Digital attacks - WiFi

We focus on network threats based on two technologies: 802.11 and Bluetooth.  A number of attacks against 802.11 networks have been reported.

Static WEP attacks

The first line of defence of WiFi networks is the WEP/WPA key encryption used to encrypt communications within the network.  This security measure has been compromised by attacks based on [1]. This paper identified certain weak packets (IVs – Initialisation Vectors) that leak information about the secret key. In fact, there are large classes of these weak keys. When an IV is reused, we call this a collision. When a collision occurs, the combination of the shared secret and the repeated IV results in a key stream that has been used before. Since the IV is sent in clear text, an attacker who keeps track of all the traffic can identify when collisions occur. A number of attacks become possible upon the discovery of IV collisions.  A good description of attacks on both WEP and WPA is given in [2].

Brute Force vs. FMS

Traditional brute force and FMS attacks represent two very different styles of attack. With a brute force attack, you only need to capture a single encrypted packet and then apply an enormous amount of computing power. (You probably want two packets: one to crack the key and one to double check that the cracked key works.) FMS attacks, on the other hand, rely on capturing an enormous amount of encrypted traffic, then using very little CPU power for a probabilistic algorithm to crack the key. In fact, the FMS crack scales linearly, which means that cracking a 128-bit key takes only slightly longer to crack then a 64-bit key, once you have captured enough weak keys.

If you can collect enough cipher text that is derived from them, you can determine the secret key with relatively little work. This assumes, however, that the attacker has knowledge of the first few bytes of plain text. Interestingly enough, because of RFC 1042 (SNAP headers), all IP and ARP packets always start with 0xAA. Therefore, the first few bytes of plain text are (almost) always known.  Capturing a sufficient number of such packets (about 1 million) allows this statistical attack to calculate the WEP key.  However, if the network traffic is low, the gathering of IVs may be a very lengthy process.

Artificially increasing the network traffic

The problem for statistical attacks is capturing enough encrypted data to calculate the secret key. In a high traffic network, this can be accomplished in a matter of hours. However, in a low traffic environment, this process can take days or weeks. To crack the WEP key, some attackers are simply patient and resort to placing equipment in the bushes near the AP for days at a time. Other attackers have developed more clever techniques to artificially generate network traffic in order to capture cipher text to crack the key.

ARP Request

One possible packet injection attack works like this: The attacker will capture the encrypted traffic and look for a known protocol negotiation based on the size of the captured packet; for example, an ARP request has a predictable size (28 bytes). Once captured, the attacker can simply re-inject the encrypted packet (ARP request) over and over again. The ARP response will generate new traffic, which the attacker can then capture. If the attacker repeats this process over and over again, it is possible to generate enough traffic for a successful statistical attack in about an hour.

Many hardware vendors have implemented firmware updates for their wireless NICs and APs that simply skip the specific IVs that cause these weak keys. This weak key avoidance technique renders the FMS attack useless.

Authentication Spoofing

A variation of the packet injection attack is authentication spoofing.  If an attacker can observe this negotiation process, she will know the plain text (challenge text) and its associated cipher text (challenge response). Using the message injection attack methodology, the attacker could then derive the key stream, request authentication from the AP, and use the same key stream on the challenge text to create a valid challenge response. The attacker would then be authenticated to the AP even though she has no knowledge of the WEP key. This attack works because the challenge text is always 128 bytes and, again, because IVs can be repeated and reused.

WPA Improvements

The obvious answer to the WEP problem is to extend the IV space and don't reuse IVs. These issues (and more) are addressed in the WPA protocol. WPA increased the size of the IV to 48 bits, which provides at least 900 years of unique passwords and basically eliminates the problem of collision. WPA alters the values acceptable as IVs. This fix allows WPA to use the same algorithm as WEP, but plugs the hole by controlling the IV values going into the algorithm. Finally, a new password is generated automatically every 10,000 packets. This is well below the threshold of even the most successful WEP cracking efforts and all but eliminates the threat of a statistical attack.  Furthermore, WPA incorporates protections against forgery and replay attacks via the 48-bit IV value.

However, WPA has vulnerabilities as well. Remember that to crack WEP, an attacker has to gather many packets, possibly millions, but can then easily crack any key. For WPA, certain shorter or dictionary-based keys are highly crackable because an attacker can monitor a short transaction or force that transaction to occur and then perform the crack far away from the physical site. To crack a WPA key, you must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can initiate a deauthorisation attack.  Overall, however, only dictionary attacks exist for WPA 1 and 2.

Digital attacks – Bluetooth

Product developers that use Bluetooth wireless technology in their products have several options for implementing security. There are three modes of security for Bluetooth access between two devices.

Security Mode 1: non-secure

Security Mode 2: service level enforced security

Security Mode 3: link level enforced security

The difference between Security Modes 2 and 3 is that in Security mode 3 the Bluetooth device initiates security procedures before the channel is established.  There are also different security levels for devices and services.  Devices can be “trusted device” or “untrusted device”.  A trusted device has unrestricted access to all services. 

For services, 3 security levels are defined: i) services that require authorizations and authentication, ii) services that require authentication only, and iii) services that are open to all devices.

The manufacturer of each product determines these security modes. Devices and services also have different security levels. For devices, there are 2 levels, "trusted device" and "untrusted device". A trusted device, having been paired with one’s other device, has unrestricted access to all services. With regard to services, three security levels are defined: services that require authorization and authentication, services that require authentication only and services that are open to all devices.

A very good overview of Bluetooth vulnerabilities is provided at http://trifinite.org/.

Synchronisation attack

Bluetooth devices generate a secure connection by means of the initial pairing process. During this process one or both devices need a PIN code to be entered, which is used by internal algorithms to generate a secure key, which is then used to authenticate the devices whenever they connect in the future.

An academic paper puts forward a theoretical process that could potentially "guess" the security settings on a pair of Bluetooth devices. To do this the attacking device would need to listen in to the initial one-time pairing process. From this point it can use an algorithm to guess the security key and masquerade as the other o device. What is new in this paper is an approach that forces a new pairing sequence to be conducted between the two devices and an improved method of performing the guessing process, which brings the time down significantly from previous attacks.

To perform this hack, it is necessary for the attacker to overhear the initial pairing process, which normally only happens once in a private environment and takes a fraction of a second. The authors have put forward some possible methods to try and force a deletion of the security key in one of the two Bluetooth devices, and hence initiate a new pairing process, which they could then listen in to. To do this, they need to masquerade as the second device during a connection. The equipment needed for this process is very expensive and usually used by developers only. If this process succeeds the user will see a message on their device that asks them to re-enter a PIN code. If they do this while the attacker is present, and the PIN code they enter is sufficiently short, then the attack could theoretically succeed.

If the PIN key that has been used consists of only four numeric characters, a fast PC can calculate the security key in less than one tenth of a second. As the PIN key gets longer, the time to crack the security code gets longer and longer. At eight alphanumeric characters it would take over one hundred years to calculate the PIN making this crack nearly impossible.

This is an academic analysis of Bluetooth security. What this analysis outlines is possible, but it is highly unlikely for a normal user to ever encounter such an attack. The attack also relies on a degree of user gullibility, so understanding the Bluetooth pairing process is an important defense.

Divide and Conquer

The stream cipher used to encode Bluetooth communications is a 128-bit key. A divide-and conquer attack is possible to be carried out if the length of the given keystream is longer than the period of the shortest LFSR (Linear Feedback Shift Register) user in the key stream generation.  This attack, however, has been addressed as Bluetooth has been given a very high re-synchronization frequency.

Hardwired PINs

Some embedded devices contain a hard-wired unit key.  Authentication and encryption in Bluetooth are based on the assumption that the link key is the participants’ shared secret.  All other information used in the procedures is public.  Now, suppose that devices A and B use A’s unit key as their link key.  At some later time, device C may communicate with device A and use A’s unit key as the link key.  This means that device B, having obtained A’s unit key earlier, can use the unit key with a faked device address to calculate the encryption key and therefore listen to the traffic.  Device B can also authenticate itself  to device A as device C and to device C as device A.

Network intrusions

Once the security of wireless encryption has been compromised, an attacker may carry out intrusion to the network.  By intrusion, we mean that the attacker’s machine takes an active role in the network. 

MAC spoofing

A second layer of security for wireless networks involved keeping a list of allowed MAC addresses.  Any client whose MAC address is not on this list is not allowed to use the network. An intrusion approach is by faking a valid MAC address.  The intruder eavesdrops for active participants of the network, and records an active MAC address.  He is then able to generate packets which seem to come from this MAC address.  In order to avoid the confusion of having two clients generating/responding to the same MAC address, the intruder may choose to carry out a Denial of Service attack on the valid client, to shut it down.

This will allow the intruder’s machine to appear as a valid client of the network.  This allows for further attacks on the servers and other clients of the network.  These are traditional attacks that can be carried out over the cable network.

Bluetooth MAC spoofing may be used in attacks where known unit keys (such as a Bluetooth headset) may be used to eavesdrop or hijack a communication.

Rogue Access Point attacks (WiFi + Bluetooth)

In the “evil twin” example, an intruder sets its service identifier (SSID) to be the same as an access point at the local hot spot or coffee shop, or even a corporate wireless network. He then disrupts or disables the legitimate AP by disconnecting it, directing a denial of service against it, or creating sufficient RF interference around it with a metal or another obstacle to prevent it from communicating with nearby laptops or other devices. Users that were connected to the legitimate AP lose their connections and re-connect to the "evil twin," allowing the hacker to intercept all the traffic to that device.

Fishing

An intrusion approach based on the naivety of users is called fishing.  An intruder could set up an AP that overlaps the area of a legitimate AP.  The attacker could lure users into connecting to the rogue AP by providing a login/registration page that looks like a legitimate login/registration page.  The intruder would have complete access to the communications taking place. Naïve users would enter their credit card details to “register” for airtime, and the intruder could record this information.

Fishing may also be used in the case of Bluetooth access points.  Here, users are lured or tricked into using a rogue AP by providing Bluetooth services or screens that resemble the authentic AP.  Once this happens, the attacker has complete access to the traffic.

Bluejacking

A weakness allows mobile phone users to send out business cards and contacts anonymously using Bluetooth wireless technology. Bluejacking does not involve the removal or alteration of any data from the device.

These business cards often have a clever or flirtatious message rather than the typical name and phone number. Bluejackers often look for the receiving phone to ping or the user to react. They then send another, more personal message to that device. In order to carry out a Bluejacking, the sending and receiving devices must be within 10 meters of one another.

Bluebugging

This is a method skilled individuals use to access a mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and receive text messages, read and write phone book contacts, eavesdrop on phone conversations, and connect to the Internet.  As with all other attacks, the hacker must be within a 10-metre range of the phone.

Bluesnarfing

Bluesnarfing refers to gaining access to data stored on a Bluetooth-enabled phone using Bluetooth wireless technology without alerting the phone's user of the connection made to the device.  The information that can be accessed in this manner includes the phone book and associated images, calendar, and IMEI (International Mobile Equipment Identity).

BlueDumping is the act of causing a Bluetooth device to 'dump' it's stored link key, thereby creating an opportunity for key-exchange sniffing to take place. The attacks on link keys and PINs were first publicised by Ollie Whitehouse, at CanSecWest, in which he describes a method by which the PIN and link-keys can be obtained if a pairing event can be witnessed with a Bluetooth sniffer. More recently, Shaked and Wool have proposed a method by which the key attack can be enhanced, bringing it to near-realtime, as well as a method for forcing the key-exchange to take place at a time of the attacker's choosing. 

Bluedump

BlueDumping is the act of causing a Bluetooth device to 'dump' it's stored link key, thereby creating an opportunity for key-exchange sniffing to take place. The attacks on link keys and PINs were first publicised by Ollie Whitehouse, at CanSecWest, in which he describes a method by which the PIN and link-keys can be obtained if a pairing event can be witnessed with a Bluetooth sniffer. More recently, Shaked and Wool have proposed a method by which the key attack can be enhanced, bringing it to near-realtime, as well as a method for forcing the key-exchange to take place at a time of the attacker's choosing. 

Bluebump

The BlueBump attack requires the attacker to be a social engineer. The way it works is that the attacker establishes a trusted connection to a certain device. This could be achieved by sending a business card and forcing the receiver to authenticate (Mode-3-Abuse). The attacker keeps the connection open and tells the victim to delete the link key for the attacker's device. The victim is not aware of the connection that is still active. The attacker now requests a link-key regeneration. Doing so, the attacker's device gets a new entry in the list without having to authenticate again. The attacker is then able to connect to the device at any time as long as the key is not deleted again.

Bluesmack

BlueSmack is a Bluetooth DoS attack that knocks out some Bluetooth-enabled devices immediately. The 'Ping of Death' is basically a network ping packet that used to knock out early versions of Microsoft Windows 95. The BlueSmack is the same kind of attack buit transferred in to the Bluetooth world. On the L2CAP layer there is the possibility to request an echo from another Bluetooth peer. As for the ICMP ping, the idea of the L2CAP ping (echo request) is also to check connectivity and to measure roundtrip time on the established link.

Car Whisperer

The Car Whisperer is a software tool developed by security researchers to connect to and send or receive audio to and from Bluetooth car-kits with a specific implementation. An individual using the tool could potentially remotely connect to and communicate with a car from an unauthorized remote device, sending audio to the speakers and receiving audio from the microphone in the remote device. Without specialized equipment, someone using the tool must be within a 10-meter range of the targeted car while running a laptop with the Car Whisperer tool. The security researchers’ goal was to highlight an implementation weakness in a select number of Bluetooth car-kits and pressure manufacturers to better secure Bluetooth devices.

Identifying attacks and intrusions

The AirMagnet software package helps in identifying potential attacks to WiFi networks, by carrying out the following tasks:

-        Identifies 20 different types of denial-of-service attacks, which is most often the hacker's first move in an "evil twin" attack.

-        Identifies multiple devices with the same MAC address, a circumstance that is a very good indication that a spoof is being attempted.

-        Identifies rogue devices with legitimate SSIDs that do not match up with a legitimate vendor, or are on the wrong wireless channel or band.

-        Identifies excessive AP power cycling and configuration changes, which may indicate a failing device or tampering by a user.

-        Identifies APs that should be active, but have gone silent (stopped transmitting), which may be a performance malfunction, but could be an indication of foul play.

There are currently no widespread commercial software packages for detecting Bluetooth attacks and intrusions. The website http://trifinite.org/ provides a number of tools that slightly address the issue.  These tools help in scanning for Bluetooth devices,

Scanning technologies

For generating a map of the radio in a city, we can choose to scan passively and/or actively. 

Passive Scans - WiFi

For carrying out passive scans, there exist third party software, in many cases free of charge.  An additional requirement we have is to augment our scans with GPS data.  Widows-based scanning software mostly used is Network Stumbler for PC (MiniStubler for PocketPC).  It allows for collection of WiFi data (including GPS) but provides no visualization.  For Macs, KisMac offers a good combination of WiFi scanning and GPS visualization.  Also, iStumbler is available for Macs.  For linux-based computers, Kismet and Airodump are popular.

A very good overview of the scanning, gps and mapping software and equipment required is available at http://www.wardriving.com/setup.php. Intel’s databse of hotspots for Bath yielded:

A very good overview of the scanning, gps and mapping software and equipment required is available at http://www.wardriving.com/setup.php.