advanced wi-fi attacks using commodity hardware › brucon2018-slides.pdf · 2020-01-10 · 3. m....
TRANSCRIPT
![Page 1: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/1.jpg)
Advanced Wi-Fi Attacks Using
Commodity HardwareMathy Vanhoef — @vanhoefm
BruCON, Belgium, 3 October 2018
![Page 2: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/2.jpg)
Background
› Wi-Fi assumes each stations behaves fairly
› With special hardware we don’t have to
Continuous jamming: channel unusable
Selective jamming: block specific packets
2
![Page 3: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/3.jpg)
Background
› Wi-Fi assumes each stations behaves fairly
› With special hardware we don’t have to
Continuous jamming: channel unusable
Selective jamming: block specific packets
3
>$4000
![Page 4: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/4.jpg)
Research: use cheap hardware?
Small 15$ USB sufficient to:
› Testing selfish behavior in practice
› Continuous & selective jamming
› Enables reliable manipulation of encrypted traffic
4
![Page 5: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/5.jpg)
Research: use cheap hardware?
Attacks are cheaper than expected!
› We should be able to detect them.
5
>$4000 ~$20
![Page 6: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/6.jpg)
Selfish Behavior
Impact of selfish behavior?
Implement & Test!
6
![Page 7: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/7.jpg)
Selfish Behavior
Steps taken to transmit a frame:
7
In use
![Page 8: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/8.jpg)
Selfish Behavior
Steps taken to transmit a frame:
1. SIFS: let hardware process the frame
8
In use SIFS
![Page 9: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/9.jpg)
Selfish Behavior
Steps taken to transmit a frame:
1. SIFS: let hardware process the frame
2. AIFSN: depends on priority of the frame
9
In use SIFS AIFSN
![Page 10: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/10.jpg)
Selfish Behavior
Steps taken to transmit a frame:
1. SIFS: let hardware process the frame
2. AIFSN: depends on priority of the frame
3. Random backoff: avoid collisions
10
In use SIFS AIFSN Backoff
![Page 11: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/11.jpg)
Selfish Behavior
Steps taken to transmit a frame:
1. SIFS: let hardware process the frame
2. AIFSN: depends on priority of the frame
3. Random backoff: avoid collisions
4. Send the packet
11
In use SIFS AIFSN Backoff Packet 2
![Page 12: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/12.jpg)
Selfish Behavior
Steps taken to transmit a frame:
Manipulate by modifying Atheros firmware:
› Disable backoff
› Reducing AIFSN
› Reducing SIFS
12
In use SIFS AIFSN Backoff Packet 2
![Page 13: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/13.jpg)
Selfish Behavior
Steps taken to transmit a frame:
Manipulate by modifying Atheros firmware:
› Disable backoff
› Reducing AIFSN
› Reducing SIFS
13
In use SIFS AIFSN Backoff Packet 2
Optimal strategy
From 14 to 37 Mbps
Reduces throughput
![Page 14: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/14.jpg)
How to control radio chip?
Using memory mapped registers
› Disable backoff:
int *GBL_IFS_MISC = (int*)0x10F0;
*GBL_IFS_MISC |= IGNORE_BACKOFF;
› Reset AIFSN and SIFS:
int *AR_DLCL_IFS = (int*)0x1040;
*AR_DLCL_IFS = 0;
14
![Page 15: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/15.jpg)
We can’t we just modify the driver?
15
WiFi Dongle
CPUradio
chip
Main machine
Userspace
Operating
System
Driver
Code runs on CPU of dongle
Firmware control needed
USB
![Page 16: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/16.jpg)
Countermeasures
DOMINO defense
system reliably detects
this selfish behavior [1].
16
![Page 17: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/17.jpg)
Selfish Behavior
What if there are multiple selfish stations?
› In a collision, both frames are lost
17
![Page 18: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/18.jpg)
Selfish Behavior
What if there are multiple selfish stations?
› In a collision, both frames are lost
› Capture effect: in a collision, frame with the best signal and
lowest bitrate is decoded
Similar to FM radioDemo: The Queen station generally
“wins” the collision with other stations.
18
![Page 19: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/19.jpg)
FM Radio Demo
19
![Page 20: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/20.jpg)
Selfish Behavior
Attack can abuse capture effect
› Selfish clients will lower their bitrate to beat other selfish
stations!
› Until this gives no more advantage
To increase throughput, bitrate is lowered!
Other station = background noise
20
![Page 21: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/21.jpg)
Continuous jammer
Want to build a continuous jammer
› Instant transmit: disable carrier sense
› No interruptions: queue infinite #packets
Frames to be transmitted are in a linked list:
21
Frame 1radio
chip …Frame 2
![Page 22: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/22.jpg)
Continuous jammer
Want to build a continuous jammer
› Instant transmit: disable carrier sense
› No interruptions: queue infinite #packets
Frames to be transmitted are in a linked list:
22
Frame 1radio
chip …Frame 2
Infinite list!
![Page 23: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/23.jpg)
Continuous Jammer
Experiments
› Only first packet visible in monitor mode!
› Other devices are silenced.
23
Default antenna gives range of ~80 meters
Amplifier gives rangeof ~120 meters
![Page 25: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/25.jpg)
Rapsberry Pi Supported!
25
![Page 26: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/26.jpg)
Practical Implications
Devices in 2.4 and 5 GHz band?
26
› Home automation
› Industrial control
› Internet of Things
› …
Can all easily be jammed!
![Page 27: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/27.jpg)
Practical Implications
Devices in 2.4 and 5 GHz band?
27
![Page 28: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/28.jpg)
Practical Implications
Devices in 2.4 and 5 GHz band?
28
![Page 29: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/29.jpg)
Not just wild speculation …
29
$45 Chinese jammer to prevent
cars from being locked [4]
GPS jammer to disable anti-theft
tracking devices in stolen cars [5]
Disable mobile phone service after
cutting phone and alarm cables [6]
![Page 30: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/30.jpg)
Selective Jammer
Decides, based on the header,
whether to jam the frame
30
![Page 31: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/31.jpg)
How does it work?
1. Detect and decode header
31
Physical packet
Detect
![Page 32: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/32.jpg)
How does it work?
1. Detect and decode header
2. Abort receiving current frame
32
Physical packet
Detect Init
![Page 33: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/33.jpg)
How does it work?
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
33
Physical packet
Detect Init Jam
![Page 34: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/34.jpg)
How does it work?
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
34
Physical packet
Detect Init Jam
Easy
![Page 35: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/35.jpg)
How does it work?
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
35
Physical packet
Detect Init Jam
Easy
Hard
![Page 36: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/36.jpg)
Detecting frame headers?
Can read header of frames still in the air!
36
RAM
DMA
Internal
CPU
while(recvbuff[0] == 0): pass
radio
chipDecode physical WiFi signal
![Page 37: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/37.jpg)
In practice
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
37
Poll memory until data is being written:
Timeout Detect incoming packet
![Page 38: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/38.jpg)
In practice
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
38
Probe request or beacon?
buff + 10: sender of packet
source : target MAC address
![Page 39: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/39.jpg)
In practice
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
39
Set specific bit in register
![Page 40: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/40.jpg)
In practice
1. Detect and decode header
2. Abort receiving current frame
3. Inject dummy packet
40
TXE: Transmit (TX) enable (E)
Pointer to dummy packet
![Page 41: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/41.jpg)
Selective Jammer: Reliability
Jammed beacons with many devices/positions
How fast can it react?
› Position of first mangled byte?
› 1 Mbps beacon in 2.4 GHz: position 52
› 6 Mbps beacon in 5 GHz: position 88
Context: MAC header is 34 bytes
41
![Page 42: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/42.jpg)
Selective Jammer: Reliability
Jammed beacons with many devices/positions
Conclusion
› 100% reliable jammer not possible
› Medium to large packets can be jammed
› Surprising this is possible with a limited API!
42
![Page 44: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/44.jpg)
Code is online (and got updates)
Virtual Machine:
github.com/vanhoefm/modwifi
44
![Page 45: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/45.jpg)
Using your mobile phone
Schulz & co: jamming using mobile phones [9]
45
Nexus 5
+
=
github.com/seemoo-lab/wisec2017_nexmon_jammer
![Page 46: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/46.jpg)
Impact on higher-layers
46
What if we could
reliably manipulate
encrypted traffic?
We could attack WPA-TKIP
![Page 47: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/47.jpg)
Impact on higher-layers
47
What if we could
reliably manipulate
encrypted traffic?
We could attack WPA-TKIP
We can break WPA2
![Page 48: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/48.jpg)
Breaking WPA2
48
Key Reinstallation Attacks (KRACKs)
› Block & delay handshake frames
› Jammers can block packets!
› Or help with getting a MitM
![Page 49: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/49.jpg)
WPA2 uses a 4-way handshake
Used to connect to any protected Wi-Fi network
49
Negotiates fresh PTK:
pairwise transient keyMutual authentication
![Page 50: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/50.jpg)
Channel 1
50
KRACK Attack
Channel 6
Jam AP on channel 6
victim will use channel 1
![Page 51: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/51.jpg)
51
KRACK Attack
![Page 52: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/52.jpg)
52
KRACK Attack
PTK = Combine(shared secret,
ANonce, SNonce)
![Page 53: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/53.jpg)
53
KRACK Attack
Block Msg4
![Page 54: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/54.jpg)
54
KRACK Attack
Block Msg4
![Page 55: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/55.jpg)
55
KRACK Attack
PTK is installed &
nonce set to zeroBlock Msg4
![Page 56: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/56.jpg)
Block Msg4
56
KRACK Attack
![Page 57: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/57.jpg)
57
KRACK Attack
![Page 58: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/58.jpg)
58
KRACK Attack
![Page 59: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/59.jpg)
59
KRACK Attack
In practice Msg4
is sent encrypted
![Page 60: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/60.jpg)
60
KRACK Attack
![Page 61: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/61.jpg)
61
KRACK Attack
Key reinstallation:
nonce again reset!
![Page 62: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/62.jpg)
62
KRACK Attack
![Page 63: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/63.jpg)
63
KRACK Attack
Encrypted data can
now be exchanged
![Page 64: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/64.jpg)
Quick background: encryption
64
Plaintext data
Nonce reuse implies keystream reuse (in all WPA2 ciphers)
Nonce
MixPTK(session key)
Nonce(packet number)
Packet key
![Page 65: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/65.jpg)
65
KRACK Attack
Next frame reuses
previous nonce!
![Page 66: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/66.jpg)
66
KRACK Attack
Keystream
![Page 67: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/67.jpg)
67
KRACK Attack
Keystream
Decrypted!
![Page 68: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/68.jpg)
Conclusion
› Jamming is cheap
› Selective jamming also possible
› Can even use mobile phone!
› Facilitates KRACK attacks
68
![Page 69: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/69.jpg)
Questions?github.com/vanhoefm/modwifi
Thank you!
![Page 70: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/70.jpg)
References
1. M. Raya, J.-P. Hubaux, and I. Aad. DOMINO: a system to detect greedy behavior in EEE 802.11 hotspots. In MobiSys, 2004.
2. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIACCS, 2013.
3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC, 2014.
4. C. Cox. Hi-tech car thieves hit the streets with £30 jamming devices bought over the internet. In Manchester Evening News, 2014.
5. C. Arthur. Car thieves using GPS 'jammers'. In The Guardian, 2010.
6. J. Weiner. High-tech thieves used phone-jammer in $74k sunglass heist, cops say. In Orlando Sentinel, 2011.
7. P. Dandumont. Don’t trust geolocation! Retrieved 5 October, 2015, from journaldulapin.com/2013/08/26/dont-trust-geolocation/
8. Gollakota et al. They can hear your heartbeats: non-invasive security for implantable medical devices. In SIGCOMM, 2011.
9. Schulz et al. Massive Reactive Smartphone-Based Jamming using Arbitrary Waveforms and Adaptive Power Control. In WiSec, 2017.
10. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In ACM CCS, 2017.
70
![Page 71: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/71.jpg)
Multi-channel MitM also enables other attacks
71
Attacking broadcast TKIP
› Block MIC failures
› Modify encrypted frames
Traffic Analysis
› Capture all encrypted frames
› Block certain encrypted frames
![Page 72: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/72.jpg)
Multi-channel MitM also enables other attacks
72
Exploit implementation bugs
› Block certain handshake messages
› E.g. bugs in 4-way handshake
Specialized attack scenarios
› E.g. modify advertised capabilities
› See [X] for details
![Page 73: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/73.jpg)
1. Attack Wi-Fi Geolocation
Location determined by nearby SSIDs
Geolocation attack [7]
› Inject SSIDs of another location
› Problem: can only spoof locations with more APs
› Solution: selectively jam nearby Aps
Never blindly trust Wi-Fi geolocation!
73
![Page 74: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/74.jpg)
2. Use as a defense system
Use jamming to protect a network
› Selectively jam rouge APs
› Wearable shield to protect medical implants
that constantly sends jamming signal [8]
› … (it’s an active research topic)
74
![Page 75: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/75.jpg)
2. Use as a defense system
Legal aspects are unclear
Blocking personal hotspots:
› Done by Marriott and Smart City Holdings
› Complaint was filled to the FCC
› Settled for fine of $600,000 and $750,000
75
Is blocking malicious or
rogue hotspots legal?
![Page 76: Advanced Wi-Fi Attacks Using Commodity Hardware › brucon2018-slides.pdf · 2020-01-10 · 3. M. Vanhoef and F. Piessens. Advanced Wi-Fi attacks using commodity hardware. In ACSAC,](https://reader034.vdocuments.us/reader034/viewer/2022042315/5f033d167e708231d40838eb/html5/thumbnails/76.jpg)
DOMINO defense system
Also capable of detecting selective jammers
› Assumes MAC header is still valid
› Attacker has low #(corrupted frames)
› Thrown of the network
Unfortunately it’s flawed
› Jammer (corrupted) frames are not authenticated
› We can pretend that a client is jamming others
76