Now we have a small network up and running with WAPs and VLANs we are going to take a look at the security around these. One major concern has been that many home automation devices that are off the shelf rely on existing home networking technologies. If these are misconfigured or use weak encryption and passwords, then your home automation devices can quickly become a target. This is in addition to any flaws that may exist in the product itself.
Therefore this post will include:
- Discuss some of the security issues around WAP including:
- MAC white lists
Let’s start with looking at wireless security.
Wireless security and our WAP
The 802.11b standard offers us two security services, those being Authentication and Encryption. Authentication is handled through shared key authentication and encryption through WEP.
As you will see WEP was a weak implementation and has later been replaced. You should not use WEP but the WPA2 option in your AP.
Shared Key Autherntication
When a device (known as a station) wishes to authenticate with a WAP a shared key is used. Initially however there is a process in place to communicate what the shared key will be.
|Send a random number to the station|
|Encrypt random number using RC4 with a 40-bit shared secret ket and a non-secret 24-bit Initialization Value (IV)|
|Send encrypted random number|
|Decrypt received message using RC4, 40-bit shared secret key and 24-bit IV|
|Compare decrypted random number to transmitted one|
|If the two numbers match, then both station and WAP use same shared key|
So this is the basic steps for authenticating a user, however the traffic between the WAP and device also needs to be encrypted. The older and less secure mechanism for doing this was WEP (Wired Equivalence Privacy).
WEP – how it works and why you shouldn’t use it
WEP in a nutshell works as follows:
|Computes the ICV (integrity check vector). This is a 32-bit cyclic redundancy check|
|Append to message to create the plaintext|
|Use RC4, 40-bit secret key with 24-bit IV to create 64-bit key|
|Encrypt plaintext using RC4 by XORing with a key stream of pseudo-random bits|
|IV is concatenated with the ciphertext|
|Cipher text and the IV are sent to the station|
|Cipher text and the IV are received by the device|
|RC4 algorithm uses a 40-bit secret key and 24-bit IV as 64-bit key|
|The cipher text is decrypted by RC4 by XORing with key stream of pseudo-random bits|
|Separate ICV from message|
|Compute ICV for message|
|If received ICV matches the computed ICV then the message integrity is retained.|
So looking at this, you may notice that only 40-bits of this key are truly secret – and you’d be right. This of course is a problem.
As we can see the IV is sent in the clear as it is concatenated with the cipher text. Calculating what the next IV is can also be a massive security issue as some NICs:
- Use a pseudo-random IV – likelihood of the same IV being generated is very high in a shirt window due to only 24-bits being used
- Use an ascending counter for each IV – at only 24-bits this will reset after a few hours
- Use a combination of ascending/descending counter – same as above, eventually the sequence will reset
Thus by capturing two messages with identical IV’s an attacked can attempt to crack the encryption. This is due to the fact both messages while having a different plaintext have been created from the same IV and key.
XORing the two cipher texts results in: plaintext 1 XOR key stream XOR plaintext2 XOR key stream. However the key streams cancel each other out. The result of this is the plaintext’s XOR’d together. These can then be attacked via statistical methods to ascertain the two separate plain texts.
If this wasn’t problem enough our 40-bit encryption key can be weakened further by poor WEP key entry implementation in the WAP.
The root of this is that a user using a weak password/limited alphanumeric character set passphrase, shrinks the set of possible keys considerably. A passphrase will therefore only generate 21-bits of entropy – yes that means the key strength which could be 40-bits is now only 21-bits. And what of the remaining 19 bits – these unfortunately predictable.
Thus the number of passwords possible is somewhere in the region of 2 million. This may sound like a lot, but in fact can be brute forced in seconds.
Even a 40-bit WEP key is crackable within a few hours, so some companies are now using 128-bit keys (104-bit key and 24-bit IV) which an unfeasible to crack with current technologies.
It doesn’t end here though. WEP has two other known weaknesses such as weak keys leaking into the key stream and partially exposed keys allow the whole key to be determined (called the IV weakness).
WPS – Don’t use it
WPS standards for WiFi Protected Setup (protocol). Some AP’s contains a button you can press which and the request a connection from your station. Following this an 8 digit code is used to authenticate. 8 digits only allows for 11,000 possible combinations which can be cracked within 4 hours.
If your WAP has WPS disable it. if you can’t disable it, it might be time to buy a new device.
WPA, WPA2 and WPA-TKS
The WPA protocol/security certificate program is a replacement for WEP and was put in place to bridge the gap until the full 802.11i standard was rolled out.
WPA stands for WiFi Protected Access. You will see WPA and WPA2 as common security options on modern WAPs, where it is encouraged to be used instead of WEP. For example WPA replaced the flawed cyclic redundancy check was saw in WEP.
An extension to WPA was the Temporal Key Integrity Protocol. This was designed to allow WPA to accommodate older NICs that do not support WPA. Unfortunately it uses RC4 which introduced a weakness into the protocol. A weak PSK (Pre-Shared Key) passphrase can therefore be attacked by tools such as Cowpatty.
Typically you will see home WAP’s use WPA2-Personal aka WPA-PSK. For the moment will will use this, however later posts will provide the option to switch to WPA2-Enterprise mode.
Now is a good time to consider changing the SSID of your wireless network if you used a default one and also strengthening the password. For the WAP being used for Home Automation devices you should consider using an extremely strong passphrase. Typically you will only be registering devices with this WAP when you add them (as opposed to having guests etc. connect regularly/randomly).
Having looked at some of the security issues around wireless protocols we will now look at how we can use white lists on AP’s so in theory only certain devices can connect.
MAC whitelist (ACL)
A whitelist (access control list) is literally a list of devices permitted to connect to the AP. A device whose MAC is in the list is permitted to join the network, those who aren’t are blocked. Essentially you filter out devices who aren’t in the list by MAC.
Login to your second WAP and look for a white listing option if it exists. Once you understand how to add devices to the list, new Home Automation devices should be enabled here.
If you are using UniFI you may need a later copy of the controller to find this feature.
Of course this is not a full proof system. MAC spoofing would allow an unauthorized device, which has also cracked your WPA key to access the network. However it adds an extra hurdle.
In this post we covered the basics of WiFi protocols to get you thinking about security. As this series of posts progresses we will look at further methods of hardening our home automation network.
Also in later posts we will look at Kerberos as a tickets granting system and how 802.1x EAP protocol can be used with RADIUS.
In the next post we will return to pfSense and review the security at the firewall level.