SlideShare a Scribd company logo

Advanced WiFi Attacks Using Commodity Hardware

â€ĸ
â€ĸ
V
vanhoefm

This document summarizes advanced WiFi attacks that can be performed using inexpensive commodity hardware. It describes how WiFi assumes each station acts fairly, but with specialized hardware this assumption no longer holds. Various attacks are demonstrated, including continuous jamming to render a channel unusable, and selective jamming to block specific packets. The document also explores selfish behavior attacks, continuous and selective jamming implementations, and impacts on higher network layers including attacks on encrypted WPA-TKIP traffic.

Technology
1 of 67
Download to read offline
Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef (@vanhoefm), KU Leuven BruCON 2015
ī‚§ WiFi assumes each station acts fairly ī‚§ With special hardware this isn’t the case īƒ˜ Continuous jamming (channel unusable) īƒ˜ Selective jamming (block specific packets) Background 2
ī‚§ WiFi assumes each station acts fairly ī‚§ With special hardware this isn’t the case īƒ˜ Continuous jamming (channel unusable) īƒ˜ Selective jamming (block specific packets) Background 3 >$4000
Also with cheap hardware! 4 Small 15$ USB sufficient to: ī‚§ Testing selfish behavior in practice ī‚§ Continuous & selective jamming ī‚§ Reliable manipulation of encrypted traffic
Also with cheap hardware! 5 Attacks are cheaper than expected ī‚§ Should be able to detect them. >$4000 ~$15
Selfish Behavior Selfish behavior in practice? Implement & Test!
Selfish Behavior Steps taken to transmit a frame: 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of frame 3. Random backoff: avoid collisions 4. Send the packet In use SIFS AIFSN Backoff Packet 2
Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: ī‚§ Disable backoff ī‚§ Reducing AIFSN ī‚§ Reducing SIFS In use SIFS AIFSN Backoff Packet 2
Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: ī‚§ Disable backoff ī‚§ Reducing AIFSN ī‚§ Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2
Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: ī‚§ Disable backoff ī‚§ Reducing AIFSN ī‚§ Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2 Upload!
How to control radio chip? 11 Using memory mapped registers ī‚§ Disable backoff: int *GBL_IFS_MISC = (int*)0x10F0; *GBL_IFS_MISC |= IGNORE_BACKOFF; ī‚§ Reset AIFSN and SIFS: int *AR_DLCL_IFS = (int*)0x1040; *AR_DLCL_IFS = 0;
Location of this code? 12 WiFi Dongle CPU radio chip Main machine Userspace Operating System Driver Code runs on CPU of dongle īƒ  Firmware control needed USB
Countermeasures 13 DOMINO defense system reliably detects selfish behavior [1]. More on this later!
Selfish Behavior What if there are multiple selfish stations? ī‚§ In a collision, both frames are lost. ī‚§ Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. Similar to FM radio Demo: The Queen station generally “wins” the collision with others.
FM Radio Demo
Selfish Behavior 16 Attacker can abuse capture effect ī‚§ Selfish clients will lower their bitrate to beat other selfish stations! ī‚§ Until this gives no more advantage. To increase throughput, bitrate is lowered! īƒ  Other station = background noise
Continuous Jammer 17 Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Frame 1 radio chip â€ĻFrame 2
Continuous Jammer 18 Frame 1 radio chip â€ĻFrame 2 Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Infinite list!
Continuous Jammer 19 Experiments ī‚§ Only first packet visible in monitor mode! ī‚§ Other devices are silenced. Default antenna gives range of ~80 meters. Amplifier gives range of ~120 meters
Demo: Continuous Jammer 20 Ideally done in a shielded room â€Ļ â€Ļ but we can try it here as well īŠ To prevent harm, only active for a few seconds.
Raspberry Pi Supported! 21
Practical Implications 22 Devices in 2.4 and 5 GHz bands? ī‚§ Home automation ī‚§ Industrial control ī‚§ Internet of Things ī‚§ â€Ļ Can easily be jammed!
Practical Implications 23 Devices in 2.4 and 5 GHz bands?
Practical Implications 24 Devices in 2.4 and 5 GHz bands?
Not just wild speculation â€Ļ 25 â€Ļ jammers are already used by thieves! $45 Chinese jammer to prevent cars from being locked [6] GPS jammer to disable anti-theft tracking devices in stolen cars [7] Disable mobile phone service after cutting phone and alarm cables [8]
Selective Jammer 26 Decides, based on the header, whether to jam the frame.
How does it work? Physical packet Detect Init Jam 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet
How does it work? Physical packet Detect Init Jam 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Easy Hard
Detecting frame headers? RAM DMA Internal CPU while(recvbuff[0] == 0): pass radio chip Decodes physical WiFi signals īƒ  Can read header of frames still in the air.
In practice 30 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Timeout Detect incoming packet Poll memory until data is being written:
In practice 31 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Probe request or beacon? buff + 10: sender of packet source : target MAC address
In practice 32 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Set specific bit in register
In practice 33 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet TXE: Transmit (TX) enable (E) Pointer to dummy packet
Selective Jammer: Reliability 34 Jammed beacons with many devices/positions How fast can it react? ī‚§ Position of first mangled byte? ī‚§ 1 Mpbs beacon in 2.4 GHz: position 52 ī‚§ 6 Mpbs beacon in 5 GHz: position 88 Context: ī‚§ MAC header is 34 bytes
Selective Jammer: Reliability 35 Jammed beacons with many devices/positions Conclusion ī‚§ 100% reliable selective jammer not possible ī‚§ Medium to large packets can be jammed ī‚§ Surprising this is possible with a limited API!
DOMINO defense system 36 Also capable of detecting selective jammers ī‚§ Assumes MAC header is still valid. ī‚§ Attacker has low #(corrupted frames) ī‚§ Thrown of the network Unfortunately it’s flawed ī‚§ Jammed (corrupted) frames are not authenticated, we can forge them. ī‚§ Pretend that a client is jamming others.
Demo: Selective Jammer 37 Avoiding harmful interference: ī‚§ Target is in (unused?) 5 GHz channel ī‚§ Will only run for a few seconds If you do more extensive tests â€Ļ
Code is online! 38 modwifi.bitbucket.org ( github.com/vanhoefm/modwifi ) Scenarios where (selective) jammers are useful?
1. Attack WiFi geolocation 39 Location determined by nearby SSIDs. Geolocation attack [9] ī‚§ Inject SSIDs present at other location ī‚§ Can only spoof location having more APs ī‚§ Solution: selectively jam nearby APs īƒ  Never blindly trust WiFi geolocation!
2. As defense system 40 Turn the tables around: Use jamming to protect a network ī‚§ Selectively jam rouge APs ī‚§ Wearable shield to protect medical implants that constantly sends jamming signal. [10] ī‚§ â€Ļ. (active research topic)
2. As defense system 41 May not be legal? Blocking personal hotspots: ī‚§ Done by Marriott and Smart City Holdings ī‚§ Complaint was filled to the FCC ī‚§ Settled for fine of $600,000 and $750,000 Is blocking malicious or rogue hotspots legal?
Impact on higher-layers 42 What about higher- layer protocols?
Impact on higher-layers 43 What if we could reliably manipulate encrypted traffic? We could attack WPA-TKIP! not decrypt!
Reliably Intercepting Traffic! 44 Channel-based MiTM attack ī‚§ Works against any encrypted network ī‚§ Can reliably manipulate encrypted traffic.
Strawman: different MAC 45 Cloned MAC addresses different from target? AP Client Attacker
Strawman: different MAC 46 Cloned MAC addresses different from target? AP Client Handshake verifies MAC addresses and fails. Attacker
Strawman: different MAC 47 Same MAC addresses (as AP and client)? AP Client Attacker
Strawman: different MAC 48 Same MAC addresses (as AP and client)? AP Client AP and client directly communicate. Attacker Channel 1
Solution: channel-based 49 Same addresses, rouge AP on different channel AP Client Handshake will succeed īƒ  Intercept traffic! Attacker
Example 1: attacking TKIP ī‚§ It would allow us to attack TKIP. ī‚§ But why research TKIP? Isn’t it dead? 50 1999 2002 2004 WEP TKIP AES-CCMP
Example 1: attacking TKIP 51 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used ī‚§ It would allow us to attack TKIP. ī‚§ But why research TKIP? Isn’t it dead?
Example 1: attacking TKIP 52 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used Used!! ī‚§ It would allow us to attack TKIP. ī‚§ But why research TKIP? Isn’t it dead?
Why research TKIP? 53 Network can allow both TKIP and CCMP: ī‚§ New devices uses CCMP ī‚§ Old devices uses TKIP Broadcast traffic: ī‚§ Old devices must be able to decrypt it â€Ļ Unicast traffic
Why research TKIP? 54 If a network supports TKIP, all broadcast traffic is encrypted using it.
TKIP Usage (2014) Found ~6000 networks 7% support only TKIP 67% support TKIP 55 TKIP is still widely used!
Quick Background 1. Add Message Integrity Check (MIC) 2. Encrypt using RC4 MICData Encrypted How are packets sent/received? 56 Bad! See rc4nomore.com
MIC Countermeasures 57 MICData If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP
MIC Countermeasures 58 MICData If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP Abuse to decrypt last byte(s) [3]
TKIP Group Cipher 59 For broadcast, all clients send a MIC failure. ī‚§ Use channel-based MiTM and drop them ī‚§ Avoids MIC countermeasures Resulting attack ī‚§ Can obtain MIC key within 7 minutes. ī‚§ Inject & decrypt some packets [3,4] ī‚§ Only allow AES-CCMP!
Firmware vs. driver 60 WiFi Dongle CPU radio chip Main machine Userspace Operating System Driver USB radio chipPCI Only driver control needed! Internal Chip
FCC Security Proposal 61 How to mitigate low-layer attacks? ī‚§ Secure either hardware or software Relevant FCC proposal: “only software that has been approved with a particular radio can be loaded into that radio” īƒ  Device will only run signed software
Goal: prevent interference 62 Weather radar example: ī‚§ Operate in 5 GHz band ī‚§ WiFi can interfere with them ī‚§ FCC had to deal with several cases of intentional interference Software control of frequency, transmit power,â€Ļ ī‚§ Prevent operation outside allowed ranges
Reason for concern 63 The proposed rule is too strict ī‚§ Requires signed software, no alternatives ī‚§ No definition of “radio” or “device” is given! Better proposal: ī‚§ “implement security features so the device never operates outside radio parameters for which the device was certified” īƒ Unclear how to best prevent our attacks â€Ļ â€Ļ cheap triangulators??
Reason for concern 64 The proposed rule is too strict ī‚§ Requires signed software, no alternatives ī‚§ No definition of “radio” or “device” is given! Better proposal: ī‚§ “implement security features so the device never operates outside radio parameters for which the device was certified” See “A case for open radio firmware” īƒ Unclear how to best prevent our attacks â€Ļ â€Ļ cheap triangulators??
@vanhoefm modwifi.bitbucket.com Questions?
References 66 1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in EEE 802.11 hotspots. In MobiSys, 2004. 2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against wpa enterprise authentication. In NDSS, Apr. 2013. 3. M. Vanhoef and F. Piessens. Practical verification of wpa-tkip vulnerabilities. In ASIACCS, 2013. 4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014. 5. J. Robertson and M. Riley. Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar. In Bloomberg, 2014. 6. C. Cox. Hi-tech car thieves hit the streets with ÂŖ30 jamming devices bought over the internet. In Manchester Evening News, 2014.
References 67 7. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010. 8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. In Orlando Sentinel, 2011. 9. P. Dandumont. Don’t trust geolocation! Retrieved 5 October, 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/ 10.Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011.

Recommended

USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
vanhoefm
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
vanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
Sahil Rai
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
Anton Chuvakin
 

Recommended

USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
vanhoefm
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
vanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
Sahil Rai
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
Anton Chuvakin
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
Rob Gillen
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
primeteacher32
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devices
Erez Metula
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
amiable_indian
 
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security PresentationSuper Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
System ID Warehouse
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
Hariraj Rathod
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
Vinoth Sivasubramanan
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
vilss
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
Viren Rao
 
Acid
AcidAcid
Acid
Michael Boman
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
Kunal Thakur
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
dkaya
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Tanmay 'Unsinkable'
 
3.Network
3.Network3.Network
3.Network
phanleson
 
Hacker tool talk: kismet
Hacker tool talk: kismetHacker tool talk: kismet
Hacker tool talk: kismet
Chris Hammond-Thrasher
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6
jemtallon
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
Snort
SnortSnort
Snort
Michael Boman
 
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio TransceiversScreaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Priyanka Aash
 
Drone Jammer
Drone JammerDrone Jammer
Drone Jammer
Shop-WiFi - Wireless RF Technology R&R Group Jammers4u
 
Cell phone jammer presentation
Cell phone jammer presentationCell phone jammer presentation
Cell phone jammer presentation
Manikandan Jeeva
 

More Related Content

What's hot

Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devices
Erez Metula
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
Kunal Thakur
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
dkaya
 
3.Network
3.Network3.Network
3.Network
phanleson
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio TransceiversScreaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Priyanka Aash
 

What's hot (20)

DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devices
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
 
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security PresentationSuper Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
Acid
AcidAcid
Acid
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 
3.Network
3.Network3.Network
3.Network
 
Hacker tool talk: kismet
Hacker tool talk: kismetHacker tool talk: kismet
Hacker tool talk: kismet
 
CISSP Week 6
CISSP Week 6CISSP Week 6
CISSP Week 6
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
Snort
SnortSnort
Snort
 
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio TransceiversScreaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
 

Viewers also liked

Secure your public WiFi
Secure your public WiFiSecure your public WiFi
Secure your public WiFi
Martin Keg
 
Packet-Hiding Methods: To Prevent Selective Jamming Attacks
Packet-Hiding Methods: To Prevent Selective Jamming AttacksPacket-Hiding Methods: To Prevent Selective Jamming Attacks
Packet-Hiding Methods: To Prevent Selective Jamming Attacks
Swapnil Salunke
 
cell phone jammer report
cell phone jammer reportcell phone jammer report
cell phone jammer report
Sameer Gupta
 
Mobile jammer
Mobile jammerMobile jammer
Mobile jammer
Avay Minni
 

Viewers also liked (20)

Drone Jammer
Drone JammerDrone Jammer
Drone Jammer
 
Cell phone jammer presentation
Cell phone jammer presentationCell phone jammer presentation
Cell phone jammer presentation
 
СаŅ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…Đ—Đ°Ņ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…ваŅ‚Đ° GSM ŅĐ¸ĐŗĐŊĐ°ĐģаваŅ‚Đ° Gsm ŅĐ¸ĐŗĐŊĐ°ĐģĐ°
СаŅ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…Đ—Đ°Ņ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…ваŅ‚Đ° GSM ŅĐ¸ĐŗĐŊĐ°ĐģаваŅ‚Đ° Gsm ŅĐ¸ĐŗĐŊĐ°ĐģаСаŅ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…Đ—Đ°Ņ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…ваŅ‚Đ° GSM ŅĐ¸ĐŗĐŊĐ°ĐģаваŅ‚Đ° Gsm ŅĐ¸ĐŗĐŊĐ°ĐģĐ°
СаŅ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…Đ—Đ°Ņ‰Đ¸Ņ‚Đ° ĐžŅ‚ ĐŋĐĩŅ€ĐĩŅ…ваŅ‚Đ° GSM ŅĐ¸ĐŗĐŊĐ°ĐģаваŅ‚Đ° Gsm ŅĐ¸ĐŗĐŊĐ°ĐģĐ°
 
Cellphone Jammer
Cellphone JammerCellphone Jammer
Cellphone Jammer
 
Secure your public WiFi
Secure your public WiFiSecure your public WiFi
Secure your public WiFi
 
Anti tree firesheep
Anti tree firesheepAnti tree firesheep
Anti tree firesheep
 
05 wi fi network security
05 wi fi network security05 wi fi network security
05 wi fi network security
 
Packet-Hiding Methods: To Prevent Selective Jamming Attacks
Packet-Hiding Methods: To Prevent Selective Jamming AttacksPacket-Hiding Methods: To Prevent Selective Jamming Attacks
Packet-Hiding Methods: To Prevent Selective Jamming Attacks
 
Cell phone detector & jammer
Cell phone detector & jammerCell phone detector & jammer
Cell phone detector & jammer
 
Ppt
PptPpt
Ppt
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless Hacking
 
Offline bruteforce attack on WiFi Protected Setup
Offline bruteforce attack on WiFi Protected SetupOffline bruteforce attack on WiFi Protected Setup
Offline bruteforce attack on WiFi Protected Setup
 
Wireless Hacking
Wireless HackingWireless Hacking
Wireless Hacking
 
cell phone jammer report
cell phone jammer reportcell phone jammer report
cell phone jammer report
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
Cell phone jammer ppt
Cell phone jammer pptCell phone jammer ppt
Cell phone jammer ppt
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & Defence
 
Mobile jammer
Mobile jammerMobile jammer
Mobile jammer
 

Similar to Advanced WiFi Attacks Using Commodity Hardware

[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
CODE BLUE
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
YuChianWu
 

Similar to Advanced WiFi Attacks Using Commodity Hardware (20)

5 ghz electronic warfare part i
5 ghz electronic warfare part i5 ghz electronic warfare part i
5 ghz electronic warfare part i
 
33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks
 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)
 
Hacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonHacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh Jadon
 
Synacktiv mobile communications attacks
Synacktiv mobile communications attacksSynacktiv mobile communications attacks
Synacktiv mobile communications attacks
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to us
 
All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.
 
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
[CB20] Drones' Cryptanalysis - Detecting Spying Drones by Ben Nassi
 
Hack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hackingHack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hacking
 
Troopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricksTroopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricks
 
Challenges and experiences with IPTV from a network point of view
Challenges and experiences with IPTV from a network point of viewChallenges and experiences with IPTV from a network point of view
Challenges and experiences with IPTV from a network point of view
 
Ethernet basics
Ethernet basicsEthernet basics
Ethernet basics
 
I2O Solutions - HDN Network Security Solution
I2O Solutions - HDN Network Security SolutionI2O Solutions - HDN Network Security Solution
I2O Solutions - HDN Network Security Solution
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
 
Best!
Best!Best!
Best!
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handout
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎ī¸+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Advanced WiFi Attacks Using Commodity Hardware

  • 1. Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef (@vanhoefm), KU Leuven BruCON 2015
  • 2. ī‚§ WiFi assumes each station acts fairly ī‚§ With special hardware this isn’t the case īƒ˜ Continuous jamming (channel unusable) īƒ˜ Selective jamming (block specific packets) Background 2
  • 3. ī‚§ WiFi assumes each station acts fairly ī‚§ With special hardware this isn’t the case īƒ˜ Continuous jamming (channel unusable) īƒ˜ Selective jamming (block specific packets) Background 3 >$4000
  • 4. Also with cheap hardware! 4 Small 15$ USB sufficient to: ī‚§ Testing selfish behavior in practice ī‚§ Continuous & selective jamming ī‚§ Reliable manipulation of encrypted traffic
  • 5. Also with cheap hardware! 5 Attacks are cheaper than expected ī‚§ Should be able to detect them. >$4000 ~$15
  • 6. Selfish Behavior Selfish behavior in practice? Implement & Test!
  • 7. Selfish Behavior Steps taken to transmit a frame: 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of frame 3. Random backoff: avoid collisions 4. Send the packet In use SIFS AIFSN Backoff Packet 2
  • 8. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: ī‚§ Disable backoff ī‚§ Reducing AIFSN ī‚§ Reducing SIFS In use SIFS AIFSN Backoff Packet 2
  • 9. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: ī‚§ Disable backoff ī‚§ Reducing AIFSN ī‚§ Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2
  • 10. Selfish Behavior Steps taken to transmit a frame: Manipulate by modifying Atheros firmware: ī‚§ Disable backoff ī‚§ Reducing AIFSN ī‚§ Reducing SIFS Optimal strategy: From 14 to 37 Mbps Reduces throughput In use SIFS AIFSN Backoff Packet 2 Upload!
  • 11. How to control radio chip? 11 Using memory mapped registers ī‚§ Disable backoff: int *GBL_IFS_MISC = (int*)0x10F0; *GBL_IFS_MISC |= IGNORE_BACKOFF; ī‚§ Reset AIFSN and SIFS: int *AR_DLCL_IFS = (int*)0x1040; *AR_DLCL_IFS = 0;
  • 12. Location of this code? 12 WiFi Dongle CPU radio chip Main machine Userspace Operating System Driver Code runs on CPU of dongle īƒ  Firmware control needed USB
  • 13. Countermeasures 13 DOMINO defense system reliably detects selfish behavior [1]. More on this later!
  • 14. Selfish Behavior What if there are multiple selfish stations? ī‚§ In a collision, both frames are lost. ī‚§ Capture effect: in a collision, frame with the best signal and lowest bitrate is decoded. Similar to FM radio Demo: The Queen station generally “wins” the collision with others.
  • 16. Selfish Behavior 16 Attacker can abuse capture effect ī‚§ Selfish clients will lower their bitrate to beat other selfish stations! ī‚§ Until this gives no more advantage. To increase throughput, bitrate is lowered! īƒ  Other station = background noise
  • 17. Continuous Jammer 17 Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Frame 1 radio chip â€ĻFrame 2
  • 18. Continuous Jammer 18 Frame 1 radio chip â€ĻFrame 2 Want to build a continuous jammer 1. Instant transmit: disable carrier sense 2. No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: Infinite list!
  • 19. Continuous Jammer 19 Experiments ī‚§ Only first packet visible in monitor mode! ī‚§ Other devices are silenced. Default antenna gives range of ~80 meters. Amplifier gives range of ~120 meters
  • 20. Demo: Continuous Jammer 20 Ideally done in a shielded room â€Ļ â€Ļ but we can try it here as well īŠ To prevent harm, only active for a few seconds.
  • 22. Practical Implications 22 Devices in 2.4 and 5 GHz bands? ī‚§ Home automation ī‚§ Industrial control ī‚§ Internet of Things ī‚§ â€Ļ Can easily be jammed!
  • 23. Practical Implications 23 Devices in 2.4 and 5 GHz bands?
  • 24. Practical Implications 24 Devices in 2.4 and 5 GHz bands?
  • 25. Not just wild speculation â€Ļ 25 â€Ļ jammers are already used by thieves! $45 Chinese jammer to prevent cars from being locked [6] GPS jammer to disable anti-theft tracking devices in stolen cars [7] Disable mobile phone service after cutting phone and alarm cables [8]
  • 26. Selective Jammer 26 Decides, based on the header, whether to jam the frame.
  • 27. How does it work? Physical packet Detect Init Jam 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet
  • 28. How does it work? Physical packet Detect Init Jam 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Easy Hard
  • 29. Detecting frame headers? RAM DMA Internal CPU while(recvbuff[0] == 0): pass radio chip Decodes physical WiFi signals īƒ  Can read header of frames still in the air.
  • 30. In practice 30 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Timeout Detect incoming packet Poll memory until data is being written:
  • 31. In practice 31 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Probe request or beacon? buff + 10: sender of packet source : target MAC address
  • 32. In practice 32 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Set specific bit in register
  • 33. In practice 33 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet TXE: Transmit (TX) enable (E) Pointer to dummy packet
  • 34. Selective Jammer: Reliability 34 Jammed beacons with many devices/positions How fast can it react? ī‚§ Position of first mangled byte? ī‚§ 1 Mpbs beacon in 2.4 GHz: position 52 ī‚§ 6 Mpbs beacon in 5 GHz: position 88 Context: ī‚§ MAC header is 34 bytes
  • 35. Selective Jammer: Reliability 35 Jammed beacons with many devices/positions Conclusion ī‚§ 100% reliable selective jammer not possible ī‚§ Medium to large packets can be jammed ī‚§ Surprising this is possible with a limited API!
  • 36. DOMINO defense system 36 Also capable of detecting selective jammers ī‚§ Assumes MAC header is still valid. ī‚§ Attacker has low #(corrupted frames) ī‚§ Thrown of the network Unfortunately it’s flawed ī‚§ Jammed (corrupted) frames are not authenticated, we can forge them. ī‚§ Pretend that a client is jamming others.
  • 37. Demo: Selective Jammer 37 Avoiding harmful interference: ī‚§ Target is in (unused?) 5 GHz channel ī‚§ Will only run for a few seconds If you do more extensive tests â€Ļ
  • 38. Code is online! 38 modwifi.bitbucket.org ( github.com/vanhoefm/modwifi ) Scenarios where (selective) jammers are useful?
  • 39. 1. Attack WiFi geolocation 39 Location determined by nearby SSIDs. Geolocation attack [9] ī‚§ Inject SSIDs present at other location ī‚§ Can only spoof location having more APs ī‚§ Solution: selectively jam nearby APs īƒ  Never blindly trust WiFi geolocation!
  • 40. 2. As defense system 40 Turn the tables around: Use jamming to protect a network ī‚§ Selectively jam rouge APs ī‚§ Wearable shield to protect medical implants that constantly sends jamming signal. [10] ī‚§ â€Ļ. (active research topic)
  • 41. 2. As defense system 41 May not be legal? Blocking personal hotspots: ī‚§ Done by Marriott and Smart City Holdings ī‚§ Complaint was filled to the FCC ī‚§ Settled for fine of $600,000 and $750,000 Is blocking malicious or rogue hotspots legal?
  • 42. Impact on higher-layers 42 What about higher- layer protocols?
  • 43. Impact on higher-layers 43 What if we could reliably manipulate encrypted traffic? We could attack WPA-TKIP! not decrypt!
  • 44. Reliably Intercepting Traffic! 44 Channel-based MiTM attack ī‚§ Works against any encrypted network ī‚§ Can reliably manipulate encrypted traffic.
  • 45. Strawman: different MAC 45 Cloned MAC addresses different from target? AP Client Attacker
  • 46. Strawman: different MAC 46 Cloned MAC addresses different from target? AP Client Handshake verifies MAC addresses and fails. Attacker
  • 47. Strawman: different MAC 47 Same MAC addresses (as AP and client)? AP Client Attacker
  • 48. Strawman: different MAC 48 Same MAC addresses (as AP and client)? AP Client AP and client directly communicate. Attacker Channel 1
  • 49. Solution: channel-based 49 Same addresses, rouge AP on different channel AP Client Handshake will succeed īƒ  Intercept traffic! Attacker
  • 50. Example 1: attacking TKIP ī‚§ It would allow us to attack TKIP. ī‚§ But why research TKIP? Isn’t it dead? 50 1999 2002 2004 WEP TKIP AES-CCMP
  • 51. Example 1: attacking TKIP 51 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used ī‚§ It would allow us to attack TKIP. ī‚§ But why research TKIP? Isn’t it dead?
  • 52. Example 1: attacking TKIP 52 1999 2002 2004 WEP Not used TKIP Not used? AES-CCMP Mainly used Used!! ī‚§ It would allow us to attack TKIP. ī‚§ But why research TKIP? Isn’t it dead?
  • 53. Why research TKIP? 53 Network can allow both TKIP and CCMP: ī‚§ New devices uses CCMP ī‚§ Old devices uses TKIP Broadcast traffic: ī‚§ Old devices must be able to decrypt it â€Ļ Unicast traffic
  • 54. Why research TKIP? 54 If a network supports TKIP, all broadcast traffic is encrypted using it.
  • 55. TKIP Usage (2014) Found ~6000 networks 7% support only TKIP 67% support TKIP 55 TKIP is still widely used!
  • 56. Quick Background 1. Add Message Integrity Check (MIC) 2. Encrypt using RC4 MICData Encrypted How are packets sent/received? 56 Bad! See rc4nomore.com
  • 57. MIC Countermeasures 57 MICData If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP
  • 58. MIC Countermeasures 58 MICData If decrypted, reveals MIC key. If ( two MIC failures within a minute) AP halts all traffic for 1 minute Client sends MIC failure report to AP Abuse to decrypt last byte(s) [3]
  • 59. TKIP Group Cipher 59 For broadcast, all clients send a MIC failure. ī‚§ Use channel-based MiTM and drop them ī‚§ Avoids MIC countermeasures Resulting attack ī‚§ Can obtain MIC key within 7 minutes. ī‚§ Inject & decrypt some packets [3,4] ī‚§ Only allow AES-CCMP!
  • 60. Firmware vs. driver 60 WiFi Dongle CPU radio chip Main machine Userspace Operating System Driver USB radio chipPCI Only driver control needed! Internal Chip
  • 61. FCC Security Proposal 61 How to mitigate low-layer attacks? ī‚§ Secure either hardware or software Relevant FCC proposal: “only software that has been approved with a particular radio can be loaded into that radio” īƒ  Device will only run signed software
  • 62. Goal: prevent interference 62 Weather radar example: ī‚§ Operate in 5 GHz band ī‚§ WiFi can interfere with them ī‚§ FCC had to deal with several cases of intentional interference Software control of frequency, transmit power,â€Ļ ī‚§ Prevent operation outside allowed ranges
  • 63. Reason for concern 63 The proposed rule is too strict ī‚§ Requires signed software, no alternatives ī‚§ No definition of “radio” or “device” is given! Better proposal: ī‚§ “implement security features so the device never operates outside radio parameters for which the device was certified” īƒ Unclear how to best prevent our attacks â€Ļ â€Ļ cheap triangulators??
  • 64. Reason for concern 64 The proposed rule is too strict ī‚§ Requires signed software, no alternatives ī‚§ No definition of “radio” or “device” is given! Better proposal: ī‚§ “implement security features so the device never operates outside radio parameters for which the device was certified” See “A case for open radio firmware” īƒ Unclear how to best prevent our attacks â€Ļ â€Ļ cheap triangulators??
  • 66. References 66 1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in EEE 802.11 hotspots. In MobiSys, 2004. 2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against wpa enterprise authentication. In NDSS, Apr. 2013. 3. M. Vanhoef and F. Piessens. Practical verification of wpa-tkip vulnerabilities. In ASIACCS, 2013. 4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014. 5. J. Robertson and M. Riley. Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar. In Bloomberg, 2014. 6. C. Cox. Hi-tech car thieves hit the streets with ÂŖ30 jamming devices bought over the internet. In Manchester Evening News, 2014.
  • 67. References 67 7. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010. 8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. In Orlando Sentinel, 2011. 9. P. Dandumont. Don’t trust geolocation! Retrieved 5 October, 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/ 10.Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011.