WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Similar documents
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

WiFuzz: detecting and exploiting logical flaws in the Wi-Fi cryptographic handshake

Advanced WiFi Attacks Using Commodity Hardware

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

WPA-GPG: Wireless authentication using GPG Key

Table of Contents 1 WLAN Security Configuration Commands 1-1

Wireless Network Security Spring 2015

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Wireless Network Security Spring 2016

Chapter 24 Wireless Network Security

Advanced WiFi Attacks Using Commodity Hardware

1 FIVE STAGES OF I.

Wireless LAN Security. Gabriel Clothier

Frequently Asked Questions WPA2 Vulnerability (KRACK)

IEEE i and wireless security

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Configuring Authentication Types

Secure Initial Access Authentication in WLAN

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Exam Questions CWSP-205

Securing a Wireless LAN

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

FAQ on Cisco Aironet Wireless Security

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Wireless Network Security

Wireless Network Security

Chapter 17. Wireless Network Security

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Lab Configure Enterprise Security on AP

Appendix E Wireless Networking Basics

Troubleshooting WLANs (Part 2)

Configuring Cipher Suites and WEP

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

WPA Passive Dictionary Attack Overview

CPSC 467: Cryptography and Computer Security

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Configuring WEP and WEP Features

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Configuring Layer2 Security

Authentication Handshakes

05 - WLAN Encryption and Data Integrity Protocols

Exam Advanced Network Security

Implementing Cryptography: Good Theory vs. Bad Practice

CSC 474/574 Information Systems Security

Configuring a WLAN for Static WEP

Wireless KRACK attack client side workaround and detection

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Physical and Link Layer Attacks

Network Encryption 3 4/20/17

WLAN Roaming and Fast-Secure Roaming on CUWN

Summary on Crypto Primitives and Protocols

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Authentication and Security: IEEE 802.1x and protocols EAP based

Procedure: You can find the problem sheet on the Desktop of the lab PCs.

GETTING THE MOST OUT OF EVIL TWIN

Securing Your Wireless LAN

Security Setup CHAPTER

Security in IEEE Networks

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

What is Eavedropping?

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU. Mc Graw mim

Cisco Desktop Collaboration Experience DX650 Security Overview

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

The Launch GDS can be updated via a wireless internet connection as well as by USB or cat5 cable.

Release Notes for Avaya WLAN 9100 Access Point Operating System (AOS) Release

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Real-time protocol. Chapter 16: Real-Time Communication Security

Wireless Security Algorithms

TestsDumps. Latest Test Dumps for IT Exam Certification

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

A Secure Wireless LAN Access Technique for Home Network

Configuring a VAP on the WAP351, WAP131, and WAP371

Network Access Flows APPENDIXB

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Securing Internet Communication: TLS

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

Cryptanalysis. Ed Crowley

WarDriving. related fixed line attacks war dialing port scanning

(2½ hours) Total Marks: 75

Viewing Status and Statistics

Cryptography ThreeB. Ed Crowley. Fall 08

Formal Methods for Assuring Security of Computer Networks

Plaintext Recovery Attacks Against WPA/TKIP

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

Oct 2007 Version 1.01

Troubleshooting WLANs

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol

Case Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University

HACKING & INFORMATION SECURITY Presents: - With TechNext

Transcription:

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm imec-distrinet, KU Leuven Black Hat, 27 July 2017

Introduction More and more Wi-Fi network use encryption: 2010 Most rely on the Wi-Fi handshake to generate session keys 2

How secure is the Wi-Fi handshake? Design: formally analyzed and proven correct (CCS 2005) Security of implementations? Some works fuzz network discovery stage Many stages are not tested, e.g. 4-way handshake. But do not tests for logical implementation bugs Objective: test implementations of the full Wi-Fi handshake for logical vulnerabilities 1 C. He, M. Sundararajan, A. Datta, A Derek, and J. Mitchell. A modular correctness proof of IEEE 802.11i and TLS. 2 M. Vanhoef, D. Schepers, and F. Piessens. Discovering Logical Vulnerabilities in thewi-fi Handshake Using Model-Based Testing. 3

Background: the Wi-Fi handshake Main purposes: Network discovery Mutual authentication & negotiation of pairwise session keys Securely select cipher to encrypt data frames WPA-TKIP Short-term solution that sacrificed some security, so it could run on old WEP-compatible hardware AES-CCMP Long-term solution based on modern cryptographic primitives 4

Wi-Fi handshake (simplified) 5

Wi-Fi handshake (simplified) 6

Wi-Fi handshake (simplified) 7

Wi-Fi handshake (simplified) Defined using EAPOL frames 8

EAPOL frame layout (simplified) header key info replay counter MIC key data P M I S E R C A key info flags message ID key version MD5/RC4 or SHA1/AES 9

How to test implementations? Model-based testing! Test if program behaves according to some abstract model Proved successful against TLS Apply model-based approach on the Wi-Fi handshake 10

Model-based testing: our approach Model: normal handshake Test generation rules: (in)correct modifications Set of test cases A test case defines: 1. Messages to send & expected replies 2. Results in successful connection? Generation rules: Can test various edge cases, allows some creativity Are assumed to be independent (avoid state explosion) 11

Executing test cases For every test case Execute test case unexpected reply Check if connection successful unexpected result All OK Save failed test Reset Afterwards Inspect failed test cases Experts determines impact and exploitability 12

Test generation rules Test generation rules manipulating messages as a whole: 1. Drop a message 2. Inject/repeat a message Test generation rules that modify fields in messages: 1. Wrong selected cipher suite in message 2 2. Bad EAPOL replay counter 3. Bad EAPOL key info flags (used to identify message) 4. Bad EAPOL key version (switch SHA1/AES with MD5/RC4) 5. Bad EAPOL Message Integrity Check (MIC) 6. 13

Evaluation We tested 12 access points: Open source: OpenBSD, Linux s Hostapd Leaked source: Broadcom, MediaTek (home routers) Closed source: Windows, Apple, Telenet Professional equipment: Aerohive, Aironet Discovered several issues! 14

Missing downgrade checks 1. MediaTek & Telenet don t verify selected cipher in message 2 2. MediaTek also ignores supported ciphers in message 3 MediaTek clients can be trivially downgraded 15

Windows 7 targeted DoS Client AP Client 2 16

Windows 7 targeted DoS Client AP Client 2 PoC & Demo github.com/vanhoefm/blackhat17-pocs 17

Broadcom downgrade Broadcom cannot distinguish message 2 and 4 Can be abused to downgrade the AP to TKIP Hence message 4 is essential in preventing downgrade attacks This highlights incorrect claims in the 802.11 standard: While Message 4 serves no cryptographic purpose, it serves as an acknowledgment to Message 3. It is required to ensure reliability and to inform the Authenticator that the Supplicant has installed the PTK and GTK and hence can receive encrypted frames. 18

OpenBSD: DoS against AP Two bugs in OpenBSD: 1. TKIP countermeasures are never stopped TKIP is weak: detects frame forging attempts Possible forge attempt send MIC failure report to AP If ( two MIC failure reports within a minute ) halt all traffic for 1 minute forever 2. MIC failure report accepted before 4-way handshake Combined: unauthenticated permanent DoS 19

OpenBSD: DoS against AP 20

OpenBSD: DoS against AP PoC & Demo github.com/vanhoefm/blackhat17-pocs 21

OpenBSD: client man-in-the-middle Manual inspection of OpenBSD client. State machine missing! Attack possible: 1. Rouge AP: skip 4-way handshake, send Group Message 1 2. Client verifies authenticity of message using all-zero key 3. Message accepted, client now allows normal data traffic Proof of concept and demo! 22

OpenBSD: client man-in-the-middle 23

OpenBSD: client man-in-the-middle PoC & Demo github.com/vanhoefm/blackhat17-pocs 24

Other results: see white paper! Fingerprinting techniques! Permanent DoS attack against Broadcom DoS attack against Windows 10, Broadcom, Aerohive Inconsistent parsing of selected and supported cipher suite(s) 25

Technique (Dis)advantages & Limitations General remaks: Black-box testing mechanism: no source code needed Fairly simple handshake, but still several logical bugs! o But time consuming to implement & requires an expert Limitations: Amount of code coverage is unknown Only used well-formed (albeit invalid) packets Test generation rules applied independently Only tested Access Points (not clients) 26

Conclusion Wi-Fi implementations are less secure than expected New attacks (will) keep popping up Need more advanced tools to detect logical flaws Current testing framework is quite basic Complex bugs currently remain undetected 27

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm imec-distrinet, KU Leuven Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback