A framework to test and fuzz wi-fi devices

Schepers, Domien; Vanhoef, Mathy; Ranganathan, Aanjhan

doi:10.1145/3448300.3468261

Cited by 15 publications

(9 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In Table 2, a dash indicates the respective technique does not apply to the evaluated system. Furthermore, for each of the deauthentication attacks, we write a test case (i.e., proof-of-concept) within the Wi-Fi Framework [30]. The attacks are straightforward to execute against any new system (e.g., Linux, Windows, Apple, Android).…”

Section: Methodology and Experimental Setupmentioning

confidence: 99%

“…Prior research evaluated the MFP standard and identified denial-of-service attacks against the SA Query procedure in earlier drafts of the standard [1,13] as well as its default timeout intervals in commercial systems [8], deadlock vulnerabilities [5,14], and the 4-way handshake [40]. Furthermore, researchers evaluated the resilience against deauthentication and association flooding attacks [8], and implementation vulnerabilities in the hostap daemon allowed an adversary to trick the access point in deauthenticating all clients by transmitting association frames from invalid source addresses [30]. In this paper, we performed the first study of the standard, investigating how stations are expected to handle deauthentication and disassociation frames in the context of MFP.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

On the Robustness of Wi-Fi Deauthentication Countermeasures

Schepers

Ranganathan

Vanhoef

2022

Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Self Cite

View full text Add to dashboard Cite

With the introduction of WPA3 and Wi-Fi 6, an increased usage of Wi-Fi Management Frame Protection (MFP) is expected. defined in IEEE 802.11w, protects robust management frames by providing data confidentiality, integrity, origin authenticity, and replay protection. One of its key goals is to prevent deauthentication attacks in which an adversary forcibly disconnects a client from the network. In this paper, we inspect the standard and its implementations for their robustness and protection against deauthentication attacks. In our standard analysis, we inspect the rules for processing robust management frames on their completeness, consistency, and security, leading to the discovery of unspecified cases, contradictory rules, and revealed insecure rules that lead to new denial-of-service vulnerabilities. We then inspect implementations and identify vulnerabilities in clients and access points running on the latest versions of the Linux kernel, hostap, IWD, Apple (i.e., macOS, iOS, iPadOS), Windows, and Android. Altogether, these vulnerabilities allow an adversary to disconnect any client from personal and enterprise networks despite the usage of MFP. Our work highlights that management frame protection is insufficient to prevent deauthentication attacks, and therefore more care is needed to mitigate attacks of this kind. In order to address the identified shortcomings, we worked with industry partners to propose updates to the IEEE 802.11 standard. CCS CONCEPTS• Networks → Wireless access points, base stations and infrastructure; Mobile and wireless security; Denial-of-service attacks.

show abstract

Section: Methodology and Experimental Setupmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

On the Robustness of Wi-Fi Deauthentication Countermeasures

Schepers

Ranganathan

Vanhoef

2022

Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Self Cite

View full text Add to dashboard Cite

show abstract

“…When set, the network card actively acknowledges incoming unicast frames if they match the configured MAC address. However, at the time of writing, few network cards on Linux support this flag, and recent works instead used virtual interface to assure that incoming frames are acknowledged [15,18] (see also Section 3.2).…”

Section: Frame Injection On Linuxmentioning

confidence: 99%

“…This is done using virtual interfaces: one virtual interface implements the client or AP behavior, while a second virtual interface can be used to monitor and inject frames. Recent works used this ability to quickly prototype proof-of-concepts [15,18].…”

Section: Virtual Interfaces On Linuxmentioning

confidence: 99%

Testing and Improving the Correctness of Wi-Fi Frame Injection

Vanhoef

Jiao

Wei

et al. 2023

Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Self Cite

View full text Add to dashboard Cite

Investigating the security of Wi-Fi devices often requires writing scripts that send unexpected or malformed frames, to subsequently monitor how the devices respond. Such tests generally use Linux and off-the-self Wi-Fi dongles. Typically, the dongle is put into monitor mode to get access to the raw content of received Wi-Fi frames and to inject, i.e., transmit, customized frames.In this paper, we demonstrate that monitor mode on Linux may, unbeknownst to the user, mistakenly inject Wi-Fi frames or even drop selected frames instead of sending them. We discuss cases where this causes security testing tools to misbehave, making users believe that a device under test is secure while in reality it is vulnerable to an attack. To remedy this problem, we create a script to test raw frame injection, and we extend the Radiotap standard to gain more control over frame injection. Our extension is now part of the Radiotap standard and has been implemented in Linux. We tested it using commercial Wi-Fi dongles and using openwifi, which is an open implementation of Wi-Fi on top of software-defined radios. With our improved setup, we reproduced tests for the KRACK and FragAttack vulnerabilities, and discovered previously unknown vulnerabilities in three smartphones. CCS CONCEPTS• Security and privacy → Mobile and wireless security; • Networks → Protocol testing and verification.

show abstract

“…Although a testing framework [45] exists for detecting fragmentation and aggregation vulnerabilities in Wi-Fi devices, no specific defense mechanisms are available for FragAttacks.…”

Section: ) Stage 1 Defense Mechanisms: Vanhoef Et Al [7] Proposed An ...mentioning

confidence: 99%