
Seven Deadliest Wireless Technologies Attacks PDF

124 Pages·2010·4.665 MB·English

Syngress is an imprint of Elsevier. 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

This book is printed on acid-free paper.

© 2010 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our Web site: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods, they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-541-7

Printed in the United States of America
10 11 12 13 5 4 3 2 1

Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights; e-mail: [email protected]

For information on all Syngress publications, visit our Web site at www.syngress.com

Typeset by: diacriTech, Chennai, India

Acknowledgments

I would like to acknowledge all the people who have helped me over the years to gain my knowledge of wireless and provided me with a fun and interesting hobby and career and the opportunity to share that knowledge with others.

• Mike Kershaw (Dragorn) for putting up with my constant feature requests and bug reports for Kismet and for making his wonderful tool free to the world.
• Frank Thornton (Thorn) for providing mentorship and camaraderie at many a convention and for helping design some great wireless contests to hone my skills.
• Chris Hurley (Roamer) for many of the wireless contests and for years of direct and honest opinions and comments on everything wireless.
• Josh Wright for his wonderful work on coWPAtty and the WPA cracking tables and for many other tools used by thousands of people on a daily basis.
• Emmanuel Goldstein, 2600 magazine, and the HOPE organizers for another wonderful conference full of new ideas and experiences and giving me the opportunity to meet my wife.
• Jeff Moss (Dark Tangent) and the DEFCON staff for continually putting on a wonderful conference and providing a great environment to learn and explore new things and ideas.
• The DEFCON and Netstumbler forum regulars who have provided years of insight, tutelage, and, at times, questionable encouragement in my research.
• The “Church of WiFi” members for helping on so many projects and for keeping wireless sexy.
• Jesse Burns, Simple Nomad, Adam Laurie, Zac Franken, and all the others who have helped over the years.
• Finally, and most importantly, my wife Dianna (Grey Frequency) for always being there for me no matter how weird, outlandish, or crazy the project and for being a voice of reason when I need it.

About the Authors

Brad “RenderMan” Haines, Contributing Author to RFID Security (ISBN: 978-1-59749-047-4, Syngress) and Kismet Hacking (ISBN: 978-1-59749-117-4, Syngress), is chief researcher of Renderlab.net and co-refounder of “The Church of WiFi” wireless thinktank. He currently operates his own consulting company in Edmonton, Alberta, Canada, providing wireless performance and security assessment services to a variety of clients both large and small. A noted expert in the hacker community in the field of wireless security, he has spoken at many international conferences such as Black Hat and DEFCON and taught several classes on free wireless assessment tools. He has also contributed over time to many wireless security tools such as the Kismet wireless sniffer and coWPAtty.

Technical Editor

Tim Kramer (CISSP, CEH, GSEC, GCIH, NSA IAM/IEM) recently served as subject matter expert (SME) for Information Assurance (IA), Unix systems, and wireless technologies for Honeywell Technology Solutions and General Dynamics. Currently, he is providing IA and Unix support for various organizations in Portsmouth, Virginia. Tim’s background includes positions such as vulnerability analyst at NETWARCOM (Naval Network Warfare Command) and roles such as the Navy’s wireless SME, coauthor of Navy and Joint Forces wireless policies, and IA review of one of Electronic Data System’s wireless solutions.

Introduction

Information in This Chapter
• Book Overview and Key Learning Points
• Book Audience
• How This Book Is Organized

Look around any street, business, or home. There is a world of information passing in front of us and through us that many people just don’t perceive. Wireless signals are everywhere, passing information between sources at incredible speeds just beyond our vision. We all use dozens of wireless devices in our daily lives, from simple things like wireless doorbells that communicate very simple information to modern smart phones that have access to all the knowledge of the Internet. It’s when you start to realize the amount of information flowing freely past our eyes, and that with the right tools you can see that information, that the need for security, and the value that information has to an attacker, becomes apparent. If you can see this information, who else may be able to? This book attempts to show the implications of this brave new wireless world through seven major attacks against these technologies, along with how best to protect yourself and your private information. From Wi-Fi networks and cordless phones to RFID and good old analog, there is no end to the threats from wireless devices.

Book Overview and Key Learning Points

Each chapter in this book covers an example of a failure of wireless technology. Sometimes it is a specific and familiar technology; other chapters are about concepts that span multiple technologies. It is important to learn the implications of deploying wireless devices in your home or business, and each chapter starts with an example of a danger associated with wireless. From there, the workings of the attack are discussed so that you can see things from an attacker’s view, to help you better understand the risks and how best to mount a defense. Then, options for defense are discussed along with their strengths and possible weaknesses. Wireless security is tricky and, short of not using wireless, there is no one single solution to this very complex problem.

Information is a commodity; it can be bought and sold just like any tangible product. Attackers are already well aware of how easily and readily wireless signals can yield valuable information for identity theft, fraud, industrial espionage, blackmail, and other types of crime, both high and low tech.

Book Audience

This book was written with the novice in mind, the small business IT guy who is trying to understand how best to secure things when his boss sends down a request for some new wireless piece of technology. This book is applicable to anyone in a technical role, from the family tech support to corporate IT managers. Since wireless affects us all, we all have to know how to take steps to protect ourselves. While this book covers only seven specific issues, you will hopefully learn the tricks and tools needed to assess the security of the potentially millions of different wireless devices on the market and how they impact your security. This book assumes some familiarity with basic networking and computer use. Knowledge of radio is not required, but it is certainly worth exploring on your own if you find this fascinating.

How This Book Is Organized

This book contains seven chapters that address different attacks against popular wireless protocols and systems. Each chapter includes an example real attack scenario, an analysis of the attack, and methods for mitigating the attack. Common themes will emerge throughout the book, but each wireless technology has its own unique quirks that make it useful to attackers in different ways, so understanding all of them is important to overall security, since rarely is just one wireless technology in use at a home or office.

Chapter 1: 802.11 Wireless – Infrastructure Attacks

The ubiquitous 802.11 wireless network is covered first. It’s hard to go anywhere without running across this type of network. It has become an invaluable resource for both home and office for networking and Internet access. Wireless networking is also incredibly valuable to attackers, as it gives them the opportunity to access networks from a safe distance, almost as if they were connected to the wired network. Chapter 1 focuses on the infrastructure of these networks, the security implications of their use, and how to and how not to secure them. They may be ubiquitous, but that doesn’t mean they are secure.

Chapter 2: 802.11 Wireless – Client Attacks

Wireless clients, those devices that talk to the rest of the wireless network, are covered in Chapter 2. Attackers, stymied by increasing amounts of security on the infrastructure side, are changing tactics and attacking client devices directly. At home or away, wireless clients and the information they contain and communicate are tempting targets for pranksters and thieves alike.

Chapter 3: Bluetooth Attacks

Bluetooth is the subject of Chapter 3. This common protocol was meant to replace cable clutter but has become so much more. While it is meant for short range, any distance can be a comfort for an attacker. Modern devices carry a great deal of information, tempting for a new era of digital pickpockets. You could lose everything without losing anything.

Chapter 4: RFID Attacks

RFID is a technology most people are not even aware of despite the billions of tags in use every day. As the subject of Chapter 4, RFID is looked at with an eye to how its perceived benefits can actually be its greatest vulnerability and how they can be thwarted by those with ill intentions. RFID is all around us, and knowing how to identify it and how to protect it is a very important topic not often understood by many people.

Chapter 5: Analog Wireless Devices

Even the most modern wireless devices are often, at their heart, still just radios. Often these new devices are using age-old radio techniques to allow their communication. Chapter 5 will show you how to identify these devices and understand the risks associated with their use, and how vulnerabilities apparent over 100 years ago are still around to make life interesting.

Chapter 6: Bad Encryption

A common solution to wireless security problems is to add encryption. A common problem with wireless security, though, is bad encryption. Poor design choices, hardware limitations, and cost can all turn a good security idea into a failure at record speed. Chapter 6 looks at this problem with a number of real-world examples and shows how something that was supposed to protect communications can end up providing less security than advertised.

Chapter 7: Cell Phones, PDAs, and Other Hybrid Devices

It’s impossible to escape them: cell phones are everywhere. Today’s modern smart phones and other hand-held gizmos are, at their heart, computers in their own right and have their own unique security issues that need to be considered. Chapter 7 will look at these new generation devices and how their small size, portability, and communication capacity make them interesting and tempting targets for today and the future.

Conclusion

Wireless devices are here to stay, and anyone involved in IT or just life in general will end up interacting with wireless devices almost every day. They are highly unlikely to go away and are more than likely to become more pervasive and more complex as time progresses. A firm understanding of the risks involved with deploying and using wireless devices in your life will help you protect against attacks and allow for all the benefits of the wireless world while minimizing the risk.

Chapter 1: 802.11 Wireless – Infrastructure Attacks

Information in This Chapter
• How Wireless Networks Work
• Case Study: TJX Corporation
• Understanding WEP Cracking
• How to Crack WEP
• It Gets Better and Worse
• WPA and WPA2 in a Nutshell
• How to Crack WPA PSK and WPA2 PSK

Wireless is a term thrown about quite a bit lately. Everything seems to be wireless to one degree or another, even some things no one ever expected to be, like refrigerators and other appliances. Most often, when the term wireless is used in regard to computing, it has to do with 802.11 networks. Just about every new laptop that hits the market today has an 802.11 network card built in. It’s a technology that has become ubiquitous in our lives, and we can hardly remember a time when it wasn’t part of our days. It’s a technology that has grown in terms of speed and range to provide the capability to be connected to the Internet from anywhere in our homes or businesses.

This widespread technology would also very quickly become quite an issue from a security perspective. Users quickly demanded to “cut the cable” and be able to access the network from anywhere in the office. Home users were quick to adopt the technology to work from the kitchen, the couch, or (more oddly) the bathroom. This intense push led a lot of overworked and underpaid information technology (IT) administrators and neighborhood computer know-it-alls to install wireless networks without properly understanding the security risks involved. These early networks would continue to “just work”, with users not realizing that the security arms race had caught up with them and even passed them, making them prime targets for attack.

In November 2003, Toronto, Ontario, police held a press conference to announce a (at the time) new and unusual crime.[A] The police report indicates that at around 5:00 a.m. an officer noticed a car slowly driving the wrong way down a one-way street in a residential neighborhood. The officer pulled the car over, and when he walked up to the driver, he was greeted with several disturbing sights. The driver was first of all not wearing any pants, which is probably disturbing in and of itself, but more alarmingly, on the passenger seat was a laptop clearly displaying child pornography. The driver had been using open wireless networks in the area to obtain Internet access to download child pornography, unbeknownst to the owners of those networks. The owners were victims themselves, twice. First, they were victims of theft of service, since their communications had to compete for bandwidth with the traffic of the unauthorized user. Second, they were victimized because, for all intents and purposes, the child pornography was being downloaded through their connection. Any digital trail left would lead back to them, potentially exposing them to false accusations of downloading child pornography themselves and all the emotional and financial damage that accusation can bring. The suspect’s home was searched as a result, and 10 computers and over 1,000 CDs worth of illegal material were seized.[B]

This case, along with others through the years, has shown that operating an access point (AP) without any authentication of client devices is dangerous. If anyone can connect, there is no restriction on what sort of activities those users can partake in. Often, it’s simply to check an e-mail or catch up on the latest news, but it may be someone downloading copyrighted materials, sending threatening messages, or doing worse.

Sometimes, connecting to an open network without authorization can occur without someone even realizing he or she is doing it. Windows XP, before Service Pack 2, was notorious for automatically connecting to networks with the same name as ones it had connected to before. A person carrying a laptop down the street configured for a common network name like “linksys” could drift onto any network also named “linksys” and be committing unauthorized access without knowing or interacting. Many users noticed this behavior and thought it more than helpful in gaining access to free Wi-Fi. Attackers noticed this and began to exploit it (more on that in Chapter 2, 802.11 Wireless – Client Attacks).

It’s sad to consider that leaving your APs open for anyone to connect to is a dangerous proposition. The idea of everyone sharing free Internet access anywhere he or she goes is a tempting one, but society, as a cross section, contains all sorts of people, some good and some bad, and often the bad ruin such freedoms for everyone. The Institute of Electrical and Electronics Engineers (IEEE) knew that it had to establish some mechanism to maintain privacy of communications as they were broadcast and to restrict who can connect and from where. This is why all APs sold contain various methods of securing communications and limiting who can connect. Originally, Wired Equivalent Privacy (WEP) was the only option available, but as time went on, Wi-Fi Protected Access (WPA) was introduced as an interim solution when WEP was shown to be weak, and eventually WPA2 was brought forth with the final ratification of 802.11i. As with many security technologies, if you give users the option of using it, they often won’t. If you give them too many options, there’s no way of guaranteeing that they will keep their systems up to date either.

[A] www.ctv.ca/servlet/ArticleNews/story/CTVNews/1069439746264_64848946/?hub=CTVNewsAt
[B] See http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.116.850 and click on the PDF icon underneath the cached link on the upper-right side of the page.

How Wireless Networks Work

A wireless network typically is made up of two classes of device: APs and client devices, typically called stations (STAs). This chapter focuses on the security of APs typically found in a home or business. Client security is discussed in Chapter 2, 802.11 Wireless – Client Attacks. These networks can be 802.11a, b, g, or n, but for the most part, and for discussion purposes in this chapter, it doesn’t matter. The infrastructure needed is fairly universal, and standards for security are pretty much the same for all of them.

The APs are something everyone in the IT industry and most home computer users are probably familiar with. They come in all shapes and sizes and can have varying features. They are the gateways between the wired and wireless network. If you don’t have one at home already, you can usually see them bolted to the wall at many businesses or in public spaces with one or more antennas sticking out of them. The AP is what the client STA connects to in a wireless network (as opposed to the other way around). In their default state, most APs will accept connections from any client STA that asks to join the network. While this is convenient for users, it is also very convenient for anyone else who wants to connect, for good reasons or bad. In the early days of wireless, this was seen as something positive. Wireless brought out ideas of a brave new world with free Internet access and sharing of a new and useful resource. It didn’t take long for the bad guys to figure out that this was very useful for them as well.

Note

It’s hard to imagine a world without wireless networking. It’s absolutely everywhere. Since 2001, Wigle.net, an online repository of data submitted by users, has collected tens of millions of unique network locations with Global Positioning System (GPS) coordinates and over a billion points of observations of those networks. The site also includes some automatically generated maps of that data that can pretty conclusively show that wherever there are people and computers, there are wireless networks. Figure 1.1 shows Wigle.net’s map of North America.

While this sort of activity may seem odd, companies like Skyhook Wireless (www.skyhookwireless.com) have made a business out of wardriving themselves. They map the location of networks throughout the world and use that information to provide GPS-like location sensing via triangulation of known APs as opposed to satellites, which has the added benefit of working indoors in many cases, unlike GPS.
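The chapter's two points about infrastructure, that an AP in its default state accepts any station that asks to join, and that WEP was weak, WPA an interim fix and WPA2 (802.11i) the final answer, can be seen side by side in an access point's own configuration. The following is an added example, not from the book: two hostapd configuration files for the same radio, the open default beside a WPA2-PSK setup. hostapd itself, the interface name wlan0, the channel, the SSIDs and the passphrase are assumptions for this example and are not named in the chapter.

```ini
# file: hostapd-open.conf (weak)
# Reproduces the "default state" the chapter describes: any station that
# asks to associate is accepted and nothing on the air is encrypted, so the
# owner cannot control, or later attribute, who used the uplink.
interface=wlan0
driver=nl80211
ssid=example-open
hw_mode=g
channel=6
auth_algs=1
# No wpa= line: hostapd brings the network up with no encryption at all.

# file: hostapd-wpa2.conf (corrected)
# Same radio, but stations must prove knowledge of the pre-shared key in the
# 802.11i four-way handshake before they are allowed onto the network.
interface=wlan0
driver=nl80211
ssid=example-secure
hw_mode=g
channel=6
auth_algs=1
# wpa=2 selects RSN (WPA2) only. wpa=1 or wpa=3 would re-enable the interim
# WPA/TKIP mode the chapter describes, so leave it at 2.
wpa=2
wpa_key_mgmt=WPA-PSK
# AES-CCMP only; TKIP was the WPA stop-gap cipher and should not be offered.
rsn_pairwise=CCMP
# Placeholder: replace with a long random passphrase before use.
wpa_passphrase=CHANGE-ME-long-random-passphrase
# Require protected management frames (802.11w); set to 1 if older
# stations that do not support it still need to connect.
ieee80211w=2
```

Each file is started on its own with hostapd, for example `hostapd hostapd-wpa2.conf`. The defensive check is simple: if the running configuration has no `wpa=` line, or has `wpa_pairwise=TKIP` / `rsn_pairwise=TKIP`, the AP is still in the open or interim state the chapter warns about, regardless of what the vendor's web interface calls it.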
