protecting wi fi beacons
play

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, - PowerPoint PPT Presentation

Jan 31, 2024 •379 likes •713 views

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina Ppper WiSec, 9 July 2020. Background: beacons Wi-Fi networks use beacons to announce their presence They are sent every ~100 ms by an

  1. Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina Pöpper WiSec, 9 July 2020.

  2. Background: beacons › Wi-Fi networks use beacons to announce their presence › They are sent every ~100 ms by an Access Point Contains properties of the network: Name of the network Supported bitrates (e.g. 11n or 11ac) Regulatory constraints (e.g. transmission power) ... Problem: beacons can be forged by an adversary! 2

  3. Our contributions Novel attacks Standardized as Defense to prevent abusing beacons outsider forgeries part of 802.11 Defense is being implemented by Linux and might become part of WPA3 3

  4. Taking a step back: Wi-Fi security Focus was protecting data, not beacons: › WEP, WPA1/2: only includes data frame protection › WPA3: includes management frame protection › Operating channel validation: verifies channel info  In all cases beacons remain unprotected 4

  5. Beacons are not protected › WPA version & channel: verified when connecting [WiSec’18] › All other fields can be spoofed by an adversary 5

  6. Novel Attacks 6

  7. Power constraint attacks Beacons contain the maximum allowed transmit power  Adversary can lower transmission power of victim 7

  8. Power constraint attacks Beacons contain the maximum allowed transmit power Experiments: › iPad, MacBook, and Linux : lowers transmit power of device › All other test devices not affected (unknown why) 8

  9. Power constraint attacks Beacons contain the maximum allowed transmit power Vendor-specific power element of Cisco: › Can also be exploited to lower transmit power of device › Linux: can be abused to forcibly disconnect a victim Normally we cannot set negative transmission limits But with the Cisco power element we can 9

  10. Power constraint attacks DEMO! 10

  11. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 11

  12. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 › Beacon contains the duration of these waiting periods: 12

  13. Lowering a victim’s bandwidth › Before transmission the medium must be idle: In use SIFS AIFSN Backoff (CW) Packet 2 › Spoofing this info causes clients to delay transmissions : In use SIFS AIFSN Backoff (CW) Pac › If another device transmits in the meantime, the victim restarts the waiting process & possibly never transmits 13

  14. Lowering a victim’s bandwidth: experiments Linux is affected with any network card we tested Apple devices are affected (Macbook Pro, iPhone, iPad) Windows is affected depending on network card (e.g. Alfa and TP-Link cards are affected but not Intel ones) Android is affected depending on the device: Nexus 5X was affected, but not our old Samsung i9305 14

  15. Targeted unfairness DEMO! 15

  16. Other attacks & findings Partial machine-in-the-middle attack › Bypasses channel operating validation in Linux Battery depletion attacks › Spoof beacons to make clients stay awake Send beacon as unicast frames to target specific clients › Worked against all tested devices 16

  17. Our Defense 17

  18. Design goals Focus on practicality & simplicity to encourage adoption › Cryptographic operations must be efficient › Bandwidth overhead must be low Beacons are sent at low bitrate and consume significant airtime Straightforward to implement › Ideally reuse existing crypto primitives of Wi-Fi 18

  19. Design approach To achieve our goals, we rely on symmetric encryption › Reuse crypto primitives of management frame protection We defend against outsider attacks › Adversary doesn’t possess network credentials › Similar to protection of broadcast Wi-Fi traffic 19

  20. Beacon protection: new element We add a new type-length-value element to beacons: Element ID Length Key ID Nonce MIC › Clients that do not recognize this element will ignore it › Nonce: incremental number to prevent replay attacks › Message Integrity Check: CMAC or GMAC over the beacon Existing crypto primitive of management frame protection All WPA3-capable devices already support it 20

  21. Key management Key used to generate/verify the authenticity tag? › AP generates a fresh beacon protection key when booting › AP always sends the beacon key when a client connects Older clients will ignore this key New clients will enable beacon protection  Adversary can’t manipulate handshake that transports the beacon key, preventing downgrade attacks . 21

  22. Pre-authentication behavior Periodic beacons Client cannot verify beacon before connecting (no key!) 22

  23. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it 23

  24. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it Connect to network and receive beacon protection key 24

  25. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it Connect to network and receive beacon protection key Verify authenticity reference beacon (disconnect if invalid) 25

  26. Pre-authentication behavior Periodic beacons Store 1 beacon as reference & extra info from it Connect to network and receive beacon protection key Verify authenticity reference beacon (disconnect if invalid) Send data 26

  27. Reporting forged beacons › Clients can report forged beacons to the AP › Can now detect far away rouge APs Out of range 2. Report 1. Detect forged rogue AP beacon 27

  28. Practical Results 28

  29. Specification › Collaborated with industry to standardize our defense (Intel, Broadcom, Qualcomm and Huawei) › Since March 2019 part of the (draft) IEEE 802.11 standard : 29

  30. Specification › Collaborated with industry to standardize our defense (Intel, Broadcom, Qualcomm and Huawei) › Since March 2019 part of the (draft) IEEE 802.11 standard : Might become part of WPA3 specification?  Source: https://www.wi-fi.org/security-development (July 2020) 30

  31. Implementation Now being implemented by Linux: › Kernel: generate and verify authentication tags › Hostap: manages keys and enables beacon protection DEMO! 31

  32. Conclusion › Prevent outsiders from forging beacons › Our focus on practicality paid off: Defense is now part of the 802.11 standard Being implemented by Linux Might become part of WPA3? 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Beacons 1 Beacon is continuous Bluetooth Low Energy (BLE) transmitter device with unique

Beacons 1 Beacon is continuous Bluetooth Low Energy (BLE) transmitter device with unique

Beacons 1 Beacon is continuous Bluetooth Low Energy (BLE) transmitter device with unique identifier at a known place. 2 The beacons manufacturers BlueCats BlueSense Estimote Gelo Kontact Sonic Notify

972 views • 11 slides
EDDYSTONE BEACONS: An application for Earthquake Survivors Identification By Jaylen Gregory

EDDYSTONE BEACONS: An application for Earthquake Survivors Identification By Jaylen Gregory

EDDYSTONE BEACONS: An application for Earthquake Survivors Identification By Jaylen Gregory Eddystone Beacons: Results Though we were unable to perform the experiment, we created viable webpage and server that will activate when a survivor

204 views • 8 slides
anytime anywhere with Apsima 1 www.apsima.com Intro to BLE Beacons Micro-location

anytime anywhere with Apsima 1 www.apsima.com Intro to BLE Beacons Micro-location

Stay in touch, anytime anywhere with Apsima 1 www.apsima.com Intro to BLE Beacons Micro-location beacons utilize Bluetooth Low Energy (BLE) to allow any mobile device with enabled Bluetooth 4.0 to know where it is in relation to a

443 views • 28 slides
Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and Christina Ppper. With special thanks to various IEEE members. Black Hat Webcast, 17 September 2020. Background: beacons Wi-Fi networks use

798 views • 42 slides
Driver Yielding at Traffic Control S ignals, Pedestrian Hybrid Beacons, and Rectangular Rapid

Driver Yielding at Traffic Control S ignals, Pedestrian Hybrid Beacons, and Rectangular Rapid

Driver Yielding at Traffic Control S ignals, Pedestrian Hybrid Beacons, and Rectangular Rapid Flashing Beacons by Kay Fitzpatrick Texas A&M Transportation Institute Traffic Safety Conference, May 13, 2014 Recent Research Efforts

237 views • 21 slides
How can SACRES transform schools to become beacons of HOPE? Thank you for inviting me here to

How can SACRES transform schools to become beacons of HOPE? Thank you for inviting me here to

NASACRE Conference 22-05-2019 Cohesive Communities and Effective Partnerships RE near and far. How can SACRES transform schools to become beacons of HOPE? Thank you for inviting me here to address you today. I would like to start with

382 views • 13 slides
BEACONS BEACH IMPROVEMENTS 18-185 Design Review October 15, 2018 1 WELCOME WEL COME AND

BEACONS BEACH IMPROVEMENTS 18-185 Design Review October 15, 2018 1 WELCOME WEL COME AND

BEACONS BEACH IMPROVEMENTS 18-185 Design Review October 15, 2018 1 WELCOME WEL COME AND AND INTR INTRODUC ODUCTIO TIONS Facilitator Jerry Harmon City of Encinitas Brenda Wisneski, Development Services Director Ed

921 views • 45 slides
MILLENNIALS POINTS-FOR-PURCHASE ECOMMERCE BEACONS Its All In The Numbers 3.6% ZERO

MILLENNIALS POINTS-FOR-PURCHASE ECOMMERCE BEACONS Its All In The Numbers 3.6% ZERO

Retail Presentation Looking Back at 2015 and Moving Forward in 2016 Presented By: Karen Rich Retail Buzz Words OMNICHANNEL SOCIAL SOCIAL NETWORKS NETWORKS BRICKS & MORTAR MILLENNIALS POINTS-FOR-PURCHASE ECOMMERCE BEACONS Its

485 views • 13 slides
Wearable / Attachable Beacons for Proximity Monitoring Designed for enterprises with people and

Wearable / Attachable Beacons for Proximity Monitoring Designed for enterprises with people and

Wearable / Attachable Beacons for Proximity Monitoring Designed for enterprises with people and assets in motion, such as hospitals, oil rigs, mines, factories, schools & assist. living facilities. The BluRanger System Bluetooth / Wifi Hubs

378 views • 6 slides
Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k

Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k

6/2/20 HealthMatters in our Homes Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k and nd Wh Why 1 During this presentation, we will: Summarize what COVID-19 is, how it spreads, and who

463 views • 19 slides
The new NIST reference for Randomness Beacons Lu s Brand ao Joint work with: John

The new NIST reference for Randomness Beacons Lu s Brand ao Joint work with: John

The new NIST reference for Randomness Beacons Lu s Brand ao Joint work with: John Kelsey, Ren e Peralta, Harold Booth National Institute of Standards and Technology (Gaithersburg MD, USA) 1 1 1 1 0 1 1 0 1 1 0 1 0 0 0

1.42k views • 121 slides
What Am I Looking At? Low Power Radio-Optical Beacons For In-View Recognition Ashwin Ashok

What Am I Looking At? Low Power Radio-Optical Beacons For In-View Recognition Ashwin Ashok

What Am I Looking At? Low Power Radio-Optical Beacons For In-View Recognition Ashwin Ashok aashok@winlab.rutgers.edu with Chenren Xu, Tam Vu, Wenjia Yuan, Richard Howard, Marco Gruteser, Kristin Dana, Narayan Mandayam WINLAB IAB, 15 th May

361 views • 18 slides
Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

@csunivie Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota, Michael Jensen, Sebastian Kristensen, Mathias Michno, Yvonne-Anne Pignolet, Rene Hansen, Stefan Schmid Randomness: An Important Tool of Our

394 views • 35 slides
Presentation of Annual Report January to December 2016 From Beacons of Hope to Spotlights of

Presentation of Annual Report January to December 2016 From Beacons of Hope to Spotlights of

GEF SGP UNDP Presentation of Annual Report January to December 2016 From Beacons of Hope to Spotlights of Transformation Giles Romulus WHO ARE WE? WHO ARE WE? A corporate programme of To achieve the GEF which is Environmental

365 views • 33 slides
Brecon Beacons National Park Authority F indings and Conclusions WFG examination and Audit of

Brecon Beacons National Park Authority F indings and Conclusions WFG examination and Audit of

Brecon Beacons National Park Authority F indings and Conclusions WFG examination and Audit of Partnership and Collaborations Steve Frank and Euros Lake The Auditor Generals responsibilities under the Act The Auditor General must 1.

581 views • 33 slides
Connected School Zones City of Knoxville At a Glance!!! 142 flashing school beacons

Connected School Zones City of Knoxville At a Glance!!! 142 flashing school beacons

Connected School Zones City of Knoxville At a Glance!!! 142 flashing school beacons 324 indicator Y ellow LED (Light emitting diode) Modules for school zones 150 cabinet locations About 75% complete with initial

826 views • 16 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
Searches for new physics with unconventional signatures at ATLAS and CMS Kevin Pedro (FNAL) on

Searches for new physics with unconventional signatures at ATLAS and CMS Kevin Pedro (FNAL) on

FERMILAB-SLIDES-19-013-PPD Searches for new physics with unconventional signatures at ATLAS and CMS Kevin Pedro (FNAL) on behalf of the ATLAS and CMS Collaborations March 26, 2019 This document was prepared by [ATLAS AND CMS Collabrations]

448 views • 34 slides
Identity, Security and Privacy: Mobile Web Payments Giri Mandyam March 25, 2014 W3C Web

Identity, Security and Privacy: Mobile Web Payments Giri Mandyam March 25, 2014 W3C Web

Open Source Open Possibilities Identity, Security and Privacy: Mobile Web Payments Giri Mandyam March 25, 2014 W3C Web Payments Workshop Open Source Open Possibilities PAGE 1 Mobile Web Payments - Legacy Premium SMS still popular

218 views • 7 slides
IP Spoofer Project Observations on four-years of data Rob Beverly, Arthur Berger, Young Hyun

IP Spoofer Project Observations on four-years of data Rob Beverly, Arthur Berger, Young Hyun

IP Spoofer Project Observations on four-years of data Rob Beverly, Arthur Berger, Young Hyun {rbeverly,awberger}@csail.mit, youngh@caida ISMA AIMS 2009 February 12, 2009 Spoofer Project Background Recent Relevance Project

692 views • 58 slides
CSE 154 LECTURE 3: MORE CSS Cascading Style Sheets (CSS): <link> <head> ...

CSE 154 LECTURE 3: MORE CSS Cascading Style Sheets (CSS): <link> <head> ...

CSE 154 LECTURE 3: MORE CSS Cascading Style Sheets (CSS): <link> <head> ... <link href="filename" type="text/css" rel="stylesheet" /> ... </head> HTML CSS describes the appearance and

769 views • 25 slides
John McCrae Cognitive Interaction Technology Excellence Center Universitt Bielefeld Linked

John McCrae Cognitive Interaction Technology Excellence Center Universitt Bielefeld Linked

The need for Lexicalization of Linked Data John McCrae Cognitive Interaction Technology Excellence Center Universitt Bielefeld Linked Data Linked data is growing rapidly... but mostly it looks like this: Linked Data We

514 views • 13 slides
Kimmo Kettunen, Paul McNamee and Feza Baskaya HLT2010, Riga, October 7-8, 2010 1. Why use

Kimmo Kettunen, Paul McNamee and Feza Baskaya HLT2010, Riga, October 7-8, 2010 1. Why use

Kimmo Kettunen, Paul McNamee and Feza Baskaya HLT2010, Riga, October 7-8, 2010 1. Why use syllables? 2. Our view of syllabification 3. IR test collections 4. Results 5. Discussion & conclusions N-gramming has been found very effective in

504 views • 13 slides
YOUR SHORTCUT TO MASSIVE CREDIBILITY CONTAINS ALL VIDEO SLIDEDECKS FOR THIS SESSION 1 VIRTUAL

YOUR SHORTCUT TO MASSIVE CREDIBILITY CONTAINS ALL VIDEO SLIDEDECKS FOR THIS SESSION 1 VIRTUAL

SLIDEDECKS SESSION 4 YOUR SHORTCUT TO MASSIVE CREDIBILITY CONTAINS ALL VIDEO SLIDEDECKS FOR THIS SESSION 1 VIRTUAL KICK OFF MARCH 8, 2015 2 SESSION 4 YOUR SHORTCUT TO MASSIVE CREDIBILITY 3 YOUR SHORTCUT TO MASSIVE CREDIBILITY SESSION

1.38k views • 66 slides

More recommend