Wireless Security Why Swiss-Cheese Security Isn’t Enough David

Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley

Wireless Networking is Here Internet 802.11 wireless networking is on the rise installed base: 15 million users currently a 1 billion/year industry

The Problem: Security Wireless networking is just radio communications Hence anyone with a radio can eavesdrop, inject traffic

The Security Risk: RF Leakage

The Risk of Attack From Afar

Why You Should Care

More Motivation

Overview of the Talk In this talk: The history: WEP, and its (in)security Where we stand today Future directions

WEP (encrypted traffic) The industry’s solution: WEP (Wired Equivalent Privacy) Share a single cryptographic key among all devices Encrypt all packets sent over the air, using the shared key

Early History of WEP 1997 Mar 2000 802.11 WEP standard released Simon, Aboba, Moore: some weaknesses Walker: Unsafe at any key size Oct 2000 Jan 30, 2001 Feb 5, 2001 NY Times, WSJ break the story Borisov, Goldberg, Wagner: 7 serious attacks on WEP

WEP - A Little More Detail IV, P RC4(K, IV) WEP uses the RC4 stream cipher to encrypt a TCP/IP packet (P) by xor-ing it with keystream (RC4(K, IV))

A Property of RC4 Keystream leaks, under known-plaintext attack Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P Let Z RC4(K, IV) be the RC4 keystream Since C P Z, we can derive the RC4 keystream Z by P C P (P Z) Z This is not a problem . unless keystream is reused!

A Risk of Keystream Reuse IV, P RC4(K, IV) IV, P’ RC4(K, IV) If IV’s repeat, confidentiality is at risk If we send two ciphertexts (C, C’) using the same IV, then the xor of plaintexts leaks (P P’ C C’), which might reveal both plaintexts Lesson: If RC4 isn’t used carefully, it becomes insecure

Attack #1: Keystream Reuse WEP didn’t use RC4 carefully The problem: IV’s frequently repeat The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV’s, so after intercepting enough packets, there are sure to be repeats Attackers can eavesdrop on 802.11 traffic An eavesdropper can decrypt intercepted ciphertexts even without knowing the key

WEP -- Even More Detail IV original unencrypted packet key IV RC4 encrypted packet checksum

Attack #2: Spoofed Packets Attackers can inject forged 802.11 traffic Learn RC4(K, IV) using previous attack Since the checksum is unkeyed, you can then create valid ciphertexts that will be accepted by the receiver Attackers can bypass 802.11 access control All computers attached to wireless net are exposed

Attack #3: Reaction Attacks P RC4(K) P RC4(K) 0x0101 ACK TCP ACKnowledgement appears TCP checksum on received (modified) packet is valid P & 0x0101 has exactly 1 bit set Attacker can recover plaintext (P) without breaking RC4

Summary So Far None of WEP’s goals are achieved Confidentiality, integrity, access control: all insecure

Subsequent Events Jan 2001 Mar 2001 May 2001 Jun 2001 Aug 2001 Borisov, Goldberg, Wagner Arbaugh: Your 802.11 network has no clothes Arbaugh: more attacks Newsham: dictionary attacks on WEP keys Fluhrer, Mantin, Shamir: efficient attack on way WEP uses RC4 Arbaugh, Mishra: still more attacks Feb 2002

War Driving To find wireless nets: Load laptop, 802.11 card, and GPS in car Drive While you drive: Attack software listens and builds map of all 802.11 networks found

War Driving: Chapel Hill

Driving from LA to San Diego

Wireless Networks in LA

Silicon Valley

San Francisco

Toys for Hackers

A Dual-Use Product

Problems With 802.11 WEP WEP cannot be trusted for security Attacks are serious in practice Attackers can eavesdrop, spoof wireless traffic Also can break the key with a few minutes of traffic Attack tools are available for download on the Net And: WEP is often not used anyway High administrative costs (WEP punts on key mgmt) WEP is turned off by default

History Repeats Itself cellphones wireless security: not just 802.11 1980analog cellphones: AMPS analog cloning, scanners fraud pervasive & costly digital: TDMA, GSM wireless networks 1999 802.11, WEP 1990 TDMA eavesdropping [Bar] more TDMA flaws [WSK] GSM cloneable [BGW] GSM eavesdropping [BSW,BGW] 2000 Future: 3rd gen.: 3GPP, sensor networks 2000 2001 WEP broken [BGW] Berkeley motes WEP badly broken [FMS] 2002 attacks pervasive 2002 TinyOS 1.0, TinySec 2003 WPA Future: 802.11i 2003 Future: ?

Conclusions The bad news: 802.11 is insecure, both in theory & in practice 802.11 encryption is readily breakable, and 50-70% of networks never even turn on encryption Hackers are exploiting these weaknesses in the field The good news: Fixes (WPA, 802.11i) are on the way!