Posted: 26-Dec-2015
Advanced High-tech Security
http://www.cyanline.com

Tracking and recovering a stolen iPhone…
Steven Branigan, President
Author of…

Copyright (c) 2009, CyanLine LLC. All rights reserved.
Who am I?
• Former…
  – Bell Labs Researcher, Bellcore Engineer, Cop
• Author of High Tech Crimes Revealed.
  – Observed that insiders are more dangerous than outsiders.
• My company, CyanLine, handles
  – Wireless security products.
  – Network auditing and consulting.
  – Devising new tools for technical investigations.
The glossary for today
• 3G: The term used to describe the next generation of mobile network infrastructure that supports high-speed, high-bandwidth wireless services for advanced applications.
• 802.11: A family of wireless Local Area Network specifications, also known as "Wi-Fi." The three main standards are 802.11a, 802.11b and 802.11g.
• 802.11a: 5 GHz; 5 times faster than 802.11b; fewer interference issues because of the 5 GHz spectrum; not backwards compatible with 802.11b/g; 54 Mbit/s max link rate; 8 non-overlapping radio channels in the original U.S. allocation.
• 802.11b: 2.4 GHz; transfers data at 11 Mbit/s up to about 300 ft; shares spectrum with cordless phones and microwave ovens; 11 Mbit/s max link rate; 3 non-overlapping radio channels.
• 802.11g: 2.4 GHz; 5 times faster than 802.11b; backwards compatible with 802.11b; 54 Mbit/s max link rate; 3 non-overlapping radio channels. (The radio standard does not make a network more secure; encryption is WEP/WPA/WPA2 and is independent of a/b/g.)
• AMPS (Advanced Mobile Phone Service): The analog cellular air interface standard used in the United States and other countries.
• AES (Advanced Encryption Standard): The U.S. federal symmetric block cipher (FIPS 197) with 128-, 192- and 256-bit keys. AES (in CCMP mode) is the encryption specified by 802.11i, marketed as WPA2.
• AP (Access Point): A hardware device, or software on a computer, that acts as a communication hub for wireless devices connecting to a wired LAN.
• Bluetooth: A short-range wireless networking technology with a range of about 30 feet and a raw data transmission rate of 1 Mbit/s. It is designed primarily as a cable replacement.
• Bluetooth SIG (Special Interest Group): A trade association of industry leaders and some volunteers that promotes the development of Bluetooth-enabled products.
• Broadband: Using a wide-bandwidth channel for voice, data and/or video services.
• Backhaul: Getting data to a point from which it can be distributed over a network.
• CDMA (Code Division Multiple Access): A technology used to send digital transmissions between a mobile phone and a radio base station. It allows multiple transmissions to be carried simultaneously on a single wireless channel.
• CDPD (Cellular Digital Packet Data): A technology that allows telecommunications companies to transfer data to users over existing cellular networks.
• Cell site: The location where the wireless antenna and network communications equipment are placed.
• DMZ (Demilitarized Zone): A small network inserted as a neutral area between a company's private network and the outside public network. It provides indirect access to internal resources.
• DHCP (Dynamic Host Configuration Protocol): A standard that lets individual computers on an IP network obtain their IP address and other settings from a server on demand. The server's lease table records which MAC address held which IP address, and until when.
• Decibel: A unit expressing the relative difference in power between two signals, equal to ten times the common logarithm of the ratio of the two power levels. dBm is power relative to 1 mW.
• EDGE (Enhanced Data for GSM Evolution): A faster technology for GSM and TDMA networks that may offer transfer rates up to 384 Kbit/s.
• Fresnel Zone: The area around the visual line of sight that radio waves spread out into after they leave the antenna. This area must be clear or signal strength will weaken.
• Full-Duplex: The radio term for transmissions such as telephone calls or wireless data that allow talking and listening at the same time by using two frequencies to create one channel. Each frequency is used solely for either transmitting or receiving.
• GPRS (General Packet Radio Service): A 2.5G technology implemented in GSM networks. It is an "always on" technology with data transfer speeds up to 114 Kbit/s.
• GSM (Global System for Mobile Communications): A digital cellular/PCS standard for how data is coded and transferred through the wireless spectrum. It is the dominant 2G standard worldwide; in the United States it coexists with CDMA (the AT&T iPhone in this case is a GSM phone).
• GHz (Gigahertz): One billion radio waves, or cycles, per second. Equal to 1,000 megahertz.
• GPS (Global Positioning System): A satellite-based navigation system made up of a network of 24 satellites placed into orbit by the U.S. Department of Defense.
• Hot Spots: Wireless access points found in public places such as airports, convention centers, hotels and coffee shops.
• Hz (Hertz): A unit of measurement of one cycle per second, or one radio wave passing one point in one second of time.
• ISP (Internet Service Provider): A company that resells Internet access.
• LAN (Local Area Network): A system that links together electronic office equipment, such as computers and word processors, and forms a network within an office or building.
• MMS (Multimedia Messaging Service): A method for transmitting graphics, video clips, sound files and short text messages over wireless networks using the WAP protocol.
• MHz (Megahertz): One million radio waves, or cycles, per second. Equal to one thousand kilohertz.
• MAC (Media Access Control) address: The 48-bit hardware address assigned to a network interface at the factory. It is meant to be unique, but on most interfaces it is set in software and can be changed (spoofed).
• NAT (Network Address Translation): A technique, generally applied by a router, that makes many different IP addresses on an internal network appear to the Internet as a single address. It hides internal hosts but is not a security control in itself; the router's translation table is what links an external connection back to an inside host.
• Ping: A utility that sends an ICMP echo request to another computer and waits for the reply, often used to check whether a host on a network is reachable. (The expansion "Packet Internet Groper" is a later backronym; the name comes from sonar.)
• Point-to-Point: A method of transporting IP packets over a serial link between the user and the ISP.
• Point-to-Multipoint: A communications network that provides a path from one location to multiple locations (from one to many).
• RFID (Radio Frequency Identification): A technology that uses radio waves to transfer data between a tag on a movable item and a reader, in order to identify, track or locate that item.
• SID (System Identification): A five-digit number that indicates which service area the phone is in. Most carriers have one SID assigned to their service area.
• SSID (Service Set Identifier): The network name, up to 32 bytes, that identifies a WLAN. It is sent in the clear in beacons, probe requests and probe responses; it is not a password, and hiding it does not secure the network.
• TDMA (Time Division Multiple Access): A wireless technology that allows digital transmission of radio signals between a mobile device and a fixed radio base station. It allows increased capacity on digital cellular networks.
• TCP/IP (Transmission Control Protocol / Internet Protocol): The Internet protocol suite, developed under the US Department of Defense in the 1970s. TCP governs the exchange of sequential data; IP routes outgoing and recognizes incoming messages.
• VoIP (Voice over Internet Protocol): Any technology providing voice telephony services over IP, including codecs, streaming protocols and session control.
• VHF (Very High Frequency): Radio channels in the 30 to 300 MHz band.
• WAP (Wireless Application Protocol): A protocol suite that lets mobile phones retrieve Internet content through a carrier gateway; MMS is carried over it.
• WEP (Wired Equivalent Privacy): The original 802.11 feature for encrypting data transmitted between WLAN devices. Its RC4-based design is broken; free tools recover the key in minutes.
• Wi-Fi: Short for "wireless fidelity"; used generically for any type of 802.11 network, including 802.11b, 802.11a and 802.11g.
• WAN (Wide Area Network): A communications network that uses such devices as telephone lines, satellite dishes or radio waves to span a larger geographic area than can be covered by a LAN.
• WISP (Wireless Internet Service Provider): See ISP.
• Zulu Time: Synonymous with Greenwich Mean Time (UTC), the time reference used in satellite systems.
Terms…
• Wireless networking issues…
  – Rogue Access Points
  – Hotspots
  – WEP/WPA
  – Probing clients
  – SSIDs
  – Wi-Fi vs Wi-Max
  – Piggybacking…

$\mathrm{Dist} = \sqrt{\dfrac{100\,\mathrm{mW}}{4\pi \cdot \mathrm{rssi}}}$ (transmit power 100 mW, rssi in mW)
WiFi Issues
• Sniffing network traffic
  – Traffic can be intercepted in clear text.
• Stealing network access
  – Unauthorized people getting on my network.
  – Anonymous access
• Denial of service
• Employees using unauthorized networks.
• A laptop unexpectedly joining an AP.
• Employees/contractors bypassing filters and accessing inappropriate content in the office.
WiFi network issues
• #1 Piggybacking & the near-miss search warrant
• #2 Anonymous threats
• #3 Network storage devices.
• #4 Why these cases are more challenging than cellular-based wireless.
What if scenarios
• What if the suspect traffic is coming from an apartment building?
• What if the suspect traffic is tracked back to a corporate café’s hotspot?
• What if your jurisdiction has municipal wireless networking?
Test time
1. Can multiple wireless networks co-exist in the same room on the same channel? YES
2. Can multiple wireless networks co-exist in the same room on the same channel with the same SSID name? YES
3. Do users have the ability to control which wireless networks they use? YES
4. Can you remotely detect which wireless network a computer is attached to? YES
5. Can a wireless access point control which laptops connect to it? YES
Test time (2)
6. Can a wireless access point control which wireless networks a laptop connects to? NO
7. Can a laptop be remotely disconnected from a wireless network? YES
8. Does WEP encryption protect the MAC address? NO
9. Does WPA encryption protect the MAC address while in transit? NO
10. Do freeware solutions exist to find wireless networks? YES
Test time (3)
11. If my wireless card is not attached to any network, will it still search for networks I have attached to in the past? YES
12. Do freeware solutions exist to find hidden networks? YES
13. Do freeware solutions exist to defeat wireless encryption? YES
14. Can a laptop be attached to both a wired and a wireless network at the same time? YES
15. Can a stolen laptop be tracked by wireless? YES
Law Enforcement Issues
• Does the house have a wireless AP?
• Is the suspect actually accessing the network from someone else's wireless network?
• Does the house have wireless disk drives?
• Check passively?
• Are non-standard cards being used?
• a vs. b vs. g networks?
• MIMO and other range extenders?
• Signal strength as a piece of forensic data?
• Others?
Case start
• iPhone left in a movie theater (after Sherlock Holmes, no less)
• Popcorn guy didn't turn the phone in
• He tried a research app that uses GPS
• I disabled phone access
• He deleted my email
• I disabled email access
• Located with GPS, WiFi (FiOS) IP accesses to my email server, and WiFi sniffing
• Phone recovered, case pending
• Lost/Stolen iPhone
  – iPhones are 3G and WiFi capable.
• Typical owner response?
  – Turn off cell service.
• Well, the iPhone can still be used on WiFi networks, right?
Still being used
• The case changed from a lost to a stolen iPhone when the owner noticed that his emails were being deleted.
• The phone also had a research application called airgrafiti that collected GPS coordinates.
• Could this phone be found?
Cellular aside
• AT&T store says a lot are stolen
• No provision offered to blacklist the phone
  – I believe this is done in Europe
• AT&T should be able to locate the phone
  – Has device/subscriber registration data (ESN/MIN pair on CDMA; IMEI/IMSI on a GSM network such as AT&T's) and tower data.
• AGPS data and tower interaction
  – Tower positioning data
• National MAC address registry?
  – Useful in WiFi cases especially
  – The existing IEEE OUI registry maps only the vendor prefix of a MAC address to a manufacturer, not an individual device to an owner.
• Expectation of privacy with a stolen iPhone?
  – None in NJ
MAC address
• The owner had the MAC address for the wireless card.
  – MAC addresses should be unique.
  – MAC addresses can be spoofed, but we thought that unlikely with an iPhone.
• Just listen for the MAC address.
APFinder4
• We have been working on AP-Finder, and this seemed like a perfect opportunity to exercise it in the wild.
• Taking the GPS data, drove around the neighborhood looking for the MAC address.
• Remember, we are looking for the MAC address of the client, not of the Access Point.
MAC search
The basics on wireless
• IEEE 802.11(b) and (g)
  – 2.4 GHz
  – 11 channels in the US, 14 in other places (only 3 of them non-overlapping)
  – 11 Mbit/s to 54 Mbit/s
• IEEE 802.11(a)
  – 5 GHz
  – 16 channels
  – 54 Mbit/s
• Signals can travel far, as long as you have a good receive antenna.
Network types
• "Managed" (infrastructure) networks
  – Clients talk to an access point.
  – Very common type of network.
  – Easy to set up.
• Peer-to-peer (ad hoc) networks
  – Computers talk to each other directly.
  – Usually more difficult to set up.
Signal strength issues
• Good for distance “estimation”
• Not good for triangulation
The theory
• Signal emanates from transmission source spherically with a specific power, say 100 mW.
• With time, the sphere gets larger
Conservation of power
• The power per unit of area gets smaller as the sphere gets larger.
• This gives us a simple formula for distance based upon signal strength.

$P_{received} = \dfrac{P_{transmit}}{4\pi\,\mathrm{Dist}^{2}}$

$\mathrm{Dist} = \sqrt{\dfrac{P_{transmit}}{4\pi\,P_{received}}}$

• Caveat: this treats the received power as the power density on the sphere (power per unit area), so it ignores the receiving antenna's aperture and gain, the wavelength, walls and reflections. Use it for relative estimates (closer or farther), not for absolute distances.
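A worked version of the two formulas above, as an added example (not the deck's code). It converts a driver-reported RSSI in dBm to milliwatts, applies the deck's spherical-spreading formula with P_transmit = 100 mW, and beside it the Friis free-space equation, which adds the wavelength and antenna gains the simpler model leaves out; the 20 dBm transmit power, the 2.437 GHz channel and the unity gains are assumed values, not figures from the page. The last function brackets an estimate by a ±6 dB measurement error, which is where "good for estimation, not for triangulation" comes from.

```python
"""Distance from received signal strength: the deck's spherical model beside Friis."""
import math
from typing import Tuple

C = 299_792_458.0                 # speed of light, m/s


def dbm_to_mw(dbm: float) -> float:
    """Wi-Fi drivers report RSSI in dBm: power relative to 1 mW on a log scale."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)


def spherical_distance(rssi_dbm: float, tx_power_mw: float = 100.0) -> float:
    """The deck's formula, Dist = sqrt(P_transmit / (4*pi*P_received)).
    Received power is treated as power per unit area on a sphere of radius
    Dist, so there is no antenna aperture or gain in it: relative use only."""
    p_rx = dbm_to_mw(rssi_dbm)
    return math.sqrt(tx_power_mw / (4 * math.pi * p_rx))


def friis_distance(rssi_dbm: float, tx_power_dbm: float = 20.0,
                   freq_hz: float = 2.437e9, g_tx: float = 1.0, g_rx: float = 1.0) -> float:
    """Free-space (line-of-sight) distance from the Friis equation
    P_rx = P_tx * G_tx * G_rx * (lambda / (4*pi*d))^2, solved for d.
    Assumed defaults: 2.437 GHz is 802.11b/g channel 6; 20 dBm (100 mW)
    is a typical client transmit power; isotropic antennas."""
    lam = C / freq_hz
    ratio = dbm_to_mw(tx_power_dbm) * g_tx * g_rx / dbm_to_mw(rssi_dbm)
    return lam / (4 * math.pi) * math.sqrt(ratio)


def distance_bounds(rssi_dbm: float, error_db: float = 6.0, **kw) -> Tuple[float, float]:
    """Free-space estimate bracketed by an RSSI error of +/- error_db.
    Distance scales with 10^(dB/20), so a 6 dB error moves the estimate by a
    factor of two each way; that spread is why RSSI gives a rough distance
    but not a position."""
    return friis_distance(rssi_dbm + error_db, **kw), friis_distance(rssi_dbm - error_db, **kw)


if __name__ == "__main__":
    for rssi in (-30, -40, -50, -60, -70):
        lo, hi = distance_bounds(rssi)
        print(f"{rssi:4d} dBm  spherical={spherical_distance(rssi):8.1f} m"
              f"  friis={friis_distance(rssi):6.1f} m  (+/-6 dB: {lo:.1f}..{hi:.1f} m)")
```

The spherical model returns numbers hundreds of times larger than the Friis figure for the same RSSI, because it quietly assumes a one-square-metre receiving aperture; neither model knows about the steel wall on the next slide, so both are a ranking of readings, not a ruler.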
Signal reflection
[Figure: an AP and a receiver with a steel wall between them. Legend: blocked signal, primary signal, secondary signal; strongest, medium and weakest signal. The direct (primary) path is blocked by the wall, so what the receiver measures is the reflected secondary signal.]
Wireless conversations
• A pairing of an Access Point with a wireless client.
  – Can be viewed in real time
  – Can be discovered "forensically".
Probing client
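The "wireless conversation" pairing and the probing-client behaviour (questions 11 and 12 of the test) in code, as an added example; this is not CyanLine's AP-Finder or any tool named in the deck. It parses the 802.11 MAC header of each captured frame, decides from the ToDS/FromDS bits which address is the client and which the BSSID, pulls the SSID out of probe requests, probe responses and beacons, and reports every frame in which a target MAC appears as the client. The MAC addresses, the SSID "HomeNet1" and the capture itself are constructed for the example; a real capture would come from a monitor-mode interface with the radiotap header already stripped.

```python
"""Find a specific Wi-Fi client (not the AP) by MAC address in raw 802.11 frames."""
import struct
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed addresses for this example: the sought phone, an AP, a bystander.
TARGET = "00:23:6c:1a:2b:3c"
AP = "00:1f:33:aa:bb:cc"
OTHER = "00:16:cb:77:88:99"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) set: not a factory-burned address.
    MAC changers often set it; a clear bit proves nothing, since a spoofer
    can copy a real vendor prefix."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_ssid_ie(body: bytes) -> Optional[str]:
    """Walk the (tag, length, value) elements and return the SSID (tag 0)."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + length].decode("utf-8", "replace") or "<wildcard>"
        i += 2 + length
    return None


def parse_80211(frame: bytes) -> Optional[dict]:
    """Decode the MAC header and decide which address is the client.
    The header is never encrypted: the Protected flag covers only the body,
    so WEP/WPA hide the payload but not who is talking to whom."""
    if len(frame) < 24:                      # ACK/CTS carry only addr1; skip
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    info = {"protected": bool(fc & 0x4000), "ssid": None, "client": None, "bssid": None}
    if ftype == 2:                           # data: roles depend on ToDS/FromDS
        if to_ds and not from_ds:            # station -> AP: addr1=BSSID, addr2=SA
            info.update(client=a2, bssid=a1, direction="from-sta")
        elif from_ds and not to_ds:          # AP -> station: addr1=DA, addr2=BSSID
            info.update(client=a1, bssid=a2, direction="from-ap")
        elif not to_ds and not from_ds:      # ad hoc (IBSS): addr3=BSSID
            info.update(client=a2, bssid=a3, direction="ibss")
        else:                                # WDS bridge-to-bridge: no client
            info.update(direction="wds")
    elif ftype == 0:                         # management: addr2=SA, addr3=BSSID
        if a2 == a3:                         # sent by the AP (beacon, probe response)
            info.update(client=None if a1 == BROADCAST else a1, bssid=a3, direction="from-ap")
        else:                                # sent by a station (probe/assoc request)
            info.update(client=a2, bssid=a3, direction="from-sta")
        if subtype == 4:                     # probe request: body starts with SSID IE
            info["ssid"] = parse_ssid_ie(frame[24:])
        elif subtype in (5, 8):              # probe response / beacon: 12 fixed bytes first
            info["ssid"] = parse_ssid_ie(frame[36:])
    else:
        return None                          # other control frames
    return info


def sightings(frames: List[bytes], mac: str) -> List[dict]:
    """Frames in which `mac` is the client, with the BSSID it spoke to and, for
    probe traffic, the network name. An idle phone's probe requests name the
    networks it joined before, so it gives itself away without associating."""
    hits = []
    for frame in frames:
        info = parse_80211(frame)
        if info and info["client"] == mac:
            hits.append(info)
    return hits


def build_frame(fc: int, a1: str, a2: str, a3: str, body: bytes = b"") -> bytes:
    """Frame control, duration, addr1-3, sequence control, then the body."""
    return struct.pack("<HH", fc, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00" + body


SSID_IE = b"\x00\x08HomeNet1"                # tag 0, length 8, constructed SSID
FIXED12 = b"\x00" * 12                       # timestamp, beacon interval, capability
SAMPLE_FRAMES = [                            # constructed capture, not a real one
    build_frame(0x0040, BROADCAST, TARGET, BROADCAST, SSID_IE),    # probe request, phone
    build_frame(0x0050, TARGET, AP, AP, FIXED12 + SSID_IE),        # probe response to phone
    build_frame(0x0080, BROADCAST, AP, AP, FIXED12 + SSID_IE),     # beacon from AP
    build_frame(0x4108, AP, TARGET, AP, b"\xde\xad\xbe\xef" * 4),  # WPA data, phone -> AP
    build_frame(0x0208, OTHER, AP, AP, b"\x00" * 16),              # data, AP -> other client
]

if __name__ == "__main__":
    for hit in sightings(SAMPLE_FRAMES, TARGET):
        print(hit)
```

Feed it frames from a monitor-mode interface: tcpdump's filter `wlan addr2 <mac>` selects frames transmitted by that station, and Kismet shows the same client-to-BSSID pairings live. The WPA-protected data frame in the sample is still matched by address, which is the practical content of questions 8 and 9: encryption covers the body, never the header.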
• House located…
• And it was not the one identified by GPS.
Result…
• Charged with fourth degree theft, and third degree computer crime.
Other options?
• Subpoena the carrier for location information.
  – Would have worked. In fact, we used it to confirm the data.
  – Only useful if you have the IP address of the access, which we had because the owner was running his own email server.
Access the router
• Almost all of these routers have no permanent disk storage; the DHCP lease and NAT tables live in RAM (the configuration may sit in flash, but the runtime state does not).
  – Therefore, you need to access it while it is still powered.
  – The storage is volatile, so you need to move quickly: a reboot, or a lease expiring, destroys the evidence.
  – For the very skilled, you can access it remotely…
Access the router
• If you can gain access, be prepared to make screen snapshots.
  – Get the DHCP/MAC table, including expiration times.
  – Get the external IP address, including the last update/expiration time.
  – Get the permanent NAT address translation (port-forwarding) information.
• Unfortunately, it is different for each vendor.
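What that snapshot looks like once it is parsed, as an added example (not from the deck). It assumes a router whose DHCP server is dnsmasq, as in much consumer firmware, whose lease file holds one line per lease: expiry as epoch seconds (0 for a static lease), MAC, IP, hostname, client-id. The table, the addresses and the capture time are constructed. The point is the expiration column: the lease is the only record tying the MAC address to the internal IP, and it is gone when the timer runs out.

```python
"""Turn a router's DHCP lease table into an evidence record before it expires."""
from datetime import datetime, timezone
from typing import List, Optional

# Constructed lease table; on a dnsmasq router it would be /var/lib/misc/dnsmasq.leases
LEASES = """\
1262290740 00:23:6c:1a:2b:3c 192.168.1.104 iPhone 01:00:23:6c:1a:2b:3c
1262291100 00:1e:c2:aa:bb:cc 192.168.1.102 family-pc 01:00:1e:c2:aa:bb:cc
0 00:11:22:33:44:55 192.168.1.50 printer *
"""
CAPTURED_AT = 1262290000  # epoch seconds when the table was dumped (constructed)


def zulu(epoch: int) -> str:
    """Record times as UTC (Zulu) so the router's clock, the ISP's logs and
    the email server's logs can be lined up without time-zone arithmetic."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_leases(text: str, captured_at: int) -> List[dict]:
    """One dict per lease line; expiry 0 means a static (never-expiring) lease."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry = int(parts[0])
        rows.append({
            "mac": parts[1].lower(),
            "ip": parts[2],
            "hostname": parts[3],
            "client_id": parts[4] if len(parts) > 4 else "*",
            "static": expiry == 0,
            "expires": None if expiry == 0 else zulu(expiry),
            "seconds_left": None if expiry == 0 else expiry - captured_at,
            "captured": zulu(captured_at),
        })
    return rows


def find_lease(rows: List[dict], mac: str) -> Optional[dict]:
    mac = mac.lower()
    return next((r for r in rows if r["mac"] == mac), None)


def evidence_record(text: str, mac: str, captured_at: int) -> Optional[dict]:
    """The lease for `mac`, plus a note on how long the volatile entry survives."""
    row = find_lease(parse_leases(text, captured_at), mac)
    if row is None:
        return None
    if row["static"]:
        row["note"] = "static lease; survives until the configuration changes"
    elif row["seconds_left"] <= 0:
        row["note"] = "lease already expired; entry may vanish on the next refresh"
    else:
        row["note"] = f"dynamic lease; {row['seconds_left']} s left"
    return row


if __name__ == "__main__":
    print(evidence_record(LEASES, "00:23:6C:1A:2B:3C", CAPTURED_AT))
```

Other firmware keeps the same facts in a different shape (a web page, a `udhcpd.leases` binary file, or a `show ip dhcp binding` style listing), which is the "different for each vendor" problem: the parser changes, the fields worth capturing do not.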
A little test
• It’s about user behavior
• Set it up and they shall come…
Forensic challenges
• What can be spoofed.
• What can be cracked.
  – WEP keys
• What can not be spoofed?
  – Power levels
• MIMO technology and implications.
• Info in wireless connector
Open Issues
• Can wireless be monitored passively?
• Can wireless be monitored legally?
• Which tools to use?
• Which tools to avoid?
Freeware Wireless Tools…
• Sniffers
  – Tcpdump
  – Wireshark
• Break encryption
  – WEPcrack (WEP)
  – Asleap (Cisco LEAP)
• AP tools
  – Hostap
  – Fakeap
  – APhopper
• Network discovery
  – Kismet
  – Netstumbler (Windows)
Wireless Encryption
• If you have the key, you can listen to all the traffic on the network.
  – So, WEP/WPA give you a little privacy, but not a lot.
  – WEP uses one shared key for every station. WPA/WPA2-PSK derives a per-client key, but anyone who holds the passphrase and also captures that client's 4-way handshake can decrypt its traffic.
Some more existing tools
• MAC address changing
  – Using MacAddressChanger.exe
  – Using TMAC
• Cracking WEP keys.
  – aircrack-ptw can crack WEP in less than a minute.
• Traffic monitoring
  – Wireless sniffing
• Karma
  – Allows a user to set up their own base station on their laptop: it answers clients' probe requests with whatever SSID they ask for, so a probing client joins the attacker's AP believing it is a network it already knows.