SlideShare a Scribd company logo
1 of 69
W hy
                       i OS (Android & others)
                       F ail
                       i nexplicably?

                               Raúl Siles
                               raul@taddong.com
w w w.t a d d o n g . c o m    March 9, 2013
@taddong
Wi-Fi Challenges Today?




Copyright © 2013 Taddong S.L.                1
Outline




                                                                       Pen-test:
• Wi-Fi ((mobile) client) security
• Wi-Fi mobile clients behavior & The PNL




                                                                       Mapping
      – iOS recent Wi-Fi updates
• Wi-Fi network impersonation




                                                                       Exploitation
      – Attacking Wi-Fi (personal) clients
      – Attacking Wi-Fi enterprise clients
• Post-MitM Wi-Fi exploitation




                                                                       Post-…
• Conclusions & References
    Mainly iOS & Android (+90% market share Feb’2013), but others...
Copyright © 2013 Taddong S.L.                                                         2
Wi-Fi Security
              State-of-the-Art During the Last Decade (or More…)
                                                           PTW
                                                        (< 60 secs)
                                                        2007-04-01
                                  •WPA-PSK                     •WEP cloacking
                                  •Sophisticated               •WPA(2)-PSK cracking
                                  attack tools                 improvements           EAP
                                  •WEP chop-chop               •TKIP chop-chop attack fingerprinting
                                                               •TKIP QoS (WMM) DoS
                    Attack tools             Defcon 13: WiFi                               MS-CHAPv2
                   improvements              Shootout                 Cloud WPA(2)-PSK
                                                                      cracking services     cracking
                                   LEAP                                                   WPS
            Early WEP             attacks            Client                 WPA2 Hole     PIN
802.11a      attacks                                attacks                   196
802.11b


 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

                         Target: Wi-Fi Infrastructure vs. Wi-Fi Clients
  Copyright © 2013 Taddong S.L.                                                                        3
Wi-Fi Clients Security
                                                              My last Wi-Fi presentation was
                                                              in late 2010, so… what has
                                                              changed after 2.5 years?…
                                                                  •Firesheep
                                                                  •Airpwn-MSF
                                                                  •AP-less WPA(2)-
                                               Wi-Fi driver       PSK cracking
                                                fuzzing &
                                               exploitation
                                                                            MS-CHAPv2
                                                 •Caffe-Latte (WEP)          cracking
                                       Karma     •Anonymity attacks
                                            Client             •ippon                DoS
802.11a                                    attacks            •sslstrip
                                  airpwn                                             (CVE-2012-2619)
802.11b


 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

       “Wi-Fi (In)Security” (Raul Siles, GOVCERT & CCN-CERT, Nov 2010)
  Copyright © 2013 Taddong S.L.                                                                        4
Wi-Fi Mobile Clients Behavior


Copyright © 2013 Taddong S.L.       5
How Wi-Fi Clients Work?
• Users connect to Wi-Fi networks by…
      1. Selecting them from the list of currently
         available networks in the area of coverage
      2. Adding them manually to the Wi-Fi client
• Security settings are mandatory (if any)
      – Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise
• Networks are remembered and stored for
  future connections: list of known networks
                                The Preferred Network List (PNL)
Copyright © 2013 Taddong S.L.                                      6
Mobile Clients Standard Behavior to
       Connect to Wi-Fi Networks
• Automatically connect to known Wi-Fi networks
      – Cannot be disabled or configured per network easily
             • E.g. iOS configuration profile (if “Auto join” is disabled)
• If multiple known Wi-Fi networks are available…
      –    iOS connects to the last-used network
      –    Android: supplicant, driver, API… (e.g. Wi-Fi Ruler)
      –    Windows Phone: signal strength?
      –    BlackBerry: priority based on the list order (PNL)
• Network identification is based on…
      – SSID (network name) and security settings
Copyright © 2013 Taddong S.L.                                                7
What Type of Network Are You Connecting To?
         Find the diffs…




                                • Add the network manually to be
                                  able to verify and set all the
                                  security settings, but…
                                   It has a lock, so it must be secure! 
Copyright © 2013 Taddong S.L.                                               8
Steve Jobs’ (Apple) Minimalism




Copyright © 2013 Taddong S.L.           9
Managing the PNL in Mobile Clients
• Why the user cannot manually select the priority
  for each network in the PNL? (except in BB)
      – As in the traditional clients (e.g. Windows 7 & 8)
• Can the user view the list of known networks?
• Can the user manage (add, delete, edit…) the list
  of known networks?
             •   Android 4.x (from the live network list – turn on Wi-Fi first)
             •   BlackBerry 7.x (“Saved Wi-Fi Networks”)
             •   Windows Phone 7.x & 8.x (“Advanced – Known networks”)
             •   iOS minimalism…


Copyright © 2013 Taddong S.L.                                                     10
Managing the PNL in iOS
                             Reality
• Wi-Fi networks are easily added to the PNL…
      – … but cannot be easily removed from the PNL
• “Forget this Network” is only available when
  the Wi-Fi network is in range
      – User needs to be in the area of
        coverage of the Wi-Fi network
             • WTF (Without Traveling Faraway)
                    – Good excuse to travel for business reasons: “I have to improve
                      the security of our Wi-Fi network and mobile devices…”
          There is even a CVE-2011-4003 (check my preso from 2010)
Copyright © 2013 Taddong S.L.             (http://www.logicallysecure.com/about/apple-ios-wireless-advisory/)   11
Managing the PNL in iOS
                            Solutions
• We thought about publishing a new iOS app
      – Show PNL entries
             • SSID, BSSID, security, hidden, channel, current network…
      – Manage the PNL (add, delete, edit… entries)
• iOS SDK API
      – Apple removed from AppStore all stumbler-like apps (in 2010)
      – Public API: “You can only get the SSID of the network your
        device is currently connected to” 
      – Private API: Apple80211 framework –> MobileWiFi framework
• Jailbroken devices (Cydia):
      – “WiFi Passwords”: View networks and passwords in the PNL
      – “NetworkKnowledge” ($0.99): Delete networks in the PNL
      – /private/var/Keychains/keychain-2.db
             • Only SSID and password (not for open networks)
Copyright © 2013 Taddong S.L.                                             12
Managing the PNL in iOS
                             iStupid
• iStupid (v0.9)
      – indescreet SSID Tool (for the) Unknown PNL (on) iOS
        Devices
• Generates beacons frames for one or multiple
  SSIDS (dictionary and brute force - future)
      – Multiple configuration options
             • Canal, SSID, BSSID, interval, rates, security settings…
• Allows to select the security settings
      – Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise
             • WPA or WPA2 & TKIP or AES-CCMP (not relevant for iOS)
      – Loop

Copyright © 2013 Taddong S.L.                                            13
iStupid in Action




Copyright © 2013 Taddong S.L.                       14
Disclosing the PNL for Free
• Hidden Wi-Fi networks (cloaked or non-broadcast)
      – Still today a very common security best practice…
      – … with relevant security implications for the Wi-Fi clients
      – Beacon frames do not contain the SSID (empty)
• Visible (or broadcast) Wi-Fi networks include the SSID in
  their beacon frames
      – Wi-Fi clients need to know the SSID to connect to the network
• So how Wi-Fi clients connect to hidden Wi-Fi networks?
      – Wi-Fi clients have various networks (SSIDs) in their PNL
• Wi-Fi clients have to specifically ask for the hidden Wi-Fi
  networks in their PNL by sending probe requests containing
  the SSID
   – As a result they disclose their PNL !!
PNL was disclosed by Wi-Fi client in the past (2005; Win XP fix in 2007)
Copyright © 2013 Taddong S.L.                                              15
Do Mobile Devices Disclose the PNL?
• Always (not in Windows Phone 7.x or 8)
      – Windows Mobile 6.5 (TAD-2010-003)                                  TAKE 1

• When networks are manually added (hidden)
      – Android 2.x – 4.x (TAD-2011-003) Not Fixed Yet
      – iOS ?.x – 6.x (TAD-2013-001) NEW
      – BlackBerry 7.x (TAD-2013-002) NEW
             • Can be changed afterwards through advanced settings:
• Why there is no option to indicate if a network in
  the PNL is hidden or not? (except in BB)
      – As in the traditional clients           (e.g. Windows XP-8)
           “That’s one small step for a user, a giant leap for security”
Copyright © 2013 Taddong S.L.                                                   16
Security Risks of Disclosing the PNL
• An attacker can impersonate
  the various Wi-Fi networks
  in the PNL
      – Different methods based on
        the security settings
• People didn’t pay enough
  attention to this…
      – … because there was no
        name for it!

    War Standing or War “Statuing” (Statue)
Copyright © 2013 Taddong S.L.                 17
War Standing Risks




Copyright © 2013 Taddong S.L.                    18
Tools for War Standing Activities
• Significant limitations on current Wi-Fi security,
  hacking, and pen-testing tools
      – Network or AP focused
      – Very limited client details
• Examples
      – Kismet(-ng)
             • Probe Networks
             • Autogroup Probe
      – Airodump-ng
             • Look at the bottom, if you can…
      – Stumbler-like tools ignore clients…
           (wlan.fc.type_subtype == 0x04) && !(wlan_mgt.ssid == "")
Copyright © 2013 Taddong S.L.                                         19
“Faltan las Palabras”


       problemón                 m. Un problema relevante o de notable
                                     importancia.

       probremón                 m. Un problema relevante o de notable
                                     importancia, que se repite a lo largo del
                                     tiempo.
             probremon.py
              – probe                                            “Yo propongo…”
              – request
              – monitor
                                La letra pequeña (Luis Piedrahita)
Copyright © 2013 Taddong S.L.        (http://www.antena3.com/programas/el-hormiguero/secciones/faltan-palabras/)   20
probremon.py




Ask the Tarasco Bro’s (Tarlogic) for GUI: “Wireless Auditing Framework”
Copyright © 2013 Taddong S.L.                                             21
SSID Selection & Contradictions
• Change the default SSID and select a unique one
      – WPA cracking
             • PMK = PBKDF2(PSK, SSID + length, 4096 hmac-sha1)
      – AP impersonation
             • Avoid guessing, dictionary, or brute force attacks on SSID
                    – Top SSIDs, Top Wi-Fi Hotspots, WiGLE…
• Identifying a unique (set of) SSID(s) allows…
      – Associate network name to location (WiGLE…)
      – Anonymity attacks (personal privacy implications)
      – Targeted attacks (unique client fingerprint)

Copyright © 2013 Taddong S.L.                                               22
Wi-Fi PNL Conclusions
• Vendors do not read Taddong’s Security Blog
      – Adding Wi-Fi networks manually == hidden network
• Why don’t why make hidden Wi-Fi networks
  disappear in 802.11_ technologies?
• AP shouldn’t provide an option to configure the
  Wi-Fi network as hidden
• Wi-Fi clients should never allow users to add a
  Wi-Fi network as hidden
      – No need then to have an option to indicate if a
        network in the PNL is hidden or not (minimalism)
                  Wi-Fi clients would not disclose their PNL... Right?
Copyright © 2013 Taddong S.L.                                            23
Do Mobile Devices Disclose the PNL?

                                                                     TAKE 2




                                                  iStupid




                       Difficult to consistently reproduce them… 
Copyright © 2013 Taddong S.L.                                             24
The full PNL of iOS is disclosed in iOS 5.x & ?.x (sometimes…)

    iOS Recent Wi-Fi Updates: Analysis


Copyright © 2013 Taddong S.L.                                        25
iOS 6 & 6.0.1
     Software (SW) vs. Security (SE) Updates
• iOS 6: (Sep 19, 2012)
      – SW: http://support.apple.com/kb/DL1578
      – SE: http://support.apple.com/kb/HT5503
             • 197 security fixes
                    – Wi-Fi: iOS discloses MAC of hosts of previous networks (DNAv4)

• iOS 6.0.1: (Nov 1, 2012)
      – SW: http://support.apple.com/kb/DL1606
             • “Improves reliability of iPhone 5 and iPod touch (5th
               generation) when connected to encrypted WPA2 Wi-Fi nets”
      – SE: http://support.apple.com/kb/HT5567 (4 CVEs)
Copyright © 2013 Taddong S.L.                                                          26
iOS 6.0.2 (Dec 18, 2012)
• SW: http://support.apple.com/kb/DL1621




                                “Fixes a bug.”
                                Security Update?
Forums speculations:
“iOS prioritizing open networks over secure networks…”
         http://blog.taddong.com/2013/01/apples-skimpy-software-
                               update.html
Copyright © 2013 Taddong S.L.                                      27
iOS 6.1
• iOS 6.1: (Jan 28, 2013)
      – SW: http://support.apple.com/kb/DL1624
      – SE: http://support.apple.com/kb/HT5642
             • 27 CVEs + root CA’s updates
             • CVE-2012-2619: “A remote attacker on the same WiFi
               network may be able to temporarily disable WiFi”
             • DoS condition (CVE-2012-2619 )
                    – October 2012 (Ekoparty - CoreLabs)
                    – Broadcom Wi-Fi chipsets (iOS and others)
                    – iPad 1 (iOS 5.1.1)


Copyright © 2013 Taddong S.L.                                       28
iOS 6.1.1 (Feb 11, 2013)
• SW: http://support.apple.com/kb/DL1631




                                        Security Update?

                            http://support.apple.com/kb/HT1222
Copyright © 2013 Taddong S.L.                                    29
HT1222 up to iOS 6.1.2




   Apple consistent and uniform updates are something from the past
Copyright © 2013 Taddong S.L.                                         30
Conclusions




                 Apple

Copyright © 2013 Taddong S.L.                 31
Wi-Fi Network Impersonation
    (MitM)

Copyright © 2013 Taddong S.L.     32
Attacker’s Main Goal
• When some entries in the PNL are disclosed by Wi-Fi
  clients…
• … force the victims to (silently) connect to the
  attacker’s Wi-Fi network (Karma-like attacks)
      – AP impersonation (or fake AP): anywhere in the world
      – Evil-twin: area of coverage of the legitimate network
             • Strongest signal wins (or less battery drawing network)
• Prerequisites
      – Open: None
      – WEP & WPA(2)-PSK: Pre-shared key
      – WPA(2)-Enterprise: Certificates or… none
             • Additionally you can obtain valid user credentials


Copyright © 2013 Taddong S.L.                                            33
Attacking Wi-Fi (Personal) Clients


Copyright © 2013 Taddong S.L.            34
Attacking Wi-Fi Clients                        A book in Spanish
                                                                      is coming soon…

• Create a fake AP using airbase-ng
      – Impersonate the legitimate network
             • SSID & security settings
             • Obtain the pre-shared key
      – Setup full network connectivity & MitM
• “BackTrack 5 Wireless Penetration Testing
  Beginner’s Guide” (Vivek Ramachandran)
      – Chapter 6: “Attacking the Client” (2011-09)
             • http://www.packtpub.com/article/backtrack-5-attacking-the-client

 http://www.packtpub.com/backtrack-5-wireless-penetration-testing-
             beginners-guide/book (Sample Chapter: 6)
Copyright © 2013 Taddong S.L.                                                        35
Attacking Wi-Fi Clients: Open




         “I never, ever, connect to an open Wi-Fi network!” Right? 
Copyright © 2013 Taddong S.L.                                          36
Attacking Wi-Fi Clients: WEP
 • Caffe Latte (ToorCon 2007)
       – Broadcast ARP request & flip bits & ICV
              • http://www.aircrack-ng.org/doku.php?id=airbase-ng#how_does_the_caffe_latte_attack_work

# airbase-ng -c 1 -a 00:01:02:0a:0b:0c -e “Taddong" -W 1 -L mon0
# airodump-ng -c 1 --bssid 00:01:02:0a:0b:0c --write CaffeLatte mon0


 • Hirte (2008)
       – Fragmentation attack
              • http://www.aircrack-ng.org/doku.php?id=airbase-ng#how_does_the_hirte_attack_work

# airbase-ng -c 1 -a 00:01:02:0a:0b:0c -e “Taddong" -W 1 -N mon0
# airodump-ng -c 1 --bssid 00:01:02:0a:0b:0c --write Hirte mon0

                                 Strength of WEP key is irrelevant
 Copyright © 2013 Taddong S.L.                                                                           37
Attacking Wi-Fi Clients: WPA(2)-PSK
• AP-less WPA(2)-PSK
  cracking
      – Out of the range of
        the target network
      – Only requires the
        first two frames of
        the 4-way WPA(2) handshake
             • E.g. cowpatty (+v4.5): “-2”
                 • http://www.willhackforsushi.com/?p=284
       PMK = PBKDF2(PSK, SSID + length, 4096 hmac-sha1)
       PTK = PRF-512(PMK, text, AP@, STA@, anonce, snonce)
Copyright © 2013 Taddong S.L.                                38
airbase-ng
• airbase-ng
      – http://www.aircrack-ng.org/doku.php?id=airbase-ng
      – WEP (-W1): set the privacy bit
             • SKA: Shared Key Authentication (-s)
      – WPA (-z) & WPA2 (-Z)
      – TKIP (2) & AES (4)
             •   WPA/TKIP (-z 2)
             •   WPA/AES (-z 4)
             •   WPA2/TKIP (-Z 2)
             •   WPA2/AES (-Z 4)
                 Strength of the WPA(2) PSK – 63 random characters
Copyright © 2013 Taddong S.L.                                        39
Attacking Wi-Fi Enterprise Clients


Copyright © 2013 Taddong S.L.            40
Wi-Fi Enterprise Networks
• Wi-Fi client, access point (AP), and RADIUS server
• Multiple user credentials
  allowed (802.1X/EAP types)
• How to verify the RADIUS
  server certificate?
      – CN, CA, expiration,
        revocation & purpose
             • There is no URL like in the web browsers  (X.509 CN)
                    – SSID (max. 32 chars) vs DNS hostname
             • Revocation (CRL & OCSP): no connection yet…
                    – OCSP Stapling & 802.11u & Open Secure Wireless (OSW) & Secure
                      Open Wireless Networking (SOWA – SOWN, e.g. XSSID)
Copyright © 2013 Taddong S.L.                                                         41
FreeRADIUS-WPE
• FreeRADIUS-Wireless Pwnage Edition (WPE)
      – SchmooCon 2008: Joshua Wright & Brad Antoniewicz
• Attacker impersonates the full Wi-Fi network
  infrastructure (AP + RADIUS server)
• PEAP & TTLS
      – Inner authentication: MS-CHAPv2 (or others)
      – Username + Challenge/Response
         http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf
                     http://www.willhackforsushi.com/?page_id=37
      http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
                     https://github.com/brad-anton/freeradius-wpe
Copyright © 2013 Taddong S.L.                                                    42
MS-CHAPv2 Cracking
• asleap (+v2.1) - Joshua Wright
      – Crack challenge (-C) and response (-R)
             • http://www.willhackforsushi.com/Asleap.html
      – Dictionary attack (DES x 3)
• genkeys
      – Precomputed MD4 hashes (indexed list of passwords)
             • Indexed by the last two bytes of MD4 hash (brute force)
                    – Challenge (8-byte) & MD4 hash (16-byte) ≈ Response (24-bytes)
• MS-CHAPv2 cloud cracking
      – Defcon 20 (2012): Moxie Marlinspike & David Hulton
             • https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
      – Brute force attack (256 ≈ DES) – FPGA box: ~ 12-24h
             • www.cloudcracker.com & chapcrack (100% success rate = $200)
                     Strength of user passphrase... not any more 
Copyright © 2013 Taddong S.L.                                                         43
Attack Opportunities
• If the CA is not verified by the Wi-Fi client…
      – Attacker can build his own private CA…
             • Issue a certificate to impersonate target network
                    – Both CA and server certs can mimic all fields from legitimate certs
                      except fingerprint
                    – Not needed most times: Wi-Fi client warnings?
• If the CA is verified by the Wi-Fi client…
      – Purchase a valid certificate from a public CA
             • Silently accepted by Wi-Fi client without extra checks
      – If the RADIUS server name (or subject) is verified, or if
        a private CA is used … attack will fail
               Are mobile clients vulnerable to FreeRADIUS-WPE?...
Copyright © 2013 Taddong S.L.                                                               44
FreeRADIUS-WPE in Action




Copyright © 2013 Taddong S.L.            45
iOS & FreeRADIUS-WPE
                          User Interface (UI)
• iOS 5.0 - 6.1.2 (iOS ?.x)
• Default CA: None
      – Prompts user to validate certificate at first connect
             • Both to legitimate and attacker’s Wi-Fi Enterprise networks
      – Does not validate CA or server certificate
• Default server name: None
• Extra (minimalism)
      – Security mode: …
             • Advanced Wi-Fi settings?
• Attack
      – Successful (except if user rejects to connect)
                           “Security in the hands of the end-user”
Copyright © 2013 Taddong S.L.                                                46
iOS & FreeRADIUS-WPE
                          Configuration Profile
• iOS 5.0 - 6.1.2 (iOS ?.x)
• Default CA: Undefined (optional)
      – Full list of public trusted CA’s available or import other CA’s
• Default server name: Undefined (optional)
• Extra (advanced settings)
      – Attacker might need to obtain a valid cert from same CA
      – No user warnings
• Attack
      – Successful (except if private CA
        or the server name is defined)

Copyright © 2013 Taddong S.L.                                             47
Android & FreeRADIUS-WPE
• Android 2.x & 4.1-4.2.2 (Android ?.x)
• Default CA: Undefined (optional)
      – CA have to be imported manually
             • Good to avoid the full list of trusted CA’s (if you know what you are
               really doing)
             • Bad as it is optional (and will end up empty most of the time)
• Default server name: None
      – Cannot be defined 
• Extra (advanced settings)
      – No user warnings
• Attack
      – Successful (except if private CA)

Copyright © 2013 Taddong S.L.                                                          48
WP 7.x & FreeRADIUS-WPE
•    Windows Phone 7.5
•    Default CA: None
•    Default server name: None
•    Extra (consumer device)
      – Lack of advanced settings: CA, server, EAP type…
      – First time it connects (to the legitimate Wi-Fi
        Enterprise network) it generates a warning 
             • Location: Legitimate area of coverage?
             • Not afterwards, when it connects to the attacker’s network
• Attack
      – Successful (worst case scenario for WPE)

Copyright © 2013 Taddong S.L.                                               49
WP 8 & FreeRADIUS-WPE
• Windows Phone 8
• Default CA: Off (“Validate server certificate”)
      – Full list of public trusted CA’s available or import other CA’s
• Default server name: None
• Extra (corporate device)
      –    Attacker might need to obtain a valid cert from same CA
      –    Lack of advanced settings: server name, EAP type…
      –    Same warning as WP 7.x (location)
      –    A single authentication failure generates an
           unstable client state (self imposed DoS?)
• Attack
      – Successful (except if private CA)


Copyright © 2013 Taddong S.L.                                             50
BlackBerry & FreeRADIUS-WPE
• BlackBerry 7.1.x
• Default CA: Undefined (mandatory)
      – Has to be set to be able to create the Wi-Fi profile
             • Full list of public trusted CA’s available or import other CA’s
• Default server name: Undefined (optional)
• Extra (advanced settings)
      – Attacker has to obtain a valid cert from same CA
      – No user warnings
      – “Disable Server Certificate Validation”
• Attack
      – Successful (except if private CA or
        the server name is defined)

Copyright © 2013 Taddong S.L.                                                    51
(FreeRADIUS) EAP Dumb-Down
                                                           SANS SEC575
• Multiple EAP types available
      – Mobile devices seem to prefer to use PEAP (MS-
        CHAPv2) by default
• But in reality they use the preferred EAP
  method set by the RADIUS server
      – GTC-PAP: Log credentials in cleartext
             • Username and passphrase
• Additionally it might allow full Wi-Fi
  network impersonation (MitM)
               Strength of user passphrase is irrelevant
Copyright © 2013 Taddong S.L.                                        52
EAP Dumb-Down in Action




Copyright © 2013 Taddong S.L.            53
iOS & EAP Dumb-Down
• Default EAP type
      – Cannot be set from the UI: “unknown”
             • None, WEP, WPA(2), WPA(2) Enterprise
      – Can be set via a configuration profile: PEAP
• Extra (configuration profile)
      – It is ignored, even if PEAP is the only EAP type set
• Attack
      – Same scenarios as in FreeRADIUS-WPE

Copyright © 2013 Taddong S.L.                                  54
Android & EAP Dumb-Down
• Default EAP type: PEAP
      – Can be set from the UI:
             • PEAP, TLS, TTLS, PWD
• Extra
      – Can set “Phase 2 auth” (inner)
        in the profile
             • MS-CHAPv2 vs. None (default)
• Attack
      – Same scenarios as in FreeRADIUS-WPE
             • Except when “Phase 2 auth” is set: Not vulnerable
Copyright © 2013 Taddong S.L.                                      55
WP & EAP Dumb-Down
• Default EAP type: PEAP (Microsoft)
      – Cannot be set from the UI
      – PEAP is really enforced!
• Attack
      – WP 7.5 & 8 are not vulnerable by default 
             • Best case scenario for EAP dumb-down




Copyright © 2013 Taddong S.L.                         56
BlackBerry & EAP Dumb-Down
• Default EAP type: PEAP
      – Can be set from the UI:
             • PEAP, LEAP, EAP-TLS, EAP-FAST, EAP-TTLS…
• Extra
      – Can set “Inner link security” in the profile
             • EAP-MS-CHAP v2 vs. AUTO (default)
• Attack
      – Same scenarios as in FreeRADIUS-WPE
             • Except when “Inner link security” is set: Not vulnerable


Copyright © 2013 Taddong S.L.                                             57
Wi-Fi Enterprise Clients
                              Conclusions
• Wi-Fi Enterprise is inherently “broken”
      – How to add a new RADIUS server?
             • Modify the config of all Wi-Fi clients in the organization
• Wi-Fi supplicants must always…
      – Trust only the specific CA used for the Wi-Fi network
             • Not a good idea to use the full list of public trusted CA’s
             • Private CA’s are a better option assuming an attacker cannot get a
               legitimate certificate from them
      – Define the specific (set of) RADIUS server(s) used (X.509 CN)
             • Do not provide options to disable certificate validation
      – Define and force the specific EAP type used
             • Define the inner authentication method (e.g. MS-CHAPv2)
             • Do not downgrade to other EAP types (dumb-down)
      All vendors have been notified about the EAP dumb-down vulns
Copyright © 2013 Taddong S.L.                                                       58
Wi-Fi Enterprise Clients
WPE & Dumb-Down Countermeasures
• iOS
      – Create a very strict and narrow configuration profile
             • Still “vulnerable” to EAP dumb-down (not if server is defined)
                    – Still the standard UI allows adding Wi-Fi Enterpise networks
• Android
      – Import and define CA, and set inner authentication
             • Still vulnerable to WPE (server cannot be defined)
• Windows Phone
      – WP7: Fully vulnerable to WPE (not to EAP dumb-down)
      – WP8: Define CA (still vulnerable to WPE & DoS?)
• BlackBerry (manually or BES)
      – Define CA and server, and set inner authentication
      Why are they vulnerable to WPE & EAP dumb-down by default?
Copyright © 2013 Taddong S.L.                                                        59
Wi-Fi Enterprise Clients
                           iOS Suggestions
• iOS options: minimalism vs. advanced settings
      – Disable adding Wi-Fi Enterprise networks through
        the standard UI completely (minimalism)
      – Add full advanced settings for Wi-Fi Enterprise
        networks through UI (mandatory config profiles)




Copyright © 2013 Taddong S.L.                              60
Post-MitM Wi-Fi Exploitation


Copyright © 2013 Taddong S.L.      61
Post-MitM Wi-Fi Exploitation
                        For Fun




Copyright © 2013 Taddong S.L.   http://www.ex-parrot.com/pete/upside-down-ternet.html   62
Post-MitM Wi-Fi Exploitation
• Wi-Fi driver vulnerabilities (if full connection state)
      – Remote code execution (ring 0) or DoS
• Mobile device fingerprinting
      – Traffic fingerprinting
      – Open ports (TCP/UDP) fingerprinting
• Traffic interception (Layer 2 and above)
      – HTTP (e.g. Firesheep, airpwn(-MSF), and others)
      – HTTPS (e.g. iOS untrusted certificate binding)
      – Other protocols
• Mobile client vulnerabilities
      – Karmetasploit
  Impersonate any service (DHCP, DNS, mail...) and the whole Internet
Copyright © 2013 Taddong S.L.                                           63
Traffic Interception: HTTPS
• HTTPS & iOS untrusted certificate binding
      – Untrusted certs that are accepted by the user
        once, will remain on iOS forever (Safari Mobile)
             • RADIUS certificates? (1st time only)
      – Digital certificates cannot be managed
             • Configuration profile: Restrictions
                    – Apple knows about it at least since iOS 5.x




    Attacker’s certificate is trusted by iOS forever after user accepts it
Copyright © 2013 Taddong S.L.                                                64
“You think that’s air you’re
      breathing now?”




Morpheus to Neo during the scene when he was teaching him in the virtual
               dojo on board the ship The Nebuchadnezzer
Thanks To…
• RootƏdCON
• Joshua Wright
      – FreeRADIUS-WPE
      – SANS SEC575: Mobile Device Security and Ethical Hacking
           https://www.sans.org/course/mobile-device-security-ethical-hacking
•    Mónica (testing, ideas & inspiration)
•    Jorge Ortiz (iOS SDK APIs)
•    Siletes & Tuno (WP 7.x)
•    Mariana (BB)
•    @omarbv (WP 8)
•    David & José (challenges)
•    Those who left us & Those that still are here
            To all the vendors in advance for fixing all these things 
Copyright © 2013 Taddong S.L.                                                   66
References
• “Wi-Fi (In)Security: All Your Air Are Belong To…”
      – http://www.taddong.com/docs/Wi-Fi_(In)Security_GOVCERT-
        2010_RaulSiles_Taddong_v1.0_2pages.pdf
• Taddong Security Advisories
      – http://blog.taddong.com/p/security-advisories.html
• Taddong’s Security Blog & Lab
      – blog.taddong.com & www.taddong.com/en/lab.html
• Raul Siles’ Wi-Fi Security
      – http://www.raulsiles.com/resources/wifi.html
• OWISAM (Tarlogic): www.owisam.org
      – OWISAM-TR-009, OWISAM-DI, OWISAM-CT…
 Check advisories & tools publication on Taddong’s Security Blog & Lab
Copyright © 2013 Taddong S.L.                                            67
Thank You




                                w w w.t a d d o n g . c o m
                                @taddong
Copyright © 2013 Taddong S.L.                            68

More Related Content

What's hot

What's hot (20)

KRACK attack
KRACK attackKRACK attack
KRACK attack
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
 
Aircrack
AircrackAircrack
Aircrack
 
Ethical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and toolsEthical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and tools
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptography
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & Defence
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve Cryptography
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
 
10 tk3193-ids
10 tk3193-ids10 tk3193-ids
10 tk3193-ids
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Diffie Hellman Key Exchange
Diffie Hellman Key ExchangeDiffie Hellman Key Exchange
Diffie Hellman Key Exchange
 

Similar to Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted CON 2013]

Aerohive - The death of the controller
Aerohive - The death of the controllerAerohive - The death of the controller
Aerohive - The death of the controller
ppuichaud
 
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Yury Chemerkin
 
AFCEA West Demonstration
AFCEA West DemonstrationAFCEA West Demonstration
AFCEA West Demonstration
Jon Marcy
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
responsedatacomms
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
responsedatacomms
 

Similar to Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted CON 2013] (20)

Aerohive - The death of the controller
Aerohive - The death of the controllerAerohive - The death of the controller
Aerohive - The death of the controller
 
S series presentation
S series presentationS series presentation
S series presentation
 
Radisys offloading 10412_final
Radisys offloading 10412_finalRadisys offloading 10412_final
Radisys offloading 10412_final
 
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
 
AFCEA West Demonstration
AFCEA West DemonstrationAFCEA West Demonstration
AFCEA West Demonstration
 
End-to-End and IPv6
End-to-End and IPv6End-to-End and IPv6
End-to-End and IPv6
 
Monetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless NetworksMonetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless Networks
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network Security
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
WPA/WPA2 TKIP Exploit
WPA/WPA2 TKIP ExploitWPA/WPA2 TKIP Exploit
WPA/WPA2 TKIP Exploit
 
10 fn s18
10 fn s1810 fn s18
10 fn s18
 
10 fn s18
10 fn s1810 fn s18
10 fn s18
 
Building a Digital Telco
Building a Digital TelcoBuilding a Digital Telco
Building a Digital Telco
 
Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi security
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011   pci 2.0 complianceAirheads vail 2011   pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
 
Lecture03 H
Lecture03 HLecture03 H
Lecture03 H
 
Meraki MR12
Meraki MR12Meraki MR12
Meraki MR12
 

More from RootedCON

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
Overkill Security
 

Recently uploaded (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 

Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted CON 2013]

  • 1. W hy i OS (Android & others) F ail i nexplicably? Raúl Siles raul@taddong.com w w w.t a d d o n g . c o m March 9, 2013 @taddong
  • 2. Wi-Fi Challenges Today? Copyright © 2013 Taddong S.L. 1
  • 3. Outline Pen-test: • Wi-Fi ((mobile) client) security • Wi-Fi mobile clients behavior & The PNL Mapping – iOS recent Wi-Fi updates • Wi-Fi network impersonation Exploitation – Attacking Wi-Fi (personal) clients – Attacking Wi-Fi enterprise clients • Post-MitM Wi-Fi exploitation Post-… • Conclusions & References Mainly iOS & Android (+90% market share Feb’2013), but others... Copyright © 2013 Taddong S.L. 2
  • 4. Wi-Fi Security State-of-the-Art During the Last Decade (or More…) PTW (< 60 secs) 2007-04-01 •WPA-PSK •WEP cloacking •Sophisticated •WPA(2)-PSK cracking attack tools improvements EAP •WEP chop-chop •TKIP chop-chop attack fingerprinting •TKIP QoS (WMM) DoS Attack tools Defcon 13: WiFi MS-CHAPv2 improvements Shootout Cloud WPA(2)-PSK cracking services cracking LEAP WPS Early WEP attacks Client WPA2 Hole PIN 802.11a attacks attacks 196 802.11b 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Target: Wi-Fi Infrastructure vs. Wi-Fi Clients Copyright © 2013 Taddong S.L. 3
  • 5. Wi-Fi Clients Security My last Wi-Fi presentation was in late 2010, so… what has changed after 2.5 years?… •Firesheep •Airpwn-MSF •AP-less WPA(2)- Wi-Fi driver PSK cracking fuzzing & exploitation MS-CHAPv2 •Caffe-Latte (WEP) cracking Karma •Anonymity attacks Client •ippon DoS 802.11a attacks •sslstrip airpwn (CVE-2012-2619) 802.11b 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 “Wi-Fi (In)Security” (Raul Siles, GOVCERT & CCN-CERT, Nov 2010) Copyright © 2013 Taddong S.L. 4
  • 6. Wi-Fi Mobile Clients Behavior Copyright © 2013 Taddong S.L. 5
  • 7. How Wi-Fi Clients Work? • Users connect to Wi-Fi networks by… 1. Selecting them from the list of currently available networks in the area of coverage 2. Adding them manually to the Wi-Fi client • Security settings are mandatory (if any) – Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise • Networks are remembered and stored for future connections: list of known networks The Preferred Network List (PNL) Copyright © 2013 Taddong S.L. 6
  • 8. Mobile Clients Standard Behavior to Connect to Wi-Fi Networks • Automatically connect to known Wi-Fi networks – Cannot be disabled or configured per network easily • E.g. iOS configuration profile (if “Auto join” is disabled) • If multiple known Wi-Fi networks are available… – iOS connects to the last-used network – Android: supplicant, driver, API… (e.g. Wi-Fi Ruler) – Windows Phone: signal strength? – BlackBerry: priority based on the list order (PNL) • Network identification is based on… – SSID (network name) and security settings Copyright © 2013 Taddong S.L. 7
  • 9. What Type of Network Are You Connecting To? Find the diffs… • Add the network manually to be able to verify and set all the security settings, but… It has a lock, so it must be secure!  Copyright © 2013 Taddong S.L. 8
  • 10. Steve Jobs’ (Apple) Minimalism Copyright © 2013 Taddong S.L. 9
  • 11. Managing the PNL in Mobile Clients • Why the user cannot manually select the priority for each network in the PNL? (except in BB) – As in the traditional clients (e.g. Windows 7 & 8) • Can the user view the list of known networks? • Can the user manage (add, delete, edit…) the list of known networks? • Android 4.x (from the live network list – turn on Wi-Fi first) • BlackBerry 7.x (“Saved Wi-Fi Networks”) • Windows Phone 7.x & 8.x (“Advanced – Known networks”) • iOS minimalism… Copyright © 2013 Taddong S.L. 10
  • 12. Managing the PNL in iOS Reality • Wi-Fi networks are easily added to the PNL… – … but cannot be easily removed from the PNL • “Forget this Network” is only available when the Wi-Fi network is in range – User needs to be in the area of coverage of the Wi-Fi network • WTF (Without Traveling Faraway) – Good excuse to travel for business reasons: “I have to improve the security of our Wi-Fi network and mobile devices…” There is even a CVE-2011-4003 (check my preso from 2010) Copyright © 2013 Taddong S.L. (http://www.logicallysecure.com/about/apple-ios-wireless-advisory/) 11
  • 13. Managing the PNL in iOS Solutions • We thought about publishing a new iOS app – Show PNL entries • SSID, BSSID, security, hidden, channel, current network… – Manage the PNL (add, delete, edit… entries) • iOS SDK API – Apple removed from AppStore all stumbler-like apps (in 2010) – Public API: “You can only get the SSID of the network your device is currently connected to”  – Private API: Apple80211 framework –> MobileWiFi framework • Jailbroken devices (Cydia): – “WiFi Passwords”: View networks and passwords in the PNL – “NetworkKnowledge” ($0.99): Delete networks in the PNL – /private/var/Keychains/keychain-2.db • Only SSID and password (not for open networks) Copyright © 2013 Taddong S.L. 12
  • 14. Managing the PNL in iOS iStupid • iStupid (v0.9) – indescreet SSID Tool (for the) Unknown PNL (on) iOS Devices • Generates beacons frames for one or multiple SSIDS (dictionary and brute force - future) – Multiple configuration options • Canal, SSID, BSSID, interval, rates, security settings… • Allows to select the security settings – Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise • WPA or WPA2 & TKIP or AES-CCMP (not relevant for iOS) – Loop Copyright © 2013 Taddong S.L. 13
  • 15. iStupid in Action Copyright © 2013 Taddong S.L. 14
  • 16. Disclosing the PNL for Free • Hidden Wi-Fi networks (cloaked or non-broadcast) – Still today a very common security best practice… – … with relevant security implications for the Wi-Fi clients – Beacon frames do not contain the SSID (empty) • Visible (or broadcast) Wi-Fi networks include the SSID in their beacon frames – Wi-Fi clients need to know the SSID to connect to the network • So how Wi-Fi clients connect to hidden Wi-Fi networks? – Wi-Fi clients have various networks (SSIDs) in their PNL • Wi-Fi clients have to specifically ask for the hidden Wi-Fi networks in their PNL by sending probe requests containing the SSID – As a result they disclose their PNL !! PNL was disclosed by Wi-Fi client in the past (2005; Win XP fix in 2007) Copyright © 2013 Taddong S.L. 15
  • 17. Do Mobile Devices Disclose the PNL? • Always (not in Windows Phone 7.x or 8) – Windows Mobile 6.5 (TAD-2010-003) TAKE 1 • When networks are manually added (hidden) – Android 2.x – 4.x (TAD-2011-003) Not Fixed Yet – iOS ?.x – 6.x (TAD-2013-001) NEW – BlackBerry 7.x (TAD-2013-002) NEW • Can be changed afterwards through advanced settings: • Why there is no option to indicate if a network in the PNL is hidden or not? (except in BB) – As in the traditional clients (e.g. Windows XP-8) “That’s one small step for a user, a giant leap for security” Copyright © 2013 Taddong S.L. 16
  • 18. Security Risks of Disclosing the PNL • An attacker can impersonate the various Wi-Fi networks in the PNL – Different methods based on the security settings • People didn’t pay enough attention to this… – … because there was no name for it! War Standing or War “Statuing” (Statue) Copyright © 2013 Taddong S.L. 17
  • 19. War Standing Risks Copyright © 2013 Taddong S.L. 18
  • 20. Tools for War Standing Activities • Significant limitations on current Wi-Fi security, hacking, and pen-testing tools – Network or AP focused – Very limited client details • Examples – Kismet(-ng) • Probe Networks • Autogroup Probe – Airodump-ng • Look at the bottom, if you can… – Stumbler-like tools ignore clients… (wlan.fc.type_subtype == 0x04) && !(wlan_mgt.ssid == "") Copyright © 2013 Taddong S.L. 19
  • 21. “Faltan las Palabras” problemón m. Un problema relevante o de notable importancia. probremón m. Un problema relevante o de notable importancia, que se repite a lo largo del tiempo. probremon.py – probe “Yo propongo…” – request – monitor La letra pequeña (Luis Piedrahita) Copyright © 2013 Taddong S.L. (http://www.antena3.com/programas/el-hormiguero/secciones/faltan-palabras/) 20
  • 22. probremon.py Ask the Tarasco Bro’s (Tarlogic) for GUI: “Wireless Auditing Framework” Copyright © 2013 Taddong S.L. 21
  • 23. SSID Selection & Contradictions • Change the default SSID and select a unique one – WPA cracking • PMK = PBKDF2(PSK, SSID + length, 4096 hmac-sha1) – AP impersonation • Avoid guessing, dictionary, or brute force attacks on SSID – Top SSIDs, Top Wi-Fi Hotspots, WiGLE… • Identifying a unique (set of) SSID(s) allows… – Associate network name to location (WiGLE…) – Anonymity attacks (personal privacy implications) – Targeted attacks (unique client fingerprint) Copyright © 2013 Taddong S.L. 22
  • 24. Wi-Fi PNL Conclusions • Vendors do not read Taddong’s Security Blog – Adding Wi-Fi networks manually == hidden network • Why don’t why make hidden Wi-Fi networks disappear in 802.11_ technologies? • AP shouldn’t provide an option to configure the Wi-Fi network as hidden • Wi-Fi clients should never allow users to add a Wi-Fi network as hidden – No need then to have an option to indicate if a network in the PNL is hidden or not (minimalism) Wi-Fi clients would not disclose their PNL... Right? Copyright © 2013 Taddong S.L. 23
  • 25. Do Mobile Devices Disclose the PNL? TAKE 2 iStupid Difficult to consistently reproduce them…  Copyright © 2013 Taddong S.L. 24
  • 26. The full PNL of iOS is disclosed in iOS 5.x & ?.x (sometimes…) iOS Recent Wi-Fi Updates: Analysis Copyright © 2013 Taddong S.L. 25
  • 27. iOS 6 & 6.0.1 Software (SW) vs. Security (SE) Updates • iOS 6: (Sep 19, 2012) – SW: http://support.apple.com/kb/DL1578 – SE: http://support.apple.com/kb/HT5503 • 197 security fixes – Wi-Fi: iOS discloses MAC of hosts of previous networks (DNAv4) • iOS 6.0.1: (Nov 1, 2012) – SW: http://support.apple.com/kb/DL1606 • “Improves reliability of iPhone 5 and iPod touch (5th generation) when connected to encrypted WPA2 Wi-Fi nets” – SE: http://support.apple.com/kb/HT5567 (4 CVEs) Copyright © 2013 Taddong S.L. 26
  • 28. iOS 6.0.2 (Dec 18, 2012) • SW: http://support.apple.com/kb/DL1621 “Fixes a bug.” Security Update? Forums speculations: “iOS prioritizing open networks over secure networks…” http://blog.taddong.com/2013/01/apples-skimpy-software- update.html Copyright © 2013 Taddong S.L. 27
  • 29. iOS 6.1 • iOS 6.1: (Jan 28, 2013) – SW: http://support.apple.com/kb/DL1624 – SE: http://support.apple.com/kb/HT5642 • 27 CVEs + root CA’s updates • CVE-2012-2619: “A remote attacker on the same WiFi network may be able to temporarily disable WiFi” • DoS condition (CVE-2012-2619 ) – October 2012 (Ekoparty - CoreLabs) – Broadcom Wi-Fi chipsets (iOS and others) – iPad 1 (iOS 5.1.1) Copyright © 2013 Taddong S.L. 28
  • 30. iOS 6.1.1 (Feb 11, 2013) • SW: http://support.apple.com/kb/DL1631 Security Update? http://support.apple.com/kb/HT1222 Copyright © 2013 Taddong S.L. 29
  • 31. HT1222 up to iOS 6.1.2 Apple consistent and uniform updates are something from the past Copyright © 2013 Taddong S.L. 30
  • 32. Conclusions Apple Copyright © 2013 Taddong S.L. 31
  • 33. Wi-Fi Network Impersonation (MitM) Copyright © 2013 Taddong S.L. 32
  • 34. Attacker’s Main Goal • When some entries in the PNL are disclosed by Wi-Fi clients… • … force the victims to (silently) connect to the attacker’s Wi-Fi network (Karma-like attacks) – AP impersonation (or fake AP): anywhere in the world – Evil-twin: area of coverage of the legitimate network • Strongest signal wins (or less battery drawing network) • Prerequisites – Open: None – WEP & WPA(2)-PSK: Pre-shared key – WPA(2)-Enterprise: Certificates or… none • Additionally you can obtain valid user credentials Copyright © 2013 Taddong S.L. 33
  • 35. Attacking Wi-Fi (Personal) Clients Copyright © 2013 Taddong S.L. 34
  • 36. Attacking Wi-Fi Clients A book in Spanish is coming soon… • Create a fake AP using airbase-ng – Impersonate the legitimate network • SSID & security settings • Obtain the pre-shared key – Setup full network connectivity & MitM • “BackTrack 5 Wireless Penetration Testing Beginner’s Guide” (Vivek Ramachandran) – Chapter 6: “Attacking the Client” (2011-09) • http://www.packtpub.com/article/backtrack-5-attacking-the-client http://www.packtpub.com/backtrack-5-wireless-penetration-testing- beginners-guide/book (Sample Chapter: 6) Copyright © 2013 Taddong S.L. 35
  • 37. Attacking Wi-Fi Clients: Open “I never, ever, connect to an open Wi-Fi network!” Right?  Copyright © 2013 Taddong S.L. 36
  • 38. Attacking Wi-Fi Clients: WEP • Caffe Latte (ToorCon 2007) – Broadcast ARP request & flip bits & ICV • http://www.aircrack-ng.org/doku.php?id=airbase-ng#how_does_the_caffe_latte_attack_work # airbase-ng -c 1 -a 00:01:02:0a:0b:0c -e “Taddong" -W 1 -L mon0 # airodump-ng -c 1 --bssid 00:01:02:0a:0b:0c --write CaffeLatte mon0 • Hirte (2008) – Fragmentation attack • http://www.aircrack-ng.org/doku.php?id=airbase-ng#how_does_the_hirte_attack_work # airbase-ng -c 1 -a 00:01:02:0a:0b:0c -e “Taddong" -W 1 -N mon0 # airodump-ng -c 1 --bssid 00:01:02:0a:0b:0c --write Hirte mon0 Strength of WEP key is irrelevant Copyright © 2013 Taddong S.L. 37
  • 39. Attacking Wi-Fi Clients: WPA(2)-PSK • AP-less WPA(2)-PSK cracking – Out of the range of the target network – Only requires the first two frames of the 4-way WPA(2) handshake • E.g. cowpatty (+v4.5): “-2” • http://www.willhackforsushi.com/?p=284 PMK = PBKDF2(PSK, SSID + length, 4096 hmac-sha1) PTK = PRF-512(PMK, text, AP@, STA@, anonce, snonce) Copyright © 2013 Taddong S.L. 38
  • 40. airbase-ng • airbase-ng – http://www.aircrack-ng.org/doku.php?id=airbase-ng – WEP (-W1): set the privacy bit • SKA: Shared Key Authentication (-s) – WPA (-z) & WPA2 (-Z) – TKIP (2) & AES (4) • WPA/TKIP (-z 2) • WPA/AES (-z 4) • WPA2/TKIP (-Z 2) • WPA2/AES (-Z 4) Strength of the WPA(2) PSK – 63 random characters Copyright © 2013 Taddong S.L. 39
  • 41. Attacking Wi-Fi Enterprise Clients Copyright © 2013 Taddong S.L. 40
  • 42. Wi-Fi Enterprise Networks • Wi-Fi client, access point (AP), and RADIUS server • Multiple user credentials allowed (802.1X/EAP types) • How to verify the RADIUS server certificate? – CN, CA, expiration, revocation & purpose • There is no URL like in the web browsers  (X.509 CN) – SSID (max. 32 chars) vs DNS hostname • Revocation (CRL & OCSP): no connection yet… – OCSP Stapling & 802.11u & Open Secure Wireless (OSW) & Secure Open Wireless Networking (SOWA – SOWN, e.g. XSSID) Copyright © 2013 Taddong S.L. 41
  • 43. FreeRADIUS-WPE • FreeRADIUS-Wireless Pwnage Edition (WPE) – SchmooCon 2008: Joshua Wright & Brad Antoniewicz • Attacker impersonates the full Wi-Fi network infrastructure (AP + RADIUS server) • PEAP & TTLS – Inner authentication: MS-CHAPv2 (or others) – Username + Challenge/Response http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf http://www.willhackforsushi.com/?page_id=37 http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html https://github.com/brad-anton/freeradius-wpe Copyright © 2013 Taddong S.L. 42
  • 44. MS-CHAPv2 Cracking • asleap (+v2.1) - Joshua Wright – Crack challenge (-C) and response (-R) • http://www.willhackforsushi.com/Asleap.html – Dictionary attack (DES x 3) • genkeys – Precomputed MD4 hashes (indexed list of passwords) • Indexed by the last two bytes of MD4 hash (brute force) – Challenge (8-byte) & MD4 hash (16-byte) ≈ Response (24-bytes) • MS-CHAPv2 cloud cracking – Defcon 20 (2012): Moxie Marlinspike & David Hulton • https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ – Brute force attack (256 ≈ DES) – FPGA box: ~ 12-24h • www.cloudcracker.com & chapcrack (100% success rate = $200) Strength of user passphrase... not any more  Copyright © 2013 Taddong S.L. 43
  • 45. Attack Opportunities • If the CA is not verified by the Wi-Fi client… – Attacker can build his own private CA… • Issue a certificate to impersonate target network – Both CA and server certs can mimic all fields from legitimate certs except fingerprint – Not needed most times: Wi-Fi client warnings? • If the CA is verified by the Wi-Fi client… – Purchase a valid certificate from a public CA • Silently accepted by Wi-Fi client without extra checks – If the RADIUS server name (or subject) is verified, or if a private CA is used … attack will fail Are mobile clients vulnerable to FreeRADIUS-WPE?... Copyright © 2013 Taddong S.L. 44
  • 46. FreeRADIUS-WPE in Action Copyright © 2013 Taddong S.L. 45
  • 47. iOS & FreeRADIUS-WPE User Interface (UI) • iOS 5.0 - 6.1.2 (iOS ?.x) • Default CA: None – Prompts user to validate certificate at first connect • Both to legitimate and attacker’s Wi-Fi Enterprise networks – Does not validate CA or server certificate • Default server name: None • Extra (minimalism) – Security mode: … • Advanced Wi-Fi settings? • Attack – Successful (except if user rejects to connect) “Security in the hands of the end-user” Copyright © 2013 Taddong S.L. 46
  • 48. iOS & FreeRADIUS-WPE Configuration Profile • iOS 5.0 - 6.1.2 (iOS ?.x) • Default CA: Undefined (optional) – Full list of public trusted CA’s available or import other CA’s • Default server name: Undefined (optional) • Extra (advanced settings) – Attacker might need to obtain a valid cert from same CA – No user warnings • Attack – Successful (except if private CA or the server name is defined) Copyright © 2013 Taddong S.L. 47
  • 49. Android & FreeRADIUS-WPE • Android 2.x & 4.1-4.2.2 (Android ?.x) • Default CA: Undefined (optional) – CA have to be imported manually • Good to avoid the full list of trusted CA’s (if you know what you are really doing) • Bad as it is optional (and will end up empty most of the time) • Default server name: None – Cannot be defined  • Extra (advanced settings) – No user warnings • Attack – Successful (except if private CA) Copyright © 2013 Taddong S.L. 48
  • 50. WP 7.x & FreeRADIUS-WPE • Windows Phone 7.5 • Default CA: None • Default server name: None • Extra (consumer device) – Lack of advanced settings: CA, server, EAP type… – First time it connects (to the legitimate Wi-Fi Enterprise network) it generates a warning  • Location: Legitimate area of coverage? • Not afterwards, when it connects to the attacker’s network • Attack – Successful (worst case scenario for WPE) Copyright © 2013 Taddong S.L. 49
  • 51. WP 8 & FreeRADIUS-WPE • Windows Phone 8 • Default CA: Off (“Validate server certificate”) – Full list of public trusted CA’s available or import other CA’s • Default server name: None • Extra (corporate device) – Attacker might need to obtain a valid cert from same CA – Lack of advanced settings: server name, EAP type… – Same warning as WP 7.x (location) – A single authentication failure generates an unstable client state (self imposed DoS?) • Attack – Successful (except if private CA) Copyright © 2013 Taddong S.L. 50
  • 52. BlackBerry & FreeRADIUS-WPE • BlackBerry 7.1.x • Default CA: Undefined (mandatory) – Has to be set to be able to create the Wi-Fi profile • Full list of public trusted CA’s available or import other CA’s • Default server name: Undefined (optional) • Extra (advanced settings) – Attacker has to obtain a valid cert from same CA – No user warnings – “Disable Server Certificate Validation” • Attack – Successful (except if private CA or the server name is defined) Copyright © 2013 Taddong S.L. 51
  • 53. (FreeRADIUS) EAP Dumb-Down SANS SEC575 • Multiple EAP types available – Mobile devices seem to prefer to use PEAP (MS- CHAPv2) by default • But in reality they use the preferred EAP method set by the RADIUS server – GTC-PAP: Log credentials in cleartext • Username and passphrase • Additionally it might allow full Wi-Fi network impersonation (MitM) Strength of user passphrase is irrelevant Copyright © 2013 Taddong S.L. 52
  • 54. EAP Dumb-Down in Action Copyright © 2013 Taddong S.L. 53
  • 55. iOS & EAP Dumb-Down • Default EAP type – Cannot be set from the UI: “unknown” • None, WEP, WPA(2), WPA(2) Enterprise – Can be set via a configuration profile: PEAP • Extra (configuration profile) – It is ignored, even if PEAP is the only EAP type set • Attack – Same scenarios as in FreeRADIUS-WPE Copyright © 2013 Taddong S.L. 54
  • 56. Android & EAP Dumb-Down • Default EAP type: PEAP – Can be set from the UI: • PEAP, TLS, TTLS, PWD • Extra – Can set “Phase 2 auth” (inner) in the profile • MS-CHAPv2 vs. None (default) • Attack – Same scenarios as in FreeRADIUS-WPE • Except when “Phase 2 auth” is set: Not vulnerable Copyright © 2013 Taddong S.L. 55
  • 57. WP & EAP Dumb-Down • Default EAP type: PEAP (Microsoft) – Cannot be set from the UI – PEAP is really enforced! • Attack – WP 7.5 & 8 are not vulnerable by default  • Best case scenario for EAP dumb-down Copyright © 2013 Taddong S.L. 56
  • 58. BlackBerry & EAP Dumb-Down • Default EAP type: PEAP – Can be set from the UI: • PEAP, LEAP, EAP-TLS, EAP-FAST, EAP-TTLS… • Extra – Can set “Inner link security” in the profile • EAP-MS-CHAP v2 vs. AUTO (default) • Attack – Same scenarios as in FreeRADIUS-WPE • Except when “Inner link security” is set: Not vulnerable Copyright © 2013 Taddong S.L. 57
  • 59. Wi-Fi Enterprise Clients Conclusions • Wi-Fi Enterprise is inherently “broken” – How to add a new RADIUS server? • Modify the config of all Wi-Fi clients in the organization • Wi-Fi supplicants must always… – Trust only the specific CA used for the Wi-Fi network • Not a good idea to use the full list of public trusted CA’s • Private CA’s are a better option assuming an attacker cannot get a legitimate certificate from them – Define the specific (set of) RADIUS server(s) used (X.509 CN) • Do not provide options to disable certificate validation – Define and force the specific EAP type used • Define the inner authentication method (e.g. MS-CHAPv2) • Do not downgrade to other EAP types (dumb-down) All vendors have been notified about the EAP dumb-down vulns Copyright © 2013 Taddong S.L. 58
  • 60. Wi-Fi Enterprise Clients WPE & Dumb-Down Countermeasures • iOS – Create a very strict and narrow configuration profile • Still “vulnerable” to EAP dumb-down (not if server is defined) – Still the standard UI allows adding Wi-Fi Enterpise networks • Android – Import and define CA, and set inner authentication • Still vulnerable to WPE (server cannot be defined) • Windows Phone – WP7: Fully vulnerable to WPE (not to EAP dumb-down) – WP8: Define CA (still vulnerable to WPE & DoS?) • BlackBerry (manually or BES) – Define CA and server, and set inner authentication Why are they vulnerable to WPE & EAP dumb-down by default? Copyright © 2013 Taddong S.L. 59
  • 61. Wi-Fi Enterprise Clients iOS Suggestions • iOS options: minimalism vs. advanced settings – Disable adding Wi-Fi Enterprise networks through the standard UI completely (minimalism) – Add full advanced settings for Wi-Fi Enterprise networks through UI (mandatory config profiles) Copyright © 2013 Taddong S.L. 60
  • 62. Post-MitM Wi-Fi Exploitation Copyright © 2013 Taddong S.L. 61
  • 63. Post-MitM Wi-Fi Exploitation For Fun Copyright © 2013 Taddong S.L. http://www.ex-parrot.com/pete/upside-down-ternet.html 62
  • 64. Post-MitM Wi-Fi Exploitation • Wi-Fi driver vulnerabilities (if full connection state) – Remote code execution (ring 0) or DoS • Mobile device fingerprinting – Traffic fingerprinting – Open ports (TCP/UDP) fingerprinting • Traffic interception (Layer 2 and above) – HTTP (e.g. Firesheep, airpwn(-MSF), and others) – HTTPS (e.g. iOS untrusted certificate binding) – Other protocols • Mobile client vulnerabilities – Karmetasploit Impersonate any service (DHCP, DNS, mail...) and the whole Internet Copyright © 2013 Taddong S.L. 63
  • 65. Traffic Interception: HTTPS • HTTPS & iOS untrusted certificate binding – Untrusted certs that are accepted by the user once, will remain on iOS forever (Safari Mobile) • RADIUS certificates? (1st time only) – Digital certificates cannot be managed • Configuration profile: Restrictions – Apple knows about it at least since iOS 5.x Attacker’s certificate is trusted by iOS forever after user accepts it Copyright © 2013 Taddong S.L. 64
  • 66. “You think that’s air you’re breathing now?” Morpheus to Neo during the scene when he was teaching him in the virtual dojo on board the ship The Nebuchadnezzer
  • 67. Thanks To… • RootƏdCON • Joshua Wright – FreeRADIUS-WPE – SANS SEC575: Mobile Device Security and Ethical Hacking https://www.sans.org/course/mobile-device-security-ethical-hacking • Mónica (testing, ideas & inspiration) • Jorge Ortiz (iOS SDK APIs) • Siletes & Tuno (WP 7.x) • Mariana (BB) • @omarbv (WP 8) • David & José (challenges) • Those who left us & Those that still are here To all the vendors in advance for fixing all these things  Copyright © 2013 Taddong S.L. 66
  • 68. References • “Wi-Fi (In)Security: All Your Air Are Belong To…” – http://www.taddong.com/docs/Wi-Fi_(In)Security_GOVCERT- 2010_RaulSiles_Taddong_v1.0_2pages.pdf • Taddong Security Advisories – http://blog.taddong.com/p/security-advisories.html • Taddong’s Security Blog & Lab – blog.taddong.com & www.taddong.com/en/lab.html • Raul Siles’ Wi-Fi Security – http://www.raulsiles.com/resources/wifi.html • OWISAM (Tarlogic): www.owisam.org – OWISAM-TR-009, OWISAM-DI, OWISAM-CT… Check advisories & tools publication on Taddong’s Security Blog & Lab Copyright © 2013 Taddong S.L. 67
  • 69. Thank You w w w.t a d d o n g . c o m @taddong Copyright © 2013 Taddong S.L. 68