abusing wi fi beacons and detecting preventing attacks
play

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy - PowerPoint PPT Presentation

Dec 29, 2023 •368 likes •798 views

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and Christina Ppper. With special thanks to various IEEE members. Black Hat Webcast, 17 September 2020. Background: beacons Wi-Fi networks use

  1. Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and Christina Pöpper. With special thanks to various IEEE members. Black Hat Webcast, 17 September 2020.

  2. Background: beacons › Wi-Fi networks use beacons to announce their presence › They are sent every ~100 ms by an Access Point Contains properties of the network: Name of the network Supported bitrates (e.g. 11n or 11ac) Regulatory constraints (e.g. transmission power) ... Problem: beacons can be forged by an adversary! 2

  3. Our contributions Novel attacks Standardized as Defense to prevent abusing beacons outsider forgeries part of 802.11 Defense is being implemented by Linux and might become part of WPA3 3

  4. Taking a step back: Wi-Fi security Focus was protecting data, not beacons: › WEP, WPA1/2: only includes data frame protection › WPA3: includes management frame protection › Operating channel validation: verifies channel info  In all cases beacons remain unprotected 4

  5. Beacons are not protected › WPA version & channel: verified when connecting [WiSec’18] › All other fields can be spoofed by an adversary 5

  6. Novel Attacks 6

  7. Power constraint attacks Beacons contain the maximum allowed transmit power  Adversary can lower transmission power of victim 7

  8. Power constraint attacks Beacons contain the maximum allowed transmit power Experiments: › iPad, MacBook, and Linux : lowers transmit power of device › All other test devices not affected (unknown why) 8

  9. Power constraint attacks Beacons contain the maximum allowed transmit power Vendor-specific power element of Cisco: › Can also be exploited to lower transmit power of device › Linux: can be abused to forcibly disconnect a victim Normally we cannot set negative transmission limits But with the Cisco power element we can 9

  10. Power constraint attacks DEMO! 10

  11. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 11

  12. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 12

  13. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 13

  14. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 14

  15. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 15

  16. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 › Beacon contains the duration of these waiting periods: 16

  17. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 › Spoofing this info causes clients to delay transmissions : In use SIFS AIFSN Backoff (CW) Pac › If another device transmits in the meantime, the victim restarts the waiting process & possibly never transmits 17

  18. Lowering a victim’s bandwidth: experiments Linux is affected with any network card we tested Apple devices are affected (Macbook Pro, iPhone, iPad) Windows is affected depending on network card (e.g. Alfa and TP-Link cards are affected but not Intel ones) Android is affected depending on the device: Nexus 5X was affected, but not our old Samsung i9305 18

  19. Targeted unfairness DEMO! 19

  20. MitM Attack Channel 1 20

  21. MitM Attack Channel 1 Spoof beacons on channel 6 Channel 1 Channel 6 › Adversary forwards frames between both channels 21

  22. MitM Attack Channel 1 Spoof beacons Spoof beacons with on channel 6 CSAs on channel 1 Channel 1 Channel 6 › Adversary forwards frames between both channels › This MitM makes other attacks easier (e.g. KRACK) 22

  23. Other attacks & findings Partial machine-in-the-middle attack › Bypasses channel operating validation in Linux Battery depletion attacks › Spoof beacons to make clients stay awake Send beacon as unicast frames to target specific clients › Worked against all tested devices 23

  24. Practical attack considerations Beacons are by default broadcasted to all clients › This means we attack all clients simultaneously We can also send them as unicast frames to a specific victim: 24

  25. Our Defense 25

  26. Design goals Focus on practicality & simplicity to encourage adoption › Cryptographic operations must be efficient › Bandwidth overhead must be low Beacons are sent at low bitrate and consume significant airtime Straightforward to implement › Ideally reuse existing crypto primitives of Wi-Fi 26

  27. Design approach To achieve our goals, we rely on symmetric encryption › Reuse crypto primitives of management frame protection We defend against outsider attacks › Adversary doesn’t possess network credentials › Similar to protection of broadcast Wi-Fi traffic 27

  28. Beacon protection: new element We add a new type-length-value element to beacons: Element ID Length Key ID Nonce MIC › Clients that do not recognize this element will ignore it › Nonce: incremental number to prevent replay attacks › Message Integrity Check: CMAC or GMAC over the beacon Existing crypto primitive of management frame protection All WPA3-capable devices already support it 28

  29. Key management Key used to generate/verify the authenticity tag? › AP generates a fresh beacon protection key when booting › AP always sends the beacon key when a client connects Older clients will ignore this key New clients will enable beacon protection  Adversary can’t manipulate handshake that transports the beacon key, preventing downgrade attacks . 29

  30. Pre-authentication behavior Periodic beacons Client cannot verify beacon before connecting (no key!) 30

  31. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it 31

  32. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it Connect to network and receive beacon protection key Verify authenticity reference beacon (disconnect if invalid) 32

  33. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it Connect to network and receive beacon protection key Verify authenticity reference beacon (disconnect if invalid) Send data 33

  34. Reporting forged beacons › Clients can report forged beacons to the AP › Can now detect far away rouge APs Out of range 34

  35. Reporting forged beacons › Clients can report forged beacons to the AP › Can now detect far away rouge APs Out of range 1. Detect forged beacon 35

  36. Reporting forged beacons › Clients can report forged beacons to the AP › Can now detect far away rouge APs Out of range 2. Report 1. Detect forged rogue AP beacon 36

  37. Practical Results 37

  38. Specification › Collaborated with industry to standardize our defense (Intel, Broadcom, Qualcomm and Huawei) › Since March 2019 part of the (draft) IEEE 802.11 standard : 38

  39. Specification › Collaborated with industry to standardize our defense (Intel, Broadcom, Qualcomm and Huawei) › Since March 2019 part of the (draft) IEEE 802.11 standard : Might become part of WPA3 specification?  Source: https://www.wi-fi.org/security-development (July 2020) 39

  40. Specification › Collaborated with industry to standardize our defense (Intel, Broadcom, Qualcomm and Huawei) › Since March 2019 part of the (draft) IEEE 802.11 standard : Special thanks to: › Nehru Bhandaru and Thomas Derham ( Broadcom ) › Emily Qi and Ido Ouzueli ( Intel ) › Jouni Malinen and Menzo Wentink (Qualcomm) › Yunsong Yang (Huawei) 40

  41. Implementation Now being implemented by Linux: › Kernel: generate and verify authentication tags › Hostap: manages keys and enables beacon protection DEMO! 41

  42. Conclusion › Prevent outsiders from forging beacons › Our focus on practicality paid off: Defense is now part of the 802.11 standard Being implemented by Linux Might become part of WPA3? 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preventing and detecting network attacks Harald Vranken 1 About me Open University &

Preventing and detecting network attacks Harald Vranken 1 About me Open University &

Advanced Network Security (2019-2020) Preventing and detecting network attacks Harald Vranken 1 About me Open University & Radboud University Office: Mercator I, room 2.16 (Friday) Email: harald.vranken@ou.nl Skype: harald.vranken

1.11k views • 62 slides
Detecting Sybil Attacks using Proofs of Work and Location for Vehicular AdHoc Networks (VANETS)

Detecting Sybil Attacks using Proofs of Work and Location for Vehicular AdHoc Networks (VANETS)

Master Defense Detecting Sybil Attacks using Proofs of Work and Location for Vehicular AdHoc Networks (VANETS) Presented by: Niclas Bewermeier Electrical and Computer December 14, 2018 Engineering Detecting Sybil Attacks using Proofs of

510 views • 49 slides
Detecting Power Attacks on Reconfigurable Hardware Adrien Le Masle Wayne Luk Department of

Detecting Power Attacks on Reconfigurable Hardware Adrien Le Masle Wayne Luk Department of

Detecting Power Attacks on Reconfigurable Hardware Adrien Le Masle Wayne Luk Department of Computing Imperial College London, UK 22 nd International Conference on Field Programmable Logic and Applications A. Le Masle and W. Luk Detecting

285 views • 24 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
Invasive Plants to Wildlife Meeting the Challenge: Preventing, Detecting, and Controlling

Invasive Plants to Wildlife Meeting the Challenge: Preventing, Detecting, and Controlling

Direct and Indirect Impacts of Invasive Plants to Wildlife Meeting the Challenge: Preventing, Detecting, and Controlling Invasive Plants Seattle, WA Sept. 16, 2014 Shawna L. Bautista Pesticide Use & Invasive Plant Coordinator US Forest

383 views • 20 slides
ICANN 50 Detecting Distributed DNS Attacks Utilizing Levenshtein String Distances

ICANN 50 Detecting Distributed DNS Attacks Utilizing Levenshtein String Distances

ICANN 50 Detecting Distributed DNS Attacks Utilizing Levenshtein String Distances Nils Clausen, M.Sc. University Lecturer n.clausen@ium.edu.na Detecting Distributed DNS Attacks Utilizing Levenshtein String

328 views • 14 slides
RESEARCH PROJECT PREVENTING MOST COMMON ATTACKS ON CRITICAL INFRASTRUCTURES Wouter Miltenburg

RESEARCH PROJECT PREVENTING MOST COMMON ATTACKS ON CRITICAL INFRASTRUCTURES Wouter Miltenburg

RP#80 RESEARCH PROJECT PREVENTING MOST COMMON ATTACKS ON CRITICAL INFRASTRUCTURES Wouter Miltenburg & Koen Veelenturf University of Amsterdam Students Master System and Network Engineering Supervisors: Jaya Baloo & Oscar Koeroo

314 views • 14 slides
An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin

An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin

An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin Ahmad Jonas, Md. Shohrab Hossain, Risul Islam, Husnu S. Narman , Mohammed Atiquzzaman Outlines Motivation Problem Contributions Results

1.03k views • 25 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

520 views • 48 slides
Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &

Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &

WCIS: A Prototype for Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer & Electrical Engineering & Computer Science California State University, Bakersfield Presentation Outline Web

217 views • 20 slides
Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina Ppper WiSec, 9 July 2020. Background: beacons Wi-Fi networks use beacons to announce their presence They are sent every ~100 ms by an

713 views • 32 slides
Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 , Rui Shao 2 , Yan Chen 3 , Xiang Pan 3 , Shihong Zou 4 , and Ryan Riley 5 1 University of Wisconsin and Pennsylvania State University 2 Zhejiang

490 views • 27 slides
Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

239 views • 21 slides
A Primer on Detecting, Preventing, and Investigating Nonprofit Fraud, Embezzlement, and

A Primer on Detecting, Preventing, and Investigating Nonprofit Fraud, Embezzlement, and

nonprofit alert FEBRUARY 19, 2015 A Primer on Detecting, Preventing, and Investigating Nonprofit Fraud, Embezzlement, and Charitable Diversion Increasing Scrutiny of Nonprofit Fraud, Embezzlement, and Charitable Diversion CALIFORNIA DELAWARE

287 views • 9 slides
Distributed Spectrum Assignment for Home WLANs Julien Herzen (EPFL) Ruben Merz (Swisscom) Patrick

Distributed Spectrum Assignment for Home WLANs Julien Herzen (EPFL) Ruben Merz (Swisscom) Patrick

Distributed Spectrum Assignment for Home WLANs Julien Herzen (EPFL) Ruben Merz (Swisscom) Patrick Thiran (EPFL) April 17th, 2013 1 / 14 Context Interfering neighboring wi-fi home/office networks www.wigle.net Several possible channels

533 views • 24 slides
Modeling Meeting Turns Dan Ellis <dpwe@ee.columbia.edu> LabROSA, Columbia University &

Modeling Meeting Turns Dan Ellis <dpwe@ee.columbia.edu> LabROSA, Columbia University &

Modeling Meeting Turns Dan Ellis <dpwe@ee.columbia.edu> LabROSA, Columbia University & ICSI Meeting turns visualization Turn-pattern segmentation Talkativity modeling m4 meeting - Dan Ellis 2003-01-29 Meeting Turn

395 views • 10 slides
Software with RapidMiner Data Analytics @ Lufthansa Agenda 1 Lufthansa Industry Solutions: Who

Software with RapidMiner Data Analytics @ Lufthansa Agenda 1 Lufthansa Industry Solutions: Who

From Prototype to Operative Software with RapidMiner Data Analytics @ Lufthansa Agenda 1 Lufthansa Industry Solutions: Who We Are 2 Our Daily Challenges 3 FlightPrediction @ Lufthansa 4 Lufthansa Industry Solutions & RapidMiner 2

734 views • 34 slides
Health Diagnosis and Congestion Mitigation of WiFi Networks Mukulika Maity Prof. Bhaskaran Raman

Health Diagnosis and Congestion Mitigation of WiFi Networks Mukulika Maity Prof. Bhaskaran Raman

Health Diagnosis and Congestion Mitigation of WiFi Networks Mukulika Maity Prof. Bhaskaran Raman & Prof. Mythili Vutukuru Mukulika Maity Health Diagnosis and Congestion Mitigation of WiFi Networks Real-life WiFi Deployment AP Microwave

478 views • 5 slides
Highlights from Lecture 7 Yaw Amokra Computing and the OpenMRS David Edelstein

Highlights from Lecture 7 Yaw Amokra Computing and the OpenMRS David Edelstein

Highlights from Lecture 7 Yaw Amokra Computing and the OpenMRS David Edelstein Developing World Village Phone Operators Joyojeet Pal CSEP 590B, Spring 2008 Computers in Schools Lecture 8 Computers and

594 views • 9 slides
G oNo o dle is a fr e e w e bsi t e w i th 1 00 + vid e os t hat get kid s mo v ing ! 1 M ove m

G oNo o dle is a fr e e w e bsi t e w i th 1 00 + vid e os t hat get kid s mo v ing ! 1 M ove m

G oNo o dle is a fr e e w e bsi t e w i th 1 00 + vid e os t hat get kid s mo v ing ! 1 M ove m ent Mat t ers . Research shows fit and active kids outperform less fit kids on tests of math and reading, as well as tasks of memory, attention

340 views • 6 slides
Using Dialogue to Build Understanding and Support for Refugees Fostering Community Engagement and

Using Dialogue to Build Understanding and Support for Refugees Fostering Community Engagement and

Using Dialogue to Build Understanding and Support for Refugees Fostering Community Engagement and Welcoming Communities is supported by the Office of Refugee Resettlement (ORR/ACF/DHHS) Outcomes for Todays Webinar Learn what dialogue is

701 views • 31 slides
Tactical Strategies to Avoid Pitfalls and Optimize Performance 2 Upcoming Webinar: July 9th Join

Tactical Strategies to Avoid Pitfalls and Optimize Performance 2 Upcoming Webinar: July 9th Join

Presenter: Tony DeBono, Chief of Interprofessional Practice Moderated by: Ash Couillard, Moderated by: Ash Couillard Presenter: Jane Hastie, Patient Experience Specialist Topic: Team Dynamics from the Frontline to the C-Suite: Organizational

752 views • 24 slides

More recommend