@dinosec Protección de comunicaciones en … · 2014 © Dino Security S.L. All rights reserved.

2014 © Dino Security S.L.

All rights reserved. Todos los derechos reservados.

w w w. d i n o s e c . c o m

@ d i n o s e c

Protección de comunicaciones en

dispositivos móviles

(NFC, Bluetooth & Wi-Fi)

Raúl Siles

[email protected]

@raulsiles

3 abril 2014 – TASSI

Escenarios de ataque

2014 © Dino Security S.L.

All rights reserved. Todos los derechos reservados.


@ d i n o s e c

Mobile Devices Communications

Protection

(NFC, Bluetooth & Wi-Fi)

Raúl Siles

[email protected]

@raulsiles

April 3, 2014 – TASSI

Attack Scenarios

3 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.

Outline

• Introduction

• NFC

• Bluetooth

• Wi-Fi

• References

Crypt4You: “Lección 4. Protección de

comunicaciones en dispositivos móviles” (ES)

http://www.criptored.upm.es/crypt4you/temas/privacidad-

proteccion/leccion4/leccion4.html


Introduction


Mobile Security Challenges

Nowadays?


Market Share

Sep 4, 2013:

• Android: 75,3%

• iOS: 16,9%

• WP: 3,9%

• BB: 2,7%

• Others: 1,2%

6

Reference: http://www.idc.com/getdoc.jsp?containerId=prUS24302813


Security Threats

• Device discovery

– Clients & “infrastructure”

• Communications interception

– Voice & data

• Communications manipulation

• Device impersonation

• Unauthorized access

– Devices, services (capabilities) & data

Mobile devices: personal & corporate (privacy)


NFC (Near Field Communication)

• NFC technologies

– Short distance, 13,56Mhz, 106-424 Kbps

– Active (energy) or passive modes (tag)

– Most mobile devices except iOS…

• Multiple usage scenarios

– Proximity and micro payments

– Establish secure communications

• Pairing & key exchange

• Bluetooth or Wi-Fi Direct (data exchange)

– E.g. Android Beam or Samsung-Beam


NFC (Near Field Communication)

• Store NFC payment information

– SE: Secure Element

• Mobile device (integrated smartcard chip), UICC

(SIM card) or advanced SD card (ASSD)… or SW

– Applications: applets or cardlets

– E.g. (Android) Google Wallet, (BlackBerry

7.1+) BlackBerry Tag, (WP8) Wallet Hub

• Vulnerabilities in Android implementations

– BH US 2012 & EuSecWest 2012-09

• Access user data, malware download, RCE…


Bluetooth

• Bluetooth technologies

– 802.15.1, 2,4Ghz (79), FHSS, specs & classes

– Piconet & profiles

– Hopping pattern

– BD_ADDR

– Two modes

– Phases: inquiry, paging & SDP

– Security

• Authentication, authorization & encryption


Discovering the Undiscoverable

• Hidden devices: BD_ADDR

– Guessing, pairing, mixing wireless

technologies, brute force (248)…

– Traffic capture (partially: LAP)

• How?

USRP (1 freq.)

GNU-Radio

gr-bluetooth

• Security by obscurity

– Known default & fixed PIN


Obtaining the LAP…

LSB Bluetooth Frame MSB

72 bits 54 bits 0- 2745 bits

Access code Baseband header Message data

LSB Bluetooth Access Code (72 bits) MSB

4 bits 64 bits 4 bits

Preamble Sync Word Finalization

Syncronization (1) Piconet identification (1)

Master LAP

(Last 3 bytes from BD_ADDR)

https://www.usenix.org/legacy/event/woot07/tech/full_papers/spill/spill.pdf


Obtaining the BD_ADDR

• Once we know the LAP…

• ... we need to get the rest: NAP+UAP

• Optimized brute force techniques

– Multiple Bluetooth devices

– Reduce the address range: OUI’s (IEEE)

• BNAP-BNAP project (Joshua Wright)

• ≈70 OUI’s

– BTScanner: LAP patch (1-10 mins)

http://bnap.opensecurityresearch.com/code.html


Reanalyzing the BD_ADDR

• BD_ADDR: libbtbb

– LAP: Lower (Address Part)

• Access Code

– UAP: Upper (Address Part)

• HEC & CRC

– NAP: Non-significant (Address Part)

• 00:00:…?


Ubertooth One

• Michael Ossmann ($120) - 2011

– Kickstarter, Great Scott Gadgets, HakShop

• Open-source Bluetooth sniffer: LAP + UAP

– ≈ Wi-Fi adapters (RFMON) (…10 years)

– 2,4 Ghz + injection + spectrum analyzer

– ≈ Class 1 (Basic Rate + LE)

• Follow devices…

• Kismet, Wireshark… http://ubertooth.sourceforge.net


Real & Personal Bluetooth Threats

• Trustwave advisory: August 2013 – https://www3.trustwave.com/spiderlabs/advisories/

TWSL2013-020.txt

• Inax's Satis automatic toilet • http://www.inax-usa.com/technology/satis/

– Remote control via Bluetooth

• Android app: “My Satis”

– Bluetooth PIN (default): 0000 (hardcoded)

BluetoothDevice localBluetoothDevice =

BluetoothManager.getInstance().execPairing(paramString, "0000")

• Download app and … use its functions:

Repeatedly flush the toilet, unexpectedly open/close the

lid, activate bidet or air-dry functions (discomfort to user)

http://arstechnica.com/security/2013/08/holy-sht-smart-toilet-hack-attack/


Security Recommendations (1/2)

• Turn it off! Save the planet!

• Hidden (or non-visible) device

• Enable just the required profiles (?)

• Enable authentication & authorization (?)

• Change default values: name

– Vendor & model, owner, etc.

• Software & firmware updates

• Corporate security policy


Security Recommendations (2/2)

• Usage in “dangerous” environments

– Initial pairing process

• PIN selection (16 chars) & renewal

• Unsolicited pairing/connect requests

– Proximity marketing (user awareness)

• Management of the pairing DB

– Remove those not used


Wi-Fi

• Wi-Fi challenges nowadays

• Wi-Fi (mobile) clients behavior

– The PNL

• Wi-Fi network impersonation

– Attacking Wi-Fi enterprise clients

• Wi-Fi clients security recommendations


Wi-Fi Challenges Nowadays?


Wi-Fi Challenges Nowadays?

http://www.huffingtonpost.com/vala-afshar/50-incredible-wifi-tech-s_b_4775837.html


Wi-Fi Security Challenges

Nowadays?

Super Bowl Security Command Center 2014: Broadcast on TV


Wi-Fi (Mobile) Clients Behavior


How Wi-Fi Clients Work?

• Users connect to Wi-Fi networks by…

1. Selecting them from the list of currently

available networks in the area of coverage

2. Adding them manually to the Wi-Fi client

• Security settings are mandatory (if any)

– Open, WEP, WPA(2)-Personal & WPA(2)-

Enterprise

• Networks are remembered and stored for future

connections: list of known networks

The Preferred Network List (PNL)


How Wi-Fi Clients Discover

Available Wi-Fi Networks?

• Passive scan

– Beacons

– Every 100ms (10 frames/sec)

• SSID?

• Active scan

– Probe request / response

– (Wildcard or broadcast) SSID?


Hidden Wi-Fi Networks

• Hidden Wi-Fi networks (cloaked or non-broadcast) – Still today a very common security best practice…

– … with relevant security implications for the Wi-Fi clients

– Beacon frames do not contain the SSID (empty)

• Visible (or broadcast) Wi-Fi networks include the SSID in their beacon frames – Wi-Fi clients need to know the SSID to connect to the network

• So how Wi-Fi clients connect to hidden Wi-Fi networks? – Wi-Fi clients have various networks (SSIDs) in their PNL

• Wi-Fi clients have to specifically ask for the hidden Wi-Fi networks in their PNL by sending probe requests containing the SSID – As a result they have to disclose their PNL !!

PNL was disclosed by Wi-Fi clients in the past (2005; Win XP fix in 2007)


Security Risks of Disclosing the

PNL


• An attacker can impersonate the

various Wi-Fi networks available in

the PNL

– Different methods based on the security

settings

• People didn’t pay enough attention to

this because…

– …there was no name for it!

Security Risks of Disclosing the PNL

War Standing or War “Statuing” (Statue)


War Standing Risks


Wi-Fi Network Impersonation


Wi-Fi Network Impersonation (1/2)

• When entries in the PNL are disclosed by Wi-Fi

clients… someone can force the victims to

(silently) connect to the attacker’s Wi-Fi network

– Karma-like attacks (since 2004)

– AP impersonation (or fake AP): anywhere in the world

– Evil-twin: area of coverage of the legitimate network

• Strongest signal wins (or less battery drawing network)

• The victim shares the network with the attacker

– Full network connectivity at layer 1&2 and above

– MitM: Man-in-the-Middle attacks


Wi-Fi Network Impersonation (2/2)

• Fully impersonate the Wi-Fi network…

– 802.11 AP, DHCP server, DNS server, routing and

NAT capabilities, RADIUS server…

• Two prerequisites

– SSID (Wi-Fi network name)

• Disclosed from the PNL

– Wi-Fi network security type

• Security type requirements

– Open, WEP & WPA(2)-Personal, WPA(2)-Enterprise


Open Wi-Fi Networks…


Attacking Wi-Fi Clients: Open

“Nobody never ever connects to an open Wi-Fi network!” Right?


WPA(2)-Enterprise Wi-Fi Networks


Wi-Fi Enterprise Networks

• How to verify the RADIUS server

certificate?

– CN, CA, expiration + revocation & purpose

• There is no URL like in the web browsers (X.509 CN)

• Wi-Fi client, access point (AP),

and RADIUS server

• Multiple user credentials

allowed (802.1X/EAP types)


FreeRADIUS-WPE

• FreeRADIUS-Wireless Pwnage Edition (WPE) – SchmooCon 2008: Joshua Wright & Brad Antoniewicz

• Attacker impersonates the full Wi-Fi network

infrastructure (AP + RADIUS server + …)

• PEAP & TTLS – Inner authentication: MS-CHAPv2 (or others)

– Username + Challenge/Response (hash)

– Mutual authentication

http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf

http://www.willhackforsushi.com/?page_id=37

http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html

https://github.com/brad-anton/freeradius-wpe


MS-CHAPv2 Cracking

• asleap (+v2.1) - Joshua Wright – Crack challenge (-C) and response (-R)

• http://www.willhackforsushi.com/Asleap.html

– Dictionary attack (DES x 3)

• genkeys – Precomputed MD4 hashes (indexed list of passwords)

• Indexed by the last two bytes of MD4 hash (brute force) – Challenge (8-byte) & MD4 hash (16-byte) ≈ Response (24-bytes)

• MS-CHAPv2 cloud cracking – Defcon 20 (2012): Moxie Marlinspike & David Hulton

• https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

– Brute force attack (256 ≈ DES) – FPGA box: ~ 12-24h • www.cloudcracker.com & chapcrack (100% success rate = $200)

Strength of user passphrase... not any more!


FreeRADIUS-WPE in Action


SANS SEC575

(FreeRADIUS) EAP Dumb-Down

• Multiple EAP types available

– Mobile devices seem to prefer to use PEAP

(MS-CHAPv2) by default

• But in reality they use the preferred EAP

method set by the RADIUS server

– GTC-PAP: Log credentials in cleartext

• Username and passphrase

• Additionally it might allow automatic full

Wi-Fi network impersonation (MitM)

Strength of the user passphrase is irrelevant


EAP Dumb-Down in Action


Mobile Devices Behavior Against

FreeRADIUS-WPE & EAP Dumb-Down

• FreeRADIUS-WPE

– iOS: UI & configuration profile

– Android

– WP 7.x & 8

– BlackBerry 7.x

• EAP Dumb-Down

– iOS: UI & configuration profile

– Android

– WP 7.x & 8

– BlackBerry 7.x

"Why iOS (Android & others) Fail inexplicably"

User creddentials (not

just the Wi-Fi secret):

Other corporate

services?

Full MitM connectivity


Full Wi-Fi Network Impersonation For Fun & Profit by Example


Wi-Fi Network Impersonation Exploitation

For Fun

http://www.ex-parrot.com/pete/upside-down-ternet.html


• iOS update to 7.0.6 (Feb 21, 2014)

– 6.1.6 (iPhone 3GS & iPod Touch 4th)

– OS X 10.9 “Mavericks” (no patch)

• Lack of proper certificate validation

– DHE & ECDHE (CVE-2014-1266)

– https://www.imperialviolet.org:1266

– https://www.gotofail.com

https://www.imperialviolet.org/2014/02/22/applebug.html

Wi-Fi Network Impersonation Exploitation

For Profit - Goto Fail


Wi-Fi Clients Security

Recommendations


Wi-Fi Clients Configuration

Recommendations

• Turn off the Wi-Fi interface if not in use

• Do not configure Wi-Fi networks as hidden

• Do not add Wi-Fi networks manually to

mobile devices (= hidden network)

• Manage & clean-up the PNL periodically • Individually and enterprise level (MDM)

• Wi-Fi policy: What type of networks…?

• Properly add Wi-Fi enterprise networks…


Wi-Fi Enterprise Recommendations

(1/2)

• Wi-Fi supplicants must always…

– Trust only the specific CA used for the Wi-Fi network

• Not a good idea to use the full list of public trusted CAs

• A private CA is a better option than a public CA assuming an

attacker cannot get a legitimate certificate from it

– Define the specific (set of) RADIUS server(s) name(s)

used (X.509 CN)

• Do not provide options to disable certificate validation

– Define and force the specific EAP type used

• Define the inner authentication method (e.g. MS-CHAPv2)

• Do not downgrade to other EAP types (EAP dumb-down)


Wi-Fi Enterprise Recommendations

(2/2)

• WPA2-Enterprise: Full Wi-Fi network validation

– Do not ask the user!

• Wi-Fi Enterprise is inherently “broken”

– How to add a new RADIUS server?

• Modify the config of all Wi-Fi clients in the organization

• User credentials strength

– Passphrase

• EAP/TLS: client digital certificates + PKI

• WIDS (evil-twin)


References


References

• Crypt4You: “Lección 4. Protección de

comunicaciones en dispositivos móviles”

– http://www.criptored.upm.es/crypt4you/temas/privacidad

-proteccion/leccion4/leccion4.html

• TASSI

– http://www.lpsi.eui.upm.es/GANLESI/GANLESI.htm

• DinoSec Lab – Publications – http://www.dinosec.com/en/lab.html

• DinoSec Security Advisories – http://blog.dinosec.com/p/security-advisories.html

“You think that’s air

you’re breathing now?”

Morpheus to Neo during the scene when he was teaching him in the

virtual dojo on board the ship The Nebuchadnezzer


Questions


@ d i n o s e c

R a ú l S i l e s

r a u l @ d i n o s e c . c o m

@ r a u l s i l e s

@dinosec Protección de comunicaciones en … · 2014 © Dino Security S.L. All rights reserved.

Documents

Transcript of @dinosec Protección de comunicaciones en … · 2014 © Dino Security S.L. All rights reserved.