Autoimmunity Disorder in Wireless LANs

Biological Systems Vs WLAN Systems: Similarities Immune system foreign bodies Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies Purpose of WLAN system software is to defend against attacks from intruders and hackers Biological systems Wireless LAN systems Built-in Security software Attacker

Autoimmunity Disorder Immune system foreign bodies When immune system mistakenly attacks & destroys healthy body tissues When AP mistakenly attacks and destroys legitimate client connections Biological systems Wireless LAN systems Built-in Security software Attacker

What’s Well Known -- DoS from an External Source It is well known that by sending spoofed De-authentication or Dis-association packets it is possible to break connections. AP Client Attacker DoS Attack Launched on CL DoS Attack launched on AP Connection Breaks Connection Breaks

It is well known that by sending spoofed De-authentication or Dis-association packets it is possible to break connections.

What’s New – Self DoS Triggered by an External Stimulus There exist mal-formed packets whose injection can turn an AP into a connection killing machine AP Client Attacker Stimulus Self DoS

There exist mal-formed packets whose injection can turn an AP into a connection killing machine

Example of Self DoS (1) AP Client Broadcast Disconnection Notification from AP Attacker

Result    Multicast MAC as source  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48 Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3 Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Broadcast MAC as source

Example of Self DoS (2) AP Client Attributes: Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs …. Disconnection Notification or Response with “Failure” status code Client and AP in Associated State Attacker Stimulus: Req packet with invalid attributes

Attributes: Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs ….

Stimulus Newly introduced reason code in 802.11w 26: Robust management frame policy violation 10,13,14,18,19,20,21,22,23,24,25 ,26,40,44,45,51 6,7,10,11,13,14,15,21,22 Status Codes Reason Codes

Newly introduced reason code in 802.11w

26: Robust management frame policy violation

Result      Authentication    Broadcast MAC as source    Multicast MAC as source    Assoc Request  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48  Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3  Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Reassoc Req

Is Cisco MFP also vulnerable to Self DoS ? Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.

Example: MFP (L)AP MFP Client MFP AP Ignore or Honor Assoc Req Packet ? Client ignores unsolicited Association Response AP has an important decision to make !!! Uprotected “Deauth” ignored by Client Client and AP in Associated state Stimulus:Assoc Req, from Client to AP Attacker Assoc Response Data Deauthentication AP and Client in Deadlock

Example: MFP Client MFP Client MFP AP Association dropped at AP Association dropped at Client Client and AP in Associated state Stimulus:Assoc Response, from AP to Client, Status Code Failure Attacker Protected Deauthentication, teardown connection

The Key Point New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software. Even with MFP (11w) protection DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!

New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software.

Demo

References www.cs.ucsd.edu/users/ savage / papers /UsenixSec03.pdf http://en.wikipedia.org/wiki/IEEE_802.11w http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 ) IEEE P802.11w™/D5.0, February 2008

www.cs.ucsd.edu/users/ savage / papers /UsenixSec03.pdf

http://en.wikipedia.org/wiki/IEEE_802.11w

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 )

IEEE P802.11w™/D5.0, February 2008

Contact Us Md Sohail Ahmad [email_address] Amit Vartak [email_address] J V R Murthy [email_address]

Md Sohail Ahmad

[email_address]

Amit Vartak

[email_address]

J V R Murthy

[email_address]

Stimulus #1 Input : Class 2 or 3 frame with Source MAC as Broadcast MAC address (FF:FF:FF:FF:FF:FF) and Destination MAC address as AP MAC address Output : Broadcast Deauthentication generated by AP Effect : Associated clients which honor Broadcast Deauthentication packet, disconnect from AP Stimulus #2 Input : Class 2 or 3 frame with Source MAC as Multicast MAC address (01:XX:XX:XX:XX:XX) and Destination MAC address as AP MAC address Output : Multicast Deauthentication generated by AP Effect : Associated clients honor Multicast Deauthentication packet and disconnect from AP

Input : Class 2 or 3 frame with Source MAC as Broadcast

MAC address (FF:FF:FF:FF:FF:FF) and

Destination MAC address as AP MAC address

Output : Broadcast Deauthentication generated by AP

Effect : Associated clients which honor Broadcast

Deauthentication packet, disconnect from AP

Input : Class 2 or 3 frame with Source MAC as Multicast

MAC address (01:XX:XX:XX:XX:XX) and

Destination MAC address as AP MAC address

Output : Multicast Deauthentication generated by AP

Effect : Associated clients honor Multicast Deauthentication

packet and disconnect from AP

Stimulus #3 Input : Reassociation Request frame with Source MAC address as Client’s MAC address and Destination MAC address as APMAC address and current AP MAC as any spoofed non-existent MAC address Output : Unicast Deauthentication generated by AP Effect : Associated client honor Deauthentication packet and disconnect from AP Stimulus #4 Input : Association Request frame with spoofed Basic Rate Param and Source MAC address as Client MAC address and Destination MAC address as AP MAC address Output : Unicast Deauthentication generated by AP Effect : Associated client honor Deauthentication packet and disconnect from AP

Input : Reassociation Request frame with Source MAC

address as Client’s MAC address and Destination

MAC address as APMAC address and current AP

MAC as any spoofed non-existent MAC address

Output : Unicast Deauthentication generated by AP

Effect : Associated client honor Deauthentication packet

and disconnect from AP

Input : Association Request frame with spoofed Basic

Rate Param and Source MAC address as Client

MAC address and Destination MAC address as AP

MAC address

Output : Unicast Deauthentication generated by AP

Effect : Associated client honor Deauthentication packet

and disconnect from AP

Stimulus #5 Input : 4 MAC address DATA frame with Source MAC as victim’s Client MAC address (or Broadcast MAC) Destination MAC address as AP MAC address Output : Deauthentication Frame generated by AP Effect : Associated client honor Deauthentication packet and disconnect from AP Stimulus #6 Input : Association Request frame with spoofed capabilities field and Source MAC address as Client MAC address and Destination MAC address as AP MAC address Output : Unicast Deauthentication generated by AP Effect : Associated client honor Deauthentication packet and disconnect from AP

Input : 4 MAC address DATA frame with Source

MAC as victim’s Client MAC address (or Broadcast

MAC) Destination MAC address as AP MAC

address

Output : Deauthentication Frame generated by AP

Effect : Associated client honor Deauthentication packet

and disconnect from AP

Input : Association Request frame with spoofed

capabilities field and Source MAC address as

Client MAC address and Destination MAC

address as AP MAC address

Output : Unicast Deauthentication generated by AP

Effect : Associated client honor Deauthentication

packet and disconnect from AP

Stimulus #7 Input : Authentication frame with invalid Authentication Algorithm sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address Output : Unicast Deauthentication generated by AP Effect : Associated client honor Deauthentication packet and disconnect from AP Stimulus #8 Input : Authentication frame with invalid Authentication Transaction sequence number sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address Output : Unicast Deauthentication generated by AP Effect : Associated client honor Deauthentication packet and disconnect from AP

Input : Authentication frame with invalid Authentication

Algorithm sent to AP with Source MAC as Client’s

MAC address and Destination MAC address as

AP MAC address

Output : Unicast Deauthentication generated by AP

Effect : Associated client honor Deauthentication packet

and disconnect from AP

Input : Authentication frame with invalid Authentication

Transaction sequence number sent to AP with

Source MAC as Client’s MAC address and

Destination MAC address as AP MAC address

Output : Unicast Deauthentication generated by AP

Effect : Associated client honor Deauthentication packet

and disconnect from AP