Thursday, August 27, 2009

WPA not cracked yet

I'll admit, when I heard that WPA, (specifically implementations using TKIP), was cracked, my first reaction was "It's about time." This does not stem from some deep held desire to obtain free internet access from my neighbors, but instead from the fact that TKIP use RC4. It's extremely hard to implement RC4 correctly. So much so, that in general I don't trust any encryption algorithm that uses a stream cipher vs. a block cipher, (for the crypto purists, yes block ciphers essentially become stream ciphers when put in CFB mode, but that's also when problems tend to occur).

I guess what I'm trying to say is I'm inclined to take a dire view of WPA's security. That being said, when headlines like "Wi-Fi Code Cracked in Minute" appears on the front page of Yahoo, (bad grammar and all), I really feel the need to post something. Regardless though, please understand, if you are still using WPA in TKIP mode you should at least start thinking about upgrading to WPA2, or WPA using AES. Even if this particular attack doesn't prove weaponizable, chances are another attack later on down the line will.

So disclaimers aside, and with all the doom and gloom I already posted, what's my problem with the Yahoo article? Well, it's the simple fact that the current attack doesn't break WPA in a practical sense yet. Now I admit, I'm not an expert when it comes to wireless encryption protocols. I consider myself more of a hobbyist, but I did stay at a Holiday Inn last night. I mean I did actually read the academic paper describing the attack details. Also my initial job after graduating from college, (the first time), was attacking wireless networks so this is a topic near and dear to my heart. Oh, and while I'm talking myself up, some of my Master's research involved attacking Ad-hoc networks which tend to use wireless protocols. I guess what I'm trying to say is that while this post may sound like I know what I'm talking about, chances are there are major flaws in my understanding of the attack and it's implications so please feel free to correct me.

The attack described is a refinement of the ChopChop attack applied to WPA that was originally discovered by Martin Beck and Erik Tews. There's a couple of things to note about this attack that limit its usefulness in real world situations.

  1. It doesn't disclose/recover/discover, or whatever word you want to use, the encryption key. What this means is an attacker can't use this attack to figure out your password, hop on your network and start reading your e-mail or download random pictures of scantily clad individuals.

  2. While this attack does allow the attacker to decrypt encrypted packets, even with the refinements proposed, it is not an entirely offline attack. It still needs to use an authorized user, (access point, and/or client), as an oracle. This means an attacker can't just collect the encrypted data, and then go home and spend the next year decrypting it on some botnet/computer in their mom's basement. Essentially they have a limited time window to decrypt the packets, and the limiting factor is not how fast their computer is, but the amount of data that is leaked via error messages sent by the defender. The reason that the original attack took so long was that if an attacker sends more than one packet with a bad Message Integrity Check within 60 seconds, the AP would drop the connection. Thus it would take a minimum of 11 minutes to make 12 submissions to the AP. Those 12 error messages would be enough for the attacker to decode 2 byes of data. Similarly, packet injection takes around 5 minutes to execute, with three of those minutes taken up by submitting four different packets to obtain specific error messages.

  3. Continuing on point #2, in general most implementations of WPA are smart enough to realize that if someone is still trying to submit the same packet after 11 minutes, something is wrong. Or more to the point, WPA uses has a counter, (called the TKIP Sequence Counter or TSC) so when the actual client sends more data, the AP will no longer try to decrypt older packets. Beck and Tews get around this by attacking certain WPA implementations that allow multiple channels for QoS where the WPA implementation isn't smart enough to increment the TSC counter on all of them. One of the main improvements proposed by Ohigashi and Morii is to perform a true MITM attack where the client only talks to the attacker, not to the access point. Thus when the attacker wants to decrypt two bytes from a packet, they simply DoS the client for around 15 minutes. Needless to say, while this may be useful to decode an Arp packet at 3:00am in the morning, employing this attack when a user is online, and you know, sending interesting data, might be noticed. This is further complicated by point #4.

  4. The attacker has to know EVERY byte in the packet they are attacking with the exception of the byte or two of information they are trying to discover. Essentially the attacker conducts a known plaintext attack by constructing every possible packet that could be created by those two unknown bytes of information and then uses the error messages from the Access Point to identify which one is the correct packet. What this means is an attacker can't use this attack to decode the first two bytes of someone's telnet login password since they don't know what the rest of the password is. That's also why you see these papers talk about decoding and injecting Arp packets. Essentially what they are assuming is that they know the first three octets of defender's IP address, (such as 192.168.0.x), and so they are only trying to decode the last octet, (the 'x'), for both the access point and the client. Conveniently that is only two bytes of information. Since it's an Arp packet, the mac address information is already known, (it's not encrypted by WPA), and the attacker can figure out what the rest of the packet will look like. Now from my reading of both the original paper and this new one, there is nothing stopping the attacker from attempting to guess what more than two bytes are. Well, except for the fact that the attack would then require several hours to several years to decrypt 4-5 bytes from a single message. I would expect that after the first week of the DoS attack someone would at least try to reboot the router, not to mention the automatic idle timeouts ;)

  5. Finally, the "1 minute" time everyone is talking about only applies to injecting forged arp packets into the network, (it still takes around 11-15 minutes to decode a packet with the new attack). They achieved a speedup from the 4-5 minutes it took Beck/Tews attack to inject an arp packet by designing a way to forge the packet without having to contact the access point to verify if the packet is valid. Basically, instead of making sure their packet will be accepted, they just say "F*** it! Lets send it anyway. There's a 37 percent chance it will get accepted!). Then there's the fact that I have a hard time coming up with a non-DoS attack that involves injecting an Arp packet when the attacker doesn't have an authorized computer on the network, (otherwise why are they bothering to try and attack WPA in the first place). The only thing I can think of is framing someone else for Arp spoofing. Oh and the DoS attack isn't that useful since in order to pull it off, you have to already be able to perform a DoS attack, (though in all fairness you could perform a DoS attack against some other computer on the same Layer-2 network besides the client you are currently attacking).

Now I want to stress, this is good research that Ohigashi and Morrii are doing, and it almost certainly will lead to more potent attacks. Likewise, their paper is honest about what they are doing and the limitations of their attack. It's just that people see the words "WPA packet injection" and "Less than 1 minute," and automatically assume that WPA is as weak as WEP. Or as the Yahoo article puts it,

"The second generation of Wi-Fi security systems has now been broken as badly as its notoriously insecure predecessor"

It's just not true. As I said at the beginning of the post, if you are using WPA you should change to WPA2, but your neighbor's kid isn't going to be using your wireless anytime soon.

Tuesday, August 18, 2009

Defcon Roundoup Part II

Saturday:
  1. Started out at Hacker vs. Disasters, but I bailed on the first speaker and instead went to the talk by Joe Grand on hacking parking meters. It just further reinforced my belief that society functions because there are not many talented bad guys. Or I should say, the effort to hack these systems outweighs the cost of using them legitimately. Still the ability to frame other people is scary. Also, you can buy ANYTHING on E-Bay.

  2. Then went back to Hacker vs. Disasters to see Renderman talk. Didn't learn much but had a great time. Favorite quote: "Most people will be absolutly useless in a disaster. Actually that's not true. They are mostly made of meat..."

  3. Of course I went to the Mythbusters talk. I was blown away by how good a speaker Adam Savage was, along with the great topic "Failure". Like everything else in his life, Adam's failures truely were epic, and I think they need to show a copy of that speach to every kid in Intermediate/High School. It's an important lesson that failure is normal, and you can bounce back from it.

  4. PLA Information Warefare Development Timeline. Quick disclaimer, I've worked with the person who gave this talk, (and I found it hillarious that he originally used his name but later decided to use his handle instead). The talk itself was jam packed with information, though I had a hard time being engaged by most of it. Quite honestly I'm not shocked that another country would A) Develop military plans to fight the US. and B) Develop information warfare capabilties. It would almost be the height of irresponsability if they didn't. This first half of the talk dealt with the rise of China's IW program, (along with the development of certain kinetic military capabilities). I really would have liked to stay around for the second half, but I needed to see the next talk since it corrolates with some of my research.

  5. Sniff Keystokes With Lasers/Voltmeters: I am in awe of these guys presenting ability. They could talk about the weather and I'd show up. Just check out this video they created to demonstrate one possible use of their research. From a practical standpoint, the ability to read PS/2 keyboards via signal leakage into the ground wire was really scary. It was something that I hadn't even considered before, (and honestly would have gone "That's impossible", if someone would have suggested it). I wouldn't be surprised if the laser exploit gets deployed at next year's Defcon CTF.

  6. I am Walking Through a City Made of Glass: This talk once again focused on the Chinese hacking scene, but was slightly more useful to me since it covered the non-state affiliated Chinese hacker groups. It was refreshing to finally hear someone say that in addition to the attacks coming from home-grown Chinese hacking groups, other countries/groups are buying Chinese botnets/proxies to launch their attacks from.

And that was it for Saturday, (I spent the rest of the day wanding the CTF room, Vendor booths, etc).

Sunday:

I was freaking out about my talk, so I wasn't the best audience member. That being said, here is what I went to

  1. Down the Rabbit Hole: This talk, (or at least the same title), has been given before at several other conferences, but I've always managed to miss it. It was fairly good, though as I said before I had a hard time concentrating.

  2. Hack the Textbook: I feel sorry for the presenters since it's hard to make a website that rates and corrects computer books sound interesting. That being said, this project has the potential to help the secuirty industy more than any of the other talks given this weekend. We need to teach people how to write secure code, and if it takes off, this project has a good chance of helping people do that.

  3. Unmasking You: This was a solid talk, and some of the user fingerprinting was really nasty. I don't know how much these attacks are going to show up in the wild though.

  4. Search and Seizure Explained: A solid talk going over the different search and seizure laws. I hope I will never need to know the legal requirements that need to be met before a body cavity search can be performed on me when I'm crossing the border. Of course, that's one of those pieces of information where you REALLY need to know it if the situation arises.

And that was it for me. The rest of the time I spent in the CTF room and the speaker ready room. As for my talk? I don't remember most of it, though I think it went well. My demo didn't crash which was the big thing ;) I had a real good group of people show up for Q/A afterwards, and I apologize since I was still hyped up on adrenaline from the talk. That's why I have to practice my talk a million times before I give it, but once I get off script, (aka Q/A), pretty much all everyone got was a direct stream of consciousness feed from me laced with a healty dose of profanity.

That was it for Vegas. I had a drink with some of the people, hopped on a cab with one of the Shmoo guys before the closing ceremonies were finished, and then spent the next two weeks googling my name trying to figure out what people thought of the talk ;)

I hope to see everyone at Defcon 18!

Tuesday, August 11, 2009

Blog Spammers

Well, it looks like I've had my first tangle with blog spammers. If I deleted any legitimate posts that offered strong, but completely abstract, praise for this site along with a signature full of links, I apologize.

Monday, August 10, 2009

Defcon 17 Roundup

It hardly seems like Defcon 17 was only a week ago. Right now it alternately feels like I just got back from it, or it happened a million years ago. Ok, I admit it. That link has nothing to do with this post, defcon, or even the idea of "a million years ago", but I stumbled across it in my Google search for something more appropriate and I thought I should share. Librarian hackers: need I say more?

As I was saying, Defcon 17 occurred at some point in the past. I won't detail the parties that went on, though there were a few. The exception I will mention is the Toxic BBQ which was held on Thursday. Having skipped it the last two years due to various reasons, most of which involved the words "108 degrees", "outside", "off-site", and "laziness", I was truly amazed at how fun this event was. It also was the one event where you could relax, drink a few beers, (making sure to drink plenty of water as well - let me reference that 108 degrees again), and talk to people without music blasting in the background. All in all, I'm going to make sure I don't miss it next year.

Now on to the actual talks, which supposedly are the reason why everyone goes to Defcon in the first place.

Thursday:
I arrived too late to see any of these, but I heard good things about "Effective Information Security Career Planning", and "Hardware black Magic - Building Devices with FPGAs". I really wish I could have attended the FPGA talk since as you can imagine there are a few ways that can help my research.

Friday:
Talks I attended:
  1. Beckstrom's Law: I saw Rob Beckstrom speak at last year's Defcon panel "Meet the Feds", and I have to admit that I didn't have a very high opinion of him. Later when reading about his resignation from the post of Cyber-security chief I had to re-examine my previous evaluation as a lot of the points he made were very good. That being said, I managed to sit through about 10 minutes of this talk before I had to walk out. Between him promoting his book, explaining what DNS is, and warning us he might use "math", I realized he must have forgotten that he was giving this talk to Defcon attendees and not your typical office boardroom. That's a shame too since I looked at his slides afterwards, (the ones on the CD, not the ones he used), and there was a lot of good stuff in them. The problem he was covering is extremely important, and I think everyone agrees that the way we currently value networks and computer security falls into "pick some numbers that sound right." That's not acceptable and it's good to see someone trying to do something about it. I think in the future I need to focus on what Beckstrom writes, and skip any of his live talks.
  2. Asymmetric Defense: How to Fight off the NSA Red Team with Five People or Less: As the name implies, this talk detailed how the US Merchant Marine Academy goes about participating in NSA's Cyber Defense Exercise with a limited budget. It was a good talk, and one that I would recommend browsing through when it becomes available online. It also annoyed people from the other service academies to no end which was amusing as well.
  3. More Tricks for Defeating SSL: This was THE talk of Defcon. I'm sure you've heard about it already so I don't need to go into details. What made this talk amazing was not only did Moxie completely break SSL; not only did he do it a way that was totally l33t, (Pascal strings?!); not only did he show some scary attacks with it like completely owning any computer that was running Firefox, but he gave a great presentation as well. When he showed the blurry code segment and asked us to find the bug, (hint it's the part with all the nested If statements), I was blown away by his ability to convey this information to the crowd.
  4. The Year in Computer Crime Cases: Yay EFF. The most interesting part was hearing about the problems they had trying to set up a secure war-room at Defcon last year.
  5. Defcon Security Jam 2: I eventually ditched this talk and went to grab some lunch. I think part of the problem was the general setup of this hybrid talk/panel session. It wasn't bad, but eating food was a better use of my time.
  6. Computer and Internet Security Law - A Year in Review: Of the three "law" talks I went to, this one was the best. It really helped explain some of the reasoning behind certain rulings, such as why the cops can obtain a warrant and force you to open up a keyed safe, but they can't force you to open up a combination safe. In that case, it's all about attribution: aka if you know the combo, the safe is probably yours. With a key though, all the cops can "prove" is you knew where the key was. Yah, laws are weird.
  7. Malware Freak Show: I wasn't able to get into Johnny Long's talk so I went to this one instead. Looking back, it just goes to show that it's good that life doesn't always work out the way you want it to. I always wondered what computer security measures casinos use. Now I have a better idea, and I was shocked to find out that in at least one case the casino did such a poor job.
  8. Fragging Game Servers: I love to hear Bruce Potter talk, so it was entertaining, but he and Logan really needed another two to four months of work before this presentation should have seen the light of day. I feel sympathy for them as I've been in a similar situation myself. Most people don't realize it, but with these talks you need to submit a proposal around four months before the actual conference itself. This means the presenter usually has to make a few educated guesses about where they will be when the conference rolls around. Sometime those guesses don't match up with reality.
  9. Something about Network Security: So of course I had to go to the Kaminsky talk. I originally was going to see the talk by Travis Goodspeed, since I'm just blown away by his work, but with all the craziness of the zf0 hack I wanted to see what Kaminsky's reaction to it was. Pretty much everyone took the view of "but for the grace of god go I", with Dan being hacked. I have to admit, it wouldn't take much to completely 0wn me so reassessing my security setup is certainly on my to-do list when I get back to Tallahassee. The talk itself wasn't his best, but a lot of that can be attributed to Moxie covering much of it earlier. In short, it was a tough week for Dan, though my opinion of him hasn't been diminished at all.
And that was my Friday. I'll leave Saturday and Sunday for a later post.