Mar 27

The Changing Wireless Attack Landscape

I’m en-route to the SANS Orlando 2011 conference, getting ready to teach SEC617 Ethical Hacking Wireless.  I’m really excited about some new material and a changing focus on the SEC617 course.

Over the past couple of years we’ve seen a definite change in wireless hacking techniques and tools.  While we are still seeing attacks against weak deployments of WPA/WPA2 and EAP-based authentication protocols, more and more wireless attacks are targeting “other” wireless protocols.

ZigBee

For the past year I’ve been spending a good deal of time working on the KillerBee suite of tools, designed to target weaknesses in IEEE 802.15.4 and ZigBee networks.  This has been a lot of fun, and interestingly has spawned other projects taking the KillerBee framework and extending it to new tools, such as the ZigBee-Security project, as well as upcoming integrated tools in the KillerBee repository (special thanks to Ryan Speers and Ricky Melgares for their awesome work!).  In addition, a recent project published at Blackhat Europe aims to develop some additional IEEE 802.15.4 attack techniques with a useful GUI interface and extensible interface through the SenSys project.

ZigBee/IEEE 802.15.4 hacking is interesting because:

  1. It isn’t WiFi and there is a serious lack of security knowledge and analysis tools available to help people understand the threats and attack techniques;
  2. It interfaces with devices that often control kinetic systems, such as heating/cooling, mechanical systems, door lock controls and other juicy targets.
  3. Did I mention that it isn’t WiFi?

Interest in attacking ZigBee is going to continue with its vital involvement in Smart Grid efforts, home and business automation, medical devices and more.  On top of that, hacking ZigBee and IEEE 802.15.4 is a lot of fun, and is reminiscent of early WiFi security deployments.

Bluetooth

Ubertooth OneOn top of that, Bluetooth hacking is seeing a new significant supporter in the form of Mike Ossmann’s Ubertooth project.  For many years, Bluetooth hacking has been very limited despite numerous vulnerabilities in the base specification and vendor implementations.  The problem has always been the lack of a flexible hardware platform with which to sniff and transmit arbitrary packets on a Bluetooth network.  With the custom and cost-effective hardware in Ubertooth however, we are going to see a new deluge of attack techniques against the Bluetooth networks that for years have been vulnerable without a big motivator to improve Bluetooth security.

Proprietary Wireless Attacks

In addition to attacks against ZigBee/IEEE 802.15.4 and Bluetooth, we are seeing lots of interesting attacks against proprietary wireless protocols, either through the use of Software Defined Radio tools such as the USRP, or through hardware hacking techniques.  The concept here is that we leverage simple hardware devices to build our own attack tools, or re-purpose existing hardware for our own attack purposes.

Sometimes the tools we use come in funny colors.  I call to your attention the IM-ME.  Through the efforts of Dave’s Hacks, Travis Goodspeed and Mike Ossmann, we can take this Girl Power toy and turn it into a customized wireless hacking tool.  The picture below shows its use in sniffing a 475 MHz project I’m working on with a colleague that we’ll debut sometime soon.

The picture of the left is my IM-ME interfacing with a GoodFET from Travis Goodspeed.  The GoodFET provides a very flexible interface to interact with various circuits and components as well as a framework in Python controlling devices.  Included in the GoodFET sources are scripts such as “goodfet.nrf”, which allows you to use the Nordic 2401L transceiver to interact with a bunch of interesting devices.

The Changing Wireless Attack Landscape

The bottom line is that, while WEP deployments are drying up as easy targets, wireless hacking is not slowing down.  It’s not a good idea to rest with the security achievements of EAP/TLS and your Wireless IDS system, when attack techniques move to other areas where monitoring systems are nonexistent.

We can respond to the changing wireless attack landscape in several ways:

  • Understand the risks: Make sure people in your organization understand the risks associated with various wireless technologies.  All wireless systems, from the presentation remotes used by executives to wireless keyboards to connected HVAC systems should be evaluated;
  • Build skills in hardware: Since a lot of emerging wireless attacks builds on the ability to repurpose hardware systems, it’s a very good idea to build some skills with hardware attacks using tools such as the GoodFET, bus sniffing tools such as the TotalPhase Beagle, logic analyzers, etc.  More and more, attacks will start with customized hardware when targeting proprietary systems.
  • Participate in emerging projects: Keep an eye on projects such as KillerBee, UberTooth and GoodFET.  We’ll continue to see interesting attacks and new techniques using these tools against non-WiFi systems.
  • Grow your analysis skills: Make sure you can adapt your analysis skills to wireless technology beyond WiFi including protocol analysis, exploiting cryptographic failures, data decoding and analysis, authentication failures and more.

If you are interested in picking up skills like this, a great way to pick up them up is in  the upcoming SANS vLive! session for SEC617, starting April 19.  From 7-10pm ET two days a week for 6 weeks I’m live teaching the course with all the demos, interaction and hands-on lab exercises you get from a conference event.  For another few weeks when you sign up with the registration code “WISPY_VL” you’ll get a free WiSpy DBx spectrum analyzer as well, a must-have for any wireless geek.

Wireless attacks are changing, and we know that attackers are leveraging wireless creatively beyond exploiting weak WiFi networks.  Don’t miss the chance to be at the forefront of this changing landscape.

-Josh

Aug 03

Reflections on “hole196”

Last week at BlackHat, AirTight Networks security analyst Md Sohail Ahmad presented his findings on a vulnerability dubbed “hole196”. Affecting WPA/WPA2 Enterprise networks, this issue allows an authenticated user to manipulate other clients on the network to establish ARP spoofing attacks, to impersonate data frames from the AP or to create a DoS attack against other users. This is all through leveraging a key shared among all of the authorized clients in a wireless LAN known as the Group Temporal Key (GTK). The “hole196” bit refers to page 196 of the IEEE 802.11-2007 specification indicating that the GTK does not prevent packet forgery attacks (from an insider).

The BlackHat presentation slides were distributed on the BlackHat conference CD, and since the slides lack any kind of a copyright notice, I think it’s OK for me to mirror them here.

Initially, this flaw had some people concerned, since an early article published by Network World and Joanie Wexler indicated:

Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt, Ahmad explains.

If this attack could get a client to reveal their PTK, even requiring that the attack start from an insider perspective, then I’d be coding up an exploit tool instead of writing this post. This, however, appears to be a misquote by Wexler, or a misunderstanding by Ahmad. No-one has clarified this quote as far as I have seen.

The truth behind this issue is that, well, it’s a non-issue for most organizations. Instead of mounting an ARP spoofing attack to implement a man-in-the-middle (which a wired IDS could detect), it can be done using this technique within the encrypted wireless network, evading network IDS detection. The best way to detect this attack is through a wireless IDS, of which AirTight is a leading vendor (“Yay, Capitalism!”).

When significant wireless attacks emerge, I call my customers to remind them that I do get let out of my cave every now and then, and to help them understand their exposure to the attack. I don’t believe “hole196” falls into the category of significant wireless attack, so it’s back to the cave I go.

For a 2nd perspective, and an excellent technical write-up, please see Glenn Fleishman’s article over at Ars Technica. In the meantime, contact me with any questions/concerns/comments.

-Josh

Jun 07

WiMAX Network Scanning Work-in-Progress

I’m in Baltimore this week teaching Ethical Hacking Wireless. We’re having a lot of fun, and since we’re in Baltimore, it’s a good opportunity to spend some time with WiMAX and the Clear (Sprint) network here.

Motorola Clear CPEi-725

I stopped off at Best Buy a few hours ago and picked up a Motorola WiMAX Clear modem (CPEi 725) for US$90. A little while later, I whipped up a tool to use it for scanning WiMAX networks in the area, shown below.

C:\dev>python wimax-scanner.py
BS ID                   RSSI    Sector ID       NAP ID  Freq.
 0x000002012136          -86     0x36            0x02    2.56150 GHz
 0x000002000034          -75     0x34            0x02    2.54150 GHz
 0x0000020000e4          -76     0xe4            0x02    2.54150 GHz

C:\dev>python wimax-scanner.py
BS ID                   RSSI    Sector ID       NAP ID  Freq.
 0x000002011ca5          -85     0xa5            0x02    2.65700 GHz
 0x000002000034          -72     0x34            0x02    2.54150 GHz
 0x000002000014          -84     0x14            0x02    2.56150 GHz
 0x000002000088          -90     0x88            0x02    2.55150 GHz
 0x0000020000e4          -76     0xe4            0x02    2.54150 GHz
 0x000002000094          -86     0x94            0x02    2.65700 GHz
 0x0000020000b2          -87     0xb2            0x02    2.66700 GHz

More to come.

-Josh

Dec 03

QuahogCon: We should have a raw bar.

QuahogCon is the first hacker conference to hit Rhode Island, April 23-25, 2010. Held in the fancy Hotel Providence in downtown Providence, this conference is 1/2 infosec and 1/2 hardware hacking and DIY electronics.  I’ve submitted a proposal to talk about my research on ZigBee technology which will nicely bridge both the infosec and hackware hacking side of the conference.

I’m friendly with a lot of the folks putting on this conference, and I’m looking forward to the talks and events like badge hacking.  Take a look at the QuahogCon website and consider submitting a talk. I hope to see you there!

-Josh