Attacks on WLAN (home.deib.polimi.it/redondi/WI/WLAN_attacks.pdf)

Wireless Networks

Alessandro Redondi

Disclaimer

• Under the Italian Criminal Code, articles 340, 617, 617 bis:
  – Up to 1 year of jail for interrupting a public service
  – 6 months to 4 years of jail for installing devices used for interrupting or intercepting communications

Classification of Attacks

• Passive
  – Eavesdropping, sniffing
• Active
  – Jamming
  – Packet forgery, frame injection
  – Man in the middle
  – Rogue AP, AP phishing, MAC spoofing
  – Denial of service (AP or STA)
  – Greedy behavior

Denial-of-service (DoS) attacks

• DoS attacks target network availability
• They prevent legitimate users from accessing the network
• 802.11 is particularly vulnerable to such attacks due to the lack of a physical infrastructure
• Attackers exploit the enhanced anonymity of the wireless medium (it is difficult to locate the source of the attack)

802.11 Identity vulnerabilities

• All 802.11 frames contain the sender MAC address in the header
• Encryption methods work only on the payload
• No mechanism exists for verifying the correctness of the self-reported identity!
• Consequently, an attacker may "spoof" (imitate) other nodes and request MAC-layer services on their behalf

Deauthentication attack

• 802.11 management frames allow an explicit deauthentication request (type 0, subtype 0x0c)
• The deauthentication message is not authenticated!
• An attacker may pretend to be the AP or the STA and request deauthentication from the other party
• Deauthentication implies disassociation! It takes some time before the STA associates again

Deauthentication attack (figure slide)

Deauthentication attack

• The deauth attack is very flexible:
  – Deny access to individual clients
  – Rate limit their access
• The attacker needs to monitor the channel and send a deauth only when a new authentication has taken place
• The attacker needs to make sure the target does not switch to another channel

Disassociation attack

• The attack is very similar to deauthentication, but less effective
• Clients may be authenticated with multiple APs but associated with just one
• Deauthentication forces the victim to do more "work" to return to the associated state

Defense for Deauthentication attacks

• The 802.11w MFP (Management Frame Protection) amendment adds WPA2 protection to Deauth and Disassoc frames to make them spoofing-resistant (still not widely supported, but mandatory for 802.11ac certification)
• Simple alternative:
  – Delay the effect of a deauth request by 5-10 seconds
  – If a data packet arrives from the client after the request, discard the request (no legitimate client would do that)
• Problems arise if the STA moves to another AP
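The "delay the deauth" alternative above, as an added example that is not part of the slides: an AP-side association table queues every deauth/disassoc request for a grace window and drops the request if the same client keeps sending data. The Frame structure, the MAC addresses and the timings in the trace are constructed for this example, and the 5 s grace value is taken from the slide's 5-10 s range.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 5.0   # the slide suggests 5-10 s; value chosen for the example


@dataclass
class Frame:
    time: float   # seconds since start of the trace
    src: str      # source MAC as self-reported in the 802.11 header (unverified)
    kind: str     # "deauth", "disassoc" or "data"


@dataclass
class DelayedDeauthAP:
    """AP-side association table with delayed handling of deauth/disassoc."""
    grace: float = GRACE_SECONDS
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # mac -> time the request arrived
    log: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Honor requests whose grace window elapsed with no data from the client.
        for mac, t0 in list(self.pending.items()):
            if now - t0 >= self.grace:
                self.associated.discard(mac)
                del self.pending[mac]
                self.log.append((t0 + self.grace, mac, "deauth honored"))

    def handle(self, f: Frame) -> None:
        self._expire(f.time)
        if f.kind in ("deauth", "disassoc"):
            if f.src in self.associated and f.src not in self.pending:
                self.pending[f.src] = f.time
                self.log.append((f.time, f.src, f"{f.kind} queued"))
        elif f.kind == "data":
            if f.src in self.pending:
                # A client that just asked to leave would not keep sending data,
                # so the queued request is treated as spoofed and discarded.
                del self.pending[f.src]
                self.log.append((f.time, f.src, "deauth discarded as spoofed"))
            # normal data handling would continue here

    def finish(self, now: float) -> None:
        self._expire(now)


def run_scenario() -> DelayedDeauthAP:
    """Constructed trace: one spoofed deauth, one genuine one."""
    ap = DelayedDeauthAP()
    ap.associated.update({"aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"})
    trace = [
        Frame(1.0, "aa:aa:aa:aa:aa:aa", "deauth"),   # forged in aa's name
        Frame(1.5, "aa:aa:aa:aa:aa:aa", "data"),     # the real aa is still talking
        Frame(2.0, "bb:bb:bb:bb:bb:bb", "deauth"),   # genuine: bb is leaving
        Frame(9.0, "cc:cc:cc:cc:cc:cc", "data"),     # unrelated traffic later on
    ]
    for f in trace:
        ap.handle(f)
    ap.finish(10.0)
    return ap


if __name__ == "__main__":
    for entry in run_scenario().log:
        print(entry)
```

In the trace, aa stays associated because its data frame at 1.5 s cancels the queued request, while bb is removed at 7.0 s (2.0 s plus the grace window). The slide's caveat shows up directly in this model: a STA that genuinely roams to another AP remains in this table for a further grace window, which is why 802.11w is preferable where the hardware supports it.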

Power Saving

• The power conservation functions of 802.11 present several vulnerabilities
• PS-Poll attack: the attacker spoofs the victim's AID and polls the access point for any pending traffic while the victim is sleeping. The AP empties the buffer and the victim loses data
• Alternatively (more difficult to implement), an attacker may convince the victim that there is no pending data by spoofing the TIM

PS-Poll Attack (figure slide)

PS attack (2)

• A different attack tricks the AP into believing that the victim is in sleep mode
• The attacker transmits one or more management frames to the AP with a spoofed source MAC address and the PS bit set
• The AP will start buffering data for the STA instead of delivering it
• The STA will ignore the TIM because it never really went to sleep

PS attack (2): figure slide

802.11 MAC Vulnerabilities

• A series of attacks exploit the CSMA/CA and virtual carrier sensing mechanisms
• No spoofing is required
• Since every node must wait at least a SIFS interval, an attacker may monopolize the channel by sending a short signal before the end of every SIFS period
• The method is "expensive": with a SIFS of 20 microseconds, this requires the attacker to transmit 50k packets per second

Virtual Carrier Sensing Attack

• The RTS/CTS frames carry a Duration field that prevents (hidden) nodes from accessing the channel
• An attacker may therefore prevent all stations in RTS/CTS range from accessing the channel
• The RTS attack is cheap and will be propagated by other nodes. The maximum duration is 32 ms, so 30 RTS frames per second will jam access to the channel.

Mitigating NAV attack

• Much harder to defend against in practice than the deauth attack
• One approach to mitigate its effects is to place a limit on the duration values accepted:
  – Low cap: duration of an ACK/CTS frame + backoff. Usable after observing an RTS or any management frame (only an ACK/CTS can legitimately follow)
  – High cap: duration of the largest data frame + backoff. Usable after an ACK or CTS (a data frame can legitimately follow)

Mitigating NAV attack (2)

• Observing the duration field:
  – ACK frame: the reservation is valid only if the data frame is fragmented. If fragmentation is not used, ignore the duration
  – Data frame: similar to the above
  – RTS frame: valid in an RTS-CTS-Data sequence. Respect it until the Data frame should be observed; if the Data frame is not observed, ignore it
  – CTS frame: either bogus, or the observing node is a hidden terminal. Not enough information to decide

Other Attacks

• Autoimmune disorder: non-conforming messages sent to the AP cause the AP to send broadcast deauth messages
• BlockACK attacks in 802.11e: DoS effects of 10 seconds with a single message
• Channel Switch attack: force the STA to move to a channel not used by the AP
• ATIM attack: in ad-hoc mode, forge ATIM frames to force STAs to wake up and deplete their batteries

Attack against Access Points

• In infrastructure mode, the AP is a single point of failure
• Attacking the AP rather than a particular STA causes the entire network to crash
• Observation: any management frame sent by a STA to the AP triggers processing, with consequent consumption of computational/transmission resources

Flooding attacks

• Probe Request Flood (PRF): sending a burst of probe requests with different MAC addresses forces the AP to answer all of them
• Authentication Request Flood (ARF): similar to PRF, but in addition the AP has to allocate memory to keep information about each new (fake) STA
• Association Request Flood (ASRF): even if the STA is not authenticated, some APs will reply with a Disassociation or Deauthentication frame

Flooding attacks: figure slide
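A detector for the three floods above, as an added example that is not part of the slides: it keeps a one-second sliding window per management subtype, counts distinct source MACs in it, and raises one alert when the count crosses a threshold; it also counts association requests from MACs that never authenticated, which is the ASRF case an AP should not answer. The thresholds, the subtype names and the whole management-frame trace are constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0
# Distinct source MACs per window before alerting (assumed values; tune per AP).
THRESHOLDS = {"probe_req": 50, "auth_req": 20, "assoc_req": 20}


class FloodDetector:
    def __init__(self, window=WINDOW_S, thresholds=None):
        self.window = window
        self.thresholds = dict(THRESHOLDS if thresholds is None else thresholds)
        self.recent = defaultdict(deque)   # subtype -> (t, mac) seen within the window
        self.flooding = set()              # subtypes currently above threshold
        self.alerts = []                   # (t, subtype, distinct MACs) at each crossing
        self.authenticated = set()         # MACs that sent an authentication request
        self.unauth_assoc = 0              # association requests from unknown MACs

    def observe(self, t: float, subtype: str, mac: str) -> bool:
        if subtype == "auth_req":
            self.authenticated.add(mac)
        elif subtype == "assoc_req" and mac not in self.authenticated:
            self.unauth_assoc += 1         # ASRF: do not reply, just count
        if subtype not in self.thresholds:
            return False
        q = self.recent[subtype]
        q.append((t, mac))
        while q and t - q[0][0] > self.window:
            q.popleft()
        distinct = len({m for _, m in q})
        over = distinct > self.thresholds[subtype]
        if over and subtype not in self.flooding:
            self.flooding.add(subtype)
            self.alerts.append((t, subtype, distinct))
        elif not over:
            self.flooding.discard(subtype)
        return over


def build_trace():
    """Constructed trace: normal scanning, then a PRF, an ARF and a small ASRF."""
    trace = []
    legit = [f"02:00:00:00:00:{i:02x}" for i in range(5)]
    for i in range(10):                                   # 5 real clients scanning
        trace.append((0.2 * i, "probe_req", legit[i % 5]))
    for i in range(200):                                  # 200 fake MACs in 0.5 s
        trace.append((3.0 + i * 0.0025, "probe_req",
                      f"02:aa:bb:cc:{i >> 8:02x}:{i & 0xff:02x}"))
    for i in range(30):                                   # 30 fake MACs in 0.15 s
        trace.append((4.0 + i * 0.005, "auth_req", f"02:dd:ee:ff:00:{i:02x}"))
    for i in range(5):                                    # association without auth
        trace.append((5.0 + i * 0.01, "assoc_req", f"02:11:22:33:00:{i:02x}"))
    return trace


def run() -> FloodDetector:
    det = FloodDetector()
    for t, subtype, mac in build_trace():
        det.observe(t, subtype, mac)
    return det


if __name__ == "__main__":
    d = run()
    print(d.alerts)
    print("assoc requests from never-authenticated MACs:", d.unauth_assoc)
```

On this trace the probe flood is flagged at 3.125 s (the 51st distinct MAC inside the window) and the authentication flood at 4.1 s; the five association requests never trigger the rate alert but are all counted as unauthenticated. Counting distinct MACs rather than raw frames is what separates a flood from one busy client that retries its probe requests.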

Greedy behavior attacks

• 802.11 works under the assumption that all nodes (STA and AP) follow the rules of the standard
• This should provide fair resources to all users
• However, a STA can deliberately misuse the MAC protocol to gain bandwidth at the expense of other stations

Uplink attack #1

• A station selectively interferes with frames sent by other stations:
  – The attacker observes the RTS frame of the victim and interferes with the CTS frame. The CW of the victim doubles
  – The attacker observes the DATA frame of the victim and interferes with the ACK frame. The CW of the victim doubles
• In both cases, the attacker increases its chance to access the channel

Uplink attack #2

• Manipulating protocol parameters:
  – Transmit after SIFS but before DIFS
  – Increase the duration field
  – Reduce the backoff time by setting a smaller CWmax
• In each case, the attacker increases its chance to access the channel

Downlink attack

• Based on TCP congestion control between the victim and an endpoint S
• Observe that TCP is used as the transport protocol over 802.11 in the majority of cases
• Jamming a TCP ACK from the victim to the AP makes S decrease its sending rate, so that the attacker's bandwidth increases

Detection of greedy attacks

• An AP can detect greedy stations and prevent them from using the WLAN:
  – In uplink attack #1 the attacker will have a lower number of retransmitted frames than the other stations
  – In uplink attack #2 the AP may monitor the idle periods after each ACK and distinguish stations that transmit before a DIFS has elapsed
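Both detection rules above as an added example that is not part of the slides: per-station counters an AP could keep (frames sent, retransmissions, and the idle gap between an ACK on the air and that station's next transmission) are checked for a retransmission rate far below the peer median (uplink attack #1) and for transmissions that start before a DIFS has elapsed (uplink attack #2). The counters, the MAC addresses, the DIFS value and the 0.25 ratio factor are constructed or assumed for the example.

```python
import statistics

SIFS_US = 10
DIFS_US = 50   # DSSS value, assumed for the example

# Constructed per-station counters. "gaps" are idle times (us) between an ACK
# on the air and this station's next transmission; an honest station waits at
# least a DIFS before contending.
STATS = {
    "02:00:00:00:00:01": {"sent": 1000, "retx": 120, "gaps": [55, 70, 110, 52]},
    "02:00:00:00:00:02": {"sent": 950,  "retx": 110, "gaps": [60, 130, 90]},
    # selectively interferes with peers (uplink attack #1): its own frames rarely fail
    "02:00:00:00:00:03": {"sent": 1200, "retx": 8,   "gaps": [60, 90]},
    # waits only a SIFS before transmitting (uplink attack #2)
    "02:00:00:00:00:04": {"sent": 1100, "retx": 115, "gaps": [12, 15, 11]},
}


def retx_ratio(s: dict) -> float:
    return s["retx"] / s["sent"]


def detect_greedy(stats: dict, min_gap_us: int = DIFS_US,
                  ratio_factor: float = 0.25, min_sent: int = 200) -> dict:
    """Return {mac: [reasons]} for stations whose behaviour looks greedy."""
    # Only stations with enough frames give a meaningful retransmission ratio.
    ratios = {m: retx_ratio(s) for m, s in stats.items() if s["sent"] >= min_sent}
    flagged = {}
    for mac, s in stats.items():
        reasons = []
        peers = [r for m, r in ratios.items() if m != mac]
        if mac in ratios and peers:
            baseline = statistics.median(peers)   # median resists a single outlier
            if baseline > 0 and ratios[mac] < ratio_factor * baseline:
                reasons.append("retransmission rate far below peers (uplink attack #1)")
        early = [g for g in s["gaps"] if g < min_gap_us]
        if early:
            reasons.append(f"{len(early)} transmissions before a DIFS elapsed (uplink attack #2)")
        if reasons:
            flagged[mac] = reasons
    return flagged


if __name__ == "__main__":
    for mac, reasons in detect_greedy(STATS).items():
        print(mac, "->", "; ".join(reasons))
```

Station 03 is caught by the first rule only (its gaps are all legitimate) and station 04 by the second rule only, which matches the slide: the two attacks leave different fingerprints and need different counters. The median baseline is used so that one very lucky or very unlucky station does not move the threshold for everyone else.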

Attacks in 802.11s Mesh Networks

• 802.11s does not provide any incentive for stations to cooperate
• Therefore, it is vulnerable to insider attacks in which a mesh point hopes to increase its QoS at the expense of others
• These attacks are known as selfish attacks
• Some of the attacks are similar to greedy attacks (jamming other stations' frames or modifying protocol parameters)

HWMP Selfish attacks

• The attacker mesh point tries to modify path selection and reroute traffic away from itself (less traffic to forward, more capacity for its own traffic)
• This can be achieved by modifying the PREQ before forwarding it (e.g. greatly increasing the hop count or metric) or by dropping PREQ or RANN frames to/from the mesh gateway

HWMP Selfish attacks

• The attacker mesh point tries to modify path selection and reroute traffic away from itself (less traffic to forward, more capacity for its own traffic)
• This can be achieved with Route Diversion, by modifying the PREQ before forwarding it (e.g. greatly increasing the hop count or metric)
• Alternatively, Route Disruption is obtained by dropping PREP or RANN frames to/from the mesh gateway

Route diversion / disruption (figure slide: Route Diversion, Route Disruption)

Tools

• Aircrack-ng: its main goal is to check security by cracking WEP and WPA. Supports frame injection and deauth attacks
• Tools based on Python Scapy (a packet forgery tool for Python):
  – https://github.com/veerendra2/wifi-deauth-attack
  – https://github.com/DanMcInerney/wifijamme
• "Bad guys" repositories:
  – https://github.com/wi-fi-analyzer/wifi-arsenal
  – https://github.com/v1s1t0r1sh3r3/airgeddon

Friendly Jamming

• Novel field of study
• Main idea: a device (the AP) monitors traffic and detects attack frames
• When detecting such frames, the friendly jammer emits interference so that the victim cannot decode the attack frame
• Tool available here: http://netweb.ing.unibs.it/~openfwwf/friendlyjammer/