Posted on 12-Jan-2016

Page 1: Applied Communications Technology Wireless Mobile Security

Author: Bob Edwards, Edited by: Nic Shulver

Applied Communications Technology: Wireless Mobile Security

• Overview of needs
• Wireless security
• Attack types
• GSM and UMTS security
• Bluetooth

Slide 1

“Nearly one out of every two recorded digital attacks are now taking place via the wireless route as opposed to one out of every ten, at the start of 2004.”

50% of all network breaches start with Wi-Fi

“20% of enterprise CIOs had found unsecured access points on their network.”

Why is security more of a concern in wireless?

• No inherent physical protection
• Broadcast communications
• Eavesdropping is easy with a modified phone
• Impersonation of the user’s signals and/or user data to the network
• Impersonation of the network: it looks like the genuine network
• Illegitimate access to the network and its services is easy
• Denial of service is easily achieved by jamming

Slide 2

Wireless Security

Pain points:

• “Air” is now a part of corporate networks. It must be monitored!
• RF signals can leak out of your office premises
• Invisible network. Hard to manage what you cannot see
• “No Wi-Fi” policy keeps my network safe (yeah, right…)
• 2.4GHz is a license-free, unregulated medium
• Firewalls, VPNs and wired intrusion detection systems are not sufficient
• New stringent regulatory compliance

Slide 3

Wireless security requirements

• Confidentiality: encrypt messages
• Authenticity: verify the origin of messages
• Replay detection: check the freshness of messages
• Message integrity: verify it, since it is possible to modify messages on-the-fly (during radio transmission)
• Access control
  – access to network services only for “legitimate entities”
  – access control should be constantly reapplied
    • Not enough to check when a user joins the network
    • Or when logical associations are established
    • Logical associations can be hijacked at any time
• Protection against jamming

Slide 4

Balancing Security and Access

Careful management of security policies is needed to maintain the balance between transparent access and use on the one hand and network security on the other.

Slide 5

WLAN Security Wheel

Always have a good WLAN security policy in place. Secure the network based on the policy.

Slide 6

Vulnerabilities

– Configuration
  • Default, common or shared passwords
  • Unneeded services enabled
  • Few or no filters – router setup, file permissions etc.
  • Poor device maintenance

– Policy
  • Weak security policy (or no explicit security policy)
  • Poorly enforced policy
  • Physical access unrestricted or unsecured
  • Poor or no monitoring – logs, CCD, reporting

– Technology
  • TCP/IP – spoofing
  • WEP and broadcast SSID – relatively easy to break
  • Association process – connection handshake spoofing
  • Wireless interference

Slide 7

WLAN Security Attacks

• Reconnaissance
  – unauthorized discovery (information gathering) and mapping of systems, services, or vulnerabilities
  – usually precedes an actual access or DoS attack
• Access
  – usually involves running a script and/or “social engineering”
  – the intruder attempts to gain access to a device for which he does not have an account or password
• Denial-of-Service
  – an attacker disables or corrupts the network with the intent of denying the service to authorized users

Slide 8

WLAN Security Issues

• The “Parking Lot” Attacker
• The “Rogue” Access Point

Slide 9

WLAN Security Considerations

• Authentication – only authorized users and devices should be allowed.
• Administration security – only authorized users should be able to access the AP configuration interfaces.
• Encryption – traffic should be protected from unauthorized access.
  – FTP, HTTP, POP3, and SMTP are insecure and should be avoided whenever possible. Utilize protocols with encryption.

Traffic          No Encryption    Encryption
Web Browsing     HTTP             HTTPS
File Transfer    TFTP or FTP      SCP
Email            POP3 or SMTP     SPOP3
Remote Mgmt      Telnet           SSH

Slide 10

Wireless LANs Security

• MAC address filtering
• Encryption is the method which will give the best level of security
  – If companies wish to use the technology they will want a level of knowledge that only the recipient can read the data, and non-repudiation of the packets sent
  – Encryption algorithms
    • WEP, WPA, WPA2

Slide 11

Admin Authentication on AP

To prevent unauthorized access to the AP configuration interfaces:
– Configure a secret password for privileged mode access. (good)
– Configure local usernames/passwords. (better)
– Configure the AP to utilize a security server for user access. (best)

SSID Stealth
– In this mode, the access point does not reveal its identity to probe requests from stations
– This provides a primitive level of “security by obscurity”

Access Control Lists
– The AP maintains a list of MAC addresses of trusted stations, and requests from other MAC addresses are ignored

Slide 15

WLAN Security Hierarchy

Open Access – Public “Hotspots”
  No encryption, basic authentication

Basic Security – Home use
  40-bit or 128-bit static WEP encryption

Enhanced Security – Business
  802.1x, TKIP/WPA encryption, mutual authentication, scalable key mgmt., etc.

Remote Access – Business traveler, telecommuter
  Virtual Private Network (VPN)

Slide 16

Attacker Capabilities

• Man-in-the-middle
  – This is the capability whereby the intruder puts himself in between the target user and a genuine network and has the ability to eavesdrop, modify, delete, re-order, replay, and spoof signalling and user data messages exchanged between the two parties.
• Network authentication compromise
  – The intruder possesses a compromised authentication vector (challenge-response pairs, cipher keys, integrity keys, etc.)
  – For his attacks the intruder requires a modified Mobile Station (MS) and/or a modified Base Station (BS)

Slide 17

Identity catching

Mobile users are identified by temporary identities, but there are cases where the network requests the user to send its permanent identity in clear text.

• Passive identity catching
  – The attacker with a modified MS waits passively for a new registration or a database crash, as in such cases the user is requested to send its identity in clear text.
• Active identity catching
  – In this case, the attacker with a modified BS entices the user to camp on his BS and then asks him to send his International Mobile Subscriber Identity (IMSI).

Slide 19

Impersonation of User

• By the use of a compromised authentication vector
• By the use of an eavesdropped authentication response
  – Hijacking outgoing calls in networks with encryption disabled
  – Hijacking outgoing calls in networks with encryption enabled
  – Hijacking incoming calls in networks with encryption disabled
  – Hijacking incoming calls in networks with encryption enabled
• If you have a user’s authentication details you can send a message as them, even if it’s a temporary authentication

Slide 20

Impersonation of the network

• By suppressing encryption between the target user and the intruder: an attacker with a modified BS entices the user to camp on his false BS and, when the service is initiated, the intruder does not enable encryption.
• By suppressing encryption between the target user and the true network: during call setup the ciphering capabilities of the MS are modified by the intruder, and it appears to the network that there is a genuine mismatch of the ciphering and authentication algorithms. After this the network may decide to establish an un-enciphered connection: the intruder cuts the connection and impersonates the network to the target user.
• By forcing the use of a compromised cipher key: the attacker with a modified BS/MS and a compromised authentication vector entices the user to set up a call while camped on his false BS/MS. The attacker then forces the use of a compromised cipher key.

Slide 21

Intro to Mobile Phone Security

• The original first generation analogue mobile systems employed a simple electronic serial number to confirm that the terminal should be allowed access to the service.
  – It was not long before the protection afforded to this number was broken.
• Second generation systems such as GSM were designed from the beginning with security in mind.
  – The Home Environment operator can control the use of the system by the provision of the Subscriber Identity Module (SIM), which contains a user identity and authentication key.

Slide 22

GSM Security Features

• Authentication
  – the network operator can verify the identity of the subscriber, making it infeasible to clone someone else’s mobile phone
  – challenge-response authentication protocol
  – encryption of the radio channel
• Confidentiality
  – protects voice, data and sensitive signalling information (e.g. dialled digits) against eavesdropping on the radio path
  – encryption of the radio channel
• Anonymity
  – protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping
  – use of temporary identities

Slide 23
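An added illustration of the challenge-response step on this slide (not code from the deck, and not the operator's real A3/A8 algorithms: HMAC-SHA256 stands in for them as an assumption, and the IMSI and key values are constructed). The subscriber key Ki stays in the SIM and in the home network; only RAND and SRES cross the radio path, so a phone without the right Ki cannot answer, and a captured SRES is useless against a fresh RAND.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: HMAC-SHA256 stands in for the operator's A3/A8 algorithms.
# The output is split GSM-style: a 32-bit SRES and a 64-bit cipher key Kc.
def sim_a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuthenticationCentre:
    """Home network side: holds Ki per IMSI and issues fresh challenges."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision_sim(self, imsi: str) -> bytes:
        # Ki is written to the SIM at provisioning time; it never goes over the air.
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return ki

    def challenge(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        # A new 128-bit RAND per run, so replaying an old SRES cannot succeed.
        rand = secrets.token_bytes(16)
        expected_sres, kc = sim_a3a8(self._ki_by_imsi[imsi], rand)
        return rand, expected_sres, kc


def authenticate(auc: AuthenticationCentre, imsi: str, sim_ki: bytes) -> Tuple[bool, Optional[bytes]]:
    """One protocol run. Only RAND (downlink) and SRES (uplink) cross the radio path."""
    rand, expected_sres, network_kc = auc.challenge(imsi)
    sres, sim_kc = sim_a3a8(sim_ki, rand)            # computed inside the SIM
    if not hmac.compare_digest(sres, expected_sres):
        return False, None                            # wrong Ki: a cloned phone is refused
    assert sim_kc == network_kc                       # both ends share Kc without ever sending it
    return True, network_kc


def replay_succeeds(auc: AuthenticationCentre, imsi: str, captured_sres: bytes) -> bool:
    """Offer a previously observed SRES against a new challenge (expected: never accepted)."""
    _, expected_sres, _ = auc.challenge(imsi)
    return hmac.compare_digest(captured_sres, expected_sres)
```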

GPRS Encryption

Differences compared with GSM circuit-switched:
– Encryption terminated further back in the network
– Encryption applied at a higher layer in the protocol stack
  • Logical Link Layer (LLC)
– New stream cipher with different input/output parameters
  • GPRS Encryption Algorithm (GEA)
– GEA generates the keystream as a function of the cipher key and the ‘LLC frame number’, so the cipher is re-synchronised for every LLC frame
– The LLC frame number is very large, so keystream repeat is not an issue

Slide 28
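An added illustration of the last two points (not GEA itself, whose internals the slide does not give: a SHA-256 counter-mode generator keyed by Kc and the LLC frame number stands in as an assumption, and the key and payloads are constructed). Frames with different numbers get unrelated keystream; the check at the end shows what the large frame number protects against, namely that reusing a frame number under the same Kc makes the XOR of two ciphertexts equal the XOR of the two plaintexts.

```python
import hashlib


def keystream(kc: bytes, llc_frame_number: int, length: int) -> bytes:
    """Stand-in generator (assumption, not GEA): keystream = f(Kc, LLC frame number)."""
    out = bytearray()
    block_index = 0
    while len(out) < length:
        material = kc + llc_frame_number.to_bytes(4, "big") + block_index.to_bytes(4, "big")
        out += hashlib.sha256(material).digest()
        block_index += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_llc_frame(kc: bytes, llc_frame_number: int, payload: bytes) -> bytes:
    """Stream-cipher one LLC frame payload; decryption is the same operation."""
    return xor_bytes(payload, keystream(kc, llc_frame_number, len(payload)))


def keystreams_independent(kc: bytes, fn_a: int, fn_b: int, length: int = 64) -> bool:
    """Different frame numbers under the same Kc must give different keystream."""
    return keystream(kc, fn_a, length) != keystream(kc, fn_b, length)


def reuse_leaks_plaintext_xor(kc: bytes, fn_a: int, fn_b: int, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the keystream was reused.
    This only happens when fn_a == fn_b, which a non-repeating frame number prevents."""
    n = min(len(p1), len(p2))
    c1 = encrypt_llc_frame(kc, fn_a, p1[:n])
    c2 = encrypt_llc_frame(kc, fn_b, p2[:n])
    return xor_bytes(c1, c2) == xor_bytes(p1[:n], p2[:n])


# Constructed sample values (not a real key or real traffic); GPRS Kc is 64 bits.
SAMPLE_KC = bytes.fromhex("0011223344556677")
FRAME_1 = b"LLC frame one: constructed sample payload"
FRAME_2 = b"LLC frame two: another constructed payload"
```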

Bluetooth

• Short-range communications, master-slave principle
• Eavesdropping is difficult:
  – Frequency hopping
  – Communication is over a few metres only
• Security issues:
  – Authentication of the devices to each other
  – Confidential channel based on a secret link key

Slide 31

Conclusion

• Wireless and mobile security issues concentrate on the integrity, confidentiality and authentication of the networks and users.
• Access and use of service to avoid or reduce a legitimate charge.
• Location privacy: unique to mobile networks.
• Mobile devices:
  – Limited resources
  – Lack of physical protection
• Roaming of users across different networks

Slide 33

Drive-by Cracking

Slide 34