Wireless Spreading of WiFi APs Infections Using WPS Flaws

Wireless Spreading of WiFi APs Infections Using WPS Flaws

1dd7176bac1e853c31abbde4bdd12c92?s=128

Amirali Sanatinia

October 16, 2013
Tweet

Transcript

  1. 1 Wireless Spreading of WiFi APs Infections Using WPS Flaws

    Amirali Sanatinia, Sashank Narain, Guevara Noubir
  2. 2 In a Nutshell • Security flaws in WiFi APs

    • Measurement study in Boston • Network of susceptible APs • Possibility of an airborne infection • Compromise one AP, and let the infection spread
  3. 3 Outline • Introduction • WiFi Security • Data Collection

    • Connectivity Analyses • Spread Analyses • Countermeasures • Conclusion
  4. 4 WiFi APs • Gateway to home connectivity • Do

    not run Anti Virus (AV), no supervision • No automatic update mechanism, rarely patched • Wirelessly interconnected • Can result in DoS attack on Internet and RF spectrum • Ideal target
  5. 5 AP Gone Rogue • Eavesdrop on un-encryprted traffic •

    Man-in-the-middle (MITM) attacks, strip TLS • CRIME, BEAST, BREACH attack • Phishing, DNS pharming • Inject “crafted” signatures in Android [Fahl, CCS '12] • Prevent or delay updates to desktop and mobile OS • Privacy concerns – Identify user behaviour, whereabouts, leak information • Disturbed botnet
  6. 6 WiFi Security • WEP (1999) as part of IEEE

    802.11 standard • First broken in 2001, [Fluhrer, SAC '01] • WPA (2003) as an more secure intermediate before WPA2 • WPA2 (2004), secure but not perfect • WPS (2006), facilitate establishment of secure connections • In 2011 Stefan Viehböck found flaws in WPS [VU#723755]
  7. 7 WPS Protocol

  8. 8 Data Collection • War-driving in four neighbourhoods of Boston

    • Asus Eee PC 1000 HE • Three TP-Link TL-WN722N, Alfa 9dBi high gain antennas • GlobalSat BU-335 USB GPS
  9. 9 Data Collection • Passive data collection • Beacon frames

    broadcasts, with PPI GPS header • Channel 1, 6, 11 (orthogonal) • BSSID, ESSID, signal strength, latitude, longitude, encryption mode
  10. 10 Neighbourhoods 1) Allston: residential, young population, BU students 2)

    Back Bay: residential, young professional and families, high income 3) Fenway: home to many schools, mostly students, NEU 4) South Boston: Dense residential area, large working class population
  11. 11 Neighbourhoods South Boston Back Bay Allston Fenway

  12. 12 Basic Statistics Back Bay (32787) Encryption Number of APs

    Percentage WEP 5369 16% OPEN 5051 15% WPA/WPA2 22367 69% WPS 7809 35% Allston (15422) Encryption Number of APs Percentage WEP 1667 11% OPEN 1598 10% WPA/WPA2 12157 79% WPS 6149 51% South Boston (14756) Encryption Number of APs Percentage WEP 1874 13% OPEN 1110 7% WPA/WPA2 11772 80% WPS 5504 47% Fenway (26306) Encryption Number of APs Percentage WEP 4093 16% OPEN 3427 13% WPA/WPA2 18786 71% WPS 5764 31%
  13. 13 Connectivity Radius • Convex hull algorithm to compute a

    lower bound for R • Calculated the farthest distance between the points on the convex hull, divided by two; (41 meters)
  14. 14 Connectivity Graph • Two APs are connected if they

    are in R-proximity • Coordinates of the strongest signal as the location of AP • Attack can be performed any time during the day • Higher reach of the wireless signal at quiet and idle times
  15. 15 Connectivity Graph South Boston WEP Radius Avg. Deg. Conn.

    Comp. 15 8.34 437 30 12.99 117 50 20.16 15 75 31.52 2 WPS 15 18.38 277 30 33.64 23 50 55.77 1 75 93.36 1 WEP+WPS 15 23.64 223 30 43.36 10 50 72.43 1 75 121.09 1 Back Bay WEP Radius Avg. Deg. Conn. Comp. 15 42.62 216 30 69.85 32 50 115.10 1 75 119.74 1 WPS 15 40.02 124 30 82.36 20 50 157.90 3 75 285.97 1 WEP+WPS 15 65.48 57 30 126.19 11 50 233.73 1 75 420.98 1
  16. 16 Infection Steps • Check if AP is vulnerable (WEP/WPS)

    • Crack WEP/WPS • Guess Admin Password • Infect and re-flash • Try to compromise other APs
  17. 17 SIR Compartmental Model • Models the progress of an

    epidemic • Divides population to compartments – Susceptible, Infected, Recovered (SIR) • Captures characteristics of our model • Other alternatives, e.g. SEIR
  18. 18 SIR Spread Model

  19. 19 SIR Parameters • p 1 = 60 60% •

    p 1Stime = 3 3, 6 6, 9 9 hours, p 1Ftime = 10 10 min • Many use default configurations, out of the box ➔ q 1 = 50 50%, u 1 =50 50% • t 1 =100 100%, t 1Stime = 20 20 min • r 1 = 80 80% and s 1 = 10 10% • r 1Stime = r 1Ftime = 60 60 min • s 1Stime = s 1Ftime = 120 120 min
  20. 20 Infection Spread • %WPS WPS * (p 1 *

    q 1 * r 1 + p 1 * (1-q 1 ) * s 1 ) • %WEP WEP * (t 1 * u 1 * r 1 + t 1 * (1-u 1 ) * s 1 ) ➢ Theoretical average upper bound in a single connected component is 32 32% • R = 50m; 19% to 23%, in 97.1 to 137.5 days • R = 75m; 33% to 35%, in 109.1 to 194.5 days • R = 90m; 34% to 35%, in 62.5 to 189.9 day
  21. 21 Infection Spread 50 M 75 M 90 M

  22. 22 Countermeasures • Disable WPS; unfortunately not possible with some

    vendors • WPS enabled by default without users knowledge • APs not wireless ready , high chance of misconfiguration • Investigate over 540,000 publicly available devices, over 13% use default root passwords [Cui, ACSAC '10 ] • Intrusion Detection System that use flow characteristics of WiFi network, e.g. Kismet • Use of reliable bootstrap architect5ures and malicious code detectors [Arbaugh, ACSAC '02; Adelstein SP '97]
  23. 23 Suggestions • More secure and more intuitive authentication mechanisms

    [Cassola, Mobisys '11] • New trend (SDN) and view of the APs [Kim, Comm. Mag. '13] • Easier management and configuration mechanism • Incentive for vendors to maintain APs • Roku, Meraki are good examples of such view
  24. 24 Lessons • Similar infection and spreading characteristics in different

    neighbourhoods • WEP is still used, although it's known to be flawed • WPA/WPA2 are “secure” alternatives, not perfect • New enhancement (WPS) made it worst
  25. 25 Thank You! Questions?