Advanced High-tech Security (http://www.cyanline.com)
Tracking and recovering a stolen iPhone…
Steven Branigan, President, steveb@cyanline.com
Author of…
Dec 26, 2015

Hannah Shaw
Copyright (c) 2009, CyanLine LLC. All rights reserved.

Who am I?

• Former…
  – Bell Labs Researcher, Bellcore Engineer, Cop
• Author of High Tech Crimes Revealed.
  – Observed that insiders are more dangerous than outsiders.
• My company, CyanLine, handles
  – Wireless security products.
  – Network auditing and consulting.
  – Devising new tools for technical investigations.

The glossary for today

• 3G: The term used to describe the next generation of mobile network infrastructure that supports high-speed, high-bandwidth wireless services for advanced applications.
• 802.11: A family of wireless Local Area Network specifications also known as "Wi-Fi." The three main standards are 802.11a, 802.11b and 802.11g.
• 802.11a: 5 GHz; 5 times faster than 802.11b; fewer interference issues because of 5 GHz spectrum; not backwards compatible; 54 Mbps max link rate; 8 radio channels.
• 802.11b: 2.4 GHz; transfers data at 11 Mbps up to 300 ft; shares spectrum with cordless phones, microwaves; 11 Mbps max link rate; 3 radio channels.
• 802.11g: 2.4 GHz; 5 times faster than 802.11b; more secure; backwards compatible with 802.11b; 54 Mbps max link rate; 3 radio channels.
• AMPS (Advanced Mobile Phone Service): The analog cellular air interface standard used in the United States and other countries.
• AES (Advanced Encryption Standard): Federal information-coding protocol that ensures privacy via 128-, 192-, and 256-bit keys. AES is part of the forthcoming 802.11i specification.
• AP (Access Point): A hardware device or a computer's software that acts as a communication hub for users of a wireless device to connect to a wired LAN.
• Bluetooth: A short-range wireless networking technology with a range of about 30 feet and a raw data transmission rate of 1 Mbps. It's designed primarily as a cable replacement.
• Bluetooth SIG (Special Interest Group): A trade association comprised of industry leaders and some volunteers who are promoting the development of Bluetooth-enabled products.
• Broadband: Using a wide-bandwidth channel for voice, data and/or video services.
• Backhaul: Getting data to a point from which it can be distributed over a network.
• CDMA (Code Division Multiple Access): A technology used to send digital transmissions between a mobile phone and a radio base station. It allows for multiple transmissions to be carried simultaneously on a single wireless channel.
• CDPD (Cellular Digital Packet Data): A technology that allows telecommunications companies to transfer data over existing cellular networks to users.
• Cell site: The location where the wireless antenna and network communications equipment is placed.
• DMZ (Demilitarized Zone): A small network inserted as a neutral area between a company's private network and the outside public network. It provides indirect access to internal resources.
• DHCP (Dynamic Host Configuration Protocol): A standard that enables individual computers on an IP network to retrieve their IP addresses and other settings from a server on demand.
• Decibel: A unit used to express relative difference in power or intensity, usually between two acoustic or electric signals, equal to ten times the common logarithm of the ratio of the two levels.
• EDGE (Enhanced Data for GSM Evolution): A faster technology for GSM and TDMA networks that may offer transfer rates up to 384 Kbps.
• Fresnel Zone: The area around the visual line-of-sight that radio waves spread out into after they leave the antenna. This area must be clear or else signal strength will weaken.
• Full-Duplex: The radio term applied to transmissions such as telephone calls or wireless data that allow talking and listening at the same time by using two frequencies to create one channel. Each frequency is used solely for either transmitting or receiving.
• GPRS (General Packet Radio Service): A 2.5G technology being implemented in GSM networks. It is an "always on" technology with data transfer speeds up to 114 Kbps.
• GSM (Global Systems for Mobile Communication): A digital cellular or PCS standard for how data is coded and transferred through the wireless spectrum. It is the 2G wireless standard throughout the world, except in the United States. GSM is an alternative to CDMA.
• GHz (Gigahertz): One billion radio waves, or cycles, per second. Equal to 1,000 megahertz.
• GPS (Global Positioning System): A satellite-based navigation system made up of a network of 24 satellites placed into orbit by the U.S. Department of Defense.
• Hot Spots: Wireless access points that are found in public places such as airports, convention centers, hotels and coffee shops.
• Hz (Hertz): A unit of measurement of one cycle per second, or one radio wave passing one point in one second of time.
• ISP (Internet Service Provider): Company which resells internet access.
• LAN (Local Area Network): A system that links together electronic office equipment, such as computers and word processors, and forms a network within an office or building.
• MMS (Multimedia Messaging Service): A method for transmitting graphics, video clips, sound files and short text messages over wireless networks using the WAP protocol.
• MHz (Megahertz): One million radio waves, or cycles, per second. Equal to one thousand Kilohertz.
• MAC (Media-Access Control): A hard-coded or permanent address applied to hardware at the factory.
• NAT (Network Address Translation): A security technique, generally applied by a router, that makes many different IP addresses on an internal network appear to the Internet as a single address.
• Ping (Packet Information Groper): A protocol that sends a message to another computer and waits for acknowledgment, often used to check if another computer on a network is reachable.
• Point-to-Point: Method of transporting IP packets over a serial link between the user and the ISP.
• Point-to-Multipoint: A communications network that provides a path from one location to multiple locations (from one to many).
• RFID (Radio Frequency Identification): An analog-to-digital conversion technology that uses radio frequency waves to transfer data between a moveable item and a reader to identify, track or locate that item.
• SID (System Identification): A five digit number that indicates which service area the phone is in. Most carriers have one SID assigned to their service area.
• SSID (Service Set Identifier): A unique 32-character password that is assigned to every WLAN device and detected when one device sends data packets to another.
• TDMA (Time Division Multiple Access): A wireless technology that allows for digital transmission of radio signals between a mobile device and a fixed radio base station. It allows for increased bandwidth over digital cellular networks.
• TCP/IP (Transmission Control Protocol / Internet Protocol): Internet protocol suite developed by the US Department of Defense in the 1970s. TCP governs the exchange of sequential data. IP routes outgoing and recognizes incoming messages.
• VoIP (Voice over Internet Protocol): Any technology providing voice telephony services over IP, including CODECs, streaming protocols and session control.
• VHF (Very High Frequency): Referring to radio channels in the 30 to 300 MHz band.
• WAP (Wireless Application Protocol): A technology for wideband digital radio communications in Internet, multimedia, video and other capacity-demanding applications. It provides a data rate of 2 Mbps.
• WEP (Wired Equivalent Privacy): A feature used to encrypt and decrypt data signals transmitted between WLAN devices.
• Wi-Fi: Short for wireless fidelity; used generically when referring to any type of 802.11 network, including 802.11b, 802.11a, 802.11g.
• WAN (Wide Area Network): A communications network that uses such devices as telephone lines, satellite dishes, or radio waves to span a larger geographic area than can be covered by a LAN.
• WISP (Wireless Internet Service Provider): See ISP.
• Zulu Time: Synonymous with Greenwich Meridian Time, a time designation used in satellite systems.

Terms…

• Wireless networking issues…
  – Rogue Access Points
  – Hotspots
  – WEP/WPA
  – Probing clients
  – SSIDs
  – Wi-Fi vs Wi-Max
  – Piggybacking…

$$\text{Dist} = \sqrt{\frac{100\ \text{mW}}{4\pi \cdot \text{rssi}}}$$

WiFi Issues

• Sniffing network traffic
  – Traffic can be intercepted in clear text.
• Stealing network access
  – Unauthorized people getting on my network.
  – Anonymous access
• Denial of service
• Employees using unauthorized networks.
• A laptop unexpectedly joining with an AP.
• Employees/contractors bypassing filters and accessing inappropriate content in the office.

WiFi network issues

• #1 Piggybacking & the near miss search warrant
• #2 Anonymous threats
• #3 Network storage devices.
• #4 Why these cases are more challenging than cellular based wireless.

What if scenarios

• What if the suspect traffic is coming from an apartment building?

• What if the suspect traffic is tracked back to a corporate café’s hotspot?

• What if your jurisdiction has municipal wireless networking?

Test time

1. Can multiple wireless networks co-exist in the same room on the same channel? YES
2. Can multiple wireless networks co-exist in the same room on the same channel with the same SSID name? YES
3. Do users have the ability to control which wireless networks they use? YES
4. Can you remotely detect which wireless network a computer is attached to? YES
5. Can a wireless access point control which laptops connect to it? YES

Test time (2)

6. Can a wireless access point control which wireless networks a laptop connects to? NO
7. Can a laptop be remotely disconnected from a wireless network? YES
8. Does WEP encryption protect the MAC address? NO
9. Does WPA encryption protect the MAC address while in transit? NO
10. Do freeware solutions exist to find wireless networks? YES

Test time (3)

11. If my wireless card is not attached to any network, will it still search for networks I have attached to in the past? YES
12. Do freeware solutions exist to find hidden networks? YES
13. Do freeware solutions exist to defeat wireless encryption? YES
14. Can a laptop be attached to both a wired and wireless network at the same time? YES
15. Can a stolen laptop be tracked by wireless? YES

Law Enforcement Issues

• Does house have wireless AP?
• Is suspect actually accessing network from someone else’s wireless network?
• Does the house have wireless disk drives?
• Check passively?
• Are non-standard cards being used?
• a vs. b vs. g networks?
• MIMO and other range extenders?
• Signal strength as a piece of forensic data?
• Others?

Case start

• iPhone left in a movie theater (after Sherlock Holmes no less)
• popcorn guy didn’t turn the phone in
• he tried a research app that uses GPS
• I disabled phone access
• He deleted my email
• I disabled email access
• Located with GPS, WiFi (FIOS) IP accesses to my email server, and WiFi sniffing
• phone recovered, case pending

• Lost/Stolen iPhone
  – iPhones are 3G and WiFi capable.
• Typical owner response?
  – Turn off cell service.
• Well, iPhone can still be used on WiFi networks, right?

Still being used

• Case changed from lost to stolen iPhone when owner noticed that his emails were deleted.

• The phone also had a research application called airgrafiti that collected GPS coordinates.

• Could this phone be found?

Cellular aside

• AT&T store says a lot are stolen
• No provision offered to blacklist the phone
  – I believe this is done in Europe
• AT&T should be able to locate the phone
  – Has ESN/MIN pair registration data and tower data.

• AGPS data and tower interaction
  – Tower positioning data
• National MAC address registry?
  – Useful in WiFi cases especially

• Expectation of privacy with stolen iPhone?
  – None in NJ

Mac address

• The owner had the MAC address for the wireless card.
  – MAC addresses should be unique.
  – MAC addresses can be spoofed, but we thought unlikely with an iPhone.

• Just listen for the MAC address.

APFinder4

• We have been working on AP-Finder, and this seemed like a perfect opportunity to exercise it in the wild.

• Taking the GPS data, drove around the neighborhood looking for the MAC address.

• Remember, we are looking for the MAC address of the client, not of the Access Point.

Mac search

The basics on wireless

• IEEE 802.11 (b) and (g)
  – 2.4 GHz
  – 11 channels in US, 14 in other places
  – 11Mbits to 54Mbits
• IEEE 802.11(a)
  – 5 GHz
  – 16 channels
  – 54 Mbits

• Signals can travel far, as long as you have a good receive antenna.

Network types

• “Managed” networks
  – Clients talk to an access point.
  – Very common type of network.
  – Easy to set up.
• Peer-to-peer networks
  – Computers talk to each other directly.
  – Usually more difficult to set up.

Signal strength issues

• Good for distance “estimation”

• Not good for triangulation

The theory

• Signal emanates from transmission source spherically with a specific power, say 100 mW.

• With time, the sphere gets larger

Conservation of power

• The power per unit of area gets smaller as the sphere gets larger.

• This gives us a simple formula for distance based upon signal strength.

$$\text{receivedPower} = \frac{\text{transmitPower}}{4\pi\,(\text{Dist})^2}$$

$$\text{Dist} = \sqrt{\frac{\text{transmitPower}}{4\pi \cdot \text{receivedPower}}}$$
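
The distance formula above applied to receiver readings, as an added example that is not part of the original slides. It assumes the slide's 100 mW transmit power, an isotropic receive antenna on 2.437 GHz (channel 6) to turn an RSSI in dBm into power per unit area, and constructed drive-by samples; the function names are hypothetical.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def dbm_to_mw(dbm):
    """Convert a receiver RSSI reading in dBm to milliwatts."""
    return 10 ** (dbm / 10.0)


def isotropic_aperture_m2(freq_hz):
    """Effective capture area of an ideal isotropic antenna (assumption)."""
    wavelength = C / freq_hz
    return wavelength ** 2 / (4 * math.pi)


def estimate_distance_m(rssi_dbm, tx_mw=100.0, freq_hz=2.437e9):
    """Dist = sqrt(transmitPower / (4*pi*receivedPower)), with
    receivedPower expressed as power per unit area (mW per m^2)."""
    density = dbm_to_mw(rssi_dbm) / isotropic_aperture_m2(freq_hz)
    return math.sqrt(tx_mw / (4 * math.pi * density))


def rank_samples(samples):
    """Sort (label, rssi_dbm) samples from nearest to farthest estimate."""
    ranked = [(label, estimate_distance_m(rssi)) for label, rssi in samples]
    return sorted(ranked, key=lambda item: item[1])


def overestimate_factor(extra_loss_db):
    """How much an unmodelled loss (wall, reflection) inflates the estimate.

    Power falls with the square of distance, so every extra dB of loss
    multiplies the estimated distance by 10 ** (1 / 20).
    """
    return 10 ** (extra_loss_db / 20.0)


# Constructed readings of one client MAC taken while driving a street.
SAMPLES = [
    ("corner", -82),
    ("house A", -71),
    ("house B", -58),
    ("house C", -66),
    ("end of block", -85),
]

if __name__ == "__main__":
    for label, dist in rank_samples(SAMPLES):
        print(f"{label:13s} ~{dist:7.1f} m")
    # A 10 dB loss from a wall makes the source look about 3.2x farther,
    # which is why the estimate ranks locations but does not triangulate.
    print(f"10 dB of wall loss inflates distance x{overestimate_factor(10):.2f}")
```
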

Signal reflection

[Figure: diagram with a steel wall, an AP and a receiver. Legend: blocked, primary and secondary signal; strongest, medium and weakest signal.]

Wireless conversations

• A pairing of an Access Point with a wireless client.
  – Can be viewed in realtime
  – Can be discovered “forensically”.

Probing client

• House located…

• And it was not the one identified by GPS.

Result…

• Charged with fourth degree theft, and third degree computer crime.

Other options?

• Subpoena carrier for location information.
  – Would have worked. In fact, we used it to confirm data.
  – Only useful if you have the IP address access, which we had because the owner was running his own email.

Access the router

• Most all of these routers do not contain permanent disk storage.
  – Therefore, you need to access it while it is still powered.
  – The storage is volatile, so you need to move quickly.
  – For the very skilled, you can access it remotely…

Access the router

• If you can gain access, be prepared to make screen snapshots.
  – Get the DHCP/MAC table, including expiration times.
  – Get the External IP address, including the last update/expiration time.
  – Get the permanent NAT address translation information.

• Unfortunately, it is different for each vendor.

A little test

• It’s about user behavior

• Set it up and they shall come…

Forensic challenges

• What can be spoofed.

• What can be cracked.
  – WEP keys

• What can not be spoofed?
  – Power levels

• MIMO technology and implications.

• Info in wireless connector

Open Issues

• Can wireless be monitored passively?

• Can wireless be monitored legally?

• Which tools to use?

• Which tools to avoid?

Freeware Wireless Tools…

• Sniffers
  – Tcpdump
  – Wireshark
• Break encryption
  – WEPcrack
  – Asleap
• APtools
  – Hostap
  – Fakeap
  – APhopper
• Network discovery
  – Kismet
  – Netstumbler (windows)

Wireless Encryption

• If you have the key, you can listen to all the traffic on the network.
  – So, WEP/WPA give you a little privacy, but not a lot.

Some more existing tools

• Mac address changing
  – Using MacAddressChanger.exe
  – Using TMAC
• Cracking WEP keys.
  – aircrack-ptw can crack WEP in less than a minute.
• Traffic monitoring
  – Wireless sniffing
• Karma
  – Allows a user to set up their own base station on their laptop.