The development of information technology is inevitably accompanied by the illegal use of that technology. This article describes a study of wireless network security using the Moscow Metro Wi-Fi network as an example. The result of the study is access to the Internet without passing the mandatory identification procedure prescribed by the regulatory acts of the Russian Federation.
This study is exclusively a scientific and technical experiment.
Introduction
Information technologies have firmly entered our lives and occupy more and more space in them every day. According to the German analytics company Statista, more than 3.7 billion people in the world currently have a connection to the global Internet, while more than 2.8 billion use smartphones and other portable devices to access the Internet and perform their daily tasks [1].
However, such rapid and large-scale development of technology opens up not only additional opportunities for the world community, but is also accompanied by a number of new global threats. At the end of the 20th century, a completely new phenomenon emerged in the field of information technology: computer terrorism, or cyberterrorism, which uses computers, electronic networks and the latest information technologies to achieve its criminal goals [2]. Cyberterrorism should be understood first of all as a set of unlawful actions related to threats to the security of individuals, society and the state, destructive actions against material objects, distortion of objective information, or other actions aimed at gaining an advantage in solving political, economic or social problems.
A bit of history
Cyberterrorism originated during the Cold War. At the international level, the first cyber attack was carried out by the CIA in 1982 by introducing a Trojan into the control system of the Siberian oil pipeline, which led to a powerful explosion.
Nowadays, cyberterrorism is considered one of the most dangerous threats to humanity and is classified as a crime in the vast majority of countries around the world. For example, one of the provisions of the draft cybersecurity strategy of the Russian Federation is “increased accountability for cybercrime” and “ensuring the safety of critical infrastructure” [3]. In addition, the 2016 Information Security Doctrine of the Russian Federation emphasizes that “the possibilities of cross-border information exchange are increasingly used to achieve geopolitical, military-political, as well as terrorist, extremist, criminal and other unlawful goals contrary to international law, to the detriment of international security and strategic stability”. The doctrine also emphasizes that “various terrorist and extremist organizations widely use mechanisms of informational influence on individual, group and public consciousness in order to fuel interethnic and social tensions, incite ethnic and religious hatred or enmity, propagate extremist ideology, and also attract new supporters to terrorist activity” [4].
Thus, it becomes obvious that the development of information technologies is necessarily accompanied by the unlawful use of these technologies, which means that the responsibility for their unlawful use must be consolidated at the legislative level.
In particular, it is worth paying attention to the rapid growth of wireless Wi-Fi networks in the world, and in Russia in particular. For example, in 2014 a wireless network was launched in the Moscow Metro, allowing passengers to access the Internet while “underground”.
Naturally, widespread free Internet access had to be regulated in order to ensure security, and cyber security in particular. Therefore, on May 5, 2014, Federal Law No. 97-FZ “On Amendments to the Federal Law ‘On Information, Information Technologies and Information Protection’ and Certain Legislative Acts of the Russian Federation on Streamlining the Exchange of Information Using Information and Telecommunication Networks” was adopted, and on July 31, 2014, Decree of the Government of the Russian Federation No. 758 “On Amendments to Certain Acts of the Government of the Russian Federation in Connection with the Adoption of the Federal Law ‘On Amendments to the Federal Law “On Information, Information Technologies and Information Protection” and Certain Legislative Acts of the Russian Federation on Streamlining the Exchange of Information Using Information and Telecommunication Networks’” followed. These acts, firstly, defined the concept of an “organizer of information dissemination on the Internet” and, secondly, spelled out its duty to store information about “facts of reception, transmission, delivery and (or) processing of voice information, written text, images, sounds or other electronic messages of Internet users”.
In 2015 the network began to “grow”: access points started appearing at ground transport stops [5], and in 2017 Almatel won the tender to provide, by the end of 2018, Wi-Fi access in all of Moscow's parks.
In addition, the laws clearly stated the need to identify users who use points of collective access to the Internet. The primary purpose of adopting these laws was, above all, to increase security, since, otherwise, an anonymous connection to the Internet in public places would allow illegal actions to be carried out with impunity [6, 7].
However, ensuring the unambiguous identification of more than 1.5 million users who use, for example, free wireless Internet access in the Moscow metro is not an easy task. It is even more difficult to associate a specific device used to access the Internet with a specific user.
Formulation of the problem
Currently, the popular “captive portal” technology is used to identify users of the Moscow Metro wireless network. Its essence is that the user is required to perform a certain number of actions before gaining access to the Internet. A simplified diagram of network interaction using this technology is shown in Fig. 1.
For example, in the Moscow Metro, user identification is carried out either by verifying identity through a mobile phone number or through the unified portal of state services of the Russian Federation. The first method is the most popular among users, primarily because of its simplicity.
Fig. 1. Using captive portal technology to identify users on the Internet.
The following equipment was used in the study: a Lenovo ThinkPad T440s laptop running Debian GNU/Linux 9.0.2 with tcpdump 4.9.2, Wireshark 2.2.6 and the Aircrack-ng 1.2 package, and a Redmi 4 smartphone running Android 6.0. The experiment was conducted in the Moscow Metro.
The essence of the study was to identify the parameters checked by the identification system. It was assumed that, once these parameters were known, it would be possible to present false information about the connecting device to the identification system, that is, to connect to the Internet without identification.
The purpose of the study is to find a vulnerability in the system of identification of users of the Moscow Metro wireless network.
Objectives of the study:
- Identification of critical connection parameters assessed by the system.
- Evaluation of the impact of changes in the obtained critical parameters on the behavior of the system.
- Identification of the algorithm of the Moscow Metro identification system.
- Development of the final algorithm for obtaining unauthorized access to the Moscow Metro wireless network.
When analyzing the system, a black box testing strategy or behavioral testing was chosen.
The object of the study is the wireless Internet access system; the subject of the study is its identification system.
Portable mobile devices contain several unique parameters on which an identification system can be built. The first parameter is the International Mobile Equipment Identity (IMEI), a number (usually 15 digits in decimal representation) unique to each device that carries it. It is used in cellular networks of the GSM, WCDMA and iDEN standards. This parameter is not well suited for identification in public Wi-Fi networks, because not all devices have it.
The second unique parameter, regulated by the IEEE 802.11 standard, is the Media Access Control (MAC) address: a unique identifier assigned to each piece of active network equipment, or to some of its interfaces, in Ethernet networks. This parameter is better suited for unique identification of users, since it is present in every mobile device that has a Wi-Fi interface.
The following were identified as the input parameters of the system: the device from which Internet access is requested and its MAC address.
At the output of the system, the user either has access to the Internet or is asked to confirm his identity.
Thus, the task of the study was reduced to changing the input parameters (MAC addresses and device models) in order to gain access to the Internet without passing identification (see Fig. 2).
Fig. 2. Black box strategy in the study of the user identification system in public Wi-Fi networks.
The methodology of the experiment
The next stage of the study, in accordance with the chosen black box method, was to change one of the input parameters of the system. It was decided to change the physical address of the device that was to obtain network access to the address of a device that already had it. Since Wi-Fi wireless networks use a radio channel for data transmission, the aircrack-ng suite for assessing wireless network security was used for this purpose.
Using the airmon-ng utility, the wireless network card of the device was switched to monitor mode (that is, capture of all network packets within the radio range of the card). Then, using the tcpdump utility, a number of network packets exchanged between the access point in the subway car and all the devices connected to it at that moment were captured.
From the collected network data packets, the physical addresses of the connected user devices were extracted, after which the MAC address of the device on which you want to access the network was changed to one of the previously received ones and an attempt was made to connect to the Moscow Metro wireless network. As a result, the identification system identified the device as already authenticated, and did not require entering a phone number.
Experimental results
| Experiment No. | X1 (device) | X2 (MAC address) | Note |
|---|---|---|---|
| 1 | Lenovo ThinkPad T440s laptop | da:a1:19:20:bb:6 | Authentication in the wireless access network was completed in the authorized way (identity confirmation by SMS). |
| 2 | Xiaomi Redmi 4 | da:a1:19:20:bb:6f | The device that had not been authenticated on the network was set to the MAC address of the authenticated device. |
| 3 | Lenovo ThinkPad T440s laptop | aa:aa:aa:aa:aa:aa | A randomly generated MAC address was set on the device that had passed identification. |
| 4 | Xiaomi Redmi 4 | aa:aa:aa:aa:aa:aa | A randomly generated MAC address was set on the device that had not been authenticated on the network. |
| 5 | Xiaomi Redmi 4 | b2:3d:8a:60:4f:7d | The device that had not been authenticated on the network was set to a MAC address obtained from the packets circulating on the network (tcpdump, network card in monitor mode). |
| 6 | Xiaomi Redmi 4 | 80:ea:96:c3:52:91 | The device that had not been authenticated on the network was set to a MAC address obtained from the packets circulating on the network (tcpdump, network card in monitor mode). |
| Experiment No. | Y1 (result) | Note |
|---|---|---|
| 1 | Access granted | Identification passed in the authorized way. |
| 2 | Access granted | Network access obtained in an unauthorized way (without identification of the device). |
| 3 | No access | Network access not granted (authentication required). |
| 4 | No access | Network access not granted (authentication required). |
| 5 | Access granted | Network access obtained in an unauthorized way (without identification of the device). |
| 6 | Access granted | Network access obtained in an unauthorized way (without identification of the device). |
Analysis of the results
Thus, the study found that direct identification of the user, with a request for his personal data, is performed only at the first connection. On subsequent connections the system identifies the device by its physical (MAC) address, which is recorded in the database at the first connection and mapped to the personal data the user provided.
A simplified algorithm of the system for identifying users of the Moscow Metro wireless network is shown in Fig. 3.
Fig. 3. Simplified algorithm of the system for identifying users of the Moscow Metro wireless network.
Thus, it was concluded that the physical address (MAC address) of the device is the only parameter affecting the state of the system.
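Because the system keys on the MAC address alone, the operator's side can only catch a reused address by looking for behaviour a single device cannot produce. The following detector is an added example, not code from the article: it reads a constructed association log (timestamp, access point, station MAC, DHCP hostname; the format and field names are assumptions) and flags a MAC that is associated in two cars at once or that reappears with a different device fingerprint, and it also marks addresses carrying the IEEE 802 locally administered bit, which software-assigned addresses such as aa:aa:aa:aa:aa:aa carry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of access-point association events (not from the article):
# "<ISO timestamp> <assoc|disassoc> <AP id> <station MAC> <DHCP hostname>".
# The same MAC appears in two metro cars at once with two different hostnames.
SAMPLE_LOG = """
2017-11-05T10:00:00 assoc car-0101 da:a1:19:20:bb:6f thinkpad-t440s
2017-11-05T10:02:00 assoc car-0207 da:a1:19:20:bb:6f redmi4
2017-11-05T10:05:00 disassoc car-0101 da:a1:19:20:bb:6f thinkpad-t440s
2017-11-05T10:06:00 assoc car-0311 80:ea:96:c3:52:91 iphone
2017-11-05T10:10:00 disassoc car-0207 da:a1:19:20:bb:6f redmi4
""".strip().splitlines()


def is_locally_administered(mac: str) -> bool:
    """IEEE 802: bit 0x02 of the first octet marks a locally administered
    (software-assigned or randomised) address rather than a vendor-burned one."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_log(lines):
    events = []
    for line in lines:
        ts, event, ap, mac, host = line.split()
        events.append((datetime.fromisoformat(ts), event, ap, mac.lower(), host))
    return sorted(events)


def detect_spoofing(lines):
    """Return (mac, reason) findings for a MAC that is in use at two access
    points at the same time or that reappears with a different device fingerprint."""
    findings = []
    active = defaultdict(dict)   # mac -> {ap: hostname} for open associations
    last_host = {}               # mac -> hostname seen at its previous association
    for _ts, event, ap, mac, host in parse_log(lines):
        if event == "disassoc":
            active[mac].pop(ap, None)
            continue
        other_aps = [a for a in active[mac] if a != ap]
        if other_aps:
            findings.append((mac, f"associated at {other_aps[0]} and {ap} simultaneously"))
        if mac in last_host and last_host[mac] != host:
            findings.append((mac, f"fingerprint changed: {last_host[mac]} -> {host}"))
        active[mac][ap] = host
        last_host[mac] = host
    return findings


if __name__ == "__main__":
    for mac, reason in detect_spoofing(SAMPLE_LOG):
        flag = "locally administered" if is_locally_administered(mac) else "vendor-assigned"
        print(f"{mac} ({flag}): {reason}")
```

On the sample log the detector reports the shared address twice (concurrent association and changed fingerprint) and leaves the single-car vendor-assigned address alone.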
In addition, it should be noted that among the roughly two hundred MAC addresses obtained from the data packets circulating on the network, there were two which, when connected to the network, did not require the confirmation of user activity that the system normally requests every 20 minutes. These addresses were found by running the following script with superuser rights:
```bash
#!/bin/bash
# Reads MAC addresses one per line from the file given as the first argument,
# assigns each one to the wireless interface and checks whether the Internet
# is reachable with it; the original text ran this with superuser rights.
file="$1"
iface="wlp3s0"
while IFS= read -r line; do
    sudo service NetworkManager stop
    sudo ip link set "$iface" down
    sudo ip link set "$iface" address "$line"
    sudo ip link set "$iface" up
    sudo service NetworkManager start
    sleep 12   # give the interface time to reassociate and obtain an address
    list=$(sudo ping -i 0.1 -s 1 -w 1 -c 5 ya.ru | grep ttl)
    if [ "$list" != "" ]; then
        echo "$line"
    else
        echo "Not found"
    fi
done < "$file"
```
Based on the experiment, a final algorithm was developed for attacking the user identification system of the Moscow Metro wireless access network. The algorithm is shown in Fig. 4.
Fig. 4. The final algorithm of the attack on the identification system.
Conclusion
Summing up, we can say that the research goal was achieved, namely obtaining anonymous (from the attacker's point of view) access to the Internet, since the device that received network access has a physical address associated with the device and personal data (in this case, the mobile phone number) of another user.
Obviously, this method can easily be used for unlawful purposes by almost anyone. The ease of use of the method, combined with the resulting anonymous access to the Internet, can pose a threat to the security of an individual, of society and of the state; therefore, under the worst possible circumstances, we can speak of an act of cyberterrorism with all the ensuing consequences.
That is why, in order to ensure safe and reliable identification of wireless network users and to meet the requirements of the federal laws mentioned above, it is necessary to develop a new, more reliable and secure method of identifying users.
The article is a joint work with Sergey Dmitriyevich Volkov, a graduate student of the Department of Information Security of FSBEI HE MGLU.
List of sources
1. Number of smartphone users worldwide from 2014 to 2020 (in billions). Internet resource. Available at: www.statista.com/statistics/330695/number-of-smartphone-users-worldwide (accessed 05.11.2017)
2. Ivanov S.M., Tomilo O.G. “Cyberterrorism: a threat to national and international security.” Internet resource. Available at: www.arms-expo.ru/news/archive/kiberterrorizm-ugroza-nacional-noy-i-mezhdunarodnoy-bezopasnosti14-03-2013-18-35-00 (accessed 05.11.2017)
3. Draft Concept of the Cybersecurity Strategy of the Russian Federation. Internet resource. Available at: council.gov.ru/media/files/41d4b3dfbdb25cea8a73.pdf (accessed 06.11.2017)
4. Decree of the President of the Russian Federation of 05.12.2016 No. 646 “On Approval of the Doctrine of Information Security of the Russian Federation”. Internet resource. Available at: kremlin.ru/acts/bank/41460 (accessed 06.11.2017)
5. A single Wi-Fi network has been launched in the metro and on ground transport. Internet resource. Available at: www.mos.ru/news/item/16803073 (accessed 06.11.2017)
6. Federal Law of 05.05.2014 No. 97-FZ (as amended on 29.07.2017) “On Amendments to the Federal Law ‘On Information, Information Technologies and Information Protection’ and Certain Legislative Acts of the Russian Federation on Streamlining the Exchange of Information Using Information and Telecommunication Networks”. Internet resource. Available at: www.consultant.ru/document/cons_doc_LAW_162586 (accessed 06.11.2017)
7. Resolution of the Government of the Russian Federation of July 31, 2014 No. 758 “On Amendments to Certain Acts of the Government of the Russian Federation in Connection with the Adoption of the Federal Law ‘On Amendments to the Federal Law “On Information, Information Technologies and Information Protection” and Certain Legislative Acts of the Russian Federation on Streamlining the Exchange of Information Using Information and Telecommunication Networks’”. Internet resource. Available at: www.consultant.ru/document/cons_doc_LAW_166893 (accessed 06.11.2017)