advanced wi fi attacks using
play

Advanced Wi-Fi Attacks Using Commodity Hardware Mathy Vanhoef - PowerPoint PPT Presentation

Mar 06, 2024 •121 likes •885 views

Advanced Wi-Fi Attacks Using Commodity Hardware Mathy Vanhoef @vanhoefm BruCON, Belgium, 3 October 2018 Background Wi-Fi assumes each stations behaves fairly With special hardware we dont have to Continuous jamming: channel

  1. Advanced Wi-Fi Attacks Using Commodity Hardware Mathy Vanhoef — @vanhoefm BruCON, Belgium, 3 October 2018

  2. Background › Wi-Fi assumes each stations behaves fairly › With special hardware we don’t have to  Continuous jamming: channel unusable Selective jamming: block specific packets 2

  3. Background › Wi-Fi assumes each stations behaves fairly >$4000 › With special hardware we don’t have to  Continuous jamming: channel unusable Selective jamming : block specific packets 3

  4. Research: use cheap hardware? Small 15$ USB sufficient to: › Testing selfish behavior in practice › Continuous & selective jamming › Enables reliable manipulation of encrypted traffic 4

  5. Research: use cheap hardware? >$4000 ~$20 Attacks are cheaper than expected! › We should be able to detect them. 5

  6. Selfish Behavior Impact of selfish behavior? Implement & Test! 6

  7. Selfish Behavior Steps taken to transmit a frame: In use 7

  8. Selfish Behavior Steps taken to transmit a frame: In use SIFS 1. SIFS: let hardware process the frame 8

  9. Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of the frame 9

  10. Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of the frame 3. Random backoff: avoid collisions 10

  11. Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 1. SIFS: let hardware process the frame 2. AIFSN: depends on priority of the frame 3. Random backoff: avoid collisions 4. Send the packet 11

  12. Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 Manipulate by modifying Atheros firmware: › Disable backoff › Reducing AIFSN › Reducing SIFS 12

  13. Selfish Behavior Steps taken to transmit a frame: In use SIFS AIFSN Backoff Packet 2 Manipulate by modifying Atheros firmware: › Disable backoff Optimal strategy › Reducing AIFSN From 14 to 37 Mbps › Reducing SIFS Reduces throughput 13

  14. How to control radio chip? Using memory mapped registers › Disable backoff: int *GBL_IFS_MISC = (int*)0x10F0; *GBL_IFS_MISC |= IGNORE_BACKOFF; › Reset AIFSN and SIFS: int *AR_DLCL_IFS = (int*)0x1040; *AR_DLCL_IFS = 0; 14

  15. We can’t we just modify the driver? WiFi Dongle Main machine Userspace radio CPU chip USB Operating System Code runs on CPU of dongle Driver  Firmware control needed 15

  16. Countermeasures DOMINO defense system reliably detects this selfish behavior [1]. 16

  17. Selfish Behavior What if there are multiple selfish stations? › In a collision, both frames are lost 17

  18. Selfish Behavior What if there are multiple selfish stations? › In a collision, both frames are lost › Capture effect : in a collision, frame with the best signal and lowest bitrate is decoded Similar to FM radio Demo: The Queen station generally “wins” the collision with other stations. 18

  19. FM Radio Demo 19

  20. Selfish Behavior Attack can abuse capture effect › Selfish clients will lower their bitrate to beat other selfish stations! › Until this gives no more advantage To increase throughput, bitrate is lowered !  Other station = background noise 20

  21. Continuous jammer Want to build a continuous jammer › Instant transmit: disable carrier sense › No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: … radio Frame 1 Frame 2 chip 21

  22. Continuous jammer Want to build a continuous jammer › Instant transmit: disable carrier sense › No interruptions: queue infinite #packets Frames to be transmitted are in a linked list: … radio Frame 1 Frame 2 chip Infinite list! 22

  23. Continuous Jammer Experiments › Only first packet visible in monitor mode! › Other devices are silenced . Default antenna gives Amplifier gives range range of ~80 meters of ~120 meters 23

  24. Demo: continuous jammer Demo: continuous jammer 24

  25. Rapsberry Pi Supported! 25

  26. Practical Implications Devices in 2.4 and 5 GHz band? › Home automation › Industrial control › Internet of Things › … Can all easily be jammed! 26

  27. Practical Implications Devices in 2.4 and 5 GHz band? 27

  28. Practical Implications Devices in 2.4 and 5 GHz band? 28

  29. Not just wild speculation … $45 Chinese jammer to prevent cars from being locked [4] GPS jammer to disable anti-theft tracking devices in stolen cars [5] Disable mobile phone service after cutting phone and alarm cables [6] 29

  30. Selective Jammer Decides, based on the header, whether to jam the frame 30

  31. How does it work? 1. Detect and decode header Physical packet Detect 31

  32. How does it work? 1. Detect and decode header 2. Abort receiving current frame Physical packet Detect Init 32

  33. How does it work? 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Physical packet Detect Init Jam 33

  34. How does it work? 1. Detect and decode header 2. Abort receiving current frame Easy 3. Inject dummy packet Physical packet Detect Init Jam 34

  35. How does it work? 1. Detect and decode header Hard 2. Abort receiving current frame Easy 3. Inject dummy packet Physical packet Detect Init Jam 35

  36. Detecting frame headers? radio Internal Decode physical WiFi signal chip CPU DMA RAM while(recvbuff[0] == 0): pass  Can read header of frames still in the air! 36

  37. In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Poll memory until data is being written: Timeout Detect incoming packet 37

  38. In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Probe request or beacon? buff + 10 : sender of packet source : target MAC address 38

  39. In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Set specific bit in register 39

  40. In practice 1. Detect and decode header 2. Abort receiving current frame 3. Inject dummy packet Pointer to dummy packet TXE: Transmit (TX) enable (E) 40

  41. Selective Jammer: Reliability Jammed beacons with many devices/positions How fast can it react? › Position of first mangled byte? › 1 Mbps beacon in 2.4 GHz: position 52 › 6 Mbps beacon in 5 GHz: position 88 Context: MAC header is 34 bytes 41

  42. Selective Jammer: Reliability Jammed beacons with many devices/positions Conclusion › 100% reliable jammer not possible › Medium to large packets can be jammed › Surprising this is possible with a limited API! 42

  43. Demo: selective jammer Demo: jammin ’ beacons 43

  44. Code is online (and got updates) Virtual Machine: github.com/vanhoefm/modwifi 44

  45. Using your mobile phone Schulz & co: jamming using mobile phones [9] + = Nexus 5 github.com/seemoo-lab/wisec2017_nexmon_jammer 45

  46. Impact on higher-layers What if we could reliably manipulate encrypted traffic? We could attack WPA-TKIP 46

  47. Impact on higher-layers What if we could reliably manipulate encrypted traffic? We could attack WPA-TKIP We can break WPA2 47

  48. Breaking WPA2 Key Reinstallation Attacks (KRACKs) › Block & delay handshake frames › Jammers can block packets! › Or help with getting a MitM 48

  49. WPA2 uses a 4-way handshake Used to connect to any protected Wi-Fi network Negotiates fresh PTK: Mutual authentication pairwise transient key 49

  50. KRACK Attack Channel 1 Channel 6 Jam AP on channel 6  victim will use channel 1 50

  51. KRACK Attack 51

  52. KRACK Attack PTK = Combine(shared secret, ANonce, SNonce) 52

  53. KRACK Attack Block Msg4 53

  54. KRACK Attack Block Msg4 54

  55. KRACK Attack PTK is installed & nonce set to zero Block Msg4 55

  56. KRACK Attack Block Msg4 56

  57. KRACK Attack 57

  58. KRACK Attack 58

  59. KRACK Attack In practice Msg4 is sent encrypted 59

  60. KRACK Attack 60

  61. KRACK Attack Key reinstallation: nonce again reset! 61

  62. KRACK Attack 62

  63. KRACK Attack Encrypted data can now be exchanged 63

  64. Quick background: encryption Nonce Plaintext data (packet number) Packet key PTK Mix (session key) Nonce  Nonce reuse implies keystream reuse (in all WPA2 ciphers) 64

  65. KRACK Attack Next frame reuses previous nonce! 65

  66. KRACK Attack Keystream 66

  67. KRACK Attack Keystream Decrypted! 67

  68. Conclusion › Jamming is cheap › Selective jamming also possible › Can even use mobile phone! › Facilitates KRACK attacks 68

  69. Thank you! Questions? github.com/vanhoefm/modwifi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1 Lecture Overview 1. Advanced MATE attacks models tools & techniques 2. Protected code comprehension processes 3. Advanced MATE defenses 4.

1.79k views • 114 slides
Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced Persistent Threats (APT) Cybercriminals, Exploits and Malware Denial of Service attacks (DDoS) Domain name hijacking Corporate

347 views • 13 slides
Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced Security Topics Name: Soteris Constantinou Instructor: Dr. Elias Athanasopoulos Authors: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart

1.65k views • 81 slides
BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S..

1.27k views • 100 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Gkta (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos,

587 views • 26 slides
FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 Mike Landeck Cyber Security

Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 Mike Landeck Cyber Security

Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 Mike Landeck Cyber Security Consultant Agenda 1. USB Attacks 2. QR Code Attacks 3. Advanced Phishing Attacks 4. Malvertising 5. Watering Hole Attacks 6. How Simple Browser

1.32k views • 33 slides
Advanced Systems Security: Attacks on SGX Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security: Attacks on SGX Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Attacks on SGX Trent Jaeger

523 views • 19 slides
Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT Advise Assure 2 Agenda/topics covered Threat overview Advanced User Enumeration and DDoS Trading Turret and Timing Attacks Internal and External User

365 views • 35 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia , Xinshu Dong , Zhenkai Liang , Prateek Saxena ! School of Computing, National University of Singapore ! Advanced Digital

496 views • 28 slides
Distributed Denial of Service Attacks and Coutntermeasures CSE598K/CSE545 - Advanced Network

Distributed Denial of Service Attacks and Coutntermeasures CSE598K/CSE545 - Advanced Network

740 views • 26 slides
BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S.. Leg egacy acy BI BIOS 1. CPU

1.36k views • 101 slides
CS 356: Computer Network Architectures Lecture 6: Multi-access links Chapter 2.5.3, 2.6, 2.7

CS 356: Computer Network Architectures Lecture 6: Multi-access links Chapter 2.5.3, 2.6, 2.7

CS 356: Computer Network Architectures Lecture 6: Multi-access links Chapter 2.5.3, 2.6, 2.7 Xiaowei Yang xwy@cs.duke.edu Overview Reliable transmission Sliding window Concurrent multiple logical channels Multiple access links

626 views • 52 slides
Communications Technology Communications Technology Benjamin Mako Hill :: Hampshire College

Communications Technology Communications Technology Benjamin Mako Hill :: Hampshire College

Communications Technology Communications Technology Benjamin Mako Hill :: Hampshire College :: Div IV & Social Change Activism & Social Change Activism 1. How can social change efforts take advantage of new media? 2. How

446 views • 15 slides
An Intranuclear Cascade Model for Cluster-Induced Reactions Monira J Kobra* and Yusuke Uozumi**

An Intranuclear Cascade Model for Cluster-Induced Reactions Monira J Kobra* and Yusuke Uozumi**

An Intranuclear Cascade Model for Cluster-Induced Reactions Monira J Kobra* and Yusuke Uozumi** *Rajshahi University, Bangladesh **Kyushu University, Japan Joint ICTP/IAEA workshop on nuclear structure and decay data 15-26 October, 2018

549 views • 32 slides
AP0 Target Status and Plans Ralph Ford, Yun He TSD Topical Meeting Jan. 17, 2019 Outline

AP0 Target Status and Plans Ralph Ford, Yun He TSD Topical Meeting Jan. 17, 2019 Outline

AP0 Target Status and Plans Ralph Ford, Yun He TSD Topical Meeting Jan. 17, 2019 Outline AP0 Target Status T18 in AP0 Alcove Modifications to T19 Target Design Fabrication and Assembling Process T19 Rotation Testing on Test

318 views • 9 slides
Categorical and gradient effects of information structure on nuclear prominence in American

Categorical and gradient effects of information structure on nuclear prominence in American

Categorical and gradient effects of information structure on nuclear prominence in American English Eleanor Chodroff, Alaina Arthurs, Priya Kurian, Jonah Pazol, and Jennifer Cole Northwestern University, Department of Linguistics emotion

870 views • 47 slides
[English Co-production Network] [Ziferblat, 28/03/19] [Co-producing Urbanisms] @JamandJustice

[English Co-production Network] [Ziferblat, 28/03/19] [Co-producing Urbanisms] @JamandJustice

[English Co-production Network] [Ziferblat, 28/03/19] [Co-producing Urbanisms] @JamandJustice @UK_RJC jamandjustice-rjc.org realisingjustcities-rjc.org http://www.urbaninstitute.group.shef.ac.uk b.perry@sheffield.ac.uk Jam and Justice:

219 views • 9 slides
p - / p + ratio in asymmetric heavy-ion collisions Natsumi Ikeno (Tottori University) A. Ono

p - / p + ratio in asymmetric heavy-ion collisions Natsumi Ikeno (Tottori University) A. Ono

p - / p + ratio in asymmetric heavy-ion collisions Natsumi Ikeno (Tottori University) A. Ono (Tohoku Univ.), Y. Nara (Akita International Univ.), A. Ohnishi (YITP) Physical Review C 93, 044612 (2016) Nuclear Physics, Compact Stars, and Compact

325 views • 19 slides
Parent Advocacy Summit Legally Authorized to JAM! Parent Advocacy Summit Saturday, February 22,

Parent Advocacy Summit Legally Authorized to JAM! Parent Advocacy Summit Saturday, February 22,

Parent Advocacy Summit Legally Authorized to JAM! Parent Advocacy Summit Saturday, February 22, 2020 9:00am-9:55am Fresno Convention Center, EXPO II To inform, educate, and empower parents to be strong Advocates for Music Education Parent

393 views • 21 slides

More recommend