This document summarizes advanced WiFi attacks that can be performed using inexpensive commodity hardware. It describes how WiFi assumes each station acts fairly, but with specialized hardware this assumption no longer holds. Various attacks are demonstrated, including continuous jamming to render a channel unusable, and selective jamming to block specific packets. The document also explores selfish behavior attacks, continuous and selective jamming implementations, and impacts on higher network layers including attacks on encrypted WPA-TKIP traffic.
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Â
Advanced WiFi Attacks Using Commodity Hardware
1. Advanced WiFi Attacks Using
Commodity Hardware
Mathy Vanhoef (@vanhoefm), KU Leuven
BruCON 2015
2. ī§ WiFi assumes each station acts fairly
ī§ With special hardware this isnât the case
ī Continuous jamming (channel unusable)
ī Selective jamming (block specific packets)
Background
2
3. ī§ WiFi assumes each station acts fairly
ī§ With special hardware this isnât the case
ī Continuous jamming (channel unusable)
ī Selective jamming (block specific packets)
Background
3
>$4000
4. Also with cheap hardware!
4
Small 15$ USB sufficient to:
ī§ Testing selfish behavior in practice
ī§ Continuous & selective jamming
ī§ Reliable manipulation of encrypted traffic
5. Also with cheap hardware!
5
Attacks are cheaper than expected
ī§ Should be able to detect them.
>$4000 ~$15
7. Selfish Behavior
Steps taken to transmit a frame:
1. SIFS: let hardware process the frame
2. AIFSN: depends on priority of frame
3. Random backoff: avoid collisions
4. Send the packet
In use SIFS AIFSN Backoff Packet 2
8. Selfish Behavior
Steps taken to transmit a frame:
Manipulate by modifying Atheros firmware:
ī§ Disable backoff
ī§ Reducing AIFSN
ī§ Reducing SIFS
In use SIFS AIFSN Backoff Packet 2
9. Selfish Behavior
Steps taken to transmit a frame:
Manipulate by modifying Atheros firmware:
ī§ Disable backoff
ī§ Reducing AIFSN
ī§ Reducing SIFS
Optimal strategy:
From 14 to 37 Mbps
Reduces throughput
In use SIFS AIFSN Backoff Packet 2
10. Selfish Behavior
Steps taken to transmit a frame:
Manipulate by modifying Atheros firmware:
ī§ Disable backoff
ī§ Reducing AIFSN
ī§ Reducing SIFS
Optimal strategy:
From 14 to 37 Mbps
Reduces throughput
In use SIFS AIFSN Backoff Packet 2
Upload!
11. How to control radio chip?
11
Using memory mapped registers
ī§ Disable backoff:
int *GBL_IFS_MISC = (int*)0x10F0;
*GBL_IFS_MISC |= IGNORE_BACKOFF;
ī§ Reset AIFSN and SIFS:
int *AR_DLCL_IFS = (int*)0x1040;
*AR_DLCL_IFS = 0;
12. Location of this code?
12
WiFi Dongle
CPU
radio
chip
Main machine
Userspace
Operating
System
Driver
Code runs on CPU of dongle
ī Firmware control needed
USB
14. Selfish Behavior
What if there are multiple selfish stations?
ī§ In a collision, both frames are lost.
ī§ Capture effect: in a collision, frame with the
best signal and lowest bitrate is decoded.
Similar to FM radio
Demo: The Queen station generally
âwinsâ the collision with others.
16. Selfish Behavior
16
Attacker can abuse capture effect
ī§ Selfish clients will lower their bitrate to beat
other selfish stations!
ī§ Until this gives no more advantage.
To increase throughput, bitrate is lowered!
ī Other station = background noise
17. Continuous Jammer
17
Want to build a continuous jammer
1. Instant transmit: disable carrier sense
2. No interruptions: queue infinite #packets
Frames to be transmitted are in a linked list:
Frame 1
radio
chip
âĻFrame 2
18. Continuous Jammer
18
Frame 1
radio
chip
âĻFrame 2
Want to build a continuous jammer
1. Instant transmit: disable carrier sense
2. No interruptions: queue infinite #packets
Frames to be transmitted are in a linked list:
Infinite list!
19. Continuous Jammer
19
Experiments
ī§ Only first packet visible in monitor mode!
ī§ Other devices are silenced.
Default antenna gives
range of ~80 meters.
Amplifier gives range
of ~120 meters
20. Demo: Continuous Jammer
20
Ideally done in a shielded room âĻ
âĻ but we can try it here as well ī
To prevent harm, only active for a few seconds.
22. Practical Implications
22
Devices in 2.4 and 5 GHz bands?
ī§ Home automation
ī§ Industrial control
ī§ Internet of Things
ī§ âĻ
Can easily be jammed!
25. Not just wild speculation âĻ
25
âĻ jammers are already used by thieves!
$45 Chinese jammer to prevent
cars from being locked [6]
GPS jammer to disable anti-theft
tracking devices in stolen cars [7]
Disable mobile phone service after
cutting phone and alarm cables [8]
30. In practice
30
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
Timeout Detect incoming packet
Poll memory until data is being written:
31. In practice
31
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
Probe request or beacon?
buff + 10: sender of packet
source : target MAC address
32. In practice
32
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
Set specific bit in register
33. In practice
33
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
TXE: Transmit (TX) enable (E)
Pointer to dummy packet
34. Selective Jammer: Reliability
34
Jammed beacons with many devices/positions
How fast can it react?
ī§ Position of first mangled byte?
ī§ 1 Mpbs beacon in 2.4 GHz: position 52
ī§ 6 Mpbs beacon in 5 GHz: position 88
Context:
ī§ MAC header is 34 bytes
35. Selective Jammer: Reliability
35
Jammed beacons with many devices/positions
Conclusion
ī§ 100% reliable selective jammer not possible
ī§ Medium to large packets can be jammed
ī§ Surprising this is possible with a limited API!
36. DOMINO defense system
36
Also capable of detecting selective jammers
ī§ Assumes MAC header is still valid.
ī§ Attacker has low #(corrupted frames)
ī§ Thrown of the network
Unfortunately itâs flawed
ī§ Jammed (corrupted) frames are not
authenticated, we can forge them.
ī§ Pretend that a client is jamming others.
37. Demo: Selective Jammer
37
Avoiding harmful interference:
ī§ Target is in (unused?) 5 GHz channel
ī§ Will only run for a few seconds
If you do more extensive tests âĻ
39. 1. Attack WiFi geolocation
39
Location determined by nearby SSIDs.
Geolocation attack [9]
ī§ Inject SSIDs present at other location
ī§ Can only spoof location having more APs
ī§ Solution: selectively jam nearby APs
ī Never blindly trust WiFi geolocation!
40. 2. As defense system
40
Turn the tables around:
Use jamming to protect a network
ī§ Selectively jam rouge APs
ī§ Wearable shield to protect medical implants
that constantly sends jamming signal. [10]
ī§ âĻ. (active research topic)
41. 2. As defense system
41
May not be legal?
Blocking personal hotspots:
ī§ Done by Marriott and Smart City Holdings
ī§ Complaint was filled to the FCC
ī§ Settled for fine of $600,000 and $750,000
Is blocking malicious or
rogue hotspots legal?
50. Example 1: attacking TKIP
ī§ It would allow us to attack TKIP.
ī§ But why research TKIP? Isnât it dead?
50
1999 2002 2004
WEP TKIP AES-CCMP
51. Example 1: attacking TKIP
51
1999 2002 2004
WEP
Not used
TKIP
Not used?
AES-CCMP
Mainly used
ī§ It would allow us to attack TKIP.
ī§ But why research TKIP? Isnât it dead?
52. Example 1: attacking TKIP
52
1999 2002 2004
WEP
Not used
TKIP
Not used?
AES-CCMP
Mainly used
Used!!
ī§ It would allow us to attack TKIP.
ī§ But why research TKIP? Isnât it dead?
53. Why research TKIP?
53
Network can allow both TKIP and CCMP:
ī§ New devices uses CCMP
ī§ Old devices uses TKIP
Broadcast traffic:
ī§ Old devices must be able to decrypt it âĻ
Unicast traffic
58. MIC Countermeasures
58
MICData
If decrypted, reveals MIC key.
If ( two MIC failures within a minute)
AP halts all traffic for 1 minute
Client sends MIC failure report to AP
Abuse to decrypt last byte(s) [3]
59. TKIP Group Cipher
59
For broadcast, all clients send a MIC failure.
ī§ Use channel-based MiTM and drop them
ī§ Avoids MIC countermeasures
Resulting attack
ī§ Can obtain MIC key within 7 minutes.
ī§ Inject & decrypt some packets [3,4]
ī§ Only allow AES-CCMP!
60. Firmware vs. driver
60
WiFi Dongle
CPU
radio
chip
Main machine
Userspace
Operating
System
Driver
USB
radio
chipPCI
Only driver
control
needed!
Internal Chip
61. FCC Security Proposal
61
How to mitigate low-layer attacks?
ī§ Secure either hardware or software
Relevant FCC proposal:
âonly software that has
been approved with a
particular radio can be
loaded into that radioâ
ī Device will only run signed software
62. Goal: prevent interference
62
Weather radar example:
ī§ Operate in 5 GHz band
ī§ WiFi can interfere with them
ī§ FCC had to deal with several
cases of intentional interference
Software control of frequency, transmit power,âĻ
ī§ Prevent operation outside allowed ranges
63. Reason for concern
63
The proposed rule is too strict
ī§ Requires signed software, no alternatives
ī§ No definition of âradioâ or âdeviceâ is given!
Better proposal:
ī§ âimplement security features so the device
never operates outside radio parameters
for which the device was certifiedâ
ī Unclear how to best prevent our attacks âĻ
âĻ cheap triangulators??
64. Reason for concern
64
The proposed rule is too strict
ī§ Requires signed software, no alternatives
ī§ No definition of âradioâ or âdeviceâ is given!
Better proposal:
ī§ âimplement security features so the device
never operates outside radio parameters
for which the device was certifiedâ
See âA case for open
radio firmwareâ
ī Unclear how to best prevent our attacks âĻ
âĻ cheap triangulators??
66. References
66
1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect
greedy behavior in EEE 802.11 hotspots. In MobiSys, 2004.
2. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical,
targeted, and stealthy attack against wpa enterprise authentication.
In NDSS, Apr. 2013.
3. M. Vanhoef and F. Piessens. Practical verification of wpa-tkip
vulnerabilities. In ASIACCS, 2013.
4. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using
commodity hardware. In ACSAC, 2014.
5. J. Robertson and M. Riley. Mysterious â08 Turkey Pipeline Blast
Opened New Cyberwar. In Bloomberg, 2014.
6. C. Cox. Hi-tech car thieves hit the streets with ÂŖ30 jamming devices
bought over the internet. In Manchester Evening News, 2014.
67. References
67
7. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010.
8. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass
heist, cops say. In Orlando Sentinel, 2011.
9. P. Dandumont. Donât trust geolocation! Retrieved 5 October, 2015,
from journaldulapin.com/2013/08/26/dont-trust-geolocation/
10.Gollakota et al. They can hear your heartbeats: non-invasive
security for implantable medical devices. In SIGCOMM, 2011.