Reasons Not to Trust Wireless Networks
Bruce Potter
Potter_bruce@bah.com || gdead@shmoo.com
June 23, 2006
Don’t Believe Anything I Say
• “Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it.” - Buddha
• By Day, Senior Associate for Booz Allen Hamilton
• By Night, Founder of The Shmoo Group and restorer of hopeless Swedish cars
High Assurance is Out of Bounds
• With enough money, nearly anything can be made to be “secure”
• High assurance wireless options exist, but the development and testing costs make them prohibitively expensive to the average Joe/Jane
• Wouldn’t it be nice to have high assurance without the high cost?
• But I think that’s a topic for another conference
For the record, we’ve been trying to solve the same problem for a while
• “Another major problem is the fact that there are growing pressures to interlink separate but related computer systems into increasingly complex networks”
• “Underlying most current users’ problems is the fact that contemporary commercially available hardware and operating systems do not provide adequate support for computer security”
• “In addition to the experience of accidental disclosure, there has also been a number of successful penetrations of systems where the security was ‘added on’ or claimed from fixing all known bugs in the operating system. The success of the penetrations, for the most part, has resulted from the inability of the system to adequately isolate a malicious user, and from inadequate access control mechanisms built into the operating system”
• Computer Security Technology Planning Study - October 1972, Electronic Systems Division, Air Force
First, Some Trends… Vulnerability Hype by Security Industry
• The fox is guarding the hen house
• The security industry has a vested interest in making the situation sound as bad as possible
• Technologies such as firewalls, IDS, and AV have led us to believe that security software is a requirement
  • “A firewall is a network response to a software engineering problem”
• As application and operating system security improve, these technologies may come under pressure
• However, due to the hype, these technologies are becoming ubiquitous
• Microsoft just entered the fray… the likely outcome is that the security bar will be raised significantly in consumer and enterprise networks
• Example - WMF
  • British Parliament was one of many organizations hit with directed attacks after the WMF vulnerability came to light
Another Trend - Mercenary Exploit Development
• A new market has emerged for exploit development
• Not the historical underground market, but rather a “legit” marketplace
• Many security companies now offer money in exchange for exclusive rights to exploits from mercenary exploit developers
  • TippingPoint’s Zero Day Initiative (ZDI)
  • iDefense’s Vulnerability Contributor Program (VCP)
  • Etc…
• These programs have “rewards” programs, as well as other incentives
• Also, eBay and other online commerce sites have become storefronts for vulnerability information
• Many niche security companies are hoarding 0-day
• Who knows who’s buying this information and what they are using it for?
Wireless Device Discovery
• First part of attacking wireless devices is finding them
• Obviously, wireless devices can be “found”, especially given enough resources
• Spectrum analyzers, protocol analyzers, and custom gear can be great at finding cell phones, 802.11 radios, and Bluetooth devices… at high cost
• However, device discovery can dramatically change the threat against a technology if it can be put in the hands of many
• How much will geeks pay to find wireless devices? $1000? $500? $300? $100? Free?
Bluetooth Device Discovery
• FHSS harder to “find”
  • Must align with hopping pattern
  • BT uses 1/2 the normal hop time to Jump Around
  • Still averages 2.5 to 10 secs to find known device
• Devices can be Discoverable
  • Respond to inquiry requests
  • Means both devices need to be able to hear each other
• Devices can also be non-discoverable
  • Must be directly probed by MAC addr
  • Little to no traffic for extended periods of time (esp. in low power mode)
  • Cannot easily be listened to b/c receiver cannot sync on hopping pattern
802.11 Rogue AP
• Rogue Access Points are the biggest threat against WiFi Networks
• WEP is Broken… Surprise!
• We’re actually getting pretty good at securing the enterprise
• Clients are the real problem
• Two types of Rogue APs
  • One is plugged into your network by “accident”
  • The other is directly targeting your laptop
Rogue AP - Powerpoint Foo
[Diagram: a Laptop sits between a legitimate Access Point (SSID: Stardollar, -50 dBm) and a Rogue Access Point (SSID: Stardollar, -40 dBm); the rogue sends a Disassociate to the laptop, which then sees the stronger rogue as the same network.]
Rogue AP - Lessons Learned
• Authenticating Management Frames is a good idea ™
• Disruptive technologies will succeed even in the face of poor security
  • There’s a corollary that says that people don’t want to pay for privacy and security; they expect it exists already
• Need to protect the client
  • Not something currently done “out of the box”
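The rogue-AP scenario above is what a wireless IDS looks for from the defender's side. This added example (not code from the talk) runs three checks over a constructed list of captured 802.11 management-frame records: an unknown BSSID beaconing one of our SSIDs (the evil twin), a burst of disassociate frames, and one BSSID arriving at two very different signal levels, which suggests a second radio spoofing the real AP's address. The BSSIDs, SSIDs and RSSI values are constructed for the example.

```python
"""Evil-twin / disassociation-burst heuristics over constructed 802.11
management-frame records. Added example; frame records are constructed here
and are not part of the original talk."""
from collections import Counter, defaultdict

# Constructed records: (frame subtype, transmitter BSSID, SSID, RSSI in dBm).
# The authorised AP is heard at about -50 dBm; a rogue advertising the same
# SSID is 10 dB louder and spoofs disassociate frames as the real AP.
FRAMES = [
    ("beacon", "00:11:22:33:44:55", "Stardollar", -50),
    ("beacon", "00:11:22:33:44:55", "Stardollar", -51),
    ("beacon", "de:ad:be:ef:00:01", "Stardollar", -40),
    ("disassoc", "00:11:22:33:44:55", None, -40),
    ("disassoc", "00:11:22:33:44:55", None, -40),
    ("disassoc", "00:11:22:33:44:55", None, -40),
    ("beacon", "66:77:88:99:aa:bb", "Lobby-Guest", -70),
]

# Known-good BSSIDs per SSID we operate (constructed).
AUTHORISED = {"Stardollar": {"00:11:22:33:44:55"}}

def find_evil_twins(frames, authorised):
    """Return {ssid: {unknown_bssid: strongest_rssi}} for SSIDs we own."""
    seen = defaultdict(dict)
    for subtype, bssid, ssid, rssi in frames:
        if subtype != "beacon" or ssid not in authorised:
            continue
        if bssid not in authorised[ssid]:
            seen[ssid][bssid] = max(rssi, seen[ssid].get(bssid, -200))
    return dict(seen)

def disassoc_flood(frames, threshold=3):
    """BSSIDs that sent at least `threshold` disassoc/deauth frames. These
    frames are unauthenticated, so a burst is worth an alert on its own."""
    counts = Counter(b for s, b, _, _ in frames if s in ("disassoc", "deauth"))
    return {b: n for b, n in counts.items() if n >= threshold}

def rssi_mismatch(frames, bssid, tolerance=5):
    """True if frames claiming `bssid` span more than `tolerance` dB, which
    hints that two radios (real AP and spoofer) are using one address."""
    levels = [r for _, b, _, r in frames if b == bssid]
    return bool(levels) and max(levels) - min(levels) > tolerance

if __name__ == "__main__":
    print(find_evil_twins(FRAMES, AUTHORISED))        # {'Stardollar': {'de:ad:be:ef:00:01': -40}}
    print(disassoc_flood(FRAMES))                     # {'00:11:22:33:44:55': 3}
    print(rssi_mismatch(FRAMES, "00:11:22:33:44:55")) # True
```

These are heuristics, not proof: a legitimate AP with several radios or a moving sensor can also produce RSSI spread, so alerts should be correlated rather than acted on singly.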
Bluetooth Basics
• Pairing
  • Establishes a trust relationship
  • Uses a shared secret (PIN), exchanges a random number to form key
  • Key used to derive session key for future comms
  • i.e. Pairing only done once
  • NOTE: Pairing is not required to transmit data between devices
  • Used for Trusted <-> Trusted comms
• Profiles are a mechanism to standardize on higher level functionality
  • Keyboard, serial port, file transfer, etc…
Bluetooth Attacks
• Adam Laurie and the Crew at Trifinite.org have been doing much of the publicly available research
  • Bluesnarf, Bluebug, CarWhisperer, etc…
  • Also, a PIN attack that has a flavor of social engineering to it
• No real direct attacks against the security aspects of Bluetooth
  • However, security is not required by default
  • Further, Bluetooth is VERY complicated
Vulnerability Matrix (* = NOT Vulnerable)

| Make | Model | Firmware Rev | BACKDOOR | SNARF when Visible | SNARF when NOT Visible | BUG |
|---|---|---|---|---|---|---|
| Ericsson | T68 | 20R1B 20R2A013 20R2B013 20R2F004 20R5C001 | ? | Yes | No | No |
| Sony Ericsson | R520m | 20R2G | ? | Yes | No | ? |
| Sony Ericsson | T68i | 20R1B 20R2A013 20R2B013 20R2F004 20R5C001 | ? | Yes | ? | ? |
| Sony Ericsson | T610 | 20R1A081 20R1L013 20R3C002 20R4C003 20R4D001 | ? | Yes | No | ? |
| Sony Ericsson | T610 | 20R1A081 | ? | ? | ? | Yes |
| Sony Ericsson | Z1010 | ? | ? | Yes | ? | ? |
| Sony Ericsson | Z600 | 20R2C007 20R2F002 20R5B001 | ? | Yes | ? | ? |
| Nokia | 6310 | 04.10 04.20 4.07 4.80 5.22 5.50 | ? | Yes | Yes | ? |
| Nokia | 6310i | 4.06 4.07 4.80 5.10 5.22 5.50 5.51 | No | Yes | Yes | Yes |
| Nokia | 7650 | ? | Yes | No (+) | ? | No |
| Nokia | 8910 | ? | ? | Yes | Yes | ? |
| Nokia | 8910i | ? | ? | Yes | Yes | ? |
| * Siemens | S55 | ? | No | No | No | No |
| * Siemens | SX1 | | | | | |

Bluetooth - Lessons Learned
• Implementation errors are teh suck
• Most of what’s been uncovered to date with respect to Bluetooth vulnerabilities are actually device vulnerabilities
• Writing secure code in an emerging technology is hard
IR Remotes
• IR has been around for years… and it’s used everywhere. What security concerns could there be?
• IR systems tend to use a predefined series of signals to make events happen
  • European garage door openers use IR… different signals make the door go up and down
  • Hotel remote systems use different patterns to select premium content, modify bar inventory, view bill, etc…
• If you know the patterns, you can replicate the actions using a Linux laptop
• No real state machine for things like hotel systems, therefore you can get free movies, bill beer consumption to other rooms, “tag” the TV, etc…
• http://www.toorcon.org/2005/conference.html?id=21
IR Remotes - Lessons Learned
• First, never let Adam into a hotel room without supervision
• Security through obscurity is not an answer
  • Several payment systems have learned this lesson the hard way
  • BlackBoard also learned this
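The IR lesson is that a fixed code word is both the secret and the command, so anyone who has recorded it owns the action. This added example (not from the talk) models the remedy the lesson points at for the hotel scenario: the receiver in each room holds a per-room key and a last-accepted counter, each command is authenticated with an HMAC over room, counter and action, and replays or frames addressed to another room are rejected. The room numbers, keys and 15-byte frame layout are constructed for the example.

```python
"""Replay-resistant command frames for a room-control receiver. Added
example modelling the fix implied by the IR lesson; keys, room IDs and the
frame layout are constructed and are not any real hotel system's protocol."""
import hmac, hashlib, struct

ACTIONS = {"view_bill": 1, "premium_content": 2, "bill_minibar": 3}
NAMES = {v: k for k, v in ACTIONS.items()}

def make_command(room_key: bytes, room: int, counter: int, action: str) -> bytes:
    """Remote side: 2-byte room, 4-byte counter, 1-byte action, 8-byte HMAC tag."""
    body = struct.pack(">HIB", room, counter, ACTIONS[action])
    tag = hmac.new(room_key, body, hashlib.sha256).digest()[:8]
    return body + tag

class Receiver:
    """Head-end side: holds each room's key and the last counter it accepted."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_counter = {room: 0 for room in keys}

    def accept(self, frame: bytes, from_room: int):
        """Return the action name, or None if the frame is rejected.
        `from_room` is the room whose set-top box physically received the IR."""
        if len(frame) != 15:
            return None
        body, tag = frame[:7], frame[7:]
        room, counter, action = struct.unpack(">HIB", body)
        if room != from_room or room not in self.keys:   # no billing other rooms
            return None
        expected = hmac.new(self.keys[room], body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):       # guessed or altered code word
            return None
        if counter <= self.last_counter[room]:           # replay of a recorded frame
            return None
        self.last_counter[room] = counter
        return NAMES.get(action)

def demo():
    key_101 = b"constructed-key-room-101"
    rx = Receiver({101: key_101, 102: b"constructed-key-room-102"})
    f1 = make_command(key_101, 101, 1, "premium_content")
    return [
        rx.accept(f1, from_room=101),             # 'premium_content'
        rx.accept(f1, from_room=101),             # None: replay
        rx.accept(f1, from_room=102),             # None: frame claims room 101
        rx.accept(make_command(key_101, 101, 2, "bill_minibar"), from_room=101),
        rx.accept(b"\x00" * 15, from_room=101),   # None: fabricated frame
    ]

if __name__ == "__main__":
    print(demo())
```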
More Trends - Hardware Security
• Having trusted hardware can completely change the face of information assurance
  • Secure cryptographic operations
  • Secure key storage
  • Integrity attestation
• By some accounts, can ultimately rid us of the problems of malware, viruses, etc…
• Shockingly, Apple is leading the charge
  • Made Digital Rights Management acceptable to the masses
  • Now using Trusted Platform Module (TPM) for protection of proprietary software
• Many other vendors also working to integrate trusted hardware
• Changes the wireless security situation
  • Makes device authentication easier (hopefully)
  • Real Network level access control can be applied
• Low probability of near term success
  • Massive impact, however
• More info: http://www.trustedcomputing.org/
Summary and Questions?
• Bruce Potter
• potter_bruce@bah.com
• gdead@shmoo.com