A world with free wireless internet access: How safe are you?




(2) Dangers of an increasingly Networked World

Selma Ardelean, Romania, Imperial College London
Nicolae-Dan Demeter, Romania, Imperial College London
David Harrison, United Kingdom, Imperial College London

Contents

1. History
2. How wireless networks work
3. Present usage of wireless networks
4. Current threats
5. Case Study
6. Statistics
7. Countermeasures
8. Conclusions
9. References

1. History

The first IEEE workshop on wireless LAN was held in 1991. At that early stage in the development of the technology, the IEEE 802.11 committee was just starting to work towards developing a standard for wireless LANs. As a result of the continuous efforts, in 1996, wireless was first unleashed onto the unsuspecting public. As with any newly emerged technology, WLAN hardware was so expensive that it could only be efficiently used as an alternative to a wired network in places where cabling was difficult or even impossible. It would be some time before the WLAN could become widely used, and even more time until the end-user would actually understand both its advantages and disadvantages.

Once the standards 802.11a and 802.11b were established, the revolution of wireless technology was in full swing. These two standards rendered the initial 802.11, with its low data rate capabilities and reduced range, obsolete. These two standards, however, had the same relatively short life-span, being replaced in 2003 and 2007 by 802.11g and 802.11n respectively.

In today's society one can scarcely imagine a household, university, firm, city, town or country without at least one form of wireless technology. Wires are being replaced, and this creates a number of potential consequences.

2. How wireless networks work

For a device to connect to a wireless network it has to be equipped with a wireless network interface card. The cards fall into one of two categories: Access Points and Clients. For efficient communication, every client is part of a Basic Service Set, commonly called a BSS. BSSs also fall into one of two categories: independent Basic Service Sets and infrastructure Basic Service Sets. The independent BSS is just an ad-hoc network (commonly created by a laptop, PDA device, etc.) and generally is not connected to the internet. The infrastructure BSS, on the other hand, is generally used to connect devices to each other or to the internet.
Every BSS has an identification: the Media Access Control (MAC) address of the router [1]. A set of access points connected to a Basic Service Set represents an extended service set (ESS), which is defined by its Service Set Identifier (SSID).

A wireless connection is defined by an SSID (broadcast or not), a network mode, a channel number and a network configuration (Unbridged or Bridged). The SSID is limited to 32 characters and represents the network's name. The network mode defines the standard within which the wireless network functions.

The first standard used in wireless networks was 802.11a. It operates in the 5-6 GHz range with data rates commonly around 6 Mbps, 12 Mbps, or 24 Mbps. Because 802.11a uses Orthogonal Frequency-Division Multiplexing (OFDM), it can achieve data transfer rates up to 54 Mbit/s. In addition, this technique breaks up fast serial information signals into several slower sub-signals that are transferred at the same time via different frequencies, providing more resistance to radio frequency interference. Its main characteristics are that it has a fast speed, but very limited distance.

The second standard is 802.11b, which operates in the 2.4 GHz range, with a maximum speed of 11 Mbit/s. It is compatible with the 802.11a standard, but uses Direct-Sequence Spread Spectrum (DSSS). In this way, it allows a higher data rate with less probability of the signal bouncing off walls (which would cause a duplicate signal that could interfere with normal operation).

The most widely used standard nowadays is 802.11g, which operates like the b standard at 2.4 GHz, but uses the a standard's modulation technique (OFDM) [2][3]. It is backwards compatible with the b standard and, because of this, in the summer of 2003 many vendors upgraded their products to be compatible with the 802.11g standard.

The next standard that will be adopted in the future is 802.11n. It uses both the 2.4 and 6 GHz bands, and supports multiple-input and multiple-output (MIMO), which significantly increases data throughput and link range without using additional bandwidth or a more powerful antenna, which in turn improves communication performance [4].

Channels are the physical medium through which packets are transmitted. Generally there are 13 channels, each of them having a width of 22 MHz, and spaced 5 MHz apart. Channel 1 is centred on 2.412 GHz and channel 13 on 2.472 GHz. Some countries add an extra channel, whereas others disallow the use of certain channels [5]. A major problem with the use of wireless is that it can interfere with other wireless devices, such as wireless keyboards, cordless telephones and Bluetooth devices.

3. Present usage of wireless networks

It is hard to imagine life without wireless networks, but there is always a concern regarding privacy. The main difference between a wired and a wireless network is that you are not constrained to a specific location.
This means that traffic in a wireless network is transmitted to everyone within the device's perimeter, rather than just a single client (as with a wired network), and so it can be intercepted very easily. Because of this, sensitive information like the SSID, the BSSID, and traffic (in the case of an open wireless network) becomes available to anybody. As a testimony to this, in April 2010 it was discovered that Google Street View cars, as well as taking pictures in order to map a particular street, were collecting Wi-Fi network information. In one of their blog posts, they admit that they collected data, including SSIDs and MAC addresses, and also traffic! [6]. Furthermore, they mention that this data can be used by third parties, but only through the Geo Location API, and the results are in the form of a triangulated geo code.

4. Current threats

The most important thing to bear in mind about wireless networks is that they work exactly like wired ones, so all attacks that can be used on wired networks can also be used in a wireless environment. On the other hand, due to the nature and characteristics of wireless networks, new attack vectors have emerged, and attackers can remain anonymous.

Because data is transmitted over the air, it is available to anyone within that perimeter. An attacker can be completely anonymous on the network, as he is not constrained to a specific location. Seeing as the only available information about him is his MAC address, he can easily spoof it in order to gain multiple identities, and because of the mobility a wireless network gives, he can move to different locations within the range of the Access Point, making him hard to trace. Also, as the data transmitted is available to anyone within the perimeter, an attacker is able to capture traffic without even being detected [7]. In this way, he can save the captured log files for later analysis.

Depending on the level of security a wireless network has, it can expose different layers of private data. Examples vary from capturing all traffic (including passwords for unsecured connections to websites and personal data in the case of an open wireless network) to storing just the BSSID of an access point (for encrypted wireless networks). Encrypted or open, all wireless networks face a possible data privacy leak.

It was discovered this year that, using a simple XSS exploit against routers, an attacker can successfully identify the MAC address of that router. While this may appear to be a valueless piece of information, when combined with Google Location Services it can accurately show the location of the user: country, city, street name, latitude and longitude.
The most interesting fact is that the user is not even asked about it (his MAC address is acquired through the XSS exploit), so the user is not even aware of the fact that his location has been exposed to the attacker. This is possible because Google decided to collect data about wireless networks and released it publicly through its API. Although Google stated that "we have decided that it's best to stop our Street View cars collecting WiFi network data entirely" [6], the data is still available, and you can still search for MAC addresses through their API. And this is just the beginning. Google was not the first and it will not be the last company to collect pieces of information about networks.

Other attacks affecting wireless networks are:

- Rogue Access Points: the access point is used to connect users to the internet through a connection where a sniffer is running. The Rogue AP can also serve rogue DNS servers, which can redirect users to different sites.
- 802.11 Data Replay: the attacker captures the data and replays it in modified form.
- Cracking the WEP / WPA key: because of the design of the WEP algorithm, no matter how long the password is, it can be decrypted in due time. WPA keys can also be decrypted using brute-force attacks and a good dictionary [8].
- Evil Twin AP: posing as an authorized access point by using the same SSID as the target wireless network.
- MITM Attack: one of the most used attacks. The attacker is situated between his targets, acting as a proxy. He can then intercept all the traffic.
- Authenticate Flood: it is based on the fact that the attacker is anonymous, so he can generate countless MAC addresses in order to fill the association table.
- 802.1X EAP Downgrade: the attacker forces the server to offer a weaker type of authentication by issuing continuous NAK (Negative Acknowledgement) / EAP packets in response.

From the above, we consider that the most successful and easiest to deploy are Evil Twin AP and Rogue AP, because the attacker doesn't have to struggle to find the encryption key (for a WPA2 network, for example); instead he lures the users directly to his packet sniffer.
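A defender's check for the Evil Twin and Rogue AP cases described above, as an added example that is not part of the original paper. It compares beacon observations from a wireless survey against an inventory of authorised access points; the `Beacon` record, the `INVENTORY` layout, the SSID "CorpNet", the reason codes and all MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str       # advertised network name
    bssid: str      # MAC address the access point announces
    channel: int
    security: str   # "OPEN", "WEP", "WPA" or "WPA2"


# Assumed inventory of authorised access points (constructed values):
# for each SSID, the required security mode and the channel each AP is on.
INVENTORY = {
    "CorpNet": {
        "security": "WPA2",
        "aps": {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 6},
    },
}


def audit_scan(beacons, inventory=INVENTORY):
    """Return (bssid, channel, reasons) for beacons that reuse an authorised
    SSID but do not match the inventory."""
    findings = []
    for b in beacons:
        policy = inventory.get(b.ssid)
        if policy is None:
            continue  # not one of our SSIDs, nothing to impersonate
        bssid = b.bssid.lower()
        reasons = []
        if bssid not in policy["aps"]:
            # Same name, different radio: the Evil Twin pattern.
            reasons.append("UNKNOWN_BSSID")
        elif policy["aps"][bssid] != b.channel:
            # MAC addresses can be spoofed, so a known BSSID on an
            # unexpected channel is treated as a possible clone.
            reasons.append("CHANNEL_MISMATCH")
        if b.security != policy["security"]:
            # An open copy of an encrypted network needs no key at all.
            reasons.append("SECURITY_MISMATCH")
        if reasons:
            findings.append((bssid, b.channel, reasons))
    return findings


# Constructed survey results, not captured data.
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 1, "WPA2"),
    Beacon("CorpNet", "00:11:22:33:44:02", 6, "WPA2"),
    Beacon("CorpNet", "66:77:88:99:AA:BB", 11, "OPEN"),
    Beacon("CorpNet", "00:11:22:33:44:01", 11, "WPA2"),
    Beacon("default", "AA:BB:CC:DD:EE:FF", 6, "OPEN"),
]

if __name__ == "__main__":
    for bssid, channel, reasons in audit_scan(SAMPLE_SCAN):
        print(f"{bssid} on channel {channel}: {', '.join(reasons)}")
```
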

5. Case Study

As part of the research we conducted, we decided to find out how many clients would connect to an open wireless network in different locations, and then log all their traffic. The study was conducted in 2 main locations: in a crowded place (for an hour) and near a block of flats (for 1 week). For the first location we used a laptop connected to a wireless broadband modem as a storage device for the logs. In the second location, we used a computer connected to a broadband internet connection and a wireless router (Broadcom BCM5354) which was connected to it. Below is the network diagram.

[Figure: network diagram]

We created a Rogue Access Point that appeared to be configured with default values (SSID: default, open wireless network). We set up the backend such that the Access Point was bridging the wireless adaptor to the wired one, so that the clients were talking directly with the computer and not with the Access Point. Also, the Access Point was accepting connections only from 192.168.1.1, for better separation of the Access Point and the rest of the network. For security reasons, clients overall were limited to a transfer rate of only 1 Mbit/s [9]. Logging of network packets was possible with the program tcpdump, which was listening on the network card connected to the Access Point.

With the help of Wireshark, a network utility program, the packets saved by tcpdump were analysed and statistics produced. Wireshark is capable of reproducing an entire HTTP session from log files (including images, files, etc.), provided they have been captured entirely (using the -s switch).

6. Statistics

Logs were captured throughout a time span of 11 days in order to provide a wide range of data and try to map the activity of as many users as possible. Unfortunately, because of the limited range of the wireless router used, the number of clients who were actually in range of the machine is limited. In the period mentioned we were able to log the activity of at least 10 different users. By analysing this data we successfully determined the preferences of the users, discovered general trends in their online activity and were even able to deduce personal data about them.

Identifying these seemingly minor details does not seem like a useful feat. However, because some of the websites do not provide secure login, we were also able in some instances to discover passwords and user names. For a real attacker, there would not be much left to do in order to use this information to commit identity theft.

Without even considering the possibility that their traffic may be monitored, users connected to our rogue access point and used it just as they would any other network. One of the most common tendencies was that all the users who used the connection checked their e-mail accounts. Without proper encryption these would have been exposed in seconds. The next major trend is that people often tend to access their preferred social networks and blogs. Facebook and Twitter take first place here. The next most popular websites are news websites, online stores and video streaming services such as YouTube. Unfortunately, at the moment, these services are often not encrypted in any way, thus enabling attackers to easily take over the users' accounts.
About 8 in 10 users logged on to one or more of the frequently used instant messaging clients, and their entire conversations could be reconstructed from the logs.

By connecting to an open wireless network, the clients lose all their privacy. Just from analysing the online activity of one computer, one could easily identify what the person's interests are and what field he/she works in. Furthermore, in one case we were able to deduce that one household had two residents. This was based solely on their web activity and the sites that they accessed.

The potential loss of privacy that comes along with the use of open wireless networks has various implications, and the information obtained by third parties could be used in many different ways. All in all, users are not always aware of the possible outcome of their actions, and therefore need to be alerted and made aware of all the dangers and threats that come with the use of a wireless environment. Although the majority of websites that handle sensitive personal data provide secure access, there are still some that do not, and these make the users vulnerable.

[Figure: General trends for users connected to the rogue Access Point]

7. Countermeasures

As you can see, there exists a large number of threats related to wireless networks, and as wireless becomes more and more widely adopted, security should not be considered just an extra setup step, but should be the first thing to consider. A bulletproof solution that works 100% of the time does not exist. Instead, security should be more like a process in which the user is aware and tries to protect himself against ever-emerging threats. For the average user, having the latest updates or patches for the software they're using and having the latest definitions for the antivirus are enough. In most cases, it is up to the user to protect his public/private data.

As wireless networks require special attention, the first layer of protection should be to encrypt the connection only with WPA or WPA2, because they provide a different per-session key for data encryption. PSKs start from the same passphrase; however, each station is given a different key for communicating with the router. Secondly, a method which can be circumvented, but which keeps out unwanted intruders, is MAC filtering using blacklists or, especially, whitelists. Another method to limit access to a wireless network is to position the Access Point such that its signal doesn't travel far. Most routers nowadays have an interface which allows the user to adjust the signal strength to his or her needs. Finally, the encryption key used to encrypt the wireless network should be changed on a regular basis.

Unfortunately, as people spend more than half of their time outside their home, the chance that they connect to an unsecure wireless network is quite high. Fortunately, even in this case, there are some methods to protect your data. Firstly, only secure channels should be used when visiting sites that require some sort of credentials. Most of the time, https should be used instead of http, but the user should be aware that if he logs in through https and then stays for the rest of the connection on unsecure http, his session can be hijacked and an attacker can gain control over his account. An example of a user-friendly tool that can be used to hijack such a connection is Firesheep. This is a Firefox add-on that was launched in October 2010. The process of hijacking someone's session is pretty simple: you install the add-on, connect to the open wireless network, and then if someone near you is surfing a site which uses a session cookie, his session will appear in the add-on panel. This allows you to connect to his session instantly and use his identity.

The only solution to this problem, when connecting to an unsecure service (it may be a website using only http, a chat server, or even VoIP connections) through an unsecure wireless network, is to establish an encrypted connection to a remote proxy and then to initiate the connections through it. The most commonly used technique is to use a VPN, so you can connect to a virtual private network somewhere else on the internet. Another technique is to use an SSH tunnel to make a dynamic SOCKS proxy between you and the remote server. Unfortunately, both cases require access to a remote server, which can be expensive for the average user.

Nevertheless, the rule of thumb is that whenever you are in doubt about the security of the connection you're using, it is better not to use it. Unfortunately, this behaviour is not encouraged by the software vendors, who sometimes decide to trade security for convenience. A clear example is the default option for Windows XP when connecting to wireless networks: it will connect to any available network and automatically connect to non-preferred networks.
This is very convenient for the regular user, but it exposes the user to security risks such as Rogue AP or Evil Twin AP attacks.

8. Conclusions

The subject of wireless network security is always in people's attention because this technology keeps changing as the years pass. We predict that in the future wireless networks will be available in almost every place. This represents a new step towards an interconnected world. Unfortunately, it is also assumed that the average user knows all the potential threats that emerge. Through our study we have shown that at this moment this is not the case. However, some states, like Germany, take security very seriously, and they even impose fines on people who do not secure their wireless connection properly [10]. We consider that this is a big step towards a secured world, and we believe that only with proper information will average users be able to protect their data against intruders.
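Section 7 states that WPA/WPA2 PSK stations start from the same passphrase yet each gets a different key. The following added example (not part of the original paper) carries out the standard WPA2-PSK derivation, PBKDF2 for the shared master key and the 802.11i PRF for the pairwise key, to show where the difference comes from; the passphrase, SSID, MAC addresses and nonces are constructed values.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: identical for every station on the network,
    because its only inputs are the passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i pseudo-random function built on HMAC-SHA1."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def session_keys(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise Transient Key for one association (48 bytes for CCMP),
    split into its three parts."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed inputs for illustration only.
PASSPHRASE = "correct horse battery"
SSID = "CafeWiFi"
AP_MAC = bytes.fromhex("001122334401")
STATION_A = bytes.fromhex("020000000a0a")
STATION_B = bytes.fromhex("020000000b0b")
ANONCE_1, SNONCE_1 = bytes([1]) * 32, bytes([2]) * 32
ANONCE_2, SNONCE_2 = bytes([3]) * 32, bytes([4]) * 32


def compare_stations():
    """Derive keys for two stations and for a second session of station A."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return {
        "pmk": pmk,
        "a_first": session_keys(pmk, AP_MAC, STATION_A, ANONCE_1, SNONCE_1),
        "b_first": session_keys(pmk, AP_MAC, STATION_B, ANONCE_1, SNONCE_1),
        "a_second": session_keys(pmk, AP_MAC, STATION_A, ANONCE_2, SNONCE_2),
    }


if __name__ == "__main__":
    for name, value in compare_stations().items():
        tk = value["TK"].hex() if isinstance(value, dict) else value.hex()
        print(name, tk)
```

The traffic key (TK) differs per station and per session, but every input other than the passphrase is exchanged in the clear during association, so the separation between stations rests entirely on the passphrase staying secret and being hard to guess.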
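Section 7 also warns that a user who logs in over https and then continues on http can have the session hijacked. From the site operator's side, this added example (not from the original paper) audits the headers of an HTTPS login response for the three conditions that make that possible; the header lists, the cookie name `sessionid`, the host `shop.example` and the finding codes are constructed for illustration.

```python
def parse_set_cookie(value):
    """Split a Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_login_response(headers):
    """headers: list of (name, value) pairs from the response to an HTTPS
    login request. Returns a list of (subject, finding_code) tuples."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # Without Secure the browser also sends this cookie over
                # plain http, where anyone on an open network can read it.
                findings.append((cookie, "MISSING_SECURE"))
        elif lname == "location" and value.lower().startswith("http://"):
            # Login succeeded over https, then the user is sent back to http.
            findings.append(("Location", "DOWNGRADE_REDIRECT"))
        elif lname == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        # Without HSTS the browser will follow later http links to this site.
        findings.append(("response", "MISSING_HSTS"))
    return findings


# Constructed responses, not captured traffic.
WEAK_RESPONSE = [
    ("Location", "http://shop.example/account"),
    ("Set-Cookie", "sessionid=3f9a; Path=/"),
]
HARDENED_RESPONSE = [
    ("Location", "https://shop.example/account"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=3f9a; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("weak:", audit_login_response(WEAK_RESPONSE))
    print("hardened:", audit_login_response(HARDENED_RESPONSE))
```
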

9. References

[1] Wikipedia: Wireless LAN. Last update: 20 November 2010. http://en.wikipedia.org/wiki/wireless_lan
[2] How Stuff Works: How WiFi Works. Last visited: 24 November 2010. http://computer.howstuffworks.com/wireless-network1.htm
[3] Cisco Academy: IT 1 Networking Course (course not available online).
[4] Wikipedia: MIMO. Last update: 27 November 2010. http://en.wikipedia.org/wiki/multiple-input_multiple-output
[5] Wikipedia: IEEE 802.11. Last update: 4 December 2010. http://en.wikipedia.org/wiki/ieee_802.11
[6] Official Google Blog: WiFi data collection: An update. Last update: 14 May 2010. http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html
[7] Ezine @rticles: Wireless Network Monitor - The Promiscuous Mode. Last visited: 16 October 2010. http://ezinearticles.com/?wireless-network-monitor---the-promiscuous-mode&id=5160653
[8] Cracking WEP and WPA Wireless Networks. Last update: 24 Nov 2005. http://docs.lucidinteractive.ca/index.php/cracking_wep_and_wpa_wireless_networks#dictionary_brute_force
[9] Linux Binary: /usr/sbin/wondershaper eth0 4000 4000
[10] BBC News: Wi-fi owner fined for lax security in Germany. Last update: 14 May 2010. http://www.bbc.co.uk/news/10116606