detection of rogue aps using clock skews does it really
play

Detection of Rogue APs Using Clock Skews: Does it Really Work? - PowerPoint PPT Presentation

Mar 07, 2024 •360 likes •953 views

Detection of Rogue APs Using Clock Skews: Does it Really Work? Sergey Bratus Chrisil Arackaparambil Anna Shubina Dartmouth College This talk in 30 seconds Clock skews are interesting usable for fingerprinting devices (kind of)

  1. Detection of Rogue APs Using Clock Skews: Does it Really Work? Sergey Bratus Chrisil Arackaparambil Anna Shubina Dartmouth College

  2. This talk in 30 seconds ● Clock skews are interesting ● usable for fingerprinting devices (kind of) ● available for the asking or listening (mostly) ● People worked out how to use them ● We can spoof them for 802.11 APs ● How can we detect spoofing?

  3. Clock Skews (NOT to scale!) Physical devices have inherent, tiny but consistent drifts in their hardware clocks Devices' clock readings dev1 dev2 Our clock's time

  4. Clock Skews (NOT to scale!) Different slopes: some clocks are faster clock skew = slope - 1 Devices' clock readings Slope = ∆y/∆x ∆y ∆ x Our clock's time

  5. Drawn to scale: Devices' clocks (adjusted to start at 0) Our clock's time (t - t o )

  6. Measuring skews ● Measurements: (t i , T i ), i = 1, 2, …, n ● t i : local timestamp ● T i : remote timestamp observed ● Clock offsets points: (x i , y i ) ● x i = ∆t i = (t i – t 0 ) ● y i = ∆T i - ∆t i = (T i – T 0 ) – (t i – t 0 )

  7. Use clock-offset points instead: skew = slope ∆T i - ∆t i our clock's time (t - t o )

  8. How to measure skews ● Fit a line y = mx + c to the clock-offset points ● m = clock skew ● Examples ● skew(Linksys1) = 0.00000668 = 6.68 ppm ● skew(Linksys2) = - 0.00000785 = -7.85 ppm ● ppm = parts per million (a millionth, 10 -6 )

  9. Who came up with this ● Kohno, Broido, claffy (2005): ”Remote physical device fingerprinting” Clock skews are useful for remotely fingerprinting networked devices ● different devices have different skews ● these skews are stable enough over time

  10. Remote fingerprinting ● Have timestamps, can fingerprint! ● Layer 3: can use TCP, ICMP timestamps ● ICMP timestamp requests (type 13, code 0) ● TCP timestamp option (option 8 in TCP header) ● ”Do these hosts have the same HW clock?” ● Of possible cloud-mapping interest? ● Statistics to compensate for network latency, variation

  11. Real-world clock skews Kohno, Broido, and Claffy data over 12 hours Skew range, ppm Host #

  12. Clock Skews for 802.11 APs ● Jana, Kasera (2008) ”On fast and accurate detection of unauthorized wireless access points using clock skews” ● Bratus, Cornelius, Peebles, Hansen ”Active 802.11 fingerprinting” @ BH 2008 ● Beacons transmitted by APs periodically (usually 10/sec) ● Beacons contain timestamps! ● Supplied by RF interface chipset clock

  13. $ tshark -r pcapfile -R "wlan.sa==00:1c:10:af:35:b5 && wlan.fc.type_subtype==0x08" -T fields -e wlan_mgt.fixed.timestamp

  14. Why fingerprint? ● Protecting a wireless client from an ”evil-twin AP”: ● Shmoo, 2004–2005 ● Karma (Dino Dai Zovi, ...) ● Johnny Cache, David Maynor @BH 2006 ● ”Month of kernel bugs” in 802.11

  15. Rogue/Fake APs ● It goes something like this...

  16. Rogue/Fake APs ● It goes something like this...

  17. Rogue/Fake APs ● It goes something like this... <may I have a Star Wars theme?>

  18. Rogue/Fake APs ● It goes something like this... STA

  19. Rogue/Fake APs ● It goes something like this... APs STA

  20. Rogue/Fake APs ● It goes something like this... APs STA

  21. Rogue/Fake APs ● It goes something like this... Evil AP STA

  22. Rogue/Fake APs ● It goes something like this... STA ...@#$!!!

  23. Rogue/Fake APs ● It goes something like this... Evil AP STA Too bad

  24. Rogue/Fake APs ● It goes something like this... Evil AP (Beacons with timestamps)

  25. Rogue/Fake APs ● It goes something like this... … back to 802.11 monkey business ...

  26. The TSF Timer ● Wireless nodes maintain a Timing Sync Function (TSF) timer – 64 bit (microsec) ● Clients adjust their timer from beacon TSF timestamps to sync with AP timer ● RF chipset inserts timestamp into beacon at the moment of transmission ● We have a high-precision stream of timestamps to measure clock skews!

  27. Fast & Accurate Detection of Rogue Access Points ● Jana–Kasera results: +/- 0.30 – 0.70 for the same AP

  28. How hard is it to spoof? ● Supposing we want to set up evil fake AP that passes the clock skew test? ● Do we need special equipment? ● Jana–Kasera: pretty hard ● Constructing beacons to match a known skew and injecting them in RF monitor mode gives inconsistent measurements (est. +/- 100 difference) ● SW RF mode injection is not fast enough: latency is one problem

  29. Can we do better? ● Can we spoof clock skews with available 802.11 hardware? ● … like an Atheros card? ● There are some funny things to observe about actual cards+madwifi ...

  30. Monitor Mode Synchronization 1) Even after switching from STA to Monitor mode, card continues to update TSF timer from the AP it used to be associated with 2) Skew of that AP measured by the card is zero 3) BTW, if that AP ceases to transmit beacons, the TSF timer of the card begins to drift with its own, actual skew

  31. Monitor Mode Synchronization ● So an Atheros card continues sync-ing its timer even after leaving association. ● Madwifi gives us ”virtual interfaces” and can bridge (one interface associated with an AP, another in Master mode) ● Can we just get it emit beacons and get AP spoofing for free?

  32. Monitor Mode Synchronization TSF Timer Registers

  33. ”Snakes and ladders” ● Pity it doesn't work :-(

  34. ”Snakes and ladders” ● Pity it doesn't work :-(

  35. Something like this: ● MadWifi: multiple virtual interfaces (VAPs) on same hardware card ● AP VAP and STA VAP ● STA VAP associated with real AP, synchronizing its TSF timer with AP ● AP VAP using same timer to send spoofing beacons

  36. In ath_vap_create(): switch(opmode) { case IEEE80211_M_HOSTAP: if ((sc->sc_nvaps != 0) && \ (ic->ic_opmode == IEEE80211_M_STA)) return NULL; AP VAP needs to be created before case IEEE80211_M_STA: STA VAP if (sc->sc_nvaps != 0) { flags |= IEEE80211_USE_SW_BEACON_TIMERS; sc->sc_nostabeacons = 1; ic_opmode = IEEE80211_M_HOSTAP; /* Run with chip in AP mode */ } else { Run with chip in STA mode ic_opmode = opmode; }

  37. Driver Architecture Station AP ath_pci driver Tx path and Rx path ath_recv_mgt ath_beacon_send .... Hardware Abstraction Layer OS_REG_READ, OS_REG_WRITE Firmware / Hardware Update timer TSF Insert timestamp Insert timestamp from beacon Timer into beacon into beacon timestamp Registers

  38. Driver Architecture ● Timer updating logic is inside firmware ● Driver sets firmware to one operating mode (AP) ● Simulates other modes in software ● TSF timer will not be updated from real AP beacons ● Need to patch driver

  39. Driver Patch /* * Write two regs together. Will use for TSF_L32 and TSF_U32, * the upper and lower half of the TSF */ tsf_dbl_reg_write(struct ath_softc *sc, u_int reg1, u_int32_t val1, u_int reg2, u_int32_t val2) { HAL register write ATH_HAL_LOCK_IRQ(sc); OS_REG_WRITE(sc->sc_ah, reg1, val1); OS_REG_WRITE(sc->sc_ah, reg2, val2); ATH_HAL_UNLOCK_IRQ(sc); }

  40. Driver Patch Beacon frame received In ath_recv_mgmt: if (subtype == 0x80) { Get timestamp from beacon + time = (unsigned long long)le64_to_cpu(ni_or_null->ni_tstamp.tsf); + ptr = (u_int32_t *) (&time); + tsf_dbl_reg_write(sc, AR_TSF_L32, ptr[0], AR_TSF_U32, ptr[1]); Update TSF regs

  41. ...and we hit a snake ● Mucking around with the values in the TSF registers breaks beaconing ● ...beacon scheduling disrupted?

  42. Driver Patch Beacon frame received In ath_recv_mgmt: if (subtype == 0x80) { Get timstamp from beacon Update TSF regs + time = (unsigned long long)le64_to_cpu(ni_or_null->ni_tstamp.tsf); + ptr = (u_int32_t *) (&time); + tsf_dbl_reg_write(sc, AR_TSF_L32, ptr[0], AR_TSF_U32, ptr[1]); Force beacon transmission + ath_beacon_send(sc, &needmark, new);

  43. The Result

  44. The Result Real Skew Spoofed Skew 16.79 16.78 16.82 16.69 16.80 16.74 16.81 16.78 This is within typical variation of one AP's (+/- 0.30 – 0.70) clock skew – close enough!

  45. Can we finesse it? What if the client hears both fake and real AP on the same channel? ● Timestamps will collide, screw up skew ● Place the fake AP on a different channel!

  46. Bridging the Fake AP ● Overlapping 802.11 channels

  47. Staying on an overlapping channel ● The card will automatically switch to the channel of the associated AP ● Must keep it on the chosen neighboring channel instead

  48. Keep card on overlapping channel add_channels(struct ieee80211com *ic, // <skipped args> - int nfreq) + int nfreq, struct ieee80211vap *vap) { // <skip> Channel found by scanning - ss->ss_chans[ss->ss_last++] = c; + ss->ss_chans[ss->ss_last++] = vap->iv_des_chan; Spoofing channel supplied by us }

  49. More Patching ieee80211_recv_mgmt() { // <snip> if (scan.chan != scan.bchan && ic->ic_phytype != IEEE80211_T_FH) { // <snip> vap->iv_stats.is_rx_chanmismatch++; - return 0; + // return 0; Avoid filtering out } beacons

  50. The Result

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bargaining Failure: Aggression by Rogue States Class 7 What is a rogue state? What is a rogue

Bargaining Failure: Aggression by Rogue States Class 7 What is a rogue state? What is a rogue

Bargaining Failure: Aggression by Rogue States Class 7 What is a rogue state? What is a rogue state? State behaving contrary to conventional norms of international community. Typically, small, insulated and not very influential,

413 views • 30 slides
Rogue Waves Thama Duba, Colin Please, Graeme Hocking, Kendall Born, Meghan Kennealy 18 January

Rogue Waves Thama Duba, Colin Please, Graeme Hocking, Kendall Born, Meghan Kennealy 18 January

Rogue Waves Thama Duba, Colin Please, Graeme Hocking, Kendall Born, Meghan Kennealy 18 January 2019 1/25 What is a rogue wave Mechanisms causing rogue waves Where rogue waves have been reported Modelling of oceanic rogue waves

568 views • 25 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

Digital Systems Clock Distribution I CMPE 650 Clock Characteristics Clock signals must toggle twice (full cycle) for each single transition for data. Clock wires also tend to be very heavily loaded nets because they typically fan-out to every

490 views • 19 slides
Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11:

Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11:

Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11: Flip-Flops define edge-triggered flip-flops. clock period discuss parameters of flip-flops: setup time, hold time, 1 Computer Structure pulse width

408 views • 8 slides
Anomaly Based Intrusion Detection in Distributed Applications without global clock Eric Totel,

Anomaly Based Intrusion Detection in Distributed Applications without global clock Eric Totel,

Anomaly Based Intrusion Detection in Distributed Applications without global clock Eric Totel, Mouna Hkimi, Michel Hurfin, Mourad Leslous, Yvan Labiche SEC2-2016 5 July 2016 Outline of the Presentation Position of the problem Building

374 views • 26 slides
ACT Informed Coaching: Examining Outcomes and Mechanisms of Change Dr Rachael Skews, Dr Jo

ACT Informed Coaching: Examining Outcomes and Mechanisms of Change Dr Rachael Skews, Dr Jo

ACT Informed Coaching: Examining Outcomes and Mechanisms of Change Dr Rachael Skews, Dr Jo Lloyd, Prof Frank Bond Institute of Management Studies Rationale for the Research Limitations in the coaching evidence-base highlighted by

338 views • 23 slides
Clock IC Product Update Clock IC Product Update Clock Distribution and Clock Generation Solutions

Clock IC Product Update Clock IC Product Update Clock Distribution and Clock Generation Solutions

The World Leader in High-Performance Signal Processing Solutions Clock IC Product Update Clock IC Product Update Clock Distribution and Clock Generation Solutions Clock Distribution and Clock Generation Solutions September 2005 September 2005

575 views • 29 slides
Skews and Railroads and Seismic Oh My! Jason Stith, PhD, PE, SE Bridge Technical Manager

Skews and Railroads and Seismic Oh My! Jason Stith, PhD, PE, SE Bridge Technical Manager

Skews and Railroads and Seismic Oh My! Jason Stith, PhD, PE, SE Bridge Technical Manager Michael Baker International Presentation Overview Project Description &amp; Goals Project Challenges Project Solutions Project Goals: I-15 SB

618 views • 35 slides
Discuss what you know about time. True or False: Learning about time is not important. 1 maths

Discuss what you know about time. True or False: Learning about time is not important. 1 maths

maths time.notebook April 30, 2020 LO: To identify the time on Steps To Success: I can distinguish between the minute hand and the hour hand on an analogue clock an analogue clock I can tell the time on an analogue clock using o'clock and

1.27k views • 64 slides
The clock, not the steam-engine, is the key-machine of the modern industrial age. --Lewis

The clock, not the steam-engine, is the key-machine of the modern industrial age. --Lewis

The clock, not the steam-engine, is the key-machine of the modern industrial age. --Lewis Mumford Perpignan, 1356 Su Sung's Water Clock, 1094 Mechanical Clock: a definition Verge with Pendulum Regulator (Huygens, 1658) So who

265 views • 22 slides
High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns

High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns

High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns 30ns 40ns 50ns 60ns 70ns 80ns 90ns Clock -- Pulsing signal for enabling latches; ticks like a clock The clock's period must be longer than

658 views • 40 slides
Distributed Systems CS425/ECE428 01/31/2020 Todays agenda Clock synchronization

Distributed Systems CS425/ECE428 01/31/2020 Todays agenda Clock synchronization

Distributed Systems CS425/ECE428 01/31/2020 Todays agenda Clock synchronization Chapter 14.1-14.3 Logical clocks Chapter 14.4 Recap from last class: Failures Three types: omission, arbitrary, timing . Failure detection

873 views • 48 slides
lecture 22 often is asynchronous (e.g. USB - universal serial bus ) = clock based (system bus

lecture 22 often is asynchronous (e.g. USB - universal serial bus ) = clock based (system bus

&quot;synchronous&quot; bus Communication between device controllers and devices lecture 22 often is asynchronous (e.g. USB - universal serial bus ) = clock based (system bus clock is slower than CPU clock) Input / Output (I/O) 4 -

206 views • 4 slides
The strong, silent type Alarm clock | Introduction That wakes you up in a different way

The strong, silent type Alarm clock | Introduction That wakes you up in a different way

Alarm clock | Introduction The strong, silent type Alarm clock | Introduction That wakes you up in a different way Alarm clock | Features Wake up to flashing lights High intensity LED flash Same type as a modern camera or a cell

337 views • 30 slides
Clock Enable Timing Closure Methodology Harish Dangat Samsung Semiconductor (company logo if

Clock Enable Timing Closure Methodology Harish Dangat Samsung Semiconductor (company logo if

Clock Enable Timing Closure Methodology Harish Dangat Samsung Semiconductor (company logo if desired) Agenda Basics of Clock Gating Fixing Clock Enable Timing in RTL-2-GDSII Flow Results Conclusion Harish Dangat 2 Clock

1.17k views • 41 slides
The Dwarf Planets Trans Neptunian Objects (TNO) A New 9 th Planet And what about Rogue Planets ?

The Dwarf Planets Trans Neptunian Objects (TNO) A New 9 th Planet And what about Rogue Planets ?

The Dwarf Planets Trans Neptunian Objects (TNO) A New 9 th Planet And what about Rogue Planets ? There may be more than there are stars ! http://solarsystem.nasa.gov/ planets/planetx 3 min. Links to Solar System Videos on the Internet

427 views • 13 slides
Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h)

Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h)

Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h) truncation Assume y ( t ) is known error y ap (t+h) For small h approximate tangent line y ( t + h ) y ( t ) y(t) y ( t ) h

246 views • 6 slides
CGS, IB, and AP in SCPS Examining our Offerings Key Questions The Commonwealth Governors

CGS, IB, and AP in SCPS Examining our Offerings Key Questions The Commonwealth Governors

CGS, IB, and AP in SCPS Examining our Offerings Key Questions The Commonwealth Governors School International Baccalaureate Diploma Programme Advanced Placement and APPX Engagement Community Academic Access Press Culture True SWS

488 views • 16 slides
Achieving Continuous ROI with AP Automation Todays Speakers Helee Lev Chris Doxey Carrie

Achieving Continuous ROI with AP Automation Todays Speakers Helee Lev Chris Doxey Carrie

Achieving Continuous ROI with AP Automation Todays Speakers Helee Lev Chris Doxey Carrie Buth Chief Revenue Officer President &amp; Owner Solutions Engineer Goby Doxey Inc. Goby Learning Objectives Gain insight into the components

433 views • 32 slides
Presented by: Ifeoluwa Yusuf Introduction Energy management is a relevant problem. -

Presented by: Ifeoluwa Yusuf Introduction Energy management is a relevant problem. -

Avoiding the Rush Hours: WiFi Energy Management via Traffic Isolation Paper By: Justin Manweiler and Romit Roy Choudhury Duke University MobiSys11 Presented by: Ifeoluwa Yusuf Introduction Energy management is a relevant problem. -

342 views • 20 slides
MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test MA/CSSE

MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test MA/CSSE

MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test MA/CSSE 473 Day 08 Student questions Fermat's Little Theorem Implications of Fermats Little Theorem What we can show and what we cant

211 views • 7 slides
Lectures 34: Consumer Theory Alexander Wolitzky MIT 14.121 1 Consumer Theory Consumer theory

Lectures 34: Consumer Theory Alexander Wolitzky MIT 14.121 1 Consumer Theory Consumer theory

Lectures 34: Consumer Theory Alexander Wolitzky MIT 14.121 1 Consumer Theory Consumer theory studies how rational consumer chooses what bundle of goods to consume. Special case of general theory of choice. Key new assumption: choice sets defined

1.04k views • 42 slides
PILOT WIRELESS NETWORK PILOT WIRELESS NETWORK FOR ACCESS TO THE INTERNET FOR ACCESS TO THE

PILOT WIRELESS NETWORK PILOT WIRELESS NETWORK FOR ACCESS TO THE INTERNET FOR ACCESS TO THE

PILOT WIRELESS NETWORK PILOT WIRELESS NETWORK FOR ACCESS TO THE INTERNET FOR ACCESS TO THE INTERNET IN IN POZNAN POZNAN Tadeusz Szkudlarz Tadeusz Szkudlarz - - The The City of City of Poznan Poznan tadeusz_szkudlarz@um.poznan.pl

311 views • 17 slides
David W. Butler High School 2019-2020 Course Registration General Information Students should

David W. Butler High School 2019-2020 Course Registration General Information Students should

David W. Butler High School 2019-2020 Course Registration General Information Students should have the following: Course Selection Card Transcript of your grades Graduation Requirements Chart Career and Technical Education

461 views • 20 slides

More recommend