wireless networks: attack and defence...abstract wireless networks are becoming ubiquitous and can...
TRANSCRIPT
-
Wireless Networks: Attack and Defence
Security in Emergency Communications Networks
By
Stephen Mark Glass MSc, PgDip
PhD thesis submitted to the School of Information and Communication
Technology, Science, Environment, Engineering and Technology Group at Griffith
University in fulfilment of the requirements of the degree of Doctor of Philosophy.
December, 2010
-
ii
-
Abstract
Wireless networks are becoming ubiquitous and can be found in domestic, com-
mercial, industrial, military, and health care applications. One application of
particular interest is that of emergency communications where an Incident Area Network
(IAN) can be rapidly deployed at an incident site. Wireless networks are well suited to such
applications because they can be rapidly established and facilitate the exchange of voice,
video and multimedia content such as detailed maps, building plans and photographs. The
experience of Hurricane Katrina, the Asian Tsunami and Black Saturday demonstrates the
importance of effective communications in saving lives following a catastrophic event.
The security of an emergency communications network is extremely important because
a breach of confidentiality, integrity or availability may result in the loss of human life.
Ensuring security presents a thorny problem because communication in a wireless network
uses a shared medium without the benefit of a physical security perimeter. To address this
problem wireless security protocols use cryptographic techniques to protect the network
but the results have not always been successful. Serious flaws have been discovered in the
design, implementation and operation of widely deployed wireless security protocols and
attacks developed to exploit these flaws.
Our investigation adopts the viewpoint of a hostile adversary to identify and exploit
vulnerabilities that remain in wireless security protocols. Purpose-written software tools
have been created to facilitate the investigation, conduct attacks and assist in the identifi-
cation of the underlying causes of the security flaws. Remedial measures are then proposed,
implemented and evaluated for the most serious threats.
This method is applied to an investigation of the security problems present in both
current Land Mobile Radio (LMR) systems and next-generation wireless mesh networks.
iii
-
Firstly, the analysis of the APCO Project 25 LMR system was undertaken using tools
developed for the purpose. These tools made use of a software-defined radio approach to
provide full access to the wireless data link and allow for traffic to be captured, analysed,
modified and injected. The utility of the software-defined radio (SDR) approach is that
the code can be used to achieve goals which are not possible in commercially-available
protocol analysers. The same code base can be used as the basis for prototyping remedial
measures as well as to provide backward-compatibility for next-generation systems. This
project has grown into a small free software project with a number of volunteers both
professional and amateur and users in several countries including government agencies.
The investigation into APCO Project 25 has uncovered a number of serious security flaws
and, where appropriate, proposed remedial actions. These flaws include:
• A denial of service attack that exploits the anti-theft mechanism that allows a hostile
adversary to completely disable selected mobile radios.
• A flawed authentication and access control mechanism that can be bypassed trivially
by a hostile adversary.
• A number of shortcomings in the design of the cipher system that can compromise
the authenticity, integrity and confidentiality of message traffic.
The underlying cause for the denial of service attack is that the appropriate messages
lack any means of ensuring authenticity and freshness. We propose a modified protocol
that remedies these flaws. In contrast, the authentication and access control mechanism
employs strong cryptography (the AES cipher is used) but is trivially circumvented. The
confidentiality mechanism is vulnerable to key-recovery by brute-force key searches when
using some of the most widely used cipher systems. This is a problem because these ciphers
suffer from small, easily searched, key spaces and allow for key recovery with only modest
computing resources. The use of these ciphers should be deprecated and stronger ciphers
used in their place.
The investigation into next-generation emergency communications networks addresses
Wireless Mesh Networks (WMNs). Particular attention is given to WMNs conforming to
the IEEE 802.11 standard and the draft IEEE 802.11s WMN standard to provide concrete
iv
-
examples of both the security problems and their solutions. To facilitate the investigation
a wireless toolkit was developed that enable attacks to be conducted and also allowed for
the rapid implementation of countermeasures. This toolkit is used in the experimental
validation of denial of service, man-in-the-middle and wormhole attacks. The denial-of-
service vulnerabilities are investigated and several vulnerabilities are discovered in the
MAC layer including problems with the IEEE 802.11 Distributed Coordination Function,
the TKIP cipher and vulnerability to wormhole attacks. We demonstrate than a commonly-
proposed countermeasure to the latter attack which employs a distance-bounding approach
is itself insecure and identify the sufficient conditions for its secure use. In this thesis we
also propose novel protocol modifications that enhances the guarantees provided by the
security protocol to ensure that control frames are authentic and ensure the authenticity of
neighbouring stations. This mechanism enables a node to discover the presence of man-in-
the-middle and wormhole attacks by hostile adversaries with no false positives. We finish
with the proposal for an architecture for wireless intrusion detection and prevention which
addresses the threat posed by man-in-the-middle and wormhole attacks.
v
-
vi
-
Declaration
Ideclare that the work presented in this thesis is, to the best of my knowledge, original.
This work has not previously been submitted for a degree or diploma in any university.
To the best of my knowledge and belief, the thesis contains no material previously published
or written by another person except where due reference is made in the thesis itself.
Stephen Mark Glass
August 30, 2011
vii
-
viii
-
Publications
Parts of this thesis have already been published in a number of international refer-
eed journals and conference proceedings. Published papers are cited appropriately
throughout this thesis and include:
• Stephen Glass and Vallipuram Muthukkumarasamy. Denial of service vulnerabilities
in the IEEE802.11 DCF. In 3rd Australian Computer, Information and Network
Forensics Conference, Mount Lawley, Western Australia, September 2005.
• Stephen Glass and Vallipuram Muthukkumarasamy. A study of the IEEE802.11
cryptographic DoS, attack. In 15th IEEE International Conference on Networks
(ICON-07), pages 59–65. Institution of Electrical and Electronics Engineers, Novem-
ber 2007.
• Stephen Glass and Vallipuram Muthukkumarasamy. Securing multi-hop wireless net-
works against impersonation attacks. In Third International Conference Intelligent
Sensors, Sensor Networks and Information Processing (ISSNIP 2007), Melbourne,
Australia, December 2007. Poster Abstract.
• Stephen Glass, Marius Portmann, and Vallipuram Muthukkumarasamy. Securing
wireless mesh networks. IEEE Internet Computing, 12(4):30–36, July–Aug 2008.
• Stephen Glass, Vallipuram Muthukkumarasamy, and Marius Portmann. Detect-
ing man-in-the-middle and wormhole attacks in wireless mesh networks. In IEEE
23rd International Conference on Advanced Information Networking and Applica-
tions (AINA-09), pages 530–538. Institution of Electrical and Electronics Engineers,
May 2009.
ix
-
• Stephen Glass, Vallipuram Muthukkumarasamy, and Marius Portmann. A software-
defined radio receiver for APCO Project 25 signals. In IWCMC ’09: Proceedings of
the 2009 International Conference on Wireless Communications and Mobile Com-
puting, pages 67–72, New York, NY, USA, June 2009. ACM.
• Stephen Glass, Marius Portmann, and Vallipuram Muthukkumarasamy. The in-
security of time-of-arrival distance-ranging in IEEE 802.11 wireless networks. In
30th IEEE International Conference on Distributed Computing Systems Workshops,
2009. ICDCS 2010, pages 227–223. Institution of Electrical and Electronics Engi-
neers, June 2010.
• Stephen Glass, Marius Portmann, and Vallipuram Muthukkumarasamy. Securing
route and path integrity in multi-hop wireless networks. In Sakib Pathan, editor,
Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, chapter 2.
Auerbach Publications, CRC Press, Taylor & Francis Group, USA, September 2010.
• Stephen Glass, Vallipuram Muthukkumarasamy and Marius Portmann. Delta Leashes:
A Practical Defense Against Wormhole Attacks in Wireless Networks. To be sub-
mitted.
• Stephen Glass, Vallipuram Muthukkumarasamy, Marius Portmann, and Matthew
Robert. Insecurity in public-safety communications: APCO project 25. In 7th
International ICST Conference on Security and Privacy in Communication Networks,
SecureComm 2011, London, United Kingdom, September 2011.
x
-
Acknowledgments
There are many people to whom I would like to express my thanks for their assistance
in the pursuit of the research and preparation of the thesis. Without them this
research would never have been completed. Firstly I would like to thank my beloved
Cheryl who is a constant inspiration and the reason for all that I do. In no small part is
the completion of this thesis is due to her unfaltering love and support. I must also sincerely
thank my supervisor Dr Vallipuram Muthukkumarasamy for his patient mentoring, advice,
encouragement and friendship. It has been a privilege to study under him and a life-
enriching experience. To my associate supervisor Dr Anne Nguyen I extend my thanks
for her encouragement and advice. I would also like to express my deep gratitude to Dr
Marius Portmann and Prof. Jadwiga Indulska for supervising my research at NICTA and
providing new challenges, guidance and support which has proven to be invaluable. Thanks
are also due to my colleagues, friends and family who have either contributed to making the
research experience so fulfilling or provided interesting and happy diversions along the way.
Finally, I would also like to acknowledge the support of both the (ISC)2 consortium and
NICTA for making my PhD research possible and for providing the facilities and resources
that I required to complete this thesis.
xi
-
xii
-
Contents
Abstract iii
Declaration vii
Publications ix
Acknowledgments xi
List of Figures xxiii
List of Tables xxv
1 Introduction 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Significance of the Research . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Research Problem and Hypotheses . . . . . . . . . . . . . . . . . . . . . . . 6
1.4 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5 Outline of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Literature Review 9
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.1 Security in WMNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.2 Trustworthy Wireless Networks . . . . . . . . . . . . . . . . . . . . . 10
2.2 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.1 Signal Jamming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.2 MAC-Layer Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
xiii
-
2.2.3 Identity Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.4 Traffic Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.5 MAC-Layer Misbehaviour . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2.6 Grey and Black Hole Traffic-Forwarding Attacks . . . . . . . . . . . 22
2.2.7 Attack Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.3 Integrity and Authenticity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3.1 Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3.2 Bit-Flipping Attacks Against Encrypted Checksums . . . . . . . . . 25
2.3.3 Message Integrity Codes . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.4.1 Authentication and Access Control Protocols . . . . . . . . . . . . . 28
2.4.2 WEP Shared-Key Authentication . . . . . . . . . . . . . . . . . . . . 29
2.4.3 Ineffective Access Controls . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4.4 IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4.5 Authentication in 802.11s . . . . . . . . . . . . . . . . . . . . . . . . 33
2.4.6 Location-Based Authentication . . . . . . . . . . . . . . . . . . . . . 35
2.5 Path Selection and Routing Integrity . . . . . . . . . . . . . . . . . . . . . . 36
2.5.1 HWMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.5.2 Authenticated Routing . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.5.3 Man-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . 38
2.5.4 Rushing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.5.5 Wormhole Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.5.6 Threats from Compromised Nodes . . . . . . . . . . . . . . . . . . . 39
2.6 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.6.1 IV Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.6.2 Weak Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.6.3 Traffic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.7 Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.7.1 Location-Sensing Using Received Signal Strength . . . . . . . . . . . 45
2.7.2 Location-Sensing Using Two-Way Time-of-Arrival . . . . . . . . . . . 46
xiv
-
2.7.3 Distance-Bounding Protocols . . . . . . . . . . . . . . . . . . . . . . 49
2.7.4 Neighbour Verification . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.7.5 Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.7.6 MAC Layer Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.7.7 Protocols for Detecting Intruders . . . . . . . . . . . . . . . . . . . . 51
2.7.8 Other Detection Techniques . . . . . . . . . . . . . . . . . . . . . . . 53
2.8 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3 Research Method 55
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.2 Research Question . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.3 Hypotheses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.4 Research Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.4.1 Technology Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.4.2 Detailed Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.4.3 Attack Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.4.4 Attack evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.4.5 Countermeasure Prototyping . . . . . . . . . . . . . . . . . . . . . . 60
3.4.6 Countermeasure Evaluation . . . . . . . . . . . . . . . . . . . . . . . 61
3.5 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6 Ethical considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4 Security in APCO Project 25Land Mobile Radio Networks 65
4.1 Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.2.1 APCO Project 25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.2.2 P25 Voice and Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.2.3 Security in P25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.3 Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.3.1 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
xv
-
4.3.2 GNU Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.3.3 P25 Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.3.4 P25 Transmitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.3.5 P25Lib Abstraction Layer . . . . . . . . . . . . . . . . . . . . . . . . 77
4.4 Security Flaws in P25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.4.1 Optional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.4.2 Optional Authentication and Access Control Mechanism . . . . . . . 78
4.4.3 Flawed Authentication and Access Control Mechanism . . . . . . . . 79
4.4.4 Flawed Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.4.5 Weak Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.4.6 No Guarantee of Message Freshness . . . . . . . . . . . . . . . . . . 81
4.4.7 Flawed Message Authenticity and Integrity Mechanism . . . . . . . . 82
4.5 Security Attacks and Defences in P25 . . . . . . . . . . . . . . . . . . . . . . 82
4.5.1 Theft of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.5.2 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.5.3 Key Recovery by Exhaustive Key Search . . . . . . . . . . . . . . . . 87
4.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5 Availability Threats in Wireless Networks 97
5.1 Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.2.1 Carrier-Sense Jamming . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.2.2 Virtual Carrier-Sense Jamming . . . . . . . . . . . . . . . . . . . . . 99
5.3 Experiments: Attacks Against the MAC DCF . . . . . . . . . . . . . . . . . 100
5.3.1 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.3.2 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.4 The TKIP Cryptographic Denial-of-Service Attack . . . . . . . . . . . . . . 107
5.4.1 Cryptographic vulnerability . . . . . . . . . . . . . . . . . . . . . . . 107
5.4.2 Exploiting the vulnerability . . . . . . . . . . . . . . . . . . . . . . . 107
5.4.3 Message modification attack . . . . . . . . . . . . . . . . . . . . . . . 108
xvi
-
5.4.4 Cryptographic DoS attack . . . . . . . . . . . . . . . . . . . . . . . . 110
5.4.5 Equipment and Preparation . . . . . . . . . . . . . . . . . . . . . . . 110
5.4.6 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
5.4.7 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6 Detecting and Preventing Wormhole Attacks in Wireless Mesh Networks121
6.1 Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
6.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
6.3 Secure Wormhole Detection Protocol . . . . . . . . . . . . . . . . . . . . . . 124
6.3.1 Proposed Detection Method . . . . . . . . . . . . . . . . . . . . . . . 124
6.3.2 Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.3.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.3.4 Experimental Method . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.3.5 Analysis of Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
6.4 Distance-Ranging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
6.4.1 Two-Way TOA Distance-Ranging in IEEE 802.11 . . . . . . . . . . . 140
6.4.2 Proposed Distance-Ranging Attack . . . . . . . . . . . . . . . . . . . 141
6.4.3 Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.4.4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
6.4.5 Experimental Method . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.4.6 Analysis of Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.5 Wormhole Detection and Prevention Architecture . . . . . . . . . . . . . . . 153
6.5.1 Delta Leashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
6.5.2 Intrusion Detection Watchdog . . . . . . . . . . . . . . . . . . . . . . 156
6.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
7 Conclusions 163
7.1 Conclusions About Each Research Question . . . . . . . . . . . . . . . . . . 164
7.1.1 Cryptographic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 164
7.1.2 MAC Layer DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 165
7.1.3 Wormhole Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
xvii
-
7.1.4 MAC Layer Frame Authentication . . . . . . . . . . . . . . . . . . . 167
7.1.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.2 Further Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Appendices 170
A Banjax 173
A.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
A.2 Organisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
A.3 Banjax Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
A.4 Detailed Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
A.4.1 The wnic Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
A.4.2 The Standard wnic Implementations . . . . . . . . . . . . . . . . . . 177
A.4.3 buffer and Related Types . . . . . . . . . . . . . . . . . . . . . . . . 178
A.4.4 frame and Other Dissectors . . . . . . . . . . . . . . . . . . . . . . . 180
A.4.5 The frame_editor Interface and Implementations . . . . . . . . . . 181
A.5 Further Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
A.5.1 License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
A.5.2 Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
B Kernel Modifications 183
B.1 Linux Kernel IEEE 802.11 Wireless Architecture . . . . . . . . . . . . . . . 183
B.1.1 FullMAC and SoftMAC Devices . . . . . . . . . . . . . . . . . . . . . 183
B.1.2 MadWiFi-NG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
B.1.3 mac80211 and ath5k . . . . . . . . . . . . . . . . . . . . . . . . . . 184
B.2 Frame Transmission and Reception . . . . . . . . . . . . . . . . . . . . . . . 185
B.2.1 Interrupt Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
B.2.2 Priority Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
B.2.3 Buffers, Descriptors and DMA Transfers . . . . . . . . . . . . . . . . 186
B.3 Kernel Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
B.3.1 Time-stamping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
xviii
-
B.3.2 Software Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 188
Glossary 190
Bibliography 196
xix
-
xx
-
List of Figures
1.1 An IEEE 802.11s wireless mesh network. . . . . . . . . . . . . . . . . . . . . 3
2.1 Signal jamming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2 Monitor receiving from nodes which are hidden to each other . . . . . . . . 21
2.3 IEEE 802.11 encrypted WEP frame . . . . . . . . . . . . . . . . . . . . . . . 25
2.4 Entities involved in 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.5 802.1X session hi-jacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.6 TKIP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.7 Annotated DATA/ACK timing diagram . . . . . . . . . . . . . . . . . . . . 46
3.1 Investigation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.1 P25 System Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.2 P25 Voice Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.3 The USRP Software-Defined Radio with 80–870 MHz VHF/UHF receiver and 400–500 MHz UHF transceiv
4.4 Block diagram for P25 Receiver . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.5 The P25 Receiver graphical user interface . . . . . . . . . . . . . . . . . . . 73
4.6 The P25 Receiver graphical user interface . . . . . . . . . . . . . . . . . . . 74
4.7 Wireshark packet sniffer being used to inspect P25 traffic . . . . . . . . . . 75
4.8 Block diagram for P25 Transmitter . . . . . . . . . . . . . . . . . . . . . . . 76
4.9 Extended Function Command . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.10 ADP Cipher Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.11 Bit Schedule of DES/OFB for LDU1 Voice Codewords 8 and 9 . . . . . . . 92
4.12 Bit Schedule of DES/OFB for LDU2 Voice Codewords 17 and 18 . . . . . . 93
xxi
-
5.1 Use of RTS/CTS to address hidden-terminal scenario . . . . . . . . . . . . . 100
5.2 Infrastructure Test-bed Network . . . . . . . . . . . . . . . . . . . . . . . . 101
5.3 Ad hoc Test-bed Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.4 TKIP Data Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.5 Middleperson attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.6 Mac OSX response to deauthentication attack . . . . . . . . . . . . . . . . . 116
5.7 TKIP countermeasures response to cryptographic DoS attack . . . . . . . . 117
5.8 Harkins countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.1 Effect of wormhole on network topology . . . . . . . . . . . . . . . . . . . . 123
6.2 Timing diagram for message exchange in IEEE 802.11b . . . . . . . . . . . . 125
6.3 Modified send-data procedure . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.4 Modified recv-data procedure . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.5 The suppress-ack? function . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.6 Wormhole detection experiment . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.7 Frequency distribution of suppressed-ACK distance . . . . . . . . . . . . . . 134
6.8 Timing diagram for an example IEEE 802.11 DATA/ACK exchange. . . . . 140
6.9 Distance-Ranging experiment . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.10 Expected and observed SIFS times . . . . . . . . . . . . . . . . . . . . . . . 151
6.11 Modified send-data procedure . . . . . . . . . . . . . . . . . . . . . . . . . 156
6.12 Modified recv-data procedure . . . . . . . . . . . . . . . . . . . . . . . . . 156
6.13 Watchdog Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
6.14 Link state model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
A.1 Banjax packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
A.2 Core banjax classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
A.3 Standard implementations of the wnic interface . . . . . . . . . . . . . . . . 178
A.4 Class diagram for buffer and related types . . . . . . . . . . . . . . . . . . 179
A.5 Class diagram for frame hierarchy . . . . . . . . . . . . . . . . . . . . . . . 180
A.6 Class hierarchy for the frame_editor types . . . . . . . . . . . . . . . . . . 181
B.1 The ieee80211_ops wireless device driver interface . . . . . . . . . . . . . . 185
xxii
-
B.2 ath5k descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
xxiii
-
xxiv
-
List of Tables
4.1 Performance of ADP exhaustive key search . . . . . . . . . . . . . . . . . . 89
4.2 Performance of ADP exhaustive key search . . . . . . . . . . . . . . . . . . 90
5.1 Success of middleperson establishment . . . . . . . . . . . . . . . . . . . . . 114
5.2 July 2006 wireless security survey results . . . . . . . . . . . . . . . . . . . . 120
6.1 Experiment throughput results . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.2 Comparison of ACK strategies . . . . . . . . . . . . . . . . . . . . . . . . . 137
6.3 Timing Calibration Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
6.4 Frequency of Incorrect frame sizes captured by PRISM II . . . . . . . . . . 149
xxv
-
xxvi
-
Chapter 1
Introduction
1.1 Background
In an emergency situation effective communications can make the difference between life
and death. In recent years man-made and natural disasters have exposed the inade-
quacies of existing communications technologies for Public-Safety and Disaster-Recovery
(PSDR) communications. The tragic consequences of Hurricane Katrina in 2005 were exac-
erbated by an almost complete breakdown of the communications infrastructure. Hurricane
Katrina destroyed 2,000 cellular telephony base stations as the result of high winds and
flooding. The surviving base stations were overloaded with traffic and many remained
operational for only a few hours until their reserves of diesel fuel became exhausted. In
situations such as bush-fires, floods, tsunami, earthquakes and extreme weather events it
is to be expected that damage will take place to power and communications infrastructure.
Emergency first-responders bring their own communications equipment to an incident site
precisely because existing infrastructure may be damaged or otherwise unavailable. Hur-
ricane Katrina exposed the inadequacies of this approach because the first-responder or-
ganisations employed a wide variety of incompatible equipment which severely hampered
efforts to coordinate the work of the different organisations. The badly degraded commu-
nications capabilities caused unnecessary delay and confusion and resulted in the loss of
human lives that might otherwise have been prevented [1].
1
-
To ensure that the different emergency first-responders have effective and interoperable
telecommunications equipment the US Department of Homeland Security (DHS) has spon-
sored the SAFECOM programme [2]. This programme defines the requirements for the
communications equipment used by almost 60,000 emergency first-responder organisations
in the US. One aspect of the SAFECOM requirements that cannot be met by existing
PSDR systems is the provision of high-data rate services such as video communication and
rich multimedia content that combines detailed maps, building plans and photographs.
Existing Land Mobile Radio (LMR) systems currently offer only very low data rates that
are incapable of meeting these requirements. To use a concrete example, an APCO Project
25 LMR system usually exchanges data traffic at just 9600 bits/second [3]. This is much
too slow to support anything more than compressed voice and short text messages and is
certainly insufficient for the rapid exchange of detailed photographic or video imagery. The
APCO Project 25 standard has been revised to allow for communication at 473 Kb/s [4]
although this is not yet widely implemented and even this data rate is insufficient for
carrying multiple streams of real-time video traffic.
Wireless Mesh Networks (WMNs) combine the high-bandwidth and performance ex-
pected of conventional infrastructure-based wireless networks with the large service area,
self-organising and self-healing properties of mobile ad hoc networks (MANETs). This com-
bination of properties has led some to suggest the use of WMNs for use as Incident Area
Networks (IANs) [5] which are usually established in response to an emergency situation
when the existing communications infrastructure may have been destroyed or otherwise
disabled. WMNs mitigate the performance, scalability and management problems inherent
in MANETs by the use of a high-speed back-haul network infrastructure. The back-haul
network makes use of dedicated wireless routers to optimise network performance and pro-
vide portals or gateways to the wired Internet and other wireless services. These devices
are usually equipped with multiple radios and additional battery reserves. The multi-hop
routing protocol autonomously discovers routes between network nodes and employs spe-
cialised routing metrics to favour the use of the back-haul network because of the additional
resources of bandwidth and power available there.
2
-
The self-organising nature of hybrid WMNs means that they can be established rapidly
at a disaster site to provide flexible high-bandwidth communications during the critical
period immediately following an incident. This period, known as the “Golden Hour”, is
the time following a major incident during which prompt action will have the highest
probability of saving lives.
Figure 1.1: An IEEE 802.11s wireless mesh network.
A serious problem for the development of WMNs has been a lack of standardisation.
IEEE 802.11 defines both the Medium Access Control (MAC) and physical (PHY) layers
but leaves unspecified the question of routing and many of the details needed to create
a workable multi-hop network. Commercial WMNs have used IEEE 802.11 with propri-
etary extensions to handle such issues as network formation, connection of the wireless
network to the wired infrastructure, performance optimisation and routing. The proposed
IEEE 802.11s standards amendment specifies mandatory solutions to these interoperability
problems and specifically addresses the problem of PSDR communications [6].
3
-
The IEEE 802.11s Mesh Basic Service Set (MBSS) is intended for small to medium-
scale wireless mesh networks with a maximum of between 32–64 nodes. Figure 1.1 shows
an IEEE 802.11s WMN in which network nodes are divided into different types depending
on their functions:
• Mesh STA: The most basic elements of an MBSS, these nodes participate in routing
and forwarding traffic on behalf of their neighbours and are typically mobile nodes.
• Mesh Router: A mesh STA dedicated to routing traffic. These nodes may have several
wireless network interface controllers (WNICs) and additional power reserves. Such
nodes are usually static but may also be affixed to trucks and other mobile equipment.
• Mesh AP: A mesh STA which also provides access point (AP) functionality for
infrastructure-mode 802.11 clients. The mesh AP can route frames between the
infrastructure BSS and the MBSS.
• Mesh Portal: A mesh STA which provides a bridge or gateway to other networks
such as WiMax or UMTS. Mesh portals are important because they often represent
the destination for a significant amount of network traffic.
In this description list we have differentiated between mesh STAs and mesh routers. This
is not a distinction made in the draft standard but it does help to clarify the difference
between client devices and network infrastructure. In a MANET all nodes may be mobile
and there is no network infrastructure or back-haul network. In a WMN the mesh routers
provide a back-haul network to optimise the traffic flow. The large service area presents
many locations from which an adversary may monitor or attack the network. Multi-
hop routing strategies also present new threats through which a hostile adversary can
render much of the network in-operational. To counter this the security protocols used
for infrastructure networks have been adapted to address the WMN environment. A more
thorough overview of the 802.11s architecture and concepts is given by Hiertz et al. [7].
4
-
1.2 Significance of the Research
The security of PSDR networks is of high importance because any compromise of confi-
dentiality, integrity or availability may lead directly to the loss of human life. The security
protocols for existing wireless network technologies can ensure the security for domains such
as commerce and industry but do not place an emphasis on availability which assumes a
much greater prominence in PSDR communications. This represents a class of problems
that MAC-layer security protocols have considered of less importance and, therefore, many
of the security threats to network availability have not been addressed.
The PHY layer communication channels in wireless networks are inherently insecure.
Radio signals do not respect organisational boundaries and maybe intercepted, modified
and jammed by a hostile adversary. Military systems such as TADIL-J/Link 16 make use
of cryptographically-generated hopping sequences to lower the probability of detection and
the probability of interception by a jammer. WMNs maybe thought of as being tolerant to
jamming attacks because they can route traffic around a jammer but there are no provisions
for jamming avoidance at the PHY layer.
At the MAC layer and above there are many opportunities for a successful attack
against the design, implementation and operation of a secure PSDR network. A hostile
adversary can conduct denial-of-service attacks which use less energy, affect more of the
service area than is possible using PHY layer jamming techniques and have a lower prob-
ability of detection. The latter property is essential if the adversary is to evade discovery
and avoid countermeasures by the network operator. The use of security protocols designed
to meet requirements in other domains, or protocols that have received insufficient secu-
rity analysis, means that there exist security flaws which can lead to successful attacks.
Many of those are denial-of-service attacks against availability but some security flaws
are present in the cryptographic protocols themselves. Our investigation addresses these
remaining risks and does so using an iterative, experimental process to uncover the under-
lying causes, identify the constraints on successful attacks and seek to use the experience
of attack implementation to propose effective countermeasures.
5
-
1.3 Research Problem and Hypotheses
The purpose of this study is to answer the following questions:
• What are the security risks present when using wireless networks for public-safety
and disaster recovery?
• Which of the identified security risks pose the most serious threat and what can be
done to mitigate these threats?
The central hypothesis of this project is that the adoption of an adversarial stance and
implementation of attacks under laboratory conditions can help to uncover the conditions
necessary for a successful attack. Knowledge of the security flaws and the constraints
placed on successful attacks allows for stronger defensive measures to be developed. These
may be summarised as follows:
1. Detailed investigation of the design, implementation and operation of a security
protocol can identify security flaws.
2. The legitimacy of the security threats can be substantiated by replicating the attack
under laboratory conditions.
3. Adopting an adversarial mind-set and implementing attacks can expose the incidental
problems faced by an adversary and lead to new, more effective, countermeasures.
1.4 Methodology
An experimental methodology is used which seeks low-level access to message traffic in
order to understand the security flaws which may be present in the protocol. The inves-
tigation adopts a process in which technologies are studied both in theory and practise.
Using low-level traffic analysis tools we investigate the operation of the protocol and iden-
tify possible routes for attack. Attacks are implemented under laboratory conditions and
then countermeasures proposed in the light of experience gained from the attack imple-
mentation.
6
-
1.5 Outline of the Thesis
The following chapters describe the conduct and results of the investigation into the secu-
rity of networks used for PSDR communications. Chapter 2 contains a critical survey of
the relevant threats and countermeasures discussed in the published literature. Chapter
3 presents the research question, the associated hypothesis and describes the proposed re-
search method and related procedures. The subsequent chapters report the results of the
investigation beginning with Chapter 4, which investigates the security problems present
in current generation PSDR networks. Chapter 5 discusses the simple denial-of-service
threats present in the 802.11 wireless MAC protocol itself progressing from highly visible
and energy-consuming attacks to very much lower visibility and more energy-efficient at-
tacks. In Chapter 6 we address the wormhole attack and defences against it — this is one
of the most serious attacks that can be used against WMNs that can deny service to a
large part of the network. Finally, we present a summary of our conclusions and future
directions in Chapter 7.
7
-
8
-
Chapter 2
Literature Review
2.1 Introduction
2.1.1 Security in WMNs
When WMNs are used in PSDR applications there must be robust security protocols
available that ensure secure operation, however, they should not hinder the operation
of legitimate users. The principal goals of the security protocols should be to ensure
the confidentiality, integrity, authenticity of network traffic and preserve the availability
of communications. A more comprehensive set of requirements might also address the
problems of intrusion detection and prevention. In the following sections we consider
the challenges to WMN security at the data-link or MAC layer and the network layer.
Many of these security threats are shared with infrastructure mode networks and other
wireless technologies. It is common for WMNs to make use of extended versions of the
proven security protocols used to protect infrastructure networks. The MAC layer security
protocol is responsible for ensuring that the network carries traffic only for authorised
stations and thus prevents unauthorised stations participating in the network conducting
theft-of-service and other attacks. The following sections describe the properties which are
required of a secure network and the threats and countermeasures which are described in
the literature.
9
-
2.1.2 Trustworthy Wireless Networks
Trustworthy information systems are usually considered in terms of three critical charac-
teristics known as the C-I-A triad. These characteristics describe the goals for information
managed by trustworthy systems and consist of:
Confidentiality Information should be prevented or protected from disclosure to individ-
uals or systems which do not possess the appropriate authorisation.
Integrity Information should be complete and un-corrupted and should only be able to
be changed by those explicitly authorised to do so.
Availability Information should be made available to authorised individuals or systems
when needed and without interference or obstruction.
Although the C-I-A triad is widely used, Parker has made the criticism that it is incomplete
because it omits important characteristics such as accuracy, utility and authenticity [8].
Wireless networks are involved primarily in the transmission of information as opposed
to its processing and storage. Therefore, the fundamental property is availability because
all of the other characteristics depend upon it. In PSDR networks threats to availability
assume a higher priority than is the case in other domains. Integrity and authenticity are
likewise prerequisites for ensuring secure operation. A failure to consider the authenticity
of messages leaves the network exposed to adversaries who modify and spoof message
traffic. During this discussion we explicitly augment the CIA triad to address problems of
authenticity and treat this together with integrity as two fundamental properties of network
messages. The final property of confidentiality ensures that a message can be read only by
its intended recipients. In PSDR applications confidentiality provides a tactical advantage
to emergency responders who may wish to avoid public panic or hostile pre-emption. These
users are likely to revert to communicating in the plain if the use of encryption hampers
effective communications. The following sections review the literature under the headings
of availability, authenticity and integrity, and confidentiality. We then end with a review of
those defences and countermeasures that appear most relevant to the problem of securing
PSDR communications.
10
-
2.2 Availability
Availability, in the context of wireless networks, refers to the survivability of the network
services when denial-of-service attacks are mounted by a hostile party. It also includes the
problem of individual stations cheating to gain more bandwidth and, therefore, reducing
the bandwidth available to other stations. The availability of a wireless network is one of
the most important properties, yet it is also one of the most difficult to ensure. It is a
particular problem in IEEE 802.11 networks where:
“There is no guarantee of availability in 802.11-based networks because denial-
of-service attacks exist in just about every layer of the network stack.” [9]
During the re-engineering process the IEEE 802.11 TGi task group decided that a jam-
ming attack would be very easy to mount but almost impossible to prevent. Given that an
attacker may always resort to a jamming attack the task group opted not address availabil-
ity concerns because an attacker could always fall back to using a signal jamming attack.
IEEE 802.11 WLANs may be subjected to a variety of denial-of-service (DoS) attacks that
include: signal jamming, MAC layer attacks, traffic flooding, man-in-the-middle attacks
and so on. Any of these attacks can be used to disrupt communications but in a WMN
the self-healing property means that in traffic will be routed around the area affected by
the attack or maybe transmitted using a radio channel which is not the subject of a DoS
attack. The decision to ignore DoS threats is short-sighted and means that DoS problems
exist which should have been addressed in the standard. DoS threats remain at every layer
of the protocol stack:
• Physical layer signal jamming.
• Using spoofed MAC layer frames.
• Black hole, grey hole and wormhole attacks against the network routing protocols.
• Application layer traffic-flooding attacks.
Some selected examples of these DoS attacks are discussed below.
11
-
2.2.1 Signal Jamming
The most basic form of DoS attack is when another signal interferes with data transmissions
as shown in Figure 2.1 (reproduced from Codenotti et al. [10]). Such interference can occur
continuously or intermittently and arise from a variety of sources apart from malicious
activity.
Figure 2.1: Signal jamming
Environmental Interference
IEEE 802.11 “b” and “g” networks operate in the ISM band and are susceptible to inter-
ference from other equipment using the same band such as microwave ovens and cordless
telephones. Simulations of interference to IEEE 802.11 networks from Bluetooth equip-
ment suggest that such equipment causes interference which can seriously impact IEEE
802.11 network performance [11, 12]. The 4.9 GHz Public-Safety band is reserved for
PSDR communications and may be used by IEEE 802.11 networks which are employed for
this role. Using a dedicated band means that interference from other users is significantly
reduced.
12
-
Hidden Terminal Interference
In all IEEE 802.11 networks other network nodes can accidentally interfere with transmis-
sions as the result of the hidden terminal problem. The protocol incorporates a Request-To-
Send (RTS)/Clear-To-Send (CTS) mechanism to reduce the incidence of hidden terminal
jamming but experimental observations demonstrate that this is ineffective for all stations
except that with the highest signal strength [13]. This is an unwelcome result because
hidden terminal scenarios are not uncommon in ad hoc networks.
Continuous Collision Jamming
Continuous collision jamming is effective but relatively expensive in energy terms and
increases the probability that the attacker’s location will be discovered. The study of
Karhima et al. considered the effectiveness of continuous jamming signals against IEEE
802.11 “b” and “g” networks [14]. Using both narrow-band and wide-band jamming signals
they report the results of jamming against a simple two station ad hoc wireless network.
The results show that the the encoding and modulation schemes have different character-
istics:
• Direct-Sequence Spread Spectrum (DSSS) signals, as used in IEEE 802.11b, appear
to be resistant to wide-band jamming. DSSS can continue to be work in the presence
of a strong jamming signal by lowering the data rate.
• Orthogonal Frequency Division Multiplexing (OFDM) signals, as used by IEEE
802.11a and 802.11g are resistant to narrow-band jamming whereas it is vulnera-
ble to a complete breakdown in the presence of a wide-band jamming signal.
IEEE 802.11 equipment is usually capable of operating in both DSSS and OFDM modes
and so its possible to minimise interference (whether unintentional or deliberately caused)
by changing the data rate and/or transmission mode. In many commodity WNICs this can
be achieved on frame-by-frame basis and allows for an adaptive defence to simple jamming
strategies.
13
-
Intermittent Collision Jamming
Lin and Noubir studied the problem of intermittent collision jamming [15]. They observe
that an attacker needs to change only one bit to invalidate the frame checksum and cause
that frame to be rejected. This represents a considerable asymmetry in favour of the
attacker because changing just one bit will invalidate an entire transmission of over 10,000
bits. To address this situation they propose the use of error correcting codes and the use of
cryptographic interleaving of these bits within the frame. This would substantially increase
the work effort for an attacker to cause a frame to be rejected. Codenotti et al. studied the
same problem and also proposed the use of error-correcting codes but interleaved according
to a schedule derived from the characteristics of the jammer [10].
Carrier-Sense Jamming
A particularly effective jamming mechanism is that of Wullems et al. [16, 17]. Instead
of using radio frequency signals to collide with and disrupt legitimate transmissions this
attack seeks to exploit a flaw in the MAC protocol. 802.11 networks employ a Carrier-
Sense Multiple Access with Collision Avoidance (CSMA/CA) access method that requires
stations to listen before transmitting. If a signal is heard then the station will back off for a
period of time before repeating the listen-then-transmit procedure. An attacker generating
a continuous carrier signal can cause all stations within reception range to fall silent while
they wait for the signal to end. So far, this has been demonstrated only for IEEE 802.11b
but this is a security flaw in CSMA/CA itself and is, in principle, applicable to a wide
variety of contention-based wireless networks [18]. Wullems et al. suggest a preventative
measure of using dynamically-negotiated spreading sequences for each network but there
are some problems with this proposal:
• Network discovery requires the secret to be known in advance.
• IEEE 802.11 channels are either 25 MHz or 40 MHz wide — which is narrow enough
to be captured as a whole and from which the signal can be recovered.
• The scheme does not generalise to the OFDM encoding mechanism networks which
employ sub-carriers at fixed frequencies and is not frequency agile.
14
-
Military networks, such as TADIL-J/Link 16 [19], make use of a closely-related approach
in which cryptographically generated hopping sequences are used over several hundreds
of MHz of radio spectrum. This approach lowers the probability of detection and the
probability of interception and makes it impossible for an adversary to jam the link unless
they know the hopping sequence. Unfortunately, this approach also suffers from poor
spectrum efficiency and limited communications bandwidth.
Another carrier-sense jamming attack is that of Gummadi et al. who describe how
transmitting a continuous IEEE 802.11 preamble can deny service to a node even when
the signal is 1000 times weaker than the victim’s own signal [20]. Gummadi et al. propose a
channel-hopping defence which has the benefit of being applicable to OFDM and covering
a larger portion of the radio spectrum. Changing channels in response to a DoS attack is
explicitly permitted by the IEEE 802.11-2007 standard and is known as channel agility.
Detection of the carrier-sense jamming attack is a relatively simple matter because
the IEEE 802.11 Clear Channel Assessment (CCA) state can be interrogated directly.
Monitoring of the CCA state will allow for detection of an attack because a continuous
signal will not honour the constraints on the maximum duration for which the channel may
be busy and the mandatory inter-frame spacing during which the channel will be silent.
Once detected appropriate alarms can be raised and countermeasures undertaken.
2.2.2 MAC-Layer Attacks
Bellardo and Savage proposed that the DoS vulnerabilities in IEEE 802.11 could be di-
vided into either media-access control or identity vulnerabilities [21]. Media-access control
vulnerabilities arise out of security flaws in the MAC itself. These flaws enable a virtual
carrier-sense jamming attack in which the network is flooded with RTS or CTS frames to
reserve all of the available bandwidth. In practice Bellardo and Savage did not demonstrate
this attack to work. To address the problem of virtual carrier-sense jamming Wullems et
al. suggest in passing that cryptographic measures to authenticate the RTS/CTS would be
a suitable countermeasure [16]. Unfortunately, these frames are used to coordinate access
by spectrum users who may not have a trust relationship. An alternative is the approach
advocated by both Bellardo and Savage and known as NAV validation which ignores the
15
-
bandwidth reservation if a transmission does not start within the minimum time. This
approach is also advocated as a defence against virtual carrier-sense jamming attacks by
Chen et al. [22] who evaluated this approach using simulation of the attack and identify a
possible countermeasure in the form of NAV validation. NAV validation resets the NAV to
zero if the expected data frame does not commence within the appropriate time following
an RTS/CTS exchange. The NAV validation scheme is intended to significantly increase
the amount of traffic an attacker must generate for this attack to be effective. Unfortu-
nately the proposal is flawed in that listening stations maybe out of radio range of one of
the parties in the exchange and must be silenced by a CTS or DATA for which they may
legitimately never hear the response. The net effect is to require a small increase in the
frequency of injected frames from the adversary.
Zhou et al. discuss the problems posed by MANETs and WSNs where the problems
of MAC layer attacks can be significant [23]. They consider the situation where large
traffic flows can be directed from unauthenticated nodes consuming bandwidth all along
the route between the source and destination. The use of frame-by-frame authentication is
sufficient to defeat such attacks enabling stations to distinguish between frames that must
be forwarded and those that can be safely ignored.
2.2.3 Identity Attacks
Identity vulnerabilities arise because of the implicit trust that IEEE 802.11 networks place
in the source address of transmitted frames. The assumption is that the EUI-48 source
address cannot be spoofed is flawed and enables identity attacks.
Spoofed Management Frames
Management frames are authenticated only by their source address. Bellardo and Savage
described how they were able to spoof management frames by exploiting a race hazard in
the wireless network interface [21]. Modern hardware makes this task easier and less error-
prone. An attacker repeatedly spoofing dis-association and de-authentication frames can
deny service to a specific station. Sending such frames to the broadcast address (although
technically an error) can cause all stations in reception range to become unassociated.
16
-
There are several other management frames that maybe spoofed to the same effect:
• Channel Change actions and Quieten Channel requests. The IEEE 802.11h standards
amendment allows for dynamic frequency selection using management frames which
can be used to conduct a DoS attack as described by Könings et al. [24].
• Beacons identifying the presence of stored frames for equipment in power saving
mode. For equipment in power-saving mode a beacon indicating that there are no
messages can cause a station to miss frames whereas repeatedly advertising stored
traffic can cause the device to continuously poll for traffic — a sleep deprivation
attack [25].
The solution to this problem is simply to require that the management frames are au-
thenticated and Bellardo and Savage were able to demonstrate the effectiveness of this
solution. The recent IEEE 802.11w-2009 standards amendment addresses this problem by
authenticating many management action frames using a cryptographic protocol known as
the Broadcast Integrity Protocol (BIP) [26]. The Assoc and Auth Request management
frames are exchanged before all parties are in possession of the Integrity Group Temporal
Key (IGTK) which is used to establish frame authenticity. These same frames will cause
existing sessions to be torn down and so special measures are taken to avoid this being used
to conduct a DoS attack. On receipt of one of these frame types BIP sends a cryptographic
challenge to the frame’s originator to ensure that the request is authentic. If, and only if,
the originator answers with the correct response will the session be torn down.
The problems of management frame spoofing are not unique to IEEE 802.11. Boom
investigated the DoS vulnerabilities of IEEE 802.16 networks using the known problems
of 802.11 as his starting point [27]. Boom identified the lack of mutual authentication
and the unauthenticated nature of certain management frames as key problems — the
result of the same mistaken assumptions about source address authenticity that are made
by IEEE 802.11. Although IEEE 802.16 has fewer unauthenticated management frames
than the IEEE802.11-2007 standard it does not eliminate them altogether and does not
adequately protect against replay attacks. The result is that Boom describes two new DoS
vulnerabilities that flow from these identity flaws.
17
-
DoS and Authentication
From the above argument it should be apparent that strong frame-by-frame authentication
is a major impediment to certain types of DoS attack. This dramatically reduces the
potential for bogus frames of any type. One area that needs careful design, however, is
the authentication and key agreement mechanism because these processes are necessary
to establish the keys used to validate subsequent traffic. Before session keys have been
exchanged it is necessary to exchange unauthenticated frames and an adversary could
exploit this to conduct a DoS attack that prevents stations from joining the network.
He et al. showed that a DoS vulnerability of this type was present in the original IEEE
802.11 four-way handshake which is executed after authenticating to establish the session
keys [28]. The four-way exchange is shown in Protocol 1 where an authenticator A and
supplicant S exchange nonces in steps 1 and 2 which are necessary to derive the Pairwise
Transient Key (PTK). The derived PTK is used to verify the authenticity of these nonces
in steps 3 and 4. He et al. showed that if an adversary can spoof the first message
then key derivation would fail and showed that repeatedly spoofing frames presents a DoS
vulnerability.
Protocol 1 Original IEEE 802.11 4-Way ,Handshake Protocol1 A→ S : A,ANonce, sn,msg12 S → A : S, SNonce, sn,msg2, [SNonce, sn,msg2]PTK3 A→ S : A,ANonce, sn + 1,msg3, [ANonce, sn + 1,msg3]PTK4 S → A : S, SNonce, sn+ 1,msg4, [sn + 1,msg4]PTK
He et al. also identified three alternative changes to the protocol to counter this threat
and verified these protocols using a model-checking approach. Their preferred remedy is
to have the supplicant compute the PTK twice - once when it receives message 1 and
again when it receives message 3. If the values do not agree then it does not complete
the handshake. This is the approach which has since been incorporated into the IEEE
802.11-2007 standard.
Faria and Cheriton investigated the opportunities for DoS attacks in a pre-standard
version of an IEEE 802.11/802.1X wireless network [29]. They identified the problems in
the differing objectives of these standards and the potential for DoS vulnerabilities. The
18
-
solution proposed by Faria and Cheriton was a pair of new protocols but these have not
met widespread acceptance. The threat of DoS attacks has been explicitly considered in
the new IEEE 802.11s SAE authentication protocol [6]. This protocol requires that the
receiving node to do a considerable amount of work on receipt of a Commit message and
represents a DoS threat. SAE takes special measures to ensure that it does not fall victim
to a DoS attack by repeated Commit requests by limiting the number of requests which can
be outstanding at once. If this limit is exceeded it uses a token-based queuing mechanism
to prevent backlogs and ensure fairness amongst clients.
2.2.4 Traffic Flooding
Traffic flooding is a well-established technique in wired networks for consuming bandwidth.
By flooding the network with traffic, or otherwise causing network congestion, authorised
stations will not be able to make use of the bandwidth. Traffic flooding in wireless LANs
exploits the inherent unfairness present in the MAC layers of many wireless network de-
signs. Contention based access schemes often permit channel capture by stations because:
• Exponential back-off favours stations which have already gained access to the channel.
• Stations that generate the strongest signals will capture the channel despite the
RTS/CTS handshake. Ware et al. experimentally validated this behaviour [30], re-
futing the claims of a number of simulations.
• Stations can cheat at the MAC layer to increase their chance of channel capture.
Gupta et al. demonstrated that in the face of such attacks the approaches used in
wired networks for detection and prevention are ineffective [31]. They propose a fair MAC
as the solution to these problems which has the benefit of also addressing the problem
of misbehaving stations (those not obeying the MAC to obtain more bandwidth). IEEE
802.11-2007 does not provide a fair MAC but does define several Coordination Functions
(CFs) to provide contention-based and contention-free access to the wireless channel. The
contention-based mechanisms use an exponential back-off which favours stations that are
placing the network under heavy load. This inherent unfairness is exploited by traffic-
flooding attacks to deliberately starve other stations of bandwidth.
19
-
Centrally arbitrated media access schemes such as the Point Coordination Function
(PCF) and the Hybrid Coordination Function (HCF) can ensure fairness for contention-
free access in infrastructure networks. In these schemes, a station coordinates access to
the radio channel during the contention-free period ensuring that all stations have access
in accordance with the policy. Early versions of the draft IEEE 802.11s standard proposed
an optional Mesh Deterministic Access (MDA) CF intended to permit congestion-aware,
contention-based and contention-free access for WMNs. This has been removed from later
versions and the threat from resource consumption attacks remains un-addressed.
2.2.5 MAC-Layer Misbehaviour
MAC layer misbehaviour or cheating is a mechanism by which an adversary subverts the
MAC-layer protocol to gain privileged access to the channel. The reason maybe simply
to prioritise traffic or it could be used in conjunction with a traffic-flooding attack. In an
IEEE 802.11 network node could reduce the size of the contention window or the back-off
timers to gain access to the medium earlier than would normally be the case. Kyasanur
and Vaidya studied the problem of misbehaving stations and proposed a mechanism for
detecting such misbehaviour and changes to the MAC to enforce correct behaviour [32].
Although effective in the limited case this scheme assumes that the station is behaving
rationally and is trying to maximise its own bandwidth for other purposes. The scheme
does not stand up to a malicious adversary who is seeking purely to deny or degrade service.
Cheating can also be detected in other ways. Raya et al. propose the DOMINO system
which promiscuously monitors the network and identifies misbehaving stations [33]. This
scheme is proposed for infrastructure networks and so DOMINO is either installed at the
access point or runs on a monitor co-located with the access point. Since all stations
communicate via the access point then any station not obeying the protocol’s minimum
inter-frame spacing is clearly cheating. What is more difficult to spot is a station which
is using a non-standard contention procedure and picking slots early in the contention
window. To make detection easier Raya et al. propose a protocol modification in which
the receiver specifies the back-off times to be used by the sender. If the sender is observed
to send before this time they can the be presumed to be cheating.
20
-
Djahel and Naït-Abdesselam propose a similar scheme for MANETs (and, by extension,
WMNs) that also modifies the protocol to make detection of cheating stations easier [34]. In
a MANET environment there is no centralised monitor and so the receiver and neighbours
are responsible for detection of any misbehaviour on the part of the sender. The scheme
modifies the RTS frame to make detection of cheating possible by other stations and this
allows a receiving station to withhold the CTS from stations which appear to be cheating.
Bansal et al. also try to resolve the problem of detecting misbehaviour but this time
in WMNs using a simple statistical model and employing simple cut-off values to detect
cheaters [35]. Their work is conducted in a real mesh network as opposed to a simulation
and so modification of the MAC protocol is much more difficult but the detection model
is far from satisfactory.
A key problem when detecting misbehaviour between neighbours is not always apparent
in the simulation based studies cited above. This is that a node may monitor neighbours
which are out of radio range of each other as shown in Figure 2.2. In this case neighbour
A may not hear a transmission from neighbour B and could legitimately broadcast during
B’s DIFS period. The use of RTS/CTS cannot eliminate this problem and the monitor
must have some way of knowing which neighbours are actually in range of each other to
disambiguate between cheaters and legitimate stations. This information may be available
directly from the routing protocol or it might be necessary to implement a protocol such as
the Neighbourhood Discovery Protocol (NHDP) [36] to discover the topology of the local
network neighbourhood.
Node A Node BMonitor
Figure 2.2: Monitor receiving from nodes which are hidden to each other
21
-
2.2.6 Grey and Black Hole Traffic-Forwarding Attacks
The routing protocol is responsible for ensuring that messages sent from one node to
another can be delivered across multiple hops and multiple potential routes. Routing in
WMNs and MANETs relies on two distinct operations:
• Route discovery: in which the routing protocol finds routes between nodes.
• Traffic forwarding: in which nodes forward traffic on behalf of their neighbours.
Some protocols, such as OLSR, perform route discovery proactively and continuously main-
tain routes between all network nodes even if they are not needed at that time. Others, such
as AODV and DYMO, adopt a reactive approach and discover routes only when needed.
A serious threat to routing protocols are Grey Hole and Black Hole attacks. These are
created when a node becomes part of a route but it either selectively fails to forward traffic
(grey hole) or forwards no traffic at all (black hole). Grey/black holes must attract traffic
through themselves and so this attack maybe used in conjunction with an attack against
route integrity to improve its chances of participating in the preferred route for network
traffic.
Reputation-Based Defence
A novel approach to detecting misbehaving stations (including routing unfairness, grey and
black holes) are the reputation-based approaches such as the Watchdog/PathRater proto-
col of Marti et al. [37]. Their proposal has two parts, the first promiscuously monitors the
wireless channel to ensure that frames are forwarded as expected. If the onward transmis-
sion of a forwarded data frame is not detected then the Watchdog adjusts the trust value
for that node. The PathRater routing protocol uses the trust information provided by the
Watchdog to pick routes via trustworthy nodes. Unfortunately, the Watchdog/PathRater
approach is of limited applicability in WMNs because of the use of MAC layer security
protocols which use different keys for each link. It is further complicated by multi-channel
operation in which a mesh router forwards a frame using a radio channel that cannot be
heard by all of its neighbours.
22
-
Loss-Tolerant Secure Message Transmission
A robust technique for dealing with the presence of grey and black holes is to make use of
the redundancy present in a multi-hop network to maintain multiple, preferably disjoint,
routes between nodes. Traffic forwarded from the source is first protected by an error-
correction code (ECC) and then divided into fragments which are sent via different routes.
At the receiver the fragments are re-assembled and, even if some fragments are missing, the
original message can be recovered. One protocol that achieves this is the Secure Message
Transmission (SMT) of Papadimitratos and Haas [38]. This scheme demonstrates relatively
low overhead for larger traffic flows and significantly increases network robustness and its
ability to withstand multiple grey/black hole attacks.
2.2.7 Attack Countermeasures
Throughout this section a series of DoS vulnerabilities have been presented and the ap-
propriate solutions described. These have been intended to illustrate the argument that
there is no single threat to and no single mechanism can guarantee availability. Never-
theless, once a DoS attack is detected it is possible to employ countermeasures that apply
to a variety of different attack types. One such approach is to invalidate one or more
of the key variables on which the attack relies by changing the location of the stations
and/or changing the properties of the radio signal being used such as its frequency and/or
encoding [39].
Changing locations as a response to a DoS attack is a potential response in MANETs
where station mobility is to be expected. Rather than guarantee availability during a DoS
attack this response allows for network recovery and, as a by-product, physically locating
the attacker. In WSNs the stations may not be able to be moved but the network can
survive in degraded form as a result of the self-healing property inherent to multi-hop
networks. Wood et al. describe a process of jammed area mapping which allows nodes to
reason about the area under attack as a whole rather than simply as a collection of broken
links [40]. Such a service can be an effective intrusion-detection countermeasure that allows
the network operator to respond once an attack has been detected.
23
-
Channel agility allows for the network to respond to interference (whether deliberate
or not) by changing channels to use spectrum that is less affected by interference. This
is proposed by Gummadi et al. as a defence to carrier-sense jamming attacks [20]. Xu et
al. evaluate these strategies both in simulation and experimentally and find them to be
effective countermeasures [39]. The findings of Karhima et al. [14] discussed earlier suggest
that changing the transmission mode from OFDM to DSSS, or vice versa, and changing
the transmission rate may also prove to be an effective countermeasure to a interference.
2.3 Integrity and Authenticity
Integrity and authenticity are closely related concepts in wireless networking. The error
rates of transmissions in wireless networks are many times greater than is experienced
in wired networks. The potential for interference means that the physical layer cannot
guarantee the integrity of information. Instead, the approach most often adopted is to
detect errors in transmission and cause the sender to re-transmit damaged frames. In this
section we review the mechanisms which are used to ensure integrity and authenticity and
review checksums and message integrity and authentication codes.
2.3.1 Checksums
Checksums can be used to detect unintentional damage to a received frame. IEEE 802.11
networks make use of a CRC32 checksum which is calculated and appended to every
transmitted frame. When the frame is received the station recomputes the checksum and
compares it with the received value. If the two values agree the frame is considered to be
valid. While effective at detecting accidental damage to a frame plaintext checksums are
simply not effective in the presence of a malicious adversary who may intercept, modify and
re-transmit frames with valid checksums. Integrity protection mechanisms should ensure
that frames are rejected whether they have been changed either by accident or malice.
Checksums can be used to protect against intentional damage if they are computed for
the plaintext message and themselves sent in encrypted form. There is, however, a serious
problem when using this approach with stream ciphers.
24
-
2.3.2 Bit-Flipping Attacks Against Encrypted Checksums
The approach taken by the original IEEE 802.11 WEP security protocol was to encrypt
the frame data after the checksum computation, as is shown in figure 2.3 (reproduced from
Borisov et al. [41]). In this example a CRC is computed for the plaintext message and
appended to it prior to encryption. The RC4 stream cipher is initialised from the initial-
isation vector v and the secret key k. This is presumed to ensure message integrity and
authenticity because an adversary cannot modify or inject a frame with a valid checksum
without knowledge of k.
Figure 2.3: IEEE 802.11 encrypted WEP frame
Unfortunately, this assumption is flawed when encryption is performed using a stream
ciphers. A bit-flipping attack exists which allows encrypted frames to be successfully mod-
ified by a malicious party and yet remain undetected by the receiving station. This attack
was first described by Borisov et al. [41] and exploits the mathematical properties of the
CRC checksum function and the use of XOR in stream ciphers. The attack modifies the
ciphertext C into a ciphertext C ′ such that the receiver cannot detect the modification.
The result is that the recovered plaintext M ′ of the message will differ from the original
plaintext M ′ in that bits chosen by the attacker has been changed. Normally such a mod-
ification is trivially detected by the receiver because CRC(M ′) will not be the same as the
CRC of the original message CRC(M) — allowing the receiver to detect that a modifica-
tion has taken place. What allows the bit-flipping attack to succeed is that the adversary
also makes a compensating change to the CRC. When the receiver decrypts the frame and
computes the CRC for the modified message M ′ then it will be equal to CRC(M ′) the
modified CRC recovered from the decrypted ciphertext.
25
-
The procedure for conducting an attack starts with the construction of a bit string ∆
which is the same length as the plaintext message M . For each bit to change in M the
corresponding bit in ∆ is set to 1; for each unchanged bit in M the corresponding bit in
∆ is set to 0. Then CRC(∆) is computed and the modification applied as shown below:
C ′ = Ek(M′‖CRC(M ′))
= Ek(M‖CRC(M)) ⊕ (∆‖CRC(∆))
= C ⊕ (∆‖CRC(∆))
(2.1)
The security flaw results from combining CRC functions and stream ciphers and generalises
to other cipher systems in which CRCs are used to ensure integrity but are protected by
a stream cipher. Given the prevalence of stream ciphers in wireless networking then there
is a need for a stronger guarantee of integrity and authenticity than can be provided by
encrypted checksums.
2.3.3 Message Integrity Codes
Message Integrity Codes (MICs) maybe thought of as keyed cryptographic hashes com-
puted for a message. (Cryptographers usually name such functions Message Authentica-
tion Codes (MACs) but a different meaning for this acronym is already in widespread use
in communications and so we will refer to these codes as MICs.) The advantage to using
MICs is that the integrity and authenticity of a frame can be easily verified on reception,
eliminating message injection and modification attacks, without requiring the existence of
a confidentiality layer.
Michael
The IEEE 802.11-2007 specification specifies a security protocol known as TKIP which
aims to address the key flaws of WEP whilst making use of the same hardware. In order
to address the problems of integrity and authenticity described above TKIP makes use of
a 64-bit MIC function named Michael which is designed to be used on modest hardware
without specific hardware support for cryptography [42].
26
-
Unlike WEP, a Transitional Security Network (TSN) Association using TKIP will en-
crypt all data frames and so the CPU maybe heavily loaded and the Michael function
must meet severe performance constraints. To achieve these goals Michael’s designer Niels
Ferguson implemented a design which makes several compromises (which he colourfully
describes as “sins”) which are identified as:
• Designing a new cryptographic primitive.
• Using a new structure for the primitive.
• Designing a primitive with marginal security.
• Fielding an untested design.
• Relying on other system properties to achieve the security goals.
The last point describes how Michael relies on the same inversion of layers in the Avail-
ability/Integrity and Availability/Confidentiality tower as does WEP. The reasons for this
are not immediately apparent but Wool [43] demonstrated that the Michael function is
inevitable, that is, it is not a one-way function. Given a single plaintext message and its
MIC value it is possible to recover the MIC key and it is for this reason that the MIC
values must be kept secret.
CBC-MAC
The 802.11i amendment also introduced a new cipher system based on the AES cipher.
Unlike TKIP, which was constrained by existing hardware, the new standard was designed
to be secure and use best-practice. The new cipher system is known as AES Counter/CBC-
MAC Protocol (AES/CCMP) where Counter denotes the cipher chaining mode and CBC-
MAC the integrity and authenticity provisions. AES/CBC-MAC is produces a MAC of 128
bits. This MAC has received significant attention from the cryptographic community and
been formally validated [44]. As a result, there is a high degree of confidence in CBC-MAC
as an integrity and authentication mechanism.
27
-
2.4 Authentication
Authentication is the process of asserting and verifying the identity of a station or user. In
wireless networks the authentication and key negotiation processes are usually integrated
so that result of a successful authentication is that the station will possess session keys
that will allow it access to the network.
2.4.1 Authentication and Access Control Protocols
IEEE 802.11 uses the IEEE 802.1X port-based access control mechanism to manage the
authentication exchange and initiate the 4-way handshake used for key establishment. In
this scenario there are three parties: the supplicant which is seeking to be authenticated,
the authenticator to which the association is being established and the Authentication
Server (AS) a trusted third party which is responsible for verifying supplicant identities.
802.1X is very effective in the infrastructure environment but has shortcomings when used
for a WMN. In conventional infrastructure networks a single IEEE 802.1X exchange takes
place between the supplicant station seeking to join the network and the access point which
is the authenticator. When used in a WMN IEEE 802.1X requires that:
• Two complete IEEE 802.1X authentication exchanges to establish mutual authenti-
cation.
• Both stations must implement the supplicant and authenticator state machines as
both roles must be performed.
• Each station has access to the Authentication Server (AS).
• One station must access the AS via the other, as-yet untrusted, station.
This approach is complex, time-consuming and negatively impacts the self-organising prop-
erty of the WMN. There is, therefore, significant interest in alternative authentication pro-
tocols for mesh access. The DWAP protocol [45], for example, is an efficient alternative
that substantially reduces the overhead associated with 802.1X.
28
-
2.4.2 WEP Shared-Key Authentication
The 802.11 WEP security protocol has the unwelcome distinction of implementing two
completely ineffective authentication mechanisms: Open System authentication in which
access is granted to everyone; Shared Key authentication an insecure and flawed challenge-
response authentication protocol. The problems with the shared key authentication proto-
col were identified simultaneously by Borisov et al. [41] and Arbaugh et al. [46] working
independently and resulted in its deprecation by 802.11i. In this scheme a challenge text
Chal is sent from the access point to the station which must encrypt it using a shared
secret K and send it back to the access point.
Resp1 = EK(Chal1) (2.2)
The problem is that a potential intruder need do no more than observe a single authenti-
cation exchange to obtain all the information she needs to successfully authenticate. The
exchange will allow h