International Telecommunication Union
IPv6 WiFi Internet Security 23-27 May 2016, Bangkok, Thailand
26 May 2016 – Session x
By Ronald van Kleunen (CEO Globeron Pte Ltd)
Session x: WiFi Internet Security
Objective: To learn the overall topics in implementing security measures in WiFi networks, including their monitoring from an IPv4 and IPv6 perspective.
Demonstration of implementing Wifi security measures
Wireless Security Initiatives by ITU and WiFi Organisations
SSC – Smart Sustainable Cities and CyberSecurity
Integrated Management
ITU–T Study Group 20 IoT
ITU-T Focus Group FG-SSC-0090-R7
An ITU Telecommunication Standardization Sector (ITU–T) Technical Report on “Cybersecurity, data protection and cyber resilience in Smart Sustainable Cities” takes a direct approach to its discussion of the most prominent cyberthreats to smart cities.
ITU
Consists of member organizations – primarily equipment vendors
Certifies Wi-Fi equipment for interoperability
Promotes adoption of IEEE 802.11 standards in the market
Consists of member individuals
Design and document network protocols, such as: 802.3 Ethernet, 802.11 Wi-Fi, 802.15 Bluetooth, 802.16 WiMAX
Certifies Products
Set Local Regulations
Creates Standards
WI-FI ORGANIZATIONS
WIRELESS TRAINING & EDUCATION - VENDOR NEUTRAL WIRELESS CERTIFICATION ROADMAP
Expert Level #108 Trainer Level CWNT Learning Partner Level 1st in APAC since 2005
Certified Wireless Technology Specialist
Certified Wireless Network Administrator
(RF,Antenna, Protocols, Spectrum analysis, Site Survey)
Security Analysis Design
Expert Level
Wireless Communication Layers in the stacks
PROTOCOLS AT EACH LAYER (TCP/IP VS OSI MODEL)
OSI Model | TCP/IP Model | Protocols
7 Application, 6 Presentation, 5 Session | Application | DNS, DHCP, LDAP, HTTP, FTP, TFTP, SNMP, SMTP, POP3, IMAP4, SMB
4 Transport | Transport (Host-to-host) | TCP, UDP
3 Network | Internet | IPv4, IPv6, ARP, IGMP, ICMP, IPSec, RIP, OSPF
2 Data Link, 1 Physical | Link (Network Interface or Network Access) | Ethernet, Wi-Fi
WIRELESS INFRASTRUCTURE OVERVIEW
Wireless Client - Wireless Medium - Access Point - Wired Medium - Wired Bridge/Switch - Wired Medium - Access Point - Wireless Medium - Wireless Client
WIRELESS COMMUNICATION LAYERS – OSI LAYERS
[Figure labels: IPv4, IPv6, Wireless]
Wireless Tools operate at OSI layers 1 and 2
SPECTRUM ANALYZERS – OSI LAYER 1
OSI LAYER 2 - DISCOVERY / SCANNING
Beacon: Status and capability information that is broadcast at a scheduled interval
Probe Request: A request from a client for most of the same AP information that is found in a beacon
Probe Response: A response from the AP to a client that sent a correct probe request
[Figure: AP Discovery, showing Active Scanning and Passive Scanning (Beacons)]
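The three discovery frames described above can be told apart from the first byte of the 802.11 frame control field. The following is an added example, not part of the original slides: a small parser of the kind a WLAN protocol analyzer applies to each captured frame. The function names, MAC addresses and the SSID "Corp-Office" are constructed for illustration, and frames are assumed to be raw 802.11 without a radiotap header or FCS.

```python
import struct

# Management subtypes used during discovery (frame type 0 = management)
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
HDR_LEN = 24    # frame control, duration, 3 addresses, sequence control
FIXED_LEN = 12  # beacon/probe response: timestamp(8), interval(2), capability(2)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_discovery_frame(frame):
    """Parse a raw 802.11 frame (no radiotap, no FCS); None if not discovery."""
    if len(frame) < HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    info = {"kind": SUBTYPES[subtype], "sender": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "ssid": None}
    pos = HDR_LEN
    if subtype in (5, 8):  # AP-originated frames carry fixed fields first
        if len(frame) < HDR_LEN + FIXED_LEN:
            return None
        interval, capab = struct.unpack_from("<HH", frame, HDR_LEN + 8)
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(capab & 0x0010)  # AP requires encryption
        pos += FIXED_LEN
    while pos + 2 <= len(frame):  # walk tagged elements: id, length, value
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break  # truncated element, stop instead of misreading
        if eid == 0:  # SSID element; zero length means wildcard or hidden
            info["ssid"] = value.decode("utf-8", "replace")
            break
        pos += 2 + elen
    return info

def build(fc0, dst, src, bssid, body):
    """Assemble a constructed sample frame (duration and sequence zeroed)."""
    return bytes([fc0, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + body

# Constructed sample frames (locally administered MAC addresses)
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
BEACON = build(0x80, BCAST, AP, AP,
               bytes(8) + struct.pack("<HH", 100, 0x0011) + b"\x00\x0bCorp-Office")
PROBE_REQ = build(0x40, BCAST, STA, BCAST, b"\x00\x00")  # wildcard SSID
DATA = build(0x08, AP, STA, AP, b"payload")              # not a discovery frame
```

Calling `parse_discovery_frame` on `BEACON`, `PROBE_REQ` and `DATA` shows the beacon's SSID and privacy bit, the client's wildcard probe, and `None` for the data frame.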
OSI LAYER 2 - WLAN PROTOCOL ANALYZERS
OSI LAYER 1 AND 2 - RF SITE SURVEYS AND MONITORING
WIRELESS INFRASTRUCTURE AND NETWORK ACCESS CONTROL (NAC)
Ensures all appropriate policies and security mechanisms are met by endpoints
Policies are applied to enforce security on a network
Includes requirements like antivirus software version and scans, OS updates, security patches, firewalls, user restrictions, etc.
[Figure: NAC Endpoint, WLAN Controller, RADIUS, Directory Services and NAC Appliance; steps shown: Authentication & Authorization, Posture Assessment, Quarantine, Remediation]
WPA/WPA2 network authentication
NAC posture assessment and response
ENTERPRISE WIPS TOPOLOGY (WIRELESS INTRUSION PREVENTION SYSTEMS)
[Figure: WIPS Server, WIPS Console, WIPS Sensors]
Wireless operates at Layers 1 and 2, so why bother about IPv4 and IPv6?
Wireless Access Points (AP) are layer 2 devices, but require an IP address to reach a wireless LAN or cloud controller for management purposes
The wired side requires dual stack or NAT (Network Address Translation) features. The same applies to Wireless Routers (Layer 3). Both can set up a tunnel to centralised management devices.
Wireless LAN and Cloud controllers and Wireless Network Management Systems require a dual stack to support adoption of the Wireless access points and secure communications between them via secure tunnels
Wireless Sensors (Access Points in “listening” mode) require a dual stack
Wireless Intrusion Detection/Prevention Systems (WIDPS) require a dual stack
IPV4 AND IPV6 RELATIONS TO WIRELESS INFRASTRUCTURES
Network related services:
DHCPv6 (Dynamic Host Configuration Protocol) to support IPv6 addressing and issue IP addresses to Access Points and Sensors (e.g. in large wireless network deployments), for stateless and stateful auto-configuration
(IETF RFC 3315, 3319, 3633, 3646, 3736, 5007, 6221)
ICMPv6 - Internet Control Message Protocol version 6 (IETF RFC 4443)
Mobile IPv6 or MIPv6 (IETF RFC 6275) to allow mobile device users to move from one network to another while maintaining a permanent IP address
DNS extensions (IETF RFC 3596, 3901, 4472)
Routing extensions (IETF RFC 6564) (because of IEEE 802.11ac and 802.11n distributed forwarding designs)
Enterprise class environments require RADIUS (Remote Access Dial-in User Services) and related options to include IPv6 addressing
LDAP (Lightweight Directory Access Protocol)
Wireless Security Risks
Exponential increase of wireless networks (WISP, Hotspot, Corporate/Home, Neighbours, Ad-Hoc, Direct) and many end-user devices
Wireless is an extension of the wired network, but wireless propagation goes further than you think
Different types of devices on the network, each having their own security settings (and limitations)
Many (wireless) freeware tools on the internet to “hack” the network
Lack of end-user awareness of how wireless communications work
Policy creation (if any) and enforcement
WIRELESS SECURITY RISKS
Default configurations of wireless equipment
Limited end-point security
Unauthorized implementations of wireless networks (e.g. contractors, employees setting up their own wireless networks)
“Tethering”
End users not familiar with the corporate use policy and with limited knowledge of how to recognize / enforce security
Lack of 24x7 wireless security monitoring and reporting
No standardization on wireless design and wireless security, but in progress with WiFi industry experts
Airline and agreements with telecom providers
Mobile hotspot with wrong SSID delayed an airplane in Australia (2nd of May 2016)
Software Defined Radios (SDR): how many radios are on an airplane?
Boeing 737 – passengers
A380 – passengers with mobile phones (Cellular, WiFi)
No standardization on policies
Some airlines allow mobile devices to stay on continuously, some airlines don’t allow it, but there is no policy enforcement
WIRELESS SECURITY RISKS - AVIATION
WIFI – EXAMPLE OF WIRELESS SECURITY ISSUES
[Figure: Hacker, Intranet and Internet with Desktop, Laptop, Mobile User, AP and Server; issues shown: Rogue APs, Non-Compliant APs, Municipal Wi-Fi, Leaking Wired Traffic & Insertion, Hotspot Phishing, Hotspot Evil Twin]
WIFI - WIRELESS VULNERABILITIES
Type | Attacks
Reconnaissance | Rogue APs; Open/Misconfigured APs; Ad Hoc stations
Sniffing/Eavesdropping | WEP, WPA, LEAP cracking; Dictionary attacks / Brute Force / Rainbow Tables; Leaky APs
Masquerade | MAC spoofing; HotSpot attacks; Evil Twin / Wi-Phishing attacks
Insertion | Multicast / Broadcast injection; Routing cache poisoning; Man in the Middle attacks (MITM)
Denial-of-Service | Disassociation; Duration field spoofing; RF jamming
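On the monitoring side, a WIPS separates several of the entries above (rogue APs, misconfigured APs, Evil Twin) by comparing what its sensors hear against an inventory of approved access points. The following is an added example, not part of the original slides; the category names, inventory, MAC addresses and SSIDs are constructed, and matching a BSSID directly against wired-side MACs is a simplifying assumption.

```python
# Constructed inventory and observations; all values are illustrative.
AUTHORIZED = {  # BSSID -> (SSID, security) as approved by policy
    "02:00:00:00:00:01": ("Corp-Office", "WPA2-Enterprise"),
    "02:00:00:00:00:02": ("Corp-Office", "WPA2-Enterprise"),
}
# MACs also seen on the wired LAN (assumption: taken from switch tables)
SEEN_ON_WIRE = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"}

OBSERVED = [  # (bssid, ssid, security) as reported by sensors
    ("02:00:00:00:00:01", "Corp-Office", "WPA2-Enterprise"),
    ("02:00:00:00:00:02", "Corp-Office", "Open"),
    ("02:00:00:00:00:AA", "Corp-Office", "Open"),
    ("02:00:00:00:00:99", "printer-setup", "Open"),
    ("02:00:00:00:00:bb", "CoffeeShop", "WPA2-Personal"),
]

SEVERITY = {"rogue": 3, "evil-twin-suspect": 3, "misconfigured": 2,
            "external": 0, "authorized": 0}

def classify(bssid, ssid, security):
    """Classify one observed AP against the inventory."""
    bssid = bssid.lower()
    if bssid in AUTHORIZED:
        ok = AUTHORIZED[bssid] == (ssid, security)
        return "authorized" if ok else "misconfigured"
    if bssid in SEEN_ON_WIRE:
        return "rogue"              # unknown AP bridged to the wired network
    if ssid in {s for s, _ in AUTHORIZED.values()}:
        return "evil-twin-suspect"  # corporate SSID from an unknown radio
    return "external"               # neighbouring network, monitor only

def triage(observations):
    """Return alerts as (severity, bssid, category), most severe first."""
    alerts = []
    for bssid, ssid, security in observations:
        category = classify(bssid, ssid, security)
        if SEVERITY[category] > 0:
            alerts.append((SEVERITY[category], bssid.lower(), category))
    return sorted(alerts, key=lambda a: (-a[0], a[1]))
```

The wired-side check runs before the SSID check so that an unknown AP plugged into the corporate LAN is reported as rogue even when it advertises an unrelated SSID.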
MOBILE – EXAMPLE OF WIRELESS SECURITY ISSUES
Home Location Register
Visitor Location Register
Mobile Station Controller
Base Station Controller
Base Transceiver Station
International mobile subscriber identity
International Mobile Station Equipment Identity
Vulnerabilities: • IMEI • BTS – BSC • HLR • VLR
MOBILE - WIRELESS VULNERABILITIES
Type | Attacks
Reconnaissance | Baseband Fuzzing (Rogue BTS)
Sniffing/Eavesdropping | (Telco’s Protocol Analysers?)
Masquerade | IMEI spoofing (using MTK/SDK boards)
Insertion | IMSI Detach, send multiple Location Update Requests including spoofed IMSI. Prevent SIM from receiving calls and SMS (only backend HLR is off), but still can call and SMS
Denial-of-Service | Request Channel Allocation (Flood BTS and possible BSC); RF jamming; IMSI Flood (pre-authentication) and overload HLR/VLR; IMSI Detach also disconnects user
iPhone/iPad/iPod
Android
Blackberry
Windows phone
Tethering / Hotspot using a mobile phone
Termination by service providers
Case: hotel USD 600.000 fine by FCC and public council WiFi provider USD 750.000 fine by FCC
Naming of hotspots
http://mashable.com/2016/05/02/qantas-wifi-scare/#P9g.PDs.IGqX
MOBILE DEVICE SECURITY
BlueTooth
Virus / Worms / Malware
Listening to phone calls (headset) or car audio systems
Changing languages (“DoS”)
Car Hacking via Bluetooth (Controlling the car)
NFC (Near Field Communication)
Credit Cards with NFC communication
Transportation cards (“Bus”, “Train”)
Toll gates using wireless cards
Hotel Key cards
ZigBee
Home Automation equipment
Floor Controllers
Thermostats
OTHER WIRELESS SECURITY RISKS
http://money.cnn.com/2014/03/20/technology/security/drone-phone/
http://ht3.cdn.turner.com/money/big/technology/2014/03/20/t-drone-steals-phone-info.cnnmoney_620x348_dl.flv
20 March 2014 Snoopy - Drone can steal what's on your phone via WiFi (kind of a HoneyPot attack)
The research will be presented at the Black Hat Asia cybersecurity conference in Singapore 25-28 March 2014
WiFi Security measures Demo
Live Demonstration
Wireless Security and protection using a
Wireless Intrusion Prevention System
Disclaimer
All demonstrations are done in
compliance with the laws in Thailand
(Thai Computer Crime Misuse Act)
Demonstration:
1. What is Radio Frequency (RF) WiFi?
2. DoS – Denial of Service attacks
3. Evil Twin and impersonation attacks
4. Rogue clients and Rogue Access Points (AP) mitigation techniques
5. WiFi Forensic analysis
6. 24x7 Wireless Security Compliance reporting
Education – Standardization in the organisation by having certified personnel who understand the wireless security risks and use the same terminology.
Skilled wireless professionals
Certified Wireless Trainer
Certified Wireless & Cabling installers and the right wireless + cabling measurement tools
Certified Wireless Support teams
Certified Sales Person Selling Wireless
Certified Wireless Auditor
Certified Wireless Designer and Technical Specialist
Certified Wireless Professionals & Customer
aligned with ISO/IEC 27001 ISMS standard
Wireless Service Security Management System (WSSMS)
Note: Wireless = Mobile/Cellular, WiFi and indoor/outdoor mission/business critical wireless technologies
aligned with ISO/IEC 20000 ITSMS standard
Wireless Service Management System (WSMS)
Standardization
End of Session