@dinosec Vulnerabilidades Wi-Fi de … · 2014-03-23 · Vulnerabilidades Wi-Fi de dispositivos...

2014 © Dino Security S.L.

All rights reserved. Todos los derechos reservados.

w w w. d i n o s e c . c o m

@ d i n o s e c

Vulnerabilidades Wi-Fi de dispositivos

móviles en redes empresariales

802.1x/EAP

Raúl Siles

[email protected]

@raulsiles

12 marzo 2014 - UCLM

Ciclo de conferencias de Seguridad Informática

2014 © Dino Security S.L.

All rights reserved. Todos los derechos reservados.


@ d i n o s e c

Mobile Devices Wi-Fi Vulnerabilities in

802.1x/EAP Enterprise Networks

Raúl Siles

[email protected]

@raulsiles

March 12, 2014 - UCLM

Ciclo de conferencias de Seguridad Informática

3 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.

Outline

• Wi-Fi challenges nowadays

• Wi-Fi (mobile) clients behavior

– The PNL

• Wi-Fi network impersonation

– Attacking Wi-Fi enterprise clients

• Wi-Fi clients security recommendations

• References


Wi-Fi Challenges Nowadays?


Wi-Fi Challenges Nowadays?

http://www.huffingtonpost.com/vala-afshar/50-incredible-wifi-tech-s_b_4775837.html


Wi-Fi Security Challenges

Nowadays?

Super Bowl Security Command Center 2014: Broadcast on TV


Wi-Fi Security Challenges

Nowadays?

Target: Wi-Fi Infrastructure vs. Wi-Fi Clients


Wi-Fi (Mobile) Clients Behavior


How Wi-Fi Clients Work?

• Users connect to Wi-Fi networks by…

1. Selecting them from the list of currently

available networks in the area of coverage

2. Adding them manually to the Wi-Fi client

• Security settings are mandatory (if any)

– Open, WEP, WPA(2)-Personal & WPA(2)-

Enterprise

• Networks are remembered and stored for future

connections: list of known networks

The Preferred Network List (PNL)


The Preferred Network List (PNL)


Disclosing the PNL

• How Wi-Fi clients discover available Wi-Fi networks?

• Do Wi-Fi clients really disclose their PNL?

– By default

• Hardware, firmware, Wi-Fi drivers & supplicant (SW)

– Hidden Wi-Fi networks

– Do mobile devices really disclose their PNL?

• Manually adding Wi-Fi networks

– Is Android constantly scanning for Wi-Fi networks?

– iOS 5.x case study

– Weird and difficult to reproduce scenarios…


How Wi-Fi Clients Discover

Available Wi-Fi Networks?

• Passive scan

– Beacons

– Every 100ms (10 frames/sec)

• SSID?

• Active scan

– Probe request / response

– (Wildcard or broadcast) SSID?


Hidden Wi-Fi Networks

• Hidden Wi-Fi networks (cloaked or non-broadcast) – Still today a very common security best practice…

– … with relevant security implications for the Wi-Fi clients

– Beacon frames do not contain the SSID (empty)

• Visible (or broadcast) Wi-Fi networks include the SSID in their beacon frames – Wi-Fi clients need to know the SSID to connect to the network

• So how Wi-Fi clients connect to hidden Wi-Fi networks? – Wi-Fi clients have various networks (SSIDs) in their PNL

• Wi-Fi clients have to specifically ask for the hidden Wi-Fi networks in their PNL by sending probe requests containing the SSID – As a result they have to disclose their PNL !!

PNL was disclosed by Wi-Fi clients in the past (2005; Win XP fix in 2007)


Security Risks of Disclosing the

PNL


• An attacker can impersonate the

various Wi-Fi networks available in

the PNL

– Different methods based on the security

settings

• People didn’t pay enough attention to

this because…

– …there was no name for it!

Security Risks of Disclosing the PNL

War Standing or War “Statuing” (Statue)


War Standing Risks


Wi-Fi Network Impersonation


Wi-Fi Network Impersonation (1/2)

• When entries in the PNL are disclosed by Wi-Fi

clients… someone can force the victims to

(silently) connect to the attacker’s Wi-Fi network

– Karma-like attacks (since 2004)

– AP impersonation (or fake AP): anywhere in the world

– Evil-twin: area of coverage of the legitimate network

• Strongest signal wins (or less battery drawing network)

• The victim shares the network with the attacker

– Full network connectivity at layer 1&2 and above

– MitM: Man-in-the-Middle attacks


Wi-Fi Network Impersonation (2/2)

• Fully impersonate the Wi-Fi network…

– 802.11 AP, DHCP server, DNS server, routing and

NAT capabilities, RADIUS server…

• Two prerequisites

– SSID (Wi-Fi network name)

• Disclosed from the PNL

– Wi-Fi network security type

• Security type requirements

– Open, WEP & WPA(2)-Personal, WPA(2)-Enterprise


Open Wi-Fi Networks…


Attacking Wi-Fi Clients: Open

“Nobody never ever connects to an open Wi-Fi network!” Right?


WPA(2)-Enterprise Wi-Fi Networks


Wi-Fi Enterprise Networks

• How to verify the RADIUS server

certificate?

– CN, CA, expiration + revocation & purpose

• There is no URL like in the web browsers (X.509 CN)

• Wi-Fi client, access point (AP),

and RADIUS server

• Multiple user credentials

allowed (802.1X/EAP types)


FreeRADIUS-WPE

• FreeRADIUS-Wireless Pwnage Edition (WPE) – SchmooCon 2008: Joshua Wright & Brad Antoniewicz

• Attacker impersonates the full Wi-Fi network

infrastructure (AP + RADIUS server + …)

• PEAP & TTLS – Inner authentication: MS-CHAPv2 (or others)

– Username + Challenge/Response (hash)

– Mutual authentication

http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf

http://www.willhackforsushi.com/?page_id=37

http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html

https://github.com/brad-anton/freeradius-wpe


MS-CHAPv2 Cracking

• asleap (+v2.1) - Joshua Wright – Crack challenge (-C) and response (-R)

• http://www.willhackforsushi.com/Asleap.html

– Dictionary attack (DES x 3)

• genkeys – Precomputed MD4 hashes (indexed list of passwords)

• Indexed by the last two bytes of MD4 hash (brute force) – Challenge (8-byte) & MD4 hash (16-byte) ≈ Response (24-bytes)

• MS-CHAPv2 cloud cracking – Defcon 20 (2012): Moxie Marlinspike & David Hulton

• https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

– Brute force attack (256 ≈ DES) – FPGA box: ~ 12-24h • www.cloudcracker.com & chapcrack (100% success rate = $200)

Strength of user passphrase... not any more!


FreeRADIUS-WPE in Action


SANS SEC575

(FreeRADIUS) EAP Dumb-Down

• Multiple EAP types available

– Mobile devices seem to prefer to use PEAP

(MS-CHAPv2) by default

• But in reality they use the preferred EAP

method set by the RADIUS server

– GTC-PAP: Log credentials in cleartext

• Username and passphrase

• Additionally it might allow automatic full

Wi-Fi network impersonation (MitM)

Strength of the user passphrase is irrelevant


EAP Dumb-Down in Action


Mobile Devices Behavior Against

FreeRADIUS-WPE & EAP Dumb-Down

• FreeRADIUS-WPE

– iOS: UI & configuration profile

– Android

– WP 7.x & 8

– BlackBerry 7.x

• EAP Dumb-Down

– iOS: UI & configuration profile

– Android

– WP 7.x & 8

– BlackBerry 7.x

"Why iOS (Android & others) Fail inexplicably"

User creddentials (not

just the Wi-Fi secret):

Other corporate

services?

Full MitM connectivity


Full Wi-Fi Network Impersonation For Fun & Profit by Example


Wi-Fi Network Impersonation Exploitation

For Fun

http://www.ex-parrot.com/pete/upside-down-ternet.html


• iOS update to 7.0.6 (Feb 21, 2014)

– 6.1.6 (iPhone 3GS & iPod Touch 4th)

– OS X 10.9 “Mavericks” (no patch)

• Lack of proper certificate validation

– DHE & ECDHE (CVE-2014-1266)

– https://www.imperialviolet.org:1266

– https://www.gotofail.com

https://www.imperialviolet.org/2014/02/22/applebug.html

Wi-Fi Network Impersonation Exploitation

For Profit - Goto Fail


Wi-Fi Clients Security

Recommendations


Wi-Fi Clients Configuration

Recommendations

• Turn off the Wi-Fi interface if not in use

• Do not configure Wi-Fi networks as hidden

• Do not add Wi-Fi networks manually to

mobile devices (= hidden network)

• Manage & clean-up the PNL periodically • Individually and enterprise level (MDM)

• Wi-Fi policy: What type of networks…?

• Properly add Wi-Fi enterprise networks…


Wi-Fi Enterprise Recommendations

(1/2)

• Wi-Fi supplicants must always…

– Trust only the specific CA used for the Wi-Fi network

• Not a good idea to use the full list of public trusted CAs

• A private CA is a better option than a public CA assuming an

attacker cannot get a legitimate certificate from it

– Define the specific (set of) RADIUS server(s) name(s)

used (X.509 CN)

• Do not provide options to disable certificate validation

– Define and force the specific EAP type used

• Define the inner authentication method (e.g. MS-CHAPv2)

• Do not downgrade to other EAP types (EAP dumb-down)


Wi-Fi Enterprise Recommendations

(2/2)

• WPA2-Enterprise: Full Wi-Fi network validation

– Do not ask the user!

• Wi-Fi Enterprise is inherently “broken”

– How to add a new RADIUS server?

• Modify the config of all Wi-Fi clients in the organization

• User credentials strength

– Passphrase

• EAP/TLS: client digital certificates + PKI

• WIDS (evil-twin)


References


References

• "Why iOS (Android & others) Fail inexplicably" – http://www.dinosec.com/docs/RootedCON2013_Taddong_Raul

Siles-WiFi.pdf

– http://vimeo.com/70718776

• DinoSec Security Advisories – http://blog.dinosec.com/p/security-advisories.html

• "Wi-Fi (In)Security - All Your Air Are Belong To..." – http://www.dinosec.com/docs/Wi-Fi_(In)Security_GOVCERT-

2010_RaulSiles_Taddong_v1.0_2pages.pdf

• DinoSec Lab – Publications – http://www.dinosec.com/en/lab.html

• DinoSec Lab – Tools: iStupid – http://www.dinosec.com/tools/iStupid_1.0.tgz

“You think that’s air

you’re breathing now?”

Morpheus to Neo during the scene when he was teaching him in the

virtual dojo on board the ship The Nebuchadnezzer


Questions


@ d i n o s e c

R a ú l S i l e s

r a u l @ d i n o s e c . c o m

@ r a u l s i l e s

@dinosec Vulnerabilidades Wi-Fi de … · 2014-03-23 · Vulnerabilidades Wi-Fi de dispositivos...

Documents

Transcript of @dinosec Vulnerabilidades Wi-Fi de … · 2014-03-23 · Vulnerabilidades Wi-Fi de dispositivos...