Wireless Security Essentials: Defending Mobile Systems from Data Piracy
Russell Dean Vines
Wiley Publishing, Inc.

Publisher: Robert Ipsen
Editor: Margaret Eldridge
Assistant Editor: Adaobi Obi
Managing Editor: Micheline Frederick
New Media Editor: Brian Snapp
Text Design & Composition: Wiley Composition Services

Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

This book is printed on acid-free paper. ∞

Copyright © 2002 by Russell Dean Vines. All rights reserved.

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspointe Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: [email protected].

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data:
ISBN: 0-471-20936-8

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

This book is dedicated to the heroes of 9/11/01, common people who performed uncommon deeds when the time required it.
And especially to my friend Lingard Knutson, who helped lead her Port Authority co-workers down 62 flights of stairs from Tower 1 to safety. We should all have such angels.

Contents
Preface  xiii

Introduction  xvii
    Origin and Rationale  xviii
    Organization  xix
    What’s on the website  xxi

Part I  Technology Essentials  1

Chapter 1  Computing Technology  3
    Computer Basics  4
    CPU  4
    Bus  4
    Memory  5
    Operating Systems and Software  7
    Software  7
    Network Technologies  8
    Analog versus Digital  8
    Local Area Networking  9
    LAN Topology  10
    LAN Cabling  13
    LAN Network Devices  14
    Wide Area Networking  19
    Circuit-Switched versus Packet-Switched Networks  19
    Packet-Switched Technologies  21
    Private Circuit Technologies  22
    Virtual Private Networking (VPNs)  22
    VPN Communications Standards  23
    Firewalls  23
    Packet-Filtering Firewall  24
    Application-Level Firewalls  24
    Stateful Inspection Firewall  24
    Protocols  25
    Open Systems Interconnect (OSI) Model  25
    Transmission Control Protocol/Internet Protocol (TCP/IP) Model  27
    TCP/IP Protocols  28
    The Wireless Application Protocol  29

Chapter 2  Wireless Theory  33
    A Painless History of Wireless Technology  33
    The Cellular Phone Network  34
    Worldwide Cellular via LEO Satellites  35
    Cellular Network Elements  35
    The Call Process  36
    Wireless Cellular Technologies  36
    Wireless Transmission Systems  37
    Advanced Mobile Phone System  37
    Time Division Multiple Access  38
    Code Division Multiple Access  38
    Global System for Mobile Communications  39
    Cellular Digital Packet Data  39
    Nordic Mobile Telephone  39
    Total Access Communication System  39
    Personal Digital Cellular  40
    Short Message Service  40
    The Generation Gap  40
    2.5G Technologies  41
    3G Technologies  42
    Wireless Data Networking Technologies  44
    Spread Spectrum Technology  44
    Direct Sequence Spread Spectrum (DSSS)  44
    Frequency-Hopping Spread Spectrum (FHSS)  45
    Orthogonal Frequency Division Multiplexing  46
    IEEE 802.11 Specifications for Wireless LANs  47
    Original IEEE 802.11 LAN Standard  48
    IEEE 802.11b  48
    IEEE 802.11a  49
    IEEE 802.11g  50
    IEEE 802.11e  51
    802.11 Wireless Network Operational Modes  51
    Ad Hoc Mode  51
    Infrastructure Mode  52
    Bluetooth  54
    Bluetooth Advantages and Disadvantages  55
    HomeRF  55
    HomeRF Technology Overview  56
    HomeRF and Shared Wireless Application Protocol  58
    High-Performance Radio LANs  59
    HiperLAN/1  59
    HiperLAN/2  59
    Wireless Application Protocol  61
    WAP Layers  62
    Application Layer  63
    Session Layer  63
    Transaction Layer  64
    Security Layer  64
    Transport Layer  64

Chapter 3  Wireless Reality  65
    Wireless Standards and Technologies  65
    802.11  66
    Benefits of WLAN  66
    802.11b Encryption  66
    Other Notable IEEE 802 Wireless Standards and Drafts  67
    802.1x Port-Based Network Access Control  67
    802.15 Wireless Personal Area Networks  68
    802.16 Broadband Wireless Access  69
    802.11g  69
    Nonwireless IEEE Standards  69
    802.1v VLAN Classification by Protocol and Port  69
    802.17 Resilient Packet Ring Access Protocol  70
    Other Standards Working Groups  70
    HomeRF  71
    Comparing 802.11b to HomeRF  73
    HomeRF Security  73
    Bluetooth  73
    System Architecture Features  74
    The Piconet  75
    Bluetooth Hardware Elements  76
    Battery Conservation  78
    Bluetooth Versions  79
    Common Bluetooth Applications  80
    Bluetooth Security  81
    Wireless Personal Area Network  82
    Infrared Data Association (IrDA)  82
    Comparing Bluetooth to IrDA  84
    Directionality  84
    Other Comparisons  84
    Wireless Hardware and Devices  85
    Personal Electronic Devices  85
    PDAs  85
    The Palm OS  86
    Windows Handhelds  87
    Other PDA Devices  88
    Internet-Enabled Cell Phones  88
    WAP-Enabled Phones  89
    Symbian OS  89
    Nokia  90
    Ericsson R380e  92
    Motorola i90c iDEN  93
    BlackBerry  96
    BlackBerry Internet Edition  96
    BlackBerry Enterprise Edition  96
    BlackBerry ISPs  97
    Wireless Applications  98
    Wireless Technologies in the Home  98
    Wireless Technologies in the Office  99
    Wireless Technologies in Public Spaces  99

Part II  Security Essentials  101

Chapter 4  Security Concepts and Methodologies  103
    The Concepts of C.I.A.  105
    Confidentiality  105
    Integrity  106
    Availability  107
    Threats, Vulnerabilities, and Risk  107
    Certification and Accreditation  107
    Policies and Procedures  108
    Business Continuity and Disaster Recovery  109
    Alternative Processing Sites  110
    Wireless Disaster Recovery  111
    Information Classification Concepts  111
    The Ten Domains of the International Information Systems Security Certification Consortium  112
    TCSEC and the Common Criteria  113
    The Orange Book  113
    The Red Book  114
    The Common Criteria  114
    DITSCAP and NIACAP  115
    DITSCAP  116
    NIACAP  116
    INFOSEC Assessment Methodology (IAM)  117
    The IAM Process  118
    BS7799  119
    A Short History of Cryptography  120
    The Early Days of Secret Writing  120
    Early Disk Use  121
    The 1920s  122
    Rotor Systems  122
    Identification and Authorization  123
    Identification and Authentication  123
    Passwords  124
    Access Control Models  125
    Mandatory Access Control  125
    Discretionary Access Control  125
    Nondiscretionary Access Control  126
    Controls  126
    Accountability  127

Chapter 5  Security Technologies  129
    Cryptographic Technologies and Public Key Infrastructure  129
    Secret Key Cryptography (Symmetric Key)  130
    Data Encryption Standard  130
    Advanced Encryption Standard  131
    Public (Asymmetric) Key Cryptosystems  131
    One-Way Function  132
    Public Key Algorithms  132
    Public Key Infrastructure  133
    Department of Defense Wireless PKI Initiative  134
    Wired Equivalent Privacy  135
    WEP Encryption  136
    WEP Decryption  137
    WEP RC4  137
    WEP Authentication Methods  138
    Open System Authentication  138
    Shared Key Authentication  138
    WEP Key Management  140
    Wireless Application Protocol Security  141
    Wireless Transport Layer Security  142
    End-to-End Security via the WAP Gateway  144
    Bluetooth Security Architecture  146
    The Security Manager  146
    Link-Level Security Features  147
    Mode 2: Service-Level Security  147
    Mode 3: Link-Level Security  148
    Other Bluetooth Security Architecture Features  149
    Wireless Tools  150
    Wireless VPNs  150
    movianVPN  151
    Wireless Packet Sniffers  152
    AiroPeek  152
    Cisco Systems’ Wireless Products  154
    Aironet 350 Features  154
    Aironet 350 Management Options  155
    Security Monitoring and Testing  156
    Intrusion Detection Systems  157
    Network-Based IDS  158
    Host-Based IDS  158
    IDS Detection Methods  159
    Signature-Based ID  159
    Statistical Anomaly-Based ID  160
    Penetration Testing  160

Chapter 6  Threats and Solutions  163
    Security Threats to Personal Electronic Devices  163
    Vulnerability of PDA Operating Systems  164
    PDA Vulnerability Caused by Physical Loss  165
    Identification and Authentication  166
    Catching PDA Viruses  166
    Phage.963  167
    Vapor.741  167
    LibertyCrack  167
    Tapping Infrared Vulnerabilities  168
    Opening PED Network Backdoors  168
    PDA Transmission Interception  169
    Wireless Network Threats  169
    802.11 Vulnerabilities  170
    WEP Weaknesses  170
    Service Set Identifier Problems  172
    Eavesdropping  173
    Transmission Alteration and Manipulation  175
    Denial-of-Service Attacks  175
    War Driving  176
    Going through WLAN Network Backdoors  177
    Insertion Attacks  178
    Uncontrolled Access Points  178
    Standards and Policy Solutions  179
    PDA Security Policies  181
    User Security Awareness  182
    Network Solutions  183
    802.1x  183
    MAC Address Filtering  183
    MAC Spoofing  184
    SSID Solutions  185
    Antenna Selection  185
    Virtual LANs  186
    RADIUS Authentication Servers  187
    Virtual Private Networks  187
    VPN Products  188
    WAP Security  189
    Dynamic WEP Keys  190
    Denial-of-Service Solutions  191
    Monitoring and Intrusion Detection Systems  191
    Access Point Security  192
    AP Mode Use  193
    Software Solutions  194
    Encryption Technologies  194
    WEP Encryption Workarounds  195
    PED Data Encryption  195
    PED Security Software  196
    movianCrypt  197
    Sentry 2020 for PocketPC  197
    Pretty Good Privacy (PGP) Wireless  198
    F-Secure  198
    PED Antivirus Software  199
    VirusScan Wireless  200
    F-Secure  200
    Trend Micro PC-cillin for Wireless  202
    IS/Complete’s PDA Restrictor v1.0  203
    Physical Hardware Security  203
    BIOS Passwords  204
    Biometrics and Smart Cards  204
    Smart Cards  205
    BlackBerry Security  205
    Recommendations  206
    Conclusion  207

Appendix A  Glossary  209

Appendix B  A WLAN Exploitation Guide  273
    WLAN Configurations  274
    The IEEE 802.11 Physical (PHY) Layer  276
    Direct Sequence Spread Spectrum  276
    Regulatory Requirements  276
    IEEE 802.11 Media Access Control Frame Formats  277
    General Frame Format  277
    IEEE 802.11 Management Frame Type  277
    Beacon Frame  278
    Probe Request and Probe Response Frames  278
    Association Request  278
    Reassociation Request  279
    Systematic Exploitation of an 802.11b WLAN  279
    802.11b Exploitation Software: AiroPeek  279
    AiroPeek: Getting Started  280
    Systematic Exploitation  281
    Step 1: Reconnaissance  281
    Step 2: Analysis  284
    Step 3: Access  288
    Wired Equivalent Privacy (WEP)  293
    WEP Key Details  294
    Open Source WEP Decryption Scripts  295
    Required Gear  296
    Required Packages  296
    Installation Procedures  296
    Test Equipment Specifications  299
    The Demo Version of AiroPeek  302

Appendix C  Using the Fluhrer, Mantin, and Shamir Attack to Break WEP  305
    Abstract  305
    1 Introduction  306
    2 Overview of the WEP Attack  307
    2.1 The Known IV Attack of Fluhrer, Mantin, and Shamir  307
    3 Implementation  308
    3.1 Simulating the Attack  308
    3.2 Capturing the Packets  309
    3.3 Mounting the Attack  310
    4 Improving the Attack  311
    4.1 Choosing IVs  311
    4.2 Guessing Early Key Bytes  312
    4.3 Special Resolved Cases  312
    4.4 Combining the Optimizations  313
    5 Discussion  313
    5.1 IV Selection  314
    5.2 Key Selection  314
    5.3 RC4  315
    6 Conclusions and Recommendations  315
    Acknowledgments  316

Appendix D  NASA White Paper on the Wireless Firewall Gateway  317
    1 Introduction  317
    2 Design Objectives  317
    3 Internals  318
    Dynamic Host Configuration Protocol (DHCP) Server  318
    IP Filtering  318
    Web Authentication  319
    Security  320

Appendix E  Referenced Documents and URLs  321

Index  337

Preface
Each morning when I write, various birds from the neighborhood feed outside my window, searching the rain gutters for bugs. They occasionally watch me between bites, perhaps to ensure I’m not up to something they won’t like; or perhaps the sight of me is odd to them. The birds vary in size and breed, but they are generally small; the large birds tend to shy away from close contact with the house. Often, I notice in particular a small, young cardinal pecking through the debris, keeping an eye on me at the same time he keeps an eye out for his breakfast.

Perhaps some will think it’s a stretch to analogize bird-feeding behavior to information systems security, but the connection is clear to me: Security cannot be an all-consuming activity for the enterprise but must be as transparent, efficient, and effective as possible. (In the same way that IT systems are services to the enterprise, not an end in and of themselves.) Managing protections must not consume so much internal and external resources as to make the enterprise dysfunctional. To continue the analogy, the cardinal cannot stop feeding entirely in the effort to feel secure in its environment. It must be secure enough to facilitate its feeding, grooming, and breeding behaviors, by creating a protective zone around itself so that it can be assured of completing its life-preserving tasks.

If at any time while watching the bird, I stand up or make a sudden movement or gesture that startles the bird, he will fly off. At that point, all of his resources become dedicated to and focused on security; feeding is abandoned, because the cost/benefit ratio of the activity is gone; that is, protecting against a perceived threat consumes all of his available resources. Better to cut and fly and stay alive (i.e., profitable).
For information systems to remain viable, security must balance effectiveness with transparency. The Internet will never reach its full potential without the big three:

    Reliability
    Performance
    Security

Though security is a fundamental building block of IT and the enterprise, it can’t consume too much of the enterprise’s resources or it ceases to be useful. This is why distributed denial-of-service (DDoS) attacks are so damaging to an organization. They instantly create a resource drain on the organization and turn all IT personnel into security personnel for the duration of the event. A DDoS is a very effective tool for creating a diversion for other, more serious intrusions, as the DDoS attack siphons off the attention of a majority of the IT personnel into a number of other functions: detective, sys admin, reconfiguring the firewalls or routers, working with the web host or co-location service to find/stop the source of the attacks (if the service provider will even respond on a timely basis). A DDoS attack (using zombies, IRC bots, or some other type of unknowing accomplices to launch from multiple sources) today constitutes the greatest threat to the maturity of the Internet. The major effect on computing of the recent Code Red worm and its variants was to create a DoS, as it consumed resources and bandwidth.

So though economic espionage, disgruntled employee sabotage, and operator error can all pose serious threats to a system’s confidentiality, integrity, and availability (the C.I.A.), DDoS attacks are probably the greatest threats of all, as they confound security professionals more than any others in their attempts to stop them. Preventing a single person, or a small group of persons, from clogging the Internet, almost at will, is today incredibly difficult.
In contrast, with a traditional brick-and-mortar business, if customers have trouble getting to your store because of, say, increased traffic congestion, usually several other options are available: widen the street, increase parking access, move to a location with better public transportation, and so on. And overcrowding due to demand was a rare (and good) thing; although crowd control could be an issue for a short period (recall the Cabbage Patch doll and Tickle-Me Elmo crazes, for example), such events meant good sales overall, and sold-out shelves certainly made distributors happy. In the electronic world, however, such control issues do not help sales, as they’re not reactions to market conditions or to a popular product or sale, or based on some crowd demographic. Rather, a DDoS is a malicious (and almost always successful) attempt to suspend an organization’s ability to conduct business on the Web, or in the case of government or political Web sites, to limit speech freedoms.
The Internet service providers, web-hosting services, co-location services, and so on, are largely complicit in this scenario. Security, privacy, and service guarantees are latecomers to the Internet ball, and too often are given lip service, then largely ignored. Moreover, the attitude that security is the end-user’s concern continues to be prevalent. That said, as more state attorneys general become involved in sorting out this dilemma, in the future, attempts to compensate or reimburse users for service outages may become more common, and we may soon see the first class-action suits against ISPs that don’t take due care or perform due diligence in providing a secure computing environment. Furthermore, the concept that computing hardware or communications lines are the primary goods supplied to the user is an old telecom concept: organizations and users will demand secure, private Internet pathways.

And since September 11, 2001, the issue of security has come out of the shadows and into a very bright light. The simple fact is, all the good that the Internet has to offer won’t come to fruition until security and privacy are guaranteed.

Introduction
Wireless is one of the newest communications technology frontiers. Offering the possibility of always-on, instant mobile communications, the potential of this technology appears to be limitless. This potential now is within our reach and is revolutionizing the computing world. Of course, as with any new technology, wireless sets some technological hurdles we must overcome. These hurdles, however, are less daunting than the vulnerabilities inherent to wireless computing; it is these vulnerabilities—to eavesdropping, session hijacking, data alteration and manipulation, in conjunction with an overall lack of privacy—that are hindering widespread adoption of the technology.

To help address, and increase understanding of, the challenges to the widespread deployment of wireless technologies, this book, Wireless Security Essentials, offers a snapshot of the current state of wireless security. A compilation of material from many sources, it attempts to give the reader an overview of the challenges posed by wireless technologies and the inherent security vulnerabilities.

Typically, when a new technology emerges, standards are created and a rush commences to develop the technology without a thorough security vetting. This has been the case with wireless, too. The result is that much work is now devoted to retrofitting security into the existing models and protocols, and designing new models and protocols with better security features. Fortunately, progress is being made, as apparent in such standards as 802.1x and newer versions of WAP. Network infrastructure design, such as implementation of VPNs and RADIUS, also can help create secure pipes for wireless sessions. Hopefully, these developments will help to fill the holes access points punch in the network.
Still lacking in organizational implementations of wireless networks, however, is the adoption of fundamental security methodologies, such as standard policies, internal and external testing, auditing, intrusion detection, and response. One of the objectives of Wireless Security Essentials is to address all of these issues.
Origin and Rationale
Initially, the idea for this book came as a result of my work with an arm of the Department of Defense, to certify and accredit a wireless technology solution, which used Xybernaut wearable computers [1], Symbol 802.11b wireless adapters and access points [2], and Blue Ridge VPN crypto servers and clients [3], the details of which I cannot divulge here. The idea was further propelled by the rapid proliferation of mobile IP devices and their impact on the basic tenets of information systems security. Finally, after the events of September 11, 2001, which clarified the vital role of cell phones, the idea was cemented.

When I began writing Wireless Security Essentials, I was concerned about the lack of research material to draw from. But in a short time, the problem was reversed: suddenly there was so much material available on wireless that the problem became, what to leave out? To prevent this book growing to 900 pages, I decided to make it a compilation of technology research and reviews from many sources, which are listed in Appendix E.

I need to stress an important point here: This book is a compilation of the state of wireless technology and security current at the time of this writing. Wireless technology is among the most dynamic and changeable of the current computing technologies, so by the time Wireless Security Essentials is on the shelves, no doubt much will already be different. As just one example, strides in the use of 802.1x in hardening wireless networks were reported in a January 2002 issue of Information Security Magazine (see the article “Wireless Insecurities”). As another example, InfoWorld has reported that a University of Maryland professor and his graduate assistant cracked 802.1x. In their paper, “An Initial Security Analysis of the IEEE 802.1X Standard,” funded by the National Institute of Standards and Technology (NIST), Professor William Arbaugh and Arunesh Mishra reveal serious weaknesses in 802.1x they have uncovered. [4]
[1] www.xybernaut.com
[2] www.symbol.com
[3] www.blueridgenetworks.com
[4] You can read their paper in its entirety at: www.infoworld.com/articles/hn/xml/02/02/14/020214hnwifispec.xml.
It’s also quite possible that by the time this book is published the world itself will be substantially different from today. It has changed since I started writing, due to the more restrictive atmosphere imposed by wartime regulations. The public may have less, not more, access to cryptographic solutions than they do today; we may go back to the old days of cryptography being classified as a “weapon.”

Whatever the state of the world, as I’ve already said, the technology will have definitely changed by the time this book is published. Trying to get wireless to sit still long enough to enable a static review is like changing a tire on a speeding vehicle. This then raises the question: If the technology is so fluid, how can this book be useful? The book’s value lies in the fact that it addresses the important issue of security where other books have not. It’s rare to find any book on networking or wireless today that contains more than two or three pages on security. This is a major oversight, because effective security is the most important element missing from wireless networks. And though the technology is dynamic, the basic tenets of confidentiality, availability, and integrity are immutable. That is, though the wireless environment is exceptionally quick-paced and dynamic, the fundamental concepts of security and basic computing technology have not changed and will not, in the short term, change significantly.
Organization
The purpose of this book is threefold: one, to provide the reader with a simple background in computer technologies and standards; two, to give the reader a solid grounding in common security concepts and methodologies; and three, to identify the threats to and vulnerabilities of wireless communications.

This book is organized into two parts, “Technology Essentials” and “Security Essentials.” Part I is designed as a primer on computer, network, and wireless technologies. It comprises three chapters, which cover this material as follows:

Chapter 1, “Computing Technology.” Covers the basics of computer hardware, software, and networking technologies, including:
    Essential terminology, such as the CPU, memory, operating systems, and software
    Foundation in network technologies, such as LANs, WANs, VPNs, firewalls, and protocols

Chapter 2, “Wireless Theory.” Provides background on wireless and cellular technologies, then examines the fundamental concepts of wireless networking, including:
    A brief history of wireless
    Discussions on wireless cellular technologies, wireless data networking technologies, and the Wireless Application Protocol (WAP)
Chapter 3, “Wireless Reality.” Begins an examination of the various ways wireless is implemented, through various wireless networking standards, devices, and applications, with sections on:
    Wireless standards and technologies