Presentation by AirTight Networks

Wireless Vulnerability Management 

Understanding WiFi 

Cyber-attacks 

http://www.airtightnetworks.com/seminar/dsci.html 

Pravin Bhagwat 

pravin.bhagwat@airtightnetworks.com 

Co-founder and CTO 

AirTight Networks 

www.airtightnetworks.com 

To learn how AirTight can help secure your 

wireless network, send email to: 

contact@airtightnetworks.com 

©2008 AirTight Networks, Inc.

WiFi: Background 

Ethernet 

WPA2 

WiFi Access Point 

WPA 

- Extension of wired Ethernet 

- Unlicensed frequency 

- Built-in in laptops, phones 

WiFi Signal area 

WEP 

Open 

WiFi laptop 

Page 2 

Wireless Vulnerability Management ©2008 AirTight Networks, Inc.

Security Breach through WiFi: 

Recent Incidents 

Page 3 


TJX Breach - The Tip of the Iceberg 

• TJX network & servers compromised for 18+ months 

• 94 million payment card accounts compromised 

• Estimated liabilities >$4.5B 

• Other breaches uncovered during the investigation 

• BJ’s Wholesale 

• OfficeMax 

• Boston Market 

• DSW 

• Barnes and Noble 

• Sports Authority 

• Marshalls 

• Forever 21 

Page 4 


Types of WiFi Cyber Attacks 

Attacker 

Sensitive Data Storage 

Attacker 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 

External AP 

Misuse of Internet access 

Theft of confidential 

data or service 

disruption 

Mobile users can 

bypass security 

controls or become 

an easy target 

Page 5 


Wireless Breaks the Wired Security Model 

Layer 7 (Application) 

Layer 6 (Presentation) 

Layer 5 (Session) 

Layer 4 (TCP) 

Layer 3 (IP) 

Layer 2 (MAC) 

Layer 1 (PHY) 

Anti-virus/ spyware/ malware/ spam 

URL filters, Web proxies, IDS 

SSL VPN, Network IDS, Host IDS 

Network & Personal Firewalls, IP-SEC VPN 

Unprotected 

Unprotected 

Wired Security 

Page 6 


Why WiFi Cyber Crime is on Rise? 

Attacker 


Attacker 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 

External AP 

Widespread WiFi 

vulnerabilities & lack of 

public awareness 

Vulnerability 

exploitation is easy; 

Hacking tools are 

readily available 

Breach detection is not 

possible using currently 

deployed security 

systems. 

Page 7 


WiFi Vulnerabilities: 

Airport Scanning Report 

Mumbai, Pune & Bangalore Scan 

Results 

Page 8 


Airport WiFi Scan Study Methodology 

• Phase 1: Visited 14 airports world-wide (11 in US; 3 in Asia-Pacific). Number of 

Access Points = 478; Number of Clients = 585 

• Phase 2: Visited 13 additional airports worldwide (9 in US, 2 in Europe, 2 in Asia- 

Pacific) 

• Traces collected between 30 Jan 2008 through 8 Feb 2008. 5 minute scans at 

randomly selected location 

>> Portland (PDX) 

>> Chicago (ORD) 

>> Ottawa (YOW) 

>> Newark (EWR) 

Seoul (ICN) 

>> San Francisco(SFO) 

>> San Jose (SJC) 

>> Pittsburgh (PIT) 

>> Philadelphia (PHL) 

Malaysia (KLIA) 

Singapore (SIN) 

>> Orange County (SNA) 

>> Myrtle Beach (MYR) 

Page 9 

Wireless Vulnerability Management ©2008 AirTight Networks, Inc. 

>> West Plam Beach (PBI)

WiFi Scan of Mumbai, Pune and Bangalore 

Page 10 


A Closer Look at South Mumbai Results 

Access Points (Total 637) 

WPA 

12% 

WEP 

42% 

802.11i 

6% 

Open 

(default) 

13% 

Open 

27% 

• 40% of the APs in the survey are 

OPEN 

• 13% APs being used in default 

configuration -- factory default 

setting (OPEN, default password, 

SSID) 

• 42% (security conscious users?) are 

relying on WEP 

• Only 18% using WPA/WPA2 

Strong Strong evidence highlighting the the need need to to educate WiFi WiFi users users about about security 

Page 11 


Similar Trend Found in Airport Scan Results 

• Majority of Wi-Fi networks are 

OPEN 

• A large number of WEP 

installations are also visible 

~28% 

• Small % of secure WPA/WPA2 

Wi-Fi networks 

But are all these hotspots? 

Page 12 


A magnified look at “unsecured” access 

points 

41% Hotspot APs 

Non Hotspot APs 59% 

• Concourse 

• tmobile 

• Wayport 

• AttWi-Fi 

• FlyPittsburgh 

• Flypdx 

• singaporeair_B 

• singaporeair_F 

• JWA Hotspot 

• Ft.Laud-Hlwd_ Airport-Public 

• ACCESS-StarHub 

(1) Hotspot APs don’t 

hide SSID 

(2) Hotspot SSIDs are 

well known/published 

and advertised 

(3) Usually signal from 

multiple hotspot APs is 

visible at any coverage 

location 

• (null ssid) 

• Backbone 

• PacGate 

• LGDacom 

• SFOPRIVATE 

• Ice Currency Services 

• IAACCO 

• KIOSKWIRELESS 

• BullPenH1 

• AceRail 

• e-Baggage Trial AP1 

Page 13 


What is WEP being used for? – Airport 

Scan Example 

• Many of the unsecured WiFi networks being used 

for: 

• Baggage handling 

• Passenger ticketing 

• Retailer stores 

“Hidden” SSID of an 

AP can be discovered 

in minutes! 

Page 14 


Target Networks are Also Easy to Identify 

Nandish 3Com DISHNET-BLR THE SLDASM PARK HOTEL The Oberoi, 

Bangalore, Taj, INFOEDGE, NSN-Guests Sunrise SMC SJCC.PG siraj SignaDesign 

SHELLVMR NSN-DC-BLR-Corina Unison SJCC.BCOM International 

CENTRAL PARK Sterling Suites Livevox linksys-usl lakhome KZAVMI Kusuma HCLD5 

HCLconf Pioneer HCLACCOUNTS INSPIRON INSILICA Infospace hm-wifi-data Highstreet 

Capital Hcbg3rd1 Hathway Microsense-Savannah UTStarcom BroVis Aricent Guest 

Aricent Employee guest-access ABD Network INN BANGALORE linksys 

guest-access Airlink EDGESOFT Taj hotels AMAT_Prod Lepapillon lekhraj 

Opsource_India Axentis Software India Blr Fortune Select JAGRANSOLUTIONS 

vger Trinity Mobily Infotech MSFTWLAN HHPL Hcbg3rd2 IBM Fidility1 A A 

ROYAL SUBWAY SMCBLR ORCHID Prudential WiFi Madhu lr LORDS essar-beetel 

domino's aztec1ff3 Amadeus-WAP-3F CENTRAL PARK Sysfore-Conference 

Page 15 


Tackling WiFi Security Challenge 

Page 16 


DoT Regulation dated 23 Feb 2009 

Home Users 

WiFi Hotspots 

Organizations 

• Aimed at regulating anonymous misuse of Internet access 

• Mandates use of centralized authentication for Internet usage/WiFi services 

• Regulation being channeled through ISPs. Compliance is required within 

four months 

Page 17 


Types of WiFi Cyber Attacks: Revisited 

Attacker 


Attacker 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 

External AP 

Misuse of Internet access 

DoT regulation is aimed at 

solving only the first 

problem 

Theft of confidential 

data or service 

disruption 

Mobile users can 

bypass security 

controls or become 

an easy target 

Page 18 


WiFi Security: Practical Issues from 

Enterprise and Service Provider’s 

Perspective 

Page 19 


Using Centralized Authentication over WPA/WPA2 

Eavesdropping 

Unauthorized Access 

Unauthorized access to network will be blocked 

WPA, WPA2 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 

Page 20 


Practical Issues: #1 

Using Centralized Authentication 

over OPEN or WEP 

‣Guest access in enterprise scenario 

‣Hotspot service providers 

‣Home WiFi 

Page 21 


Recall: Wireless Breaks the Wired Security 

Model 

Layer 7 (Application) 

Layer 6 (Presentation) 

Layer 5 (Session) 

Layer 4 (TCP) 

Layer 3 (IP) 

Layer 2 (MAC) 

Layer 1 (PHY) 

Anti-virus/ spyware/ malware/ spam 

URL filters, Web proxies, IDS 

SSL VPN, Network IDS, Host IDS 

Network & Personal Firewalls, IP-SEC VPN 

Unprotected 

Unprotected 

Wired Security 

Page 22 


Using Centralized Authentication over OPEN or WEP 

-Most hot spot providers using 

Web based authentication 

-After authentication is 

successfully carried out, a hacker 

can still gain network access 

using MAC address spoofing 

tools 

2) Free toosl such as S-Mac or 

Mac MakeUp make spoofing a 

push button exercise 

Unauthorized access still possible despite use of 

central authentication! 

Page 23 



Open Access Points 

Misconfigured Access Points 

Rogue Access Points 

Page 24 


Rogue AP = Unauthorized AP attached to 

the enterprise network 

• Backdoor to the wired enterprise network 

• If goes undetected, can completely compromise all your network 

defenses 

• Comes in many forms 

Host AP 

• Corporate espionage, insider attack, or simply an unwitting, 

impatient employee looking for WiFi access 

WiFi USB drives 

Pocket AP 

Wall jack AP 

Page 25 


Presence of Open, Misconfigured and Rogue AP can 

cause problem 

Unauthorized User 


OPEN 

Misconfigued 

APs 

Rogue 

APs 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 

Adhoc connections 

• Outsider can steal sensitive data on the 

wire 

• Outsider can scan all enterprise devices 

and servers for vulnerabilities and exploit 

them 

• Unauthorized internet access still 

possible! 

Page 26 



Dealing with Open Neighbor APs 

Page 27 


WiFi Signal Spillage from Neighbor’s APs 

Page 28 


Deliberate or inadvertent connections to 

neighbor APs 


OPEN 

• Deliberate 

• Employees get enticed to connect to Open external APs 

– Unprotected APs in the neighborhood, Hotspots 

• Inadvertent 

• Windows wireless connection utility caches earlier connected networks 

• Actively seeks to connect to those networks later 

– Most common with default SSIDs (linksys, default) and hotspot SSIDs (tmobile, 

GoogleWiFi) 

• Traffic over such connections bypasses enterprise security controls 

Page 29 



Threat of Wi-Phishing & 

Man-in-the-middle attacks 

Page 30 


Misassociations: Connections to a 

Honeypot (evil twin) 

• An attacker sets up an AP that advertises SSID 

which is being probed by WiFi clients or that 

advertises SSID of a nearby enterprise or hotspot 

• Induces WiFi clients into connecting to it 

Hacker 

• Can launch variety of attacks after connection is 

established 

• Stealing sensitive corporate data 

• Man-in-the-middle/Wi-Phishing 

• Scanning the laptop for vulnerabilities (e.g., 

Metasploit) 

Free WiFi 

• Honeypot attack tools are freely available over 

Internet 

• KARMA, Delegated 

Page 31 


Video: Wi-Phishing using Honeypot 

Page 32 


Best Practices Enterprise Wireless 

Security: 

Page 33 


Layered Approach to Wireless Security 

Eavesdropping 


Cracking Exploits 

MAC spoofing attacks 

Denial of Service 

Wi-Phishing 

Honeypots 

External APs 

External Users 

WEP, WPA, WPA2 

Guest Access 

Misconfigured AP 

Rogue AP 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 


Common Wireless Vulnerabilities and Threats 

Page 34 


Layered Approach to Wireless Security 

Eavesdropping 


Cracking Exploits 

MAC spoofing attacks 

Denial of Service 

Wi-Phishing 

Honeypots 

External APs 

External Users 

WEP, WPA, WPA2 

Guest Access 

Misconfigured AP 

Rogue AP 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 


Re-establish Your Network Security Perimeter 

Page 35 


Wireless Intrusion Prevention System (WIPS): 

Making sure someone is watching! 

Page 36 


SpectraGuard Product Family 

• SpectraGuard Enterprise Server and Sensors for 

mid to large organizations 

• Server can be delivered on an AirTight Appliance or 

a ProCurve ONE Service Module 

• Sensors to support 802.11n and 802.11abg 

networks 

• SpectraGuard Online 

• AirTight SpectraGuard delivered as a service 

offering with no capital equipment purchase 

required 

Page 37 


Implementing Secure WiFi 

1. WiFi access should 

be secure and 

restricted to only 

authorized users 

Guest Users 

Unauthorized users 

4. Unauthorized 

access & security 

policy violations 

should be centrally 

detected, logged 

and blocked. 

WPA, WPA2 

Guest Access 

Autonomous APs 

Test APs 

Firewall 

Wired IPS 

SPAM/AV 

URL filtering 

2. Guest WiFi access 

(for visitors) should 

be monitored so that 

its misuse can be 

detected and 

prevented 

3. Autonomously 

operated APs 

should conform to 

enterprise security 

policies 

Page 38 


Promote Safe and Secure Use of WiFi 

Regulatory Regulatory Framework Framework 

Policy Making 

Awareness Awareness Campaign Campaign 

Education 

WiFi WiFi Security Security Audits Audits 

Regulation/ 

Law Enforcement 

WiFi WiFi Security Security Technology 

Technology 

Technology Solutions 

Who’s at risk 

Home Users 

WiFi Hotspots 

Organizations 

• Promote measures to reduce WiFi Cyber Attack Exposure through collaboration of 

regulatory, law enforcement agencies and through public private partnership 

• Education: encourage users to adopt security best practices 

• Regulation: require periodic self-audits, forensic log maintenance and compliance to standards 

• Enforcement: empower & train law enforcement agencies 

• Technology: use technology where appropriate to meet the desired security objectives 

Page 39 


Is Your Network at Risk? 

Are your sensitive corporate 

secrets leaking over the air? 

Are your employees connecting 

to neighbor’s WiFi networks? 

Are you having difficulty 

enforcing your corporate security 

policies at multiple sites? 

Internet 

If answer to any of these questions is a 

“Not Sure” or “Yes” then your enterprise 

is vulnerable to a wireless security breach. 

Can someone across the 

street shutdown your 

WiFi network? 

Are rogue WiFi devices attached 

to you enterprise network? 

Page 40 


Offerings by AirTight Networks 

WiFi Security Training 

WiFi Security Audit 

WiFi Intrusion Prevention 

Services 

WiFi Security Course 

(2 days) 

After attending this course you 

should be able to: 

Understand the risks 

associated with WLANs 

Learn threats posed by WiFi 

hackers 

Learn different techniques to 

manage and secure WLANs 

Services 

Vulnerability Scan and Audit 

Detect unauthorized or 

insecure WiFi devices in your 

premises 

Assess compliance to WiFi 

security best practices 

Detailed reports 

One time or Quarterly 

Products 

SpectraGuard Enterprise 

Best wireless intrusion prevention 

for complete 24/7 protection from 

all wireless threats: 

Detect and Locate block rouge 

devices 

Stop Data Leakage 

Prevent unauthorized access 

Prevent WiFi hack attacks 

Page 41

Presentation by AirTight Networks

Create successful ePaper yourself

Delete template?

Save as template?