Introduction to Wireless Hacking
Source: cse.iitkgp.ac.in/.../Introduction_to_Wireless_Hacking.pdf
Speaker: Vidya Govindan
Research Assistant
IOT LAB, CSE DEPT.,
IIT Kharagpur
24/10/2016
Security of Internet of Things Workshop - IIT Kharagpur
Wireless Network Basics
Vulnerabilities
Attacks
Demos
AP - Access Point
MAC - Media Access Control
NIC (Network Interface Card) or wireless adapter
BSSID - Access Point's MAC address: 54:B8:0A:7E:CA:92
ESSID - Access Point's broadcast name: dlink_DWR…
Antennas (directional or omnidirectional) - generate and propagate radio frequency waves into the air
Physical frequency of transmissions: channels, wireless standard
Transmission power - regulated by country
Type                            | Range                       | Applications                         | Standards
Personal area network (PAN)     | Within reach of a person    | Cable replacement for peripherals    | Bluetooth, ZigBee, NFC
Local area network (LAN)        | Within a building or campus | Wireless extension of wired network  | IEEE 802.11 (WiFi)
Metropolitan area network (MAN) | Within a city               | Wireless inter-network connectivity  | IEEE 802.15 (WiMAX)
Wide area network (WAN)         | Worldwide                   | Wireless network access              | Cellular (UMTS, LTE, etc.)
WiFi Alliance - IEEE 802.11 standards - specifies a link-layer protocol
Mainly uses the 2.4 GHz (12 cm) and 5 GHz (6 cm) radio bands
Access modes: Ad hoc (client-to-client, without an AP) and Infrastructure (via an AP; BSS, ESS) mode
ZigBee uses IEEE 802.15.4
2.4 GHz ISM band, 16 channels, 5 MHz separation, max frame size 127 bytes
ZigBee touches the kinetic world more than any other wireless packet technology
WiFi does not control water spill gates at a dam
Bluetooth does not control lighting, HVAC and appliances in your office or home
WiFi is bloated and transceivers are too expensive. Bluetooth uses too much power and is too complex
ZigBee comes in at low cost, low speed, low power
Connects lightweight embedded technology
FFDs (network coordinators) and RFDs (end devices)
ZC, ZR and ZEC
Star, mesh and cluster tree topologies
Packet - an amount of data transferred in a network.
Frame - a container within which the packet is transferred
Frame header: source and destination
EtherType (which protocol)
Frames: simply data packets, typically made up of:
Header,
Payload,
Integrity check (CRC)
Types of frames:
Management frames - beacon, probe, association, authentication
Control frames - RTS, CTS, ACK
Data frames
Protocols: ARP, MAC, IP
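As an added example (not part of the original slides), the following decoder classifies the frame types listed above from the Frame Control byte and pulls out the address fields, the way a packet analyser such as Wireshark labels them; the sample beacon and ACK frames are constructed, reusing the BSSID from the basics slide.

```python
from dataclasses import dataclass
from typing import Optional

TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {  # (type, subtype) -> name, for the frames the slide lists
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 4): "Probe request", (0, 5): "Probe response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 8): "QoS data",
}

@dataclass
class MacHeader:
    ftype: str
    subtype: str
    protected: bool            # Protected Frame bit: body is encrypted (WEP/TKIP/CCMP)
    addr1: str                 # receiver address
    addr2: Optional[str]       # transmitter address (absent in CTS/ACK)
    addr3: Optional[str]       # usually the BSSID in infrastructure mode

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211_header(frame: bytes) -> MacHeader:
    """Decode Frame Control and the address fields at the start of an 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("too short for Frame Control, Duration and Address 1")
    fc0, fc1 = frame[0], frame[1]
    ftype_id = (fc0 >> 2) & 0x3          # bits 2-3 of the first Frame Control byte
    subtype_id = (fc0 >> 4) & 0xF        # bits 4-7
    ftype = TYPES.get(ftype_id, "Reserved")
    subtype = SUBTYPES.get((ftype_id, subtype_id), f"subtype {subtype_id}")
    protected = bool(fc1 & 0x40)         # bit 6 of the second Frame Control byte
    addr1 = mac(frame[4:10])
    addr2 = addr3 = None
    if not (ftype_id == 1 and subtype_id in (12, 13)):   # CTS/ACK carry only addr1
        if len(frame) < 22:
            raise ValueError("too short for Address 2 and Address 3")
        addr2, addr3 = mac(frame[10:16]), mac(frame[16:22])
    return MacHeader(ftype, subtype, protected, addr1, addr2, addr3)

# Constructed sample frames: a beacon from the AP whose BSSID the slides use, and an ACK.
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "54b80a7eca92" "54b80a7eca92" "0000")
ACK = bytes.fromhex("d400" "0000" "001122334455")
```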
WEP - Wired Equivalent Privacy
RC4 encryption
Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 key.
64-bit or 128-bit systems
Authentication: Open System and Shared Key
WPA - WiFi Protected Access
TKIP - Temporal Key Integrity Protocol
CRC
WPA2 - AES CCMP - Counter Mode Cipher Block Chaining Message Authentication Code Protocol
WPS - WiFi Protected Setup - PIN and push-button method
ZigBee security is based on symmetric keys, and both the originator and the recipient of a protected transaction need to share the same key.
Key distribution schemes: pre-installation, transport, establishment
Three key types: master, link, network
Unauthorized access - password sharing, guessing and capturing
Disclosure of data, access to confidential data, alteration of confidential data
Unauthorized modification
Disabling functionality
Disclosure of network traffic
Spoofing of network traffic
Improperly configured networks can make internal appliances Internet-accessible
Vendors target ease of use and therefore ship functionality enabled out of the box with a default password, or wide open.
WEP: RC4 is a stream cipher and the same key should not be used twice! A 24-bit IV is not long enough to ensure this on a busy network.
Open system - any client, regardless of its WEP keys, can authenticate itself with the AP and then attempt to associate. No authentication.
Shared key - four-way handshake, less secure because it allows the attacker to get IVs using the challenge-response mechanism!
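As an added illustration (not from the slides) of the two WEP points above: the RC4 seed is IV || key, so two frames sent under the same IV reuse the keystream and leak the XOR of their plaintexts to anyone listening, and the birthday bound shows how few frames a 24-bit IV survives. The key and frames are constructed samples; the CRC-32 ICV and the MAC header are left out.

```python
import math

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP body encryption: RC4 seeded with IV || key, XORed over the payload.
    The ICV (CRC-32) WEP appends is omitted; 5-byte key = WEP-40, 13-byte = WEP-104."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP needs a 24-bit IV and a 40- or 104-bit key")
    return xor_bytes(body, rc4_keystream(iv + key, len(body)))

def frames_until_iv_repeat(iv_bits: int = 24, p: float = 0.5) -> int:
    """Birthday bound: frames with random IVs until some IV repeats with probability p."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))

def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share the keystream, so c1 XOR c2 == p1 XOR p2:
    a passive listener learns the XOR of the plaintexts without knowing the key."""
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed WEP-40 key, not a real one
    iv = bytes.fromhex("a1b2c3")        # constructed 24-bit IV
    print(keystream_reuse_leak(key, iv, b"GET /index.html", b"GET /login.html"))  # True
    print(frames_until_iv_repeat())     # 4823 frames for a 50% chance of a repeated IV
```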
WPA TKIP: built upon WEP, devices were simply upgraded to WPA; it is crackable with more effort.
The process is as follows:
Send a de-auth to the AP
The AP re-authenticates the client
Capture the handshake
Brute force the handshake
WPA2 AES and WPS: it is possible to crack WPA2 with very high chances of success, but it depends on the length and complexity of the password.
ZigBee security is based on the assumption that keys are securely stored, and devices are pre-loaded with symmetric keys so they never have to be transmitted unencrypted.
If a non-preconfigured device joins a network, a single key may be sent unprotected to enable encrypted communication.
Safekeeping of encryption keys is difficult and prone to key interception using jamming techniques.
Embedded web server vulnerabilities: web-based command line interface without password protection
Can be leveraged to completely reconfigure the device or obtain configuration information
World's most dangerous search engine: Shodan
Web camera and office device vulnerability
Some Google search examples:
intitle:Axis 2400 video
inurl /view/index.shtml??
intitle:"Live View / - AXIS"
inurl:viewerframe?mode=
inurl:axis-cgi/jpg
intitle:"i-Catcher Console - Web Monitor"
Angry IP Scanner
Kali Linux
Aircrack-ng Suite
Ettercap
Driftnet
WiFi Pineapple
Wireshark
Intel Edison and Logitech UVC camera
Philips Hue lighting system
Arranged after lunch at the IoT Lab, CSE Department
Demo 1: Eavesdropping attack on the Philips Hue wireless lighting system
Demo 2: Man-in-the-middle attack on a wireless surveillance system
Hacking Wireless Exposed, Third Edition, by Joshua Wright and Johnny Cache
WEP & WPA Attacks
Wikipedia: IEEE 802.11
Kali Documentation
Webcam Google Search