Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Advanced WiFi Attacks Using Commodity Hardware 
Mathy Vanhoef and Frank Piessens (KU Leuven) 
ACSAC 2014
WiFi assumes each station acts fairly 
With special hardware this isn’t the case 
Continuous jamming (channel unusable)...
WiFi assumes each station acts fairly 
With special hardware this isn’t the case 
Continuous jamming (channel unusable)...
Our Contributions 
4 
A small 15$ USB allows: 
Study of selfish behavior 
Continuous & selective jamming 
Reliable mani...
Selfish Behavior 
Implement & study 
selfish behavior
Selfish Behavior 
Steps taken to transmit a frame: 
1.SIFS: let hardware process the frame 
2.AIFSN: depends on priority o...
Selfish Behavior 
Steps taken to transmit a frame: 
Manipulate by modifying Atheros firmware: 
Disable backoff 
Reducing...
Selfish Behavior 
Steps taken to transmit a frame: 
Manipulate by modifying Atheros firmware: 
Disable backoff 
Reducing...
Countermeasure 
9 
DOMINO defense system [MobiSys ‘04] 
detects this selfish behavior. 
More on this later!
Selfish Behavior 
What if there are multiple selfish stations? 
In a collision, both frames are lost. 
Capture effect: i...
Continuous Jammer 
11 
Want to build a continuous jammer 
1.Instant transmit: disable carrier sense 
2.No interruptions: q...
Continuous Jammer 
12 
Frame 1 
PHY core 
… 
Frame 2 
Want to build a continuous jammer 
1.Instant transmit: disable carri...
Continuous Jammer 
13 
Experiments 
No packets visible in monitor mode! 
Other devices are silenced. 
Default antenna gi...
Selective Jammer 
14 
Decides, based on the header, whether to jam the frame.
How does it work? 
Physical packet 
Detect 
Init 
Jam 
1.Detect and decode header 
2.Abort receiving current frame 
3.Inje...
Detecting frame headers? 
RAM 
DMA 
Internal CPU 
while(recvbuff[0] == 0): pass 
PHY core 
Decodes physical WiFi signals 
...
Selective Jammer: Reliability 
17 
Jammed beacons with many devices/positions 
How fast can it react? 
Position of first ...
Selective Jammer: Reliability 
18 
Jammed beacons with many devices/positions 
Conclusion 
100% reliable selective jammer...
Countermeasures 
19 
DOMINO defense system [MobiSys ‘04]: 
Assumes MAC header is still valid. 
Attacker has low #(corrup...
Impact on higher-layers 
20 
What about higher- layer protocols?
Impact on higher-layers 
21 
What if we could reliably manipulate encrypted traffic?
Impact on higher-layers 
22 
What if we could reliably manipulate encrypted traffic? 
We could attack TKIP! 
not decrypt!
Reliably Intercepting Traffic! 
23 
Channel-based MiTM attack 
Works against encrypted networks 
Can reliably manipulate...
Reliably Intercepting Traffic? 
24 
Create rogue AP with MAC address … 
≠ AP  handshake fails 
= AP  devices communica...
Example: attacking TKIP 
25 
1999 
2002 
2004 
WEP 
Not used 
TKIP Not used? 
AES-CCMP Mainly used 
It would allow us to ...
Example: attacking TKIP 
26 
1999 
2002 
2004 
WEP Not used 
TKIP Not used? 
AES-CCMP Mainly used 
Used!! 
It would allow...
Why research TKIP? 
27 
Network can allow both TKIP and CCMP: 
New devices uses CCMP 
Old devices uses TKIP 
Broadcast t...
Why research TKIP? 
28 
If a network supports TKIP, all broadcast traffic is encrypted using TKIP.
TKIP Usage (2014) 
Found ~6000 networks 
7% support only TKIP 
67% support TKIP 
29 
TKIP is still widely used!
Quick Background 
1.Add Message Integrity Check (MIC) 
2.Encrypt using RC4 
MIC 
Data 
Encrypted 
How are packets sent/rec...
MIC Countermeasures 
31 
MIC 
Data 
If decrypted, reveals MIC key. 
If ( two MIC failures within a minute) 
halt all traff...
TKIP Group Cipher 
32 
For broadcast, all clients send a MIC failure. 
Use channel-based MiTM and drop them 
Avoids MIC ...
Questions?
Upcoming SlideShare
Loading in …5
×

Advanced WiFi Attacks Using Commodity Hardware

2,055 views

Published on

Presentation given at ACSAC 2014 on the paper "Advanced WiFi Attacks Using Commodity Hardware". The gist is that we were able to implement several low-layer attacks using cheap hardware, the most surprising being a selective jammer. We then show how these low-layer attacks faciliate attacks against TKIP (though a man-in-the-middle attack).

  • Be the first to comment

  • Be the first to like this

Advanced WiFi Attacks Using Commodity Hardware

  1. 1. Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef and Frank Piessens (KU Leuven) ACSAC 2014
  2. 2. WiFi assumes each station acts fairly With special hardware this isn’t the case Continuous jamming (channel unusable) Selective jamming (block specific packets) Background 2
  3. 3. WiFi assumes each station acts fairly With special hardware this isn’t the case Continuous jamming (channel unusable) Selective jamming (block specific packets) Background 3 >$4000
  4. 4. Our Contributions 4 A small 15$ USB allows: Study of selfish behavior Continuous & selective jamming Reliable manipulation of encrypted traffic
  5. 5. Selfish Behavior Implement & study selfish behavior
  6. 6. Selfish Behavior Steps taken to transmit a frame: 1.SIFS: let hardware process the frame 2.AIFSN: depends on priority of frame 3.Random backoff: avoid collisions 4.Send the packet In use SIFS AIFSN Backoff Packet 2
  7. 7. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS In use SIFS AIFSN Backoff Packet 2
  8. 8. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: Disable backoff Reducing AIFSN Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2
  9. 9. Countermeasure 9 DOMINO defense system [MobiSys ‘04] detects this selfish behavior. More on this later!
  10. 10. Selfish Behavior What if there are multiple selfish stations? In a collision, both frames are lost. Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. Result: Selfish clients will lower their bitrate to beat other selfish stations! Until this gives no more gain.
  11. 11. Continuous Jammer 11 Want to build a continuous jammer 1.Instant transmit: disable carrier sense 2.No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Frame 1 PHY core … Frame 2
  12. 12. Continuous Jammer 12 Frame 1 PHY core … Frame 2 Want to build a continuous jammer 1.Instant transmit: disable carrier sense 2.No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Infinite list!
  13. 13. Continuous Jammer 13 Experiments No packets visible in monitor mode! Other devices are silenced. Default antenna gives range of ~80 meters. Amplifier gives range of ~120 meters
  14. 14. Selective Jammer 14 Decides, based on the header, whether to jam the frame.
  15. 15. How does it work? Physical packet Detect Init Jam 1.Detect and decode header 2.Abort receiving current frame 3.Inject dummy packet Easy Hard
  16. 16. Detecting frame headers? RAM DMA Internal CPU while(recvbuff[0] == 0): pass PHY core Decodes physical WiFi signals  Can read header of frames still in the air.
  17. 17. Selective Jammer: Reliability 17 Jammed beacons with many devices/positions How fast can it react? Position of first mangled byte? 1 Mpbs beacon in 2.4 GHz: position 52 6 Mpbs beacon in 5 GHz: position 88 Context: MAC header is 34 bytes
  18. 18. Selective Jammer: Reliability 18 Jammed beacons with many devices/positions Conclusion 100% reliable selective jammer not possible Medium to large packets can be jammed Surprising this is possible with a limited API!
  19. 19. Countermeasures 19 DOMINO defense system [MobiSys ‘04]: Assumes MAC header is still valid. Attacker has low #(corrupted frames) Thrown of the network Unfortunately it’s flawed Jammed (corrupted) frames are not authenticated, we can forge them. Pretend that a client is jamming others.
  20. 20. Impact on higher-layers 20 What about higher- layer protocols?
  21. 21. Impact on higher-layers 21 What if we could reliably manipulate encrypted traffic?
  22. 22. Impact on higher-layers 22 What if we could reliably manipulate encrypted traffic? We could attack TKIP! not decrypt!
  23. 23. Reliably Intercepting Traffic! 23 Channel-based MiTM attack Works against encrypted networks Can reliably manipulate encrypted traffic.
  24. 24. Reliably Intercepting Traffic? 24 Create rogue AP with MAC address … ≠ AP  handshake fails = AP  devices communicate directly Same MAC address but different channel We forward frames between channels Handshake OK, all traffic via rogue AP Jammers will force clients to our rogue AP
  25. 25. Example: attacking TKIP 25 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used It would allow us to attack TKIP. But why research TKIP? Isn’t it dead?
  26. 26. Example: attacking TKIP 26 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used Used!! It would allow us to attack TKIP. But why research TKIP? Isn’t it dead?
  27. 27. Why research TKIP? 27 Network can allow both TKIP and CCMP: New devices uses CCMP Old devices uses TKIP Broadcast traffic: Old devices must be able to decrypt it … Unicast traffic
  28. 28. Why research TKIP? 28 If a network supports TKIP, all broadcast traffic is encrypted using TKIP.
  29. 29. TKIP Usage (2014) Found ~6000 networks 7% support only TKIP 67% support TKIP 29 TKIP is still widely used!
  30. 30. Quick Background 1.Add Message Integrity Check (MIC) 2.Encrypt using RC4 MIC Data Encrypted How are packets sent/received? 30 MIC key
  31. 31. MIC Countermeasures 31 MIC Data If decrypted, reveals MIC key. If ( two MIC failures within a minute) halt all traffic for 1 minute Oracle to decrypt last byte [WiSec ‘09]
  32. 32. TKIP Group Cipher 32 For broadcast, all clients send a MIC failure. Use channel-based MiTM and drop them Avoids MIC countermeasures Results Can obtain MIC key within 7 minutes. Inject/decrypt some packets [AsiaCCS ‘13] Use only AES-CCMP!
  33. 33. Questions?

×