![5
AP Gone Rogue
● Eavesdrop on un-encryprted traffic
● Man-in-the-middle (MITM) attacks, strip TLS
● CRIME, BEAST, BREACH attack
● Phishing, DNS pharming
● Inject “crafted” signatures in Android [Fahl, CCS '12]
● Prevent or delay updates to desktop and mobile OS
● Privacy concerns
– Identify user behaviour, whereabouts, leak information
● Disturbed botnet](https://image.slidesharecdn.com/safeconfig-151103232500-lva1-app6892/85/Wireless-Spreading-of-WiFi-APs-Infections-Using-WPS-Flaws-5-320.jpg)
![6
WiFi Security
● WEP (1999) as part of IEEE 802.11 standard
● First broken in 2001, [Fluhrer, SAC '01]
● WPA (2003) as an more secure intermediate before WPA2
● WPA2 (2004), secure but not perfect
● WPS (2006), facilitate establishment of secure connections
● In 2011 Stefan Viehböck found flaws in WPS [VU#723755]](https://image.slidesharecdn.com/safeconfig-151103232500-lva1-app6892/85/Wireless-Spreading-of-WiFi-APs-Infections-Using-WPS-Flaws-6-320.jpg)
![22
Countermeasures
● Disable WPS; unfortunately not possible with some vendors
● WPS enabled by default without users knowledge
● APs not wireless ready , high chance of misconfiguration
● Investigate over 540,000 publicly available devices, over 13%
use default root passwords [Cui, ACSAC '10 ]
● Intrusion Detection System that use flow characteristics of WiFi
network, e.g. Kismet
● Use of reliable bootstrap architect5ures and malicious code
detectors [Arbaugh, ACSAC '02; Adelstein SP '97]](https://image.slidesharecdn.com/safeconfig-151103232500-lva1-app6892/85/Wireless-Spreading-of-WiFi-APs-Infections-Using-WPS-Flaws-22-320.jpg)
![23
Suggestions
● More secure and more intuitive authentication
mechanisms [Cassola, Mobisys '11]
● New trend (SDN) and view of the APs [Kim, Comm. Mag. '13]
● Easier management and configuration mechanism
● Incentive for vendors to maintain APs
● Roku, Meraki are good examples of such view](https://image.slidesharecdn.com/safeconfig-151103232500-lva1-app6892/85/Wireless-Spreading-of-WiFi-APs-Infections-Using-WPS-Flaws-23-320.jpg)
Wireless Spreading of WiFi APs Infections Using WPS Flaws
- 1. 1 Wireless Spreading of WiFi APs Infections Using WPS Flaws Amirali Sanatinia, Sashank Narain, Guevara Noubir
- 2. 2 In a Nutshell ● Security flaws in WiFi APs ● Measurement study in Boston ● Network of susceptible APs ● Possibility of an airborne infection ● Compromise one AP, and let the infection spread
- 3. 3 Outline ● Introduction ● WiFi Security ● Data Collection ● Connectivity Analyses ● Spread Analyses ● Countermeasures ● Conclusion
- 4. 4 WiFi APs ● Gateway to home connectivity ● Do not run Anti Virus (AV), no supervision ● No automatic update mechanism, rarely patched ● Wirelessly interconnected ● Can result in DoS attack on Internet and RF spectrum ● Ideal target
- 5. 5 AP Gone Rogue ● Eavesdrop on un-encryprted traffic ● Man-in-the-middle (MITM) attacks, strip TLS ● CRIME, BEAST, BREACH attack ● Phishing, DNS pharming ● Inject “crafted” signatures in Android [Fahl, CCS '12] ● Prevent or delay updates to desktop and mobile OS ● Privacy concerns – Identify user behaviour, whereabouts, leak information ● Disturbed botnet
- 6. 6 WiFi Security ● WEP (1999) as part of IEEE 802.11 standard ● First broken in 2001, [Fluhrer, SAC '01] ● WPA (2003) as an more secure intermediate before WPA2 ● WPA2 (2004), secure but not perfect ● WPS (2006), facilitate establishment of secure connections ● In 2011 Stefan Viehböck found flaws in WPS [VU#723755]
- 8. 8 Data Collection ● War-driving in four neighbourhoods of Boston ● Asus Eee PC 1000 HE ● Three TP-Link TL-WN722N, Alfa 9dBi high gain antennas ● GlobalSat BU-335 USB GPS
- 9. 9 Data Collection ● Passive data collection ● Beacon frames broadcasts, with PPI GPS header ● Channel 1, 6, 11 (orthogonal) ● BSSID, ESSID, signal strength, latitude, longitude, encryption mode
- 10. 10 Neighbourhoods 1) Allston: residential, young population, BU students 2) Back Bay: residential, young professional and families, high income 3) Fenway: home to many schools, mostly students, NEU 4) South Boston: Dense residential area, large working class population
- 12. 12 Basic Statistics Back Bay (32787) Encryption Number of APs Percentage WEP 5369 16% OPEN 5051 15% WPA/WPA2 22367 69% WPS 7809 35% Allston (15422) Encryption Number of APs Percentage WEP 1667 11% OPEN 1598 10% WPA/WPA2 12157 79% WPS 6149 51% South Boston (14756) Encryption Number of APs Percentage WEP 1874 13% OPEN 1110 7% WPA/WPA2 11772 80% WPS 5504 47% Fenway (26306) Encryption Number of APs Percentage WEP 4093 16% OPEN 3427 13% WPA/WPA2 18786 71% WPS 5764 31%
- 13. 13 Connectivity Radius ● Convex hull algorithm to compute a lower bound for R ● Calculated the farthest distance between the points on the convex hull, divided by two; (41 meters)
- 14. 14 Connectivity Graph ● Two APs are connected if they are in R-proximity ● Coordinates of the strongest signal as the location of AP ● Attack can be performed any time during the day ● Higher reach of the wireless signal at quiet and idle times
- 15. 15 Connectivity Graph South Boston WEP Radius Avg. Deg. Conn. Comp. 15 8.34 437 30 12.99 117 50 20.16 15 75 31.52 2 WPS 15 18.38 277 30 33.64 23 50 55.77 1 75 93.36 1 WEP+WPS 15 23.64 223 30 43.36 10 50 72.43 1 75 121.09 1 Back Bay WEP Radius Avg. Deg. Conn. Comp. 15 42.62 216 30 69.85 32 50 115.10 1 75 119.74 1 WPS 15 40.02 124 30 82.36 20 50 157.90 3 75 285.97 1 WEP+WPS 15 65.48 57 30 126.19 11 50 233.73 1 75 420.98 1
- 16. 16 Infection Steps ● Check if AP is vulnerable (WEP/WPS) ● Crack WEP/WPS ● Guess Admin Password ● Infect and re-flash ● Try to compromise other APs
- 17. 17 SIR Compartmental Model ● Models the progress of an epidemic ● Divides population to compartments – Susceptible, Infected, Recovered (SIR) ● Captures characteristics of our model ● Other alternatives, e.g. SEIR
- 19. 19 SIR Parameters ● p1 = 6060% ● p1Stime = 33, 66, 99 hours, p1Ftime = 1010 min ● Many use default configurations, out of the box ➔ q1 = 5050%, u1 =5050% ● t1 =100100%, t1Stime = 2020 min ● r1 = 8080% and s1 = 1010% ● r1Stime = r1Ftime = 6060 min ● s1Stime = s1Ftime = 120120 min
- 20. 20 Infection Spread ● %WPSWPS * (p1 * q1 * r1 + p1 * (1-q1 ) * s1 ) ● %WEPWEP * (t1 * u1 * r1 + t1 * (1-u1 ) * s1 ) ➢ Theoretical average upper bound in a single connected component is 3232% ● R = 50m; 19% to 23%, in 97.1 to 137.5 days ● R = 75m; 33% to 35%, in 109.1 to 194.5 days ● R = 90m; 34% to 35%, in 62.5 to 189.9 day
- 21. 21 Infection Spread 50 M 75 M 90 M
- 22. 22 Countermeasures ● Disable WPS; unfortunately not possible with some vendors ● WPS enabled by default without users knowledge ● APs not wireless ready , high chance of misconfiguration ● Investigate over 540,000 publicly available devices, over 13% use default root passwords [Cui, ACSAC '10 ] ● Intrusion Detection System that use flow characteristics of WiFi network, e.g. Kismet ● Use of reliable bootstrap architect5ures and malicious code detectors [Arbaugh, ACSAC '02; Adelstein SP '97]
- 23. 23 Suggestions ● More secure and more intuitive authentication mechanisms [Cassola, Mobisys '11] ● New trend (SDN) and view of the APs [Kim, Comm. Mag. '13] ● Easier management and configuration mechanism ● Incentive for vendors to maintain APs ● Roku, Meraki are good examples of such view
- 24. 24 Lessons ● Similar infection and spreading characteristics in different neighbourhoods ● WEP is still used, although it's known to be flawed ● WPA/WPA2 are “secure” alternatives, not perfect ● New enhancement (WPS) made it worst