Autoimmunity Disorder in Wireless LANs
By
Md Sohail Ahmad, J V R Murthy, Amit Vartak
AirTight Networks
August 9, 2008 DefCon 16
Biological Systems vs. WLAN Systems: Similarities
Biological systems: The purpose of the immune system is to defend against attacks from germs, viruses and foreign bodies.
Wireless LAN systems: The purpose of WLAN system software is to defend against attacks from intruders and hackers.
[Figure: immune system and foreign bodies (biological systems); built-in security software and attacker (wireless LAN systems)]
Autoimmunity Disorder
Biological systems: When the immune system mistakenly attacks and destroys healthy body tissues.
Wireless LAN systems: When the AP mistakenly attacks and destroys legitimate client connections.
[Figure: immune system and foreign bodies (biological systems); built-in security software and attacker (wireless LAN systems)]
What’s Well Known: DoS from an External Source
It is well known that sending spoofed Deauthentication or Disassociation packets can break connections.
[Figure: Client, AP and Attacker. DoS attack launched on CL: connection breaks. DoS attack launched on AP: connection breaks.]
What’s New: Self DoS Triggered by an External Stimulus
There exist malformed packets whose injection can turn an AP into a connection-killing machine.
[Figure: Client, AP and Attacker. The Attacker sends a stimulus; the result is a Self DoS.]
Example of Self DoS (1)
Broadcast Disconnection Notification from AP
[Figure: Client, AP and Attacker]
Result
Stimuli: Broadcast MAC as source, Multicast MAC as source
DLink, Model No DIR-655, Firmware Ver 1.1
Linksys, Model No WRT350N, Firmware Ver 1.0.3.7
Cisco, Model No AIR-AP1232AG-A-K9, Firmware Ver 12.3(8)JEA3
Buffalo, Model No WZR-AG300NH, Firmware Ver 1.48
Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card
Example of Self DoS (2)
Client and AP in Associated State
Stimulus: Req packet with invalid attributes
• Attributes:
  Capabilities
  Basic Rate sets
  Power capabilities element
  Supported channels element
  Invalid IEs
  ….
Disconnection Notification or Response with “Failure” status code
[Figure: Client, AP and Attacker]
Stimulus
Reason Codes: 6, 7, 10, 11, 13, 14, 15, 21, 22
Status Codes: 10, 13, 14, 18, 19, 20, 21, 22, 23, 24, 25, 26, 40, 44, 45, 51
Newly introduced reason code in 802.11w
• 26: Robust management frame policy violation
Result
Stimuli: Broadcast MAC as source, Multicast MAC as source, Reassoc Req, Authentication, Assoc Request
DLink, Model No DIR-655, Firmware Ver 1.1
Linksys, Model No WRT350N, Firmware Ver 1.0.3.7
Cisco, Model No AIR-AP1232AG-A-K9, Firmware Ver 12.3(8)JEA3
Buffalo, Model No WZR-AG300NH, Firmware Ver 1.48
Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card
Is Cisco MFP also vulnerable to Self DoS?
Think of Cisco MFP (802.11w) as the latest and greatest immune system, which is supposed to make WLANs totally attack resistant.
Example: MFP (L)AP
[Figure: MFP Client, MFP AP and Attacker]
Client and AP in Associated state
Stimulus: Assoc Req, from Client to AP
AP has an important decision to make!!! Ignore or Honor Assoc Req Packet?
Assoc Response: Client ignores unsolicited Association Response
Data
Deauthentication: Unprotected “Deauth” ignored by Client
AP and Client in Deadlock
Example: MFP Client
[Figure: MFP Client, MFP AP and Attacker]
Client and AP in Associated state
Stimulus: Assoc Response, from AP to Client, Status Code Failure
Protected Deauthentication, teardown connection
Association dropped at AP
Association dropped at Client
The Key Point
New avenues for launching DoS attacks are possible. The majority of the vulnerabilities reported here are implementation dependent and were found to exist in select open source AP and commercial Access Point software.
Even with MFP (11w) protection, DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!
Demo
Stimulus #1
Input: Class 2 or 3 frame with Source MAC as Broadcast MAC address (FF:FF:FF:FF:FF:FF) and Destination MAC address as AP MAC address
Output: Broadcast Deauthentication generated by AP
Effect: Associated clients which honor Broadcast Deauthentication packet disconnect from AP
Stimulus #2
Input: Class 2 or 3 frame with Source MAC as Multicast MAC address (01:XX:XX:XX:XX:XX) and Destination MAC address as AP MAC address
Output: Multicast Deauthentication generated by AP
Effect: Associated clients honor Multicast Deauthentication packet and disconnect from AP
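A receive-side check that refuses to answer the Stimulus #1 and #2 inputs (and the broadcast-source variant of Stimulus #5), as an added example that is not from the talk or from any vendor's firmware. It assumes raw 802.11 MAC frames without radiotap header or FCS; the function names, MAC addresses and sample frames are constructed for illustration, and the talk does not say how the listed products were fixed.

```python
# Added example: drop frames whose transmitter address is broadcast/multicast
# instead of answering them with a Deauthentication. Sample values are constructed.
MGMT, CTRL, DATA = 0, 1, 2

def transmitter_verdict(frame: bytes, ap_mac: bytes) -> str:
    """Classify a raw 802.11 MAC frame (no radiotap header, no FCS).

    Returns "accept", "drop" (group-addressed transmitter), "skip"
    (control frame or not addressed to this AP) or "malformed".
    """
    if len(frame) < 2:
        return "malformed"
    ftype = (frame[0] >> 2) & 0x3           # frame control, type bits 2-3
    if ftype not in (MGMT, DATA):
        return "skip"                        # control frames are out of scope here
    if len(frame) < 24:                      # FC + duration + 3 addresses + seq ctl
        return "malformed"
    addr1, addr2 = frame[4:10], frame[10:16]
    if addr1 != ap_mac:
        return "skip"
    # I/G bit (lowest bit of the first octet) set means broadcast or multicast.
    # A source/transmitter address must be an individual address, so such a
    # frame is discarded silently rather than triggering a group Deauthentication.
    if addr2[0] & 0x01:
        return "drop"
    return "accept"

def build(fc0: int, flags: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """Assemble a minimal header: frame control, duration, 3 addresses, seq ctl."""
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

AP = bytes.fromhex("020000000001")          # constructed AP MAC
CLIENT = bytes.fromhex("020000000002")      # constructed client MAC (I/G bit clear)
BCAST = bytes.fromhex("ffffffffffff")
MCAST = bytes.fromhex("01005e000001")

SAMPLES = {                                  # constructed frames
    "data from client": build(0x08, 0x01, AP, CLIENT, AP),
    "data, broadcast source": build(0x08, 0x01, AP, BCAST, AP),
    "data, multicast source": build(0x08, 0x01, AP, MCAST, AP),
    "auth, broadcast source": build(0xB0, 0x00, AP, BCAST, AP),
    "ack (control)": bytes([0xD4, 0x00, 0x00, 0x00]) + AP,
    "data for another BSS": build(0x08, 0x01, CLIENT, BCAST, CLIENT),
}

def run_samples() -> dict:
    return {name: transmitter_verdict(f, AP) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:9s} {name}")
```

The same predicate works on a monitor-mode sensor: a "drop" verdict for a frame addressed to a managed AP is a useful alert on its own, since no legitimate station transmits management or data frames from a group address.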
Stimulus #3
Input: Reassociation Request frame with Source MAC address as Client’s MAC address, Destination MAC address as AP MAC address, and current AP MAC as any spoofed non-existent MAC address
Output: Unicast Deauthentication generated by AP
Effect: Associated client honors the Deauthentication packet and disconnects from AP
Stimulus #4
Input: Association Request frame with spoofed Basic Rate Param, Source MAC address as Client MAC address and Destination MAC address as AP MAC address
Output: Unicast Deauthentication generated by AP
Effect: Associated client honors the Deauthentication packet and disconnects from AP
Stimulus #5
Input: 4 MAC address DATA frame with Source MAC as victim’s Client MAC address (or Broadcast MAC) and Destination MAC address as AP MAC address
Output: Deauthentication Frame generated by AP
Effect: Associated client honors the Deauthentication packet and disconnects from AP
Stimulus #6
Input: Association Request frame with spoofed capabilities field, Source MAC address as Client MAC address and Destination MAC address as AP MAC address
Output: Unicast Deauthentication generated by AP
Effect: Associated client honors the Deauthentication packet and disconnects from AP
Stimulus #7
Input: Authentication frame with invalid Authentication Algorithm sent to AP, with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address
Output: Unicast Deauthentication generated by AP
Effect: Associated client honors the Deauthentication packet and disconnects from AP
Stimulus #8
Input: Authentication frame with invalid Authentication Transaction sequence number sent to AP, with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address
Output: Unicast Deauthentication generated by AP
Effect: Associated client honors the Deauthentication packet and disconnects from AP