Securing Mobile Services Miguel Ponce de Leon, John Ronan, Jimmy McGibney Telecommunications Software & Systems Group Waterford Institute of Technology Ireland [email_address] Security for the pervasive computing world

Contents Threats to Mobile Networks & Services SEINIT approach Building a “smart” wireless access point Embedded intrusion detection & honeypot

Threats to Mobile Networks & Services

SEINIT approach

Building a “smart” wireless access point

Embedded intrusion detection & honeypot

Security – a difficult problem Internet access is easy and cheap (and fairly anonymous) Lack of policy and implementation of policy Complexity & Scale of systems Technology weaknesses Tendency to develop first & add security afterwards Domination by small number of OSs & apps Find a Windows bug and you have millions of sitting targets Rapid dissemination of exploits among attackers Lack of education of users User mobility Hard to verify security "If it is provably secure, it is probably not“ , L.R. Knudsen

Internet access is easy and cheap (and fairly anonymous)

Lack of policy and implementation of policy

Complexity & Scale of systems

Technology weaknesses

Tendency to develop first & add security afterwards

Domination by small number of OSs & apps

Find a Windows bug and you have millions of sitting targets

Rapid dissemination of exploits among attackers

Lack of education of users

User mobility

Hard to verify security

"If it is provably secure, it is probably not“ , L.R. Knudsen

m-Government Security Very strong requirements for: Privacy Anonymity (in some cases) Authentication Integrity Availability (critical infrastructures…) As well as: Usability Ubiquity Low cost (for citizens) Verification & audit Diverse & “lowest common denominator” technology on user side

Very strong requirements for:

Privacy

Anonymity (in some cases)

Authentication

Integrity

Availability (critical infrastructures…)

As well as:

Usability

Ubiquity

Low cost (for citizens)

Verification & audit

Diverse & “lowest common denominator” technology on user side

General threats & vulnerabilities OS vulnerabilities Application vulnerabilities Protocol weaknesses Sniffing on network Keystroke logging Password cracking Malware – viruses, worms, Trojan horses Social Engineering Non-technological Loss of key personnel, loss of power, lightning, fire, flood, software bugs, vendor bankruptcy, labour unrest, …

OS vulnerabilities

Application vulnerabilities

Protocol weaknesses

Sniffing on network

Keystroke logging

Password cracking

Malware – viruses, worms, Trojan horses

Social Engineering

Non-technological

Loss of key personnel, loss of power, lightning, fire, flood, software bugs, vendor bankruptcy, labour unrest, …

Eavesdropping by a third party Electromagnetic spectrum is available to all Often weak or no encryption Bogus user Poor user authentication with WiFi; SIM cloning; stolen phones Bogus network Base station or access point presenting itself as network to the user, for example to collect user data Denial of service Deliberate jamming of wireless signal Or unintentionally – network congestion, large congregations of users (e.g. at sports event), large downloads hogging bandwidth, etc. Specific Threats to Mobile Services

Eavesdropping by a third party

Electromagnetic spectrum is available to all

Often weak or no encryption

Bogus user

Poor user authentication with WiFi; SIM cloning; stolen phones

Bogus network

Base station or access point presenting itself as network to the user, for example to collect user data

Denial of service

Deliberate jamming of wireless signal

Or unintentionally – network congestion, large congregations of users (e.g. at sports event), large downloads hogging bandwidth, etc.

See www.worldwidewardrive.org Results: 228,537 access points found 82,755 (35%) with default SSID 140,890 (60%) with open system authentication (no key needed) 62,859 (28%) with both – i.e. no security Worldwide War Drive 2004

See www.worldwidewardrive.org

Results:

228,537 access points found

82,755 (35%) with default SSID

140,890 (60%) with open system authentication (no key needed)

62,859 (28%) with both – i.e. no security

Some tips for wireless LAN security Treat wireless as untrusted Similar to public Internet Firewall, etc, between WLAN and rest of network Use higher-layer security e.g. VPN from station to Internet Check for unauthorised access points Audit authorised access points Make difficult to access from outside Use directional antenna to “point” radio signal Protect stations using personal firewalls and intrusion detection

Treat wireless as untrusted

Similar to public Internet

Firewall, etc, between WLAN and rest of network

Use higher-layer security

e.g. VPN from station to Internet

Check for unauthorised access points

Audit authorised access points

Make difficult to access from outside

Use directional antenna to “point” radio signal

Protect stations using personal firewalls and intrusion detection

SEINIT Project S ecurity E xpert Init iative European Union 6 th Framework IST Programme Objective: “Provide a trusted and dependable security framework, ubiquitous , working across multiple devices , heterogeneous networks, organisation independent and centred around an end-user ” Security for the pervasive computing world

S ecurity E xpert Init iative

European Union 6 th Framework IST Programme

Objective: “Provide a trusted and dependable security framework, ubiquitous , working across multiple devices , heterogeneous networks, organisation independent and centred around an end-user ”

SEINIT: conceptual approach Virtualisation of security mGovernment => Government “virtually” anywhere How to secure virtual entities? services, etc, that are user centred devices and network almost irrelevant } Classical security just looks at these layers

Virtualisation of security

mGovernment => Government “virtually” anywhere

How to secure virtual entities?

services, etc, that are user centred

devices and network almost irrelevant

SEINIT: conceptual approach Space / Geography Instantiation Time UMTS Internet Wi-Fi Bluetooth Interface Interface Interface Virtual Virtual Logical Logical Logical

SEINIT: conceptual approach Infosphere Digital space linked more to individual or organisation than to devices or infrastructure Not necessarily under control of user Virtual Security Domain Controlled by individual or organisation Logical Infospheres Security Domains Alice’s personal data Cybercafe Alice’s office Alice’s Bank Alice’s ISP Alice’s Telecom operator Software company – e.g. Microsoft

Infosphere

Digital space linked more to individual or organisation than to devices or infrastructure

Not necessarily under control of user

Virtual

Security Domain

Controlled by individual or organisation

Logical

SEINIT: conceptual approach “ Ambience” discovery To secure mobile, virtual world, context is everything Threat level may depend on: Location Environment (neighbours, etc) Real-time threats IDS & Honeypots provide part of this

“ Ambience” discovery

To secure mobile, virtual world, context is everything

Threat level may depend on:

Location

Environment (neighbours, etc)

Real-time threats

IDS & Honeypots provide part of this

Embedding IDS and Dynamic Honeypot capabilities on a WLAN Access Point SEINIT work in progress

Embedding IDS and Dynamic Honeypot capabilities on a WLAN Access Point

Monitors activity on host or network & raises alerts Rules-based detection (most common) Based on known attacks Statistical anomaly detection Tends to produce too many false alarms Intrusion Detection System (IDS)

Monitors activity on host or network & raises alerts

Rules-based detection (most common)

Based on known attacks

Statistical anomaly detection

Tends to produce too many false alarms

Definition “ A resource whose value lies in being probed, attacked or compromised” System or component with no real-world value, set up to lure attackers By definition, all activity on a honeypot is highly suspect Can catch new attacks Few false alarms Honeypot

Definition

“ A resource whose value lies in being probed, attacked or compromised”

System or component with no real-world value, set up to lure attackers

By definition, all activity on a honeypot is highly suspect

Can catch new attacks

Few false alarms

Common components Data collection Analysis and decision algorithm Action module Main differences Honeypot must be used to be effective IDS operate continuously on the data flow They are complementary: IDS can provide information even if the honeypot is not the target of attacks . When used the honeypot provides more accurate and valuable information. Combining IDS and Honeypots

Common components

Data collection

Analysis and decision algorithm

Action module

Main differences

Honeypot must be used to be effective

IDS operate continuously on the data flow

They are complementary:

IDS can provide information even if the honeypot is not the target of attacks .

When used the honeypot provides more accurate and valuable information.

Collaboration and “reputation”

A network of collaborative access points Exchange security information through a common vehicle Compute a “level of trust” for each host Collaboration and “reputation”

A network of collaborative access points

Exchange security information through a common vehicle

Compute a “level of trust” for each host

Sensors Alert Analysis Action engine Collaboration Data control Architecture 5 main components

Sensors

Alert Analysis

Action engine

Collaboration

Data control

Sensors Collect the data needed to detect malicious activity and provide low-level alerts for aggregation and correlation . Architecture 5 main components

Sensors

Collect the data needed to detect malicious activity and provide low-level alerts for aggregation and correlation .

Architecture 5 main components Alert Analysis Engine Performs a high degree of correlation of various alerts (from sensors and other APs) in order to manage a level of trust for each host.

Alert Analysis Engine

Performs a high degree of correlation of various alerts (from sensors and other APs) in order to manage a level of trust for each host.

Architecture 5 main components Action Engine Manages various actions from sending an alert to triggering a new rule in a firewall. Plugins framework to manage various actions.

Action Engine

Manages various actions from sending an alert to triggering a new rule in a firewall. Plugins framework to manage various actions.

Architecture 5 main components Collaboration Engine Responsible for collaboration with other APs, including AP authentication, etc.

Collaboration Engine

Responsible for collaboration with other APs, including AP authentication, etc.

Architecture 5 main components Data Control Protects AP against threats (DoS, intrusion, IDS evasion, …).

Data Control

Protects AP against threats (DoS, intrusion, IDS evasion, …).

CqureAP a 802.11 wireless AP that runs on linux Prelude-IDS Our core framework: an hybrid IDS Snort Used as a nids and a wireless sensor Honeyd Used to provide various honeypot services Implementation Use available components

CqureAP

a 802.11 wireless AP that runs on linux

Prelude-IDS

Our core framework: an hybrid IDS

Snort

Used as a nids and a wireless sensor

Honeyd

Used to provide various honeypot services

SEINIT: other activities Trials of Mobile IPv6 Concept of return routeability IPv6 address autoconfiguration To provide privacy (avoid having static IP address derived from MAC) Cryptographically Generated Addresses (CGA) Secure association of IPv6 address with a public key Extensible Authentication Protocol (EAP) Flexible authentication framework running on top of link layer Protocol for Carrying Authentication and Network Access (PANA) Link layer agnostic transport for EAP authentication info DNSsec Secure DNS

Trials of

Mobile IPv6

Concept of return routeability

IPv6 address autoconfiguration

To provide privacy (avoid having static IP address derived from MAC)

Cryptographically Generated Addresses (CGA)

Secure association of IPv6 address with a public key

Extensible Authentication Protocol (EAP)

Flexible authentication framework running on top of link layer

Protocol for Carrying Authentication and Network Access (PANA)

Link layer agnostic transport for EAP authentication info

DNSsec

Secure DNS