The Information Security Professionals
Wireless Hotspot Security and Client Attacks
Almerindo Graziano
www.silensec.com
The Menu :-)
• The WiFi Explosion
• Common misconceptions
• Wireless hotspot attacks
• Wireless client attacks
• Rogue access points
• WEP insecurity
• WPA security
• General recommendations
About Silensec
• IT Governance
  – ISO 27001 implementation
  – Gap analysis
  – Risk management
• Penetration Testing
  – Web apps, systems, networks
• Security Training
  – BSI ISO 27001, BS25999
  – SANS Wireless Security, Hacking Techniques
Common Misconceptions
• We do not use/allow wireless networks
• Our network is secure
• We use firewalls
• We use VPN
• Nobody would attack us
Mobile Phones Explosion
• Over 100 mobile phone handsets with Wi-Fi capability (June 2007)
• 213 million Wi-Fi chipsets shipped worldwide in 2007 (32% growth)
• 20% of the total chipset market by 2009
• Dual-mode phones in 2008
  – Bypass mobile operator
  – Skype mobile phones
Wifi in Everything!
• Digital cameras
• Mobile TVs
• Presentation projectors
• Stereos
• CCTV cameras
• Swipe card systems
• Medical monitoring equipment
• Portable digital players
Wireless Networks are Everywhere
Terminology
• Station (STA)
  – Laptop, PDA, mobile phone
• Access Point (AP)
  – Connects STAs to the main network
• Infrastructure Mode
  – Most common (home and corporate)
• Ad-Hoc Mode
  – Connecting STAs without an AP
(Diagram: Infrastructure Mode vs. Ad-Hoc Mode)
Terminology (2)
• WEP (Wired Equivalent Privacy)
  – WEP key (64, 128, 256, 512 bits)
  – WEP+
  – Dynamic WEP
• WPA and WPA2 (Wireless Protected Access)
  – Passphrase (8-63 characters)
Wireless Hotspots
• Provide public access to the Internet through wireless networks
• Public does NOT mean FREE
• Often located in airports, train stations, libraries, hotels, coffee bars
• Designed to be easy to use
  – Find the network
  – Click and connect
  – Authenticate and you are in!
Hotspot Example: T-Mobile
(Screenshot: T-Mobile hotspot login page, callout "Secure Connection")
Hotspot Example: T-Mobile (2)
(Screenshot: T-Mobile hotspot login page, callout "Enter Credentials")
Hotspot Security Risks
• Information disclosure
  – Most information is not encrypted and may be captured easily
• Identity theft
• Fraud and financial loss
• Compromise your computer
  – Expose personal info (contacts)
  – Catch a virus
• Back in the workplace
  – Expose even more personal info
  – Spread the virus
Wireless Isolation
• Commonly used by hotspots
• Most modern APs support it too
• Traffic between hotspot clients is not allowed
• Protects hotspot clients from possible malicious clients
• And anyway you have your firewall..
• What about non-connected clients?
DEMO
Wireless Client Attacks
Windows Preferred Network List (PNL)
• Includes networks created by the user
• Networks are also added when we connect to a new network (hotspot)
• Connection can be automatic or manual
Windows Preferred Network List (PNL)
• Will always connect to the networks higher on the list..
  – even if already connected to another network!
  – even if that network is more secure
• APs with stronger power are preferred
• User is not notified of the AP switch!
Dangerous Connections..
• New networks are added to the PNL
• If a new network is in range, Windows may connect to it
Rogue Access Points
• More powerful signal
• Karma-based
Power Rogue Access Point
• Windows wireless configuration
• AP chosen based on
  – position in the PNL
  – signal power
(Diagram: two APs both advertising the SSID "tmobile")
Power Rogue Access Points
DEMO
Client Attacks with Karma
• Powerful tool
• Responds to any probe request
• Comes with DHCP, DNS, web server
• Exploits clients which broadcast SSIDs with no security... hotspots
Judicious Karma
(Diagram: example Preferred Network List (PNL))
• CorpNet
• HomeNet
• Linksys
• tmobile
KARMA
DEMO
Wifizoo
• Gathers information passively
• No connection required
• Cookies
• Passwords from FTP, POP3 etc..
• ..and lots more
Wifizoo at Work..
DEMO
Wireless Hacking in the Skies..
• Just relax and enjoy the flight
• Watch a film on your laptop
• ...while you are being hacked...
• But don't you worry, there will be no interruption to your film entertainment
Parking Mode
• Found by Simple Nomad
• If DHCP fails to provide an IP address, interfaces with Link-Local configuration will auto-assign an address in the 169.254.0.0/16 range
• Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces
(Flowchart: Windows wireless auto-configuration)
  1. Scan for available networks (ANL)
  2. Try available PNL networks, in list order
  3. Connect to non-preferred nets? Yes: connect to available networks (ANL)
  4. No: any Ad-Hoc network in PNL? Yes: connect to the 1st Ad-Hoc network in the PNL
  5. No: set a random SSID and go into infrastructure mode (Parking Mode)
  6. Keep looking for preferred networks
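The flowchart above can be written down as a small decision procedure. The Python model below is an added example, not code from the presentation or from Microsoft: the Profile, Beacon and Decision structures, the profile names (CorpNet, tmobile, Linksys) and the BSSIDs are constructed, and the connect_non_preferred switch stands in for the Windows option to connect to non-preferred networks. Besides walking the five steps, it flags the risky cases from the PNL slides (an open profile that auto-connects accepts whichever AP advertises that SSID most strongly, since the SSID is the only thing matched) and checks whether an address falls in the 169.254.0.0/16 link-local range a parked adapter ends up with when DHCP fails.

```python
"""Model of the Windows wireless auto-configuration flow (Parking Mode slide).

Added example; the data structures and sample values are constructed
for illustration and are not part of the original presentation.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Profile:
    """One entry of the Preferred Network List, in list order."""
    ssid: str
    auth: str                  # "open", "wep", "wpa-psk" or "wpa2-psk"
    adhoc: bool = False
    auto_connect: bool = True


@dataclass
class Beacon:
    """A network seen in the scan (the Available Network List)."""
    ssid: str
    bssid: str
    rssi_dbm: int              # closer to 0 means a stronger signal


@dataclass
class Decision:
    state: str                 # "preferred", "non-preferred", "adhoc" or "parked"
    ssid: Optional[str]
    bssid: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def is_link_local(addr: str) -> bool:
    """True for the APIPA range an adapter self-assigns when DHCP fails."""
    return ipaddress.ip_address(addr) in LINK_LOCAL


def choose_network(pnl: List[Profile], visible: List[Beacon],
                   connect_non_preferred: bool = False) -> Decision:
    """Walk the flowchart: PNL order first, then the fallbacks."""
    warnings: List[str] = []
    by_ssid: Dict[str, List[Beacon]] = {}
    for b in visible:
        by_ssid.setdefault(b.ssid, []).append(b)

    # Steps 1-2: scan, then try preferred networks in list order.  Among
    # APs sharing an SSID the strongest signal wins; nothing verifies
    # who operates that AP, only that the SSID matches the profile.
    for p in pnl:
        if p.adhoc or not p.auto_connect or p.ssid not in by_ssid:
            continue
        best = max(by_ssid[p.ssid], key=lambda b: b.rssi_dbm)
        if p.auth == "open":
            warnings.append(
                f"open profile {p.ssid!r} auto-connects: any AP advertising that SSID is accepted")
        return Decision("preferred", p.ssid, best.bssid, warnings)

    # Step 3: the "connect to non-preferred networks" option.
    if connect_non_preferred and visible:
        best = max(visible, key=lambda b: b.rssi_dbm)
        warnings.append(f"joined {best.ssid!r}, which is not in the PNL")
        return Decision("non-preferred", best.ssid, best.bssid, warnings)

    # Step 4: first ad-hoc network in the PNL, created if nobody else has.
    for p in pnl:
        if p.adhoc and p.auto_connect:
            warnings.append(
                f"ad-hoc profile {p.ssid!r} is advertised and joinable by nearby stations")
            return Decision("adhoc", p.ssid, None, warnings)

    # Step 5: parking mode - random SSID, adapter stays up, keep scanning.
    parked_ssid = secrets.token_hex(16)   # 32 characters, the SSID maximum
    warnings.append("parked on a random SSID; with DHCP unavailable the adapter "
                    "self-assigns a 169.254.x.x address and remains reachable")
    return Decision("parked", parked_ssid, None, warnings)


if __name__ == "__main__":
    # Constructed scenario: CorpNet is out of range, two APs announce "tmobile".
    pnl = [Profile("CorpNet", "wpa2-psk"),
           Profile("tmobile", "open"),
           Profile("Linksys", "open", adhoc=True)]
    seen = [Beacon("tmobile", "00:11:22:33:44:55", -70),
            Beacon("tmobile", "66:77:88:99:aa:bb", -40)]
    d = choose_network(pnl, seen)
    print(d.state, d.ssid, d.bssid)
    for w in d.warnings:
        print("  warning:", w)
    d = choose_network(pnl, [])              # nothing in range at all
    print(d.state, d.ssid)
    print("169.254.12.7 link-local:", is_link_local("169.254.12.7"))
```

The warnings list is the defensive output: a profile audit that reports open auto-connect entries, joinable ad-hoc entries and the parked state is exactly what the later tips (uncheck automatic connection to unprotected networks, switch the card off when not needed) are meant to address.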
Windows Wireless Client Update
• Hotfix described in KB917021
• Non-broadcast networks
  – Allows a network to be set as non-broadcast by ticking "Connect even if the network is not broadcasting"
  – WAC only sends probe requests for non-broadcast networks
  – Preferred broadcast networks in the PNL are not advertised
• Parking behaviour
  – Security configuration is passed onto the wireless adapter driver, using the most secure encryption method that the wireless network adapter supports (including a random encryption key)
• Ad-hoc
  – Manual connection
  – WAC doesn't probe ad-hoc SSIDs contained in the PNL
Windows Wireless Client Update (ctd.)
• Not included in SP2
• Many clients have not installed it
• Parking mode is driver-dependent
  – Most drivers still use no security
• You can still override secure default settings
Vista Wireless
• Vista allows non-broadcast wireless networks to be defined
  – Listed as "Unnamed Network"
• WAC will try to connect to wireless networks in the order they are listed in the PNL, whether they are broadcast or not
• Supports ad-hoc using WPA2-PSK
  – Strong passphrase selection
Hotspot Security Tips
• Double-check the name and presence of an official hotspot network where the service is provided
• Remember that the majority of hotspots do not ensure data confidentiality
• Always look out for a padlock and https sign on the hotspot login page
• Do NOT implicitly trust advertised "Free Public WiFi"
WEP
• WEP IS DEAD
• You MUST NOT use it
• Equivalent to no security (almost)
• Aircrack-ptw: < 1 minute
WPA and WPA2
• WPA
  – Stronger security, maintaining hardware compatibility
• WPA2
  – Even stronger security
  – Needs new hardware
WPA Personal/WPA-PSK
• Both WPA and WPA2 can be used with a passphrase (8-63 characters)
• Weak passphrases offer WEP-like protection.. NONE
• Use a strong password generator (free: https://www.grc.com/passwords.htm)
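Why a weak passphrase gives no protection follows from how WPA-PSK turns it into a key: the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations), so it is fully determined by two values that never change for the life of the network. The Python below is an added example, not code from the presentation or from any vendor tool; the derivation is the one 802.11i specifies, while the 8-63 printable-ASCII check, the rough entropy estimate and the secrets-based generator (20+ characters, as the home tips later in the deck advise) are illustrative choices of this example.

```python
"""WPA/WPA2-PSK passphrase handling: validation, PSK derivation, generation.

Added example, not code from the presentation.  The PSK derivation is
the one 802.11i defines (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit
output, SSID as salt); the strength estimate and the generator are
illustrative choices of this example.
"""
import hashlib
import math
import secrets
import string


def valid_wpa_passphrase(passphrase: str) -> bool:
    """802.11i passphrases are 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).

    The result depends only on the passphrase and the SSID, both fixed for
    the life of the network, which is why a guessable passphrase gives the
    network no real protection.
    """
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Optimistic estimate: length * log2(size of the character classes used).

    Dictionary words score far lower in practice; treat this as an upper bound.
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c == " " or c in string.punctuation for c in passphrase):
        pool += 33                       # space plus the 32 ASCII punctuation marks
    return len(passphrase) * math.log2(pool) if pool else 0.0


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the full printable set; 20+ characters recommended."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8-63 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    for p in ("password", generate_passphrase(20)):
        print(f"{p!r}: ~{passphrase_entropy_bits(p):.0f} bits")
```

The printed PSK for the 802.11i test vector is f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e; the entropy figures make the slide's point concrete, since an eight-letter lowercase word is worth under 40 bits while a generated 20-character passphrase is above 90 even on the lowest-alphabet assumption.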
Wireless Security Tips – At Home
• Change default values
  – IP addresses
  – Admin passwords
• Adjust the power output of your access point if possible
• Use MAC address filtering
• Change the default SSID
• Enable WPA/WPA2
• Use a strong passphrase (20+ characters)
• Set AP configuration to HTTPS if possible
Wireless Security Tips – On the move
• Switch off your wireless card if not needed
• Do not connect automatically to wireless networks (nothing comes free)
• Change your personal firewall settings to not trust the local network
• Be on your guard
General Wireless Security Tips
• Download and install the MS wireless update
• Uncheck automatic connection to unprotected networks
• Keep your computers patched all the time
• Remember that hotspot networks are not secure
Questions?