Cracks in the air
Justice security expert shows how easy it can be to defeat wireless security
Why would you connect to a Bluetooth headset? There's no reason for it. ' Mischel Kwon, Justice Department
Justice Department information technology security specialist Mischel Kwon gave a sobering assessment last week of some of the security risks in today's environment of ubiquitous, promiscuous unwired communications.
'The days of no-wireless policies are gone,' Kwon said at the CIO Council's quarterly IT forum in Washington. Wireless local-area networks are a fact, she said. Workers create ad hoc personal networks with Bluetooth devices, and radio frequency identification is mandated for passports and government IDs. And 'with more use comes more hacking.'
Vulnerabilities in the 802.11 family of Wi-Fi standards are well-known: Rogue access points can make control difficult, signals are easy to detect, the Wired Equivalent Privacy standard is easy to crack and Wi-Fi Protected Access is vulnerable, if not equally easy to crack. But many users are less aware of the security holes that can be opened by Bluetooth-enabled devices ranging in size from handheld BlackBerrys to wireless-equipped cars.
'Why would you connect to a Bluetooth headset?' Kwon asked. 'There's no reason for it.'
And assurances from the State Department aside, she is no fan of the RFID chips in new passports. Physical and software protections incorporated into the documents are not adequate, she said. 'If you have an e-passport, protect it' with additional shielding, she said. 'If that is stolen, you are stolen.'
Kwon's lectures, complete with hands-on demonstrations, have become popular with government audiences. She is enthusiastic about the give-and-take battle of wireless attack and defense, and she has something of an antenna fetish ' although bigger is not always better in antennas, she said. Rob Del Gaizo, a computer science student at George Washington University, assisted with demonstrations of hacking techniques.
Cracking the WEP encryption scheme took only a few minutes after capturing relatively few packets. Breaking the Advanced Encryption Standard encryption used in WPA/2 is much more difficult, so Del Gaizo attacked the passphrase exchange
during the connection process instead.
'All I need is a four-way handshake, and then I can walk away' to run a dictionary attack against it, he said.
'All of these can be subverted in some way,' Kwon said. But even with weaknesses, some security is better than none because it can discourage the casual hacker.
She advised users who set up wireless networks at home to separate the wired and wireless segments with a firewall and avoid anything involving sensitive information on the wireless side. 'Just don't do it on wireless,' she said. That side of your network should be used for entertainment.
Bluetooth is a growing threat because it is becoming so common for hands-off cell phone communications and even the on-board computers in cars.
'It is very easy to crack,' Kwon said. The default personal identification number is almost always 0000 or 1234, and users seldom change it. Keys are based on Media Access Control addresses, and enabled devices are in discovery mode by default.
Kwon and Del Gaizo demonstrated a Bluetooth hack intercepting a cell phone call. 'It's a little man-in-the-middle attack on the headphone,' she said. Similar attacks can allow data on any enabled device to be stolen, and a modem command in Bluetooth can allow a stranger to control your cell phone.
Her advice: 'Turn off your Bluetooth, and don't use it. And uninstall the drivers.'
Defense Department employees using government-issued BlackBerrys must use Bluetooth Common Access Card readers to access their e-mail. The CAC readers are approved as secure by the National Security Agency, but the Bluetooth-enabled BlackBerrys are wide open, Kwon said.
'If you absolutely must use your headset or your CAC reader,' do not leave the devices in discoverable mode, and update the firmware and the operating system regularly, she said.Open passports
The State Department says each new e-passport, which has the owner's data on an RFID chip, is secure because it uses basic-access control that requires an access key. But Kwon said that code is based partly on such discoverable or guessable elements as birth dates and expiration dates, which makes them vulnerable. She described an experiment in which a hacker was able to break the code in a matter of hours and gain complete access to the data. Then 'all you have to do is sit very close to that person and take their info.'
Kwon said the e-passports come with a little protection, but she advised using additional foil shielding.