Attack on Wifi-Based Location Services and SSL Using Proxy Servers

Attack on WiFi-based Location Services and SSL Using Proxy Servers

by Jun Liang Feng

A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied Science in Computer Engineering

Waterloo, Ontario, Canada, 2013

© Jun Liang Feng 2013

I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public.

Abstract

Wireless LANs, or WiFi, are very common in households and businesses today. They allow access to the home or business network and the Internet without using wires. Their wireless nature allows mobility and convenience for the user, and that opens up a lot of new possibilities in mobile devices such as smartphones and tablets. One application that makes use of wireless LANs is positioning, which can be used in areas where Global Positioning Systems may have trouble functioning or may not function at all. However, a drawback of using wireless communication is that it is susceptible to eavesdropping and jamming. Once the wireless signal is jammed, an attacker can set up fake access points on different channels or frequencies to impersonate a legitimate access point. In this thesis, this attack is performed specifically to trick WiFi-based location services that are becoming very popular nowadays, especially for mobile devices. It will be shown that the attack works on Skyhook, Google, Apple and Microsoft location services, four of the major location service providers, and works on dual-band hardware. Some countermeasures to such an attack are also presented.

The web is an important part of many people's lives nowadays. People expect that their privacy and confidentiality are preserved when they use the web. Previously, web traffic used HTTP, which meant that all traffic was unencrypted and most information was sent in plaintext, which an attacker can intercept and read. This is clearly a security problem, so many websites now default to using a more secure protocol, namely HTTPS, which uses HTTP with SSL, and will redirect you to the more secure version if you attempt to connect using the non-SSL version of the website. SSL works by exchanging keys between the client and server, and the actual data is protected using the key and the cipher suite that is negotiated between the two. However, if a network uses a proxy server, it works slightly differently. The SSL connection is broken up into two separate ones, and that creates the potential for man-in-the-middle attacks that allow an attacker to intercept the data being transmitted. This thesis analyzes several scenarios in which an adversary can conduct such a man-in-the-middle attack, and potential detection and mitigation methods.

Acknowledgements

I would like to thank my supervisor Professor Guang Gong for her mentorship. She is one of the smartest and kindest people I know and has helped me countless times throughout my Master's career. I would also like to thank everyone in the Communication Security (Comsec) group at the University of Waterloo led by Professor Guang Gong for their friendship, and especially former member and friend Khizer Kaleem for his help and expertise while I was working on my research, and Kalikinkar Mandal for his help. In addition, I would like to thank my girlfriend Ping He for her love and support while I was completing my Master's degree. Last but not least, I would like to thank my parents for their unconditional love and for taking care of me all these years.

Dedication

This thesis is dedicated to my girlfriend and my parents.

Table of Contents

List of Tables
List of Figures

1 Introduction
    1.1 Attack on WiFi-based Location Services Using Dual-band Hardware
    1.2 Attack on SSL Using Proxy Servers
    1.3 Outline and Contributions

2 Preliminaries
    2.1 Background
        2.1.1 Network Infrastructure
        2.1.2 Optional Network Infrastructure Components
        2.1.3 SSL
        2.1.4 IEEE 802.11
        2.1.5 WiFi-based Location Services
    2.2 Related Works on WiFi-based Location Services
        2.2.1 Attack on WLAN-based Positioning Systems on a Single Band
        2.2.2 Attack on WLAN-based Positioning Systems Without Jamming
        2.2.3 Portable GPS Spoofer
        2.2.4 Securing Localization with Hidden and Mobile Base Stations
        2.2.5 Using Localization to Enhance Security and Services in WiFi Networks
        2.2.6 Denial of Service Attacks on 802.11 Networks
        2.2.7 Mitigating Attacks Against Signal Strength-based Localization Algorithms
    2.3 Related Works on SSL and Proxy Servers
        2.3.1 Practical Attacks Against SSL
        2.3.2 A Practical Man-in-the-middle Attack Against SSL
        2.3.3 Issues with the Certificate Authority Model
        2.3.4 Implementation Issue in SSL-enabled Applications Opens Applications to Attack
        2.3.5 Man-in-the-middle Attack on WiFi Clients
        2.3.6 SSL Session-aware Authentication
        2.3.7 Lucky Thirteen - A Timing Attack Against SSL
        2.3.8 Bias in RC4 Used in SSL
        2.3.9 Attack Against Tor Network Using HTTP-based Application

3 Attack on WiFi-based Location Services Using Dual-band Hardware
    3.1 Vulnerability Analysis of Location Services Providers
    3.2 Adversary Model and Equipment
    3.3 Implementation of Attack on WiFi-based Location Services
        3.3.1 Attack procedure
        3.3.2 Results of the Attack
    3.4 Impact of Attack on Location Services
        3.4.1 Photo Geotagging
        3.4.2 Social Network Geotagging
        3.4.3 Location-based Weather
        3.4.4 Locating Friends
        3.4.5 Device Recovery Services
        3.4.6 Location-based Wallet Services
        3.4.7 Location-based Reminders
        3.4.8 Search
        3.4.9 Bluetooth and Bluetooth-based Location Service
    3.5 Impact of Attack on WiFi Infrastructure
    3.6 Countermeasures to Attack
        3.6.1 Use multiple bands
        3.6.2 Use multiple location service technologies
        3.6.3 Fingerprinting
        3.6.4 Summary of countermeasures
    3.7 Summary of Attack on WiFi-based Location Services

4 Attack on SSL Using Proxy Servers
    4.1 Internet Proxy Servers
        4.1.1 Attack Implementation
        4.1.2 Attack Procedure
        4.1.3 Notes on Attack
    4.2 Corporate Proxy Servers
        4.2.1 Attack Implementation
        4.2.2 Attack Procedure
        4.2.3 Notes on Attack
    4.3 Wireless Hotspots
        4.3.1 Attack Implementation
        4.3.2 Attack Procedure
        4.3.3 Notes on Attack
    4.4 Captured Data
    4.5 Detection and Mitigation of Attack on SSL Using Proxy Servers
        4.5.1 Detection
        4.5.2 Mitigation
    4.6 Summary of Attack on SSL Using Proxy Servers

5 Conclusions and Future Work
    5.1 Contributions
    5.2 Future Work
        5.2.1 Extending Attack on WiFi-based Location Services
        5.2.2 Extending Attack on SSL Using Proxy Servers

References

List of Tables

    3.1 Summary of countermeasures

List of Figures

    2.1 Network infrastructure
    2.2 Proxy server in network infrastructure
    2.3 SSL Protocol
    2.4 All channels in the 2.4 GHz band [22]
    2.5 Non-overlapping channels in the 2.4 GHz band [22]
    2.6 WiFi channels for the 5 GHz band [33]
    2.7 Location determination process
    3.1 Skyhook location service query
    3.2 Google location service query
    3.3 Apple location service query
    3.4 Hardware
    3.5 Location services attack procedure
    3.6 Access point impersonation attack on Google location service
    3.7 Access point impersonation attack on Skyhook location service
    3.8 Access point impersonation attack on Apple location service
    3.9 Access point impersonation attack on Microsoft location service
    3.10 Scan for nearby access points
    4.1 Using SSL with proxy server
    4.2 Setting proxy settings in Group Policy
