The Wireless Trip: Turn On, Tune In, Drop Out

About This Presentation

Title:

The Wireless Trip: Turn On, Tune In, Drop Out

Description:

At 2.4 Ghz, microwave ovens, X10 cams, and wireless phones can be a problem ... 2) If none found, use Kismet! 3) If encryption is active, use AirSnort/WEPcrack! ... – PowerPoint PPT presentation

Number of Views:25

Avg rating:3.0/5.0

Slides: 37

Provided by: laphroa

Category:

more less

Transcript and Presenter's Notes

Title: The Wireless Trip: Turn On, Tune In, Drop Out

1
The Wireless TripTurn On, Tune In, Drop Out

Alan Whinery
U. Hawaii ITS
alan_at_hawaii.edu
whinery_at_hawaii.edu

2
Wireless What?

Computer peripherals
Bluetooth
Wireless Keyboards, wireless mice
Networks
802.11 Wireless Ethernet
2G, 2.5G, 3G

3
Wireless What?

Phones
Analog Cellular
PCS
GSM
CDMA
802.11 based wireless IP phones

4
Interference/DoS

At 2.4 Ghz, microwave ovens, X10 cams, and
wireless phones can be a problem
Other wireless LANs can be a problem
Packet flooding attacks are easy and effective
By statute, anyone transmitting solely to
interfere can be prosecuted (go try proving
that).
The Phone Always Wins

5
The Audience is ListeningTM

Wireless devices emit radio waves
Radio waves dont care who receives them
Not all wireless technologies are secure
Actually, not many wireless technologies are
secure
Anybody who knows encryption keys can generally
listen in on encrypted traffic

6
Bluetooth (PAN)

2.4Ghz band
Short Range Inter-device wireless
Computer gt computer
Phone gt laptop
PDA gt phone
Headset gt phone
Computer gt printer
Phone gt Coke Machine
Up to 128-bit encryption
V 1.0 1 device at a time
V 1.1 8 devices at a time
Prices coming down, choices going up

7
Wireless Keyboards/Mice/Joysticks

Useful and convenient
Caveat Emptor
What happens when your next-door neighbor buys
the same keyboard?
It is possible to intentionally eavesdrop on some
wireless keyboards and mice
Various frequencies 27 Mhz, 430 Mhz, 900 Mhz
(plus Bluetooth Versions)

8
Your Grandpappys wireless

Analog Cellular 800 Mhz 1G
D-AMPS Digital Cellular 800 Mhz 2G
CDMA American-style PCS 1.9 Ghz 2G
Sprint, Verizon, ATT
14.4kbps modem speed
GSM Euro-style PCS 1.9 Ghz 2G
T-Mobile (VoiceStream), Cingular
14.4kbps modem speed

9
2.5/3G Wireless

Integrated Phone, Data, Video
CDMA2000, GPRS, WCDMA
Data channel rates from 144 Kbps to 2 Mbps
Nokia N-Gage 2.5G, Bluetooth portable game
platform

10
Wi-Fi

home wireless networks
802.11 FHSS 2.4 Ghz, 1 Mbps or 2 Mbps
802.11a 5 Ghz, 54 Mbps
802.11b DSSS 2.4 Ghz, 5.5 Mbps or 11 Mbps
Turbo, enhanced
802.11g 2.4 Ghz, 54 Mbps (Draft, Incl. b)
802.11h Extension to 802.11a for
Euro-compatibility
802.11i Umbrella for new encryption/auth, incl.
802.1X and re-WEP (2003) WPA

11
AP Topology

12
AP/Client Parameters

Lan Name
Identifies AP and its clients
ANYon client causes open polling
WEP Encryption/Key
Manually-entered pass key
Or not.
AP Can be friendly or cloaked
Friendlies respond to who's there?
Cloaked respond to Is ltnamegt there?
Cloaking widely unsupported

Set your client's LAN name to ANY and it will
detect friendly Access Points.

Other APs may not respond, or may require a WEP
key

15
www.netstumbler.com
16
www.netstumbler.com

Runs on Windows
Works with many wireless NICs
Polls actively detects friendlies that can hear
polls
Takes GPS input for recording position of
wireless APs
Easy to detect

17
www.kismetwireless.net

Runs on Linux
Picky about chipsets/drivers
Detects everything that can be heard, cloaked or
not, including lone workstations without APs
Takes GPS input, records positions
Harder to detect than Netstumbler
Pronunciation 'kiz met
From Arabic qismah portion, lot means FATE

18
A Stumble About Town

Friday - Saturday June 13-14, 2003
2 Hours 4 minutes, 1156 PM to 200 AM
Covering downtown, Waikiki, Kal Hwy to Aina Haina
Found a total of 878 devices with NetStumbler

19

20

21
802.11 Channels
22
Device Manufacturers
23
WEP Deployment
24
Wired-Equivalent Privacy

Encrypts user data using RSA's RC4 (1987)
RC4 isn't bad, also present in SSL
Reduces overall throughput
Most 802.11b implementations are easily cracked
Newest firmware from prominent vendors supposedly
fixes WEP problems
A single client device that uses weak RC4 keys
makes your WEP vulnerable

25
Wired Equivalent Privacy

Most keys are easier to learn by other means,
anyways.
Changing keys is hard.
Without any mischief, WEP is transparent to
others who have the key!

26
Cracking the WEP

Key Length doesn't matter.
Takes between 1 million and 5 million packets
Depends upon at least one NIC (AP or Client)
using weak RC4 keys
In an open environment, there are weak keys

27
What Do We Fear?

Unauthorized access
Someone stealing Internet access
Someone going around a defense
Someone pretending to be us
Eavesdropping
Acquisition of sensitive information
Invasion of privacy
Je Ne Sais Quois

28
The Big Joke

Even if WEP was secure, things protected only by
WEP would be vulnerable as soon as they crossed
onto the wired network.
You should always assume that someone is
listening, wires or no...

29
What is there to protect?

passwords (the primary problem)
sensitive info
Credit Card (should be SSL anyways)
Proprietary/Personnel Info (!!/SSL)
Etc.
Letters to Grandma/Illicit Affairs/Trysts/
BirthdayParty Invites/e-Greetings you can elect
to protect yourself (SSH/SSL/VPN)

30
You Can Get Internet for FREE!