2014 © Dino Security S.L.
All rights reserved.
www.dinosec.com
@dinosec
Mobile Devices Wi-Fi Vulnerabilities in 802.1x/EAP Enterprise Networks
Raúl Siles
@raulsiles
March 12, 2014 - UCLM
Computer Security Conference Series (Ciclo de conferencias de Seguridad Informática)
Outline
• Wi-Fi challenges nowadays
• Wi-Fi (mobile) clients behavior
– The PNL
• Wi-Fi network impersonation
– Attacking Wi-Fi enterprise clients
• Wi-Fi clients security recommendations
• References
Wi-Fi Challenges Nowadays?
http://www.huffingtonpost.com/vala-afshar/50-incredible-wifi-tech-s_b_4775837.html
Wi-Fi Security Challenges Nowadays?
Super Bowl Security Command Center 2014: Broadcast on TV
Target: Wi-Fi Infrastructure vs. Wi-Fi Clients
Wi-Fi (Mobile) Clients Behavior
How Do Wi-Fi Clients Work?
• Users connect to Wi-Fi networks by…
1. Selecting them from the list of currently available networks in the area of coverage
2. Adding them manually to the Wi-Fi client
• Security settings are mandatory (if any)
– Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise
• Networks are remembered and stored for future connections: list of known networks
The Preferred Network List (PNL)
Disclosing the PNL
• How do Wi-Fi clients discover available Wi-Fi networks?
• Do Wi-Fi clients really disclose their PNL?
– By default
• Hardware, firmware, Wi-Fi drivers & supplicant (SW)
– Hidden Wi-Fi networks
– Do mobile devices really disclose their PNL?
• Manually adding Wi-Fi networks
– Is Android constantly scanning for Wi-Fi networks?
– iOS 5.x case study
– Weird and difficult to reproduce scenarios…
How Do Wi-Fi Clients Discover Available Wi-Fi Networks?
• Passive scan
– Beacons
– Every 100ms (10 frames/sec)
• SSID?
• Active scan
– Probe request / response
– (Wildcard or broadcast) SSID?
Hidden Wi-Fi Networks
• Hidden Wi-Fi networks (cloaked or non-broadcast)
– Still today a very common security best practice…
– … with relevant security implications for the Wi-Fi clients
– Beacon frames do not contain the SSID (empty)
• Visible (or broadcast) Wi-Fi networks include the SSID in their beacon frames
– Wi-Fi clients need to know the SSID to connect to the network
• So how do Wi-Fi clients connect to hidden Wi-Fi networks?
– Wi-Fi clients have various networks (SSIDs) in their PNL
• Wi-Fi clients have to specifically ask for the hidden Wi-Fi networks in their PNL by sending probe requests containing the SSID
– As a result they have to disclose their PNL!
PNL was disclosed by Wi-Fi clients in the past (2005; Win XP fix in 2007)
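To audit which of your own devices name networks in their probe requests, the following added example (not part of the original slides) parses raw 802.11 management frames and lists the SSIDs each client asks for by name. It assumes frames without radiotap header or FCS; all frames, MAC addresses and SSIDs in it are constructed sample data.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24        # frame control, duration, 3 addresses, sequence control
SUBTYPE_PROBE_REQ = 4    # management frame (type 0), subtype 4
ELEM_SSID = 0            # information element ID carrying the SSID


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, else None.

    An empty ssid is the wildcard (broadcast) probe, which names no network.
    """
    if len(frame) < MGMT_HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):                        # walk the tagged elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            return None                                 # truncated element
        if elem_id == ELEM_SSID:
            return src, value.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return None


def disclosed_pnl(frames):
    """Map each client MAC to the sorted SSIDs it asked for by name."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:                        # skip wildcard probes
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(ssids) for mac, ssids in seen.items()}


def _mgmt(subtype, src, body):
    """Build a constructed management frame for the sample data below."""
    bcast = b"\xff" * 6
    return bytes([subtype << 4, 0]) + b"\x00\x00" + bcast + src + bcast + b"\x00\x00" + body


def _ssid(name):
    raw = name.encode()
    return bytes([ELEM_SSID, len(raw)]) + raw


RATES = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])           # supported-rates element
CLIENT_A = bytes.fromhex("02000000000a")                # constructed MACs
CLIENT_B = bytes.fromhex("02000000000b")
AP = bytes.fromhex("0200000000aa")

SAMPLE_FRAMES = [
    _mgmt(4, CLIENT_A, _ssid("") + RATES),              # wildcard probe
    _mgmt(4, CLIENT_A, _ssid("CorpWiFi") + RATES),      # directed probes: PNL entries
    _mgmt(4, CLIENT_A, _ssid("HomeNet") + RATES),
    _mgmt(4, CLIENT_A, _ssid("CorpWiFi") + RATES),
    _mgmt(4, CLIENT_B, _ssid("") + RATES),              # only wildcard: nothing disclosed
    _mgmt(8, AP, b"\x00" * 12 + _ssid("CorpWiFi")),     # beacon, ignored
]

if __name__ == "__main__":
    for mac, ssids in disclosed_pnl(SAMPLE_FRAMES).items():
        print(mac, "discloses", ssids)
```

A client that only sends wildcard probes does not appear in the result, which is the behavior to aim for.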
Security Risks of Disclosing the PNL
• An attacker can impersonate the various Wi-Fi networks available in the PNL
– Different methods based on the security settings
• People didn’t pay enough attention to this because…
– …there was no name for it!
War Standing or War “Statuing” (Statue)
War Standing Risks
Wi-Fi Network Impersonation
Wi-Fi Network Impersonation (1/2)
• When entries in the PNL are disclosed by Wi-Fi clients… someone can force the victims to (silently) connect to the attacker’s Wi-Fi network
– Karma-like attacks (since 2004)
– AP impersonation (or fake AP): anywhere in the world
– Evil-twin: area of coverage of the legitimate network
• Strongest signal wins (or the network that draws less battery)
• The victim shares the network with the attacker
– Full network connectivity at layer 1&2 and above
– MitM: Man-in-the-Middle attacks
Wi-Fi Network Impersonation (2/2)
• Fully impersonate the Wi-Fi network…
– 802.11 AP, DHCP server, DNS server, routing and NAT capabilities, RADIUS server…
• Two prerequisites
– SSID (Wi-Fi network name)
• Disclosed from the PNL
– Wi-Fi network security type
• Security type requirements
– Open, WEP & WPA(2)-Personal, WPA(2)-Enterprise
Open Wi-Fi Networks…
Attacking Wi-Fi Clients: Open
“Nobody never ever connects to an open Wi-Fi network!” Right?
WPA(2)-Enterprise Wi-Fi Networks
Wi-Fi Enterprise Networks
• How to verify the RADIUS server certificate?
– CN, CA, expiration + revocation & purpose
• There is no URL like in the web browsers (X.509 CN)
• Wi-Fi client, access point (AP), and RADIUS server
• Multiple user credentials allowed (802.1X/EAP types)
FreeRADIUS-WPE
• FreeRADIUS-Wireless Pwnage Edition (WPE)
– ShmooCon 2008: Joshua Wright & Brad Antoniewicz
• Attacker impersonates the full Wi-Fi network infrastructure (AP + RADIUS server + …)
• PEAP & TTLS
– Inner authentication: MS-CHAPv2 (or others)
– Username + Challenge/Response (hash)
– Mutual authentication
http://www.shmoocon.org/2008/presentations/PEAP_Antoniewicz.pdf
http://www.willhackforsushi.com/?page_id=37
http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
https://github.com/brad-anton/freeradius-wpe
MS-CHAPv2 Cracking
• asleap (+v2.1) - Joshua Wright
– Crack challenge (-C) and response (-R)
• http://www.willhackforsushi.com/Asleap.html
– Dictionary attack (DES x 3)
• genkeys
– Precomputed MD4 hashes (indexed list of passwords)
• Indexed by the last two bytes of MD4 hash (brute force)
– Challenge (8-byte) & MD4 hash (16-byte) ≈ Response (24-byte)
• MS-CHAPv2 cloud cracking
– Defcon 20 (2012): Moxie Marlinspike & David Hulton
• https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
– Brute force attack (2^56 ≈ DES)
– FPGA box: ~ 12-24h
• www.cloudcracker.com & chapcrack (100% success rate = $200)
Strength of user passphrase... not any more!
FreeRADIUS-WPE in Action
SANS SEC575
(FreeRADIUS) EAP Dumb-Down
• Multiple EAP types available
– Mobile devices seem to prefer to use PEAP (MS-CHAPv2) by default
• But in reality they use the preferred EAP method set by the RADIUS server
– GTC-PAP: Log credentials in cleartext
• Username and passphrase
• Additionally it might allow automatic full Wi-Fi network impersonation (MitM)
Strength of the user passphrase is irrelevant
EAP Dumb-Down in Action
Mobile Devices Behavior Against FreeRADIUS-WPE & EAP Dumb-Down
• FreeRADIUS-WPE
– iOS: UI & configuration profile
– Android
– WP 7.x & 8
– BlackBerry 7.x
• EAP Dumb-Down
– iOS: UI & configuration profile
– Android
– WP 7.x & 8
– BlackBerry 7.x
"Why iOS (Android & others) Fail inexplicably"
User credentials (not just the Wi-Fi secret): Other corporate services?
Full MitM connectivity
Full Wi-Fi Network Impersonation For Fun & Profit by Example
Wi-Fi Network Impersonation Exploitation For Fun
http://www.ex-parrot.com/pete/upside-down-ternet.html
Wi-Fi Network Impersonation Exploitation For Profit - Goto Fail
• iOS update to 7.0.6 (Feb 21, 2014)
– 6.1.6 (iPhone 3GS & iPod Touch 4th)
– OS X 10.9 “Mavericks” (no patch)
• Lack of proper certificate validation
– DHE & ECDHE (CVE-2014-1266)
– https://www.imperialviolet.org:1266
– https://www.gotofail.com
https://www.imperialviolet.org/2014/02/22/applebug.html
Wi-Fi Clients Security Recommendations
Wi-Fi Clients Configuration Recommendations
• Turn off the Wi-Fi interface if not in use
• Do not configure Wi-Fi networks as hidden
• Do not add Wi-Fi networks manually to mobile devices (= hidden network)
• Manage & clean up the PNL periodically
– Individually and at enterprise level (MDM)
• Wi-Fi policy: What type of networks…?
• Properly add Wi-Fi enterprise networks…
Wi-Fi Enterprise Recommendations (1/2)
• Wi-Fi supplicants must always…
– Trust only the specific CA used for the Wi-Fi network
• Not a good idea to use the full list of public trusted CAs
• A private CA is a better option than a public CA assuming an attacker cannot get a legitimate certificate from it
– Define the specific (set of) RADIUS server(s) name(s) used (X.509 CN)
• Do not provide options to disable certificate validation
– Define and force the specific EAP type used
• Define the inner authentication method (e.g. MS-CHAPv2)
• Do not downgrade to other EAP types (EAP dumb-down)
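One way to check these settings on clients that use wpa_supplicant, as an added example that is not part of the original slides: the script audits each `network={...}` block for a pinned CA, a server-name match, a single forced EAP type, a defined inner method, and hidden-network probing (`scan_ssid=1`). The choice of wpa_supplicant, the finding labels and the sample configuration (SSIDs, paths, names) are assumptions constructed for illustration.

```python
import re

# wpa_supplicant options that tie the server certificate to a specific name
NAME_PINS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf: str):
    """Return one dict per network={...} block; quotes around values are stripped."""
    nets = []
    for block in re.findall(r"network\s*=\s*\{(.*?)\}", conf, flags=re.S):
        net = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return finding labels (hypothetical names) for one network block."""
    findings = []
    if net.get("scan_ssid") == "1":              # directed probes disclose the SSID
        findings.append("hidden-network-probing")
    # Simplification: only blocks that explicitly set WPA-EAP are audited further.
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no-ca-pinned")          # server certificate is not verified
    if not any(key in net for key in NAME_PINS):
        findings.append("no-server-name-check")  # any certificate from the CA passes
    methods = net.get("eap", "").split()
    if len(methods) != 1:                        # unset or several: server can pick
        findings.append("eap-type-not-forced")
    if set(methods) & {"PEAP", "TTLS"} and "phase2" not in net:
        findings.append("inner-method-not-defined")
    return findings


def audit(conf: str):
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


# Constructed sample configuration: a weak profile beside a hardened one.
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP TTLS
    identity="user@example.com"
}
network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/private-ca/corp-wifi-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
    identity="user@example.com"
}
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
'''

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "ok")
```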
Wi-Fi Enterprise Recommendations (2/2)
• WPA2-Enterprise: Full Wi-Fi network validation
– Do not ask the user!
• Wi-Fi Enterprise is inherently “broken”
– How to add a new RADIUS server?
• Modify the config of all Wi-Fi clients in the organization
• User credentials strength
– Passphrase
• EAP/TLS: client digital certificates + PKI
• WIDS (evil-twin)
References
• "Why iOS (Android & others) Fail inexplicably"
– http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
– http://vimeo.com/70718776
• DinoSec Security Advisories
– http://blog.dinosec.com/p/security-advisories.html
• "Wi-Fi (In)Security - All Your Air Are Belong To..."
– http://www.dinosec.com/docs/Wi-Fi_(In)Security_GOVCERT-2010_RaulSiles_Taddong_v1.0_2pages.pdf
• DinoSec Lab – Publications
– http://www.dinosec.com/en/lab.html
• DinoSec Lab – Tools: iStupid
– http://www.dinosec.com/tools/iStupid_1.0.tgz
“You think that’s air you’re breathing now?”
Morpheus to Neo during the scene when he was teaching him in the virtual dojo on board the ship The Nebuchadnezzar
Questions
www.dinosec.com
@dinosec
Raúl Siles
raul@dinosec.com
@raulsiles