Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based.

Slides:

Advertisements

Similar presentations

Network security Dr.Andrew Yang.  A wireless sensor network is network a consisting of spatially distributed autonomous devices using sensors to cooperatively.

Advertisements

Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

Chunyi Peng, Guobin Shen, Yongguang Zhang, Yanlin Li, Kun Tan BeepBeep: A High Accuracy Acoustic Ranging System using COTS Mobile Devices.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

In-Band Flow Establishment for End-to-End QoS in RDRN Saravanan Radhakrishnan.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Technologies Networking for Home and Small Businesses – Chapter 7.

CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino

University of Massachusetts Amherst InteLock TM Team: Emmanuel Seguin Josh Coffin Anh-Kiet Huynh Christos Tsiokos Remote Access and Proximity Key Advisor:

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From ： Proceeding of the First International Conference on Security and Privacy for.

Computer Networking Devices Seven Different Networking Components.

Cellular IP: Proxy Service Reference: “Incorporating proxy services into wide area cellular IP networks”; Zhimei Jiang; Li Fung Chang; Kim, B.J.J.; Leung,

Presented by Tao HUANG Lingzhi XU. Context Mobile devices need exploit variety of connectivity options as they travel. Operating systems manage wireless.

Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University

1 Computer Networks Course: CIS 3003 Fundamental of Information Technology.

Dainis Krakops’ Wireless Network MOTOROLA SURFboard SB5101 CABLE MODEM Enables cable operators to provide broadband Internet connection for my LAN devices.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;

Secure Localization Algorithms for Wireless Sensor Networks proposed by A. Boukerche, H. Oliveira, E. Nakamura, and A. Loureiro (2008) Maria Berenice Carrasco.

Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.

Wireless Network Security By Patrick Yount and CIS 4360 Fall 2009 CIS 4360 Fall 2009.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Wireless Technologies Networking for Home and Small Businesses – Chapter.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Router LAN Switching and Wireless – Chapter 7.

“Security Weakness in Bluetooth” M.Jakobsson, S.Wetzel LNCS 2020, 2001 The introduction of new technology and functionality can provides its users with.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Guided by: Jenela Prajapati Presented by: (08bec039) Nikhlesh khatra.

Chapter 6 – Connectivity Devices

Trust- and Clustering-Based Authentication Service in Mobile Ad Hoc Networks Presented by Edith Ngai 28 October 2003.

Chapter 21 Distributed System Security Copyright © 2008.

Specialist communication channel. Sarah-Jane king.

WEP Protocol Weaknesses and Vulnerabilities

Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson

Wi-Fi Technology. Agenda Introduction Introduction History History Wi-Fi Technologies Wi-Fi Technologies Wi-Fi Network Elements Wi-Fi Network Elements.

Protecting Privacy in WLAN with DoS Resistance using Client Puzzle Team 7 Yanisa Akkarawichai Rohan Shah CSC 774 – Advanced Network Security Prof. Peng.

Load-Balancing Routing in Multichannel Hybrid Wireless Networks With Single Network Interface So, J.; Vaidya, N. H.; Vehicular Technology, IEEE Transactions.

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.

STORE AND FORWARD & CUT THROUGH FORWARD Switches can use different forwarding techniques— two of these are store-and-forward switching and cut-through.

Ad Hoc Network.

An Efficient Wireless Mesh Network A New Architecture 指導教授：許子衡教授學生：王志嘉.

Adversary models in wireless security Suman Banerjee Department of Computer Sciences Wisconsin Wireless and NetworkinG Systems (WiNGS)

Dependability in Wireless Networks By Mohammed Al-Ghamdi.

Security in Wireless Networks Mike Swift CSE b Summer 2003.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

Wi-Fi Technology PRESENTED BY:- PRIYA AGRAWAL.

Secure positioning in Wireless Networks Srdjan Capkun, Jean-Pierre Hubaux IEEE Journal on Selected area in Communication Jeon, Seung.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Wireless Technologies Networking for Home and Small Businesses – Chapter.

Chapter-7 Basic Wireless Concepts and Configuration.

Virtual Local Area Networks In Security By Mark Reed.

TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida.

Database and Cloud Security

Introduction to Networks v6.0

Introduction Wireless devices offering IP connectivity

Instructor Materials Chapter 6 Building a Home Network

Instructor Materials Chapter 5: Ethernet

QianZhu, Liang Chen and Gagan Agrawal

CSE 4905 Network Security Overview

Wireless LAN Security 4.3 Wireless LAN Security.

Security in SDR & cognitive radio

An Overview of Security Issues in Sensor Network

Presentation transcript:

Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based Positioning Systems In Proceedings of the ACM/Usenix International Conference on Mobile Systems, Applications and Services (MobiSys), 2009

Online Introduction Background Location Spoofing Location Database Manipulation Conclusion

Introduction Public WLAN-based Positioning Systems Allow localization using omnipresent wireless access points Enable device without GPS to establish their position Allow localization with precision of ≤ 10m, even indoors or underground

Introduction Skyhook’s WPS in the iPod and iPhone In iPhone and iPod touch since late 2007 Skyhook also offers additional services such as localization of stolen device iPhone OS 3.0 allows tracking of iPhone via PC

Example attack case Security box holding valuables, transported by courier Reporting WLAN-based position periodically to a controller Attacker wants to move box to a safe location to open it Goal: Make the box believe it never left intended path

How does it actually work 1. The localized node (LN) sends out probe request frames on all channels 2. Access points announce their presence 3. Observed MAC addresses are sent to the location lookup table (LLT) 4. The LLT replies with location information The traffic between LN and LLT is encrypted

AP impersonation attack 2a. Attacker jams legitimate AP announcements 2b. Attacker inserts own impersonated AP announcements 3. LLT is now queried for location of remote APs

Attack details Jamming the legitimate APs sent noise on 3 channels using two GNURadios Many alternative options: physical layer, protocol layer Fourth channel was used to send data of 4 impersonated APs

Attack details Impersonating APs MAC addresses of real APs at remote location Obtained through WiGLE – a public wardriving database Impersonation by single laptop constantly changing its MAC address

Results Jamming worked very reliably and was easy to achieve When using only the public WLAN localization, the devices localized themselves at the remote location in New York city For the iPhone, additional GSM cell localization prevented a change of location outside the local city radius

Countermeasures Several proposals to mitigate the presented impersonation attack: AP authentication Aggregation of multiple localization methods LN-based integrity checks AP fingerprinting

LN based integrity checks Basic variant: Compare new position with last known position Assume maximum speed to detect large displacements Continuous version: Periodically record MAC addresses from present location Integrity check over last n locations Warn user or abort localization

Fingerprint based countermeasures Use more data to identify APs, such as: Configuration Implementation of protocols [Bratus,WiSec’08] Physical characteristics of signals [Brik,MobiCom’08] Collect these in the LLT as well, and verify reported APs.

Database manipulation attacks Attacks on the LLT are possible as well, and will affect all users of the service.

Database manipulation attacks Data enters the LLT in the following way: Collected or bought by the owner Positioning requests by the LNs Manual update by users By arbitrarily choosing the reported MAC addresses, the attacker can perform the following attacks Inject own AP entries into the database Perform reverse location lookup (track people moving to a different city!) Change the stored location for existing entries

Database manipulation attacks 1. The AP’s location in the LLT is A 2. The attacker reports the AP among other APs at location B 3. As a result, the AP’s location is changed to location B in the LLT

Database manipulation countermeasures Data update rules: allow several possible locations with different confidence values The location with the highest confidence value is active Confidence depends on majority votes or consistency of location reports with current data Temporal update rules: update the LLT quicker for changes with high confidence, and slower for changes with low confidence Tradeoff between database freshness and resistance against attacks The provider can choose to only rely on self collected data, but this will lead to outdated entries

Conclusion Summary Study the security of Public WLAN-based positioning system Presented LN and LLT based attacks and discussed countermeasures Demo the current systems should not be used in security relevant contexts Future work Similar attacks are possible on GSM and even GPS Combine these attacks to defeat devices using all these mechanisms Exploration of signal fingerprints of APs

Map and Track Friends