1

Intercepting Mobile Communications: The Insecurity of 802.11

…or “Why WEP Stinks”

Dustin Christmann

2

Introduction

This presentation will discuss the inadequacies of WEP encryption

We’ll discuss the theoretical weaknesses of the WEP standard

We’ll discuss the types of attacks that can exploit those weaknesses

We’ll discuss the speed of “real world” attacks on WEP

3

Agenda

What’s on your network?

What is WEP?

Theoretical weaknesses of WEP

Types of attacks on WEP

How well do these attacks work in the “real world”?

Countermeasures

4

What’s on your wireless network?

802.11 (Wi-Fi) networks are ubiquitous today

Types of encryption:

– Open (No encryption)

– WEP

– WPA/WPA2

5

So what is WEP?

WEP is Wired Equivalent Privacy

Link-layer encryption

Defined in the IEEE 802.11 standard

“Least common denominator” Wi-Fi encryption

Goals of WEP

– Confidentiality

– Access control

– Data integrity

6

So how does WEP work?

7

First, let’s introduce the players

Message: What you’re encrypting

CRC: To verify the integrity of the message

Plaintext: The message + CRC

Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment

Key: A 40- or 104-bit number which is used to build the keystream

Keystream: What is used to encrypt the plaintext

Ciphertext: What we end up with post-encryption

(Diagram: Message, CRC, IV, Key, Keystream, Ciphertext)

8

WEP encryption step-by-step

Step 1: Compute the CRC for the message

The CRC-32 polynomial is used

(Diagram: Message, CRC)

9

WEP encryption step-by-step

Step 2: Compute the keystream

The IV is concatenated with the key

The RC4 encryption algorithm is run on the 64- or 128-bit concatenation

(Diagram: IV, Key, Keystream)

10

WEP encryption step-by-step

Step 3: Encrypt the plaintext

The plaintext is XORed with the keystream to form the ciphertext

The IV is prepended to the ciphertext

(Diagram: Message + CRC, Keystream, IV + Ciphertext)

11

WEP decryption step-by-step

Step 1: Build the keystream

Extract the IV from the incoming frame

Prepend the IV to the key

Use RC4 to build the keystream

(Diagram: IV + Ciphertext, Key, Keystream)

12

WEP decryption step-by-step

Step 2: Decrypt the plaintext and verify

XOR the keystream with the ciphertext

Verify the extracted message with the CRC

(Diagram: Keystream, Ciphertext, Message + CRC)
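The three encryption steps and two decryption steps above, as an added worked example that is not from the original slides: textbook RC4 seeded with IV || key, a CRC-32 integrity check value, and the IV sent in the clear. The key and IV values are constructed, and the last function shows the consequence of IV reuse that the weakness slides come back to (two frames under one IV leak the XOR of their plaintexts).

```python
import struct
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling, then output generation); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(message: bytes) -> bytes:
    """Step 1: CRC-32 integrity check value, carried little-endian as in 802.11."""
    return struct.pack("<I", zlib.crc32(message))

def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Step 2: RC4(IV || key) keystream; step 3: XOR it with (message, CRC) and prepend the clear IV."""
    assert len(iv) == 3 and len(key) in (5, 13), "24-bit IV, 40- or 104-bit key"
    plaintext = message + icv(message)
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def wep_decrypt(key: bytes, frame: bytes):
    """Read the clear IV, rebuild the keystream, XOR, then verify the ICV (None on failure)."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    message, tag = plaintext[:-4], plaintext[-4:]
    return message if icv(message) == tag else None

def iv_reuse_leak(frame1: bytes, frame2: bytes):
    """Two frames under one IV share a keystream; XORing the ciphertexts cancels it and
    hands an eavesdropper plaintext1 XOR plaintext2 without the key. None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])
```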

13

What are the main weaknesses of WEP?

14

Initialization vector (IV)

It’s carried in plaintext in the “encrypted” message!

It’s only 24 bits!

There are no restrictions on IV reuse!

The IV forms a significant portion of the “seed” for the RC4 algorithm!

15

CRC algorithm

The CRC is a linear function

– First-order polynomial: y = mx + b

– Key property when b is 0: f(x + y) = f(x) + f(y)

The CRC is an unkeyed function

16

RC4 cipher

Some seeds are “weaker” than others

By extension, some IV values are weaker than others

Weak seeds = more easily calculated keystreams

17

Defragmentation

Not necessarily a weakness

Part of 802.11 standard

– Affects WPA and WPA2 encryption as well

18

What are some potential attacks on a WEP network?

19

First, you know more about the plaintext than you think you know

With 802.11, you know the first eight bytes of a packet

Many IP services have packets of fixed lengths

Most WLAN IP addresses follow common conventions

Many IP behaviors have predictable responses

AA AA 03 00 00 00 08 ??

DSAP = AA, SSAP = AA, CTRL = 03, ORG Code = 00 00 00, Ether type = 08 ??

Ether type can be either IP or ARP

20

Message modification

Takes advantage of CRC’s linearity and unkeyed nature.

C is the original ciphertext

c is the CRC-32 function

Δ is the change in the message

Need to know some of the plaintext, but not all!

$C' = C \oplus (\Delta, c(\Delta))$
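The modification formula carried through with real CRC-32, as an added example that is not from the slides: the attacker forms Δ from the few plaintext bytes it knows and never touches the key or keystream, and the HMAC functions show the keyed, non-linear check that rejects the same bit flip. The keystream is a constructed random stand-in for RC4(IV || key); the message, offset and MAC key are constructed too.

```python
import hashlib
import hmac
import os
import struct
import zlib

KEYSTREAM = os.urandom(64)  # constructed stand-in for RC4(IV || key); the attacker never sees it

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))  # the WEP ICV, little-endian CRC-32

def crc_of_delta(delta: bytes) -> bytes:
    """Real CRC-32 is affine: c(x ^ y) = c(x) ^ c(y) ^ c(0..0) for equal lengths,
    so the slide's c(Delta) term must be computed as c(Delta) ^ c(0..0)."""
    return xor(crc(delta), crc(bytes(len(delta))))

def seal(keystream: bytes, message: bytes) -> bytes:
    """WEP-style frame body: (M, c(M)) XOR keystream."""
    return xor(message + crc(message), keystream)

def open_frame(keystream: bytes, ciphertext: bytes):
    plaintext = xor(ciphertext, keystream)
    message, tag = plaintext[:-4], plaintext[-4:]
    return message if crc(message) == tag else None

def modify(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """C' = C ^ (Delta, c(Delta)); only the bytes at `offset` (to form Delta = old ^ new) need be known."""
    delta = bytearray(len(ciphertext) - 4)
    delta[offset:offset + len(new)] = xor(old, new)
    return xor(ciphertext, bytes(delta) + crc_of_delta(bytes(delta)))

def seal_mac(keystream: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Countermeasure shape: a keyed tag (HMAC-SHA256) is neither linear nor unkeyed."""
    return xor(message + hmac.new(mac_key, message, hashlib.sha256).digest(), keystream)

def open_mac(keystream: bytes, mac_key: bytes, ciphertext: bytes):
    plaintext = xor(ciphertext, keystream)
    message, tag = plaintext[:-32], plaintext[-32:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(expected, tag) else None

def flip_survives_mac(keystream: bytes, mac_key: bytes, ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bool:
    """The same Delta applied to an HMAC-protected frame: does the receiver accept it?"""
    delta = bytearray(len(ciphertext) - 32)
    delta[offset:offset + len(new)] = xor(old, new)
    return open_mac(keystream, mac_key, xor(ciphertext, bytes(delta) + bytes(32))) is not None
```

The slide's f(x + y) = f(x) + f(y) holds exactly only for a CRC with zero initial value and no final XOR; standard CRC-32 carries both constants, which is why `crc_of_delta` folds in c(0..0).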

21

Message injection

Takes advantage of CRC’s unkeyed nature and IV reuse.

C is the original ciphertext

P is the original plaintext

RC4(v,k) is the keystream for IV v

M’ is the new message

c is the CRC-32 function

Need to know all of the plaintext

$P \oplus C = RC4(v, k)$

$C'' = (M', c(M')) \oplus RC4(v, k)$

22

Authentication spoofing

Takes advantage of IV reuse

Takes advantage of WEP challenge mechanism for new mobile stations

Access point sends unencrypted 128-bit value

Mobile station returns the same value encrypted

Monitor the exchange and…

– Learn an IV-keystream pair

– Authenticate on the mobile network

$P \oplus C = RC4(v, k)$
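Message injection and authentication spoofing both rest on P ⊕ C = RC4(v, k); this added example (not from the slides) recovers the keystream from one frame with fully known plaintext, reuses it under the same IV for a new message, and answers a fresh challenge the same way. RC4 is replaced by a SHAKE-based stand-in keystream that is likewise a fixed function of (IV, key), the key and frames are constructed, and AccessPoint is a toy model of the challenge exchange.

```python
import hashlib
import os
import struct
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for RC4(v, k): only the property that it is a fixed function of (IV, key) matters here."""
    return hashlib.shake_256(iv + key).digest(n)

def wep_frame(key: bytes, iv: bytes, message: bytes) -> bytes:
    plaintext = message + crc(message)
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))

def wep_open(key: bytes, frame: bytes):
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, keystream(key, iv, len(ciphertext)))
    return plaintext[:-4] if crc(plaintext[:-4]) == plaintext[-4:] else None

def recover_keystream(frame: bytes, known_plaintext: bytes):
    """P XOR C = RC4(v, k): a frame whose whole plaintext is known yields the keystream for its IV."""
    iv, ciphertext = frame[:3], frame[3:]
    return iv, xor(ciphertext, known_plaintext + crc(known_plaintext))

def inject(iv: bytes, ks: bytes, new_message: bytes) -> bytes:
    """C'' = (M', c(M')) XOR RC4(v, k): a frame that verifies under the reused IV, built without the key."""
    plaintext = new_message + crc(new_message)
    if len(plaintext) > len(ks):
        raise ValueError("only as many bytes as the recovered keystream covers")
    return iv + xor(plaintext, ks)

class AccessPoint:
    """Toy shared-key authentication: 128-bit challenge in the clear, answered WEP-encrypted."""
    def __init__(self, key: bytes):
        self.key, self.challenge = key, None
    def issue_challenge(self) -> bytes:
        self.challenge = os.urandom(16)
        return self.challenge
    def verify(self, response: bytes) -> bool:
        return self.challenge is not None and wep_open(self.key, response) == self.challenge

def spoof_auth(ap: AccessPoint, iv: bytes, ks: bytes) -> bool:
    """An eavesdropper holding one IV/keystream pair answers a fresh challenge without the key."""
    return ap.verify(inject(iv, ks, ap.issue_challenge()))
```

The forged frames verify only because the IV, and with it the keystream, repeats; the last assertion in the accompanying check shows the same recovered keystream failing the CRC under a fresh IV, which is the reason IVs must never repeat.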

23

Fragmentation attack

Takes advantage of defragmentation and IV reuse

Takes advantage of knowledge of plaintext of at least first eight bytes of 802.11 data

Each data fragment includes 4 bytes of checksum

An 802.11 frame can be divided into 16 segments

The access point will defragment the frame before forwarding, allowing the transmission of 16 * (known bytes of keystream – 4 bytes) of data

24

Full keystream recovery using fragmentation

Send a 64-byte frame to a broadcast address in 16 segments

Eavesdrop the defragmented 68-byte frame

Send a 1024-byte frame to a broadcast address in 16 segments

Eavesdrop the defragmented 1028-byte frame

Send a 1496-byte frame to a broadcast address in 2 segments

Eavesdrop the defragmented 1500-byte frame
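The sizes on this slide follow from 16 * (known bytes of keystream – 4) with the 1500-byte frame as the cap; this added function (not from the slides) carries that iteration through from the eight known bytes of slide 19 and generalises it to any starting length and segment count.

```python
import math

def keystream_growth(known: int, segments: int = 16, max_frame: int = 1500):
    """Each fragment carries (known - 4) data bytes plus its own 4-byte CRC, so a frame
    sent in `segments` fragments delivers segments * (known - 4) bytes; the access point
    re-sends that as one frame of data + 4 bytes, all of it known plaintext.
    Returns (data bytes sent, fragments used, keystream bytes known afterwards) per round."""
    rounds = []
    while known < max_frame:
        per_fragment = known - 4
        if per_fragment <= 0:
            raise ValueError("need more keystream than the 4 CRC bytes to start")
        data = min(segments * per_fragment, max_frame - 4)  # 1500-byte frame cap from the slide
        rounds.append((data, math.ceil(data / per_fragment), data + 4))
        known = data + 4
    return rounds
```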

25

IP redirection

Takes advantage of defragmentation

Eavesdrop encrypted frame

Build encrypted IP header with the desired destination IP address

Configure the 802.11 headers for segmented transmission

Send frames

Receive unencrypted data at Internet-connected computer

(Diagram: Ciphertext, IP Header; IP Header, Message)

26

So how easy do these techniques make a WEP network to compromise?

27

Answer: Darn easy

Attacks greatly aided by automated tools

Authors of “The Final Nail in WEP’s Coffin” broke a 40-bit key in under 15 minutes and a 104-bit key in under 80 minutes

FBI agents demonstrated it in 3 minutes in 2005

– http://www.informationweek.com/management/compliance/160502612

– “Usually it takes five to ten minutes”

28

Countermeasures

DON’T USE WEP!

Use WPA or WPA2 with a strong key

Change the default settings on your wireless router

Use VPN