Wi-Fi Threats and Countermeasures - SharkFest

Wi-Fi Threats and Countermeasures
Gopinath KN (Gopi)
AirTight Networks
Secure Cloud-Managed Wi-Fi
http://airtightnetworks.com/
Wi-Fi Security: Hot Off the Press, Jun 2014
Cupid – a variant of OpenSSL Heartbleed bug in the Wi-Fi World
http://arstechnica.com/security/2014/06/meet-cupid-the-heartbleed-attack-spawns-evil-wi-fi-networks/
Sharkfest 2014
Wireless LAN Security Trivia
Myth: My wireless LAN is secure as it is attached to the
corporate LAN protected by a firewall.
(Figure: Internet, firewall-protected corporate LAN, and the authorized WLAN attached to it)
Background: Stages of establishing a WiFi connection
(Figure: message flow between Client and Access Point (AP))
1. Discovery: Client discovers AP, requests connection.
2. Authentication: AP asks Client to prove its identity.
3. Association: Client binds its identity to AP.
4. Higher Level Authentication (with WPA/WPA2).
5. (Encrypted) Data: Start communication.
Stages of establishing a WEP-encrypted WiFi connection
Step 1: AP Discovery (SSID, signal strength)
Step 2: Open (No) Authentication or WEP Shared Key Authentication
Step 3: Association
Step 4: WEP Encrypted Data Communication
WEP is broken. Let’s move on!
Stages in establishing a WPA-encrypted WiFi connection
Step 1: AP Discovery (SSID, signal strength)
Step 2: Open (No) Authentication or WEP Shared Key Authentication
Step 3: Association
Step 4.1: 802.1x (EAP) Authentication or Pre-shared Keys (PSK)
Step 4.2: Dynamic Encryption Key Generation (session specific)
Step 5: WEP-like Encrypted Data Communication with the addition of TKIP
Pre-Shared Key (PSK)
authentication & TKIP Encryption
• In PSK
• Master keys are pre-configured in Client and AP
• Encryption keys are derived using EAPOL 4-way
handshake
• Authentication Server is not needed
• TKIP
• Band-aid on top of “WEP”
PSK vulnerability
• In WPA the master key is used to generate transient
session keys
• With PSK, all devices are configured with the same
passphrase (or password) that serves as the master key
• Like any other password, the strength of the
passphrase determines if it can be guessed using a
dictionary attack
• Once passphrase is guessed, an attacker can generate
transient keys to decrypt all traffic
• WPA-PSK and WPA2-PSK (also known as WPA-Personal,
WPA2-Personal) are vulnerable to dictionary attack
Cloud Service for WiFi Cracking
If using WPA/WPA2-PSK, use a passphrase that is at least eight characters long and mixes alphanumeric and special characters
TKIP was considered safe enough
• RSA Security White Paper, “The Wireless Security Survey of New York City”, October 2008 says:
“While WPA1 was designed as a temporary replacement for WEP until WPA2 arrived, it would be incorrect to state that its security level is inferior to that of WPA2: Over the years of practical use, no exploitable WPA1-specific vulnerabilities have been discovered that are not present within WPA2.”
• According to Payment Card Industry (PCI) Data Security Standard, version 1.2, October 2008: Upgrade to WPA from WEP suffices to achieve PCI compliance.
TKIP vulnerability exposed for the first time
Erik Tews and Martin Beck demonstrated it at PacSec, Japan, Nov 2008
• For further technical details refer to:
• Tkiptun-ng documentation: http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
• AirTight Knowledge Center
http://www.airtightnetworks.com/home/resources/knowledge-center/wpa-wpa2-tkip-attack.html
Wi-Fi Alliance disallows the use of TKIP in high speed networks
(e.g., 802.11n, 802.11ac)
Stages in establishing a WPA2 (802.11i) encrypted WiFi connection
Step 1: AP Discovery (SSID, signal strength)
Step 2: Open (No) Authentication or WEP Shared Key Authentication
Step 3: Association
Step 4.1: 802.1x (EAP) Authentication or Pre-shared Keys (PSK)
Step 4.2: Dynamic Encryption Key Generation (session specific)
Step 5: CCMP Encrypted Data Communication (CCMP: change in h/w encryption engine)
(Figure: 802.1x authentication and key exchange between Wireless Client, Access Point and Authentication Server; the Client and AP talk over the Wireless Link, the AP and Authentication Server over the Wired LAN)
1. Open Authentication
2. Association (AP opens the controlled port, allowing only EAP messages to pass through)
3. EAP Identity Request (AP to Client)
4. EAP Identity Response (Client to AP, relayed to the Authentication Server)
5. Authentication Method Handshake (Client and Authentication Server, relayed by the AP): identity proof and master key generation; the Client and the Authentication Server each generate the Master Key
6. EAP Success (Authentication Server to Client); the Authentication Server sends Accept and provides the Master Key to the AP
7. EAPOL 4-Way Handshake (Client and AP): both generate Transient Keys
8. AP opens the uncontrolled port, allowing data to pass through
9. Encrypted Data Exchange
10. EAPOL Logoff
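The key hierarchy behind steps 4.1/4.2 and the EAPOL 4-way handshake above, as an added example that is not part of the original slides: it derives the PMK from a passphrase the way WPA-PSK does (PBKDF2-HMAC-SHA1 with the SSID as salt, which is why the PSK slides say passphrase strength decides whether an offline dictionary attack succeeds), expands it into transient keys with the 802.11i PRF, and shows the MIC on handshake message 2 verifying only when both sides hold the same PMK. The MAC addresses, nonces, passphrases and the simplified EAPOL frame body are constructed assumptions.

```python
"""Added example (not from the slides): the WPA/WPA2 key hierarchy that the
802.1x / EAPOL diagram and the PSK slides refer to.  Both sides start from a
Pairwise Master Key (PMK): with PSK it is derived from the passphrase, with
802.1x it comes from the EAP method.  The EAPOL 4-way handshake then derives
session (transient) keys and proves, via a MIC, that both sides hold the same
PMK without ever sending it.  Algorithms follow IEEE 802.11i; all addresses,
nonces, passphrases and the frame body are constructed."""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The SSID is the only salt, so a weak passphrase can be guessed offline.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i).
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # PTK = PRF-384(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    # 384 bits is the CCMP size: KCK (MIC key), KEK (key wrap key), TK (data key).
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16].
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk: bytes, client_pmk: bytes) -> dict:
    """Simulate the exchange and return what the AP concludes from message 2."""
    aa = bytes.fromhex("00112233aabb")   # constructed AP MAC (authenticator address)
    spa = bytes.fromhex("66778899ccdd")  # constructed client MAC (supplicant address)
    # Message 1: AP -> Client carries ANonce in the clear.
    anonce = os.urandom(32)
    # Client picks SNonce, derives its PTK and sends message 2 protected by a MIC.
    snonce = os.urandom(32)
    client_ptk = derive_ptk(client_pmk, aa, spa, anonce, snonce)
    msg2_body = b"EAPOL-Key msg2 " + snonce  # constructed stand-in for the key frame
    msg2_mic = eapol_mic(client_ptk["kck"], msg2_body)
    # AP derives its own PTK from the same nonces and checks the MIC: it only
    # verifies if the client started from the same PMK.
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk["kck"], msg2_body), msg2_mic)
    return {"mic_ok": mic_ok, "same_ptk": ap_ptk == client_ptk}


if __name__ == "__main__":
    good = pmk_from_passphrase("correct horse battery", "SharkFestDemo")
    print("matching PMK:  ", four_way_handshake(good, good))
    wrong = pmk_from_passphrase("password", "SharkFestDemo")
    print("mismatched PMK:", four_way_handshake(good, wrong))
```

Running the file shows the MIC verifying for the matching PMK and failing for the mismatched one; with 802.1x the PMK comes from the EAP method instead of `pmk_from_passphrase`, and the rest of the derivation is identical.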
(Figure: PEAP exchange between Wireless Client, Access Point and Authentication Server; the AP relays EAP messages between the Wireless Link and the Wired LAN)
Open Authentication, Association, EAP Identity Request
Phase 1: Establish TLS tunnel, authenticate the server
• EAP Identity Response (anonymous@realm), relayed to the Authentication Server
• TLS Client Hello (Rand1)
• TLS Server Hello (Rand2, server public certificate)
• TLS Client Key Exchange (encryption key encrypted with public certificate)
Phase 2: MSCHAPv2 in TLS tunnel, authenticate the Client
• EAP Identity Request
• EAP Identity Response (userid@realm)
• Server Challenge
• Response to Server Challenge / Client Challenge
• Success / Response to Client Challenge
• Success
EAP Success; the Authentication Server sends Accept and provides the Master Key to the AP
EAPOL 4-Way Handshake
802.1x example: Protected Extensible
Authentication Protocol (PEAP)
• PEAP is a popular authentication method supported over 802.1x
• Supported in Windows XP, Windows Vista, Linux
• PEAP operates in 2 phases
• Phase 1: Client authenticates the Authentication Server using TLS server
certificate; builds an encrypted tunnel between Client and Authentication
server
• Phase 2: Another authentication method such as MSCHAPv2 (a two-way
challenge and response password based authentication method) can be
executed within this tunnel
• Word of caution: PEAP is not foolproof; its security depends on the configuration
More details: https://wiki.bc.net/atl-conf/download/attachments/12615756/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf
Summary: wireless authentication
and encryption
• WEP is fundamentally broken and it cannot be fixed
• A variety of vulnerabilities and freely available attack tools
• PSK (WPA/WPA2) is vulnerable to dictionary attacks
• Not for enterprise class security
• Use strong passphrase
• TKIP vulnerable
• Not a key cracking exploit
• Can be used (in conjunction with QoS) to inject packets
• WPA2 with AES encryption and 802.1x authentication
provides best known security (with proper
configuration of course!)
So, is WPA2/802.11i sufficient for overall enterprise WLAN security?
Threats Due To Unauthorized Wi-Fi
Communication
Enterprise Security Perimeter Bypass:
Five Common Scenarios
Scenario #1: Misconfigured Devices
(Figure: AP security levels WPA2, WPA, WEP and Open, with a misconfigured AP highlighted)
Scenario #2: Rogue Access Points
What are different types of Rogue APs
Various permutations and combinations of
• Bridging APs (on subnets coinciding with or different from wired
interface address)
• Router (NAT) APs (with and without MAC cloning)
• APs with encrypted wireless links
• APs with open wireless links
• Soft APs (natively configured on wireless client or which use external
devices such as USB sticks)
Windows 7 Virtual AP
Evolution of Wi-Fi support on laptops:
• Traditional Wi-Fi: operate as client/ad-hoc
• First Gen “Soft AP”: convert laptop into AP; but, single function: can operate either as AP OR client/ad-hoc
• Windows 7 Virtual WiFi – The Next Gen Soft AP: can operate as Soft AP and Client/Ad-hoc simultaneously
Windows 7 Soft AP: A User’s Delight
• No new hardware/software needed
• Connect to two different wireless networks with a single card
• One virtual interface acts as a client
• Easy to configure the other interface as an AP or a client
• Configure other virtual interface in AP mode to
• Form a personal wireless network with PDAs and other devices
• Share Internet
• Extend the range of an AP by introducing a hop
Scenario #3: Uncontrolled Clients
BYOD
Authorized Client Extrusions
BYOD: A Wireless Tsunami of Devices
Managing the “Unmanaged”
WPA2/802.1x cannot prevent unauthorized devices from accessing the enterprise network
Real-life Examples: BYOD is rampant!
Client Extrusions (Mis-associated Clients)
Misassociations: Deliberate or unwitting connections to external APs
• Deliberate
• Employees get enticed to connect to Open external APs
• Unprotected APs in the neighborhood, Hotspots
• Unwitting
• Windows wireless connection utility caches earlier connected networks
• Actively seeks to connect to those networks later
• Most common with default SSIDs (linksys, default) and hotspot SSIDs (tmobile, GoogleWiFi)
• Traffic over such connections bypasses enterprise security controls
Mis-associations: Evil-Twin Attack
• An attacker sets up an AP that advertises SSID which is being probed by WiFi
clients or that advertises SSID of a nearby enterprise or hotspot
• Induces WiFi clients into connecting to it
• Can launch variety of attacks after connection is established
• Stealing sensitive corporate data
• Man-in-the-middle/Wi-Phishing
• Scanning the laptop for vulnerabilities (e.g., Metasploit)
• Honeypot attack tools are freely available over Internet
• KARMA, Delegated
• Can be easily carried out using just a Smartphone!
• “Smartpots” (http://www.marketwired.com/press-release/Smartphone-asAttacker-AirTight-Demos-SmartPots-CSI-2010-Next-Generation-Wi-Fi-Attacks1341134.htm)
Today, This is all you need!
Scenario #4: Ad Hoc Networks
“Known” Vulnerable SSIDs Probed For
103 distinct SSIDs recorded
Certain (8%) Authorized Clients Probing for 5 or more SSIDs
Adhoc Authorized Clients!
565 distinct Adhoc SSIDs found, About half of them Vulnerable
15% of these are default SSIDs. 26,443 (7%) clients in adhoc mode.
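The checks behind the misassociation and ad hoc slides, as an added example that is not part of the original slides: it runs over a constructed probe-request/beacon summary and reports clients whose cached network list makes them probe for many SSIDs, clients probing for the default and hotspot SSIDs the slides name (the ones an evil twin can answer), and authorized clients seen in ad hoc mode. The log format, the MAC addresses, the authorized-client list and the threshold of 5 SSIDs (taken from the statistic on the slide) are assumptions made for the example.

```python
"""Added example (not from the slides): WIDS-style analysis of a constructed
probe-request / beacon log.  It flags clients probing for many SSIDs,
probes for default/hotspot SSIDs, and authorized clients in ad hoc mode.
Log format, MAC addresses and the authorized list are constructed."""
from collections import defaultdict

# SSIDs the slides name as commonly probed defaults / hotspot names.
KNOWN_VULNERABLE_SSIDS = {"linksys", "default", "tmobile", "GoogleWiFi"}
# The slide reports clients probing for 5 or more SSIDs; used here as the threshold.
PROBE_COUNT_THRESHOLD = 5

# Constructed capture summary: frame kind, source MAC, SSID (SSIDs may contain spaces).
SAMPLE_LOG = """\
probe 00:1a:aa:00:00:01 CorpNet
probe 00:1a:aa:00:00:01 linksys
probe 00:1a:aa:00:00:01 tmobile
probe 00:1a:aa:00:00:01 HomeWiFi
probe 00:1a:aa:00:00:01 Cafe-Guest
probe 00:1a:aa:00:00:01 GoogleWiFi
probe 00:1a:aa:00:00:02 CorpNet
probe 00:1a:aa:00:00:03 CorpNet
probe 00:1a:aa:00:00:03 default
adhoc 00:1a:aa:00:00:03 Free Public WiFi
adhoc 00:1a:aa:00:00:09 hpsetup
"""

# Constructed list of clients the enterprise manages.
AUTHORIZED_CLIENTS = {"00:1a:aa:00:00:01", "00:1a:aa:00:00:02", "00:1a:aa:00:00:03"}


def parse_log(text):
    """Yield (kind, mac, ssid) tuples; the SSID is everything after the MAC."""
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, mac, ssid = line.split(" ", 2)
        yield kind, mac, ssid


def analyze(text, authorized=AUTHORIZED_CLIENTS):
    """Return (mac, finding, detail) tuples for the three misassociation risks."""
    probes = defaultdict(set)   # client MAC -> SSIDs it probed for
    adhoc = defaultdict(set)    # client MAC -> ad hoc SSIDs it advertised
    for kind, mac, ssid in parse_log(text):
        if kind == "probe":
            probes[mac].add(ssid)
        elif kind == "adhoc":
            adhoc[mac].add(ssid)
    findings = []
    for mac in sorted(probes):
        ssids = probes[mac]
        # A long cached preferred-network list: the client will join any of them.
        if len(ssids) >= PROBE_COUNT_THRESHOLD:
            findings.append((mac, "probes-many-ssids", len(ssids)))
        # Default / hotspot names that an evil twin can advertise to lure the client.
        vulnerable = sorted(ssids & KNOWN_VULNERABLE_SSIDS)
        if vulnerable:
            findings.append((mac, "probes-vulnerable-ssid", ",".join(vulnerable)))
    for mac in sorted(adhoc):
        # Ad hoc mode on a managed laptop opens a direct path around the AP.
        if mac in authorized:
            findings.append((mac, "authorized-client-in-adhoc", ",".join(sorted(adhoc[mac]))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the sample log this reports client ...01 for both a long probe list and three hotspot/default SSIDs, client ...03 for the "default" SSID and for running ad hoc, and nothing for the unmanaged ad hoc station ...09, which would instead be handled by AP/client classification.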
Scenario #5: War Driving, DoS, Hacking Tools
DoS By Disassociation Flood
DoS By RTS Flood
DoS By NAV Duration
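Detection logic for the three MAC-layer DoS patterns shown on the preceding slides (disassociation/deauthentication flood, RTS flood and NAV duration abuse), as an added example that is not part of the original slides: a sliding-window counter per transmitter for flood detection and a duration-field check for NAV abuse, run over a constructed frame capture. The thresholds, MAC addresses and frame records are assumptions chosen for the example, not values from the slides.

```python
"""Added example (not from the slides): WIDS-style detection of MAC-layer
DoS patterns over a constructed frame capture.  A flood is N frames of one
kind from one transmitter inside a short window; NAV abuse is a duration
field far above normal.  Thresholds and frame records are constructed."""
from collections import deque

# Illustrative thresholds (assumptions for this example).
FLOOD_FRAMES = 20          # this many frames of one kind from one transmitter ...
FLOOD_WINDOW_SEC = 1.0     # ... within this window is reported as a flood
NAV_LIMIT_US = 10000       # duration values above this are reported as NAV abuse

FLOOD_SUBTYPES = ("deauth", "disassoc", "rts")


def detect_dos(frames):
    """frames: iterable of (timestamp_s, subtype, transmitter_mac, duration_us), sorted by time.
    Returns a list of (timestamp, alert, transmitter, value) alerts."""
    windows = {}        # (subtype, transmitter) -> deque of recent timestamps
    already_alerted = set()
    alerts = []
    for ts, subtype, tx, duration in frames:
        if subtype in FLOOD_SUBTYPES:
            key = (subtype, tx)
            recent = windows.setdefault(key, deque())
            recent.append(ts)
            # Drop timestamps that fell out of the window.
            while recent and ts - recent[0] > FLOOD_WINDOW_SEC:
                recent.popleft()
            # Alert once per transmitter and kind rather than once per frame.
            if len(recent) >= FLOOD_FRAMES and key not in already_alerted:
                already_alerted.add(key)
                alerts.append((round(ts, 3), f"{subtype}-flood", tx, len(recent)))
        # NAV abuse: any frame can carry an oversized duration that silences the cell.
        if duration > NAV_LIMIT_US:
            alerts.append((round(ts, 3), "nav-abuse", tx, duration))
    return alerts


def constructed_capture():
    """Constructed capture mixing normal traffic with the three attack patterns."""
    frames = []
    # Normal: one deauth every 10 s from the real AP (housekeeping, not a flood).
    for i in range(5):
        frames.append((i * 10.0, "deauth", "aa:aa:aa:00:00:01", 314))
    # Disassociation/deauth flood: 40 deauths in 0.4 s from an unknown transmitter.
    for i in range(40):
        frames.append((20.0 + i * 0.01, "deauth", "de:ad:be:ef:00:01", 314))
    # RTS flood: 25 RTS frames in half a second.
    for i in range(25):
        frames.append((30.0 + i * 0.02, "rts", "de:ad:be:ef:00:02", 160))
    # NAV abuse: a CTS-to-self carrying the maximum duration field (32767 us).
    frames.append((35.0, "cts", "de:ad:be:ef:00:03", 32767))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in detect_dos(constructed_capture()):
        print(*alert)
```

The legitimate AP's occasional deauths never reach the threshold, while the two floods trip it on their 20th frame and the single oversized duration is reported on its own; RF jamming, which has no frames to count, needs spectrum-level detection instead.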
RF Jamming
Wi-Fi Threats: A Quick View From the Trenches
Statistics From Real-Life Deployments
May-Jun 2014 (Data for 30 days)
Threat instances per customer (number of sites in parentheses):

Customer            Rogue AP   Client Misassociations   Mobile Hotspots/Virtual APs   DoS Attacks
Customer 1 (258)          84                     4963                            35             1
Customer 2 (188)           4                       97                             6            33
Customer 3 (507)         196                      446                            48            21
Threat Mitigation
• Let’s ban Wi-Fi
• We don’t have “that” problem because…
Unfortunately, none of these strategies work!
Use Strong Encryption and Authentication
For Your Authorized WLAN (WPA2)!
But, this does not protect against threats due to unmanaged devices!
Packet Sniffers & Pen Testing Tools
Several Free and Commercial Sniffers available
• Wireshark
• Airpcap
• Backtrack
• KARMA
• Metasploit
• AirCrack-ng
Wireless IDS (WIDS)
WIDS: Sniff and Detect Threats
Threat Mitigation: The Essence
AP Classification: Authorized APs, Rogue APs (On Network), External APs
Client Classification: Authorized Clients, Rogue Clients, External Clients
Policy:
• Authorized Client to Authorized AP: GO
• Authorized Client to Rogue AP (On Network): STOP
• Authorized Client to External AP: STOP
• Rogue Client to Authorized AP: STOP
• External Client to External AP: IGNORE
AUTOMATICALLY DETECT AND BLOCK THE RED (STOP) PATHS!
Wireless IPS (WIPS)
WIPS – 24x7 Visibility & Protection
Adding another layer to Network Security
Capabilities of a WIPS
• Report wireless vulnerabilities proactively and detect all types of threats in real-time
• Classify what is a real threat and if it is on your network
• Automatically block unauthorized wireless activity
• Physically locate and remove threats
• Enforce security policies at multiple distributed sites without leaving your desk
Rogue AP Detection
• Automatically classifying APs visible in airspace into three categories: Authorized, External and Rogue
All APs visible in air:
• Managed APs (static part): Authorized AP
• Unmanaged APs (dynamic part), not connected to my network: External AP
• Unmanaged APs (dynamic part), connected to my network: Rogue AP
The biggest challenge in implementing such a clean workflow is: robust on-wire/off-wire detection
Key Enabler For Connectivity
Definitive “on-wire / off-wire” test
• ARP Request Marker Packet: Sensor sends ARP requests with signatures on the wire and detects if any get forwarded onto the wireless side
• UDP Reverse Marker Packet: Sensor sends UDP packets with signatures in the air and server detects if any get forwarded onto the wire
(Figure: SGE Server on VLAN 2 and Sensor on VLAN 1 of the LAN; a bridging Rogue AP forwards the ARP request with signature from the wire into the air, and a NAT Rogue AP forwards the UDP packet containing the signature from the air onto the wire)
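A simulation of the classification workflow and marker-packet test from the preceding slides, as an added example that is not part of the original slides or of any vendor's product: managed APs are Authorized (and flagged when they advertise Open or WEP, the misconfigured-device scenario), and unmanaged APs are Rogue when a signed ARP marker injected on the wire reappears in the air or a signed UDP marker sent in the air reappears on the wire, else External. HMAC-SHA256 as the marker signature, the marker payload, the AP forwarding model and every address are constructed assumptions.

```python
"""Added example (not from the slides): rogue-AP classification driven by
signed marker packets.  Managed APs are Authorized (flagged if Open/WEP),
unmanaged APs are Rogue if the on-wire test succeeds and External otherwise.
The signature scheme, marker payload and AP models are constructed."""
import hashlib
import hmac
import os


class MarkerTest:
    """Sensor/server side: signs markers and records where they were observed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_air = set()   # (bssid, signature) the sensor observed over the air
        self.seen_wire = set()  # (bssid, signature) the server observed on the wire

    def sign(self, kind: str, target_bssid: str) -> bytes:
        # Bind the marker to one AP so a forwarded packet cannot be mistaken
        # for a test of a different AP.  HMAC-SHA256 is an assumption.
        return hmac.new(self.secret, f"{kind}:{target_bssid}".encode(), hashlib.sha256).digest()

    def valid(self, kind: str, bssid: str, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(kind, bssid), signature)


class AccessPoint:
    """Constructed model of how an AP treats marker packets."""

    def __init__(self, bssid, security, forwards_wire_to_air=False, forwards_air_to_wire=False):
        self.bssid = bssid
        self.security = security
        self.forwards_wire_to_air = forwards_wire_to_air   # bridging AP behaviour
        self.forwards_air_to_wire = forwards_air_to_wire   # router (NAT) AP behaviour


def on_wire(mt: MarkerTest, ap: AccessPoint) -> bool:
    """Run both marker tests against one AP and report whether it is on the wire."""
    # ARP marker: sensor injects on the wire; a bridging AP repeats it in the air.
    arp_sig = mt.sign("arp", ap.bssid)
    if ap.forwards_wire_to_air:
        mt.seen_air.add((ap.bssid, arp_sig))
    # UDP reverse marker: sensor sends in the air; a NAT AP forwards it to the wire.
    udp_sig = mt.sign("udp", ap.bssid)
    if ap.forwards_air_to_wire:
        mt.seen_wire.add((ap.bssid, udp_sig))
    air_hit = any(b == ap.bssid and mt.valid("arp", b, s) for b, s in mt.seen_air)
    wire_hit = any(b == ap.bssid and mt.valid("udp", b, s) for b, s in mt.seen_wire)
    return air_hit or wire_hit


def classify(aps, managed_bssids, mt):
    """Map each visible BSSID to Authorized / Authorized (misconfigured) / Rogue / External."""
    result = {}
    for ap in aps:
        if ap.bssid in managed_bssids:
            label = "Authorized"
            if ap.security in ("Open", "WEP"):
                label = "Authorized (misconfigured)"
        elif on_wire(mt, ap):
            label = "Rogue"
        else:
            label = "External"
        result[ap.bssid] = label
    return result


def demo():
    mt = MarkerTest(os.urandom(32))
    aps = [  # all BSSIDs constructed
        AccessPoint("02:00:00:00:00:01", "WPA2"),                             # managed
        AccessPoint("02:00:00:00:00:02", "WEP"),                              # managed, weak
        AccessPoint("02:00:00:00:00:03", "Open", forwards_wire_to_air=True),  # bridging rogue
        AccessPoint("02:00:00:00:00:04", "WPA2", forwards_air_to_wire=True),  # NAT rogue
        AccessPoint("02:00:00:00:00:05", "WPA2"),                             # neighbour
    ]
    return classify(aps, {"02:00:00:00:00:01", "02:00:00:00:00:02"}, mt)


if __name__ == "__main__":
    for bssid, label in demo().items():
        print(bssid, label)
```

The NAT rogue shows why the slides pair the two markers: it never repeats a wire-side ARP into the air, so only the reverse UDP marker exposes it; a neighbour AP forwards neither and stays External.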
Can wire-side-only scanning protect from all Rogue APs?
No!
Several Rogue AP types are undetectable by wire-side-only scanning, examples:
• Bridging APs on a subnet inconsistent with their wired IP address (default configuration)
• Soft APs
• Router (NAT) APs with cloned wire side MAC address
See http://blog.airtightnetworks.com/rogue-ap-detection-pci-compliance/ for more details
How does WIPS block a Rogue AP?
• Over the air quarantine
• WIPS sensor blocks clients’ connections to the Rogue AP by transmitting spoofed disconnection frames
• Deauthentication is the popularly used disconnection frame
• Switch port disable
• WIPS attempts to locate the switch port into which the Rogue AP is connected
• If found, disables the switch port using SNMP
(Figure: WIPS Sensor and Rogue AP)
BYOD Mitigation
Extending the WIPS for BYOD
Policy Enforcement: STOP unapproved devices!
• Authorized Users’ Clients to Authorized APs: GO
• Unapproved devices to Authorized APs: STOP
• Authorized Users’ Clients to External APs: STOP
• Authorized Users’ Clients to Mobile Hotspots: STOP
Automatic Device Fingerprinting and Classification
• MDM and NAC are unable to provide the first line of defense
• WIPS complements these solutions to fully automate secure BYOD
DoS Attack Mitigation
802.11w: Basic Idea
Can we introduce some notion of authentication/integrity in management frames so that a receiver can differentiate legitimate packets from that of an attacker?
802.11w based Deauthentication Attack Prevention
• Only legitimate Deauth is accepted
• Spoofed Deauth is ignored
(Figure: two Deauth frames arriving at the Client)
• Legitimate Deauth: MIC (Message Integrity Code) added using the secret key shared between AP and Client
• Legacy Deauth: no MIC or bad MIC
What does IEEE 802.11w achieve?
• 802.11w gets rid of certain types of DoS Attacks only
– “Spoofed Disconnect” DoS attacks resulting from spoofing of (i) Deauthentication (Deauth), (ii) Disassociation (Disassoc), (iii) Association (Assoc) Request in existing connection, or (iv) Authentication (Auth) Request in existing connection
• Certain “Action Management Frames” are also made anti-spoofing
– Spectrum Management, QoS, BlockAck, Radio Measurement, Fast BSS Transition
• But, other DoS attacks are still possible!
WIPS Complements 802.11w by providing a detection & location based DoS mitigation workflow!
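The receive-side rule from the 802.11w slides above, as an added example that is not part of the original slides: a client with management frame protection accepts a Deauth/Disassoc only when its MIC verifies under the key shared with the AP and its sequence number is fresh, ignores legacy (no MIC) and bad-MIC frames, and, as the "other DoS attacks are still possible" bullet says, has no such check for control frames such as RTS. HMAC-SHA256 stands in for the BIP/CCMP protection 802.11w really uses; the frame layout, key and addresses are constructed assumptions.

```python
"""Added example (not from the slides): receive-side handling of protected
management frames as 802.11w intends.  Deauth/Disassoc (and the other
listed subtypes) need a valid MIC and a fresh sequence number; control
frames such as RTS are outside the protection.  HMAC-SHA256, the frame
layout, the key and the addresses are constructed for this example."""
import hashlib
import hmac
import os

# Subtypes the slides list as covered by 802.11w anti-spoofing.
PROTECTED_SUBTYPES = {"deauth", "disassoc", "assoc_req", "auth_req", "action"}


def build_frame(subtype, bssid, seq, key=None):
    """Return a constructed management/control frame; key=None mimics a legacy sender."""
    body = f"{subtype}|{bssid}|{seq}".encode()
    frame = {"subtype": subtype, "bssid": bssid, "seq": seq, "body": body, "mic": None}
    if key is not None:
        frame["mic"] = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return frame


class ProtectedClient:
    """A client that negotiated management frame protection with its AP."""

    def __init__(self, bssid, key):
        self.bssid = bssid
        self.key = key           # secret shared between AP and Client
        self.connected = True
        self.last_seq = -1       # replay protection: accept strictly increasing sequence numbers

    def receive(self, frame) -> str:
        if frame["subtype"] not in PROTECTED_SUBTYPES:
            return "not-covered"          # RTS/CTS floods, NAV abuse, jamming: not addressed by 802.11w
        if frame["mic"] is None:
            return "ignored-no-mic"       # legacy or spoofed frame without a MIC
        expected = hmac.new(self.key, frame["body"], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, frame["mic"]):
            return "ignored-bad-mic"      # sender does not hold the shared key
        if frame["seq"] <= self.last_seq:
            return "ignored-replay"       # captured legitimate frame played back
        self.last_seq = frame["seq"]
        if frame["subtype"] in ("deauth", "disassoc"):
            self.connected = False        # only a legitimate disconnect takes effect
        return "accepted"


def demo():
    bssid = "02:00:00:00:00:aa"   # constructed AP address
    key = os.urandom(16)
    client = ProtectedClient(bssid, key)
    outcomes = [
        client.receive(build_frame("deauth", bssid, 1)),                  # spoofed, no MIC
        client.receive(build_frame("deauth", bssid, 2, os.urandom(16))),  # wrong key, bad MIC
        client.receive(build_frame("rts", bssid, 3)),                     # control frame, not covered
        client.receive(build_frame("deauth", bssid, 4, key)),             # legitimate disconnect
        client.receive(build_frame("deauth", bssid, 4, key)),             # replay of the legitimate frame
    ]
    return outcomes, client.connected


if __name__ == "__main__":
    outcomes, connected = demo()
    print(outcomes, "connected:", connected)
```

Only the fourth frame disconnects the client; the first two are the "spoofed Deauth is ignored" case from the slide, and the RTS result is the gap that the WIPS detection-and-location workflow is meant to fill.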
RF Jamming DOS Mitigation
MAC Level DoS Attacks
Summary: Five steps to protect against WiFi security breaches
Recommended Best Practice (the figure marks which steps apply when WiFi is deployed and when WiFi is not deployed)
Use strong authentication and encryption: Use the best standards for authentication and encryption (e.g., WPA/WPA2) when deploying WiFi networks.
Monitor guest WiFi access: Authenticate guest users and monitor unauthorized access when providing guest access over WiFi networks.
Conduct wireless security audits and scans: Periodically conduct wireless scans to detect presence of unauthorized WiFi devices and activity in your premises.
Follow endpoint wireless security best practices: Promote WiFi security best practices among laptop users. Using a wireless endpoint security agent, enforce your enterprise policies seamlessly across all laptops and secure them even when they are away.
Use a Wireless Intrusion Prevention System (WIPS): Prevent leakage of sensitive data and protect your network from wireless security threats with 24/7 wireless monitoring.
Limitations of Solutions Discussed So Far …
• No one can protect a mis-configured network – e.g., WEP or Open Wi-Fi Network
• Educate your users – otherwise, technology solutions can only go so far!
ACKNOWLEDGEMENTS
• Many Thanks To
• Sharkfest organizing committee
• Rohan Shah, AirTight Networks
• Davneet Singh, AirTight Networks
• Ranganath Jilla, AirTight Networks
Thank You
Questions?
gopi@airtightnetworks.com