SlideShare a Scribd company logo

Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf

Y
YuChianWu

This document discusses various flaws in Wi-Fi security related to frame aggregation and fragmentation. It begins by providing background on advancements in Wi-Fi security over time. It then details three categories of flaws: design flaws related to assumptions in aggregation and fragmentation, implementation flaws in how devices handle aggregated and fragmented frames, and trivial injection flaws in some devices. Specific attacks are demonstrated that exploit flaws in how encrypted frames are aggregated, how fragments are reassembled after key changes, and how plaintext and fragmented frames are handled. Defenses are proposed to address each category of flaws.

Engineering
1 of 80
Download to read offline
FragAttacks Breaking Wi-Fi Through Frame Aggregation and Fragmentation Mathy Vanhoef 4-5 August, Black Hat USA (Virtual)
Advancements in Wi-Fi security 2 1999 Wired Equivalent Privacy (WEP) › Horribly broken [FMS01] Early 2000 Wi-Fi Protected Access (WPA and WPA2) › Offline dictionary attacks › KRACK and Kraken attack [VP17,VP18] › KRACK defenses now proven secure [CKM20]
Advancements in Wi-Fi security Uses a new handshake to prevent dictionary attacks › Vulnerable to Dragonblood: side-channel leaks [VR20] › WPA3 certification updated to require defenses [WFA20] Once connected, the encryption of WPA2 & WPA3 is similar › The attacks in this presentation work against both 3 2018 Wi-Fi Protected Access 3 (WPA3)
Advancements in Wi-Fi security › Operating channel validation [VBDOP18] › Beacon protection [VAP20] Would make presented attacks harder but still possible › Still undergoing adoption  currently no practical impact 4 Late 2020 Two extra defenses standardized
Advancements in Wi-Fi security 5 Despite these major advacements, found new flaws in all networks
Design flaws Implementation Flaws
Design flaws Implementation Flaws
Implementation Flaws Aggregation Mixed key Fragment cache
Background Sending small frames causes high overhead: 9 header packet1 ACK ACK ... This can be avoided by aggregating frames: header’ packet1 packet2 ... ACK header packet2
Background Sending small frames causes high overhead: 10 header packet1 ACK ACK ... This can be avoided by aggregating frames: header’ packet1 packet2 ... ACK Problem: how to recognize aggregated frames? header packet2
False packet Aggregation design flaw 11 header aggregated? encrypted True metadata len packet1 metadata len packet2
False packet Aggregation design flaw 12 header aggregated? encrypted True metadata len packet1 metadata len packet2 Not authenticated
False packet Aggregation design flaw 13 header aggregated? encrypted True metadata len packet1 metadata len packet2 Not authenticated Flip flag  decrypted payload is parsed in wrong manner
Exploit steps 14 Get image from attacker’s server
Exploit steps 15 Get image from attacker’s server Example: • Send e-mail with embedded image • Send WhatsApp message to cause link/image preview
Exploit steps 16 Get image from attacker’s server Send special IPv4 packet
Exploit steps 17 Get image from attacker’s server Encrypt as normal frame Send special IPv4 packet
Exploit steps 18 Get image from attacker’s server Set aggregated flag Encrypt as normal frame Send special IPv4 packet Can’t modify encrypted content
Exploit steps 19 Get image from attacker’s server Set aggregated flag Encrypt as normal frame Inject any packet  Inject ICMPv6 RA with malicious DNS server Send special IPv4 packet Set aggregated flag
Exploit steps 20 Get image from attacker’s server Set aggregated flag Encrypt as normal frame Inject any packet  Inject ICMPv6 RA with malicious DNS server Send special IPv4 packet Set aggregated flag  Easier than BEAST, TIME, & HEIST attack against TLS!
Easier version 21 Set aggregated flag Inject special handshake frame Encrypt as normal frame Inject any packet  Inject ICMPv6 RA with malicious DNS server Bug in AP  do attack w/o user interaction (affected 2 4 of home APs)
DEMO!  22
Impact All major operating systems affected Only NetBSD & some IoT devices unaffected 23
Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 24
Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 25
Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 26 Adversary turns normal frame into aggregated one
Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 27 True metadata len ignore meta. len packet Adversary turns normal frame into aggregated one › At Wi-Fi layer 1st sub-packet is ignored › Control IP ID & part of TCP data  inject arbitrary packets
Implementation Flaws Aggregation Mixed key Fragment cache
Background 29 header fragment1 ACK heade Avoid by fragmenting & only retransmitting lost fragments: Problem: how to (securely) reassemble the fragments? header fragment2 ACK Large frames have a high chance of being corrupted: header packet ACK
header fragment1 header fragment2 header fragment3 Reassembling plaintext fragments 30
header 𝑠 fragment1 header 𝑠 fragment2 header 𝑠 fragment3 Reassembling plaintext fragments 31 › Fragments have the same sequence number 𝒔
header 𝑠 0 fragment1 header 𝑠 1 fragment2 header 𝑠 2 fragment3 Reassembling plaintext fragments › Fragments have the same sequence number 𝒔 › All fragments also have a fragment number ... 32
header 𝑠 0 More fragment1 header 𝑠 1 More fragment2 header 𝑠 2 Last fragment3 Reassembling plaintext fragments › Fragments have the same sequence number 𝒔 › All fragments also have a fragment number ... ... and a flag to identify the last fragment 33
header 𝑠 𝑛 0 More fragment1 header 𝑠 𝑛 + 1 1 More fragment2 header 𝑠 𝑛 + 2 2 Last fragment3 Reassembling encrypted fragments 34 › Encrypted frames have a packet number to detect replays
header 𝑠 𝑛 0 More fragment1 header 𝑠 𝑛 + 1 1 More fragment2 header 𝑠 𝑛 + 2 2 Last fragment3 Reassembling encrypted fragments › Encrypted frames have a packet number to detect replays › If packet & fragment numbers are not consecutive, drop it 35 Authenticated Authenticated
Problem: key renewal › Session key can be periodically renewed ... › ... or updated when roaming between APs 36 › During rekey packet numbers restart from zero › Problem: receiver is allowed to reassemble fragments encrypted under different keys (i.e. mixed keys)
Mixed key design flaw 37 Refresh session key from 𝒌 to 𝐦 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔0) 𝐸𝑛𝑐𝒌 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔1)
Mixed key design flaw 38 Refresh session key from 𝒌 to 𝐦 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔0) 𝐸𝑛𝑐𝒌 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔1) Resets packet numbers
Mixed key design flaw 39 Refresh session key from 𝒌 to 𝐦  Can mix fragments of different frames 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔0) 𝐸𝑛𝑐𝒌 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔1) 𝐸𝑛𝑐𝒎(𝐹𝑟𝑎𝑔1) 𝐸𝑛𝑐𝒎 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒎(𝐹𝑟𝑎𝑔1) Reassemble fragment
Summary of impact Abuse to exfiltrate data assuming: 1. Someone sends fragmented frames (rare unless Wi-Fi 6) 2. Victim will connect to server of attacker 3. Network periodically refreshes the session key 40
Summary of impact Abuse to exfiltrate data assuming: 1. Someone sends fragmented frames (rare unless Wi-Fi 6) 2. Victim will connect to server of attacker 3. Network periodically refreshes the session key Combine with implementation flaw to avoid this condition 41
How to exfiltrate data? 42 𝐹𝑟𝑎𝑔0 𝐹𝑟𝑎𝑔1 Frame 1 192.168.1.2 to 3.5.1.1 GET /image.png HTTP/1.1 Frame 2 192.168.1.2 to 8.8.8.8 POST /login.php HTTP/1.1 user=admin&pass=SeCr3t
How to exfiltrate data? 43 𝐹𝑟𝑎𝑔0 𝐹𝑟𝑎𝑔1 Frame 1 192.168.1.2 to 3.5.1.1 GET /image.png HTTP/1.1 Frame 2 192.168.1.2 to 8.8.8.8 POST /login.php HTTP/1.1 user=admin&pass=SeCr3t 192.168.1.2 to 3.5.1.1 POST /login.php HTTP/1.1 user=admin&pass=SeCr3t Adversary mixes different fragments  Login info is sent to attacker’s server
Implementation Flaws Aggregation Mixed key Fragment cache
Fragment cache design flaw Fragments aren’t removed after disconnecting: 45
Fragment cache design flaw Fragments aren’t removed after disconnecting: 46 𝐸𝑛𝑐𝑘(𝐹𝑟𝑎𝑔0) Store fragment
Fragment cache design flaw Fragments aren’t removed after disconnecting: 47 𝐸𝑛𝑐𝑘(𝐹𝑟𝑎𝑔0) Client connects Store fragment Disconnect 𝐹𝑟𝑎𝑔0 stays in memory of AP
Summary of impact Abuse to exfiltrate or inject packets assuming: 1. Hotspot-like network where users distrust each other 2. Client sends fragmented frames (rare unless Wi-Fi 6) 48
Summary of impact Abuse to exfiltrate or inject packets assuming: 1. Hotspot-like network where users distrust each other 2. Client sends fragmented frames (rare unless Wi-Fi 6) Even the ancient WEP protocol is affected! › WEP is also affected by the mixed key design flaw  Design flaws have been part of Wi-Fi since 1997 49
Defenses 50
Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 51
Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 52 False rfc1042 packet Aggregated?
Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 53 False rfc1042 packet True metadata packet1 metadata packet2 Aggregated?
Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 54 False rfc1042 packet True metadata packet1 metadata packet2 Aggregated?
Preventing fragmentation-based attacks Mixed key attack: › Only reassemble fragments decrypted under the same key Fragment cache attack: › Clear unused fragments when the corresponding key is removed 55
Design flaws Implementation Flaws
Design flaws Cloacked A-MSDUs Broadcast fragments Plaintext frames EAPOL forwarding Out of order fragments Mixed fragments Out of order frag
Trivial frame injection Plaintext frames wrongly accepted: › Depending if fragmented, broadcasted, or while connecting 58
Trivial frame injection Plaintext frames wrongly accepted: › Depending if fragmented, broadcasted, or while connecting › Examples: Apple and some Android devices, some Windows dongles, home and professional APs, and many others! 59  Can trivially inject frames
DEMO!  60
Design flaws Cloacked A-MSDUs Broadcast fragments Plaintext frames EAPOL forwarding No fragmentation support Mixed fragments Out of order frag
True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 62 Set “is aggregated” flag and send as plaintext: Normally: first deaggregate & then check if handshake frame
True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 63 Some switch the order! Set “is aggregated” flag and send as plaintext: ... 2nd subpacket 1st subpacket is ignored because it has invalid metadata Plaintext data packet is rejected Normally: first deaggregate & then check if handshake frame
True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 64 Set “is aggregated” flag and send as plaintext: Vulnerable order: check if handshake & then deaggregate Handshake header  accept full frame
True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 65 Set “is aggregated” flag and send as plaintext: ... 2nd subpacket 1st subpacket is ignored because it has invalid metadata Plaintext data is also accepted! Vulnerable order: check if handshake & then deaggregate Handshake header  accept full frame
Cloacked aggregated (A-MSDU)frames Affects FreeBSD, some Windows dongles, several Androids, 3 out of 4 home routers, 1 out of 3 professional APs, etc. 66 DEMO! 
Design flaws Cloacked A-MSDUs Broadcast fragments Plaintext frames EAPOL forwarding No fragmentation support Mixed fragments Out of order frag
Flaw: mixed plaintext/encrypted fragments Only require that the first fragment is encrypted › Affects nearly all network cards on Windows & Linux › Simplifies aggregation & cache attack Only require the last fragment to be encrypted › Affects nearly all network cards on Free/NetBSD › Trivial to inject & exfiltrate data 68
Design flaws Cloacked A-MSDUs Broadcast fragments Plaintext frames EAPOL forwarding No fragmentation support Mixed fragments Out of order frag
header 𝑠 𝒏 0 More fragment1 header 𝑠 𝒏 + 𝟏 1 More fragment2 header 𝑠 𝒏 + 𝟐 2 Last fragment3 Flaw: non-consective packet numbers › Nobody but Linux checks if packet numbers are consecutive › Can do mixed key attack without periodic rekeys 70
Design flaws Cloacked A-MSDUs Broadcast fragments Plaintext frames EAPOL forwarding No fragmentation support Mixed fragments Out of order frag
No fragmentation support Some devices don’t support fragmentation › But they treat fragmented frames as full frames › Examples: OpenBSD and Espressif chips Abuse to inject frames under right conditions All devices are vulnerable to one or more flaws! 72
Created tool to test devices Has 45+ test cases for both clients and APs 73 https://github.com/vanhoefm/fragattacks › Can detect all vulnerabilities › Needs network password (not an attack tool) › Can also be used as basis for other Wi-Fi research [SVR21]
Discussion Design flaws took two decades to discover › Without modified drivers some attacks will fail 74
Discussion Design flaws took two decades to discover › Without modified drivers some attacks will fail › Fragmentation & aggregation wasn’t considered important 75
Discussion Design flaws took two decades to discover › Without modified drivers some attacks will fail › Fragmentation & aggregation wasn’t considered important Long-term lessons: › Adopt defences early even if concerns are theoretic › Isolate security contexts (data decrypted with different keys) › Keep fuzzing devices. Wi-Fi Alliance can help here! 76
Coordinated disclosure Wi-Fi Alliance & ICASI contacted vendors › Embargo of roughly 9 months › Test tool (= PoC) received several updates during embargo! Currently doing following-up work › Updating the IEEE 802.11 standard to fix design flaws › Maintaining test tool and checking some vendor patches 77
Looking back Was it the long disclosure worth it? › Some companies had patches for most devices but still weren’t happy... ¯_(ツ)_/¯ › Others appreciated this even if not all devices had patches! › Props to: Cisco, LANCOM, Aruba, Huawei, Ubiquity, MediaTek, Samsung, NETGEAR, as well as others 78
Conclusion › Discovered three design flaws › Multiple implementation flaws › Implementation flaws easy to abuse, but design flaws hard to abuse › More info: www.fragattacks.com 79
References › Presentation is based on: Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation. https://papers.mathyvanhoef.com/usenix2021.pdf › [VP17] Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 › [VP18] Release the Kraken: New KRACKs in the 802.11 Standard › [CKM20] A Formal Analysis of IEEE 802.11's WPA2: Countering the Kracks Caused by Cracking the Counters › [VR20] Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd › [WFA20] Wi-Fi Alliance Wi-Fi Security Roadmap and WPA3 Updates. https://wi-fi.org/file/wi- fi-security-roadmap-and-wpa3-updates-december-2020 › [VBDOP18] Operating Channel Validation: Preventing Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks › [VAP20] Protecting Wi-Fi Beacons from Outsider Forgeries › [SVR21] DEMO: A Framework to Test and Fuzz Wi-Fi Devices. https://papers.mathyvanhoef.com/wisec2021-demo.pdf 80

Recommended

Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Mandeep Jadon
 
Hacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonHacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonOWASP Delhi
 
Wifi Security
Wifi SecurityWifi Security
Wifi SecurityShital Kat
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminarNilesh Sapariya
 

Recommended

Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Mandeep Jadon
 
Hacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonHacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonOWASP Delhi
 
Wifi Security
Wifi SecurityWifi Security
Wifi SecurityShital Kat
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminarNilesh Sapariya
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking Mehul Jariwala
 
Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security Hariraj Rathod
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows Vrushank Narola
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
Network security
Network securityNetwork security
Network securityGreater Noida Institute Of Technology
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSreekanth GS
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11bguestd7b627
 
Intro to firewalls
Intro to firewallsIntro to firewalls
Intro to firewallsJoshua Johnston
 
Chapter 7 - Wireless Network Security.pptx
Chapter 7 - Wireless Network Security.pptxChapter 7 - Wireless Network Security.pptx
Chapter 7 - Wireless Network Security.pptxAmanuelZewdie4
 
Hacking cable modems the later years
Hacking cable modems the later yearsHacking cable modems the later years
Hacking cable modems the later yearsNullbyte Security Conference
 
Resilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential ModeResilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential ModeAleph Tav Technologies Private Limited
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Priyanka Aash
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)Bhargu Bhargavi
 
4 wifi security
4 wifi security4 wifi security
4 wifi securityal-sari7
 
lecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdflecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdfYuChianWu
 
lecture02_LinearRegression.pdf
lecture02_LinearRegression.pdflecture02_LinearRegression.pdf
lecture02_LinearRegression.pdfYuChianWu
 

More Related Content

Similar to Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf

Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security Hariraj Rathod
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows Vrushank Narola
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSreekanth GS
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11bguestd7b627
 
Chapter 7 - Wireless Network Security.pptx
Chapter 7 - Wireless Network Security.pptxChapter 7 - Wireless Network Security.pptx
Chapter 7 - Wireless Network Security.pptxAmanuelZewdie4
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Priyanka Aash
 
4 wifi security
4 wifi security4 wifi security
4 wifi securityal-sari7
 

Similar to Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf (20)

Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
 
Network security
Network securityNetwork security
Network security
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
Intro to firewalls
Intro to firewallsIntro to firewalls
Intro to firewalls
 
Chapter 7 - Wireless Network Security.pptx
Chapter 7 - Wireless Network Security.pptxChapter 7 - Wireless Network Security.pptx
Chapter 7 - Wireless Network Security.pptx
 
Hacking cable modems the later years
Hacking cable modems the later yearsHacking cable modems the later years
Hacking cable modems the later years
 
Resilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential ModeResilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential Mode
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
 

More from YuChianWu

lecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdflecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdfYuChianWu
 
lecture02_LinearRegression.pdf
lecture02_LinearRegression.pdflecture02_LinearRegression.pdf
lecture02_LinearRegression.pdfYuChianWu
 
week13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdfweek13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdfYuChianWu
 
week14_segmentation.pdf
week14_segmentation.pdfweek14_segmentation.pdf
week14_segmentation.pdfYuChianWu
 
week10_Reinforce.pdf
week10_Reinforce.pdfweek10_Reinforce.pdf
week10_Reinforce.pdfYuChianWu
 
week12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdfweek12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdfYuChianWu
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...YuChianWu
 
Lets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdfLets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdfYuChianWu
 
A-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdfA-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdfYuChianWu
 
IPvSeeYou.pdf
IPvSeeYou.pdfIPvSeeYou.pdf
IPvSeeYou.pdfYuChianWu
 
kolmogorov_foundations.pdf
kolmogorov_foundations.pdfkolmogorov_foundations.pdf
kolmogorov_foundations.pdfYuChianWu
 
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdfIntroductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdfYuChianWu
 

More from YuChianWu (12)

lecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdflecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdf
 
lecture02_LinearRegression.pdf
lecture02_LinearRegression.pdflecture02_LinearRegression.pdf
lecture02_LinearRegression.pdf
 
week13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdfweek13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdf
 
week14_segmentation.pdf
week14_segmentation.pdfweek14_segmentation.pdf
week14_segmentation.pdf
 
week10_Reinforce.pdf
week10_Reinforce.pdfweek10_Reinforce.pdf
week10_Reinforce.pdf
 
week12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdfweek12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdf
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
 
Lets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdfLets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdf
 
A-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdfA-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdf
 
IPvSeeYou.pdf
IPvSeeYou.pdfIPvSeeYou.pdf
IPvSeeYou.pdf
 
kolmogorov_foundations.pdf
kolmogorov_foundations.pdfkolmogorov_foundations.pdf
kolmogorov_foundations.pdf
 
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdfIntroductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
 

Recently uploaded

Online blood donation management system project.pdf
Online blood donation management system project.pdfOnline blood donation management system project.pdf
Online blood donation management system project.pdfKamal Acharya
 
retail automation billing system ppt.pptx
retail automation billing system ppt.pptxretail automation billing system ppt.pptx
retail automation billing system ppt.pptxfaamieahmd
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxR&R Consult
 
Arduino based vehicle speed tracker project
Arduino based vehicle speed tracker projectArduino based vehicle speed tracker project
Arduino based vehicle speed tracker projectRased Khan
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationRobbie Edward Sayers
 
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-IENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-IVigneshvaranMech
 
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and VisualizationKIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and VisualizationDr. Radhey Shyam
 
Explosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdfExplosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdf884710SadaqatAli
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.PrashantGoswami42
 
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptxCloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptxMd. Shahidul Islam Prodhan
 
BRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWING
BRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWINGBRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWING
BRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWINGKOUSTAV SARKAR
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdfKamal Acharya
 
Fruit shop management system project report.pdf
Fruit shop management system project report.pdfFruit shop management system project report.pdf
Fruit shop management system project report.pdfKamal Acharya
 
NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...
NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...
NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...Amil baba
 
Introduction to Casting Processes in Manufacturing
Introduction to Casting Processes in ManufacturingIntroduction to Casting Processes in Manufacturing
Introduction to Casting Processes in Manufacturingssuser0811ec
 
Hall booking system project report .pdf
Hall booking system project report .pdfHall booking system project report .pdf
Hall booking system project report .pdfKamal Acharya
 
A case study of cinema management system project report..pdf
A case study of cinema management system project report..pdfA case study of cinema management system project report..pdf
A case study of cinema management system project report..pdfKamal Acharya
 
Digital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdfDigital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdfAbrahamGadissa
 
İTÜ CAD and Reverse Engineering Workshop
İTÜ CAD and Reverse Engineering WorkshopİTÜ CAD and Reverse Engineering Workshop
İTÜ CAD and Reverse Engineering WorkshopEmre Günaydın
 

Recently uploaded (20)

Online blood donation management system project.pdf
Online blood donation management system project.pdfOnline blood donation management system project.pdf
Online blood donation management system project.pdf
 
retail automation billing system ppt.pptx
retail automation billing system ppt.pptxretail automation billing system ppt.pptx
retail automation billing system ppt.pptx
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
Arduino based vehicle speed tracker project
Arduino based vehicle speed tracker projectArduino based vehicle speed tracker project
Arduino based vehicle speed tracker project
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
 
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-IENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
 
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and VisualizationKIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
 
Explosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdfExplosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdf
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
 
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptxCloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
 
BRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWING
BRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWINGBRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWING
BRAKING SYSTEM IN INDIAN RAILWAY AutoCAD DRAWING
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
Fruit shop management system project report.pdf
Fruit shop management system project report.pdfFruit shop management system project report.pdf
Fruit shop management system project report.pdf
 
NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...
NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...
NO1 Pandit Amil Baba In Bahawalpur, Sargodha, Sialkot, Sheikhupura, Rahim Yar...
 
Introduction to Casting Processes in Manufacturing
Introduction to Casting Processes in ManufacturingIntroduction to Casting Processes in Manufacturing
Introduction to Casting Processes in Manufacturing
 
Hall booking system project report .pdf
Hall booking system project report .pdfHall booking system project report .pdf
Hall booking system project report .pdf
 
A case study of cinema management system project report..pdf
A case study of cinema management system project report..pdfA case study of cinema management system project report..pdf
A case study of cinema management system project report..pdf
 
Digital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdfDigital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdf
 
İTÜ CAD and Reverse Engineering Workshop
İTÜ CAD and Reverse Engineering WorkshopİTÜ CAD and Reverse Engineering Workshop
İTÜ CAD and Reverse Engineering Workshop
 

Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf

  • 1. FragAttacks Breaking Wi-Fi Through Frame Aggregation and Fragmentation Mathy Vanhoef 4-5 August, Black Hat USA (Virtual)
  • 2. Advancements in Wi-Fi security 2 1999 Wired Equivalent Privacy (WEP) › Horribly broken [FMS01] Early 2000 Wi-Fi Protected Access (WPA and WPA2) › Offline dictionary attacks › KRACK and Kraken attack [VP17,VP18] › KRACK defenses now proven secure [CKM20]
  • 3. Advancements in Wi-Fi security Uses a new handshake to prevent dictionary attacks › Vulnerable to Dragonblood: side-channel leaks [VR20] › WPA3 certification updated to require defenses [WFA20] Once connected, the encryption of WPA2 & WPA3 is similar › The attacks in this presentation work against both 3 2018 Wi-Fi Protected Access 3 (WPA3)
  • 4. Advancements in Wi-Fi security › Operating channel validation [VBDOP18] › Beacon protection [VAP20] Would make presented attacks harder but still possible › Still undergoing adoption  currently no practical impact 4 Late 2020 Two extra defenses standardized
  • 5. Advancements in Wi-Fi security 5 Despite these major advacements, found new flaws in all networks
  • 9. Background Sending small frames causes high overhead: 9 header packet1 ACK ACK ... This can be avoided by aggregating frames: header’ packet1 packet2 ... ACK header packet2
  • 10. Background Sending small frames causes high overhead: 10 header packet1 ACK ACK ... This can be avoided by aggregating frames: header’ packet1 packet2 ... ACK Problem: how to recognize aggregated frames? header packet2
  • 11. False packet Aggregation design flaw 11 header aggregated? encrypted True metadata len packet1 metadata len packet2
  • 12. False packet Aggregation design flaw 12 header aggregated? encrypted True metadata len packet1 metadata len packet2 Not authenticated
  • 13. False packet Aggregation design flaw 13 header aggregated? encrypted True metadata len packet1 metadata len packet2 Not authenticated Flip flag  decrypted payload is parsed in wrong manner
  • 14. Exploit steps 14 Get image from attacker’s server
  • 15. Exploit steps 15 Get image from attacker’s server Example: • Send e-mail with embedded image • Send WhatsApp message to cause link/image preview
  • 16. Exploit steps 16 Get image from attacker’s server Send special IPv4 packet
  • 17. Exploit steps 17 Get image from attacker’s server Encrypt as normal frame Send special IPv4 packet
  • 18. Exploit steps 18 Get image from attacker’s server Set aggregated flag Encrypt as normal frame Send special IPv4 packet Can’t modify encrypted content
  • 19. Exploit steps 19 Get image from attacker’s server Set aggregated flag Encrypt as normal frame Inject any packet  Inject ICMPv6 RA with malicious DNS server Send special IPv4 packet Set aggregated flag
  • 20. Exploit steps 20 Get image from attacker’s server Set aggregated flag Encrypt as normal frame Inject any packet  Inject ICMPv6 RA with malicious DNS server Send special IPv4 packet Set aggregated flag  Easier than BEAST, TIME, & HEIST attack against TLS!
  • 21. Easier version 21 Set aggregated flag Inject special handshake frame Encrypt as normal frame Inject any packet  Inject ICMPv6 RA with malicious DNS server Bug in AP  do attack w/o user interaction (affected 2 4 of home APs)
  • 23. Impact All major operating systems affected Only NetBSD & some IoT devices unaffected 23
  • 24. Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 24
  • 25. Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 25
  • 26. Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 26 Adversary turns normal frame into aggregated one
  • 27. Aggr? rfc1042 hdr len ID TCP data False ... 45 00 01 0C 00 22 ... ... Frame to inject How to construct the special IPv4/TCP packet? 27 True metadata len ignore meta. len packet Adversary turns normal frame into aggregated one › At Wi-Fi layer 1st sub-packet is ignored › Control IP ID & part of TCP data  inject arbitrary packets
  • 29. Background 29 header fragment1 ACK heade Avoid by fragmenting & only retransmitting lost fragments: Problem: how to (securely) reassemble the fragments? header fragment2 ACK Large frames have a high chance of being corrupted: header packet ACK
  • 30. header fragment1 header fragment2 header fragment3 Reassembling plaintext fragments 30
  • 31. header 𝑠 fragment1 header 𝑠 fragment2 header 𝑠 fragment3 Reassembling plaintext fragments 31 › Fragments have the same sequence number 𝒔
  • 32. header 𝑠 0 fragment1 header 𝑠 1 fragment2 header 𝑠 2 fragment3 Reassembling plaintext fragments › Fragments have the same sequence number 𝒔 › All fragments also have a fragment number ... 32
  • 33. header 𝑠 0 More fragment1 header 𝑠 1 More fragment2 header 𝑠 2 Last fragment3 Reassembling plaintext fragments › Fragments have the same sequence number 𝒔 › All fragments also have a fragment number ... ... and a flag to identify the last fragment 33
  • 34. header 𝑠 𝑛 0 More fragment1 header 𝑠 𝑛 + 1 1 More fragment2 header 𝑠 𝑛 + 2 2 Last fragment3 Reassembling encrypted fragments 34 › Encrypted frames have a packet number to detect replays
  • 35. header 𝑠 𝑛 0 More fragment1 header 𝑠 𝑛 + 1 1 More fragment2 header 𝑠 𝑛 + 2 2 Last fragment3 Reassembling encrypted fragments › Encrypted frames have a packet number to detect replays › If packet & fragment numbers are not consecutive, drop it 35 Authenticated Authenticated
  • 36. Problem: key renewal › Session key can be periodically renewed ... › ... or updated when roaming between APs 36 › During rekey packet numbers restart from zero › Problem: receiver is allowed to reassemble fragments encrypted under different keys (i.e. mixed keys)
  • 37. Mixed key design flaw 37 Refresh session key from 𝒌 to 𝐦 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔0) 𝐸𝑛𝑐𝒌 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔1)
  • 38. Mixed key design flaw 38 Refresh session key from 𝒌 to 𝐦 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔0) 𝐸𝑛𝑐𝒌 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔1) Resets packet numbers
  • 39. Mixed key design flaw 39 Refresh session key from 𝒌 to 𝐦  Can mix fragments of different frames 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔0) 𝐸𝑛𝑐𝒌 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒌(𝐹𝑟𝑎𝑔1) 𝐸𝑛𝑐𝒎(𝐹𝑟𝑎𝑔1) 𝐸𝑛𝑐𝒎 𝐹𝑟𝑎𝑔0 , 𝐸𝑛𝑐𝒎(𝐹𝑟𝑎𝑔1) Reassemble fragment
  • 40. Summary of impact Abuse to exfiltrate data assuming: 1. Someone sends fragmented frames (rare unless Wi-Fi 6) 2. Victim will connect to server of attacker 3. Network periodically refreshes the session key 40
  • 41. Summary of impact Abuse to exfiltrate data assuming: 1. Someone sends fragmented frames (rare unless Wi-Fi 6) 2. Victim will connect to server of attacker 3. Network periodically refreshes the session key Combine with implementation flaw to avoid this condition 41
  • 42. How to exfiltrate data? 42 𝐹𝑟𝑎𝑔0 𝐹𝑟𝑎𝑔1 Frame 1 192.168.1.2 to 3.5.1.1 GET /image.png HTTP/1.1 Frame 2 192.168.1.2 to 8.8.8.8 POST /login.php HTTP/1.1 user=admin&pass=SeCr3t
  • 43. How to exfiltrate data? 43 𝐹𝑟𝑎𝑔0 𝐹𝑟𝑎𝑔1 Frame 1 192.168.1.2 to 3.5.1.1 GET /image.png HTTP/1.1 Frame 2 192.168.1.2 to 8.8.8.8 POST /login.php HTTP/1.1 user=admin&pass=SeCr3t 192.168.1.2 to 3.5.1.1 POST /login.php HTTP/1.1 user=admin&pass=SeCr3t Adversary mixes different fragments  Login info is sent to attacker’s server
  • 45. Fragment cache design flaw Fragments aren’t removed after disconnecting: 45
  • 46. Fragment cache design flaw Fragments aren’t removed after disconnecting: 46 𝐸𝑛𝑐𝑘(𝐹𝑟𝑎𝑔0) Store fragment
  • 47. Fragment cache design flaw Fragments aren’t removed after disconnecting: 47 𝐸𝑛𝑐𝑘(𝐹𝑟𝑎𝑔0) Client connects Store fragment Disconnect 𝐹𝑟𝑎𝑔0 stays in memory of AP
  • 48. Summary of impact Abuse to exfiltrate or inject packets assuming: 1. Hotspot-like network where users distrust each other 2. Client sends fragmented frames (rare unless Wi-Fi 6) 48
  • 49. Summary of impact Abuse to exfiltrate or inject packets assuming: 1. Hotspot-like network where users distrust each other 2. Client sends fragmented frames (rare unless Wi-Fi 6) Even the ancient WEP protocol is affected! › WEP is also affected by the mixed key design flaw  Design flaws have been part of Wi-Fi since 1997 49
  • 51. Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 51
  • 52. Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 52 False rfc1042 packet Aggregated?
  • 53. Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 53 False rfc1042 packet True metadata packet1 metadata packet2 Aggregated?
  • 54. Preventing aggregation-based attacks Aggregation design flaw › Protect the “is aggregated” flag. Not backwards-compatible. › Current fix: prevent known attacks by dropping aggregated frames whose first 6 bytes equal an rfc1042 header 54 False rfc1042 packet True metadata packet1 metadata packet2 Aggregated?
  • 55. Preventing fragmentation-based attacks Mixed key attack: › Only reassemble fragments decrypted under the same key Fragment cache attack: › Clear unused fragments when the corresponding key is removed 55
  • 58. Trivial frame injection Plaintext frames wrongly accepted: › Depending if fragmented, broadcasted, or while connecting 58
  • 59. Trivial frame injection Plaintext frames wrongly accepted: › Depending if fragmented, broadcasted, or while connecting › Examples: Apple and some Android devices, some Windows dongles, home and professional APs, and many others! 59  Can trivially inject frames
  • 62. True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 62 Set “is aggregated” flag and send as plaintext: Normally: first deaggregate & then check if handshake frame
  • 63. True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 63 Some switch the order! Set “is aggregated” flag and send as plaintext: ... 2nd subpacket 1st subpacket is ignored because it has invalid metadata Plaintext data packet is rejected Normally: first deaggregate & then check if handshake frame
  • 64. True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 64 Set “is aggregated” flag and send as plaintext: Vulnerable order: check if handshake & then deaggregate Handshake header  accept full frame
  • 65. True AA AA 03 00 00 00 00 00 88 8E ... 2nd subpacket Cloacked aggregated (A-MSDU)frames 65 Set “is aggregated” flag and send as plaintext: ... 2nd subpacket 1st subpacket is ignored because it has invalid metadata Plaintext data is also accepted! Vulnerable order: check if handshake & then deaggregate Handshake header  accept full frame
  • 66. Cloacked aggregated (A-MSDU)frames Affects FreeBSD, some Windows dongles, several Androids, 3 out of 4 home routers, 1 out of 3 professional APs, etc. 66 DEMO! 
  • 68. Flaw: mixed plaintext/encrypted fragments Only require that the first fragment is encrypted › Affects nearly all network cards on Windows & Linux › Simplifies aggregation & cache attack Only require the last fragment to be encrypted › Affects nearly all network cards on Free/NetBSD › Trivial to inject & exfiltrate data 68
  • 70. header 𝑠 𝒏 0 More fragment1 header 𝑠 𝒏 + 𝟏 1 More fragment2 header 𝑠 𝒏 + 𝟐 2 Last fragment3 Flaw: non-consective packet numbers › Nobody but Linux checks if packet numbers are consecutive › Can do mixed key attack without periodic rekeys 70
  • 72. No fragmentation support Some devices don’t support fragmentation › But they treat fragmented frames as full frames › Examples: OpenBSD and Espressif chips Abuse to inject frames under right conditions All devices are vulnerable to one or more flaws! 72
  • 73. Created tool to test devices Has 45+ test cases for both clients and APs 73 https://github.com/vanhoefm/fragattacks › Can detect all vulnerabilities › Needs network password (not an attack tool) › Can also be used as basis for other Wi-Fi research [SVR21]
  • 74. Discussion Design flaws took two decades to discover › Without modified drivers some attacks will fail 74
  • 75. Discussion Design flaws took two decades to discover › Without modified drivers some attacks will fail › Fragmentation & aggregation wasn’t considered important 75
  • 76. Discussion Design flaws took two decades to discover › Without modified drivers some attacks will fail › Fragmentation & aggregation wasn’t considered important Long-term lessons: › Adopt defences early even if concerns are theoretic › Isolate security contexts (data decrypted with different keys) › Keep fuzzing devices. Wi-Fi Alliance can help here! 76
  • 77. Coordinated disclosure Wi-Fi Alliance & ICASI contacted vendors › Embargo of roughly 9 months › Test tool (= PoC) received several updates during embargo! Currently doing following-up work › Updating the IEEE 802.11 standard to fix design flaws › Maintaining test tool and checking some vendor patches 77
  • 78. Looking back Was it the long disclosure worth it? › Some companies had patches for most devices but still weren’t happy... ¯_(ツ)_/¯ › Others appreciated this even if not all devices had patches! › Props to: Cisco, LANCOM, Aruba, Huawei, Ubiquity, MediaTek, Samsung, NETGEAR, as well as others 78
  • 79. Conclusion › Discovered three design flaws › Multiple implementation flaws › Implementation flaws easy to abuse, but design flaws hard to abuse › More info: www.fragattacks.com 79
  • 80. References › Presentation is based on: Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation. https://papers.mathyvanhoef.com/usenix2021.pdf › [VP17] Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 › [VP18] Release the Kraken: New KRACKs in the 802.11 Standard › [CKM20] A Formal Analysis of IEEE 802.11's WPA2: Countering the Kracks Caused by Cracking the Counters › [VR20] Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd › [WFA20] Wi-Fi Alliance Wi-Fi Security Roadmap and WPA3 Updates. https://wi-fi.org/file/wi- fi-security-roadmap-and-wpa3-updates-december-2020 › [VBDOP18] Operating Channel Validation: Preventing Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks › [VAP20] Protecting Wi-Fi Beacons from Outsider Forgeries › [SVR21] DEMO: A Framework to Test and Fuzz Wi-Fi Devices. https://papers.mathyvanhoef.com/wisec2021-demo.pdf 80