
Wireless Security

鈺松國際資訊有限公司
cclin@iss.com.tw
Agenda

• Wireless Introduction
• Wireless security issues
• Wardriving and LIVE DEMO (Maybe)
• Countermeasures
What’s not covered

• 802.1X
• Cryptographic algorithms
Introduction

• Wireless Security
• Wireless Technologies
• Network Topologies
Wireless Security

• Wireless networks becoming prevalent


• New security concerns
– More attack opportunities
• No need for physical access
– Attack from a distance
• 1km or more with good antennae
– No physical evidence of attack
• Typical LAN protection insufficient
– Need stronger technological measures
Wireless Technologies

• Application & Service: Wireless Applications (WAP, I-mode, Messaging, Voice over wireless network, location-based services)
• Physical layer: Wireless Standards (802.11a, 802.11b, AX.25, 3G, CDPD, GPRS, Radio, Microwave, Laser, Bluetooth, 802.15)
• Devices: Mobile Devices (PDA, Notebook, Cellular Phone, Pager, Handheld PC, Wearable Computers)
Network Topologies

• Ad-Hoc Mode (without base station)


• Infrastructure Mode (with base station)
Configuration Options

[Figure: Ad Hoc and Infrastructure configurations]
Why Wireless?

• No cable plant
– Lower cost
– Rapid deployment
• Enhanced mobility

• Many different requirements


Security Issues

• Information Exposure
• Weak Authentication/Authorization
• Application Level Attack
• Denial-of-Service Attack
• Auditing
• Policy/Procedure
Information Exposure

• Footprinting Wireless Network


– Netstumbler, dstumbler, airosniff, wavelan-tools
• Eavesdrop/Sniff
– Airopeek, Sniffer Pro Wireless, Grasshopper
• ARP Spoof/Poison Attack
• Breaking the WEP
– Airsnort, wepcrack.pl
Footprinting background

• SSID to identify a WLAN


• Beacon and Probe request/response contain
SSID
• Access Point responds to SSID “ANY”
• Sniff to get SSID
Footprinting Background (cont’d)

• Low cost on device


• High Returns
• Easy to carry out with available tools
• Network mapping/discovery
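CNET article

• Life gets better for hackers every day. James Atkinson, president of Granite Island Group, points out: "The threshold of expertise required to break into a wireless LAN is quite high."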
Wardialing

• Purpose
– Find modem access points
• Method
– Use a PC + modem to dial a specified range of phone numbers
– Can be combined with a bluebox

Old school, but it works ☺


Wardriving

• Purpose
– Find Wi-Fi access points
• Method
– Search with a PC + 802.11b adapter, on foot or in a vehicle
Warchalking
Why Wardriving?

• Free wireless access


• Penetration ☺
Why Wardriving?

• Free wireless access


– Get online anytime, anywhere → every location becomes a stepping stone
– Insecure Wi-Fi does not just put your data at risk.
If hackers use it to hack other companies, you
could be vulnerable to lawsuits. (Hackers use Wi-Fi
invisibility cloak, 2002/07/25, zdnet.co.uk)
Why Wardriving?

• Penetration ☺
– A wireless AP inside the company gives a path into the internal network
– The AP is not integrated into the security policy, so there is a chance to bypass ACLs
– Case study
Live Demo
Netstumbler

• Sends out a probe request with SSID “ANY”


• Access Point responds with its SSID
Netstumbler
MAP

• Netstumbler can output coordinates from GPS
• Combined with GIS, you get the map
• GIS can be indexed and searched on map servers
GAWD – Global Access Wireless
Database
Eavesdrop background

• Wherever the signal reaches


• Broadcast by nature
• Tools!
– Airopeek, Sniffer Wireless Pro (not free!)
– Prismdump, Kismet, etc. (free!)
Airopeek

• DEMO
Wireless Vulnerability Scanner

• Scan for Wireless network vulnerability


– AP vulnerability
• Broadcast SSID
• No WEP enabled
• DHCP obtain IP
– Attack
• Bruteforce SSID attack
• Connect to AP directly
• Tools
– ISS Wireless Scanner (currently the only scanning tool)
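
An added example, not from the original slides and not how ISS Wireless Scanner works: an audit check for two of the AP weaknesses listed above (broadcast SSID, WEP not enabled), read from the SSID element and the Privacy capability bit of an 802.11 beacon frame. The function names and sample frames are hypothetical and constructed for illustration; the DHCP check needs an association and is not covered.

```python
import struct

PRIVACY_BIT = 0x0010  # Capability Information bit 4: encryption (e.g. WEP) required

def build_beacon(bssid, ssid, capability):
    """Construct a minimal beacon frame (test data, not a real capture)."""
    header = bytes([0x80, 0x00]) + b"\x00\x00"            # frame control (beacon), duration
    header += b"\xff" * 6 + bssid + bssid + b"\x00\x00"   # DA, SA, BSSID, sequence control
    fixed = struct.pack("<QHH", 0, 100, capability)       # timestamp, interval, capability
    return header + fixed + bytes([0, len(ssid)]) + ssid  # element ID 0 = SSID

def audit_beacon(frame):
    """Return (bssid, ssid, findings) for one beacon frame, or None if not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:
        return None
    bssid = frame[16:22].hex(":")                         # address 3 of the MAC header
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, pos = None, 36
    while pos + 2 <= len(frame):                          # walk the tagged elements
        elem_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                                         # truncated element, stop parsing
        if elem_id == 0:
            ssid = body
            break
        pos += 2 + length
    findings = []
    if ssid and ssid.strip(b"\x00"):                      # empty or all-null SSID = hidden
        findings.append("broadcasts SSID")
    if not capability & PRIVACY_BIT:
        findings.append("no WEP/encryption required")
    return bssid, (ssid or b"").decode("utf-8", "replace"), findings

# Constructed sample frames: an open AP announcing its SSID, and an AP with
# a hidden SSID and the Privacy bit set.
SAMPLES = [
    build_beacon(bytes.fromhex("020000000001"), b"lab-open", 0x0001),
    build_beacon(bytes.fromhex("020000000002"), b"", 0x0011),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_beacon(sample))
```

A hidden SSID only removes the name from beacons; as the footprinting slides note, it can still be sniffed from probe traffic, so the first finding is informational rather than a control.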
Countermeasures

• Firewall
– Separate the wireless network
• VPN
– Protecting access to your wireless network
– 802.1x
• Protecting Access Points
– Directional antenna
– ACL on management interface
• Intrusion detection
Conclusion

• Do not use wireless in sensitive area


• Wait for new standard or improvement
Question?
