Chapter 5: Protecting Wireless Networks (Security+). Modified 9/13/2016 - jw
TJX Data Breach TJX used WEP security They lost 45 million customer records They settled the lawsuits for $40.9 million http://www.bankinfosecurity.com/articles.php?art_id=791
Man charged with hacking neighbor's Wi-Fi http://www.networkworld.com/article/2212621/malware-cybercrime/man-charged-with-hacking-neighbor-s-wi-fi-to-threaten-biden.html
Wireless router hijacked for child pornography Sarasota attorney Malcolm Riddell’s wireless router was used by a boat captain in Sarasota Bay, FL to download 10 million files of child pornography http://www.heraldtribune.com/article/20110131/ARTICLE/101311038
Chapter 5: Protecting Wireless Networks Describe the different types of wireless network attacks List the vulnerabilities in IEEE 802.11 security Explain the solutions for securing a wireless network
Introduction Wireless data communications have revolutionized computer networking Benefits of Wireless Increased flexibility Increased productivity Reduced costs Ability to grow and adapt to changing requirements 4.1.1.2 Benefits of Wireless
Introduction continued Wireless data networks have been targets for attackers Attacks can be directed against: Bluetooth systems Near field communication devices Wireless local area networks
Wireless Technologies
Bluetooth: An IEEE 802.15 WPAN standard; a Personal Area Network (PAN) technology. Uses a device-pairing process for wireless, virtually instant communication over distances up to .05 mile (100 m). Uses short-range radio frequency transmissions. Provides for rapid, ad-hoc device pairings. Example: smartphone and Bluetooth headphones.
Cars Hands-free Calling Drive Smart, Drive Safe Consumer Electronics Music Photos & Video Home Entertainment Computers Health & Fitness Medical & Health Devices Sports & Fitness Devices Phones Smart Home http://www.bluetooth.com/Pages/Product-Directory.aspx
Bluetooth Two types of Bluetooth network topologies Piconet Scatternet
Bluetooth (cont’d.) Piconet Established when two Bluetooth devices come within range of each other One device (master) controls all wireless traffic Other device (slave) takes commands Active slaves can send transmissions Parked slaves are connected but not actively participating
Bluetooth (cont’d.) Scatternet Group of piconets with connections between different piconets Bluetooth scatternet © Cengage Learning 2012
Bluetooth Attacks Bluejacking Attack that sends unsolicited messages to Bluetooth-enabled devices Text messages, images, or sounds Considered more annoying than harmful No data is stolen
Bluetooth Attacks (cont’d.) Bluesnarfing Unauthorized access to wireless information through a Bluetooth connection Often between cell phones and laptops Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without owner’s knowledge
Bluetooth Attacks (cont’d.) Bluebugging: Similar to Bluesnarfing, but the attacker has full unauthorized access to a wireless device through a Bluetooth connection. http://www.localsyr.com/content/news/real_deal/story/BBB-warns-of-Bluetooth-hacking-scams-The-Real-Deal/d/story/eAAJq9Dsu02cjD4ZZ8HKjQ
Near Field Communication (NFC): Low speed and low power technology for smartphones and smart cards. Used to establish communication between devices in close proximity. Once devices are tapped together or brought within several centimeters of each other, two-way communication is established. NFC’s ease of use opened the door for a wide range of practical short-range communications.
NFC Contactless Payment: NFC devices are increasingly used in contactless payment systems so a consumer can pay for a purchase by tapping the store’s payment terminal with a smartphone. Users store credit card and/or store loyalty card information in a “virtual wallet” on the smartphone to pay for purchases at an NFC-enabled point-of-sale (PoS) checkout device. NFC contactless payment systems have risks because of the nature of this technology.
NFC Contactless Payment System. Contactless Payment System (Figure 9-3): A hand holding a smartphone is held inches above a point-of-sale terminal.
NFC risks and defenses (Table 9-2). Columns: Vulnerability, Explanation, Defense.
Eavesdropping. Explanation: The NFC communication between device and terminal can be intercepted and viewed. Defense: Because an attacker must be extremely close to pick up the signal, users should be aware of this. Also, some NFC applications can perform encryption.
Data manipulation. Explanation: Attackers can jam an NFC signal so transmission cannot occur. Defense: Some NFC devices can monitor for data manipulation attacks.
Man-in-the-middle attack. Explanation: An attacker can intercept the NFC communications between devices and forge a fictitious response. Defense: Devices can be configured in active-passive pairing so one device only sends while the other can only receive.
Device theft. Explanation: The theft or loss of a smartphone could allow an attacker to use that phone for purchases. Defense: Smartphones should be protected with passwords or PINs.
Wireless Application Protocol Data transmission standard for accessing information over a mobile wireless network equivalent to TCP/IP A WAP browser is a web browser for mobile devices such as mobile phones that use WAP. Considered to be legacy because of HTML browsers on mobile devices
Institute of Electrical and Electronics Engineers (IEEE) In the early 1980s, the IEEE began work on developing computer network architecture standards This work was called Project 802
Institute of Electrical and Electronics Engineers (IEEE) In 1990, the IEEE formed a committee to develop a standard for WLANs (Wireless Local Area Networks) At that time WLANs operated at a speed of 1 to 2 million bits per second (Mbps) In 1997, the IEEE approved the IEEE 802.11 WLAN standard
IEEE 802.11 WLAN Standard Revisions: IEEE 802.11a – 54Mbps 5GHz: Specifies maximum rated speed of 54Mbps using the 5GHz spectrum. IEEE 802.11b – 11Mbps 2.4GHz: Ratified in 1999. IEEE 802.11g – 54Mbps 2.4GHz: Preserves stable and widely accepted features of 802.11b; increases data transfer rates similar to 802.11a.
IEEE 802.11 WLAN Standard Revisions continued IEEE 802.11n – >100Mbps 2.4 & 5GHz Ratified in 2009 Improvements in IEEE 802.11n Multiple input/multiple output (MIMO) Speed – minimum 100Mbps Throughput Coverage area Interference Security
IEEE 802.11 WLAN Standard Revisions continued: IEEE 802.11ac – Gigabit Wi-Fi 5GHz: Expected throughput of at least 1Gbps; initial products – up to 500Mbps throughput. IEEE 802.11ad – WiGig: Operates in 2.4GHz, 5GHz and 60GHz; up to 7Gbps within line of sight using 60GHz; initial products in 2015.
802.11 Standards 4.1.1.5 802.11 Standards
Wireless NICs Wireless deployment requires: End devices with wireless NICs Infrastructure device, such as a wireless router or wireless AP 4.1.2.1 Wireless NICs
Access Points Access point (AP) major parts Antenna and radio transmitter/receiver send and receive wireless signals Bridging software to interface wireless devices to other devices Wired network interface allows it to connect by cable to standard wired network
Access Points (cont’d.) AP functions Acts as “base station” for wireless network Acts as a bridge between wireless and wired networks Can connect to wired network by a cable
Access Points (cont’d.) Autonomous access points (WAP) Separate from other network devices and access points Have necessary “intelligence” for wireless authentication, encryption, and management Thin access point or Lightweight access points (LWAP) An access point without the authentication and encryption functions These features reside on the wireless switch or wireless controller
Access Points (cont’d.) Wireless Router - Multi-function Device: Incorporates a switch, router, and wireless access point. Provides routing, switching and wireless connectivity. Wireless routers are simple in design and used in home networks, providing services such as NAT and DHCP. 11.5.1.1 Multi-function device 11.5.1.2 Types of Integrated Routers
Wireless Home Router A home user typically interconnects wireless devices using a small, integrated wireless router. These serve as: Wireless Access point Ethernet switch Router Firewall (Some Models) 4.1.2.2 Wireless Home Router
Access Points (cont’d.) Wireless networks have been vulnerable targets for attackers Not restricted to a physical location
Wireless Threats 4.3.1.1 Securing Wireless
Wireless LAN Attacks Types of wireless LAN attacks Discovering the network Attacks through the RF spectrum Attacks involving access points
Wireless LAN Attacks (cont’d.) Discovering the network One of the first steps in an attack is to discover presence of a network Beaconing APs send beacon frames at regular intervals to announce the SSID (network name) Wireless devices passively scan for beacon frames
War driving Process of passive discovery of wireless network locations Table 8-2 War driving tools
War chalking Documenting and then advertising location of wireless LANs for others to use Previously done by drawing on sidewalks or walls around network area Today, locations are posted on Web sites War chalking symbols © Cengage Learning 2012
Wireless LAN Attacks (cont’d.) Attacks through the RF spectrum: wireless protocol analyzer; generating interference. Wireless protocol analyzer: wireless traffic is captured to decode and analyze packet contents; the network interface card (NIC) adapter must be in the correct mode.
Wireless LAN Attacks (cont’d.) Six modes of wireless NICs Master (acting as an AP) Managed (client) Repeater Mesh Ad-hoc Monitor
Wireless LAN Attacks (cont’d.) Interference Signals from other devices can disrupt wireless transmissions Devices that can cause interference with a WLAN Microwave ovens Elevator motors Copy machines Outdoor lighting (certain types) Theft protection devices Bluetooth devices Other 802.11 Wireless Devices
Generating interference deliberately (jamming) requires a powerful transmitter.
Wireless LAN Attacks (cont’d.) Attacks using access points Rogue access points Evil twins Rogue access point Unauthorized access point that allows attacker to bypass network security configurations May be set up behind a firewall, opening the network to attacks
Rogue access point © Cengage Learning 2012
Wireless LAN Attacks (cont’d.) Man-in-the-Middle Attack “Evil twin AP” attack: A popular wireless MITM attack where an attacker introduces a rogue AP and configures it with the same SSID as a legitimate AP. Locations offering free Wi-Fi, such as airports, cafes, and restaurants, are hotbeds for this type of attack due to the open authentication. Connecting wireless clients would see two APs offering wireless access. Those near the rogue AP find the stronger signal and most likely associate with the evil twin AP. User traffic is now sent to the rogue AP, which in turn captures the data and forwards it to the legitimate AP. Return traffic from the legitimate AP is sent to the rogue AP, captured, and then forwarded to the unsuspecting STA. 4.3.1.4 Man-in-the-Middle Attack
Vulnerabilities of IEEE 802.11 Security Original IEEE 802.11 committee recognized wireless transmissions could be vulnerable Implemented several wireless security protections in the standard Left others to WLAN vendor’s discretion Protections were vulnerable and led to multiple attacks
MAC Address Filtering Method of limiting / controlling WLAN access Media Access Control (MAC) address filtering Used by nearly all wireless AP vendors Permits or blocks device based on MAC address
MAC Address Filtering
MAC Address Filtering Usually implemented by permitting instead of preventing
MAC Address Filtering Weaknesses Addresses exchanged in unencrypted format An attacker can just sniff for MACs Scalability Issues - Managing a large number of MAC addresses is difficult MAC address filtering does not provide a means to temporarily allow a guest user to access the network Other than manually entering the user’s MAC address into the access point
MAC Address Filtering Weaknesses: MAC Address Spoofing – Easy to accomplish since many operating systems have built-in tools. Technitium’s freeware MAC Address Changer software allows you to change the Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. Supports - Windows 2000/XP/Server 2003/Vista/Server 2008/7/Server 2008 R2/8/Server 2012 http://www.technitium.com/
SSID Broadcast Each device must be authenticated prior to connecting to the WLAN Open system authentication Device discovers wireless network and sends association request frame to AP Frame carries Service Set Identifier (SSID) User-supplied network name Can be any alphanumeric string 2-32 characters long AP compares SSID with actual SSID of network If the two match, wireless device is authenticated
Open System Authentication
SSID Broadcast (cont’d.) Open system authentication is weak Based only on match of SSIDs Attacker can wait for the SSID to be broadcast by the AP Users can configure APs to prevent beacon frame from including the SSID Provides only a weak degree of security Can be discovered when transmitted in other frames Older versions of Windows XP have an added vulnerability if this approach is used
Turning Off Beaconing For "security" some people turn off beacons This can annoy your legitimate users, who must now type in the SSID to connect It doesn't stop intruders, because the SSID is sent out in management frames anyway It can also affect roaming Many Operating Systems prefer networks that broadcast
Wired Equivalent Privacy (WEP) IEEE 802.11 security protocol Designed to ensure that only authorized parties can view transmitted wireless information Encrypts plaintext into ciphertext Uses encryption to protect traffic WEP was designed to be: Efficient and reasonably strong Secret key is shared between wireless client device and AP Key used to encrypt and decrypt packets
Wired Equivalent Privacy (WEP) WEP vulnerabilities WEP can only use 64-bit or 128-bit number to encrypt Initialization vector (IV) is only 24 of those bits Short length makes it easier to break
WEP encryption process © Cengage Learning 2012
Wired Equivalent Privacy (cont’d.) WEP vulnerabilities (cont’d.) Violates cardinal rule of cryptography: avoid a detectable pattern Attackers can see duplication when IVs start repeating Keystream attack (or IV attack) Attacker identifies two packets derived from same IV Uses XOR to discover plaintext
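As an added example (not from the slides), the following Python shows why a 24-bit IV repeats quickly and why two packets encrypted under the same IV leak plaintext through XOR; the keystream function is a constructed stand-in, not RC4, and the key and packets are constructed.

```python
"""Added example (not from the slides): why WEP's 24-bit IV is too short and
why a repeated IV leaks plaintext. toy_keystream is a constructed stand-in for
RC4(IV || key); the XOR property shown holds for any stream cipher."""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible IVs for a given WEP key


def packets_until_iv_repeat(probability: float = 0.5) -> int:
    """Birthday bound: number of packets after which some IV has repeated with
    the given probability, n ~ sqrt(2 * N * ln(1 / (1 - p))).
    For p = 0.5 this is under 5,000 packets, i.e. seconds on a busy AP."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))


def toy_keystream(iv: bytes, key: bytes, length: int) -> bytes:
    """Constructed stand-in for the per-packet keystream (NOT RC4, NOT secure).
    The only property that matters here: same (IV, key) -> same keystream."""
    seed = iv + key
    return bytes((seed[i % len(seed)] + 31 * i) & 0xFF for i in range(length))


def wep_like_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream, as in WEP (ICV omitted)."""
    ks = toy_keystream(iv, key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_reused_iv(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """The keystream (IV) attack from the slide: with a shared IV,
    c1 XOR c2 == p1 XOR p2, so a predictable p1 (a fixed header, say)
    reveals p2 without the key ever being learned."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo() -> bytes:
    """Two constructed packets share an IV; the second payload is recovered."""
    key = b"\x0b\xad\xc0\xff\xee"  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"           # the IV that repeats
    p1 = b"KNOWNHDR"               # constructed predictable plaintext
    p2 = b"hostname"               # constructed secret payload, same length
    c1 = wep_like_encrypt(iv, key, p1)
    c2 = wep_like_encrypt(iv, key, p2)
    return recover_with_reused_iv(c1, c2, p1)  # returns p2
```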
Cracking WEP: With the right equipment, WEP can be cracked in just a few minutes. You need a supported wireless card. Tools: Kismet, Aircrack-ng.
Wi-Fi Protected Setup (WPS): Optional means of configuring security on wireless local area networks. Designed to help users with limited knowledge of security to quickly and easily implement security on their WLANs. Accomplished by pushing a button or entering a PIN. Design and implementation flaws in WPS using the PIN method make it vulnerable.
Wireless Security Solutions Unified approach to WLAN security was needed IEEE and Wi-Fi Alliance began developing security solutions Resulting standards used today IEEE 802.11i WPA and WPA2
Wi-Fi Protected Access (WPA): Introduced in 2003 by the Wi-Fi Alliance. A subset of IEEE 802.11i. Design goal: protect present and future wireless devices. Temporal Key Integrity Protocol (TKIP) Encryption: Used in WPA. Uses a longer 128-bit key than WEP. Dynamically generated for each new packet.
Wi-Fi Protected Access (cont’d.) Preshared Key (PSK) Authentication After AP configured, client device must have same key value entered Key is shared prior to communication taking place Uses a passphrase to generate encryption key Key must be entered into both the access point and all wireless devices Not used for encryption Instead, it serves as the starting point (seed) for mathematically generating the encryption keys
Wi-Fi Protected Access (cont’d.) WPA also supports Enterprise Authentication: Requires a Remote Authentication Dial-In User Service (RADIUS) authentication server. Provides additional security. Users must authenticate using the 802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication. 4.3.2.4 Authenticating a Home User
Wi-Fi Protected Access (cont’d.) Vulnerabilities in WPA Key management Key sharing is done manually without security protection Keys must be changed on a regular basis Key must be disclosed to guest users Passphrases PSK passphrases of fewer than 20 characters subject to cracking
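The PSK slides above say the passphrase is only a seed and that short passphrases are weak; as an added example (not from the slides), this Python performs the passphrase-to-PSK derivation that IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt) and applies the slide's 20-character guidance as a policy check. The character-class check is an added assumption, not part of the slides.

```python
"""Added example (not from the slides): how a WPA/WPA2-Personal passphrase
becomes the 256-bit Pre-Shared Key. The derivation is the one IEEE 802.11i
specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes); the
20-character minimum in the policy check comes from the slide above."""
import hashlib
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits).
    The PSK is never used to encrypt frames directly; it seeds the 4-way
    handshake that derives the per-session keys (the 'seed' on the slide).
    Because the SSID is the salt, the same passphrase yields a different
    PSK on every network, but the derivation is fully deterministic."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_issues(passphrase: str, min_len: int = 20) -> list:
    """Policy findings a defender would flag before rolling out a PSK.
    Given a captured handshake, the passphrase is the only secret protecting
    the network, so length and variety are what matter.
    (Character-class rule is an added assumption, not from the slides.)"""
    issues = []
    if len(passphrase) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = [set(string.ascii_lowercase), set(string.ascii_uppercase),
               set(string.digits), set(string.punctuation)]
    if sum(1 for c in classes if c & set(passphrase)) < 3:
        issues.append("fewer than three character classes")
    return issues
```

The pair ("password", "IEEE") is a published 802.11i test vector, so the derivation can be checked against the standard.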
Cracking WPA: With the right equipment, WPA can be cracked in just a few minutes. You need a supported wireless card. Tools: Kismet, Aircrack-ng. Source: 3/21/2011 http://www.backtrack-linux.org/forums/
Wi-Fi Protected Access 2 (WPA2) Second generation of WPA known as WPA2 Introduced in 2004 Based on final IEEE 802.11i standard Uses Advanced Encryption Standard (AES) Supports both PSK (Personal) and IEEE 802.1x (Enterprise) authentication AES-CCMP Encryption Encryption protocol standard for WPA2 CCM is algorithm providing data privacy CBC-MAC component of CCMP provides data integrity and authentication
Wi-Fi Protected Access 2 (cont’d.) AES encryption and decryption should be performed in hardware because of its computationally intensive nature. IEEE 802.1x authentication: Originally developed for wired networks. Provides a greater degree of security by implementing port security. Blocks all traffic on a port-by-port basis until the client is authenticated. (Figure: RADIUS server, AP, client.)
Components Required for 802.1x Authentication Authentication server is an EAP-capable RADIUS server: Cisco Secure ACS, Microsoft IAS, Meetinghouse Aegis Local authentication service on Cisco IOS access point May use either local RADIUS database or an external database server such as Microsoft Active Directory Authenticator is an 802.1x-capable access point. Supplicant is an EAP-capable client: Requires 802.1x-capable driver Requires an EAP supplicant—either available with client card, native in operating system, or from third-party software This topology shows the components that a system needs for 802.1x authentication. An authentication server is required for 802.1x. 802.1x uses a RADIUS server to authenticate clients to the network. An authenticator can be a device such as a switch or an access point. This device operates on the enterprise edge, meaning that the device is the interface between the enterprise network and the public or semipublic network, where security is most needed. The client device contains a supplicant. The supplicant sends authentication credentials to the authenticator, and the authenticator then sends the information to the authentication server. At the authentication server, the login request is compared to a user database to determine whether and at what level the user is granted access to network resources.
Wi-Fi Protected Access 2 (cont’d.) Extensible Authentication Protocol (EAP): Authentication for the WPA2 Enterprise model uses the IEEE 802.1x standard. EAP is a framework for transporting authentication protocols; it defines the message format and uses four types of packets: Request, Response, Success, Failure. EAP was created as a more secure alternative to the weak Challenge-Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP). EAP is a framework, not an authentication protocol.
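As an added example (not from the slides), this Python parses and builds the four EAP packet types named above using the RFC 3748 layout (Code, Identifier, Length, and a Type field only on Request/Response); the supplicant/authenticator exchange and the identity "alice" are constructed sample data.

```python
"""Added example (not from the slides): parsing and building the EAP packets
carried inside 802.1X. Layout per RFC 3748: Code(1) Identifier(1)
Length(2, big-endian, whole packet) and, for Request/Response only, Type(1)
followed by Type-Data. All sample packets below are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few registered EAP method Types; LEAP (17) and PEAP (25) appear on the slides.
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success / Failure
    type_data: bytes

    def describe(self) -> str:
        kind = EAP_CODES[self.code]
        if self.eap_type is None:
            return f"{kind} id={self.identifier}"
        method = EAP_TYPES.get(self.eap_type, f"Type-{self.eap_type}")
        return f"{kind} id={self.identifier} {method} ({len(self.type_data)} bytes)"


def parse_eap(raw: bytes) -> EapPacket:
    """Strict parser: rejects unknown Codes, inconsistent Lengths, and a Type
    field on Success/Failure. Bytes beyond Length are padding and ignored."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(raw):
        raise ValueError(f"Length {length} inconsistent with {len(raw)} bytes")
    body = raw[4:length]
    if code in (3, 4):                       # Success / Failure
        if body:
            raise ValueError("Success/Failure must not carry a Type")
        return EapPacket(code, ident, None, b"")
    if not body:
        raise ValueError("Request/Response need a Type")
    return EapPacket(code, ident, body[0], bytes(body[1:]))


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Inverse of parse_eap; Length covers header plus Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed exchange: the authenticator asks for an identity, the supplicant
# answers, a method is started, and the server's verdict is relayed as Success.
SAMPLE_EXCHANGE = [
    build_eap(1, 7, 1),              # Request/Identity
    build_eap(2, 7, 1, b"alice"),    # Response/Identity "alice"
    build_eap(1, 8, 25),             # Request/PEAP (Type-Data omitted here)
    build_eap(3, 8),                 # Success
]


def identity_from_exchange(packets: List[bytes]) -> Optional[str]:
    """Return the identity the supplicant claimed, if a Response/Identity is
    present. Note this outer identity is unauthenticated until a method such
    as PEAP completes; logging should not treat it as verified."""
    for raw in packets:
        pkt = parse_eap(raw)
        if pkt.code == 2 and pkt.eap_type == 1:
            return pkt.type_data.decode("utf-8")
    return None
```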
EAP Protocols. Lightweight EAP (LEAP): Proprietary method developed by Cisco Systems. Requires mutual authentication used for WLAN encryption using Cisco client software. Can be vulnerable to specific types of attacks. No longer recommended by Cisco. Protected EAP (PEAP): Simplifies deployment of 802.1x by using Microsoft Windows logins and passwords. Creates an encrypted channel between client and authentication server.
Wireless Security Overview Use authentication and encryption to secure a wireless network. 4.3.2.1 Wireless Security Overview
Shared Key Authentication Methods
Table 8-3 Wireless security solutions
Enterprise Wireless Security Devices Thin Access Point or Lightweight Access Point (LWAP) An access point without the authentication and encryption functions These features reside on the wireless switch or wireless controller Advantages The APs can be managed from one central location All authentication is performed in the wireless switch
Enterprise Wireless Security Devices (continued) For larger organizations with many APs, controller-based managed solutions are used to simplify the wireless deployment. Using this architecture, APs are centrally managed from a controller in the cloud. 4.1.2.6 Large Wireless Deployment Solutions
Enterprise Wireless Security Devices (continued) 4.1.2.7 Large Wireless Deployment Solutions, Cont.
Enterprise Wireless Security Devices (continued) Wireless VLANs Can segment traffic and increase security The flexibility of a wireless VLAN depends on which device separates the packets and directs them to different networks
Enterprise Wireless Security Devices (continued) For enhanced security, set up two wireless VLANs One for employee access One for guest access
Site Survey: In-depth examination and analysis of a wireless LAN site. Several reasons for conducting a site survey (example: achieving best possible performance from WLAN). Can also be used to enhance security of WLAN. Survey can provide the optimum location of APs so the minimum amount of signal extends past the boundaries of the organization to be accessible to attackers.
Antenna Types. Antennas generally fall into two categories: Omnidirectional: radiate RF energy equally in all horizontal directions. Directional: radiate RF energy predominantly in one direction.
Antenna Types Vendor ranges are usually optimized for best conditions. A link distance can exceed standard distances, if consistently higher error rates are acceptable.
Antenna Types (cont’d.) Different types of antennas can be used to increase or reduce signals in certain directions.
Wireless Power Level Controls Wireless Power can be: Increased (gain) Decreased (loss) Wireless power levels become very small, very quickly after leaving the transmitting antenna. Wireless power levels do not decrease linearly with distance, but decrease inversely as the square of the distance increases.
Wireless Power Level Controls. Inverse Square Law: Signal strength does not fade in a linear manner, but inversely as the square of the distance. If you measure the signal level at a particular distance from an access point and then move twice as far away, the signal level will decrease by a factor of four. (Figure: Point B, at twice the distance of Point A, receives ¼ the power of Point A.)
Wireless Power Level Controls: As signal strength decreases, so will the transmission rate and the distances wireless signals travel. Reduce transmit power on the access point to limit wireless signal range.
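As an added example (not from the slides), this Python turns the inverse-square law from the previous slides and the site-survey goal of keeping signal inside the property boundary into a small planning helper: it predicts signal level at a distance from one reference measurement and computes how far AP transmit power must be cut. It assumes free-space fall-off only; the reference level, boundary distance and -70 dBm usability threshold are constructed.

```python
"""Added example (not from the slides): the inverse-square relationship turned
into a planning helper for access point power levels and site surveys.
Free-space fall-off only (walls and antennas ignored); the reference
measurement, boundary distance and -70 dBm threshold are constructed."""
import math


def relative_power(d_ref_m: float, d_m: float) -> float:
    """Received power at d relative to d_ref: (d_ref / d)^2.
    Doubling the distance returns 0.25 (the 'quarter of Point A' on the slide)."""
    return (d_ref_m / d_m) ** 2


def ratio_to_db(ratio: float) -> float:
    """Power ratio to decibels; 0.25 -> about -6.02 dB."""
    return 10 * math.log10(ratio)


def level_at_distance(ref_dbm: float, d_ref_m: float, d_m: float) -> float:
    """Predicted level in dBm at d_m, given a measured level at d_ref_m.
    Equivalent to ref_dbm - 20*log10(d_m / d_ref_m)."""
    return ref_dbm + ratio_to_db(relative_power(d_ref_m, d_m))


def range_scale_for_power_change(delta_db: float) -> float:
    """How the usable radius scales when transmit power changes by delta_db.
    Range grows with sqrt(power): -6 dB halves the radius, -3 dB gives 0.707."""
    return math.sqrt(10 ** (delta_db / 10))


def power_cut_to_contain(ref_dbm: float, d_ref_m: float,
                         boundary_m: float, threshold_dbm: float = -70.0) -> float:
    """dB by which AP transmit power must be reduced so the predicted level at
    the property boundary is at or below threshold_dbm (0.0 if it already is).
    Lowering power by this amount shrinks the usable area too, so the result
    is a trade-off to confirm with a survey, not a setting to apply blindly."""
    excess = level_at_distance(ref_dbm, d_ref_m, boundary_m) - threshold_dbm
    return max(0.0, excess)
```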
Wi-Fi-Blocking Wallpaper Protects Your Web Fortress by Keeping Neighbors Out http://www.itproportal.com/2012/05/08/anti-wi-fi-wallpaper-go-sale-2013-costs-tad-more-normal-ones/#ixzz1uHFfOUzq
Rogue AP Detection. Several methods to detect a rogue AP: Wireless device probe: a standard wireless device (i.e. a portable laptop computer) can be configured as a wireless probe. Desktop probe: a desktop computer used as a probe. Access point probe: APs can detect neighboring APs. Dedicated probe: exclusively monitors RF frequencies for transmissions.
Rogue Access Points Organizations are becoming increasingly concerned about existence of rogue APs Rogue access point discovery tools Security personnel can manually audit airwaves using wireless protocol analyzer Continuously monitoring the RF airspace using a wireless probe
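As an added example (not from the slides), this Python shows the core of a wireless probe's rogue and evil twin check: beacons seen on the air are compared against an inventory of authorized BSSIDs and their expected SSIDs and channels. The inventory, beacon records and finding text are constructed; a real deployment would feed it frames from a monitor-mode capture or the controller's neighbor reports.

```python
"""Added example (not from the slides): classifying beacons observed by a
wireless probe against an authorized AP inventory, the rogue / evil twin
detection the slides describe. Inventory and beacons are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: BSSID -> (SSID, channel) for every sanctioned radio.
AUTHORIZED: Dict[str, Tuple[str, int]] = {
    "aa:bb:cc:00:00:01": ("CorpNet", 6),
    "aa:bb:cc:00:00:02": ("CorpNet", 11),
    "aa:bb:cc:00:00:03": ("Guest", 1),
}


@dataclass(frozen=True)
class Beacon:
    ssid: str        # empty string = SSID suppressed in the beacon
    bssid: str
    channel: int
    rssi_dbm: int


def classify(b: Beacon, inventory: Dict[str, Tuple[str, int]]) -> str:
    """One finding per beacon. An evil twin is our SSID from a BSSID we do not
    own; an unknown SSID may be a neighbor or a rogue and needs wired-side
    correlation (the slides' 'manual audit') before anyone acts on it."""
    our_ssids = {ssid for ssid, _ in inventory.values()}
    bssid = b.bssid.lower()
    if bssid in inventory:
        exp_ssid, exp_chan = inventory[bssid]
        if b.ssid != exp_ssid:
            return "authorized BSSID advertising wrong SSID: misconfiguration or BSSID spoof"
        if b.channel != exp_chan:
            return "authorized BSSID on unexpected channel: verify controller config"
        return "authorized"
    if b.ssid in our_ssids:
        return "EVIL TWIN candidate: our SSID from an unknown BSSID"
    if b.ssid == "":
        return "unknown hidden SSID: locate and check wired side"
    return "unknown SSID: neighbor or rogue, correlate with wired-side MAC tables"


def detect(beacons: List[Beacon],
           inventory: Dict[str, Tuple[str, int]]) -> Dict[str, List[str]]:
    """Aggregate findings per BSSID over a survey pass. An authorized BSSID
    seen on two channels in the same pass is an extra sign of forged beacons."""
    findings = defaultdict(set)
    channels = defaultdict(set)
    for b in beacons:
        findings[b.bssid].add(classify(b, inventory))
        channels[b.bssid].add(b.channel)
    for bssid, chans in channels.items():
        if len(chans) > 1 and bssid in inventory:
            findings[bssid].add("same BSSID beaconing on multiple channels")
    return {k: sorted(v) for k, v in findings.items()}


# Constructed probe capture from one survey pass.
SAMPLE_BEACONS = [
    Beacon("CorpNet", "aa:bb:cc:00:00:01", 6, -55),
    Beacon("CorpNet", "aa:bb:cc:00:00:02", 11, -61),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, -38),   # strong, unknown radio
    Beacon("Guest", "aa:bb:cc:00:00:03", 1, -70),
    Beacon("CoffeeShop", "11:22:33:44:55:66", 1, -80),
    Beacon("", "66:55:44:33:22:11", 11, -75),
]
```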
Rogue Access Point Video Video: Hacking at LAX Airport https://www.youtube.com/watch?v=lFo49yL06Qg
Follow-up http://news.yahoo.com/minnesota-wi-fi-hacker-gets-18-years-prison-032803295.html
Summary Bluetooth is a wireless technology using short-range RF transmissions IEEE has developed five wireless LAN standards to date, four of which are popular today (IEEE 802.11a/b/g/n) Attackers can identify the existence of a wireless network using war driving Wired Equivalent Privacy relies on a secret key shared between wireless client device and access point
Summary (cont’d.) Wi-Fi Protected Access (WPA) and WPA2 have become the foundations of wireless security today Other steps to protect a wireless network include: Antenna positioning Access point power level adjustment Detecting rogue access points