an encryption
    protocol that 802.11 uses to attempt to ensure
    confidentiality of wireless communications.
  • A site survey is an important step in securing a
    wireless network to avoid sending critical data
    beyond company walls.
  • A rogue access point is an unauthorized wireless
    access point within an organization.

23
Attacking 802.11 (continued)
  • Service set identifier (SSID): a unique
    32-character identifier attached to the header
    of the packet.
  • The purpose of beacon frames is to announce the
    wireless network's presence and capabilities so
    that WLAN cards can attempt to associate to it.
  • MAC address restriction provides limited
    authentication capability.
  • WEP encrypts the data traveling across the
    network with an RC4 stream cipher, attempting to
    ensure confidentiality.
  • WEP should not be trusted alone to provide
    confidentiality.
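
As an added illustration (not part of the original presentation), the Python sketch below parses the beacon fields named above (timestamp, beacon interval, SSID) and runs the site-survey check for rogue access points against an inventory of authorized BSSIDs. The function names, the `corp-wifi` inventory and the sample frames are constructed for the example.

```python
import struct

BEACON_FC0 = 0x80     # frame-control byte 0: management frame, subtype beacon
PRIVACY = 0x0010      # capability bit: the network requires encryption

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (24-byte MAC header + body, no radiotap/FCS)."""
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")                      # address 3 is the BSSID
    timestamp, interval, caps = struct.unpack_from("<QHH", frame, 24)
    ssid, pos = None, 36
    while pos + 2 <= len(frame):                       # tagged elements: id, len, value
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if elem_id == 0 and ssid is None:              # element 0 carries the SSID
            if length > 32:
                raise ValueError("SSID longer than 32 bytes")
            ssid = value.decode("utf-8", "replace")
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "timestamp": timestamp,
            "interval_tu": interval, "privacy": bool(caps & PRIVACY)}

def survey(frames, inventory):
    """inventory maps each authorized SSID to the BSSIDs allowed to announce it."""
    findings = []
    for raw in frames:
        b = parse_beacon(raw)
        allowed = inventory.get(b["ssid"])             # None: not one of our SSIDs
        if allowed is not None and b["bssid"] not in allowed:
            findings.append((b["bssid"], b["ssid"], "unlisted BSSID announcing our SSID"))
        elif allowed is not None and not b["privacy"]:
            findings.append((b["bssid"], b["ssid"], "listed AP beaconing without encryption"))
    return findings

def make_beacon(bssid: str, ssid: bytes, caps: int) -> bytes:
    """Build a constructed sample beacon for the demo (not captured traffic)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = bytes([BEACON_FC0, 0, 0, 0]) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    return header + struct.pack("<QHH", 123456, 100, caps) + bytes([0, len(ssid)]) + ssid

INVENTORY = {"corp-wifi": {"02:00:00:00:00:01", "02:00:00:00:00:02"}}
SAMPLES = [make_beacon("02:00:00:00:00:01", b"corp-wifi", 0x0011),
           make_beacon("02:00:00:00:00:02", b"corp-wifi", 0x0001),
           make_beacon("02:00:00:00:00:99", b"corp-wifi", 0x0011),
           make_beacon("02:00:00:00:00:77", b"cafe-guest", 0x0001)]
print(survey(SAMPLES, INVENTORY))
```

The check only covers an unlisted access point reusing an authorized network name; an unauthorized access point with its own SSID has to be found by comparing every observed BSSID with the inventory.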

24
NetStumbler on a Windows PC
25
Windows Displaying Access Points
26
New Security Protocols
  • Wi-Fi Protected Access (WPA and WPA2) uses 802.1X
    to provide authentication and uses Advanced
    Encryption Standard (AES) as the encryption
    protocol.
  • Temporal Key Integrity Protocol (TKIP) overcomes
    the WEP key weakness, as a key is used on only
    one packet.
  • 802.1X protocol supports a wide variety of
    authentication methods and also fits well into
    existing authentication systems such as RADIUS
    and LDAP.
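
Added example, not from the original slides: WEP seeds RC4 with a 24-bit IV followed by the shared key, so two packets sent under the same IV are encrypted with the same keystream, which is the key reuse that per-packet keys remove. The key, payloads and function names are constructed; the fresh-IV case only stands in for "a different key per packet" and is not TKIP's actual key-mixing function.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP payload encryption: RC4 seeded with the 3-byte IV followed by the key.
    The CRC-32 integrity value that WEP appends is left out of this sketch."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(payload, rc4_keystream(iv + key, len(payload)))

def reuse_exposes_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when XORing two ciphertexts cancels the keystream, leaving p1 XOR p2."""
    return xor(c1, c2) == xor(p1, p2)

KEY = bytes.fromhex("0102030405")              # constructed 40-bit WEP key
P1 = b"GET /payroll HTTP/1.1"                  # constructed payloads
P2 = b"POST /login HTTP/1.1 "

def demo() -> dict:
    iv = b"\x00\x00\x01"
    c1 = wep_encrypt(iv, KEY, P1)
    same_iv = reuse_exposes_xor(c1, wep_encrypt(iv, KEY, P2), P1, P2)
    fresh_iv = reuse_exposes_xor(c1, wep_encrypt(b"\x00\x00\x02", KEY, P2), P1, P2)
    return {"same_iv": same_iv, "fresh_iv": fresh_iv}

print(demo())
```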

27
Implementing 802.1X
  • Three common methods are used to implement
    802.1X: EAP-TLS, EAP-TTLS, and EAP-MD5.
  • EAP-TLS relies on TLS, an attempt to standardize
    the SSL structure to pass credentials.
  • EAP-Tunneled TLS Protocol (EAP-TTLS): based on
    EAP-TLS, but allows the use of legacy
    authentication protocols such as Password
    Authentication Protocol (PAP), Challenge-Handshake
    Authentication Protocol (CHAP), MS-CHAP, or
    MS-CHAP-V2.
  • EAP-MD5: does improve the authentication of the
    client to the AP, but does little else to improve
    the security of your AP.
  • The use of encryption should always be employed,
    typically with WPA or WPA2. Turning off SSID
    broadcasting can help avoid some scanning.
    Additionally, regular site surveys will help
    avoid rogue access points.

28
Chapter Summary
  • Describe the different wireless systems in use
    today.
  • Detail WAP and its security implications.
  • Identify 802.11's security issues and possible
    solutions.