Wireless Forensics: Tapping the Air - Part Two
Raul Siles, GSE 2007-01-08

Article continued from Page 1

Overcoming wireless encryption

The main drawback for the forensic examiner is not being able to obtain the key used by the suspect to encrypt/decrypt the wireless traffic; this key is required to analyze the traffic contents, so it is a crucial aspect of the forensic process.

The 802.11 standards define several data confidentiality modes, from the open (unencrypted) mode, where all traffic travels in the clear, to the 802.11i amendment, which uses strong algorithms such as AES-CCMP. The current state of the art for bypassing each of them is summarized in Table 1 and described below.

Encryption                Key  Security level  Auditing tool  Key acquisition
Open                      No   N/A             Sniffer        Not required
WEP                       PSK  Low [1]         Aircrack-ng    Feasible
WPA or WPA2 – Personal    PSK  Medium [2]      CoWPAtty       Feasible
WPA or WPA2 – Enterprise  EAP  High [3]        N/A            Other methods

Table 1. State-of-the-art to bypass wireless encryption.

Given enough captured traffic, the WEP key can always be recovered [1]. WEP and its derivatives (WEP+, Dynamic WEP...) are insecure mechanisms that can be defeated in several ways with tools such as the Aircrack-ng suite [ref 13]; the only variable is how many encrypted frames (unique IVs) have to be collected, which is why attackers resort to traffic injection to speed the capture up.

The security level shown in Table 1 for WPA/PSK depends mainly on the strength of the pre-shared key [2]. If the key is too short or is based on dictionary words (or can be derived from them), a dictionary attack can recover it. The attack needs the EAPOL four-way handshake of one client association, since the per-session keys, and the MIC that each candidate key is checked against, are derived from it: the attacker waits for a client to (re)associate or, actively and with the legal implications discussed later, forces a reassociation. The examiner can also use precomputed keys (rainbow tables) to speed up the search, with the caveat that the pairwise master key is derived from the passphrase and the SSID, so a table is only valid for one SSID. Tools like Aircrack-ng or CoWPAtty [ref 14] audit WPA/PSK networks; a new version of CoWPAtty [ref 15] released at the last DefCon conference added WPA2/PSK. Once the key is known, the traffic can be decrypted with Wireshark [ref 5] for WEP, or with airdecap-ng [ref 13] for WEP and for WPA/WPA2 (TKIP or CCMP), the latter only for sessions whose four-way handshake is present in the capture.
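The following is an added example, not code from the article, CoWPAtty or Aircrack-ng. It reimplements the 802.11i key schedule those tools exercise (PBKDF2 passphrase-to-PMK mapping, PRF-512 pairwise key expansion, EAPOL-Key MIC) and runs a wordlist against a handshake; the SSID, MAC addresses, nonces, passphrase, wordlist and the message 2 frame are all constructed for the demo, not captured. It also makes the SSID caveat concrete: the same passphrase yields a different PMK for every SSID.

```python
"""WPA/WPA2-PSK key recovery from a captured four-way handshake.

Added example, not code from the article, CoWPAtty or Aircrack-ng. It
reimplements the 802.11i key schedule those tools exercise:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion", min|max(AA,SPA) || min|max(nonces))
  KCK = PTK[0:16], the key that MICs the EAPOL-Key handshake frames.
SSID, MAC addresses, passphrase and wordlist below are constructed.
"""
import hashlib
import hmac

EAPOL_MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields preceding the MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i Annex H.4 passphrase-to-PSK mapping. The SSID is the salt, so a
    precomputed (genpmk-style) table is only valid for one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_kck(pmk, aa, spa, anonce, snonce):
    """First 128 bits of the PTK: the EAPOL-Key Confirmation Key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck, frame):
    """MIC of an EAPOL-Key frame, computed with its MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP)
    uses HMAC-SHA1 truncated to 128 bits."""
    version = frame[6] & 0x07      # low three bits of the Key Information field
    zeroed = frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + frame[EAPOL_MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck, snonce, key_version=2, replay_counter=1):
    """Constructed handshake message 2 (supplicant -> authenticator): EAPOL-Key,
    RSN descriptor, Key Info = MIC | Pairwise | version, SNonce, no key data."""
    key_info = (0x0100 | 0x0008 | key_version).to_bytes(2, "big")
    body = (b"\x02" + key_info + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # Key IV, Key RSC, Key ID
            + b"\x00" * 16 + b"\x00\x00")                    # MIC placeholder, Key Data Length
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    return frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + 16:]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """CoWPAtty-style attack: one PBKDF2 + PRF per candidate, then MIC compare."""
    captured_mic = msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed scenario, not a real capture.
SSID = b"CorpGuest"
AA = bytes.fromhex("00112233aabb")       # authenticator (AP) address
SPA = bytes.fromhex("00aabbccdd01")      # supplicant address
ANONCE = bytes(range(0xE0, 0x100))       # 32-byte nonces, as in the 802.11i test vectors
SNONCE = bytes(range(0xC0, 0xE0))
TRUE_PASSPHRASE = "sunshine1"
WORDLIST = ["letmein", "password", "sunshine1", "trustno1"]


def demo_handshake():
    """Message 2 as the client would have sent it under the true passphrase."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    return build_msg2(derive_kck(pmk, AA, SPA, ANONCE, SNONCE), SNONCE)


def demo_crack(wordlist=WORDLIST):
    return crack_psk(wordlist, SSID, AA, SPA, ANONCE, SNONCE, demo_handshake())


if __name__ == "__main__":
    print("recovered passphrase:", demo_crack())
```

The cost per candidate is dominated by the 4096 PBKDF2 iterations, which is exactly what a per-SSID precomputed table removes; the PRF and MIC steps are cheap, so a wordlist that misses the passphrase (the `None` case) costs the same as one that hits it on the last entry.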

In WPA(2)/Enterprise mode the master keys [3] are generated per session during EAP authentication and delivered by the RADIUS server, so there is nothing to run a dictionary attack against. The weak point of this mode is the authentication exchange of the EAP type in use (for instance, legacy LEAP exposes a challenge/response that can be attacked with a dictionary, and PEAP or EAP-TTLS clients that do not validate the server certificate can be lured into authenticating to a rogue access point). For the purposes of this article we treat it as secure: short of brute force, the key cannot be recovered in a reasonable amount of time.

To sum up, only WPA or WPA2 Personal mode with a robust pre-shared key (more than 20 characters, as recommended in Annex H.4.1 of the IEEE 802.11i specification [ref 16], and not based on dictionary words), or Enterprise mode with a robust EAP method such as PEAP or EAP-TLS, can be considered resistant to key recovery in practice. In these scenarios the forensic examiner needs other ways to reach the traffic contents, such as obtaining the keys or key material from the access points, the wireless clients, the RADIUS server or the backend user authentication database.

Finally, it is very common nowadays to find wireless deployments where encryption is applied at higher layers (layer 3 and above), such as VPN solutions based on IPsec, SSL or SSH. These scenarios, which are not specific to wireless networks, present new and complex challenges for the forensic examiner; the next section describes advanced traffic analysis techniques and tools that apply to them. On the other hand, if the suspect is illegally using a third-party wireless network (a very frequent scenario), he had to overcome the same encryption constraints described above, so he is most probably using an open network, a WEP network, or a WPA-PSK network with a guessable pre-shared key.

Advanced traffic analysis and fingerprinting techniques

If layer 2 (or higher layer) encryption cannot be bypassed, no direct conclusions can be drawn from the data contents, and a common fallback is statistical protocol analysis. Wireless traffic additionally offers information in its clear-text portions: the headers of the data frames, and the management and control frames, which always travel in the clear. This clear-text data can reveal, for example, whether the suspect tried to connect to a specific network, whether the connection succeeded, the authentication methods used, and the network's features and capabilities, including the encryption methods it supports.
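As an added example (not from the article), the following code parses a beacon, one of the management frames that always travel in the clear, and maps what it announces onto the encryption classes of Table 1. It relies only on the Capability field and the RSN (element ID 48) or vendor WPA (ID 221, OUI 00:50:f2 type 1) information elements; the beacons, SSIDs and BSSID it analyses are constructed, not captured.

```python
"""Classifying a network from clear-text 802.11 management frames.

Added example, not from the article: it parses a constructed beacon (no real
capture) and maps it onto the encryption classes of Table 1 (Open, WEP,
WPA/WPA2 Personal, WPA/WPA2 Enterprise) from the Capability field and the
RSN (element ID 48) or vendor WPA (ID 221, OUI 00:50:f2 type 1) information
elements. Beacons, probe responses and association frames are not encrypted,
so this works even when every data frame is.
"""
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
MGMT_HDR_LEN = 24       # FC, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12   # timestamp(8), beacon interval(2), capability(2)
CAP_PRIVACY = 0x0010    # "Privacy" capability bit: WEP when no RSN/WPA element is present


def parse_ies(buf):
    """Split the tagged parameters into (element_id, payload) pairs."""
    ies, off = [], 0
    while off + 2 <= len(buf):
        eid, length = buf[off], buf[off + 1]
        ies.append((eid, buf[off + 2:off + 2 + length]))
        off += 2 + length
    return ies


def parse_security_ie(payload, oui):
    """Decode an RSN body or a WPA body (after its OUI+type): version(2),
    group suite(4), pairwise count(2) + suites, AKM count(2) + suites."""
    def suite_name(suite, table):
        return table.get(suite[3], "unknown") if suite[:3] == oui else "vendor"
    n_pair = struct.unpack_from("<H", payload, 6)[0]
    off = 8
    pairwise = [payload[off + 4 * i:off + 4 * i + 4] for i in range(n_pair)]
    off += 4 * n_pair
    n_akm = struct.unpack_from("<H", payload, off)[0]
    off += 2
    akms = [payload[off + 4 * i:off + 4 * i + 4] for i in range(n_akm)]
    return {"group": suite_name(payload[2:6], CIPHERS),
            "pairwise": [suite_name(s, CIPHERS) for s in pairwise],
            "akm": [suite_name(s, AKMS) for s in akms]}


def classify_beacon(frame):
    """Return the SSID and the Table 1 class of the network announcing this beacon."""
    body = frame[MGMT_HDR_LEN:]
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = parse_ies(body[BEACON_FIXED_LEN:])
    ssid = next((p for eid, p in ies if eid == 0), b"").decode("utf-8", "replace")
    rsn = next((p for eid, p in ies if eid == 48), None)
    wpa = next((p[4:] for eid, p in ies if eid == 221 and p[:4] == WPA_OUI + b"\x01"), None)
    if rsn is not None:
        sec, gen = parse_security_ie(rsn, RSN_OUI), "WPA2"
    elif wpa is not None:
        sec, gen = parse_security_ie(wpa, WPA_OUI), "WPA"
    elif capability & CAP_PRIVACY:
        return {"ssid": ssid, "class": "WEP", "pairwise": ["WEP"], "akm": []}
    else:
        return {"ssid": ssid, "class": "Open", "pairwise": [], "akm": []}
    mode = "Enterprise" if "802.1X" in sec["akm"] else "Personal"
    return {"ssid": ssid, "class": "%s %s" % (gen, mode),
            "pairwise": sec["pairwise"], "akm": sec["akm"]}


def rsn_ie(pairwise_types, akm_types, group_type=4):
    """Build an RSN element body with the given 802.11i suite type numbers."""
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group_type])
    body += struct.pack("<H", len(pairwise_types)) + b"".join(RSN_OUI + bytes([t]) for t in pairwise_types)
    body += struct.pack("<H", len(akm_types)) + b"".join(RSN_OUI + bytes([t]) for t in akm_types)
    return body + struct.pack("<H", 0)          # RSN capabilities


def build_beacon(ssid, privacy=False, rsn=None):
    """Constructed beacon: FC 0x0080 (management/beacon), broadcast DA, AP as SA and BSSID."""
    bssid = bytes.fromhex("00112233aabb")
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (CAP_PRIVACY if privacy else 0))
    ies = bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96]) + bytes([3, 1, 6])
    if rsn is not None:
        ies += bytes([48, len(rsn)]) + rsn
    return hdr + fixed + ies


# Constructed sample beacons covering the four Table 1 rows.
SAMPLES = {
    "open": build_beacon(b"Airport-Free"),
    "wep": build_beacon(b"HomeNet", privacy=True),
    "wpa2_psk": build_beacon(b"CorpGuest", privacy=True, rsn=rsn_ie([4], [2])),
    "wpa2_eap": build_beacon(b"CorpNet", privacy=True, rsn=rsn_ie([4, 2], [1])),
}


def classify_samples():
    return {name: classify_beacon(frame)["class"] for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_beacon(frame))
```

The same decoder applies to probe responses and (re)association requests, which carry the same elements; the association request is the one that tells you which of the advertised suites the suspect's client actually selected.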

Unfortunately, in this scenario the IP header (layer 3) is not available to reveal the connection end points, that is, who the suspect is communicating with and vice versa. This is not the case in wired networks, where there is usually no layer 2 encryption in place.

Tools like fl0p [ref 17] can be very useful for this kind of encrypted traffic analysis. Fl0p is a passive layer 7 flow fingerprinting tool that examines the sequence of client-server exchanges, their relative payload sizes and the intervals between them, and matches this information against a database of traffic pattern signatures to infer facts about encrypted sessions: login failures, whether actions are human or automated (even specific security settings or the presence of user prompts, deduced from timing), evasion techniques, anomalies and the protocols in use.

Additionally, in a wireless network it is trivial for an unauthorized user to impersonate a valid one when only MAC address filtering is in place: the suspect can access the network and exchange data simply by spoofing the MAC address of a valid client. Here the examiner's main challenge is to distinguish the traffic generated by the suspect from that of the legitimate user.

Passive traffic analysis and fingerprinting can make it feasible to tell several stations apart at the operating system and at the wireless stack level. This only works if the unauthorized and the authorized users are not using identical equipment, that is, the same operating system version, wireless card and drivers.
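One wireless stack-level observable that can separate two radios sharing a MAC address is the 802.11 sequence counter, which every station maintains independently. The code below is an added example of that heuristic; the article does not name it, and the frames, addresses and counter values are constructed rather than captured.

```python
"""Telling two stations with the same MAC address apart by sequence numbers.

Added example; the article does not name this heuristic. Each 802.11 station
keeps its own 12-bit sequence counter (Sequence Control field, header bytes
22-23, counter in the upper 12 bits), so frames from two radios claiming one
source address appear as two interleaved counters. The header is in the
clear, so this works on encrypted data frames. All frames are constructed.
"""
import struct

SEQ_MODULUS = 4096


def seq_number(frame):
    """Sequence number of a data or management frame (fragment number dropped)."""
    return struct.unpack_from("<H", frame, 22)[0] >> 4


def data_frame_header(sa, seq):
    """Constructed to-DS data frame header: FC type 2 + ToDS, then BSSID, SA, DA."""
    bssid, da = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccddee")
    return struct.pack("<HH", 0x0108, 0) + bssid + sa + da + struct.pack("<H", seq << 4)


def split_streams(seqs, window=16):
    """Greedy assignment: a frame continues the stream whose last number it most
    closely follows (mod 4096) within `window`; otherwise it opens a new stream.
    Retransmissions (delta 0) and small losses stay within one stream."""
    streams = []                                   # each entry: [last_seq, frame_count]
    for seq in seqs:
        best, best_delta = None, None
        for stream in streams:
            delta = (seq - stream[0]) % SEQ_MODULUS
            if delta <= window and (best is None or delta < best_delta):
                best, best_delta = stream, delta
        if best is None:
            streams.append([seq, 1])
        else:
            best[0], best[1] = seq, best[1] + 1
    return streams


def suspect_spoofing(frames, src):
    """(number of counters, frames per counter) for frames whose addr2 is `src`.
    More than one counter means more than one radio is using that address."""
    streams = split_streams([seq_number(f) for f in frames if f[10:16] == src])
    return len(streams), [count for _, count in streams]


# Constructed capture: the legitimate client (counter around 100, with one
# retransmission and one lost frame) interleaved with a spoofer (counter around 2000).
VICTIM = bytes.fromhex("00aabbccdd01")
INTERLEAVED = [100, 101, 2000, 102, 102, 2001, 104, 2002, 105, 106, 2003, 107]


def constructed_capture():
    return [data_frame_header(VICTIM, s) for s in INTERLEAVED]


if __name__ == "__main__":
    print(suspect_spoofing(constructed_capture(), VICTIM))
```

QoS data frames keep one counter per traffic class, and some drivers and firmware reset or reuse counters, so a second counter is a lead to corroborate with the OS and wireless stack fingerprinting discussed next, not proof by itself.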

Passive OS fingerprinting can be performed with tools like p0f [ref 18]. For the reasons already stated in this paper, active OS fingerprinting tools like nmap or SinFP (although the latter also has a passive mode) are not recommended from a forensic perspective. All of these tools base their results on OS-specific idiosyncrasies at layers 3 and 4 (TCP/IP), so if the wireless traffic is encrypted at layer 2 they cannot reach any conclusion.

Wireless stack fingerprinting (at the chipset and device driver level) can overcome the encryption constraint, since it relies on 802.11 behaviour that is visible in the clear. It is applied through advanced passive and active analysis of 802.11 traffic, some of which has been implemented in the lib802finger tool [ref 19].

Wireless anti-forensic techniques

Just as computer forensics has to contend with many techniques and tools whose goal is to thwart an investigation, once wireless forensics techniques are widely adopted, new wireless anti-forensic methods will appear. The information in this section can help investigators understand what they may be up against.

Anti-forensics is the science of evading forensic analysis. In the wireless field it is commonly accomplished with basic methods, such as using channels that are illegal in the region (like channel 14 in the US and Europe, which locally sold cards and drivers will typically refuse to tune to) or strong layer 2 encryption (as covered above).

However, there are advanced stealth wireless techniques which, although not designed for anti-forensic purposes, could give the suspect an advantage if the examiner is not aware of them, such as covert channels and modifications of the 802.11 specification.

Raw Covert [ref 20] is a proof-of-concept tool that uses the raw injection capabilities of current Linux drivers in monitor mode to embed information in 802.11 control frames. Specifically, the data is encoded in the receiver address (RA) field of ACK frames, which makes for a very stealthy channel because wireless monitoring tools do not tend to inspect ACK frames. The same concept could be implemented with other fields and control frames, such as CTS, RTS or PS-Poll, or even in 802.11 management, data or invalid frames.

The WiFi Advanced Stealth Patches [ref 21] are proof-of-concept patches for the Linux madwifi-ng driver (Atheros chipsets) that implement a new stealth "proprietary" protocol by tweaking the 802.11 MAC layer. A modified 802.11 stack can only communicate with another modified stack; one patch changes the 802.11 protocol version field and the other the frame type field of the Frame Control header. Although it uses the standard 802.11 PHY layer (the same frequency bands), wireless sniffers and IDS are not able to identify this proprietary traffic.
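As an added example covering both tools above (not part of the article, of Raw Covert or of the stealth patches), the detector below flags the two behaviours they exhibit: ACK frames whose receiver address never transmits anything, and Frame Control values a standard 802.11 stack never emits (a nonzero protocol version, or the reserved frame type 3). The capture it runs on, including the covert message and the addresses, is constructed.

```python
"""Flagging Raw Covert-style ACK channels and non-standard Frame Control values.

Added example, not part of the article or of the tools it describes; it is a
detector for the two behaviours the article states. Raw Covert stores payload
bytes in the receiver address of ACK frames, so such ACKs acknowledge
addresses that never transmit. The stealth patches change the protocol
version and frame type bits of Frame Control, which a standard stack never
does (version must be 0, type 3 is reserved). All frames are constructed.
"""
import struct

ACK_FC0 = 0xD4                       # subtype 13, type 1 (control), version 0
TYPE_DATA, TYPE_CONTROL, TYPE_RESERVED = 2, 1, 3


def frame_control(frame):
    """(protocol version, type, subtype) from the first Frame Control byte."""
    fc = frame[0]
    return fc & 0x03, (fc >> 2) & 0x03, fc >> 4


def ack(ra):
    """ACK frame: FC(2) + duration(2) + RA(6); FCS omitted."""
    return bytes([ACK_FC0, 0x00]) + struct.pack("<H", 0) + ra


def covert_ack(payload6):
    """Raw Covert-style ACK: six payload bytes take the place of the RA."""
    return ack(payload6)


def data_frame(ta, ra, seq=0):
    """Constructed data frame header: addr1 = RA, addr2 = TA, addr3 = RA."""
    return bytes([0x08, 0x01]) + struct.pack("<H", 0) + ra + ta + ra + struct.pack("<H", seq << 4)


def stealth_frame(version, ftype):
    """Frame whose Frame Control carries a non-standard version or type."""
    return bytes([(version & 0x03) | ((ftype & 0x03) << 2), 0x00]) + bytes(22)


def analyse(frames):
    """Pass 1 learns which addresses transmit (addr2 of management/data frames);
    pass 2 flags ACKs to strangers and frames outside the 802.11 standard.
    Returns a list of (frame index, description)."""
    transmitters = set()
    for f in frames:
        version, ftype, _ = frame_control(f)
        if version == 0 and ftype in (0, TYPE_DATA) and len(f) >= 16:
            transmitters.add(f[10:16])
    findings = []
    for i, f in enumerate(frames):
        version, ftype, subtype = frame_control(f)
        if version != 0:
            findings.append((i, "nonzero protocol version %d" % version))
        elif ftype == TYPE_RESERVED:
            findings.append((i, "reserved frame type 3"))
        elif ftype == TYPE_CONTROL and subtype == 13 and f[4:10] not in transmitters:
            findings.append((i, "ACK to unknown station %s" % f[4:10].hex()))
    return findings


def recover_covert_payload(frames):
    """Concatenate the RA fields of the flagged ACKs: the raw channel content."""
    flagged = sorted(i for i, msg in analyse(frames) if msg.startswith("ACK"))
    return b"".join(frames[i][4:10] for i in flagged)


# Constructed capture: normal traffic, then two covert ACKs and two stealth frames.
AP, STA = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccdd01")
MESSAGE = b"exfil-data!!"


def constructed_capture():
    frames = [data_frame(STA, AP, 1), ack(STA), data_frame(AP, STA, 7), ack(AP)]
    frames += [covert_ack(MESSAGE[i:i + 6]) for i in range(0, len(MESSAGE), 6)]
    frames.append(stealth_frame(version=1, ftype=TYPE_DATA))
    frames.append(stealth_frame(version=0, ftype=TYPE_RESERVED))
    return frames


if __name__ == "__main__":
    for index, finding in analyse(constructed_capture()):
        print(index, finding)
```

Building the set of transmitters over the whole capture keeps false positives down, but a sniffer that missed a station's data frames (hidden node, other channel) will still see legitimate ACKs to it as unknown, so the ACK finding is a trigger for closer inspection rather than a verdict.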

From a forensic perspective, it is necessary to be aware of these tools, and of similar future techniques, in order to analyze in depth the wireless communications associated with a given case.

Legal considerations

One need not be a lawyer to see that some of the tasks a wireless forensic analyst must perform could be considered illegal, or at least fall in a legal grey area: capturing the network traffic, breaking the network encryption key or, obviously, active tasks such as traffic injection to speed up WEP key recovery.

In general, it is illegal in both the U.S. and most European countries to intercept wireless traffic without the consent of at least one (and sometimes all) of the parties to a communication, subject to certain exceptions provided by the applicable law, such as interception by law enforcement under a warrant or court order, or interception by the network operator or service provider in order to manage its business.

Monitoring or scanning wireless traffic simply to identify the networks in an area, since it does not involve capturing message contents or the traffic data of specific communications (where the legal restrictions become really strict), could well be legal in most countries.

Traffic acquisition must be carried out after receiving proper authorization, typically a search warrant (or other legal process). It is mainly regulated in the U.S. by the Communications Assistance for Law Enforcement Act (CALEA) of 1994 [ref 22] and in Europe by the European Council Resolution of 17 January 1995 on the Lawful Interception of Telecommunications (Official Journal C 329) [ref 23].

Three U.S. federal statutes govern the interception, access, use, disclosure and privacy protection of wire and electronic communications. The stored communications provisions of the Electronic Communications Privacy Act of 1986 (ECPA; the Stored Communications Act, 18 U.S.C. §§ 2701-2712) [ref 24] cover communications at rest. Real-time interception, as in wireless networks, is covered by the Pen/Trap Statute, 18 U.S.C. §§ 3121-3127 [ref 24], which is centered on addressing information (such as 802.11 protocol headers), and by the Wiretap Statute ("Title III"), 18 U.S.C. §§ 2510-2522 [ref 24], which is centered on the contents of communications.

Similar laws apply worldwide. At the European level, the Council of Europe's Convention on Cybercrime [ref 25] makes interception without right, by technical means, a criminal offence (Chapter II, Section 1, Article 3, Illegal interception), and Article 13 requires each Party to adopt effective, proportionate and dissuasive sanctions against these acts, which may include deprivation of liberty.

At the country level, national laws apply. Spanish law, similar in this respect to the U.S. Code (Title 18, § 2511(1)), prohibits the eavesdropping, use and disclosure of others' communications (including electronic ones) in Article 197.1, second paragraph, of the Criminal Code [ref 26]. Other European countries apply similar statutes, such as Section 1 of the Regulation of Investigatory Powers Act 2000 (RIPA) in the UK [ref 27], or Section 206 of the Criminal Code [ref 28] and Section 89 of the Telecommunications Act [ref 29] in Germany, to cite some examples.

All these laws prohibit unlawful monitoring and disclosure of the content of communications, and require law enforcement to follow proper procedures when reviewing electronic communications, such as the search and seizure procedures for electronic evidence detailed in the U.S. DoJ manual "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" [ref 24], specifically its sections III and IV on electronic communications and surveillance.

The wireless forensic examiner should monitor communications through lawful interception (LI). Besides following the laws and regulations of the country where the case takes place, technical bodies such as the IETF and ETSI have produced specifications describing LI procedures and solutions, such as RFC 3924 [ref 30] and Eve(™) [ref 31] respectively.

Finally, when dealing with legal issues related to wireless technologies, it is important to consider not only the legal requirements for data acquisition but also other aspects, such as the liability of a wireless network's owner for inadequate security. This was suggested by a case decided by the Hamburg State Court (Landgericht Hamburg) in Germany in July 2006 [ref 33], in which an unsecured open wireless connection was used to trade copyrighted music with P2P software: although the owner of the connection denied responsibility, the court found him liable because the connection had not been protected. In a similar digital-rights case in Sweden, the suspect was acquitted after declaring that he ran an unsecured wireless network; as the expert witness testified, breaking into such a network is trivial, so anyone could have downloaded the copyrighted content [ref 32]. Everyone sharing an Internet connection through an open wireless network is therefore in a legal grey area.

Concluding part two

Wireless forensics is a relatively new field, but as computer intrusions become more common through this communication medium, new techniques, tools and laws are required to manage the acquisition and analysis of wireless data.

In the first article of the series, the main technical challenges, tools and best practices for wireless traffic acquisition were described. This second article focused on the technical challenges of wireless traffic analysis, described advanced scenarios where anti-forensic techniques could be used, and covered the laws relevant to wireless forensics in both the US and Europe. Wireless technologies in legal cases are still a brand new field to explore, and, remember, attackers don't follow the laws.

Most of the challenges, technical considerations and best practices covered in this article can also be applied to other wireless security fields, such as wireless IDS or wireless honeypots, and can be extended to other wireless data technologies, such as Bluetooth and WiMAX.

References

[ref 1] Sandstorm NetIntercept. http://www.sandstorm.net/products/netintercept/
[ref 2] Niksun NetVCR. http://www.niksun.com/Products_NetVCR.htm
[ref 3] eTrust Network Forensics. http://www3.ca.com/solutions/Product.aspx?ID=4856
[ref 4] "Summary of tools commonly used to support network forensic investigations". http://searchsecurity.techtarget.com/searchSecurity/downloads/NetworkForensicToolsSidebar.pdf

[ref 5] Wireshark & tshark. http://www.wireshark.org
[ref 6] ngrep (network grep). http://ngrep.sourceforge.net
[ref 7] tcpdump. http://www.tcpdump.org
[ref 8] “Pcap files containing a roaming VoIP session”. http://www.raulsiles.com/downloads/VoIP_roaming_session.zip
[ref 9] “Two attacks against VoIP”. Peter Thermos. April 2006. http://www.securityfocus.com/print/infocus/1862
[ref 10] “Pcap file containing traffic from multiple channels and captured from a single channel, 9”. http://www.raulsiles.com/downloads/multi_channel_beacons.pcap
[ref 11] “Wireshark & Ethereal Network Protocol Analyzer Toolkit”. Angela Orebaugh, Gilbert Ramirez, Jay Beale (Series Editor). Syngress. ISBN: 1597490733. Chapter 5 – “Filters”: http://www.syngress.com/book_catalog/377_Eth_2e/sample.pdf
[ref 12] Honeysnap. The Honeynet Project. 2006. http://www.honeynet.org/tools/honeysnap/
[ref 13] Aircrack-ng. Christophe Devine (aircrack) et al (ng). http://www.aircrack-ng.org
[ref 14] CoWPAtty version 3.0. Joshua Wright. http://cowpatty.sourceforge.net
[ref 15] CoWPAtty version 4.0 (includes WPA2/PSK support). Church of WiFi. August 2006. http://www.churchofwifi.org/FileLib/9-cowpatty-4.0.zip
[ref 16] “802.11i. Amendment 6: Medium Access Control (MAC) Security Enhancements”. IEEE. July 2004. http://standards.ieee.org/getieee802/download/802.11i-2004.pdf
[ref 17] “Fl0P: a passive L7 flow fingerprinter”. Michal Zalewski. December 2006. http://lcamtuf.coredump.cx/soft/fl0p-devel.tgz
[ref 18] “P0f v2: a versatile passive OS fingerprinting tool”. Michal Zalewski. September 2006. http://lcamtuf.coredump.cx/p0f.shtml
[ref 19] “lib802finger: 802.11 implementation fingerprinting“. Johnny Cache. September 2006. http://www.802.11mercenary.net/lib802finger/ and http://www.802.11mercenary.net/~johnycsh/publications/06Sep_Ellch.pdf and http://www.uninformed.org/?v=5&a=1&t=sumry
[ref 20] Raw Covert. Laurent Butti. 2006. http://rfakeap.tuxfamily.org/#Raw_Covert and http://www.shmoocon.org/2006/presentations/Shmoo2006-Butti-Veysset-WiFi-1.pdf
[ref 21] WiFi Advanced Stealth Patches. Laurent Butti and Franck Veysset. 2006. http://rfakeap.tuxfamily.org/#WiFi_Advanced_Stealth_Patches and http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Veyssett.pdf
[ref 22] “Communications Assistance for Law Enforcement Act (CALEA). Pub. L. No. 103-414, 108 Stat. 4279”. USA. 1994. http://www.askcalea.com
[ref 23] “European Council Resolution of 17 January 1995 on the Lawful Interception of Telecommunications (Official Journal C 329)”. Europe. 1995. http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31996G1104:EN:HTML
[ref 24] “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”. Computer Crime and Intellectual Property Section. Criminal Division. United States Department of Justice (US DoJ). July 2002. http://www.cybercrime.gov/s&smanual2002.htm
[ref 25] “Convention on Cybercrime”. Budapest, 23.XI.2001. Council of Europe (COE). http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm and http://www.coe.int/T/E/Com/Files/Themes/Cybercrime/default.asp
[ref 26] “Artículos del Código Penal Español referentes a Delitos Informáticos”. Ley-Orgánica 10/1995, de 23 de Noviembre. BOE número 281, de 24 de Noviembre de 1.995.Artículo 197. http://delitosinformaticos.com/legislacion/espana.shtml
[ref 27] “Regulation of Investigatory Powers Act 2000 (RIPA)”. Chapter 23. Crown. 2000. UK. http://www.opsi.gov.uk/Acts/acts2000/20000023.htm
[ref 28] “Section 206 of the German Criminal Code”. Federal Ministry of Justice. 13 November 1998. Germany. http://www.iuscomp.org/gla/statutes/StGB.htm#206
[ref 29] “Section 89 of the German Telecommunications Act”. Federal Regulatory Authority for Telecommunications and Posts. 25 July 1996. Germany. http://www.iuscomp.org/gla/statutes/TKG.htm#89
[ref 30] “Cisco Architecture for Lawful Intercept in IP Networks”. RFC3924. IETF. October 2004.
[ref 31] "The EVE™ Lawful Interception Solution". TIIT & ETSI. http://www.lawfulinterception.com/products.php
[ref 32] “Expert witness frees suspect sharing files under trial”. Stockholm. Sweden. October 2006. http://www.bitcopy.se/gfx/DOM_Mal_B8799-05.pdf (in Swedish)
[ref 33] “Unencrypted WLAN can become expensive!”. German court case 308 O 407 / 06. Landgericht Hamburg. http://www.lampmannbehn.de/wlan.html (in German)

About the author

Raul Siles is a senior independent security consultant based in Spain and a SANS certified instructor. His current security research interests, related with this article, include wireless security, incident handling and computer forensics, and VoIP security. He is one of the few individuals who have earned the GIAC Security Expert (GSE) designation. More information can be found on his website, www.raulsiles.com.


© 2007 SecurityFocus
