Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Advanced WiFi Attacks Using Commodity Hardware

2,116 views

Published on

Presentation given at BruCON 2015 on low-level (physical layer) attacks against WiFi network. Includes selfish behavior, constant jammer, reactive and selective jamming. Additionally we show to to reliably manipulate encrypted WPA and WPA2 traffic, allowing us to attack WPA-TKIP.

Published in: Technology
  • Be the first to comment

Advanced WiFi Attacks Using Commodity Hardware

  1. 1. Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef (@vanhoefm), KU Leuven BruCON 2015
  2. 2.  WiFi assumes each station acts fairly  With special hardware this isn’t the case  Continuous jamming (channel unusable)  Selective jamming (block specific packets) Background 2
  3. 3.  WiFi assumes each station acts fairly  With special hardware this isn’t the case  Continuous jamming (channel unusable)  Selective jamming (block specific packets) Background 3 >$4000
  4. 4. Also with cheap hardware! 4 Small 15$ USB sufficient to:  Testing selfish behavior in practice  Continuous & selective jamming  Reliable manipulation of encrypted traffic
  5. 5. Also with cheap hardware! 5 Attacks are cheaper than expected  Should be able to detect them. >$4000 ~$15
  6. 6. Selfish Behavior Selfish behavior in practice? Implement & Test!
  7. 7. Selfish Behavior Steps taken to transmit a frame: 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of frame 3. Random backoff: avoid collisions 4. Send the packet In use SIFS AIFSN Backoff Packet 2
  8. 8. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware:  Disable backoff  Reducing AIFSN  Reducing SIFS In use SIFS AIFSN Backoff Packet 2
  9. 9. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware:  Disable backoff  Reducing AIFSN  Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2
  10. 10. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware:  Disable backoff  Reducing AIFSN  Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2 Upload!
  11. 11. How to control radio chip? 11 Using memory mapped registers  Disable backoff: int *GBL_IFS_MISC = (int*)0x10F0; *GBL_IFS_MISC |= IGNORE_BACKOFF;  Reset AIFSN and SIFS: int *AR_DLCL_IFS = (int*)0x1040; *AR_DLCL_IFS = 0;
  12. 12. Location of this code? 12 WiFi Dongle CPU radio chip Main machine Userspace Operating System Driver Code runs on CPU of dongle  Firmware control needed USB
  13. 13. Countermeasures 13 DOMINO defense system reliably detects selfish behavior [1]. More on this later!
  14. 14. Selfish Behavior What if there are multiple selfish stations?  In a collision, both frames are lost.  Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. Similar to FM radio Demo: The Queen station generally “wins” the collision with others.
  15. 15. FM Radio Demo
  16. 16. Selfish Behavior 16 Attacker can abuse capture effect  Selfish clients will lower their bitrate to beat other selfish stations!  Until this gives no more advantage. To increase throughput, bitrate is lowered!  Other station = background noise
  17. 17. Continuous Jammer 17 Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Frame 1 radio chip …Frame 2
  18. 18. Continuous Jammer 18 Frame 1 radio chip …Frame 2 Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Infinite list!
  19. 19. Continuous Jammer 19 Experiments  Only first packet visible in monitor mode!  Other devices are silenced. Default antenna gives range of ~80 meters. Amplifier gives range of ~120 meters
  20. 20. Demo: Continuous Jammer 20 Ideally done in a shielded room … … but we can try it here as well  To prevent harm, only active for a few seconds.
  21. 21. Raspberry Pi Supported! 21
  22. 22. Practical Implications 22 Devices in 2.4 and 5 GHz bands?  Home automation  Industrial control  Internet of Things  … Can easily be jammed!
  23. 23. Practical Implications 23 Devices in 2.4 and 5 GHz bands?
  24. 24. Practical Implications 24 Devices in 2.4 and 5 GHz bands?
  25. 25. Not just wild speculation … 25 … jammers are already used by thieves! $45 Chinese jammer to prevent cars from being locked [6] GPS jammer to disable anti-theft tracking devices in stolen cars [7] Disable mobile phone service after cutting phone and alarm cables [8]
  26. 26. Selective Jammer 26 Decides, based on the header, whether to jam the frame.
  27. 27. How does it work? Physical packet Detect Init Jam 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet
  28. 28. How does it work? Physical packet Detect Init Jam 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Easy Hard
  29. 29. Detecting frame headers? RAM DMA Internal CPU while(recvbuff[0] == 0): pass radio chip Decodes physical WiFi signals  Can read header of frames still in the air.
  30. 30. In practice 30 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Timeout Detect incoming packet Poll memory until data is being written:
  31. 31. In practice 31 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Probe request or beacon? buff + 10: sender of packet source : target MAC address
  32. 32. In practice 32 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Set specific bit in register
  33. 33. In practice 33 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet TXE: Transmit (TX) enable (E) Pointer to dummy packet
  34. 34. Selective Jammer: Reliability 34 Jammed beacons with many devices/positions How fast can it react?  Position of first mangled byte?  1 Mpbs beacon in 2.4 GHz: position 52  6 Mpbs beacon in 5 GHz: position 88 Context:  MAC header is 34 bytes
  35. 35. Selective Jammer: Reliability 35 Jammed beacons with many devices/positions Conclusion  100% reliable selective jammer not possible  Medium to large packets can be jammed  Surprising this is possible with a limited API!
  36. 36. DOMINO defense system 36 Also capable of detecting selective jammers  Assumes MAC header is still valid.  Attacker has low #(corrupted frames)  Thrown of the network Unfortunately it’s flawed  Jammed (corrupted) frames are not authenticated, we can forge them.  Pretend that a client is jamming others.
  37. 37. Demo: Selective Jammer 37 Avoiding harmful interference:  Target is in (unused?) 5 GHz channel  Will only run for a few seconds If you do more extensive tests …
  38. 38. Code is online! 38 modwifi.bitbucket.org ( github.com/vanhoefm/modwifi ) Scenarios where (selective) jammers are useful?
  39. 39. 1. Attack WiFi geolocation 39 Location determined by nearby SSIDs. Geolocation attack [9]  Inject SSIDs present at other location  Can only spoof location having more APs  Solution: selectively jam nearby APs  Never blindly trust WiFi geolocation!
  40. 40. 2. As defense system 40 Turn the tables around: Use jamming to protect a network  Selectively jam rouge APs  Wearable shield to protect medical implants that constantly sends jamming signal. [10]  …. (active research topic)
  41. 41. 2. As defense system 41 May not be legal? Blocking personal hotspots:  Done by Marriott and Smart City Holdings  Complaint was filled to the FCC  Settled for fine of $600,000 and $750,000 Is blocking malicious or rogue hotspots legal?
  42. 42. Impact on higher-layers 42 What about higher- layer protocols?
  43. 43. Impact on higher-layers 43 What if we could reliably manipulate encrypted traffic? We could attack WPA-TKIP! not decrypt!
  44. 44. Reliably Intercepting Traffic! 44 Channel-based MiTM attack  Works against any encrypted network  Can reliably manipulate encrypted traffic.
  45. 45. Strawman: different MAC 45 Cloned MAC addresses different from target? AP Client Attacker
  46. 46. Strawman: different MAC 46 Cloned MAC addresses different from target? AP Client Handshake verifies MAC addresses and fails. Attacker
  47. 47. Strawman: different MAC 47 Same MAC addresses (as AP and client)? AP Client Attacker
  48. 48. Strawman: different MAC 48 Same MAC addresses (as AP and client)? AP Client AP and client directly communicate. Attacker Channel 1
  49. 49. Solution: channel-based 49 Same addresses, rouge AP on different channel AP Client Handshake will succeed  Intercept traffic! Attacker
  50. 50. Example 1: attacking TKIP  It would allow us to attack TKIP.  But why research TKIP? Isn’t it dead? 50 1999 2002 2004 WEP TKIP AES-CCMP
  51. 51. Example 1: attacking TKIP 51 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used  It would allow us to attack TKIP.  But why research TKIP? Isn’t it dead?
  52. 52. Example 1: attacking TKIP 52 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used Used!!  It would allow us to attack TKIP.  But why research TKIP? Isn’t it dead?
  53. 53. Why research TKIP? 53 Network can allow both TKIP and CCMP:  New devices uses CCMP  Old devices uses TKIP Broadcast traffic:  Old devices must be able to decrypt it … Unicast traffic
  54. 54. Why research TKIP? 54 If a network supports TKIP, all broadcast traffic is encrypted using it.
  55. 55. TKIP Usage (2014) Found ~6000 networks 7% support only TKIP 67% support TKIP 55 TKIP is still widely used!
  56. 56. Quick Background 1. Add Message Integrity Check (MIC) 2. Encrypt using RC4 MICData Encrypted How are packets sent/received? 56 Bad! See rc4nomore.com
  57. 57. MIC Countermeasures 57 MICData If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP
  58. 58. MIC Countermeasures 58 MICData If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP Abuse to decrypt last byte(s) [3]
  59. 59. TKIP Group Cipher 59 For broadcast, all clients send a MIC failure.  Use channel-based MiTM and drop them  Avoids MIC countermeasures Resulting attack  Can obtain MIC key within 7 minutes.  Inject & decrypt some packets [3,4]  Only allow AES-CCMP!
  60. 60. Firmware vs. driver 60 WiFi Dongle CPU radio chip Main machine Userspace Operating System Driver USB radio chipPCI Only driver control needed! Internal Chip
  61. 61. FCC Security Proposal 61 How to mitigate low-layer attacks?  Secure either hardware or software Relevant FCC proposal: “only software that has been approved with a particular radio can be loaded into that radio”  Device will only run signed software
  62. 62. Goal: prevent interference 62 Weather radar example:  Operate in 5 GHz band  WiFi can interfere with them  FCC had to deal with several cases of intentional interference Software control of frequency, transmit power,…  Prevent operation outside allowed ranges
  63. 63. Reason for concern 63 The proposed rule is too strict  Requires signed software, no alternatives  No definition of “radio” or “device” is given! Better proposal:  “implement security features so the device never operates outside radio parameters for which the device was certified” Unclear how to best prevent our attacks … … cheap triangulators??
  64. 64. Reason for concern 64 The proposed rule is too strict  Requires signed software, no alternatives  No definition of “radio” or “device” is given! Better proposal:  “implement security features so the device never operates outside radio parameters for which the device was certified” See “A case for open radio firmware” Unclear how to best prevent our attacks … … cheap triangulators??
  65. 65. @vanhoefm modwifi.bitbucket.com Questions?
  66. 66. References 66 1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in EEE 802.11 hotspots. In MobiSys, 2004. 2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against wpa enterprise authentication. In NDSS, Apr. 2013. 3. M. Vanhoef and F. Piessens. Practical verification of wpa-tkip vulnerabilities. In ASIACCS, 2013. 4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014. 5. J. Robertson and M. Riley. Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar. In Bloomberg, 2014. 6. C. Cox. Hi-tech car thieves hit the streets with £30 jamming devices bought over the internet. In Manchester Evening News, 2014.
  67. 67. References 67 7. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010. 8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. In Orlando Sentinel, 2011. 9. P. Dandumont. Don’t trust geolocation! Retrieved 5 October, 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/ 10.Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011.

×