SlideShare a Scribd company logo
1 of 33
Download to read offline
Advanced WiFi Attacks Using Commodity Hardware 
Mathy Vanhoef and Frank Piessens (KU Leuven) 
ACSAC 2014
WiFi assumes each station acts fairly 
With special hardware this isn’t the case 
Continuous jamming (channel unusable) 
Selective jamming (block specific packets) 
Background 
2
WiFi assumes each station acts fairly 
With special hardware this isn’t the case 
Continuous jamming (channel unusable) 
Selective jamming (block specific packets) 
Background 
3 
>$4000
Our Contributions 
4 
A small 15$ USB allows: 
Study of selfish behavior 
Continuous & selective jamming 
Reliable manipulation of encrypted traffic
Selfish Behavior 
Implement & study 
selfish behavior
Selfish Behavior 
Steps taken to transmit a frame: 
1.SIFS: let hardware process the frame 
2.AIFSN: depends on priority of frame 
3.Random backoff: avoid collisions 
4.Send the packet 
In use 
SIFS 
AIFSN 
Backoff 
Packet 2
Selfish Behavior 
Steps taken to transmit a frame: 
Manipulate by modifying Atheros firmware: 
Disable backoff 
Reducing AIFSN 
Reducing SIFS 
In use 
SIFS 
AIFSN 
Backoff 
Packet 2
Selfish Behavior 
Steps taken to transmit a frame: 
Manipulate by modifying Atheros firmware: 
Disable backoff 
Reducing AIFSN 
Reducing SIFS 
Optimal strategy: 
From 14 to 37 Mbps 
Reduces throughput 
In use 
SIFS 
AIFSN 
Backoff 
Packet 2
Countermeasure 
9 
DOMINO defense system [MobiSys ‘04] 
detects this selfish behavior. 
More on this later!
Selfish Behavior 
What if there are multiple selfish stations? 
In a collision, both frames are lost. 
Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. 
Result: 
Selfish clients will lower their bitrate to beat other selfish stations! 
Until this gives no more gain.
Continuous Jammer 
11 
Want to build a continuous jammer 
1.Instant transmit: disable carrier sense 
2.No interruptions: queue infinite #packets 
Frames to be transmitted are in a linked list: 
Frame 1 
PHY core 
… 
Frame 2
Continuous Jammer 
12 
Frame 1 
PHY core 
… 
Frame 2 
Want to build a continuous jammer 
1.Instant transmit: disable carrier sense 
2.No interruptions: queue infinite #packets 
Frames to be transmitted are in a linked list: 
Infinite list!
Continuous Jammer 
13 
Experiments 
No packets visible in monitor mode! 
Other devices are silenced. 
Default antenna gives range of ~80 meters. 
Amplifier gives range of ~120 meters
Selective Jammer 
14 
Decides, based on the header, whether to jam the frame.
How does it work? 
Physical packet 
Detect 
Init 
Jam 
1.Detect and decode header 
2.Abort receiving current frame 
3.Inject dummy packet 
Easy 
Hard
Detecting frame headers? 
RAM 
DMA 
Internal CPU 
while(recvbuff[0] == 0): pass 
PHY core 
Decodes physical WiFi signals 
 Can read header of frames still in the air.
Selective Jammer: Reliability 
17 
Jammed beacons with many devices/positions 
How fast can it react? 
Position of first mangled byte? 
1 Mpbs beacon in 2.4 GHz: position 52 
6 Mpbs beacon in 5 GHz: position 88 
Context: 
MAC header is 34 bytes
Selective Jammer: Reliability 
18 
Jammed beacons with many devices/positions 
Conclusion 
100% reliable selective jammer not possible 
Medium to large packets can be jammed 
Surprising this is possible with a limited API!
Countermeasures 
19 
DOMINO defense system [MobiSys ‘04]: 
Assumes MAC header is still valid. 
Attacker has low #(corrupted frames) 
Thrown of the network 
Unfortunately it’s flawed 
Jammed (corrupted) frames are not authenticated, we can forge them. 
Pretend that a client is jamming others.
Impact on higher-layers 
20 
What about higher- layer protocols?
Impact on higher-layers 
21 
What if we could reliably manipulate encrypted traffic?
Impact on higher-layers 
22 
What if we could reliably manipulate encrypted traffic? 
We could attack TKIP! 
not decrypt!
Reliably Intercepting Traffic! 
23 
Channel-based MiTM attack 
Works against encrypted networks 
Can reliably manipulate encrypted traffic.
Reliably Intercepting Traffic? 
24 
Create rogue AP with MAC address … 
≠ AP  handshake fails 
= AP  devices communicate directly 
Same MAC address but different channel 
We forward frames between channels 
Handshake OK, all traffic via rogue AP 
Jammers will force clients to our rogue AP
Example: attacking TKIP 
25 
1999 
2002 
2004 
WEP 
Not used 
TKIP Not used? 
AES-CCMP Mainly used 
It would allow us to attack TKIP. 
But why research TKIP? Isn’t it dead?
Example: attacking TKIP 
26 
1999 
2002 
2004 
WEP Not used 
TKIP Not used? 
AES-CCMP Mainly used 
Used!! 
It would allow us to attack TKIP. 
But why research TKIP? Isn’t it dead?
Why research TKIP? 
27 
Network can allow both TKIP and CCMP: 
New devices uses CCMP 
Old devices uses TKIP 
Broadcast traffic: 
Old devices must be able to decrypt it … 
Unicast traffic
Why research TKIP? 
28 
If a network supports TKIP, all broadcast traffic is encrypted using TKIP.
TKIP Usage (2014) 
Found ~6000 networks 
7% support only TKIP 
67% support TKIP 
29 
TKIP is still widely used!
Quick Background 
1.Add Message Integrity Check (MIC) 
2.Encrypt using RC4 
MIC 
Data 
Encrypted 
How are packets sent/received? 
30 
MIC key
MIC Countermeasures 
31 
MIC 
Data 
If decrypted, reveals MIC key. 
If ( two MIC failures within a minute) 
halt all traffic for 1 minute 
Oracle to decrypt last byte [WiSec ‘09]
TKIP Group Cipher 
32 
For broadcast, all clients send a MIC failure. 
Use channel-based MiTM and drop them 
Avoids MIC countermeasures 
Results 
Can obtain MIC key within 7 minutes. 
Inject/decrypt some packets [AsiaCCS ‘13] 
Use only AES-CCMP!
Questions?

More Related Content

What's hot

Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
Kunal Thakur
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
Marrion Kujinga
 

What's hot (20)

[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
 
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security PresentationSuper Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
 
Hardware Trojans By - Anupam Tiwari
Hardware Trojans By - Anupam TiwariHardware Trojans By - Anupam Tiwari
Hardware Trojans By - Anupam Tiwari
 
3.Network
3.Network3.Network
3.Network
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
 
Best!
Best!Best!
Best!
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurSneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
 
Stream Ciphers
Stream CiphersStream Ciphers
Stream Ciphers
 
Hardware trojan detection technique using side channel analysis for hardware ...
Hardware trojan detection technique using side channel analysis for hardware ...Hardware trojan detection technique using side channel analysis for hardware ...
Hardware trojan detection technique using side channel analysis for hardware ...
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Wireless hacking and security
Wireless hacking and securityWireless hacking and security
Wireless hacking and security
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Hardware Trojans
Hardware TrojansHardware Trojans
Hardware Trojans
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 

Similar to Advanced WiFi Attacks Using Commodity Hardware

Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
YuChianWu
 
Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...
Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...
Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...
iosrjce
 

Similar to Advanced WiFi Attacks Using Commodity Hardware (20)

Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
 
Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 Switches
 
Introduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigationIntroduction to layer 2 attacks & mitigation
Introduction to layer 2 attacks & mitigation
 
Challenges and experiences with IPTV from a network point of view
Challenges and experiences with IPTV from a network point of viewChallenges and experiences with IPTV from a network point of view
Challenges and experiences with IPTV from a network point of view
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handout
 
Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)
 
Hacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonHacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh Jadon
 
Synacktiv mobile communications attacks
Synacktiv mobile communications attacksSynacktiv mobile communications attacks
Synacktiv mobile communications attacks
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
 
Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...
Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...
Impact of Malicious Nodes on Throughput, Packets Dropped and Average Latency ...
 
H017615563
H017615563H017615563
H017615563
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
 
802.11i
802.11i802.11i
802.11i
 
5 ghz electronic warfare part i
5 ghz electronic warfare   part i5 ghz electronic warfare   part i
5 ghz electronic warfare part i
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
L2 Attacks.pdf
L2 Attacks.pdfL2 Attacks.pdf
L2 Attacks.pdf
 
Datalink control(framing,protocols)
Datalink control(framing,protocols)Datalink control(framing,protocols)
Datalink control(framing,protocols)
 

Advanced WiFi Attacks Using Commodity Hardware

  • 1. Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef and Frank Piessens (KU Leuven) ACSAC 2014
  • 2. WiFi assumes each station acts fairly With special hardware this isn’t the case Continuous jamming (channel unusable) Selective jamming (block specific packets) Background 2
  • 3. WiFi assumes each station acts fairly With special hardware this isn’t the case Continuous jamming (channel unusable) Selective jamming (block specific packets) Background 3 >$4000
  • 4. Our Contributions 4 A small 15$ USB allows: Study of selfish behavior Continuous & selective jamming Reliable manipulation of encrypted traffic
  • 5. Selfish Behavior Implement & study selfish behavior
  • 6. Selfish Behavior Steps taken to transmit a frame: 1.SIFS: let hardware process the frame 2.AIFSN: depends on priority of frame 3.Random backoff: avoid collisions 4.Send the packet In use SIFS AIFSN Backoff Packet 2
  • 7. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS In use SIFS AIFSN Backoff Packet 2
  • 8. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2
  • 9. Countermeasure 9 DOMINO defense system [MobiSys ‘04] detects this selfish behavior. More on this later!
  • 10. Selfish Behavior What if there are multiple selfish stations? In a collision, both frames are lost. Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. Result: Selfish clients will lower their bitrate to beat other selfish stations! Until this gives no more gain.
  • 11. Continuous Jammer 11 Want to build a continuous jammer 1.Instant transmit: disable carrier sense 2.No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Frame 1 PHY core … Frame 2
  • 12. Continuous Jammer 12 Frame 1 PHY core … Frame 2 Want to build a continuous jammer 1.Instant transmit: disable carrier sense 2.No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Infinite list!
  • 13. Continuous Jammer 13 Experiments No packets visible in monitor mode! Other devices are silenced. Default antenna gives range of ~80 meters. Amplifier gives range of ~120 meters
  • 14. Selective Jammer 14 Decides, based on the header, whether to jam the frame.
  • 15. How does it work? Physical packet Detect Init Jam 1.Detect and decode header 2.Abort receiving current frame 3.Inject dummy packet Easy Hard
  • 16. Detecting frame headers? RAM DMA Internal CPU while(recvbuff[0] == 0): pass PHY core Decodes physical WiFi signals  Can read header of frames still in the air.
  • 17. Selective Jammer: Reliability 17 Jammed beacons with many devices/positions How fast can it react? Position of first mangled byte? 1 Mpbs beacon in 2.4 GHz: position 52 6 Mpbs beacon in 5 GHz: position 88 Context: MAC header is 34 bytes
  • 18. Selective Jammer: Reliability 18 Jammed beacons with many devices/positions Conclusion 100% reliable selective jammer not possible Medium to large packets can be jammed Surprising this is possible with a limited API!
  • 19. Countermeasures 19 DOMINO defense system [MobiSys ‘04]: Assumes MAC header is still valid. Attacker has low #(corrupted frames) Thrown of the network Unfortunately it’s flawed Jammed (corrupted) frames are not authenticated, we can forge them. Pretend that a client is jamming others.
  • 20. Impact on higher-layers 20 What about higher- layer protocols?
  • 21. Impact on higher-layers 21 What if we could reliably manipulate encrypted traffic?
  • 22. Impact on higher-layers 22 What if we could reliably manipulate encrypted traffic? We could attack TKIP! not decrypt!
  • 23. Reliably Intercepting Traffic! 23 Channel-based MiTM attack Works against encrypted networks Can reliably manipulate encrypted traffic.
  • 24. Reliably Intercepting Traffic? 24 Create rogue AP with MAC address … ≠ AP  handshake fails = AP  devices communicate directly Same MAC address but different channel We forward frames between channels Handshake OK, all traffic via rogue AP Jammers will force clients to our rogue AP
  • 25. Example: attacking TKIP 25 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used It would allow us to attack TKIP. But why research TKIP? Isn’t it dead?
  • 26. Example: attacking TKIP 26 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used Used!! It would allow us to attack TKIP. But why research TKIP? Isn’t it dead?
  • 27. Why research TKIP? 27 Network can allow both TKIP and CCMP: New devices uses CCMP Old devices uses TKIP Broadcast traffic: Old devices must be able to decrypt it … Unicast traffic
  • 28. Why research TKIP? 28 If a network supports TKIP, all broadcast traffic is encrypted using TKIP.
  • 29. TKIP Usage (2014) Found ~6000 networks 7% support only TKIP 67% support TKIP 29 TKIP is still widely used!
  • 30. Quick Background 1.Add Message Integrity Check (MIC) 2.Encrypt using RC4 MIC Data Encrypted How are packets sent/received? 30 MIC key
  • 31. MIC Countermeasures 31 MIC Data If decrypted, reveals MIC key. If ( two MIC failures within a minute) halt all traffic for 1 minute Oracle to decrypt last byte [WiSec ‘09]
  • 32. TKIP Group Cipher 32 For broadcast, all clients send a MIC failure. Use channel-based MiTM and drop them Avoids MIC countermeasures Results Can obtain MIC key within 7 minutes. Inject/decrypt some packets [AsiaCCS ‘13] Use only AES-CCMP!