
IPv6 WiFi Internet Security

23-27 May 2016, Bangkok, Thailand

26 May 2016 – Session x

By Ronald van Kleunen (CEO Globeron Pte Ltd)


ronald@globeron.com

International
Telecommunication
Union
Session x: WiFi Internet Security

• Objective: To learn overall topics on implementing security measures in WiFi networks, including their monitoring from an IPv4 and IPv6 perspective.

• Demonstration of implementing WiFi security measures

Wireless Security Initiatives
by ITU and WiFi Organisations

ITU

• SSC – Smart Sustainable Cities and CyberSecurity
• Integrated Management
• ITU-T Study Group 20 IoT
• ITU-T Focus Group FG-SSC-0090-R7
• An ITU Telecommunication Standardization Sector (ITU-T) Technical Report on “Cybersecurity, data protection and cyber resilience in Smart Sustainable Cities” takes a direct approach to its discussion of the most prominent cyberthreats to smart cities.

WI-FI ORGANIZATIONS

Creates Standards
• Consists of member individuals
• Design and document network protocols, such as:
  802.3 Ethernet
  802.11 Wi-Fi
  802.15 Bluetooth
  802.16 WiMAX

Set Local Regulations

Certifies Products
• Consists of member organizations – primarily equipment vendors
• Certifies Wi-Fi equipment for interoperability
• Promote adoption of IEEE 802.11 standards in the market

WIRELESS TRAINING & EDUCATION - VENDOR NEUTRAL
WIRELESS CERTIFICATION ROADMAP

Expert Level #108

Expert Level
Trainer Level CWNT
Security / Analysis / Design
Learning Partner Level – 1st in APAC since 2005
Certified Wireless Network Administrator (RF, Antenna, Protocols, Spectrum analysis, Site Survey)
Certified Wireless Technology Specialist

Wireless Communication Layers
in the stacks

PROTOCOLS AT EACH LAYER (TCP/IP VS OSI MODEL)

TCP/IP Model                                 OSI Model        Protocols
Application                                  7 Application    DNS, DHCP, LDAP, HTTP, FTP, TFTP, SNMP, SMTP, POP3, IMAP4, SMB
                                             6 Presentation
                                             5 Session
Transport (Host-to-host)                     4 Transport      TCP, UDP
Internet                                     3 Network        IPv4, IPv6, ARP, IGMP, ICMP, IPSec, RIP, OSPF
Link (Network Interface or Network Access)   2 Data Link      Ethernet, Wi-Fi
                                             1 Physical

WIRELESS INFRASTRUCTURE OVERVIEW

Wireless Client - Wireless Medium - Access Point - Wired Medium - Wired Bridge/Switch - Wired Medium - Access Point - Wireless Medium - Wireless Client

WIRELESS COMMUNICATION LAYERS – OSI LAYERS

[Figure: layer stacks labelled IPv4, IPv6 and Wireless]

Wireless Tools operate at
OSI layers 1 and 2

SPECTRUM ANALYZERS – OSI LAYER 1
OSI LAYER 2 - DISCOVERY / SCANNING

AP Discovery: Active Scanning, Passive Scanning

[Figure: access points broadcasting beacons]

Beacon: Status and capability information that is broadcast at a scheduled interval

Probe Request: A request from a client for most of the same AP information that is found in a beacon

Probe Response: A response from the AP to a client that sent a correct probe request
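
The beacon contents described above can be read straight from the frame bytes. The following is an added example, not part of the original slides: it parses a beacon's interval, capability bits and tagged elements, then applies two checks a monitoring sensor could raise. The `AUTHORISED` inventory, the SSID `CorpWiFi` and the MAC addresses are assumptions constructed for the example.

```python
import struct

# Assumption for this example: the site's inventory of authorised SSIDs and BSSIDs.
AUTHORISED = {"CorpWiFi": {"00:11:22:33:44:55"}}

def build_beacon(bssid, ssid, channel, caps, rsn=False):
    """Build a sample beacon frame (constructed test data, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, caps)  # timestamp, interval (TU), capability
    name = ssid.encode()
    ies = bytes([0, len(name)]) + name + bytes([3, 1, channel])
    if rsn:
        ies += bytes([48, 2, 1, 0])  # minimal RSN element (version 1)
    return hdr + fixed + ies

def parse_beacon(frame):
    """Parse a beacon given from the 802.11 MAC header onward (no radiotap, no FCS)."""
    if len(frame) < 36 or (frame[0] >> 2) & 0x3 != 0 or frame[0] >> 4 != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    _ts, interval, caps = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": frame[16:22].hex(":"), "interval_tu": interval,
            "privacy": bool(caps & 0x0010), "ssid": None, "channel": None, "rsn": False}
    pos = 36
    while pos + 2 <= len(frame):  # tagged elements: id, length, value
        eid, elen = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + elen]
        if len(val) < elen:
            break  # truncated element, stop rather than misread
        if eid == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:
            info["channel"] = val[0]
        elif eid == 48:
            info["rsn"] = True
        pos += 2 + elen
    return info

def assess(info):
    """Return findings a monitoring sensor could raise for one beacon."""
    findings = []
    known = AUTHORISED.get(info["ssid"])
    if known is not None and info["bssid"] not in known:
        findings.append("authorised SSID from unknown BSSID (possible evil twin)")
    if not info["privacy"]:
        findings.append("open network (privacy bit clear)")
    elif not info["rsn"]:
        findings.append("no RSN element (WEP or WPA only)")
    return findings
```
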
OSI LAYER 2 - WLAN PROTOCOL ANALYZERS
OSI LAYER 1 AND 2 - RF SITE SURVEYS AND MONITORING
WIRELESS INFRASTRUCTURE AND NETWORK ACCESS CONTROL (NAC)

[Diagram: NAC Endpoint, WLAN Controller, NAC Appliance, RADIUS, Directory Services; flows: WPA/WPA2 network authentication, NAC posture assessment and response]

• Ensures all appropriate policies and security mechanisms are met by endpoints
• Policies are applied to enforce security on a network
• Includes requirements like antivirus software version and scans, OS updates, security patches, firewalls, user restrictions, etc.
• Authentication & Authorization
• Posture Assessment
• Quarantine
• Remediation

ENTERPRISE WIPS TOPOLOGY
(WIRELESS INTRUSION PREVENTION SYSTEMS)

WIPS Console WIPS Server

WIPS Sensors WIPS Sensors


Wireless operates at Layer 1 and 2,
why bother about IPv4 and IPv6 ?

IPV4 AND IPV6 RELATIONS TO WIRELESS INFRASTRUCTURES

• Wireless Access Points (AP) are layer 2 devices, but require an IP address to reach a wireless LAN or cloud controller for management purposes. The wired side requires dual stack or NAT (Network Address Translation) features. The same applies to Wireless Routers (Layer 3). Both can set up a tunnel to centralised management devices.

• Wireless LAN and Cloud controllers and Wireless Network Management Systems require a dual stack to support adoption of the wireless access points and secure communications between them via secure tunnels

• Wireless Sensors (Access Points in “listening” mode) require a dual stack

• Wireless Intrusion Detection/Prevention Systems (WIDPS) require a dual stack

IPV4 AND IPV6 RELATIONS TO WIRELESS INFRASTRUCTURES

Network related services:

• DHCPv6 (Dynamic Host Configuration Protocol) to support IPv6 addressing, issuing IP addresses to Access Points and Sensors (e.g. large wireless network deployments), for stateless and stateful auto-configuration (IETF RFC 3315, 3319, 3633, 3646, 3736, 5007, 6221)
• ICMPv6 - Internet Control Message Protocol version 6 (IETF RFC 4443)
• Mobile IPv6 or MIPv6 (IETF RFC 6275) to allow mobile device users to move from one network to another while maintaining a permanent IP address
• DNS extensions (IETF RFC 3596, 3901, 4472)
• Routing extensions (IETF RFC 6564) (because of IEEE 802.11ac and 802.11n distributed forwarding designs)
• Enterprise class environments require RADIUS (Remote Access Dial-in User Services) and related options to include IPv6 addressing
• LDAP (Lightweight Directory Access Protocol)

Wireless Security Risks

WIRELESS SECURITY RISKS

• Exponential increase of wireless networks (WISP, Hotspot, Corporate/Home, Neighbours, Ad-Hoc, Direct) and many end-user devices
• Wireless is an extension of the wired network, but wireless propagation goes further than you think
• Different types of devices on the network, each having their own security settings (and limitations)
• Many (wireless) freeware tools on the internet to “hack” the network
• Lack of end-user awareness of how wireless communications work
• Policy creation (if any) and enforcement

WIRELESS SECURITY RISKS

• Default configurations of wireless equipment
• Limited end-point security
• Unauthorized implementations of wireless networks (e.g. contractors, employees setting up their own wireless networks), “Tethering”
• End users not familiar with corporate use policy and with limited knowledge of how to recognize / enforce security
• Lack of 24x7 wireless security monitoring and reporting
• No standardization on wireless design and wireless security, but in progress with WiFi industry experts

WIRELESS SECURITY RISKS - AVIATION

• Airline and agreements with telecom providers
• Mobile hotspot with wrong SSID delayed an airplane in Australia (2nd of May 2016)
• Software Defined Radios (SDR): how many radios are on an airplane?
  • Boeing 737 – passengers
  • A380 – passengers with mobile phones (Cellular, WiFi)
• No standardization on policies
  • Some airlines allow mobile devices continuously, some airlines don’t allow it, but there is no policy enforcement

WIFI – EXAMPLE OF WIRELESS SECURITY ISSUES

[Diagram: threats around an enterprise network (Internet, Intranet, Server, AP, Desktop, Laptop, Mobile User): Hotspot Phishing, Hotspot Evil Twin, Rogue APs, Non-Compliant APs, Municipal Wi-Fi, Hacker, Leaking Wired Traffic & Insertion]

WIFI - WIRELESS VULNERABILITIES

Type                     Attacks
Reconnaissance           • Rogue APs
                         • Open/Misconfigured APs
                         • Ad Hoc stations
Sniffing/Eavesdropping   • WEP, WPA, LEAP cracking
                         • Dictionary attacks / Brute Force / Rainbow Tables
                         • Leaky APs
Masquerade               • MAC spoofing
                         • HotSpot attacks
                         • Evil Twin / Wi-Phishing attacks
Insertion                • Multicast / Broadcast injection
                         • Routing cache poisoning
                         • Man in the Middle attacks (MITM)
Denial-of-Service        • Disassociation
                         • Duration field spoofing
                         • RF jamming

MOBILE – EXAMPLE OF WIRELESS SECURITY ISSUES

Vulnerabilities:
• IMEI
• BTS – BSC
• HLR
• VLR

[Diagram labels: International Mobile Subscriber Identity, Visitor Location Register, Home Location Register, Base Transceiver Station, Mobile Station Controller, Base Station Controller, International Mobile Station Equipment Identity]

MOBILE - WIRELESS VULNERABILITIES
Type                     Attacks
Reconnaissance           • Baseband Fuzzing (Rogue BTS)
Sniffing/Eavesdropping   • (Telco’s Protocol Analysers?)
Masquerade               • IMEI spoofing (using MTK/SDK boards)
Insertion                • IMSI Detach, send multiple Location Update Requests including spoofed IMSI.
                           Prevent SIM from receiving calls and SMS (only backend HLR is off), but still can call and SMS
Denial-of-Service        • Request Channel Allocation (Flood BTS and possible BSC)
                         • RF jamming
                         • IMSI Flood (pre-authentication) and overload HLR/VLR
                         • IMSI Detach also disconnects user

MOBILE DEVICE SECURITY
• iPhone/iPad/iPod
• Android
• Blackberry
• Windows phone

• Tethering / Hotspot using a mobile phone
  • Termination by service providers
  • Case: hotel USD 600.000 fine by FCC and public council WiFi provider USD 750.000 fine by FCC

• Naming of hotspots
  • http://mashable.com/2016/05/02/qantas-wifi-scare/#P9g.PDs.IGqX

OTHER WIRELESS SECURITY RISKS
• Bluetooth
  • Virus / Worms / Malware
  • Listening to phone calls (headset) or car audio systems
  • Changing languages (“DoS”)
  • Car Hacking via Bluetooth (Controlling the car)
• NFC (Near Field Communication)
  • Credit Cards with NFC communication
  • Transportation cards (“Bus”, “Train”)
  • Toll gates using wireless cards
  • Hotel Key cards
• ZigBee
  • Home Automation equipment
  • Floor Controllers
  • Thermostats

20 March 2014
Snoopy - Drone can steal what's on your phone via WiFi
(kind of a HoneyPot attack)
The research will be presented at the Black Hat Asia cybersecurity conference in
Singapore 25-28 March 2014

http://money.cnn.com/2014/03/20/technology/security/drone-phone/

http://ht3.cdn.turner.com/money/big/technology/2014/03/20/t-drone-steals-phone-info.cnnmoney_620x348_dl.flv

WiFi Security measures Demo

Live Demonstration

Wireless Security and protection using a Wireless Intrusion Prevention System

Disclaimer
All demonstrations are done in compliance with the laws in Thailand (Thai Computer Crime Misuse Act)

Demonstration:
1. What is Radio Frequency (RF) WiFi?
2. DoS – Denial of Service attacks
3. Evil Twin and impersonation attacks
4. Rogue clients and Rogue Access Points (AP) mitigation techniques
5. WiFi Forensic analysis
6. 24x7 Wireless Security Compliance reporting

Education – Standardization in the organisation
by having certified personnel who understand the wireless
security risks and use the same terminology.
Skilled wireless professionals Customer
Certified Sales Person Certified Wireless & Cabling Certified Wireless Auditor
Customer Selling Wireless installers and the right wireless +
cabling measurement tools

Certified Wireless Support teams
Certified Wireless Trainer
Certified Wireless Professionals & Customer
Certified Wireless Designer and Technical Specialist

Standardization

Wireless Service Management System (WSMS) aligned with ISO/IEC 20000 ITSMS standard

Wireless Service Security Management System (WSSMS) aligned with ISO/IEC 27001 ISMS standard

Note: Wireless = Mobile/Cellular, WiFi and indoor/outdoor mission/business critical wireless technologies

End of Session