Advanced WiFi Attacks Using Commodity Hardware

Similar documents
Advanced WiFi Attacks Using Commodity Hardware

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

CWNP PW Certified Wireless Analysis Professional. Download Full Version :

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Physical and Link Layer Attacks

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Wireless technology Principles of Security

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Configuring a VAP on the WAP351, WAP131, and WAP371

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Attacks on WLAN Alessandro Redondi

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Wireless Security Security problems in Wireless Networks

CWNA Exam PW0-100 certified wireless network administrator(cwna) Version: 5.0 [ Total Questions: 120 ]

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Table of Contents 1 WLAN Security Configuration Commands 1-1

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.


transmitting on the same channel or adjacent channels

Troubleshooting WLANs (Part 2)

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

Chapter 24 Wireless Network Security

Wireless Router at Home

Basic Wireless Settings on the CVR100W VPN Router

How Insecure is Wireless LAN?

Wireless Attacks and Countermeasures

Wireless Network Security Spring 2012

Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems

Security of WiFi networks MARCIN TUNIA

Viewing Status and Statistics

Wireless Network Security Spring 2014

Wireless Network Security Spring 2013

Welcome to my presentation: Message Denial and Alteration on IEEE Low- Power Radio Networks.

CSCD 433 Network Programming Fall Lecture 7 Ethernet and Wireless

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Appendix E Wireless Networking Basics

Wireless Network Security Spring 2015

Mobile Security Fall 2013

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

PowerStation2 LiteStation2 LiteStation5 User s Guide

3.1. Introduction to WLAN IEEE

Skywave User Manual. Version 1.1 (05/10/2015) Pro Range 95 User Manual 1.1 Page 1 of 31

6.9 Summary. 11/20/2013 Wireless and Mobile Networks (SSL) 6-1. Characteristics of selected wireless link standards a, g point-to-point

Wireless Networking based on Chapter 15 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Security SSID Selection: Broadcast SSID:

IEEE a/ac/n/b/g Outdoor Stand-Alone Access Point. Management Guide. ECWO Series. Software Release v1.0.1.

802.11ac Wireless Access Point Model WAC104

Data and Computer Communications. Chapter 13 Wireless LANs

HACKING & INFORMATION SECURITY Presents: - With TechNext

User Guide. For TP-Link Auranet Access Points

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

Overview : Computer Networking. Spectrum Use Comments. Spectrum Allocation in US Link layer challenges and WiFi WiFi

Securing a Wireless LAN

Configuring Cipher Suites and WEP

LESSON 12: WI FI NETWORKS SECURITY

The Wi-Fi Boom. Dr. Malik Audeh Tropos Networks March 13, 2004

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Wireless LANs. ITS 413 Internet Technologies and Applications

ENH900EXT N Dual Radio Concurrent AP. 2.4GHz/5GHz 900Mbps a/b/g/n Flexible Application

802.11g PC Card/USB Wireless Adapter

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

Wireless and WiFi. Daniel Zappala. CS 460 Computer Networking Brigham Young University

4.3 IEEE Physical Layer IEEE IEEE b IEEE a IEEE g IEEE n IEEE 802.

Attack & Defense in Wireless Networks

Wireless# Guide to Wireless Communications. Objectives

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

LiteStation2 LiteStation5 User s Guide

802.11b+g Wireless LAN USB Adapter. User Manual

WarDriving. related fixed line attacks war dialing port scanning

Enterprise WiFi System. Datasheet. Models: UAP, UAP-LR, UAP-Pro, UAP-Outdoor, UAP-Outdoor5

Wireless Networking. Chapter The McGraw-Hill Companies, Inc. All rights reserved

Figure 35: Active Directory Screen 6. Select the Group Policy tab, choose Default Domain Policy then click Edit.

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

Configuring the Wireless Parameters (CPE and WBS)

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

WL-5420AP. User s Guide

Wireless Access Point

Oct 2007 Version 1.01

Wireless Network Security Spring 2013

What you will learn. Summary Question and Answer

MULTIPLE ACCESS PROTOCOLS 2. 1

Configuring the EAPs Globally via Omada Controller

Wireless MAXg Technology

LevelOne. User Manual. WAP Mbps PoE Wireless AP V3.0.0

Introduction to the EX2

Wireless Network Security Spring 2016

Quick Installation Guide

CITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule

Wireless Networking Basics. Ed Crowley

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Wireless Network Security Spring 2011

Transcription:

Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef (@vanhoefm), KU Leuven BruCON 2015

Background WiFi assumes each station acts fairly With special hardware this isn t the case Continuous jamming (channel unusable) Selective jamming (block specific packets) 2

Background WiFi assumes each station acts fairly >$4000 With special hardware this isn t the case Continuous jamming (channel unusable) Selective jamming (block specific packets) 3

Also with cheap hardware! Small 15$ USB sufficient to: Testing selfish behavior in practice Continuous & selective jamming Reliable manipulation of encrypted traffic 4

Also with cheap hardware! >$4000 ~$15 Attacks are cheaper than expected Should be able to detect them. 5

Selfish Behavior Selfish behavior in practice? Implement & Test!

Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of frame 3. Random backoff: avoid collisions 4. Send the packet

Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS

Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput

Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS Optimal strategy: Upload! From 14 to 37 Mbps Reduces throughput

How to control radio chip? Using memory mapped registers Disable backoff: int *GBL_IFS_MISC = (int*)0x10f0; *GBL_IFS_MISC = IGNORE_BACKOFF; Reset AIFSN and SIFS: int *AR_DLCL_IFS = (int*)0x1040; *AR_DLCL_IFS = 0; 11

Location of this code? Main machine Userspace Operating System Driver USB WiFi Dongle CPU radio chip Code runs on CPU of dongle Firmware control needed 12

Countermeasures DOMINO defense system reliably detects selfish behavior [1]. More on this later! 13

Selfish Behavior What if there are multiple selfish stations? In a collision, both frames are lost. Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. Similar to FM radio Demo: The Queen station generally wins the collision with others.

FM Radio Demo

Selfish Behavior Attacker can abuse capture effect Selfish clients will lower their bitrate to beat other selfish stations! Until this gives no more advantage. To increase throughput, bitrate is lowered! Other station = background noise 16

Continuous Jammer Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: radio chip Frame 1 Frame 2 17

Continuous Jammer Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: radio chip Frame 1 Frame 2 Infinite list! 18

Continuous Jammer Experiments Only first packet visible in monitor mode! Other devices are silenced. Default antenna gives range of ~80 meters. Amplifier gives range of ~120 meters 19

Demo: Continuous Jammer Ideally done in a shielded room but we can try it here as well To prevent harm, only active for a few seconds. 20

Raspberry Pi Supported! 21

Practical Implications Devices in 2.4 and 5 GHz bands? Home automation Industrial control Internet of Things Can easily be jammed! 22

Practical Implications Devices in 2.4 and 5 GHz bands? 23

Practical Implications Devices in 2.4 and 5 GHz bands? 24

Not just wild speculation jammers are already used by thieves! $45 Chinese jammer to prevent cars from being locked [6] GPS jammer to disable anti-theft tracking devices in stolen cars [7] Disable mobile phone service after cutting phone and alarm cables [8] 25

Selective Jammer Decides, based on the header, whether to jam the frame. 26

How does it work? 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Physical packet Detect Init Jam

How does it work? 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Hard Easy Physical packet Detect Init Jam

Detecting frame headers? radio chip Decodes physical WiFi signals Internal CPU DMA RAM while(recvbuff[0] == 0): pass Can read header of frames still in the air.

In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Poll memory until data is being written: Timeout Detect incoming packet 30

In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Probe request or beacon? buff + 10: sender of packet source : target MAC address 31

In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Set specific bit in register 32

In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Pointer to dummy packet TXE: Transmit (TX) enable (E) 33

Selective Jammer: Reliability Jammed beacons with many devices/positions How fast can it react? Position of first mangled byte? 1 Mpbs beacon in 2.4 GHz: position 52 6 Mpbs beacon in 5 GHz: position 88 Context: MAC header is 34 bytes 34

Selective Jammer: Reliability Jammed beacons with many devices/positions Conclusion 100% reliable selective jammer not possible Medium to large packets can be jammed Surprising this is possible with a limited API! 35

DOMINO defense system Also capable of detecting selective jammers Assumes MAC header is still valid. Attacker has low #(corrupted frames) Thrown of the network Unfortunately it s flawed Jammed (corrupted) frames are not authenticated, we can forge them. Pretend that a client is jamming others. 36

Demo: Selective Jammer Avoiding harmful interference: Target is in (unused?) 5 GHz channel Will only run for a few seconds If you do more extensive tests 37

Code is online! modwifi.bitbucket.org ( github.com/vanhoefm/modwifi ) Scenarios where (selective) jammers are useful? 38

1. Attack WiFi geolocation Location determined by nearby SSIDs. Geolocation attack [9] Inject SSIDs present at other location Can only spoof location having more APs Solution: selectively jam nearby APs Never blindly trust WiFi geolocation! 39

2. As defense system Turn the tables around: Use jamming to protect a network Selectively jam rouge APs Wearable shield to protect medical implants that constantly sends jamming signal. [10]. (active research topic) 40

2. As defense system May not be legal? Blocking personal hotspots: Done by Marriott and Smart City Holdings Complaint was filled to the FCC Settled for fine of $600,000 and $750,000 Is blocking malicious or rogue hotspots legal? 41

Impact on higher-layers What about higherlayer protocols? 42

Impact on higher-layers What if we could reliably manipulate encrypted traffic? not decrypt! We could attack WPA-TKIP! 43

Reliably Intercepting Traffic! Channel-based MiTM attack Works against any encrypted network Can reliably manipulate encrypted traffic. 44

Strawman: different MAC Cloned MAC addresses different from target? Attacker AP Client 45

Strawman: different MAC Cloned MAC addresses different from target? Attacker AP Client Handshake verifies MAC addresses and fails. 46

Strawman: different MAC Same MAC addresses (as AP and client)? Attacker AP Client 47

Strawman: different MAC Same MAC addresses (as AP and client)? Attacker AP Channel 1 Client AP and client directly communicate. 48

Solution: channel-based Same addresses, rouge AP on different channel Attacker AP Handshake will succeed Intercept traffic! Client 49

Example 1: attacking TKIP It would allow us to attack TKIP. But why research TKIP? Isn t it dead? 1999 2002 2004 WEP TKIP AES-CCMP 50

Example 1: attacking TKIP It would allow us to attack TKIP. But why research TKIP? Isn t it dead? 1999 2002 2004 WEP TKIP AES-CCMP Not used Not used? Mainly used 51

Example 1: attacking TKIP It would allow us to attack TKIP. But why research TKIP? Isn t it dead? 1999 2002 2004 WEP TKIP AES-CCMP Not used Not used? Used!! Mainly used 52

Why research TKIP? Network can allow both TKIP and CCMP: New devices uses CCMP Unicast traffic Old devices uses TKIP Broadcast traffic: Old devices must be able to decrypt it 53

Why research TKIP? If a network supports TKIP, all broadcast traffic is encrypted using it. 54

TKIP Usage (2014) Found ~6000 networks 7% support only TKIP 67% support TKIP TKIP is still widely used! 55

Quick Background How are packets sent/received? Data MIC Encrypted 1. Add Message Integrity Check (MIC) 2. Encrypt using RC4 Bad! See rc4nomore.com 56

MIC Countermeasures Data MIC If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP 57

MIC Countermeasures Data MIC If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP Abuse to decrypt last byte(s) [3] 58

TKIP Group Cipher For broadcast, all clients send a MIC failure. Use channel-based MiTM and drop them Avoids MIC countermeasures Resulting attack Can obtain MIC key within 7 minutes. Inject & decrypt some packets [3,4] Only allow AES-CCMP! 59

Firmware vs. driver Main machine Userspace Operating System Driver USB PCI WiFi Dongle CPU radio chip radio chip Internal Chip Only driver control needed! 60

FCC Security Proposal How to mitigate low-layer attacks? Secure either hardware or software Relevant FCC proposal: only software that has been approved with a particular radio can be loaded into that radio Device will only run signed software 61

Goal: prevent interference Weather radar example: Operate in 5 GHz band WiFi can interfere with them FCC had to deal with several cases of intentional interference Software control of frequency, transmit power, Prevent operation outside allowed ranges 62

Reason for concern The proposed rule is too strict Requires signed software, no alternatives No definition of radio or device is given! Better proposal: implement security features so the device never operates outside radio parameters for which the device was certified Unclear how to best prevent our attacks cheap triangulators?? 63

Reason for concern The proposed rule is too strict Requires signed software, no alternatives No definition of radio or device is given! See A case for open Better proposal: radio firmware implement security features so the device never operates outside radio parameters for which the device was certified Unclear how to best prevent our attacks cheap triangulators?? 64

@vanhoefm modwifi.bitbucket.com Questions?

References 1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in EEE 802.11 hotspots. In MobiSys, 2004. 2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against wpa enterprise authentication. In NDSS, Apr. 2013. 3. M. Vanhoef and F. Piessens. Practical verification of wpa-tkip vulnerabilities. In ASIACCS, 2013. 4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014. 5. J. Robertson and M. Riley. Mysterious 08 Turkey Pipeline Blast Opened New Cyberwar. In Bloomberg, 2014. 6. C. Cox. Hi-tech car thieves hit the streets with 30 jamming devices bought over the internet. In Manchester Evening News, 2014. 66

References 7. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010. 8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. In Orlando Sentinel, 2011. 9. P. Dandumont. Don t trust geolocation! Retrieved 5 October, 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/ 10.Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011. 67

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback