@dinosec vulnerabilidades wi-fi de … · 2014-03-23 · vulnerabilidades wi-fi de dispositivos...
TRANSCRIPT
2014 © Dino Security S.L.
All rights reserved. Todos los derechos reservados.
www.dinosec.com
@dinosec
Mobile Devices Wi-Fi Vulnerabilities in
802.1x/EAP Enterprise Networks
(Vulnerabilidades Wi-Fi de dispositivos móviles en redes empresariales 802.1x/EAP)
Raúl Siles
@raulsiles
March 12, 2014 - UCLM
Computer Security Lecture Series (Ciclo de conferencias de Seguridad Informática)
Outline
• Wi-Fi challenges nowadays
• Wi-Fi (mobile) clients behavior
– The PNL
• Wi-Fi network impersonation
– Attacking Wi-Fi enterprise clients
• Wi-Fi clients security recommendations
• References
Wi-Fi Challenges Nowadays?
http://www.huffingtonpost.com/vala-afshar/50-incredible-wifi-tech-s_b_4775837.html
Wi-Fi Security Challenges Nowadays?
Super Bowl Security Command Center 2014: Broadcast on TV
Wi-Fi Security Challenges Nowadays?
Target: Wi-Fi Infrastructure vs. Wi-Fi Clients
Wi-Fi (Mobile) Clients Behavior
9 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
How Do Wi-Fi Clients Work?
• Users connect to Wi-Fi networks by…
1. Selecting them from the list of networks currently available in the area of coverage
2. Adding them manually to the Wi-Fi client
• Security settings are mandatory (if the network has any)
– Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise
• Networks are remembered and stored for future connections: the list of known networks
The Preferred Network List (PNL)
The Preferred Network List (PNL)
Disclosing the PNL
• How do Wi-Fi clients discover available Wi-Fi networks?
• Do Wi-Fi clients really disclose their PNL?
– By default
• It depends on the hardware, firmware, Wi-Fi drivers & supplicant (software)
– Hidden Wi-Fi networks
– Do mobile devices really disclose their PNL?
• Manually added Wi-Fi networks
– Is Android constantly scanning for Wi-Fi networks?
– iOS 5.x case study
– Weird and hard-to-reproduce scenarios…
How Do Wi-Fi Clients Discover Available Wi-Fi Networks?
• Passive scan
– Beacons sent by the AP
– Every ~100 ms (about 10 frames/s)
• Does the beacon carry the SSID?
• Active scan
– Probe request / probe response
– Which SSID is probed for: the wildcard (broadcast) SSID or a specific one?
Hidden Wi-Fi Networks
• Hidden Wi-Fi networks (cloaked or non-broadcast)
– Still today a very common "security best practice"…
– … with relevant security implications for the Wi-Fi clients
– Beacon frames do not contain the SSID (the SSID element is empty)
• Visible (broadcast) Wi-Fi networks include the SSID in their beacon frames
– Wi-Fi clients need to know the SSID to connect to the network
• So how do Wi-Fi clients connect to hidden Wi-Fi networks?
– Wi-Fi clients have various networks (SSIDs) in their PNL
• Wi-Fi clients have to specifically ask for the hidden Wi-Fi networks in their PNL by sending probe requests containing the SSID
– As a result they have to disclose their PNL!!
The PNL was already disclosed by Wi-Fi clients in the past (2005; Windows XP fix in 2007)
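To make the hidden-network problem concrete, here is an added example (not code from the slides) that parses raw 802.11 management frames and reconstructs, per client MAC address, the PNL entries the client leaked in directed probe requests, while also listing the APs whose beacons carry an empty SSID. The "captured" frames are constructed inline by the builder functions (no radiotap header, no FCS; the MAC addresses and SSIDs are made up); on a real capture you would feed it the frames read from a monitor-mode interface instead.

```python
"""Recover the PNL disclosed by Wi-Fi clients from raw 802.11 management frames.
Added example (not from the slides); the 'captured' frames below are constructed
with the builders here, with no radiotap header and no FCS."""
import struct
from collections import defaultdict

MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, seq ctrl
SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 4, 8   # management (type 0) subtypes
IE_SSID, IE_RATES = 0, 1
BROADCAST = b"\xff" * 6

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ie(eid, data):
    """Information element: ID, length, payload."""
    return bytes([eid, len(data)]) + data

def build_probe_request(src, ssid=""):
    """ssid="" gives a wildcard probe (SSID IE of length 0); anything else is a
    directed probe, i.e. a client asking for one of its PNL entries by name."""
    fc = SUBTYPE_PROBE_REQ << 4              # version 0, type 0 (management)
    hdr = MGMT_HDR.pack(fc, 0, BROADCAST, mac_to_bytes(src), BROADCAST, 0)
    return hdr + ie(IE_SSID, ssid.encode()) + ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))

def build_beacon(bssid, ssid, hidden=False):
    """A hidden (non-broadcast) network beacons with an empty SSID element."""
    fc = SUBTYPE_BEACON << 4
    hdr = MGMT_HDR.pack(fc, 0, BROADCAST, mac_to_bytes(bssid), mac_to_bytes(bssid), 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU interval, capabilities
    return hdr + fixed + ie(IE_SSID, b"" if hidden else ssid.encode())

def parse_ies(body):
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies

def parse_mgmt(frame):
    """Return (subtype, source MAC, SSID) for a management frame, else None."""
    fc, _, _, addr2, _, _ = MGMT_HDR.unpack_from(frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        return None
    body = frame[MGMT_HDR.size:]
    if subtype == SUBTYPE_BEACON:
        body = body[12:]                      # skip the fixed beacon fields
    ssid = parse_ies(body).get(IE_SSID, b"")
    return subtype, bytes_to_mac(addr2), ssid.decode("utf-8", "replace")

def extract_pnl(frames):
    """client MAC -> sorted SSIDs it probed for by name. Wildcard probes reveal
    nothing and are skipped; every directed probe is a PNL entry leaked on the air."""
    pnl = defaultdict(set)
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] == SUBTYPE_PROBE_REQ and parsed[2]:
            pnl[parsed[1]].add(parsed[2])
    return {mac: sorted(ssids) for mac, ssids in pnl.items()}

def hidden_networks(frames):
    """BSSIDs beaconing with an empty SSID: the APs that force clients to probe by name."""
    return sorted({p[1] for p in map(parse_mgmt, frames)
                   if p and p[0] == SUBTYPE_BEACON and not p[2]})

# Constructed capture: a laptop that only scans with wildcard probes, a phone that
# also asks for two PNL entries by name, one hidden AP and one visible AP.
CAPTURE = [
    build_probe_request("02:11:22:33:44:55"),
    build_probe_request("02:aa:bb:cc:dd:ee"),
    build_probe_request("02:aa:bb:cc:dd:ee", "CorpWiFi"),
    build_probe_request("02:aa:bb:cc:dd:ee", "HomeNet"),
    build_beacon("00:de:ad:be:ef:01", "CorpWiFi", hidden=True),
    build_beacon("00:de:ad:be:ef:02", "GuestWiFi"),
]

if __name__ == "__main__":
    print("disclosed PNL:", extract_pnl(CAPTURE))
    print("hidden BSSIDs:", hidden_networks(CAPTURE))
```

The laptop that only sends wildcard probes never shows up in the result: it learns about visible networks from beacons and probe responses without naming anything. The phone does show up, because a hidden "CorpWiFi" in its PNL can only be found by asking for it by name, and once it asks, "HomeNet" and any other directed probe are heard by everyone in range, which is exactly what War Standing collects.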
Security Risks of Disclosing the PNL
• An attacker can impersonate the various Wi-Fi networks available in the PNL
– Different methods based on the security settings
• People didn't pay enough attention to this because…
– …there was no name for it!
War Standing or War "Statuing" (Statue)
War Standing Risks
Wi-Fi Network Impersonation
Wi-Fi Network Impersonation (1/2)
• When entries in the PNL are disclosed by Wi-Fi
clients… someone can force the victims to
(silently) connect to the attacker’s Wi-Fi network
– Karma-like attacks (since 2004)
– AP impersonation (or fake AP): anywhere in the world
– Evil-twin: area of coverage of the legitimate network
• Strongest signal wins (or the network that draws less battery)
• The victim shares the network with the attacker
– Full network connectivity at layers 1 & 2 and above
– MitM: Man-in-the-Middle attacks
Wi-Fi Network Impersonation (2/2)
• Fully impersonate the Wi-Fi network…
– 802.11 AP, DHCP server, DNS server, routing and
NAT capabilities, RADIUS server…
• Two prerequisites
– SSID (Wi-Fi network name)
• Disclosed from the PNL
– Wi-Fi network security type
• Security type requirements
– Open, WEP & WPA(2)-Personal, WPA(2)-Enterprise
Open Wi-Fi Networks…
Attacking Wi-Fi Clients: Open
"Nobody never ever connects to an open Wi-Fi network!" Right?
WPA(2)-Enterprise Wi-Fi Networks
Wi-Fi Enterprise Networks
• Three parties: Wi-Fi client (supplicant), access point (AP) and RADIUS server
• Multiple user credential types allowed (802.1X/EAP types)
• How to verify the RADIUS server certificate?
– CN, CA, expiration + revocation & purpose
• There is no URL to compare the X.509 CN against, unlike in web browsers
FreeRADIUS-WPE
• FreeRADIUS - Wireless Pwnage Edition (WPE)
– ShmooCon 2008: Joshua Wright & Brad Antoniewicz
• The attacker impersonates the full Wi-Fi network infrastructure (AP + RADIUS server + …)
• PEAP & TTLS
– Inner authentication: MS-CHAPv2 (or others)
– Username + challenge/response (hash) are logged by the rogue RADIUS server
– MS-CHAPv2 mutual authentication does not help here: the client sends its response before the server has to prove itself
http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf
http://www.willhackforsushi.com/?page_id=37
http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
https://github.com/brad-anton/freeradius-wpe
MS-CHAPv2 Cracking
• asleap (v2.1+) - Joshua Wright
– Cracks a captured challenge (-C) and response (-R)
• http://www.willhackforsushi.com/Asleap.html
– Dictionary attack (3 DES operations per candidate password)
• genkeys: precomputed MD4 (NT) hashes, stored as an indexed list of passwords
• Indexed by the last two bytes of the MD4 hash (those two bytes make up the third DES key, so they are brute forced first and prune the dictionary)
– Challenge (8 bytes) encrypted under the MD4 hash (16 bytes, padded to 21 and split into 3 DES keys) → response (24 bytes)
• MS-CHAPv2 cloud cracking - DEF CON 20 (2012): Moxie Marlinspike & David Hulton
• https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
– Brute force attack: 2^56 work, i.e. a single DES key search
– FPGA box: ~12-24 h
• www.cloudcracker.com & chapcrack (100% success rate for $200)
The strength of the user passphrase... does not matter any more!
FreeRADIUS-WPE in Action
SANS SEC575
(FreeRADIUS) EAP Dumb-Down
• Multiple EAP types available
– Mobile devices seem to prefer PEAP (MS-CHAPv2) by default
• But in reality they use the EAP method proposed by the RADIUS server
– GTC or PAP inner authentication: credentials logged in cleartext
• Username and passphrase
• Additionally it might allow automatic full Wi-Fi network impersonation (MitM)
The strength of the user passphrase is irrelevant
EAP Dumb-Down in Action
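The exchange behind the EAP dumb-down, as an added example that is neither the slides' nor FreeRADIUS-WPE's code: EAP packets are built and parsed per RFC 3748, a rogue EAP server asks for the identity and then proposes EAP-GTC, and two supplicant policies answer it. The same Request/Nak logic applies to the inner method inside a PEAP or TTLS tunnel once the client has accepted the rogue server's certificate. The EAP type numbers are the IANA-assigned ones; the identity, password and the "accept whatever the server proposes" flag are assumptions made for the demonstration.

```python
"""EAP method negotiation (RFC 3748) showing how a rogue server 'dumbs down' the
method and why a supplicant must Nak anything but its configured type.
Added example with constructed packets; not code from the slides or from FreeRADIUS-WPE."""
import struct

CODE_REQUEST, CODE_RESPONSE = 1, 2
EAP_IDENTITY, EAP_NAK, EAP_GTC, EAP_PEAP, EAP_MSCHAPV2 = 1, 3, 6, 25, 26
TYPE_NAMES = {1: "Identity", 3: "Nak", 6: "GTC", 25: "PEAP", 26: "MSCHAPv2"}

def eap_pack(code, ident, eap_type, data=b""):
    """Code(1) Identifier(1) Length(2, network order) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def eap_unpack(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:]

class Supplicant:
    """Wi-Fi client side. `configured_type` is the EAP method in its profile;
    `accept_server_choice` models a client that follows whatever the server proposes
    (assumed behaviour used to contrast the two policies)."""
    def __init__(self, identity, password, configured_type, accept_server_choice):
        self.identity, self.password = identity, password
        self.configured_type, self.accept_server_choice = configured_type, accept_server_choice

    def handle(self, request):
        code, ident, eap_type, data = eap_unpack(request)
        if code != CODE_REQUEST:
            raise ValueError("supplicant only answers EAP Requests")
        if eap_type == EAP_IDENTITY:
            return eap_pack(CODE_RESPONSE, ident, EAP_IDENTITY, self.identity.encode())
        if eap_type == self.configured_type or self.accept_server_choice:
            if eap_type == EAP_GTC:
                # EAP-GTC: the "token card" prompt in `data` is answered with the password itself
                return eap_pack(CODE_RESPONSE, ident, EAP_GTC, self.password.encode())
            # Any other accepted method continues with its own exchange (TLS for PEAP);
            # the empty Response/<type> only records that the method was accepted.
            return eap_pack(CODE_RESPONSE, ident, eap_type)
        # Policy says no: EAP Nak listing the only method this profile allows
        return eap_pack(CODE_RESPONSE, ident, EAP_NAK, bytes([self.configured_type]))

def rogue_server_session(supplicant, proposed_type):
    """Attacker-side EAP server: ask for the identity, then propose `proposed_type`.
    Returns (identity, captured_password_or_None, outcome)."""
    reply = supplicant.handle(eap_pack(CODE_REQUEST, 1, EAP_IDENTITY))
    _, _, _, data = eap_unpack(reply)
    identity = data.decode()
    prompt = b"Password: " if proposed_type == EAP_GTC else b""
    reply = supplicant.handle(eap_pack(CODE_REQUEST, 2, proposed_type, prompt))
    _, _, eap_type, data = eap_unpack(reply)
    if eap_type == EAP_GTC:
        return identity, data.decode(), "password captured in cleartext"
    if eap_type == EAP_NAK:
        wanted = ", ".join(TYPE_NAMES.get(t, str(t)) for t in data)
        return identity, None, f"client rejected {TYPE_NAMES.get(proposed_type, proposed_type)} with Nak (wants {wanted})"
    return identity, None, f"client accepted {TYPE_NAMES.get(eap_type, eap_type)}"

if __name__ == "__main__":
    permissive = Supplicant("alice", "S3cret!", EAP_PEAP, accept_server_choice=True)
    strict = Supplicant("alice", "S3cret!", EAP_PEAP, accept_server_choice=False)
    print(rogue_server_session(permissive, EAP_GTC))
    print(rogue_server_session(strict, EAP_GTC))
```

With the permissive policy the rogue server gets "alice" and "S3cret!" without touching a hash; with the strict policy it gets a Nak naming PEAP and nothing else. Note that the Identity response is cleartext in both cases: on the outer layer that is why supplicants should send an anonymous outer identity.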
Mobile Devices Behavior Against FreeRADIUS-WPE & EAP Dumb-Down
• FreeRADIUS-WPE
– iOS: UI & configuration profile
– Android
– WP 7.x & 8
– BlackBerry 7.x
• EAP Dumb-Down
– iOS: UI & configuration profile
– Android
– WP 7.x & 8
– BlackBerry 7.x
See "Why iOS (Android & others) Fail inexplicably" (References)
What is at stake: user credentials (not just the Wi-Fi secret), which may also open other corporate services, plus full MitM connectivity
Full Wi-Fi Network Impersonation For Fun & Profit by Example
Wi-Fi Network Impersonation Exploitation: For Fun
http://www.ex-parrot.com/pete/upside-down-ternet.html
Wi-Fi Network Impersonation Exploitation: For Profit - Goto Fail
• iOS update to 7.0.6 (Feb 21, 2014)
– 6.1.6 (iPhone 3GS & iPod Touch 4th gen)
– OS X 10.9 "Mavericks" (no patch at the time; fixed later in OS X 10.9.2)
• Lack of proper signature verification in the TLS handshake (ServerKeyExchange with DHE & ECDHE cipher suites): CVE-2014-1266
– Test sites: https://www.imperialviolet.org:1266 and https://www.gotofail.com
– https://www.imperialviolet.org/2014/02/22/applebug.html
Wi-Fi Clients Security Recommendations
Wi-Fi Clients Configuration Recommendations
• Turn off the Wi-Fi interface if not in use
• Do not configure Wi-Fi networks as hidden
• Do not add Wi-Fi networks manually to mobile devices (a manually added network is treated like a hidden one and probed for by name)
• Manage & clean up the PNL periodically
– Individually and at the enterprise level (MDM)
• Wi-Fi policy: what types of networks are allowed…?
• Properly add Wi-Fi enterprise networks…
Wi-Fi Enterprise Recommendations (1/2)
• Wi-Fi supplicants must always…
– Trust only the specific CA used for the Wi-Fi network
• Not a good idea to use the full list of publicly trusted CAs
• A private CA is a better option than a public CA, assuming an attacker cannot get a legitimate certificate from it
– Define the specific (set of) RADIUS server name(s) used (X.509 CN)
• Do not provide options to disable certificate validation
– Define and force the specific EAP type used
• Define the inner authentication method (e.g. MS-CHAPv2)
• Do not downgrade to other EAP types (EAP dumb-down)
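One way to check those supplicant rules automatically, as an added example that is not from the slides: a small linter for wpa_supplicant network blocks. It assumes the standard wpa_supplicant option names (key_mgmt, eap, ca_cert, domain_suffix_match and friends, phase2, anonymous_identity); the sample configuration, its SSIDs, CA path, server name and credentials are constructed. The first block is the typical weak profile that FreeRADIUS-WPE and the EAP dumb-down rely on, the second is the hardened version.

```python
"""Lint wpa_supplicant network blocks against the supplicant rules above: trust only
the corporate CA, pin the RADIUS server name, fix the EAP method and its inner method.
Added example, not from the slides; the configuration below is constructed and the
paths and names in it are placeholders."""
import re

SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="S3cret!"
    # no ca_cert: any RADIUS certificate is accepted (FreeRADIUS-WPE just works)
    # no phase2: the inner method is whatever the server proposes (EAP dumb-down)
}

network={
    ssid="CorpWiFi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@corp.example"
    password="S3cret!"
    ca_cert="/etc/ssl/corp/corp-wifi-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
'''

TUNNELED = {"PEAP", "TTLS"}
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
INNER_METHOD = re.compile(r"auth(eap)?=\w+", re.IGNORECASE)
CLEARTEXT_INNER = re.compile(r"auth(eap)?=(PAP|GTC)\b", re.IGNORECASE)

def parse_networks(text):
    """One dict per network={...} block; quotes stripped, '#' comment lines ignored."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets

def lint_network(net):
    """Return the list of rule violations for one network block (empty = passes)."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return ["key_mgmt is not WPA-EAP: not an 802.1X/EAP network, nothing to check"]
    eap = net.get("eap", "")
    if len(eap.split()) != 1:
        findings.append("eap must name exactly one method; a list lets the server pick the weakest")
    if not net.get("ca_cert"):
        findings.append("ca_cert missing: the RADIUS server certificate chain is not validated")
    if not any(net.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server name pin (domain_suffix_match/domain_match/subject_match/altsubject_match)")
    phase2 = net.get("phase2", "")
    if eap.upper() in TUNNELED:
        if not INNER_METHOD.match(phase2):
            findings.append(f"{eap}: phase2 inner method not fixed, e.g. phase2=\"auth=MSCHAPV2\"")
        elif CLEARTEXT_INNER.search(phase2):
            findings.append(f"{eap}: inner method {phase2} sends the password in cleartext to the server")
        if not net.get("anonymous_identity"):
            findings.append("anonymous_identity not set: the real username goes in the unprotected outer Identity response")
    return findings

def lint_config(text):
    """ssid -> findings for every network block in a wpa_supplicant.conf string."""
    return {net.get("ssid", "<no ssid>"): lint_network(net) for net in parse_networks(text)}

if __name__ == "__main__":
    for ssid, findings in lint_config(SAMPLE_CONF).items():
        print(ssid, "->", "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The weak block fails on exactly the points an attacker needs: no CA pin, no server name, no fixed inner method and the real username in the outer identity. A hardened profile with auth=PAP or auth=GTC inside the tunnel is also flagged, since it hands the password in clear to whichever server passed certificate validation; on iOS the equivalent settings live in the Wi-Fi payload of a configuration profile rather than in this file.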
Wi-Fi Enterprise Recommendations (2/2)
• WPA2-Enterprise: full Wi-Fi network validation
– Do not ask the user!
• Wi-Fi Enterprise is inherently "broken"
– How to add a new RADIUS server?
• Modify the configuration of all Wi-Fi clients in the organization
• User credentials strength
– Passphrase
• EAP-TLS: client digital certificates + PKI
• WIDS (evil-twin detection)
References
• "Why iOS (Android & others) Fail inexplicably"
– http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
– http://vimeo.com/70718776
• DinoSec Security Advisories
– http://blog.dinosec.com/p/security-advisories.html
• "Wi-Fi (In)Security - All Your Air Are Belong To..."
– http://www.dinosec.com/docs/Wi-Fi_(In)Security_GOVCERT-2010_RaulSiles_Taddong_v1.0_2pages.pdf
• DinoSec Lab - Publications
– http://www.dinosec.com/en/lab.html
• DinoSec Lab - Tools: iStupid
– http://www.dinosec.com/tools/iStupid_1.0.tgz
"You think that's air you're breathing now?"
Morpheus to Neo, in the scene where he trains him in the virtual dojo aboard the ship, the Nebuchadnezzar
Questions
www.dinosec.com
@dinosec
Raúl Siles
raul@dinosec.com
@raulsiles