Attack & Defense in Wireless Networks John M. Shea April 22, 2008
Overview
- Wireless network fundamentals
- Vulnerabilities
- WING testbed
- Demonstration of a denial-of-service attack and defense

Classification: Topology
- Infrastructure: communication controlled by a base station (cellular), access point (WiFi), or master (Bluetooth)
- Ad hoc: nodes communicate directly with peers (currently used for tactical radio networks)
- Mesh: hybrid of the above (an option for WiMAX wireless municipal area networks)
Classification: Frequency Band
- Licensed: cellular phone, TV, radio, satellite
- Unlicensed: wireless LAN, Bluetooth, cordless phones
  - Unlicensed wireless networks use the Industrial, Scientific and Medical (ISM) bands:
    902 to 928 MHz (centre frequency 915 MHz)
    2.400 to 2.500 GHz (centre frequency 2.450 GHz)
    5.725 to 5.875 GHz (centre frequency 5.800 GHz)
  - Low spectral mask (limit on power spectral density) to reduce interference; anyone may transmit in these bands, so users have to tolerate each other's interference

IEEE 802.11 a/b/g/n
- The IEEE 802.11 a/b/g/n standards are for wireless local area networks (WLANs), commonly referred to as WiFi
- 802.11b/g operate in the 2.4 GHz ISM band
- 802.11a operates in the 5 GHz bands (the U-NII bands and the 5.8 GHz ISM band)
- 802.11n (still a draft in 2008) operates in either the 2.4 GHz or 5 GHz bands
Classification: Medium Access
- Medium access is how the system resources are allocated to the users
- Frequency Division (analog cellular for users; cellular and WLAN for base stations/access points)
- Time Division (GSM digital cellular)
- Code Division (CDMA digital cellular: cdma2000, WCDMA)
- Space Division: reuse frequencies over space (cellular), use directional antennas (cellular)

Medium Access
- In cellular networks, mobile stations synchronize their clocks closely with the base stations
- In wireless LANs, this is not the case
- Frequency division is used to allocate channels among access points
WiFi Channels at 2.4 GHz
- US 2.4 GHz ISM band divided into 11 overlapping channels (5 MHz channel spacing, each 802.11b channel about 22 MHz wide)
- [Figure: 2.4 GHz channel layout, from http://www.moonblinkwifi.com/2point4freq.cfm]

Medium Access
- Distributed protocol (DCF, the distributed coordination function) to allocate time among users
- Protocol based on carrier-sense multiple access with collision avoidance (CSMA/CA)
  - carrier sense => check if the channel is busy before accessing it (same as Ethernet)
  - collision avoidance => wait a random backoff after the channel goes idle, and optionally use control packets (RTS/CTS) to reserve the channel for the duration of the transmission
- Ethernet is CSMA/CD, where CD = collision detection. CD is not possible for wireless because radios cannot simultaneously transmit and receive on the same channel (their own transmission swamps the receiver)
CSMA/CA
- Sending a packet requires up to 4 different types of transmissions; each transmission unit is called a frame
- Full CSMA/CA (with RTS/CTS enabled) looks like this: RTS -> CTS -> DATA -> ACK
  RTS = Request To Send (transmitter asks for the channel)
  CTS = Clear To Send (receiver grants it)
  ACK = acknowledgment (receiver confirms the data frame)
- The Duration field in the RTS and CTS tells every other station that hears either of them how long to stay quiet (it sets their network allocation vector, NAV); stations that hear only the CTS still defer, which is how hidden terminals are handled
- [Figure from IEEE 802.11: RTS/CTS/DATA/ACK exchange and NAV setting; figure text not recoverable]
- If the CTS is not received or the ACK is not received, the transmitter assumes the loss was due to a collision with other transmissions
- A backoff timer is started to try to prevent future collisions; each failure doubles the contention window (binary exponential backoff), so a few losses make the sender wait a long time before retrying
WiFi Vulnerabilities: Interference
- ISM bands are unlicensed, with many users: microwave ovens, cordless phones, Bluetooth headsets
- Nearby access points need to be on different non-overlapping channels
- Only 3 non-overlapping channels are available in the US 2.4 GHz band: 1, 6, 11

WiFi Vulnerabilities: Interference
- Avoiding interference can be hard:
  - Not all access points advertise their presence (broadcast their SSID); these won't show up on the list your computer displays, but they still occupy a channel
  - Use channel monitors (Kismet, KisMAC, NetStumbler, iStumbler) to detect traffic on all channels; note that these only see 802.11 frames, so non-WiFi sources (phones, microwave ovens) need a spectrum analyzer or a raw signal-level capture like the one demonstrated later
  - Interference from cordless phones can be very intermittent (some phones use frequency hopping)
WiFi Vulnerabilities: Controlling access
- Password-based methods
  - WEP = Wired Equivalent Privacy
  - badly broken, easily hackable even when configured correctly (RC4 key-stream reuse and weak-IV attacks recover the key from captured traffic in minutes)
  - made worse by manufacturers not implementing it properly
  - do not use unless you have legacy devices that do not support newer techniques, and then treat the network as untrusted

WiFi Vulnerabilities: Controlling access
- Password-based methods
  - WPA/WPA2 = Wi-Fi Protected Access; WPA was an interim profile of draft IEEE 802.11i (TKIP), WPA2 implements the full standard (AES-CCMP)
  - much, much harder to hack
  - caveat: with a pre-shared key (WPA-PSK) the key is derived from the passphrase, and a captured 4-way handshake allows an offline dictionary attack, so a short or common passphrase is still easily broken; use a long random passphrase or 802.1X/EAP authentication

WiFi Vulnerabilities: Controlling access
- Hardware access lists
  - Allow only devices with certain hardware (MAC) IDs to access the network
  - Most wireless cards allow the MAC address to be changed in software
  - MAC addresses are sent in the clear in every 802.11 frame header, even on WEP/WPA networks, so an attacker can sniff an allowed address and copy it
  - So this is easy to defeat by an attacker with a little knowledge
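The following is an added example, not code from the slides or the WING testbed, showing why a MAC access list is easy to defeat. It decodes the (unencrypted) 802.11 MAC header of captured frames, picks out a station the access point is already accepting, and builds a frame with that station's address cloned. The capture, the addresses and the frame timings are constructed for the example.

```python
"""Added illustration of why MAC-address filtering fails: 802.11 headers,
including every address field, are never encrypted, so a passive sniffer
learns an allowed station's MAC and can reuse it. Frames are hand-built."""
import struct

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}   # frame-control subtype codes
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_80211(frame):
    """Decode the MAC header of a (non-QoS, non-WDS) 802.11 control or data frame."""
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both fields little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "duration_us": duration, "protected": bool(flags & FLAG_PROTECTED),
            "addr1": mac_str(frame[4:10])}
    if ftype == 1:                      # control frames carry one or two addresses
        info["name"] = CTRL_SUBTYPES.get(subtype, "ctrl-%d" % subtype)
        if info["name"] == "RTS":       # RTS: addr1 = receiver, addr2 = transmitter
            info["addr2"] = mac_str(frame[10:16])
        return info
    info["addr2"], info["addr3"] = mac_str(frame[10:16]), mac_str(frame[16:22])
    info["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    if ftype == 2 and to_ds and not from_ds:      # station -> access point
        info["bssid"], info["sa"], info["da"] = info["addr1"], info["addr2"], info["addr3"]
    elif ftype == 2 and from_ds and not to_ds:    # access point -> station
        info["da"], info["bssid"], info["sa"] = info["addr1"], info["addr2"], info["addr3"]
    info["body"] = frame[24:]           # 4-address (WDS) and QoS headers are longer; not handled
    return info


def build_data_frame(bssid, sa, da, body, seq=0, protected=False):
    """Station-to-AP data frame (ToDS=1, FromDS=0): addr1=BSSID, addr2=SA, addr3=DA."""
    flags = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    fc = 0x08 | (flags << 8)            # type=data (2), subtype=0: first byte 0x08
    return (struct.pack("<HH", fc, 0) + mac_bytes(bssid) + mac_bytes(sa)
            + mac_bytes(da) + struct.pack("<H", seq << 4) + body)


def learn_allowed_client(captured):
    """Return (station MAC, BSSID) for the first station seen sending data to an AP.
    The AP is carrying that station's traffic, so its MAC passed the access list."""
    for frame in captured:
        p = parse_80211(frame)
        if p["type"] == "data" and "sa" in p and p["bssid"] != BROADCAST:
            return p["sa"], p["bssid"]
    return None


def clone_frame(victim_sa, bssid, body):
    """The frame an attacker sends after setting its own card to the victim's MAC."""
    return build_data_frame(bssid, victim_sa, BROADCAST, body)


# Constructed capture: an RTS/CTS pair, then a WPA-protected data frame.
AP, STATION = "00:14:6c:11:22:33", "00:1b:77:aa:bb:cc"
CAPTURE = [
    struct.pack("<HH", 0x00B4, 160) + mac_bytes(AP) + mac_bytes(STATION),   # RTS, NAV 160 us
    struct.pack("<HH", 0x00C4, 120) + mac_bytes(STATION),                   # CTS back to station
    build_data_frame(AP, STATION, "00:14:6c:44:55:66", b"\x00" * 16, seq=7, protected=True),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_80211(f))
    victim, bssid = learn_allowed_client(CAPTURE)
    print("cloning", victim, "on", bssid)
    print(parse_80211(clone_frame(victim, bssid, b"hello")))
```

On a Linux station the corresponding real-world step is `ip link set dev wlan0 down`, `ip link set dev wlan0 address 00:1b:77:aa:bb:cc`, `ip link set dev wlan0 up` (with the victim's address substituted). The clone only passes the access list; on a WPA network the attacker still needs the key to send readable traffic, and if the legitimate station is still active the access point sees two stations with one address, which is why attackers usually wait for it to leave.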
WiFi Vulnerabilities: Denial-of-Service (DoS) attacks
- Jamming (intentional interference) can be used to shut down wireless communications
- A smart jammer can shut down communications with minimum energy expenditure
- Consider the basic protocol: RTS -> CTS -> DATA -> ACK
- A smart jammer attacks the ACK to fool the transmitter into thinking the packet was not successful
  - The ACK is a short frame, so the jammer is on the air for only a few microseconds per packet
  - The full transmission time & energy (RTS plus the whole DATA frame) is wasted
  - The transmitter will think a collision occurred and increase its backoff window, so throughput collapses even though every DATA frame actually reached the receiver
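The exchange and the smart-jammer attack above, as an added example that is not part of the original slides or the WING testbed software: a small model of the four-frame DCF exchange with binary exponential backoff and a jammer that can be told which frame types to hit. The airtimes are constructed round numbers chosen for their relative sizes, not values from the standard; the contention-window bounds are the usual 802.11 defaults.

```python
"""Toy model of the 802.11 DCF exchange (RTS -> CTS -> DATA -> ACK) with
binary exponential backoff, plus a jammer that targets chosen frame types.
Added illustration; airtimes are constructed round numbers in microseconds."""
import random

AIRTIME = {"RTS": 20, "CTS": 14, "DATA": 1500, "ACK": 14}   # constructed values
# Who is on the air for each frame of one exchange, in protocol order.
EXCHANGE = [("RTS", "tx"), ("CTS", "rx"), ("DATA", "tx"), ("ACK", "rx")]
CW_MIN, CW_MAX = 15, 1023   # contention-window bounds in slots (typical 802.11 values)


class Jammer:
    """Transmits noise only while a frame whose type is in `targets` is on the air."""

    def __init__(self, targets):
        self.targets = set(targets)
        self.airtime = 0        # microseconds the jammer spent transmitting

    def jam(self, frame):
        if frame in self.targets:
            self.airtime += AIRTIME[frame]
            return True
        return False


class Transmitter:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.cw = CW_MIN
        self.airtime = 0        # microseconds this station spent transmitting
        self.backoff_slots = 0  # idle slots spent in backoff
        self.delivered = 0
        self.failures = 0
        self.max_cw = CW_MIN

    def send(self, jammer=None):
        """One attempt at the four-frame exchange. True if the ACK arrived."""
        # DCF backoff: wait a random number of slots in [0, cw] before the RTS.
        self.backoff_slots += self.rng.randint(0, self.cw)
        for frame, who in EXCHANGE:
            if who == "tx":
                self.airtime += AIRTIME[frame]
            if jammer is not None and jammer.jam(frame):
                # A missing CTS or ACK looks exactly like a collision to the
                # sender: double the contention window (binary exponential backoff).
                self.failures += 1
                self.cw = min(2 * self.cw + 1, CW_MAX)
                self.max_cw = max(self.max_cw, self.cw)
                return False
        self.delivered += 1
        self.cw = CW_MIN        # a success resets the window
        return True


def run(n_frames, jammer=None, seed=0):
    """Send n_frames against an optional jammer; return the energy/throughput picture."""
    tx = Transmitter(seed)
    for _ in range(n_frames):
        tx.send(jammer)
    return {"delivered": tx.delivered,
            "tx_airtime_us": tx.airtime,
            "jammer_airtime_us": jammer.airtime if jammer is not None else 0,
            "backoff_slots": tx.backoff_slots,
            "max_cw": tx.max_cw}


if __name__ == "__main__":
    print("no jammer       ", run(20))
    print("ACK-only jammer ", run(20, Jammer({"ACK"})))   # smart: 14 us per packet
    print("DATA jammer     ", run(20, Jammer({"DATA"})))  # brute force: 1500 us per packet
```

With the numbers above the ACK-only jammer spends 14 microseconds per packet while the victim burns the full 1520 microseconds of RTS plus DATA on every attempt and backs off all the way to the maximum window; the DATA jammer achieves the same zero throughput at over a hundred times the energy. Real 802.11 receivers also discard the duplicate retransmissions by sequence number, so the data that did arrive buys the sender nothing.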
WING Testbed
- Linux/WiFi machines:
  - 10 Fujitsu Lifebook laptops
  - 20 NETGEAR WGT634U 108 Mbps wireless media routers
  - 15 ZipIt Wireless Instant Messengers
    (images: http://www.schrankmonster.de/content/binary/zipit-wireless-im-silver.jpg, http://karosium.com/index.php?/categories/2-my-hardware-projects)
- Laptops and routers use Atheros chipsets, which allow good control of the hardware
- Software development based on the open-source drivers MadWiFi/ath5k
- Perl/Tk for user interaction and graphical display

Demo: Capture Current Signal Levels
- Kernel module that allows access to the hardware physical-layer received signal strength indicator (RSSI)
- Monitor.pl program allows complete control and inspection of the capture

Example: Full Protocol in Operation
- Reduced RTS threshold on my home router (so that RTS/CTS is used even for short frames)
- Captured during an email download
- [Plot: received signal strength (RSSI) on channel 7 versus time, 10.2 to 12.4 ms. Three RTS/CTS/DATA/ACK exchanges are visible, followed by a COLLISION and then a BACKOFF period.]
Defenses Against DoS Attacks
- Can use the same degrees of freedom that are available for multiple access to defend against DoS attacks:
  - Frequency: change channels to avoid the jammer
  - Time: change the protocol to prevent the jammer from being able to attack so selectively (for instance, attach ACKs to data packets)
  - Space: use directional antennas to communicate around the jammer
  - Coding: spread the signal over a wider frequency band or add additional error protection

Demo: Defense Against DoS Attacks in Wireless Networks
- Use a cordless phone as the jammer (transmits on channel 1)
- 2 Linux laptops set to switch channels if they lose too many packets
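The channel-switching rule from the demo, as an added example that is not the testbed's own code: the sender hops to the next non-overlapping channel when too many of its recent frames go unacknowledged, and the receiver follows when it hears nothing for a while. The loss probabilities, window sizes and thresholds are constructed; the one design constraint the thresholds encode is that, on a shared channel, the sender must always decide to hop before the receiver's silence timer fires, otherwise the two ends chase each other around the channel list.

```python
"""Added illustration of a channel-switching defense: a sender hops when too
many ACKs go missing; its peer follows when it hears only silence.
Loss probabilities and thresholds are constructed values."""
import collections
import random

NON_OVERLAPPING = (1, 6, 11)   # the only non-overlapping US 2.4 GHz channels


class Hopper:
    """Shared hop schedule: both ends step through NON_OVERLAPPING in order."""

    def __init__(self, start=1):
        self.channel = start
        self.switches = []

    def hop(self):
        i = NON_OVERLAPPING.index(self.channel)
        self.channel = NON_OVERLAPPING[(i + 1) % len(NON_OVERLAPPING)]
        self.switches.append(self.channel)


class Sender(Hopper):
    """Hops when more than `max_losses` of the last `window` frames went unacked.
    After a hop it ignores `settle` outcomes so the peer has time to follow.
    Invariant for a clean handover: Receiver.idle_limit > max_losses + 1 (sender
    decides first on a shared channel) and settle >= idle_limit (sender waits for it)."""

    def __init__(self, start=1, window=20, max_losses=8, settle=12):
        super().__init__(start)
        self.history = collections.deque(maxlen=window)
        self.max_losses, self.settle, self.settling = max_losses, settle, 0

    def report(self, acked):
        if self.settling:
            self.settling -= 1
            return
        self.history.append(acked)
        if self.history.count(False) > self.max_losses:
            self.hop()
            self.history.clear()
            self.settling = self.settle


class Receiver(Hopper):
    """Hops after `idle_limit` consecutive frame periods with nothing received."""

    def __init__(self, start=1, idle_limit=12):
        super().__init__(start)
        self.idle_limit, self.idle = idle_limit, 0

    def report(self, received):
        self.idle = 0 if received else self.idle + 1
        if self.idle >= self.idle_limit:
            self.hop()
            self.idle = 0


def simulate(n_frames, jammed_channels=(1,), loss_jammed=0.9, loss_clean=0.02, seed=1):
    """A broadband jammer (the cordless phone) sits on `jammed_channels`; a frame is
    delivered only when both ends share a channel and the jammer does not kill it."""
    rng = random.Random(seed)
    tx, rx = Sender(), Receiver()
    delivered = 0
    for _ in range(n_frames):
        p_loss = loss_jammed if tx.channel in jammed_channels else loss_clean
        ok = tx.channel == rx.channel and rng.random() >= p_loss
        delivered += ok
        tx.report(ok)
        rx.report(ok)
    return {"delivered": delivered, "tx_channel": tx.channel, "rx_channel": rx.channel,
            "tx_switches": tx.switches, "rx_switches": rx.switches}


if __name__ == "__main__":
    print("phone on channel 1:", simulate(200))
    print("no jammer:         ", simulate(200, jammed_channels=()))
```

The silence-timeout rule is the weak point: if the new channel is jammed too, the receiver's timer may expire before the sender's loss window refills, and the ends desynchronize. A sturdier design carries the hop decision in an explicit, acknowledged message (or derives the next channel from a shared pseudo-random sequence keyed by time), which is the direction of the "better channel-switching techniques" listed under future work.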
One More Demo: Multi-path Fading
- Wireless channels can vary rapidly with small changes in position because of multi-path fading
  - multiple copies of the transmitted signal bounce off objects and add together in the channel
  - copies can add constructively or destructively

Current & Future Work
- Implementing a smart DoS jammer
- Implementing better channel-switching techniques
- Adding directional antennas and implementing spatial jamming avoidance
- Developing and implementing new protocols to avoid jamming
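Two-path illustration of the fading effect (added here; not part of the original slides): if the receiver sees two copies of the carrier with amplitudes $a_1, a_2$ and phases $\phi_1, \phi_2$, the received phasor and its power are

$$ r = a_1 e^{j\phi_1} + a_2 e^{j\phi_2}, \qquad |r|^2 = a_1^2 + a_2^2 + 2 a_1 a_2 \cos(\phi_1 - \phi_2). $$

A path-length difference $\Delta d$ gives $\phi_1 - \phi_2 = 2\pi \Delta d / \lambda$, so for two equal-strength copies ($a_1 = a_2 = a$)

$$ |r|^2 = 2a^2 \bigl( 1 + \cos(2\pi \Delta d / \lambda) \bigr), $$

which is $4a^2$ (6 dB above a single path) at $\Delta d = 0, \lambda, 2\lambda, \dots$ and exactly zero at $\Delta d = \lambda/2, 3\lambda/2, \dots$. At 2.45 GHz, $\lambda = c/f \approx 12.2$ cm, so a change of about 6 cm in the path difference moves the receiver from a peak to a null; when the two copies arrive from opposite directions, moving the receiver by $\delta$ changes $\Delta d$ by $2\delta$, so about 3 cm of motion is enough. That is why the captured signal level swings by tens of dB with small movements.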