The WLAN can be compared to the human body in its complexity. Similar methodology which is used to study the phenomenon in humans can be applied to study wireless systems when they are invaded by intruders such as foreign clients or malicious code. The purpose of the human immune system is to defend against attacks from germs, viruses & foreign bodies. Likewise, the purpose of access point security software is to defend against attacks from intruders and hackers. But when the immune system fails to distinguish between healthy cells and foreign bodies, it mistakenly attacks and destroys healthy cells. This is called an autoimmunity disorder. AirTight security researchers have discovered a similar autoimmunity disorder in select open source and commercial 802.11 AP implementations. This presentation for DEFCON16 demonstrates how this vulnerability provides an open door through which DoS attacks can still be launched.

1. Autoimmunity Disorder in Wireless LANs

2. Biological Systems Vs WLAN Systems: Similarities Immune system foreign bodies Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies Purpose of WLAN system software is to defend against attacks from intruders and hackers Biological systems Wireless LAN systems Built-in Security software Attacker

3. Autoimmunity Disorder Immune system foreign bodies When immune system mistakenly attacks & destroys healthy body tissues When AP mistakenly attacks and destroys legitimate client connections Biological systems Wireless LAN systems Built-in Security software Attacker

6. Example of Self DoS (1) AP Client Broadcast Disconnection Notification from AP Attacker

7. Result    Multicast MAC as source  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48 Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3 Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Broadcast MAC as source

10. Result      Authentication    Broadcast MAC as source    Multicast MAC as source    Assoc Request  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48  Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3  Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Reassoc Req

11. Is Cisco MFP also vulnerable to Self DoS ? Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.

12. Example: MFP (L)AP MFP Client MFP AP Ignore or Honor Assoc Req Packet ? Client ignores unsolicited Association Response AP has an important decision to make !!! Uprotected “Deauth” ignored by Client Client and AP in Associated state Stimulus:Assoc Req, from Client to AP Attacker Assoc Response Data Deauthentication AP and Client in Deadlock

13. Example: MFP Client MFP Client MFP AP Association dropped at AP Association dropped at Client Client and AP in Associated state Stimulus:Assoc Response, from AP to Client, Status Code Failure Attacker Protected Deauthentication, teardown connection

15. Demo