sowa-hackfest2011-111109210300-phpapp02
Transcript of sowa-hackfest2011-111109210300-phpapp02
-
8/3/2019 sowa-hackfest2011-111109210300-phpapp02
1/19
Wi-Fi: Open or Secure? Making the best out of both...
Presented by François Proulx at HackFest 2011
Wednesday, 9 November, 11
-
2/19
Who am I?
François Proulx: jack of all trades, master of none; RFC junkie
Specialized in mobile development (iOS)
Been into Wi-Fi (in)security for a while; founding member of Île Sans Fil
Started the WiFiDog captive portal
Studied 802.11 specs in more depth while working on a Wi-Fi based location system - iFIND @ MIT
-
3/19
The take-away message for this talk
We need to fix the insecurity of Wi-Fi hotspots. We already have all the building blocks we need.
There's a simple and elegant solution, and it is entirely software based.
It's called Secure Open Wireless Access.
We, as security pundits, need to advocate so that the industry makes the necessary changes.
-
4/19
But let's rewind for a moment
A brief recap of the state of 802.11: 1999 - IEEE 802.11b (the one we know and love)
Open System Authentication
Shared Key Authentication (i.e. WEP)
2001 - 2005
WEP proved utterly insecure (WEP cracking as a sport)
In the meantime... Starbucks sells outrageously expensive lattés + Wi-Fi to poser kids surfing the Interwebs on their shiny MacBook Pro
-
5/19
The state of 802.11 continued...
At home: we tell everybody to secure their home router by using WPA2 with an unguessable passphrase
In public Wi-Fi hotspots:
It is still the Wild West (MITM, Firesheep, SSLStrip, etc.). The majority of hotspots are open Wi-Fi APs. We know the dangers, so we behave accordingly:
Use SSL for all sensitive traffic, or VPN out to a safer place
Meanwhile, the latté-sipping poser kids have lots of fun browsing the Interwebs... at our expense ;-)
-
6/19
What can we do about it?
We want robust and yet usable security: WPA2 + scan-click-and-connect usability
We have very strong building blocks available
802.11i brought us 802.1X over wireless (EAPoW). Most of us don't use 802.1X at home.
On the enterprise side, though, EAP is a way of deploying secure and robust setups.
Many EAP authentication methods exist (> 40)
LEAP, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA...
-
7/19
How can we leverage EAP for the good of public Wi-Fi hotspots?
Enter Secure Open Wireless Access (SOWA): a simple technique relying on WPA2 with EAP-TLS
Typically, EAP-TLS requires server and client side certs.
Efficiently distributing certificates to clients can be a pain in the b*tt. Good! That's the part we throw aside for SOWA.
Works just like the good old Web (HTTPS): you type in an address (e.g. https://www.paypal.com) and establish an SSL connection (one-way auth.)
With SOWA you pick the SSID and do anonymous EAP-TLS
-
8/19
Brief recap of EAP-TLS
(Diagram: http://commons.wikimedia.org/wiki/File:EAP-TLS_handshake.png)
-
11/19
Wait! Is that compliant with the spec?
Actually, yes it is!
RFC 5216 (latest version of EAP-TLS) defines the certificate_request message as optional. The auth. server (RADIUS) can skip that message
(most implementations already behave correctly)
The idea was that APs could be used anonymously for emergency services
http://tools.ietf.org/html/rfc5216
http://tools.ietf.org/html/draft-ietf-ecrit-unauthenticated-access-03
-
12/19
What do we need to deploy it?
Note the secure.expensivecafe.com string in both the SSID and the certificate common name (CN)
They need to match to provide authentication
Protecting the user against rogue access points
-
13/19
But... it's not that easy
1. Operating system patches
Network selection GUI (to allow connection without a client cert.)
Supplicant (so that it matches the SSID with the CN in the X.509 cert)
2. RADIUS server patches (FreeRADIUS patches exist)
Allowing anonymous EAP-TLS
3. APs should use the RSN caps field (802.11 beacon) to differentiate from other EAP-TLS SSIDs (NOT mandatory for SOWA to work, but helps usability)
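The SSID-to-certificate match that the two previous slides call for, written out as an added example (my code, not from the talk or from the SOWA supplicant patches): the rule a supplicant applies to decide whether the network named by the beacon SSID is the one the validated RADIUS certificate vouches for. `ServerCert`, `sowa_accepts` and `_label_match` are my names, and the RFC 6125-style matching (subjectAltName dNSName entries preferred over the CN, case-insensitive, wildcard only as the whole leftmost label) is an assumption; the slides only say the SSID and CN must match.

```python
# Added example: SOWA supplicant-side identity check (not the deck's own code).
# Assumption: names are matched RFC 6125 style, SAN dNSName first, then the CN.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Minimal view of the RADIUS server's X.509 cert as seen by the supplicant."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    chain_valid: bool = True  # did normal TLS chain validation to a trusted CA succeed?


def _label_match(pattern: str, name: str) -> bool:
    """Match one certificate DNS-ID against a name; '*' only as the whole leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_rest, n_labels = pattern[2:], name.split(".")
        # The wildcard covers exactly one label and never the registrable domain itself.
        return len(n_labels) >= 3 and ".".join(n_labels[1:]) == p_rest
    return False


def sowa_accepts(ssid: str, cert: ServerCert) -> bool:
    """Decide whether a SOWA network announced as `ssid` is authentic.

    The SSID is the only identity the user picked (like the host part of an
    https:// URL), so it must match an identity carried by a certificate that
    already chained to a trusted CA. Without the match, any AP holding some
    valid certificate could present itself under this SSID.
    """
    if not cert.chain_valid:
        return False
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_label_match(n, ssid) for n in names)


# Constructed samples: the SSID from the slide, a matching cert, and a cert that
# is perfectly valid but issued for a different name (the rogue-AP case).
SSID = "secure.expensivecafe.com"
GOOD = ServerCert("secure.expensivecafe.com")
OTHER = ServerCert("secure.othercafe.example")

if __name__ == "__main__":
    for cert in (GOOD, OTHER):
        print(cert.subject_cn, "->", sowa_accepts(SSID, cert))
```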
-
15/19
Food for thought...
What kind of iconography should we use to differentiate Open Secure and Authenticated Secure Open?
-
17/19
Please, help us spread the word
Thanks to Chris Byrd and IBM X-Force for inventing the technique and presenting it at BlackHat 2011: http://blogs.iss.net/archive/SownCode.html
There's still a long way to go before SOWA can be used by actual users, but play with it and spread the word
-
18/19
Q&A + Demo