Attacks on WiFi: Reflections on Recently Revealed Vulnerabilities
By CWNP On 09/01/2009
In the last couple of weeks, we've witnessed a flurry of activity in the wireless security space. Security researchers have disclosed two new attacks on WiFi infrastructure: Skyjacking, which targets Cisco's lightweight access points, and an improved attack on WPA-TKIP. This post gives a high-level overview of both.
Attack #1: Skyjacking exploits the weak Over The Air Provisioning (OTAP) feature of Lightweight Access Points (LAPs) in a Cisco WLAN. OTAP is one of the techniques an LAP uses to discover Wireless LAN Controllers (WLCs) on the network: an LAP that has already joined a controller advertises that controller over the wireless medium, and other LAPs use these unencrypted (and therefore trivially forged) over-the-air frames to learn which WLCs are available. This "zero configuration" convenience opens the following attack. An attacker injects forged OTAP frames to trick an LAP into joining a rogue controller, which could even sit on the Internet. Note that merely having an LAP join the rogue controller does not necessarily let the attacker read any confidential traffic, because the rogue controller cannot authenticate the enterprise's wireless users. However, as Cisco has acknowledged, it does produce a denial of service: every LAP lured to the rogue controller stops serving the enterprise's clients.
Attack #2: WPA TKIP (Temporal Key Integrity Protocol) was designed to fix the well-known weaknesses of WEP encryption on existing hardware. Two of its main improvements are replay protection and protection against message tampering. Replay protection uses the TKIP Sequence Counter (TSC) carried in every transmitted packet: a receiver drops any packet whose TSC is less than or equal to the TSC of the last packet it accepted. Tamper protection uses a Message Integrity Code (MIC) computed with the Michael algorithm: the receiver recomputes the MIC over the decrypted packet and accepts the packet only if the result matches the MIC the packet carries; otherwise the packet is dropped and the failure is reported. With these improvements, everyone was content that WPA had put the problems of WEP to bed.

However, in November 2008, Martin Beck and Erik Tews published a clever way to practically defeat the replay protection defined in TKIP. The Beck-Tews attack exploits the fact that WiFi devices implementing Quality of Service (QoS) keep multiple traffic streams, each with its own independent TSC. A packet captured on one QoS stream can be replayed on another stream whose TSC is still lower, and the receiver accepts it as new. With the replay check out of the way, they were able to run the "chopchop" attack against a TKIP WLAN.

Chopchop is based on a well-known limitation of the checksum TKIP inherited from WEP, the CRC32-based Integrity Check Value (ICV). (Note: the ICV is different from the MIC; both are carried in encrypted form in a TKIP packet.) Because CRC32 is linear, anyone can flip bits in an encrypted packet and flip the matching bits of the encrypted ICV so that the checksum still verifies, without knowing the key. Chopchop uses this property as follows. It truncates a packet of M bytes by one byte, guesses the value of the removed plaintext byte, and from that guess alone computes the correction to the ICV that makes the truncated packet valid again. It then replays the truncated, corrected packet. If the packet passes the ICV check (which the attacker can tell because the client then sends a "MIC failure" report over the air, since the MIC no longer matches the shortened packet), the byte was guessed correctly; if not, the next guess is tried. On average 128 attempts are needed per byte.

Beck and Tews used this approach to decrypt short packets, such as ARPs, in a TKIP WLAN. Every correct guess triggers a MIC failure report, and TKIP's countermeasures tear down the association and force a rekey if two MIC failures occur within 60 seconds, so the attacker has to pace the attack to about one byte per minute; recovering the 12 bytes of MIC and ICV at the end of an ARP packet (the rest of an ARP is largely predictable) took about 12 minutes. Further, because Michael is invertible, the decrypted MIC together with the known plaintext yields the MIC key for that direction, and with that key and the recovered keystream they were able to inject forged packets into the TKIP-protected WLAN (for example, ARP packets for ARP poisoning).

Very recently, Japanese researchers Toshihiro Ohigashi and Masakatu Morii revealed an improved version of the above attack. It extends the original in two ways: it works against implementations that do not support QoS, and it needs much less time to inject forged ARP packets. It does so by combining a Man-in-the-Middle (MITM) attack with the Beck-Tews attack. The attack model assumes a client and an AP that are not within RF range of each other, with a wireless relay operated by the attacker sitting between them. The key idea is that the relay can "block" selected packets, such as ARPs, from the sender (the AP) so that they never reach the receiver (the client), and transmit modified (chopchop) packets to the client in their place. Because the original packet is never delivered, its TSC is never consumed at the receiver, which is a simple way to beat the replay protection even on a client that has only a single stream. Please note that this does not mean WPA is completely broken: the temporal (encryption) key is not recovered by this kind of attack. What the attacker gains is the keystream for one packet and the MIC key for one direction, enough to decrypt short packets and forge a handful of frames, not to read the traffic at large.
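As an added example, not code from the CWNP post, from Beck and Tews, or from any real TKIP implementation, the following Python models the pieces of the attack described above: a toy receiver that applies TKIP's checks in order (per-QoS-stream TSC replay check, then ICV, then MIC, returning a "mic_fail" result that stands in for the over-the-air MIC failure report), and a chopchop attacker that chops one byte at a time, computes the ICV correction for each of the 256 guesses from CRC32's linearity, and replays the candidates on an unused QoS stream so that the old TSC is still accepted. Everything cryptographic is a stand-in and an assumption of this example: SHAKE-256 output keyed by the temporal key and TSC replaces the per-packet RC4 keystream, a truncated HMAC replaces Michael, and the keys, TSC values and the ARP frame are constructed. The CRC32 arithmetic (the table, the residue 0xDEBB20E3 of a frame followed by its own checksum, and the correction mask) is the real thing.

```python
"""Toy TKIP receiver plus chopchop attacker (added example, not code from the CWNP post).
Modelled as the post describes: per-QoS-TID TSC replay check, CRC32 ICV, 8-byte MIC, MIC
failure report as oracle. Stand-ins (assumptions): SHAKE-256 keystream instead of RC4,
truncated HMAC-SHA256 instead of Michael, constructed keys and frame, no 802.11 framing."""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320
TABLE = []
for n in range(256):
    for _ in range(8):
        n = (n >> 1) ^ POLY if n & 1 else n >> 1
    TABLE.append(n)
INV_TOP = {t >> 24: i for i, t in enumerate(TABLE)}  # the top byte identifies the entry
MAGIC = 0xDEBB20E3  # register (init 0xFFFFFFFF, no final XOR) after data || CRC32(data)

def icv(body):
    return zlib.crc32(body).to_bytes(4, "little")  # WEP/TKIP ICV over data || MIC

def step_back(state_after, byte):
    """Invert one register step: the state that produced state_after when fed byte."""
    i = INV_TOP[state_after >> 24]
    return (((state_after ^ TABLE[i]) << 8) & 0xFFFFFFFF) | ((i ^ byte) & 0xFF)

def solve_4_bytes(target):
    """Bytes that drive the register from 0 to target (possible because CRC32 is linear)."""
    x, idx = target, []
    for _ in range(4):  # recover the four table indices, last one first
        idx.append(INV_TOP[x >> 24])
        x = ((x ^ TABLE[idx[-1]]) << 8) & 0xFFFFFFFF
    state, out = 0, bytearray()
    for i in reversed(idx):  # replay forward to turn indices into input bytes
        out.append((state ^ i) & 0xFF)
        state = (state >> 8) ^ TABLE[i]
    return bytes(out)

def chop_correction(last_byte):
    """XOR mask for the last 4 bytes of a frame whose final plaintext byte was chopped off.
    It depends only on that byte, so all 256 candidates can be applied to ciphertext."""
    return solve_4_bytes(step_back(MAGIC, last_byte) ^ MAGIC)

TK, MIC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"), bytes.fromhex("1011121314151617")
# Constructed ARP reply (LLC/SNAP + ARP): the short, mostly known frame Beck-Tews went after.
SAMPLE_ARP = bytes.fromhex("aaaa030000000806" "0001080006040002" "0a0b0c0d0e0f"
                           "c0a80101" "a1a2a3a4a5a6" "c0a80164")

def keystream_for(tsc, length):
    """Stand-in for the per-packet RC4 keystream: depends on TK and TSC only."""
    return hashlib.shake_256(TK + tsc.to_bytes(6, "big")).digest(length)

def mic(data):
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:8]  # Michael stand-in

def protect(data, tsc):
    body = data + mic(data)
    plain = body + icv(body)
    return bytes(p ^ k for p, k in zip(plain, keystream_for(tsc, len(plain))))

class TkipReceiver:
    """Checks in TKIP order: replay (per QoS TID), ICV, MIC. TSC advances only on accept."""
    def __init__(self):
        self.last_tsc = {}

    def receive(self, tid, tsc, ciphertext):
        if tsc <= self.last_tsc.get(tid, -1):
            return "replay"
        plain = bytes(c ^ k for c, k in zip(ciphertext, keystream_for(tsc, len(ciphertext))))
        body = plain[:-4]
        if icv(body) != plain[-4:]:
            return "icv_fail"  # dropped silently: every wrong chopchop guess ends here
        if mic(body[:-8]) != body[-8:]:
            return "mic_fail"  # client sends a MIC failure report: the chopchop oracle
        self.last_tsc[tid] = tsc
        return "ok"

def chopchop(rx, tid, tsc, ciphertext, nbytes):
    """Recover the last nbytes of keystream, hence of plaintext, one byte per MIC failure."""
    keystream, work, attempts = bytearray(), bytearray(ciphertext), 0
    for _ in range(nbytes):
        for guess in range(256):
            attempts += 1
            trial = bytearray(work[:-1])
            for j, m in enumerate(chop_correction(guess)):
                trial[-4 + j] ^= m
            if rx.receive(tid, tsc, bytes(trial)) == "mic_fail":
                keystream.insert(0, work[-1] ^ guess)
                work = trial  # the corrected frame is ICV-valid again: chop the next byte
                break
    return bytes(c ^ k for c, k in zip(ciphertext[-nbytes:], keystream)), attempts

def demo():
    rx = TkipReceiver()
    frame = protect(SAMPLE_ARP, tsc=42)
    first = rx.receive(0, 42, frame)  # normal delivery on TID 0
    replay = rx.receive(0, 42, frame)  # same TID and TSC: the replay check rejects it
    tail, attempts = chopchop(rx, 7, 42, frame, 12)  # unused TID 7 still accepts TSC 42
    return first, replay, tail, attempts
```

Running demo() delivers the constructed ARP frame on TID 0, shows the identical frame rejected as a replay on the same TID, and then recovers the last 12 plaintext bytes (the MIC and the ICV) through the MIC-failure oracle on TID 7, with roughly 128 oracle queries per byte as the post states. Two things the toy deliberately leaves out: the 60-second pause between successful guesses that TKIP's countermeasures force on a real attacker, and the inversion of Michael that turns the recovered MIC and known plaintext into the MIC key.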
With WiFi now mainstream, the effort to break it will continue. In light of this, assuming that the WiFi protocol suite or the available WLAN implementations will defend themselves is utopian. Hence there is a need for a complementary security layer that adds monitoring and enforcement to the enterprise wireless network. The wired security world has long since adopted multi-layered security; isn't the WLAN world better off doing the same? Please tune in with your views.