Advanced WiFi Attacks Using Commodity Hardware
Mathy Vanhoef (@vanhoefm), KU Leuven
BruCON 2015
Background
- WiFi assumes each station acts fairly
- With special hardware this isn't the case:
  - Continuous jamming (channel unusable)
  - Selective jamming (block specific packets)
Also with cheap hardware!
Dedicated jamming hardware costs >$4000. A small $15 USB dongle is sufficient to:
- Test selfish behavior in practice
- Build continuous & selective jammers
- Reliably manipulate encrypted traffic
Attacks are cheaper than expected (>$4000 vs ~$15), so we should be able to detect them.
Selfish Behavior
Selfish behavior in practice? Implement & test!

Steps taken to transmit a frame:
1. SIFS: let the hardware process the previous frame
2. AIFSN: depends on the priority of the frame
3. Random backoff: avoid collisions
4. Send the packet
(Timeline: medium in use | SIFS | AIFSN | backoff | packet 2)

Manipulate by modifying the Atheros firmware:
- Disable backoff
- Reduce AIFSN
- Reduce SIFS

Optimal strategy: upload throughput goes from 14 to 37 Mbps! Reducing SIFS further reduces throughput.
How to control the radio chip?
Using memory-mapped registers:
- Disable backoff:
    int *GBL_IFS_MISC = (int*)0x10F0;   /* global inter-frame-spacing misc register */
    *GBL_IFS_MISC |= IGNORE_BACKOFF;    /* flag: transmit without the random backoff */
- Reset AIFSN and SIFS:
    int *AR_DLCL_IFS = (int*)0x1040;    /* local inter-frame-spacing register */
    *AR_DLCL_IFS = 0;                   /* AIFSN and SIFS fields both set to zero */
Where does this code run?
(Diagram: the main machine runs userspace, the operating system and the driver; over USB it talks to the WiFi dongle, which contains its own CPU and the radio chip.)
The code runs on the CPU of the dongle, so firmware control is needed.
Countermeasures
The DOMINO defense system reliably detects selfish behavior [1]. More on this later!
Selfish Behavior
What if there are multiple selfish stations?
- In a collision, both frames are lost.
- Capture effect: in a collision, the frame with the best signal and the lowest bitrate is decoded. Similar to FM radio.
Demo (FM radio): the "Queen" station generally "wins" the collision with the others.

An attacker can abuse the capture effect:
- Selfish clients will lower their bitrate to beat other selfish stations!
- Until this gives no more advantage.
To increase throughput, the bitrate is lowered! The other station is reduced to background noise.
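The contention steps (SIFS, AIFSN, random backoff), the effect of a station that disables its backoff, and the capture effect between two selfish stations, as one added simulation that is not from the slides or the modwifi code. Everything is in slot-time units and every number (CW 15 to 1023, AIFSN 3, the dB margin per bitrate, station loads and signal levels) is a constructed assumption; the station that "disables backoff" and "reduces AIFSN" is the software counterpart of the IGNORE_BACKOFF and AR_DLCL_IFS changes above. The DOMINO-style check at the end is a simplification of [1]: a monitor cannot read a station's counter, only the idle time before its frames. Real hardware also spends time on ACKs and downlink traffic, which is why the measured gain is 14 to 37 Mbps rather than the starvation this model produces for a saturated cheater.

```python
import random
from collections import Counter, defaultdict

# Constructed parameters in slot-time units (802.11g-style); not from the slides.
CW_MIN, CW_MAX = 15, 1023     # contention-window limits
AIFSN_DEFAULT = 3             # AIFSN of a fair best-effort station

# Constructed assumption: signal margin (dB) over the colliding frame that the
# receiver needs to decode a frame sent at this bitrate (Mbps). Lower bitrates
# tolerate more interference, which is what the capture effect rewards.
CAPTURE_MARGIN_DB = {1: 4, 6: 7, 54: 24}


class Station:
    def __init__(self, name, signal_dbm, bitrate=54, load=1.0,
                 aifsn=AIFSN_DEFAULT, backoff=True):
        self.name, self.signal, self.bitrate = name, signal_dbm, bitrate
        self.load = load               # probability of having a frame queued
        self.aifsn = aifsn             # selfish firmware: reduced (AR_DLCL_IFS)
        self.use_backoff = backoff     # selfish firmware: disabled (IGNORE_BACKOFF)
        self.cw, self.counter = CW_MIN, 0

    def draw(self):
        self.counter = random.randint(0, self.cw) if self.use_backoff else 0

    def ready_in(self):
        """Idle slots after the medium frees up before this station transmits."""
        return self.aifsn + self.counter

    def won(self):                     # success: window back to the minimum
        self.cw = CW_MIN
        self.draw()

    def lost(self):                    # collision: double the window, redraw
        self.cw = min(2 * self.cw + 1, CW_MAX)
        self.draw()


def capture_winner(frames):
    """Capture effect: the strongest colliding frame is decoded if its margin over
    the runner-up is enough for its bitrate; otherwise every frame is lost."""
    if len(frames) == 1:
        return frames[0]
    strongest, second = sorted(frames, key=lambda s: s.signal, reverse=True)[:2]
    if strongest.signal - second.signal >= CAPTURE_MARGIN_DB[strongest.bitrate]:
        return strongest
    return None


def simulate(stations, rounds=2000, seed=7):
    """Slotted DCF contention. Returns successful frames per station and, per
    station, the idle slots a sniffer saw before each successful frame."""
    random.seed(seed)
    for s in stations:
        s.cw = CW_MIN
        s.draw()
    successes, observed_idle = Counter(), defaultdict(list)
    for _ in range(rounds):
        contenders = [s for s in stations if random.random() < s.load]
        if not contenders:
            continue
        t_min = min(s.ready_in() for s in contenders)
        winners = [s for s in contenders if s.ready_in() == t_min]
        for s in contenders:           # losers freeze their counter, no redraw
            if s not in winners and t_min > s.aifsn:
                s.counter -= t_min - s.aifsn
        decoded = capture_winner(winners)
        for s in winners:
            if s is decoded:
                successes[s.name] += 1
                observed_idle[s.name].append(t_min)
                s.won()
            else:
                s.lost()
    return successes, observed_idle


def share(successes, name, rounds=2000):
    """Fraction of the rounds in which this station got a frame through."""
    return successes[name] / rounds


def domino_backoff_test(observed_idle, ratio=0.5):
    """DOMINO-style backoff test [1], simplified: strip the standard AIFS from the
    observed idle time, average per station, and flag a station whose mean is
    far below the mean of the other stations."""
    means = {n: sum(max(0, t - AIFSN_DEFAULT) for t in v) / len(v)
             for n, v in observed_idle.items()}
    flagged = {}
    for name, mean in means.items():
        others = [m for n, m in means.items() if n != name]
        flagged[name] = bool(others) and mean < ratio * sum(others) / len(others)
    return flagged


if __name__ == "__main__":
    for label, backoff in (("all fair", True), ("D selfish", False)):
        net = [Station(n, -50) for n in "ABC"] + [Station("D", -50, load=0.5, backoff=backoff)]
        succ, idle = simulate(net)
        print(label, {n: round(share(succ, n), 2) for n in "ABCD"}, domino_backoff_test(idle))
    # Two selfish stations, A 5 dB stronger: at 54 Mbps every collision is lost,
    # at 1 Mbps A's frames are captured and B is reduced to background noise.
    for rate in (54, 1):
        succ, _ = simulate([Station("A", -40, rate, backoff=False),
                            Station("B", -45, backoff=False)], rounds=100)
        print(f"A at {rate} Mbps:", dict(succ))
```

Station D only has a frame queued half the time; as a fair station it gets a fraction of the medium, with backoff disabled it gets every round it wants, and its observed backoff of zero is what the DOMINO-style test keys on. The two-station run shows why a selfish station lowers its bitrate: at 54 Mbps the stronger station still loses every collision, at 1 Mbps it wins all of them.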
Continuous Jammer
Want to build a continuous jammer:
1. Instant transmit: disable carrier sense
2. No interruptions: queue an infinite number of packets
Frames to be transmitted are kept in a linked list read by the radio chip (Frame 1 → Frame 2 → …). Point the last frame back to the first: an infinite list!
Experiments
- Only the first packet is visible in monitor mode!
- Other devices are silenced.
- The default antenna gives a range of ~80 meters; an amplifier gives a range of ~120 meters.
Demo: Continuous Jammer
Ideally done in a shielded room… but we can try it here as well.
To prevent harm, it is only active for a few seconds.
Raspberry Pi supported!
Practical Implications
Devices in the 2.4 and 5 GHz bands:
- Home automation
- Industrial control
- Internet of Things
- …
Can easily be jammed!
Not just wild speculation…
… jammers are already used by thieves!
- $45 Chinese jammer to prevent cars from being locked [6]
- GPS jammer to disable anti-theft tracking devices in stolen cars [7]
- Disable mobile phone service after cutting phone and alarm cables [8]
Selective Jammer
Decides, based on the header, whether to jam the frame.
How does it work? (Physical packet: detect → init → jam)
1. Detect and decode the header
2. Abort receiving the current frame
3. Inject a dummy packet
Steps 2 and 3 are easy (a register write each); step 1, detecting the header while the frame is still in the air, is the hard part.
Detecting frame headers?
(Diagram: the radio chip decodes the physical WiFi signals and writes the frame into RAM via DMA; the internal CPU polls that memory.)
    while(recvbuff[0] == 0): pass
- Can read the header of frames still in the air.
In practice
1. Detect and decode the header: poll memory until data is being written (with a timeout) to detect an incoming packet. Is it a probe request or beacon? buff + 10 is the sender of the packet: is the source the target MAC address?
2. Abort receiving the current frame: set a specific bit in a register.
3. Inject the dummy packet: set TXE (transmit enable) with a pointer to the dummy packet.
Selective Jammer: Reliability
Jammed beacons with many devices/positions.
How fast can it react? Position of the first mangled byte:
- 1 Mbps beacon in 2.4 GHz: position 52
- 6 Mbps beacon in 5 GHz: position 88
Context: the MAC header is 34 bytes.
Conclusion:
- A 100% reliable selective jammer is not possible
- Medium to large packets can be jammed
- Surprising that this is possible with such a limited API!
DOMINO defense system
Also capable of detecting selective jammers [1]:
- Assumes the MAC header of a corrupted frame is still valid.
- The attacker is the station with a low number of corrupted frames (everyone else's frames get mangled) and is thrown off the network.
Unfortunately it's flawed:
- Jammed (corrupted) frames are not authenticated, so we can forge them.
- Pretend that an innocent client is jamming the others.
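The jammer's header decision (probe request or beacon? sender at buff + 10 equal to the target?) and the DOMINO flaw just described, as one added example that is not from the slides or the modwifi code. Frames are built in software with a 24-byte MAC header and a real CRC-32 FCS; a "jammed" frame is simulated by flipping one body byte so the header survives but the FCS fails. The addresses and the thresholds in the DOMINO-style test are constructed assumptions, and that test is my simplification of [1]: the station whose own frames are rarely corrupted while everyone else's are gets thrown off.

```python
import struct
import zlib
from collections import Counter

MGMT, DATA = 0, 2          # frame-control type field
PROBE_REQ, BEACON = 4, 8   # management subtypes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", seq=0):
    """Constructed test frame: 24-byte MAC header, body, little-endian CRC-32 FCS."""
    fc = (ftype << 2) | (subtype << 4)           # protocol version 0, no flags
    header = (struct.pack("<HH", fc, 0) + mac_bytes(addr1) + mac_bytes(addr2)
              + mac_bytes(addr3) + struct.pack("<H", seq << 4))
    data = header + body
    return data + struct.pack("<I", zlib.crc32(data))


def parse_header(frame):
    """What the jammer can read once the first header bytes land in memory:
    type/subtype from frame control, receiver at offset 4, sender at offset 10."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16])}


def should_jam(frame, target_mac):
    """Selective jammer decision from the slides: beacon or probe request whose
    sender (buff + 10) is the target. Everything else is left alone."""
    h = parse_header(frame)
    return (h["type"] == MGMT and h["subtype"] in (PROBE_REQ, BEACON)
            and h["addr2"] == target_mac.lower())


def fcs_ok(frame):
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


def jammed(frame):
    """Stand-in for a frame mangled in the air: header bytes survive, one body
    byte is flipped, so the FCS no longer matches."""
    f = bytearray(frame)
    f[24] ^= 0xFF
    return bytes(f)


def domino_jammer_test(captured, ratio=0.5, min_others=0.2):
    """DOMINO-style scrambled-frames test [1], simplified: attribute every frame,
    corrupted or not, to addr2 (the header is trusted even when the FCS failed)
    and flag a station whose corruption rate is far below the other stations'
    while theirs is substantial. Returns the stations thrown off the network."""
    total, bad = Counter(), Counter()
    for frame in captured:
        sender = parse_header(frame)["addr2"]
        total[sender] += 1
        if not fcs_ok(frame):
            bad[sender] += 1
    rate = {mac: bad[mac] / total[mac] for mac in total}
    flagged = set()
    for mac, r in rate.items():
        others = [v for m, v in rate.items() if m != mac]
        if not others:
            continue
        mean_others = sum(others) / len(others)
        if mean_others >= min_others and r < ratio * mean_others:
            flagged.add(mac)
    return flagged


def forge_jammed_frames(client_macs, ap_mac, count):
    """The attack on the slides: nothing authenticates a corrupted frame, so the
    attacker transmits 'jammed' frames carrying other clients' addresses. Every
    client except the chosen victim now looks jammed, and the victim, whose own
    frames are clean, looks like the jammer."""
    return [jammed(build_frame(DATA, 0, ap_mac, mac, ap_mac, b"\x00" * 32, seq=i))
            for i in range(count) for mac in client_macs]
```

With ten clean frames from each of three clients nobody is flagged; add ten forged corrupted frames in the names of two of them and the third, untouched client is the one DOMINO removes.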
Demo: Selective Jammer
Avoiding harmful interference:
- Target is in an (unused?) 5 GHz channel
- Will only run for a few seconds
If you do more extensive tests… the code is online!
modwifi.bitbucket.org (github.com/vanhoefm/modwifi)
Scenarios where (selective) jammers are useful?
1. Attack WiFi geolocation
Location is determined by nearby SSIDs.
Geolocation attack [9]:
- Inject SSIDs present at another location
- Can only spoof a location that has more APs than the real one
- Solution: selectively jam the nearby APs
- Never blindly trust WiFi geolocation!
2. As a defense system
Turn the tables around: use jamming to protect a network
- Selectively jam rogue APs
- Wearable shield that protects medical implants by constantly sending a jamming signal [10]
- … (active research topic)
May not be legal?
Blocking personal hotspots:
- Done by Marriott and Smart City Holdings
- Complaints were filed with the FCC
- Settled for fines of $600,000 and $750,000
Is blocking malicious or rogue hotspots legal?
Impact on higher layers
What about higher-layer protocols? What if we could reliably manipulate (not decrypt!) encrypted traffic? We could attack WPA-TKIP!
Reliably Intercepting Traffic!
Channel-based MitM attack:
- Works against any encrypted network
- Can reliably manipulate encrypted traffic.
Strawman: different MAC
Cloned MAC addresses different from the target? (AP ↔ Attacker ↔ Client)
The handshake verifies the MAC addresses and fails.
Strawman: same MAC
Same MAC addresses (as AP and client), on the same channel (channel 1)?
The AP and client communicate directly, bypassing the attacker.
Solution: channel-based
Same addresses, rogue AP on a different channel: the handshake will succeed → intercept traffic!
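The two strawmen and the channel-based solution above, as an added example that is not from the slides or the modwifi code. It derives the PTK the way WPA2-PSK does (PBKDF2 for the PMK, PRF over both MAC addresses and both nonces), so the MIC on handshake message 2 only verifies when the AP and the client used the same pair of addresses: rewriting either address breaks it, relaying unchanged from another channel does not. The passphrase, SSID, addresses and nonces are constructed, the EAPOL frame is a stand-in byte string rather than a real 802.1X frame, and the same-channel strawman (the real AP simply hears the client directly) is a radio-layer problem this code cannot show.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """The PTK binds both MAC addresses (AA of the AP, SPA of the client) and both
    nonces, each pair sorted; 48 bytes for CCMP = KCK (16) | KEK (16) | TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, eapol_frame):
    """Key MIC for WPA2 with CCMP: HMAC-SHA1 over the EAPOL-Key frame (MIC field
    zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed stand-in for the EAPOL-Key message 2 bytes the MIC is computed over.
MSG2_TEMPLATE = b"EAPOL-Key message 2 (constructed stand-in) snonce="


def client_msg2(pmk, aa_seen, spa, anonce, snonce):
    """Client side: derive the PTK with the AP address it is talking to, sign msg2."""
    kck = derive_ptk(pmk, aa_seen, spa, anonce, snonce)[:16]
    return snonce, eapol_mic(kck, MSG2_TEMPLATE + snonce)


def ap_verify_msg2(pmk, aa, spa_seen, anonce, msg2):
    """AP side: derive the PTK with the transmitter address msg2 arrived from."""
    snonce, mic = msg2
    kck = derive_ptk(pmk, aa, spa_seen, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, MSG2_TEMPLATE + snonce), mic)


def strawman_different_mac(pmk, ap, client, attacker, anonce, snonce):
    """Rogue AP and rogue client both use the attacker's own MAC: the client binds
    its PTK to the rogue AP's address, the real AP to the rogue client's address."""
    msg2 = client_msg2(pmk, attacker, client, anonce, snonce)   # client -> rogue AP
    return ap_verify_msg2(pmk, ap, attacker, anonce, msg2)       # rogue client -> AP


def channel_based_mitm(pmk, ap, client, anonce, snonce):
    """Rogue AP clones the real AP's MAC on another channel, the rogue client
    clones the real client's MAC, and every frame is forwarded unchanged: both
    ends derive the same PTK and the handshake completes through the attacker."""
    msg2 = client_msg2(pmk, ap, client, anonce, snonce)   # relayed, not rewritten
    return ap_verify_msg2(pmk, ap, client, anonce, msg2)
```

The passphrase/SSID pair "password"/"IEEE" is the PBKDF2 test vector from the 802.11 standard, so the PMK step can be checked against a known value; the handshake outcome is what the slides' diagrams state, now as a computation: address mismatch fails, transparent relay on another channel succeeds, and the attacker never needs the key to sit in the middle.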
Example 1: attacking TKIP
- It would allow us to attack TKIP.
- But why research TKIP? Isn't it dead?
Timeline: WEP (1999, not used), TKIP (2002, not used? Used!!), AES-CCMP (2004, mainly used).
Why research TKIP?
A network can allow both TKIP and CCMP:
- New devices use CCMP
- Old devices use TKIP
Unicast traffic: each device uses its own cipher. Broadcast traffic: the old devices must be able to decrypt it…
If a network supports TKIP, all broadcast traffic is encrypted using it.
TKIP Usage (2014)
Found ~6000 networks: 7% support only TKIP, 67% support TKIP. TKIP is still widely used!
Quick Background
How are packets sent/received?
1. Add a Message Integrity Check (MIC) to the data
2. Encrypt data and MIC using RC4 (bad! see rc4nomore.com)
MIC Countermeasures
The MIC appended to the data, if decrypted, reveals the MIC key.
- The client sends a MIC failure report to the AP
- If there are two MIC failures within a minute, the AP halts all traffic for 1 minute
Abuse this to decrypt the last byte(s) of a packet [3]
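The "if decrypted, reveals the MIC key" point above, as an added example that is not from the slides or the modwifi code. TKIP's MIC is Michael, a 64-bit keyed function whose every step (rotate, byte-swap, add) is invertible, so a single decrypted (plaintext, MIC) pair can be run backwards to the key; TKIP computes it over DA | SA | priority | 3 zero bytes | plaintext. The key, addresses and payload below are constructed; the empty-message test vector is the one from the 802.11 standard.

```python
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x):
    """Swap the two bytes inside each 16-bit half."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def block(l, r):
    """Michael round function b(L, R)."""
    r ^= rol(l, 17); l = (l + r) & MASK
    r ^= xswap(l);   l = (l + r) & MASK
    r ^= rol(l, 3);  l = (l + r) & MASK
    r ^= ror(l, 2);  l = (l + r) & MASK
    return l, r


def block_inverse(l, r):
    """Same steps in reverse order with the additions undone."""
    l = (l - r) & MASK; r ^= ror(l, 2)
    l = (l - r) & MASK; r ^= rol(l, 3)
    l = (l - r) & MASK; r ^= xswap(l)
    l = (l - r) & MASK; r ^= rol(l, 17)
    return l, r


def pad(msg):
    """Michael padding: 0x5a, then 4 to 7 zero bytes up to a multiple of 4."""
    return msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 5)) % 4)


def words(data):
    return struct.unpack("<%dI" % (len(data) // 4), data)


def michael(key, msg):
    """Michael MIC: state starts as the 64-bit key, each message word is XORed
    into L and the round function applied; the final state is the MIC."""
    l, r = struct.unpack("<II", key)
    for w in words(pad(msg)):
        l ^= w
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def michael_recover_key(msg, mic):
    """Run the rounds backwards from the MIC: the state you land on is the key."""
    l, r = struct.unpack("<II", mic)
    for w in reversed(words(pad(msg))):
        l, r = block_inverse(l, r)
        l ^= w
    return struct.pack("<II", l, r)


def tkip_mic_input(da, sa, priority, payload):
    return da + sa + bytes([priority, 0, 0, 0]) + payload


def tkip_mic(mic_key, da, sa, priority, payload):
    return michael(mic_key, tkip_mic_input(da, sa, priority, payload))


def recover_tkip_mic_key(da, sa, priority, payload, mic):
    """What an attacker does with one decrypted TKIP packet: plaintext plus its
    decrypted MIC hand over the MIC key, after which forged packets carry a
    valid MIC."""
    return michael_recover_key(tkip_mic_input(da, sa, priority, payload), mic)
```

This is why the countermeasures exist at all: decrypting the last bytes of a single packet through the MIC-failure oracle is enough to take the MIC key, and with the key in hand the attacker can inject packets that pass the integrity check.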
TKIP Group Cipher
For broadcast, all clients send a MIC failure report.
- Use the channel-based MitM and drop them
- Avoids the MIC countermeasures
Resulting attack:
- Can obtain the MIC key within 7 minutes.
- Inject & decrypt some packets [3,4]
Only allow AES-CCMP!
Firmware vs. driver
(Diagram: a USB dongle contains its own CPU and radio chip; an internal PCI chip contains only the radio chip. Both sit below the driver, operating system and userspace on the main machine.)
Internal chip: only driver control is needed!
FCC Security Proposal
How to mitigate low-layer attacks? Secure either the hardware or the software.
Relevant FCC proposal: "only software that has been approved with a particular radio can be loaded into that radio"
- The device will only run signed software
62
Weather radar example:
 Operate in 5 GHz band
 WiFi can interfere with them
 FCC had to deal with several
cases of intentional interference
Software control of frequency, transmit power,…
 Prevent operation outside allowed ranges
Reason for concern
The proposed rule is too strict:
- Requires signed software, no alternatives
- No definition of "radio" or "device" is given!
Better proposal: "implement security features so the device never operates outside radio parameters for which the device was certified" (see "A case for open radio firmware")
Unclear how to best prevent our attacks… cheap triangulators??
@vanhoefm
modwifi.bitbucket.com
Questions?
References
1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in IEEE 802.11 hotspots. In MobiSys, 2004.
2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against WPA Enterprise authentication. In NDSS, 2013.
3. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIACCS, 2013.
4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014.
5. J. Robertson and M. Riley. Mysterious '08 Turkey pipeline blast opened new cyberwar. Bloomberg, 2014.
6. C. Cox. Hi-tech car thieves hit the streets with £30 jamming devices bought over the internet. Manchester Evening News, 2014.
7. C. Arthur. Car thieves using GPS 'jammers'. The Guardian, 2010.
8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. Orlando Sentinel, 2011.
9. P. Dandumont. Don't trust geolocation! Retrieved 5 October 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/
10. S. Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011.
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 

Recently uploaded (20)

Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 

Advanced WiFi Attacks Using Commodity Hardware

  • 1. Advanced WiFi Attacks Using Commodity Hardware
    Mathy Vanhoef (@vanhoefm), KU Leuven
    BruCON 2015
  • 2. Background
    - WiFi assumes each station acts fairly
    - With special hardware this isn’t the case
    - Continuous jamming (channel unusable)
    - Selective jamming (block specific packets)
  • 3. Background
    - WiFi assumes each station acts fairly
    - With special hardware this isn’t the case
    - Continuous jamming (channel unusable)
    - Selective jamming (block specific packets)
    (Pictured hardware: >$4000)
  • 4. Also with cheap hardware!
    Small $15 USB dongle sufficient to:
    - Test selfish behavior in practice
    - Continuous & selective jamming
    - Reliable manipulation of encrypted traffic
  • 5. Also with cheap hardware!
    Attacks are cheaper than expected → should be able to detect them.
    (>$4000 vs. ~$15)
  • 6. Selfish Behavior
    Selfish behavior in practice? Implement & test!
  • 7. Selfish Behavior
    Steps taken to transmit a frame:
    1. SIFS: let hardware process the frame
    2. AIFSN: depends on priority of frame
    3. Random backoff: avoid collisions
    4. Send the packet
    (Diagram, timeline: In use | SIFS | AIFSN | Backoff | Packet 2)
  • 8. Selfish Behavior
    Steps taken to transmit a frame (diagram, timeline: In use | SIFS | AIFSN | Backoff | Packet 2)
    Manipulate by modifying Atheros firmware:
    - Disable backoff
    - Reduce AIFSN
    - Reduce SIFS
  • 9. Selfish Behavior
    Steps taken to transmit a frame (diagram, timeline: In use | SIFS | AIFSN | Backoff | Packet 2)
    Manipulate by modifying Atheros firmware:
    - Disable backoff
    - Reduce AIFSN
    - Reduce SIFS
    Optimal strategy: from 14 to 37 Mbps
    Reduces throughput
  • 10. Selfish Behavior
    Steps taken to transmit a frame (diagram, timeline: In use | SIFS | AIFSN | Backoff | Packet 2)
    Manipulate by modifying Atheros firmware:
    - Disable backoff
    - Reduce AIFSN
    - Reduce SIFS
    Optimal strategy: from 14 to 37 Mbps
    Reduces throughput
    Upload!
  • 11. How to control radio chip?
    Using memory mapped registers
    - Disable backoff:
        int *GBL_IFS_MISC = (int*)0x10F0;
        *GBL_IFS_MISC |= IGNORE_BACKOFF;
    - Reset AIFSN and SIFS:
        int *AR_DLCL_IFS = (int*)0x1040;
        *AR_DLCL_IFS = 0;
  • 12. Location of this code?
    (Diagram: Main machine [Userspace, Operating System, Driver] connected over USB to WiFi Dongle [CPU, radio chip])
    Code runs on CPU of dongle → firmware control needed
  • 13. Countermeasures
    DOMINO defense system reliably detects selfish behavior [1]. More on this later!
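The detection side of slides 7 to 13, as an added example that is not code from the talk or from DOMINO: an observer converts the idle gap seen before each of a station's transmissions into backoff slots and flags a station whose mean backoff is far below the fair expectation (CW_min / 2) or that repeatedly transmits before AIFS has elapsed. The timing constants (SLOT_US, SIFS_US, AIFSN_BE, CW_MIN), the function names and both stations' gap samples are assumptions constructed for this example.

```python
"""DOMINO-style backoff check (added example; not code from the talk or from DOMINO).

The observer records the idle gap before each transmission of a station and
converts it into backoff slots; a fair station draws its backoff uniformly from
[0, CW_MIN], so its mean should sit near CW_MIN / 2. Timing constants and all
samples below are assumed/constructed for this example.
"""
from statistics import mean

SLOT_US = 9     # slot time (assumed 802.11a/g-style values)
SIFS_US = 16    # short interframe space
AIFSN_BE = 3    # AIFSN of the best-effort access category
CW_MIN = 15     # initial contention window


def aifs_us(aifsn: int = AIFSN_BE) -> int:
    """AIFS = SIFS + AIFSN slots; must elapse before the backoff countdown starts."""
    return SIFS_US + aifsn * SLOT_US


def idle_gap_to_slots(gap_us: float, aifsn: int = AIFSN_BE) -> float:
    """Backoff slots implied by an idle gap; negative means the station fired before AIFS ended."""
    return (gap_us - aifs_us(aifsn)) / SLOT_US


def assess_station(gaps_us, tolerance: float = 0.5, max_violation_ratio: float = 0.05) -> dict:
    """Flag a station whose mean backoff is below tolerance * CW_MIN/2 (backoff disabled)
    or whose share of pre-AIFS transmissions exceeds max_violation_ratio (AIFSN/SIFS reduced)."""
    slots = [idle_gap_to_slots(g) for g in gaps_us]
    violations = sum(1 for s in slots if s < 0)
    mean_slots = mean(slots)
    expected = CW_MIN / 2
    selfish = mean_slots < tolerance * expected or violations / len(slots) > max_violation_ratio
    return {"samples": len(slots), "mean_slots": mean_slots, "expected_slots": expected,
            "aifs_violations": violations, "selfish": selfish}


# Constructed idle gaps (microseconds) before 40 transmissions of each station.
# Fair station: AIFS plus a backoff that cycles through every value in 0..15.
FAIR_GAPS = [aifs_us() + ((7 * i + 3) % 16) * SLOT_US for i in range(40)]
# Modified station: backoff disabled (gap == AIFS), and half the time a shortened
# AIFS so that it transmits 13 us before AIFS would have ended.
SELFISH_GAPS = [aifs_us()] * 20 + [aifs_us() - 13] * 20

if __name__ == "__main__":
    for name, gaps in (("fair", FAIR_GAPS), ("selfish", SELFISH_GAPS)):
        print(name, assess_station(gaps))
```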
  • 14. Selfish Behavior
    What if there are multiple selfish stations?
    - In a collision, both frames are lost.
    - Capture effect: in a collision, the frame with the best signal and lowest bitrate is decoded. Similar to FM radio.
    Demo: the Queen station generally “wins” the collision with others.
  • 16. Selfish Behavior
    Attacker can abuse capture effect
    - Selfish clients will lower their bitrate to beat other selfish stations!
    - Until this gives no more advantage.
    To increase throughput, bitrate is lowered!
    - Other station = background noise
  • 17. Continuous Jammer
    Want to build a continuous jammer
    1. Instant transmit: disable carrier sense
    2. No interruptions: queue infinite #packets
    Frames to be transmitted are in a linked list:
    (Diagram: radio chip → Frame 1 → Frame 2 → …)
  • 18. Continuous Jammer
    Want to build a continuous jammer
    1. Instant transmit: disable carrier sense
    2. No interruptions: queue infinite #packets
    Frames to be transmitted are in a linked list:
    (Diagram: radio chip → Frame 1 → Frame 2 → …) Infinite list!
  • 19. Continuous Jammer
    Experiments
    - Only first packet visible in monitor mode!
    - Other devices are silenced.
    Default antenna gives range of ~80 meters.
    Amplifier gives range of ~120 meters.
  • 20. Demo: Continuous Jammer
    Ideally done in a shielded room … but we can try it here as well.
    To prevent harm, only active for a few seconds.
  • 22. Practical Implications
    Devices in 2.4 and 5 GHz bands?
    - Home automation
    - Industrial control
    - Internet of Things
    - …
    Can easily be jammed!
  • 23. Practical Implications
    Devices in 2.4 and 5 GHz bands?
  • 24. Practical Implications
    Devices in 2.4 and 5 GHz bands?
  • 25. Not just wild speculation …
    … jammers are already used by thieves!
    - $45 Chinese jammer to prevent cars from being locked [6]
    - GPS jammer to disable anti-theft tracking devices in stolen cars [7]
    - Disable mobile phone service after cutting phone and alarm cables [8]
  • 26. Selective Jammer
    Decides, based on the header, whether to jam the frame.
  • 27. How does it work?
    (Diagram of a physical packet: Detect | Init | Jam)
    1. Detect and decode header
    2. Abort receiving current frame
    3. Inject dummy packet
  • 28. How does it work?
    (Diagram of a physical packet: Detect | Init | Jam; steps annotated Easy / Hard)
    1. Detect and decode header
    2. Abort receiving current frame
    3. Inject dummy packet
  • 29. Detecting frame headers?
    (Diagram: radio chip writes received frames into RAM via DMA; the internal CPU polls that memory)
        while(recvbuff[0] == 0): pass
    Radio chip decodes physical WiFi signals → can read header of frames still in the air.
  • 30. In practice
    1. Detect and decode header
    2. Abort receiving current frame
    3. Inject dummy packet
    Detect incoming packet: poll memory until data is being written (with a timeout).
  • 31. In practice
    1. Detect and decode header
    2. Abort receiving current frame
    3. Inject dummy packet
    Probe request or beacon? buff + 10: sender of packet; compare source with target MAC address.
  • 32. In practice
    1. Detect and decode header
    2. Abort receiving current frame
    3. Inject dummy packet
    Set specific bit in register.
  • 33. In practice
    1. Detect and decode header
    2. Abort receiving current frame
    3. Inject dummy packet
    TXE: Transmit (TX) enable (E); pointer to dummy packet.
  • 34. Selective Jammer: Reliability
    Jammed beacons with many devices/positions.
    How fast can it react? Position of first mangled byte?
    - 1 Mbps beacon in 2.4 GHz: position 52
    - 6 Mbps beacon in 5 GHz: position 88
    Context: MAC header is 34 bytes.
  • 35. Selective Jammer: Reliability
    Jammed beacons with many devices/positions.
    Conclusion
    - 100% reliable selective jammer not possible
    - Medium to large packets can be jammed
    - Surprising this is possible with a limited API!
  • 36. DOMINO defense system
    Also capable of detecting selective jammers
    - Assumes MAC header is still valid.
    - Attacker has low #(corrupted frames) → thrown off the network
    Unfortunately it’s flawed
    - Jammed (corrupted) frames are not authenticated, we can forge them.
    - Pretend that a client is jamming others.
  • 37. Demo: Selective Jammer
    Avoiding harmful interference:
    - Target is in (unused?) 5 GHz channel
    - Will only run for a few seconds
    If you do more extensive tests …
  • 38. Code is online!
    modwifi.bitbucket.org ( github.com/vanhoefm/modwifi )
    Scenarios where (selective) jammers are useful?
  • 39. 1. Attack WiFi geolocation
    Location determined by nearby SSIDs.
    Geolocation attack [9]
    - Inject SSIDs present at other location
    - Can only spoof location having more APs
    - Solution: selectively jam nearby APs
    - Never blindly trust WiFi geolocation!
  • 40. 2. As defense system
    Turn the tables around: use jamming to protect a network
    - Selectively jam rogue APs
    - Wearable shield to protect medical implants that constantly sends a jamming signal [10]
    - … (active research topic)
  • 41. 2. As defense system
    May not be legal? Blocking personal hotspots:
    - Done by Marriott and Smart City Holdings
    - Complaint was filed to the FCC
    - Settled for fines of $600,000 and $750,000
    Is blocking malicious or rogue hotspots legal?
  • 42. Impact on higher layers
    What about higher-layer protocols?
  • 43. Impact on higher layers
    What if we could reliably manipulate (not decrypt!) encrypted traffic?
    We could attack WPA-TKIP!
  • 44. Reliably Intercepting Traffic!
    Channel-based MiTM attack
    - Works against any encrypted network
    - Can reliably manipulate encrypted traffic.
  • 45. Strawman: different MAC
    Cloned MAC addresses different from target?
    (Diagram: AP, Client, Attacker)
  • 46. Strawman: different MAC
    Cloned MAC addresses different from target?
    (Diagram: AP, Client, Attacker)
    Handshake verifies MAC addresses and fails.
  • 47. Strawman: different MAC
    Same MAC addresses (as AP and client)?
    (Diagram: AP, Client, Attacker)
  • 48. Strawman: different MAC
    Same MAC addresses (as AP and client)?
    (Diagram: AP, Client, Attacker, all on Channel 1)
    AP and client directly communicate.
  • 49. Solution: channel-based
    Same addresses, rogue AP on different channel
    (Diagram: AP, Client, Attacker)
    Handshake will succeed → intercept traffic!
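What the channel-based setup of slides 45 to 49 looks like from the defender's side, as an added example that is not from the talk: a monitor-mode beacon check that flags a BSSID beaconing on two channels at once, or a beacon received on a channel other than the one it advertises. The Beacon type, detect_cloned_ap and all BSSIDs, SSIDs and timestamps are constructed for this example.

```python
"""Beacon check for a cloned AP on another channel (added example, not from the talk).

Input: beacons captured on a monitor interface while hopping channels; the
capture channel comes from the radiotap header, the advertised channel from the
beacon's DS Parameter Set element. All sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    t: float          # capture time in seconds
    bssid: str
    ssid: str
    rx_channel: int   # channel the sniffer was tuned to when it received the frame
    ds_channel: int   # channel the beacon claims to be sent on


def detect_cloned_ap(beacons, window_s: float = 5.0) -> list:
    """Return sorted (bssid, kind, detail) alerts; kinds are
    'channel-mismatch' (rx channel != advertised channel) and
    'multi-channel' (same BSSID beaconing on two channels within window_s)."""
    alerts = set()
    last_seen = {}  # (bssid, rx_channel) -> time of the most recent beacon
    for b in sorted(beacons, key=lambda x: x.t):
        if b.rx_channel != b.ds_channel:
            alerts.add((b.bssid, "channel-mismatch",
                        f"received on ch {b.rx_channel}, advertises ch {b.ds_channel}"))
        for (bssid, ch), t in last_seen.items():
            if bssid == b.bssid and ch != b.rx_channel and b.t - t <= window_s:
                lo, hi = sorted((ch, b.rx_channel))
                alerts.add((bssid, "multi-channel", f"ch {lo} and ch {hi} within {window_s}s"))
        last_seen[(b.bssid, b.rx_channel)] = b.t
    return sorted(alerts)


# Constructed capture: a legitimate AP on channel 1, an unrelated AP on channel 11,
# and a second sender using the first AP's BSSID and SSID on channel 6.
AP = "aa:bb:cc:dd:ee:01"      # placeholder BSSID
OTHER = "aa:bb:cc:dd:ee:02"   # placeholder BSSID
SAMPLE_BEACONS = [
    Beacon(0.00, AP, "CorpNet", 1, 1),
    Beacon(0.05, OTHER, "Guest", 11, 11),
    Beacon(0.10, AP, "CorpNet", 1, 1),
    Beacon(0.12, AP, "CorpNet", 6, 6),    # same BSSID, different channel
    Beacon(0.15, OTHER, "Guest", 11, 11),
    Beacon(0.20, AP, "CorpNet", 1, 1),
    Beacon(0.30, AP, "CorpNet", 6, 1),    # arrived on ch 6 but still advertises ch 1
]

if __name__ == "__main__":
    for alert in detect_cloned_ap(SAMPLE_BEACONS):
        print(*alert, sep=" | ")
```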
  • 50. Example 1: attacking TKIP
    - It would allow us to attack TKIP.
    - But why research TKIP? Isn’t it dead?
    (Timeline: 1999 WEP, 2002 TKIP, 2004 AES-CCMP)
  • 51. Example 1: attacking TKIP
    (Timeline: 1999 WEP: not used; 2002 TKIP: not used?; 2004 AES-CCMP: mainly used)
    - It would allow us to attack TKIP.
    - But why research TKIP? Isn’t it dead?
  • 52. Example 1: attacking TKIP
    (Timeline: 1999 WEP: not used; 2002 TKIP: used!!; 2004 AES-CCMP: mainly used)
    - It would allow us to attack TKIP.
    - But why research TKIP? Isn’t it dead?
  • 53. Why research TKIP?
    Network can allow both TKIP and CCMP:
    - New devices use CCMP
    - Old devices use TKIP
    Broadcast traffic:
    - Old devices must be able to decrypt it …
    (Diagram contrasts unicast traffic with broadcast traffic)
  • 54. Why research TKIP?
    If a network supports TKIP, all broadcast traffic is encrypted using it.
  • 55. TKIP Usage (2014)
    Found ~6000 networks
    7% support only TKIP
    67% support TKIP
    TKIP is still widely used!
  • 56. Quick Background
    How are packets sent/received?
    1. Add Message Integrity Check (MIC)
    2. Encrypt using RC4
    (Diagram: [Data | MIC] → Encrypted)
    Bad! See rc4nomore.com
  • 57. MIC Countermeasures
    (Diagram: [Data | MIC]; if decrypted, reveals MIC key.)
    Client sends MIC failure report to AP.
    If two MIC failures occur within a minute, AP halts all traffic for 1 minute.
  • 58. MIC Countermeasures
    (Diagram: [Data | MIC]; if decrypted, reveals MIC key.)
    Client sends MIC failure report to AP.
    If two MIC failures occur within a minute, AP halts all traffic for 1 minute.
    Abuse to decrypt last byte(s) [3]
  • 59. TKIP Group Cipher
    For broadcast, all clients send a MIC failure.
    - Use channel-based MiTM and drop them
    - Avoids MIC countermeasures
    Resulting attack
    - Can obtain MIC key within 7 minutes.
    - Inject & decrypt some packets [3,4]
    → Only allow AES-CCMP!
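A way to audit your own networks for the exposure described in slides 53 to 59, as an added example that is not the author's code: a parser for the RSN (WPA2) or legacy WPA information element of a beacon that reports the group cipher, which protects all broadcast traffic, and the pairwise ciphers, then classifies the network into the categories of the 2014 survey slide (TKIP only, TKIP allowed, no TKIP). The function names and the three sample information elements are constructed; the element layouts and suite-type numbers follow the standard RSN/WPA encoding.

```python
"""RSN/WPA cipher audit (added example, not the talk's code).

Parses the RSN (WPA2) or legacy WPA information element of a beacon, reports the
group cipher (which protects every broadcast frame) and the pairwise ciphers, and
classifies the network the way the 2014 survey slide does. Sample IEs are constructed.
"""
import struct
from dataclasses import dataclass

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selector OUI
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the original WPA vendor IE
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}


@dataclass
class CipherInfo:
    kind: str        # "RSN" (WPA2) or "WPA"
    group: str       # cipher for broadcast/multicast traffic
    pairwise: list   # ciphers a client may negotiate for unicast traffic


def _suite_name(suite: bytes) -> str:
    oui, suite_type = suite[:3], suite[3]
    if oui not in (RSN_OUI, WPA_OUI):
        return f"vendor-{oui.hex()}-{suite_type}"
    return CIPHER_NAMES.get(suite_type, f"unknown-{suite_type}")


def parse_cipher_ie(ie: bytes) -> CipherInfo:
    """Parse a raw RSN IE (element ID 48) or WPA IE (ID 221, OUI 00-50-F2, type 1)."""
    element_id, length = ie[0], ie[1]
    body = ie[2:2 + length]
    if element_id == 48:
        kind, off = "RSN", 0
    elif element_id == 221 and body[:4] == WPA_OUI + b"\x01":
        kind, off = "WPA", 4
    else:
        raise ValueError("not an RSN or WPA information element")
    version, = struct.unpack_from("<H", body, off)
    if version != 1:
        raise ValueError(f"unsupported RSN/WPA version {version}")
    group = _suite_name(body[off + 2:off + 6])
    count, = struct.unpack_from("<H", body, off + 6)
    pos = off + 8
    pairwise = [_suite_name(body[pos + 4 * i:pos + 4 * i + 4]) for i in range(count)]
    return CipherInfo(kind, group, pairwise)


def classify(info: CipherInfo) -> str:
    """'TKIP only', 'TKIP allowed' (mixed mode: a TKIP group cipher covers broadcast) or 'no TKIP'."""
    ciphers = {info.group, *info.pairwise}
    if ciphers == {"TKIP"}:
        return "TKIP only"
    return "TKIP allowed" if "TKIP" in ciphers else "no TKIP"


def tkip_share(classes) -> tuple:
    """(fraction of networks that are TKIP-only, fraction that allow TKIP at all)."""
    n = len(classes)
    return sum(c == "TKIP only" for c in classes) / n, sum(c != "no TKIP" for c in classes) / n


# Constructed IEs: mixed WPA2 (TKIP group, CCMP+TKIP pairwise), CCMP-only WPA2, WPA with TKIP only.
MIXED_RSN = bytes.fromhex("3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")
CCMP_ONLY_RSN = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA_TKIP = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
```

Run over the RSN/WPA elements of every beacon your scanner collects, the tkip_share numbers correspond directly to the "7% support only TKIP / 67% support TKIP" figures of the survey slide.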
  • 60. Firmware vs. driver
    (Diagram: Main machine [Userspace, Operating System, Driver] connected over USB to a WiFi Dongle [CPU, radio chip], or over PCI to an internal chip [radio chip])
    Internal chip: only driver control needed!
  • 61. FCC Security Proposal
    How to mitigate low-layer attacks?
    - Secure either hardware or software
    Relevant FCC proposal: “only software that has been approved with a particular radio can be loaded into that radio”
    → Device will only run signed software
  • 62. Goal: prevent interference
    Weather radar example:
    - Operate in 5 GHz band
    - WiFi can interfere with them
    - FCC had to deal with several cases of intentional interference
    Software control of frequency, transmit power, …
    → Prevent operation outside allowed ranges
  • 63. Reason for concern
    The proposed rule is too strict
    - Requires signed software, no alternatives
    - No definition of “radio” or “device” is given!
    Better proposal:
    - “implement security features so the device never operates outside radio parameters for which the device was certified”
    Unclear how to best prevent our attacks … … cheap triangulators??
  • 64. Reason for concern
    The proposed rule is too strict
    - Requires signed software, no alternatives
    - No definition of “radio” or “device” is given!
    Better proposal:
    - “implement security features so the device never operates outside radio parameters for which the device was certified”
    See “A case for open radio firmware”
    Unclear how to best prevent our attacks … … cheap triangulators??
  • 66. References
    1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in IEEE 802.11 hotspots. In MobiSys, 2004.
    2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against WPA Enterprise authentication. In NDSS, Apr. 2013.
    3. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIACCS, 2013.
    4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014.
    5. J. Robertson and M. Riley. Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar. In Bloomberg, 2014.
    6. C. Cox. Hi-tech car thieves hit the streets with £30 jamming devices bought over the internet. In Manchester Evening News, 2014.
  • 67. References
    7. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010.
    8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. In Orlando Sentinel, 2011.
    9. P. Dandumont. Don’t trust geolocation! Retrieved 5 October, 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/
    10. Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011.