2014 © Dino Security S.L.
All rights reserved. Todos los derechos reservados.
w w w. d i n o s e c . c o m
@ d i n o s e c
Protección de comunicaciones en
dispositivos móviles
(NFC, Bluetooth & Wi-Fi)
Raúl Siles
@raulsiles
3 abril 2014 – TASSI
Escenarios de ataque
2014 © Dino Security S.L.
All rights reserved. Todos los derechos reservados.
w w w. d i n o s e c . c o m
@ d i n o s e c
Mobile Devices Communications
Protection
(NFC, Bluetooth & Wi-Fi)
Raúl Siles
@raulsiles
April 3, 2014 – TASSI
Attack Scenarios
3 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Outline
• Introduction
• NFC
• Bluetooth
• Wi-Fi
• References
Crypt4You: “Lección 4. Protección de
comunicaciones en dispositivos móviles” (ES)
http://www.criptored.upm.es/crypt4you/temas/privacidad-
proteccion/leccion4/leccion4.html
4 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Introduction
5 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Mobile Security Challenges
Nowadays?
6 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Market Share
Sep 4, 2013:
• Android: 75,3%
• iOS: 16,9%
• WP: 3,9%
• BB: 2,7%
• Others: 1,2%
6
Reference: http://www.idc.com/getdoc.jsp?containerId=prUS24302813
7 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Security Threats
• Device discovery
– Clients & “infrastructure”
• Communications interception
– Voice & data
• Communications manipulation
• Device impersonation
• Unauthorized access
– Devices, services (capabilities) & data
Mobile devices: personal & corporate (privacy)
8 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
9 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
NFC (Near Field Communication)
• NFC technologies
– Short distance, 13,56Mhz, 106-424 Kbps
– Active (energy) or passive modes (tag)
– Most mobile devices except iOS…
• Multiple usage scenarios
– Proximity and micro payments
– Establish secure communications
• Pairing & key exchange
• Bluetooth or Wi-Fi Direct (data exchange)
– E.g. Android Beam or Samsung-Beam
10 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
NFC (Near Field Communication)
• Store NFC payment information
– SE: Secure Element
• Mobile device (integrated smartcard chip), UICC
(SIM card) or advanced SD card (ASSD)… or SW
– Applications: applets or cardlets
– E.g. (Android) Google Wallet, (BlackBerry
7.1+) BlackBerry Tag, (WP8) Wallet Hub
• Vulnerabilities in Android implementations
– BH US 2012 & EuSecWest 2012-09
• Access user data, malware download, RCE…
11 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
12 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Bluetooth
• Bluetooth technologies
– 802.15.1, 2,4Ghz (79), FHSS, specs & classes
– Piconet & profiles
– Hopping pattern
– BD_ADDR
– Two modes
– Phases: inquiry, paging & SDP
– Security
• Authentication, authorization & encryption
13 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Discovering the Undiscoverable
• Hidden devices: BD_ADDR
– Guessing, pairing, mixing wireless
technologies, brute force (248)…
– Traffic capture (partially: LAP)
• How?
USRP (1 freq.)
GNU-Radio
gr-bluetooth
• Security by obscurity
– Known default & fixed PIN
14 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Obtaining the LAP…
LSB Bluetooth Frame MSB
72 bits 54 bits 0- 2745 bits
Access code Baseband header Message data
LSB Bluetooth Access Code (72 bits) MSB
4 bits 64 bits 4 bits
Preamble Sync Word Finalization
Syncronization (1) Piconet identification (1)
Master LAP
(Last 3 bytes from BD_ADDR)
https://www.usenix.org/legacy/event/woot07/tech/full_papers/spill/spill.pdf
15 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Obtaining the BD_ADDR
• Once we know the LAP…
• ... we need to get the rest: NAP+UAP
• Optimized brute force techniques
– Multiple Bluetooth devices
– Reduce the address range: OUI’s (IEEE)
• BNAP-BNAP project (Joshua Wright)
• ≈70 OUI’s
– BTScanner: LAP patch (1-10 mins)
http://bnap.opensecurityresearch.com/code.html
16 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Reanalyzing the BD_ADDR
• BD_ADDR: libbtbb
– LAP: Lower (Address Part)
• Access Code
– UAP: Upper (Address Part)
• HEC & CRC
– NAP: Non-significant (Address Part)
• 00:00:…?
17 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Ubertooth One
• Michael Ossmann ($120) - 2011
– Kickstarter, Great Scott Gadgets, HakShop
• Open-source Bluetooth sniffer: LAP + UAP
– ≈ Wi-Fi adapters (RFMON) (…10 years)
– 2,4 Ghz + injection + spectrum analyzer
– ≈ Class 1 (Basic Rate + LE)
• Follow devices…
• Kismet, Wireshark… http://ubertooth.sourceforge.net
18 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Real & Personal Bluetooth Threats
• Trustwave advisory: August 2013 – https://www3.trustwave.com/spiderlabs/advisories/
TWSL2013-020.txt
• Inax's Satis automatic toilet • http://www.inax-usa.com/technology/satis/
– Remote control via Bluetooth
• Android app: “My Satis”
– Bluetooth PIN (default): 0000 (hardcoded)
BluetoothDevice localBluetoothDevice =
BluetoothManager.getInstance().execPairing(paramString, "0000")
• Download app and … use its functions:
Repeatedly flush the toilet, unexpectedly open/close the
lid, activate bidet or air-dry functions (discomfort to user)
http://arstechnica.com/security/2013/08/holy-sht-smart-toilet-hack-attack/
19 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Security Recommendations (1/2)
• Turn it off! Save the planet!
• Hidden (or non-visible) device
• Enable just the required profiles (?)
• Enable authentication & authorization (?)
• Change default values: name
– Vendor & model, owner, etc.
• Software & firmware updates
• Corporate security policy
20 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Security Recommendations (2/2)
• Usage in “dangerous” environments
– Initial pairing process
• PIN selection (16 chars) & renewal
• Unsolicited pairing/connect requests
– Proximity marketing (user awareness)
• Management of the pairing DB
– Remove those not used
21 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
22 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi
• Wi-Fi challenges nowadays
• Wi-Fi (mobile) clients behavior
– The PNL
• Wi-Fi network impersonation
– Attacking Wi-Fi enterprise clients
• Wi-Fi clients security recommendations
23 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Challenges Nowadays?
24 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Challenges Nowadays?
http://www.huffingtonpost.com/vala-afshar/50-incredible-wifi-tech-s_b_4775837.html
25 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Security Challenges
Nowadays?
Super Bowl Security Command Center 2014: Broadcast on TV
26 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi (Mobile) Clients Behavior
27 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
How Wi-Fi Clients Work?
• Users connect to Wi-Fi networks by…
1. Selecting them from the list of currently
available networks in the area of coverage
2. Adding them manually to the Wi-Fi client
• Security settings are mandatory (if any)
– Open, WEP, WPA(2)-Personal & WPA(2)-
Enterprise
• Networks are remembered and stored for future
connections: list of known networks
The Preferred Network List (PNL)
28 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
How Wi-Fi Clients Discover
Available Wi-Fi Networks?
• Passive scan
– Beacons
– Every 100ms (10 frames/sec)
• SSID?
• Active scan
– Probe request / response
– (Wildcard or broadcast) SSID?
29 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Hidden Wi-Fi Networks
• Hidden Wi-Fi networks (cloaked or non-broadcast) – Still today a very common security best practice…
– … with relevant security implications for the Wi-Fi clients
– Beacon frames do not contain the SSID (empty)
• Visible (or broadcast) Wi-Fi networks include the SSID in their beacon frames – Wi-Fi clients need to know the SSID to connect to the network
• So how Wi-Fi clients connect to hidden Wi-Fi networks? – Wi-Fi clients have various networks (SSIDs) in their PNL
• Wi-Fi clients have to specifically ask for the hidden Wi-Fi networks in their PNL by sending probe requests containing the SSID – As a result they have to disclose their PNL !!
PNL was disclosed by Wi-Fi clients in the past (2005; Win XP fix in 2007)
30 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Security Risks of Disclosing the
PNL
31 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
• An attacker can impersonate the
various Wi-Fi networks available in
the PNL
– Different methods based on the security
settings
• People didn’t pay enough attention to
this because…
– …there was no name for it!
Security Risks of Disclosing the PNL
War Standing or War “Statuing” (Statue)
32 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
War Standing Risks
33 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Network Impersonation
34 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Network Impersonation (1/2)
• When entries in the PNL are disclosed by Wi-Fi
clients… someone can force the victims to
(silently) connect to the attacker’s Wi-Fi network
– Karma-like attacks (since 2004)
– AP impersonation (or fake AP): anywhere in the world
– Evil-twin: area of coverage of the legitimate network
• Strongest signal wins (or less battery drawing network)
• The victim shares the network with the attacker
– Full network connectivity at layer 1&2 and above
– MitM: Man-in-the-Middle attacks
35 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Network Impersonation (2/2)
• Fully impersonate the Wi-Fi network…
– 802.11 AP, DHCP server, DNS server, routing and
NAT capabilities, RADIUS server…
• Two prerequisites
– SSID (Wi-Fi network name)
• Disclosed from the PNL
– Wi-Fi network security type
• Security type requirements
– Open, WEP & WPA(2)-Personal, WPA(2)-Enterprise
36 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Open Wi-Fi Networks…
37 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Attacking Wi-Fi Clients: Open
“Nobody never ever connects to an open Wi-Fi network!” Right?
38 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
WPA(2)-Enterprise Wi-Fi Networks
39 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Enterprise Networks
• How to verify the RADIUS server
certificate?
– CN, CA, expiration + revocation & purpose
• There is no URL like in the web browsers (X.509 CN)
• Wi-Fi client, access point (AP),
and RADIUS server
• Multiple user credentials
allowed (802.1X/EAP types)
40 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
FreeRADIUS-WPE
• FreeRADIUS-Wireless Pwnage Edition (WPE) – SchmooCon 2008: Joshua Wright & Brad Antoniewicz
• Attacker impersonates the full Wi-Fi network
infrastructure (AP + RADIUS server + …)
• PEAP & TTLS – Inner authentication: MS-CHAPv2 (or others)
– Username + Challenge/Response (hash)
– Mutual authentication
http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf
http://www.willhackforsushi.com/?page_id=37
http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
https://github.com/brad-anton/freeradius-wpe
41 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
MS-CHAPv2 Cracking
• asleap (+v2.1) - Joshua Wright – Crack challenge (-C) and response (-R)
• http://www.willhackforsushi.com/Asleap.html
– Dictionary attack (DES x 3)
• genkeys – Precomputed MD4 hashes (indexed list of passwords)
• Indexed by the last two bytes of MD4 hash (brute force) – Challenge (8-byte) & MD4 hash (16-byte) ≈ Response (24-bytes)
• MS-CHAPv2 cloud cracking – Defcon 20 (2012): Moxie Marlinspike & David Hulton
• https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
– Brute force attack (256 ≈ DES) – FPGA box: ~ 12-24h • www.cloudcracker.com & chapcrack (100% success rate = $200)
Strength of user passphrase... not any more!
42 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
FreeRADIUS-WPE in Action
43 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
SANS SEC575
(FreeRADIUS) EAP Dumb-Down
• Multiple EAP types available
– Mobile devices seem to prefer to use PEAP
(MS-CHAPv2) by default
• But in reality they use the preferred EAP
method set by the RADIUS server
– GTC-PAP: Log credentials in cleartext
• Username and passphrase
• Additionally it might allow automatic full
Wi-Fi network impersonation (MitM)
Strength of the user passphrase is irrelevant
44 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
EAP Dumb-Down in Action
45 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Mobile Devices Behavior Against
FreeRADIUS-WPE & EAP Dumb-Down
• FreeRADIUS-WPE
– iOS: UI & configuration profile
– Android
– WP 7.x & 8
– BlackBerry 7.x
• EAP Dumb-Down
– iOS: UI & configuration profile
– Android
– WP 7.x & 8
– BlackBerry 7.x
"Why iOS (Android & others) Fail inexplicably"
User creddentials (not
just the Wi-Fi secret):
Other corporate
services?
Full MitM connectivity
46 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Full Wi-Fi Network Impersonation For Fun & Profit by Example
47 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Network Impersonation Exploitation
For Fun
http://www.ex-parrot.com/pete/upside-down-ternet.html
48 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
• iOS update to 7.0.6 (Feb 21, 2014)
– 6.1.6 (iPhone 3GS & iPod Touch 4th)
– OS X 10.9 “Mavericks” (no patch)
• Lack of proper certificate validation
– DHE & ECDHE (CVE-2014-1266)
– https://www.imperialviolet.org:1266
– https://www.gotofail.com
https://www.imperialviolet.org/2014/02/22/applebug.html
Wi-Fi Network Impersonation Exploitation
For Profit - Goto Fail
49 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Clients Security
Recommendations
50 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Clients Configuration
Recommendations
• Turn off the Wi-Fi interface if not in use
• Do not configure Wi-Fi networks as hidden
• Do not add Wi-Fi networks manually to
mobile devices (= hidden network)
• Manage & clean-up the PNL periodically • Individually and enterprise level (MDM)
• Wi-Fi policy: What type of networks…?
• Properly add Wi-Fi enterprise networks…
51 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Enterprise Recommendations
(1/2)
• Wi-Fi supplicants must always…
– Trust only the specific CA used for the Wi-Fi network
• Not a good idea to use the full list of public trusted CAs
• A private CA is a better option than a public CA assuming an
attacker cannot get a legitimate certificate from it
– Define the specific (set of) RADIUS server(s) name(s)
used (X.509 CN)
• Do not provide options to disable certificate validation
– Define and force the specific EAP type used
• Define the inner authentication method (e.g. MS-CHAPv2)
• Do not downgrade to other EAP types (EAP dumb-down)
52 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Wi-Fi Enterprise Recommendations
(2/2)
• WPA2-Enterprise: Full Wi-Fi network validation
– Do not ask the user!
• Wi-Fi Enterprise is inherently “broken”
– How to add a new RADIUS server?
• Modify the config of all Wi-Fi clients in the organization
• User credentials strength
– Passphrase
• EAP/TLS: client digital certificates + PKI
• WIDS (evil-twin)
53 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
References
54 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
References
• Crypt4You: “Lección 4. Protección de
comunicaciones en dispositivos móviles”
– http://www.criptored.upm.es/crypt4you/temas/privacidad
-proteccion/leccion4/leccion4.html
• TASSI
– http://www.lpsi.eui.upm.es/GANLESI/GANLESI.htm
• DinoSec Lab – Publications – http://www.dinosec.com/en/lab.html
• DinoSec Security Advisories – http://blog.dinosec.com/p/security-advisories.html
“You think that’s air
you’re breathing now?”
Morpheus to Neo during the scene when he was teaching him in the
virtual dojo on board the ship The Nebuchadnezzer
56 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Questions
w w w. d i n o s e c . c o m
@ d i n o s e c
R a ú l S i l e s
r a u l @ d i n o s e c . c o m
@ r a u l s i l e s
Top Related