xdxdxd123
Untitled
May 22nd, 2017
WPA TOO !
Md Sohail Ahmad
AirTight Networks
www.airtightnetworks.com
Defcon 18

About the Speaker
2007, Toorcon9: Caffe Latte Attack
2008, Defcon 16: Autoimmunity Disorder in Wireless LANs
2009, Defcon 17: WiFish Finder: Who will bite the bait?
2010, Defcon 18: WPA TOO !

About the Talk
WPA2 is vulnerable under certain conditions. This limitation, though known to the designers of WPA2, is not well understood or appreciated by WiFi users.
In this talk, I am going to show that exploits are possible using off the shelf tools with minor modifications.
Background
WEP, the one and only security configuration present in the original 802.11 standard, was cracked in 2001. Since then several attacks on WEP have been published and demonstrated.
Nowadays most WLANs are secured with a much better and more robust security protocol called WPA2.
Interestingly, WPA2 is also being used to secure Guest WiFi, Municipal WiFi (e.g. GoogleWiFi Secure) and Public WiFi (e.g. T-Mobile or AT&T WiFi Hotspot) networks.

Is WPA2 safe to be used in WiFi networks?
Known attacks on WPA/WPA2
2003: PSK Vulnerability
2004: PSK cracking tool, Eavesdropping
2008: TKIP Vulnerability; PEAP Mis-config Vulnerability

Attack on Pre-Shared Key (PSK) Authentication
Implications: Eavesdropping; Unauthorized Access to the network
Attack on 802.1x Authentication
Implications: Client compromise
Attack on Encryption
Implications: Injection of small size frames to create disruption

Solution
1. Do not use PSK authentication in other than private/home networks (Solves PSK Vulnerability)
2. Do not ignore certificate validation check in client’s configuration (Solves Client Vulnerability)
3. Use AES encryption (Solves TKIP Vulnerability)

Is WPA2 safe to be used in WiFi networks?
Encryption in WPA2

Encryption Keys
Two types of key for data encryption:
1. Pairwise Key (PTK)
2. Group Key (GTK)
While PTK is used to protect unicast data frames, GTK is used to protect group addressed data frames, e.g. broadcast ARP request frames.

GTK is shared among all associated clients
Three connected clients:
Client 1: PTK = PTK1, Group key = K1
Client 2: PTK = PTK2, Group key = K1
Client 3: PTK = PTK3, Group key = K1
New client: “Your Group key is K1”
Group addressed traffic in a WLAN
Group addressed 802.11 data frames are always sent by an access point and never sent by a WiFi client.
GTK is designed to be used as an encryption key in the AP and as a decryption key in the client.
ToDS “Broadcast ARP Req” frame: Address 1 (or Destination MAC) = AP/BSSID MAC
FromDS “Broadcast ARP Req” frame: Address 1 (or Destination MAC) = FF:FF:FF:FF:FF:FF

What if a client starts using GTK for group addressed frame encryption?

Is it possible for a client to send forged group addressed data frames?
FromDS “Broadcast ARP Req.” frame, actually injected by a client: Address 1 (or Destination MAC) = FF:FF:FF:FF:FF:FF

Console log of a WiFi user’s machine
Parameters (GTK, KeyID and PN) required to send a group addressed data frame are known to all connected clients.
A malicious user can always create fake packets.
WPA2 secured WiFi networks are vulnerable… to Insider Attack
Malicious insider can inject forged group addressed data traffic.
Legitimate clients can never detect data forgery.
(Diagram: Client, Malicious Insider)

Implications
- Stealth mode ARP Poisoning/Spoofing attack
- Traffic snooping
- Man in the Middle (MiM): How about “Aurora”?
- IP layer DoS attack
- IP level targeted attack
  - TCP reset, TCP indirection, Port scanning, malware injection, privilege escalation etc.
- Wireless DoS attack
  - Blocks downlink broadcast data frame reception
Stealth mode ARP Poisoning
1. Attacker injects fake ARP packet to poison client’s cache for gateway. The ARP cache of victim gets poisoned. For victim client, Gateway is attacker’s machine.
2. Victim sends all traffic to attacker.
3. Now attacker can either drop traffic or forward it to actual gateway.
(Diagram: Target, Attacker, Wired LAN; “I am the Gateway”)

ARP Poisoning Attack: Normal vs Stealth Mode
(Diagram: Target, Attacker, Wired LAN; “I am the Gateway”)
Normal: ARP poisoning frames appear on wire through AP. Chances of being caught are high.
Stealth Mode: ARP poisoning frames invisible to AP, never go on wire. Can’t be detected by any ARP cache poison detection tool.

IP Level Targeted Attack
PN or Packet Number in CCMP Header
48 bit Packet Number (PN) is present in all CCMP encrypted DATA frames.

Replay Attack Detection in WPA2
(Diagram: Legitimate client, Access Point; AP sends PN=701, client expecting PN > 700)
1. All clients learn the PN associated with a GTK at the time of association.
2. AP sends a group addressed data frame to all clients with a new PN.
3. If new PN > locally cached PN then the packet is decrypted and, after successful decryption, the old PN is updated with the new PN.
Wireless DoS Attack (WDoS)

Demo: Stealth mode attack
A live demo of the exploit will be done during the presentation.

Prevention & Countermeasures

Endpoint Security
Client software such as DecaffeinatID or Snort can be used to detect ARP cache poisoning.
Detects ARP Cache Poisoning attack.
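An added example (not part of the talk, nor code from DecaffeinatID or Snort) of the endpoint-side check this slide refers to: because stealth mode poisoning frames never cross the wire, the client's own view of ARP traffic is the only vantage point that sees them, in normal and stealth mode alike. The events, IP addresses and MACs below are constructed.

```python
GATEWAY_IP = "192.168.1.1"  # constructed: the binding a poisoner most wants to change

# Constructed ARP activity as seen on one client's own interface:
# ("request", ip, None) = we asked who has ip; ("reply", ip, mac) = a reply arrived.
SAMPLE_EVENTS = [
    ("request", "192.168.1.1", None),                # we ask for the gateway
    ("reply", "192.168.1.1", "00:11:22:33:44:55"),   # real gateway answers
    ("reply", "192.168.1.20", "66:77:88:99:aa:bb"),  # peer's gratuitous ARP: unsolicited, benign
    ("reply", "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway "moves" to another MAC, unsolicited
]

class ArpWatch:
    """DecaffeinatID-style endpoint check: remember IP-to-MAC bindings and flag changes."""
    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.bindings = {}    # ip -> mac first learned
        self.pending = set()  # ips with an outstanding request from this host
        self.alerts = []

    def process(self, kind, ip, mac):
        if kind == "request":
            self.pending.add(ip)
            return None
        alert = None
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            # A binding change on the gateway is the classic cache poisoning signature.
            # Planned gateway replacements should be whitelisted before alerting.
            sev = "high" if ip in self.protected else "medium"
            alert = (sev, f"{ip} changed {known} -> {mac}")
            self.bindings[ip] = mac  # track the new claim so a flip back is reported too
        elif ip not in self.pending:
            # Unsolicited replies are often legitimate (gratuitous ARP), so log only.
            alert = ("low", f"unsolicited reply from {ip} ({mac})")
        self.pending.discard(ip)
        if alert:
            self.alerts.append(alert)
        return alert

def run(events, protected=(GATEWAY_IP,)):
    watch = ArpWatch(protected)
    for kind, ip, mac in events:
        watch.process(kind, ip, mac)
    return watch.alerts
```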
Limitations
A variety of client devices (smartphones, different operating systems and hardware) connect to WPA2 secured WiFi networks, while the software is available only for Windows or Linux running devices.
Infrastructure Side
Public Secure Packet Forwarding (PSPF)/peer-to-peer (P2P) or Client Isolation
(Diagram: Client A, Client B; AP does not forward A’s packet to B)
The feature can be used to stop communication between two WiFi enabled client devices.

Limitations
Not all standalone mode APs or WLAN controllers have built-in PSPF or client isolation capabilities.
PSPF or Client Isolation does not always work:
- It does not work across APs in standalone mode
- In controller based architecture, PSPF (peer2peer) does not work across controllers even when the controllers are present in the same mobility group
Attacker can always use a WiFi client to launch the attack and set up a non-WiFi host to serve the victim, and so easily bypass PSPF/Client isolation.

Long Term Solution: Protocol Enhancement
Deprecate use of GTK and group addressed data traffic from AP:
1. Convert all group addressed data traffic into unicast traffic
2. For backward compatibility AP should send randomly generated different GTKs to different clients so that all associated clients have different copies of group key
Disadvantages:
a. Brings down total network throughput
b. Requires AP software upgrade
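As an added illustration (not from the slides or from AirTight), this Python model follows the receive path the deck describes for group addressed frames: the client looks up the GTK by KeyID, verifies integrity, and accepts only if the PN exceeds its cached PN. It shows why the PN check stops replays but cannot tell an AP-originated frame from one built by another holder of the shared GTK, and how the per-client GTK enhancement above changes the outcome. The truncated HMAC stands in for the CCMP MIC; keys, PNs and ARP payloads are constructed values.

```python
import hmac, hashlib, os
from dataclasses import dataclass
@dataclass
class GroupFrame:
    key_id: int    # KeyID field of the CCMP header
    pn: int        # 48-bit Packet Number
    payload: bytes
    mic: bytes

def build_group_frame(gtk, key_id, pn, payload):
    # Any holder of the GTK can build this. The MIC is a stand-in for the CCMP
    # MIC (assumption: truncated HMAC-SHA256 rather than real AES-CCM).
    msg = bytes([key_id]) + pn.to_bytes(6, "big") + payload
    return GroupFrame(key_id, pn, payload, hmac.new(gtk, msg, hashlib.sha256).digest()[:8])

@dataclass
class Client:
    gtk: bytes
    key_id: int
    last_pn: int  # PN learned for this GTK at association time

    def receive_group_frame(self, frame):
        # Receive path from the slides: key lookup, integrity check, PN replay check.
        if frame.key_id != self.key_id:
            return "drop: unknown KeyID"
        expected = build_group_frame(self.gtk, frame.key_id, frame.pn, frame.payload).mic
        if not hmac.compare_digest(frame.mic, expected):
            return "drop: integrity check failed"
        if frame.pn <= self.last_pn:
            return "drop: replay"
        self.last_pn = frame.pn  # accept and advance the replay counter
        return "accept"

def shared_gtk_scenario():
    # Today's WPA2: every associated client holds the same group key K1.
    k1 = os.urandom(16)
    victim = Client(k1, key_id=1, last_pn=700)
    ap_frame = build_group_frame(k1, 1, 701, b"ARP who-has 192.168.1.1")
    from_ap = victim.receive_group_frame(ap_frame)
    # Built by another associated client with K1 and a higher PN: nothing here ties it to the AP.
    peer_frame = build_group_frame(k1, 1, 702, b"ARP 192.168.1.1 is-at <peer>")
    from_peer = victim.receive_group_frame(peer_frame)
    replayed = victim.receive_group_frame(ap_frame)  # the PN check does catch replays
    return from_ap, from_peer, replayed

def per_client_gtk_scenario():
    # Long-term fix from the slides: the AP gives each client a different random GTK.
    victim = Client(os.urandom(16), key_id=1, last_pn=700)
    foreign = build_group_frame(os.urandom(16), 1, 702, b"ARP 192.168.1.1 is-at <peer>")
    return victim.receive_group_frame(foreign)
```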
Key Take Away
- WPA2 – secure, but vulnerable to insider attack!
- This limitation is known to WPA2 designers, but not well understood by WiFi users
- Countermeasures can be deployed wherever the threat of insider attacks is high
  - Using endpoint security; or
  - Using wireless traffic monitoring using WIPS sensors

Thank You!
Md Sohail Ahmad
Email: md.ahmad@airtightnetworks.com
www.airtightnetworks.com
For up-to-date information on developments in wireless security, visit blog.airtightnetworks.com
References
[1] Task Group I, IEEE P802.11i Draft 10.0. Project IEEE 802.11i, 2004.
[2] Aircrack-ng. www.aircrack-ng.org
[3] PEAP: Pwned Extensible Authentication Protocol. http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf
[4] WPA/WPA2 TKIP Exploit: Tip of the Iceberg? www.cwnp.com/pdf/TKIPExploit08.pdf
[5] Cisco’s PSPF or P2P. http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
[6] Client isolation. http://www.cisecurity.org/tools2/wireless/CIS_Wireless_Addendum_Linksys.pdf
[7] The Madwifi Project. http://madwifi-project.org/
[8] Host AP Driver. http://hostap.epitest.fi/
[9] ARP Cache Poisoning. http://www.grc.com/nat/arp.htm
[10] Detecting Wireless LAN MAC Address Spoofing. http://forskningsnett.uninett.no/wlan/download/wlan-mac-spoof.pdf
[11] DecaffeinatID. http://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows&mode=print
[12] SNORT. http://www.snort.org/
[13] Wireless Hotspot Security. http://www.timeatlas.com/Reviews/Reviews/Wireless_Hotspot_Security