
Saturday, September 08, 2012

Judge correctly rules WiFi sniffing legal

A court has ruled that sniffing WiFi at hotspots is legal. Is this a good ruling? Legal expert Orin Kerr says “no”, that such sniffing is illegal. He is wrong, as I will show below.

GENERALLY ACCESSIBLE

First, we need to discuss how WiFi technically works. All WiFi devices sniff all traffic all the time. It’s just that they quickly discard the traffic that doesn’t belong to them. This means your neighbor’s WiFi passes through your iPhone. What we mean by “WiFi sniffing” is simply “no longer discarding it”.

The judge cites a $200 Airpcap as evidence that WiFi traffic can easily be captured, but he’s wrong, because it’s even easier. No special hardware is needed. For Windows, you might use the free “Winpcap” or “Netmon” software. For MacOSX you might use “Kismac”. For Linux, there are too many popular programs to list, but any such list would start with “tcpdump”. All are free. All use the fact that your laptop already has the WiFi traffic and all they need do is save it to disk rather than discard it.

This technical point is crucial when interpreting the statute, which says that it’s not unlawful to intercept communication that is “readily accessible to the general public”. Since nearby traffic is already going through your laptop, mobile phone or Kindle reader, and all you need is something that saves it to disk, it’s hard to argue that this traffic isn’t “generally accessible”.


WPA ENCRYPTION

If you don’t want your traffic to be generally accessible, all you need do is turn on WPA encryption. This feature really works. If you choose a strong password, nobody can eavesdrop on your traffic, not your neighbor’s teenage kid, and not even the NSA with all their encryption-busting super-computers. All they will get is a random jumble of meaningless bits. Evildoers in countries like Iran are perfectly safe from drones flying overhead monitoring their WiFi (as long as they choose a secure password).

When you connect to an unencrypted WiFi network, such as your local Starbucks, your Windows laptop will warn you that anybody can eavesdrop. You have to confirm that yes, this is indeed what you want to do. In other words, you made the explicit choice for your traffic to be “generally accessible to the public”. Orin Kerr points to court rulings saying that eavesdropping on cordless telephones was illegal – but those are cases where consumers had no choice, and never explicitly made that decision.

At the nearest Starbucks to my house there is a bar next door. That bar also provides free WiFi, but they encrypt it with WPA. The password is just their phone number. Starbucks could easily do the same. Instead of providing an open hotspot, it could just tell everyone the password is “starbucks”. It’s not terribly difficult for hackers to bypass, but it means that content is no longer “generally accessible”, and would trigger other provisions of the law banning interception of encrypted traffic.


CHILLING EFFECT

It’s not just your own device that sniffs, then discards, traffic. There is a broad swath of technology that wants to eavesdrop on network traffic, but without any intent of capturing private data.

Google’s StreetView cars are one example. They eavesdropped on as much as they could in order to map WiFi “access points”, so that devices could use WiFi to locate themselves without GPS.

Another example is WiFi “intrusion detection systems” or “IDS”. These devices detect hackers trying to break into a WiFi network. By their very nature, they must eavesdrop on all the WiFi traffic near them, which includes traffic from their neighbors that doesn’t belong to them. These systems will record suspicious activity, which sometimes means recording innocent traffic from their neighbors. Some have the ability to record the last several days’ worth of traffic, for investigating attacks.

None of these benign activities care if the traffic is encrypted. In fact, they’d prefer it that way. No intrusion analyst wants to analyze a suspected hacker incident only to find their neighbor is surfing porn. Google got a lot of bad publicity for over-capturing data that people could’ve just made private by turning on encryption.

Something as simple as having Starbucks encrypt their WiFi access points with the password “starbucks” would greatly help such things. It means individual packets are secure from being decrypted. They can only be decrypted if you’ve also captured the connection sequence and can crack the password. An intrusion detection system triggering on suspicious events wouldn’t have that. Neither would a Google StreetView car driving nearby. Yes, these things might capture individual packets, but no, they would be powerless to decrypt them, even when the password is something well-known like “starbucks”. Only a hacker sitting at the hotspot for a long time capturing the connection sequence would be able to decrypt the packets.


PRECEDENT

Judges ruling on old laws applied to new technology set precedent. In effect, they create new law. They have a choice. One choice means writing new law as they do their best to fairly apply ill-fitting concepts. The other choice is to punt it back to the legislators, telling them in effect that if you want this new thing to be illegal, you need to clearly spell it out.

We see this principle in effect here. Ruled one way, the judge can make all WiFi illegal, since all devices capture traffic that doesn’t belong to them. Ruled another way, the judge allows benign activity like intrusion-detection and StreetView, but also allows hackers to eavesdrop at the local Starbucks (while still barring capture of encrypted traffic).

I prefer the second choice. I think the law is clear, and this is the better interpretation. But even if the law were unclear, this should still be the choice, because judges should err on this side. If "hackers at Starbucks" needs to be solved, then either Starbucks should solve it themselves by turning on encryption, or legislators should pass laws explicitly barring such sniffing.


Saturday, September 18, 2010

Free (as in beer) wireless pentesting class

As a contribution to the incredibly awesome Security B-Sides unconference in Atlanta, the gang at Errata Security has put together a free training class based on our techniques for completing a professional wireless penetration test. We'll be going over the 5 basic areas of the "gold standard" wireless security assessment, as we do from time to time for a living.

To see what prerequisite knowledge is required to participate, and to register for the class (only a few spots left!), please

Wednesday, May 19, 2010

Technical details of the Street View WiFi payload controversy

The latest privacy controversy with Google is that while scanning for WiFi access-points in their Street View cars, they may have inadvertently captured data payloads containing private information (URLs, fragments of e-mails, and so on).

Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it's easy to inadvertently capture too much information, and be unaware of it.

This article discusses technically how such scanning works.

Wednesday, November 04, 2009

Windows 7 includes soft-ap


All Windows 7 machines can become a wifi access-point, routing the connections over Ethernet or even over a client station connection on the same wifi adapter. This Slashdot article mentions this, but gets the facts slightly wrong (claiming that it's incomplete and that you need extra software). Instructions for doing this are below.

This is going to be bad, causing rogue access-points to proliferate in companies.

CONTEXT

Technically, this isn't really new. You could always set up ad-hoc wifi and connection-sharing, which is almost the same thing. Also, it's already possible on Mac OS X, Linux, Windows Mobile, and iPhones.

Yet, a full "access-point" sucks less than "ad-hoc" networking. Also, it can work over the same WiFi adapter. Thus, while you are connected to "gogoinflight" on the airplane, your friend can log onto your "buddy" access-point on your computer and share your connection.

And there is increasing reason to do this. On my last flight, I wanted to sync both my iPhone and use my notebook. I only had to pay "gogoinflight" once, but I had to keep logging in again each time I switched from one device to the other. I totally would've just enabled this feature on my notebook and synced my iPhone through a virtual access-point instead.

Note: It only supports WPA, therefore you can't make "evil twin" access-points out of this (although I bet there is a way to hack it to turn WPA off).

HOW IT WORKS

Windows 7 can create "virtual" wifi adapters based on the real adapters, with a unique MAC address and everything. This is similar to VAPs on Linux, which allow you to create one virtual adapter for logging onto an access-point and another for running a soft-ap. The difference with Windows 7 is that it creates only a single virtual adapter for "hosted" mode -- no matter how many actual adapters you have in the system. It's called "Microsoft Virtual WiFi Miniport Adapter", and its MAC address is the real adapter's MAC address decremented by one.

Making it work is simply a matter of (1) configuring the SSID and WPA password, (2) configuring Internet Connection Sharing to bridge it with the network, and (3) turning it on.

WHY IT WORKS

Zune, and stuff like it.

Microsoft wants you to be able to transfer music/video from your computer to your Zune easily. This makes it easier.

It's not just soft-ap. Windows 7 allows a lot of other low-level functionality. For example, you can write applications that add custom "information elements" to the beacon and association packets sent when a new wifi connection is set up. Thus, your desktop becomes not simply an "access-point", but a "media access-point".

Finally, by mandating this low-level functionality in wifi hardware drivers now, it means Windows 7 should seamlessly work with "Wi-Fi Direct" bluetooth-like functionality whenever that standard becomes solidified.

INSTRUCTIONS

STEP 0: Open a command-prompt with administrator privileges.

Click on the Start menu, All Programs, Accessories, right-click on Command Prompt, and select "Run as administrator". Then type in the commands given in the following steps.

STEP 1: Configure the "hosted" interface:

netsh wlan set hostednetwork mode=allow ssid=Test key=letmein9

This example creates an access-point with an SSID of "Test", with a WPA password of "letmein9".

STEP 2: Configure Internet Connection Sharing (ICS)

Open up the networking control panel. Select the interface that currently has Internet connection (like your Ethernet or normal wifi), enable "Sharing", and then select the special "hosted" interface.

STEP 3: Start it

netsh wlan start hostednetwork

STEP 4: Enjoy

On your other devices (say, iPhone), connect to "Test" and give the WPA password of "letmein9".
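Since the post warns that this feature will make rogue access-points proliferate in companies, here is an added audit script (not from the post) that parses the report printed by `netsh wlan show hostednetwork` and tells you whether a hosted network is merely allowed on a machine or actually started with clients attached. The sample output is constructed, and the exact field labels ("Mode", "SSID name", "Status") are an assumption about the wording on a given Windows build.

```python
import re
import subprocess
import sys

# Constructed sample of what "netsh wlan show hostednetwork" prints while the
# "Test" access-point from the instructions above is running.
SAMPLE_NETSH_OUTPUT = """
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Test"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:1c:25:aa:bb:cc
    Radio type             : 802.11n
    Channel                : 11
    Number of clients      : 1
"""

# One "label : value" line; the lazy key match stops at the first colon, so
# values that themselves contain colons (the BSSID) survive intact.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_hostednetwork(text: str) -> dict:
    """Turn the netsh report into a {lowercased label: value} dictionary."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("value").strip('"')
    return fields


def softap_state(fields: dict) -> dict:
    """Summarise whether the hosted network is merely allowed or actually up."""
    allowed = fields.get("mode", "").lower() == "allowed"
    started = fields.get("status", "").lower() == "started"
    return {
        "allowed": allowed,
        "started": started,
        "ssid": fields.get("ssid name", ""),
        "clients": int(fields.get("number of clients", "0") or 0),
        # A started hosted network on a corporate laptop is a rogue-AP candidate
        # even when no client is connected yet.
        "rogue_ap_candidate": allowed and started,
    }


def audit_local_host() -> dict:
    """Run netsh on a Windows host; elsewhere fall back to the constructed sample."""
    if sys.platform != "win32":
        return softap_state(parse_hostednetwork(SAMPLE_NETSH_OUTPUT))
    out = subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                         capture_output=True, text=True, check=False).stdout
    return softap_state(parse_hostednetwork(out))


if __name__ == "__main__":
    state = audit_local_host()
    print(state)
    if state["rogue_ap_candidate"]:
        # Remediation is the inverse of STEP 1 above.
        print("hosted network is up; disable with: netsh wlan set hostednetwork mode=disallow")
```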









Friday, October 02, 2009

Hon Hai = Foxconn

In wireless scanning, you often see "Hon Hai Precision Industry Co., Ltd." show up as the name for the manufacturer of the wireless devices. I've always wondered who the heck they were. I finally got around to Googling the company name and found the easy answer: Foxconn.

All WiFi (and Ethernet) adapters contain a 24-bit manufacturer ID. These are registered with the IEEE. You can look up any ID to find out the manufacturer at the site http://standards.ieee.org/regauth/oui/.

Most of the names are obvious, such as Apple or IBM. However, some are more obscure, such as Hon Hai Precision. While Hon Hai seems to be a popular manufacturer of WiFi equipped computers, I have never heard of them.

As this Wikipedia article explains, Hon Hai is the company better known as "Foxconn", which by a recent estimate is the #132 largest company in the world. It is a big contract manufacturer of computer equipment. Some is sold under their own names, such as Foxconn motherboards or Leadtek graphics cards, but they mostly manufacture stuff for other companies. Currently, they build the MacBook, iPhone, Palm Pre, and the Amazon Kindle. They make the PlayStation 3, Wii, and Xbox 360. They are one of the largest manufacturers of notebooks sold under the brand names of other companies like HP. (This blog post was written on a MacBook Air, made by Foxconn, and posted while tethered through an iPhone, made by Foxconn.)

Many of the notebooks made by Foxconn will contain the "Hon Hai" manufacturer ID. However, a company such as Apple has tighter control over its branding: all the MacBooks and iPods Foxconn makes contain the Apple manufacturer ID.

So, in summary, when you see in your wireless scanner "Hon Hai Precision", think "Foxconn", or more specifically "a Windows notebook manufactured by Foxconn for a different brand company like HP".
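As an added example (not from the post), here is how a wireless scanner turns a BSSID into a name like "Hon Hai Precision": extract the 24-bit manufacturer ID from the address and look it up, while refusing to attribute locally administered addresses, which carry no manufacturer identity at all. The table entries below are constructed placeholders, not copies of the IEEE registry linked above.

```python
import re

# Constructed sample table: prefixes and names are illustrative only; a real
# scanner loads the full IEEE OUI registry referenced in the post.
SAMPLE_OUI_TABLE = {
    "00:1C:25": "Hon Hai Precision Ind. Co., Ltd.",   # constructed entry
    "00:11:22": "Apple, Inc.",                        # constructed entry
    "00:33:44": "IBM Corp.",                          # constructed entry
}


def normalize_mac(mac: str) -> list:
    """Accept 00:1c:25:aa:bb:cc, 00-1C-25-AA-BB-CC, 001c.25aa.bbcc or 001c25aabbcc
    and return six upper-case hex octets."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return [digits[i:i + 2].upper() for i in range(0, 12, 2)]


def oui_of(mac: str) -> str:
    """The first three octets are the IEEE-registered manufacturer ID (OUI)."""
    return ":".join(normalize_mac(mac)[:3])


def address_flags(mac: str) -> dict:
    """Decode the two flag bits in the first octet of an IEEE 802 address."""
    first = int(normalize_mac(mac)[0], 16)
    return {
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit: no registered OUI
    }


def lookup_vendor(mac: str, table: dict = SAMPLE_OUI_TABLE) -> str:
    """Vendor name for a MAC, or an explanation of why none can be given."""
    flags = address_flags(mac)
    if flags["locally_administered"]:
        # Software-set or randomised addresses may resemble a real OUI; a scanner
        # that attributes them to that vendor produces misleading inventory.
        return "locally administered (no manufacturer ID)"
    return table.get(oui_of(mac), "unknown OUI " + oui_of(mac))


if __name__ == "__main__":
    for sample in ("00:1C:25:AA:BB:CC", "02-1c-25-aa-bb-cc", "0011.22dd.eeff", "009999000001"):
        print(f"{sample:20s} -> {lookup_vendor(sample)}")
```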

Wednesday, November 12, 2008

Graphics cards are for cracking

I finally got around to testing Elcomsoft's WPA password cracking. If you'll remember, Elcomsoft announced last month that they could use the graphic card to crack WPA passwords 100 times faster than with a normal processor. I found it’s not 100 times faster, but the acceleration is significant enough that if you do WiFi pentesting, you should probably get a graphics card to speed this up.

I ran their software on a number of systems. A screenshot of the results is below.
The systems are:
  • "Core2Duo-GT260" is an nVidia GT260 GPU, with a Core 2 Duo 3.0-GHz
  • "Core2Quad" is a Core 2 Quad 2.4-GHz.
  • "EEE901" is an Intel Atom 1.6-GHz, dual-threaded.
  • "MacBookAir" is using the nVidia 9400m GPU, with a Core 2 Duo 1.86-GHz
  • "Pentium3-400MHz" is using an Intel Pentium III 400-MHz single-core CPU
Using the nVidia GT260 graphics card, the system could test roughly 10 thousand password hashes per second. A cheap quad-core CPU can only do about 1 thousand password hashes per second. This is not the 100-fold speed-up promised, but it is an impressive 10-fold speed-up.

I tried out some other processors as well. Intel has shipped a new extremely-mobile processor (intended for cell-phones) called the "Atom". It has roughly a tenth the CPU power of the desktop processor.

I tested the MacBook Air. Its graphics accelerator is actually slower than the built-in processor. Its 9400m GPU only does 178 hashes per second, but the Core 2 Duo could do around 400 hashes per second.

Graphics cards work by having a lot of tiny/simple processors. Here is a breakdown of some typical processors:

In theory, the speed of the cracking software should correlate with the frequency multiplied by the number of cores. The card to get right now is probably the 9800 GX2. I just ordered one from Newegg for $274. It puts two chips together on a single card, which should make it faster (as well as cheaper) than the GT260. I spent another $200 to get a system to go around it.

Elcomsoft's software currently cannot use different cards together. Therefore, when running the cracking software on a MacBook Pro (which has a 9400m and a 9600m), you won’t be able to use both simultaneously.

Monday, October 13, 2008

WPA is NOT obsolete

Elcomsoft, a company that produces password cracking software, has recently announced an upgrade to that product that uses the computer's graphics processor (GPU) to crack Wi-Fi passwords 100 times faster than before. In response to this, one so-called expert has claimed this means that WPA/WPA2 is obsolete, and that you must use VPNs to secure Wi-Fi networks.

Not quite.

At worst, all this really means is that you have to add one extra character to your WPA password to achieve the same level of security. Password cracking is exponential. Each additional character in a password makes it 100 times more difficult to crack (assuming you use upper and lower case, numbers, and symbols).

The claim of 100 times is a little hyped. It's comparing the most expensive graphics card solution, costing $1000 (dual GT280s), to a cheap CPU. On my system with a cheaper graphics card (Nvidia 8800GT), the GPU is likely to be only 5x faster than my CPU. If you are going to invest a lot of money in password cracking, you should probably invest in FPGAs (such as those from Pico Computing) instead.

You can only crack WPA passwords when everyone on the same network uses the same password (using "pre-shared keys" or PSK). Companies that give out different passwords to different people (using a RADIUS server and EAP) are not vulnerable to this sort of cracking. If home users are paranoid, they can install a RADIUS server.

Password crackers are good at figuring out the way people choose passwords. If you choose something like "Aardvark*Zebra", your password will be cracked quickly. Your WPA password needs to be both long AND complex.

The true danger of cracking tools like Elcomsoft's isn't the GPU, but the fact that it also uses distributed computing. You can grab all the computers in a small business and have them collaborate on cracking a single WPA password. Few people are going to invest in hardware for the purpose of cracking passwords, but lots of companies have "unused cycles" they can harness. If somebody were to release an open source program with GPU accelerated WPA cracking, then we'd have something more to worry about.

EDIT: George Ou also has a nice post debunking this idea.

Monday, September 15, 2008

The Perfect NetBook: Eee 701 2G Surf

The Register has a review of netbooks (mini notebook computers).

For security professionals, the best netbook I've found is the original one, the Eee PC 701 (aka. Eee PC 2G Surf). The thing that makes it perfect is the Atheros WiFi card in the computer and the $250 price tag.

WiFi hacking/pen-testing requires a card that can both receive packets in monitor mode and send/inject raw packets.

WiFi was designed with the idea that the chip should include its own low-power microprocessor to take care of all the management traffic. In this way, the host machine can be asleep, saving power. The consequence of this is that the host machine is typically unable to see the raw packets or send raw packets of its own.

Atheros designed its chips to be more open. The "madwifi" project was able to create Linux drivers for Atheros chips that allow full control over packets.

Other chips allow a subset of these abilities. Several others allow "monitor mode" to receive packets. Few, though, allow the ability to send every type of packet. They will overwrite the sequence numbers, for example, or prevent fragmentation. Others will refuse to send corrupt packets.

When doing WiFi fuzzing, you need to be able to craft every type of packet, including corrupt packets (indeed, that's the point of fuzzing -- to see how a system handles corrupt packets).

The easiest method for WEP cracking is to replay encrypted ARP packets (identified by their size and broadcast address) over and over to generate encrypted responses. After about 40,000 response packets, 128-bit WEP can be cracked in just a few seconds. I cracked my home WEP test network in about 15 minutes.

For cracking WPA, you need to be able to send deauth packets to force stations to re-authenticate. You then grab this information and hope they've chosen an easily guessable password that can be dictionary cracked.

The best thing about the Atheros chipset is that there exists full access-point software. That means you can set up the Eee PC as a full access-point. For pen-testing, you can also set it up as an "evil twin" -- so that users log onto your access-point instead of their intended one (allows you to intercept their traffic as they surf the Internet).

The Eee PC models contain Ralink chips for 802.11n. Right now, there are no drivers for either monitor mode or transmit for these chips. (Note that the Wikipedia article on Eee PC claims that all models use Atheros WiFi chips -- this is wrong.) You can, however, buy $33 mini-PCI cards and replace the WiFi if you want.

Another important feature is the SD slot in the Eee PC. At NewEgg, 4GB cards are $10 and 16GB cards $40. It's pretty easy to install the BackTrack distro and boot from these cards. You could replace the existing OS, but I'm too lazy and boot distros like BackTrack and Knoppix from SD cards.

Saturday, October 27, 2007

Errata goes to the races...

Today I spent time in the pits of the NASCAR truck series. It was a fun day, there was a minor accident, but the most surprising thing was the wireless access.
There were open wifi access points all over the pits. From DirecTV to access points used by reporters, it was ripe for credential theft, not to mention people still using unencrypted POP3. Below are some screen shots from my iPhone running Stumbler. These were collected just walking up and down the track. Sometimes people need to remember that although people who do security for a living know about these types of problems, the general public doesn't.



We should have a hamster and ferret package for the iPhone available soon.

Monday, April 30, 2007

Wireless NAC != Wireless IPS: AirTight...Leaks...

Rob Graham and I came in contact with some AirTight boxes. In case you don't know, they are a maker of wireless IDS technology. Since we know a thing or two about wireless, we wanted to look and see how these boxes work and if they perform as advertised. If you don't want to read the entire blog post, the short answer is: not completely. In our quick peek we found 3 problems. If we were doing a real assessment we would have pulled out the screwdrivers, ICE gear, and a disassembler, but instead we looked at this from a black-box remote perspective.

Problem 1: Protection relies on you being a good citizen.
One of the most touted features is the ability to shut down rogue access points and give administrators the ability to control who has access points and who doesn't, and which ones are legitimate and which ones are not. This is done by detecting the access point, determining if it is legitimate, and then flooding it with deauthentication packets if it isn't. It does this by spoofing deauthentication packets in both directions, from the user to the access point and from the access point to the user (packet caps of this to the right). These packets are in the standard and are basically there to say "go away, I am not interested in working with you". So I am sure you are curious what happens if you modify your driver and an access point to ignore these types of packets? Nothing, you can just keep humming away and do whatever it is you want to. Now the argument we heard when we originally mentioned this to people is that these types of devices are not designed to stop determined attackers, just a clueless guy who plugs in a Linksys in accounting, and those guys don't use custom wifi drivers. Too bad, we do, and this company would have failed a penetration test. Relying on a remote attacker to adhere to a standard for your security tool to work is crazy; that's as bad as the Cisco Security Agent API hooking that relied on you executing jumps to its analysis engine to work properly. In the Cisco case and the AirTight case you can just ignore the spec and the security breaks down.
Problem 2: Slowdown
We looked at how these devices would detect new access points. I thought at first it would be done via a combination of beacon and probe response to verify they were real access points, but we noticed something. The device would detect the access point from what appear to be probe response packets, and then one of their sensors would spoof a packet to be transmitted through the access point to itself. If it received the packet, then it would know the access point is indeed on the network. So what happens if you generate hundreds of thousands of fake probe responses? There is such a slowdown in responding to them that you could actually go about your normal business of plugging in a rogue access point and letting people external to your offices have access to your network before the sensors will actually detect it and start blocking it. Saturating it with about 10,000 fake probe responses meant that we would have between 1:30 minutes and 3:30 minutes before AirTight realized our access point had appeared. This may not seem like a lot, but if you are trying to copy things out unseen or quickly infect a company with a worm, that's all the time you need. We didn’t spoof for very long, but it appeared that if we left it running, we’d eventually fill up the database and take down the system.
Problem 3: It really does leak
In problem 2 it was noted that, to verify an access point is actually on the network, a sensor would spoof a packet to be transmitted through the access point, and if it was received by the sensor the containment process would begin by generating fake deauthentication messages. This is a problem because it leaks information about your internal network. This method of determining whether or not an access point is on the network means that UDP packets are being generated with the internal IP address of not just the sensor sending the spoofed packets but also the management console, and sending them over sniffable wireless access for all to see and capture. So even if you are not on the network and are just sniffing the channel the AP is on, you can get information about that company's internal network, like its addressing scheme and layout; you could even write a snort rule to detect just these types of packets. Thank you very much! With the work that has been done on Ferret we have become hypersensitive to unintentional information leaks, and this is definitely one.

Verdict: Great for clueless folks but will not keep out a skilled attacker
While these boxes may keep Bob from accounting from buying an access point at lunch and sharing your network to the world, they will not stop and in some cases aid a determined attacker in compromising your enterprise. They should not be labeled either "intrusion detection" or "intrusion prevention". These devices have no ability to stop a driver level attack like the ones we have previously discussed.
Also, I hate recreating other people's work. After we found these problems I was pointed to the paper below, which contains information about the deauth problems. It has a far more in-depth review of the weaknesses and why most of these products just don't add up: http://802.11ninja.net/~jwright/802/papers/wlan-sess-cont.pdf


Wednesday, February 28, 2007

It's V-A day....


In a few hours I’ll be taking the stage at Blackhat DC to give a Device Drivers 2.0 talk. This is an updated version of the material from Blackhat Vegas as well as new information about how to find and exploit wireless device driver vulnerabilities. The last 20 minutes of the presentation are devoted to Apple. Since I am no longer gagged I will finally, publicly refute the statements Apple made concerning never sharing anything with them. I will go through the timeline of what was shared, when, and what vulnerability it will point to. I am unfortunately unable to present any material sent to my email address at my former employer, but what I can share definitely destroys the claims that Jon and I were irresponsible, frauds, and shared nothing with Apple.

Bluetooth vuln...Nobody said anything about a Bluetooth vuln...
UPDATE: It was just mentioned to me how funny it is that the book I co-wrote about this here tells you how to find these vulns. I guess my pundits didn't feel the drive to try it...

Monday, January 15, 2007

The new Uninformed is out

http://www.uninformed.org/?v=6

This issue has articles on subverting Patchguard, Packer technology and (my personal favorite) auditing wireless device drivers. This is the best source for original information on topics like reverse engineering and exploitation techniques.