
Wireless (In)Security
or
Why You Will WEEP When You Learn About WEP

Kevin W. Wall
Staff Software Engineer
Qwest IT
[email protected]
http://www.wowway.com/~kwwall/presentations/security/cocacm-20040218.ppt

Copyright © 2004 - Kevin Wall - All Rights Reserved.

IEEE Wireless Standards

• IEEE 802.11 standards
  • A.K.A.: Wireless LAN (WLAN) & Wi-Fi
  • 802.11b was original standard
    • Transmits up to 11 Mbps
    • Operates at frequency of 2.4GHz
    • Typical range of ~300 feet
  • 802.11a is successor
    • Transmits up to 54 Mbps
    • Operates at frequency of 5GHz
    • Shorter range; ~60-70 feet.
  • 802.11g
    • Up to 54 Mbps, but at 2.4GHz (compatible w/ 802.11b)
    • Added security; fixes some problems w/ WEP.
  • 802.11i — Coming RSN
  • Wired Equivalent Privacy (WEP) provides security for these first three.

Wi-Fi Security Vulnerabilities

• Interception and sniffing wireless traffic
• Jamming
• Insertion attacks
• Misconfiguration
• Client-to-client attacks

Wi-Fi Vulnerabilities: Sniffing

• All wireless standards (802.11, Bluetooth, etc.) are broadcast networks.
• Intruder must be in range of signal to intercept it.
  • Properly selected / positioned antenna aids security by minimizing how far signal can reach (i.e., reduces leakage).
  • Range given for receiving w/ omnidirectional antennas; directional antennas give greater range.

Wi-Fi Vuln: Sniffing (cont’d)

“Antenna on the Cheap (er, Chip)”
— Rob Flickenger

Wi-Fi Vuln: Sniffing (cont’d)

• Same basic principles as sniffing Ethernet.
  • Sniffing wireless easier since no need to physically attach to LAN segment.
  • Many password sniffers (e.g., dsniff) work on WLAN since same protocols (telnet, POP3, etc.) still used.
• Beyond sniffing: attackers can inject false traffic into a connection, running unintended commands as legitimate user.

Wi-Fi Vuln: Sniffing (cont’d)

• If AP is connected to hub rather than network switch, any network traffic across that hub can potentially be broadcast out over the wireless network.
• ARP spoofing technique can trick switch into passing data from backbone of subnet and routing it through attacker’s wireless client.
• Attacker can trick wireless client into using unauthorized AP with stronger signal.

War-driving

• Term from “war-dialing” which was taken from movie War Games.
• War-driving (-walking, -flying) is driving (walking, flying) around to collect access points.
  • Map location (using GPS), MACs, SSIDs, and bandwidth.
  • Usually reported to centralized location on Internet.
  • Used by many to gain free Internet access

War-chalking

• War-chalking is act of marking sidewalks, walls, etc. with a symbol to indicate that an AP is within range.
• War-chalking symbols shown on right.

War-chalking Examples

Wi-Fi Vuln: Jamming

• DoS attack for WLANs.
  • Same principle as for (wired) LAN
  • Easier to mount than for LAN. Need not belong to network.
• Attacker floods 2.4GHz network so that signal-to-noise ratio drops so low Wi-Fi network ceases to function.
• May happen accidentally! Cordless phones, baby monitors, Bluetooth, etc. all use same 2.4GHz band.

Wi-Fi Vuln: Insertion Attacks

• Based on putting unauthorized devices on Wi-Fi network w/out proper security process / review.
  • Attacker tries to connect their wireless client to AP w/out authorization.
  • Attacks through renegade AP.
• Safeguard: Have and follow policy for securely attaching Wi-Fi clients and new AP.

Wi-Fi Vuln: Misconfiguration

• By default, APs usually configured w/ little or no security.
  • Misconfigured Server Set IDs (SSID)
  • Misconfigured Wired Equivalent Privacy (WEP)
  • Misconfigured SNMP for AP management

Wi-Fi Vuln: Misconfigured SSIDs

• Server Set ID (SSID) configured w/ default password, differing only by manufacturer.
• Can tell manufacturer based on leading digits of MAC address.
• Brute force AP’s SSID w/ dictionary attacks.
• Need to change SSID whenever employee leaves company.
• SSID not encrypted, even when WEP is used!
• Disabling broadcast SSID hardly helps at all.

Wi-Fi Vuln: Misconfigured WEP

• WEP usually disabled by default.
  • Most public WLAN APs like those at airports, hotels, cafes, etc. never enable WEP.
  • Only ~20% of companies seem to use WEP.
  • WEP is severely broken anyway (more later).
• In some APs, use of WEP is optional even when enabled.
• Some manufacturers of APs have default WEP keys which are never changed.

Wi-Fi Vuln: Misconfigured SNMP

• Most Wi-Fi base stations support SNMP for AP management.
  • Community strings must be changed from defaults.
    • Typically “public” for public community and “private” for private community.
    • Other manufacturers use different, but well-known community strings.
• Same risk applies to wireless clients if they have SNMP enabled.
• Many SNMP implementations (still) vulnerable to attack discovered in Feb, 2002 and embodied in PROTOS tool.

Wi-Fi Vuln: Client-to-client Attacks

• File sharing and other TCP/IP service attacks
  • Previously laptops protected by company firewalls or VPNs. No longer true.
• DoS attacks
  • Intentional flooding of one client by another.
  • Unintentional from duplicate IP or MAC address.
• Hybrid threats: Next generation worms / viruses.

IEEE’s WEP Standard

• IEEE standard (1999-2000)
• Wired Equivalent Privacy (WEP) should have been called Wildly Exceeding Expectations of Privacy (WEEP). WEP severely broken in several major ways.
• WEP uses RC4 as encryption algorithm.
  • 40-bit encryption specified by original standard
  • Also uses 24-bit IV; sometimes called 64-bit RC4
  • 128-bit RC4 (104-bit really) also available.

Wi-Fi Insecurity (by Team)

• October 2000: Jesse Walker
• January 2001: UC Berkeley cryptographers Nikita Borisov, Ian Goldberg, and David Wagner
• March 2001: Univ of Maryland researchers William Arbaugh, Narendar Shankar, and Y.C. Justin Wan
• May 2001: William Arbaugh
• June 2001: Tim Newsham
• August 2001: Scott Fluhrer, Itsik Mantin, and Adi Shamir
• February 2002: Arunesh Mishra and W. Arbaugh

Wi-Fi Insecurity (by Attack) (1/6)

• IV / key reuse (Walker, Berkeley team, Arbaugh)
  • Possible because of small IV space (24-bits), lack of IV replay protection.
    • IV should be at least same as key size for stream cipher.
    • XOR w/ key instead of concatenating to key.
  • Enables statistical attack of ciphertexts w/ replayed IVs
  • Worsened by many HW vendors resetting IV to 0 when NIC powered off.

Wi-Fi Insecurity (by Attack) (2/6)

• Known plaintext attacks (Walker, Berkeley team, Arbaugh)
  • Lots of known plaintext in IP traffic: ICMP, ARP, TCP ACKs, etc. More in e-mail headers, etc.
  • Possible to send “ping” from Internet through AP to snooping attacker.

Wi-Fi Insecurity (by Attack) (3/6)

• Partial known plaintext attacks (Berkeley team, Arbaugh)
  • Only part of message (plaintext) may be known; e.g., IP header.
  • Possible to flip bits in real time and recompute CRC-32, divert traffic to attacker
    • CRC32 is linear; no keyed hash
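
An added example, not part of the original slides: a small Python model of WEP framing (RC4 keyed with IV || key, CRC-32 as the integrity check value) that shows the IV-reuse leak from slide 1/6 and why the unkeyed, linear CRC on this slide fails to detect an edit, next to the same edit being rejected once the check is keyed. The key, IV, payloads and the `keyed_tag` HMAC stand-in are constructed assumptions; the keyed variant goes one step beyond what the slides show.

```python
import hashlib
import hmac
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key setup
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def keyed_tag(mic_key: bytes):
    """Hypothetical keyed check: HMAC-SHA256, cut to 4 bytes only to keep the layout."""
    return lambda data: hmac.new(mic_key, data, hashlib.sha256).digest()[:4]

def seal(key, iv, data, tag=crc_icv):
    """3-byte IV in clear, then (data || tag) XOR RC4(IV || key)."""
    body = data + tag(data)
    return iv + xor(body, rc4(iv + key, len(body)))

def open_frame(key, frame, tag=crc_icv):
    """Decrypt and verify; return the data, or None if the check fails."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4(iv + key, len(body)))
    data, got = clear[:-4], clear[-4:]
    return data if hmac.compare_digest(tag(data), got) else None

def reused_iv_leak(frame_a, frame_b):
    """Same IV and key give the same keystream, so it cancels out of the XOR."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])

def keyless_edit(frame, delta):
    """Edit data and repair the CRC with no key: crc(p^d) == crc(p)^crc(d)^crc(zeros)."""
    n = len(frame) - 3 - 4
    if len(delta) != n:
        raise ValueError("delta must match the data length")
    patch = delta + xor(crc_icv(delta), crc_icv(bytes(n)))
    return frame[:3] + xor(frame[3:], patch)

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")             # 40-bit WEP key
IV = bytes.fromhex("000001")                  # 24-bit IV, used twice on purpose
P1 = b"dst=10.0.0.5 len=64"
P2 = b"dst=10.0.0.7 len=40"
WANT = b"dst=10.0.0.9 len=64"

def demo():
    f1, f2 = seal(KEY, IV, P1), seal(KEY, IV, P2)
    delta, tag = xor(P1, WANT), keyed_tag(b"constructed-mic-key")
    return {
        "leak": reused_iv_leak(f1, f2)[:len(P1)] == xor(P1, P2),
        "crc_check": open_frame(KEY, keyless_edit(f1, delta)),
        "keyed_check": open_frame(KEY, keyless_edit(seal(KEY, IV, P1, tag), delta), tag),
    }

if __name__ == "__main__":
    print(demo())
```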


Wi-Fi Insecurity (by Attack) (4/6)

• Authentication forging (Berkeley team)
  • WEP 1.0 encrypts challenge w/ IV chosen by client.
  • Recovery of key stream for given IV allows reuse of that IV for forging WEP authentication.
• DoS attacks
  • Disassociate, reassociate messages not authenticated

Wi-Fi Insecurity (by Attack) (5/6)

• Dictionary attacks
  • Possible when WEP keys are derived from passwords.
• Real-time decryption (Berkeley team, Arbaugh)
  • Repeated IV use (NIC deficiency), probing allows building IV lookup table for given key.
    • Need 1500 bytes of key stream per IV
    • 2^24 * 1500 bytes = ~24GB
  • Enables decryption of traffic in real-time after table computed.

Wi-Fi Insecurity (by Attack) (6/6)

• Weakness in RC4 key setup algorithm (Fluhrer, Mantin, & Shamir)
  • Completely passive attack; requires collection of sufficient WEP data packets.
  • Certain “weak” IVs result in ~5% chance of exposing single byte of key.
  • Gathering sufficient # of weak IVs, along w/ statistical analysis, eventually results in key.
  • Tools such as airsnort automate this.

Screen Shot of Airsnort

See http://airsnort.shmoo.com/

Example of Broken WEP

• Borisov, Goldberg, and Wagner (Berkeley team) discovered following flaws:
  • Passive attacks to decrypt traffic based on statistical analysis.
  • Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
  • Active attacks to decrypt traffic, based on tricking the access point.
  • Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic

Better Luck Next Time? WEP 2

• Increase size of IV to 128 bits.
• To avoid staleness and repeating key stream, key may be changed periodically via IEEE 802.1X reauthentication.
• Still no keyed message integrity code.
• Still no IV replay protection.
• Still no authentication for reassociate, disassociate messages
• Mandatory support of Kerberos V for IEEE 802.1X

WEP 2 Security Issues

• Known / partial plaintext attacks not affected by larger IV
  • Still possible to recover key streams via ping from Internet.
• Authentication forging: not affected
• DoS attacks not addressed.
• Dictionary attack: new attacks based on improper mandatory use of Kerberos V authentication.

WPA: A WEP Replacement

• Wi-Fi Protected Access (WPA)
  • Temporary solution, forward compatible with 802.11i.
  • Includes 802.1X (not a typo), EAP, and TKIP
  • Special “home mode” where no central authorization servers.
  • Reviewed by cryptographers!
  • Deployment started in early 2003.
• 802.11 - Longer term solution.

WEP vs. WPA

|                | WEP | WPA |
|----------------|-----|-----|
| Encryption     | Several known severe flaws. | Fixes all known WEP encryption flaws. |
|                | 40-bits | 128-bits |
|                | Static keys – same key used by everyone on network | Dynamic keys – per user, per session, and per packet keys |
|                | Manual distribution of keys makes changing keys hard. | Automatic distribution of keys. |
| Authentication | Flawed; used WEP key itself for authentication. | Stronger user authentication using 802.1X and EAP. |

Minimizing Wi-Fi Security Risks

• Change your SSID to a strong password and change periodically.
• Use MAC filtering.
• Set up fake access points (“fakeAP” tool).
• Disable SSID broadcasts.
• Use low power. Turn off when not used.
• Map out your own networks.
• Use VPNs if you really need security.
• If possible, wait for 802.11i, else use WPA or 128-bit WEP if available to you.

Wireless Security Tools

• airsnort
• netstumbler
• kismet
• wepcrack
• fakeap

See http://www.networkintrusion.co.uk/wireless.htm for more complete list.

Wi-Fi References

• http://www.wifimaps.com/ -- interactive maps of wireless access-points across the globe; search by city / state or SSID.
• http://www.iss.net/wireless/WLAN_FAQ.php -- FAQ on Wi-Fi security problems.
• http://www.cs.umd.edu/~waa/wireless.html -- list of 802.11b security vulnerabilities, including WEP.