Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Vanhoef, Mathy; Schepers, Domien; Piessens, Frank

doi:10.1145/3052973.3053008

Cited by 14 publications

(16 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The usage of TKIP is being discouraged by the Wi-Fi Alliance [7], however, WPA2 certified devices are still allowed to support both TKIP and CCMP. Several vulnerabilities have been found in WPA2 implementations [28,35], and more recently we have seen key reinstallation attacks (KRACKs) against the WPA2 standard itself [33,34].…”

Section: Historymentioning

confidence: 99%

“…It has been shown that MediaTek devices may be vulnerable to a downgrade attack from AES-CCMP to WPA-TKIP [35]. As a result, clients using AES-CCMP may be downgraded to WPA-TKIP and fall victim to our attack.…”

Section: Mediatek Fragmentation Oraclementioning

confidence: 99%

“…In addition, researchers identified vulnerabilities in technology surrounding Wi-Fi, such as Wi-Fi Protected Setup (WPS) [26,36]. In [12], message forging attacks against AES-CCMP were described, and several WPA2 implementations have been analyzed in works such as [28,35] revealing how clients may be downgraded from AES-CCMP to WPA-TKIP. Downgrading clients to WPA-TKIP makes them vulnerable to the attacks devised against it.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Practical Side-Channel Attacks against WPA-TKIP

Schepers

Ranganathan

Vanhoef³

2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

We measure the usage of cipher suites in protected Wi-Fi networks, and do this for several distinct geographic areas. Surprisingly, we found that 44.81% of protected networks still support the old WPA-TKIP cipher. Motivated by this, we systematically analyze the security of several implementations of WPA-TKIP, and present novel side-channel attacks against them. The presented attacks bypass existing countermeasures and recover the Michael message authentication key in 1 to 4 minutes. Using this key, an adversary can then decrypt and inject network traffic. In contrast, previous attacks needed 7 to 8 minutes. These results stress the urgent need to stop using WPA-TKIP. CCS CONCEPTS• Networks → Wireless access points, base stations and infrastructure; • Security and privacy → Mobile and wireless security; • Information systems → Data encryption.

show abstract

Section: Historymentioning

confidence: 99%

Section: Mediatek Fragmentation Oraclementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Practical Side-Channel Attacks against WPA-TKIP

Schepers

Ranganathan

Vanhoef³

2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…ACM ISBN 978-1-4503-8349-3/21/06. https://doi.org/10.1145/3448300.3468261 modeled the four-way handshake to identify weaknesses [7,11], inspected the impact of Wi-Fi Protected Setup (WPS) flaws [4], and proposed numerous methods to enhance the security of Wi-Fi networks, for example, by presenting an extensive formal analysis of the WPA2 protocol design [2]. In their experiments, researchers are often required to implement complex features or entire procedures from scratch (e.g., using Python and Scapy).…”

Section: Introductionmentioning

confidence: 99%

A framework to test and fuzz wi-fi devices

Schepers

Vanhoef²,

Ranganathan

2021

Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Self Cite

View full text Add to dashboard Cite

Over the years, numerous weaknesses have been identified in the IEEE 802.11 standard and its implementations. In order to present a proof-of-concept or demonstrate their impact in practice, researchers are often required to implement entire procedures or complex features from scratch (e.g., injecting encrypted frames with customized header flags). In this paper, we present a framework that allows researchers to more easily test and fuzz any device (i.e., access points and clients). This framework enables one to, for example, test hypothesis on new weaknesses, implement proofof-concepts, create testing suites, and automate experiments. Our framework is implemented on top of the hostap user space daemon, and includes a language in which complex test cases can be defined (e.g., instructions to inject a sequence of user-modified frames into the network). Notably, a test case can make use of the hostap control interface, providing access to built-in features (e.g., authentication procedures, retrieval of encryption keys) and allows users to create customized hostap extensions. CCS CONCEPTS• Networks → Wireless access points, base stations and infrastructure; Mobile and wireless security.

show abstract

“…The nature of wireless network transmission and the emerging attacks are continuously creating or exploiting more vulnerability [3]. Despite the fact that the security mechanism and protocols are upgraded and enhanced, some companies or organization environments cannot afford a separate authentication system, and generally adopt the Wi-Fi-Protected-Access/Preshared-key(WPA2-PSK) which is not assuring 100 % security and are still exposed to some categories of attacks such as downgrade attacks, de-authentication attacks and DoS, that aims to push wireless clients to re-authenticate to Access point( AP) and try to capture the key exchanged during the handshake to compromise the network security [4].…”

Section: Introcutionmentioning

confidence: 99%

Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabilities (WIFI)

Teyou¹,

Zhang²

2018

IJEMR

View full text Add to dashboard Cite

The growing volume of attacks on the Internet has increased the demand for more robust systems and sophisticated tools for vulnerability analysis, intrusion detection, forensic investigations, and possible responses. Current hacker tools and technologies warrant reengineering to address cyber crime and homeland security. The being aware of the flaws on a network is necessary to secure the information infrastructure by gathering network topology, intelligence, internal/external vulnerability analysis, and penetration testing. This paper has as main objective to minimize damages and preventing the attackers from exploiting weaknesses and vulnerabilities in the 4 ways handshake (WIFI).We equally present a detail study on various attacks and some solutions to avoid or prevent such attacks in WLAN.

show abstract

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Cited by 14 publications

References 23 publications

Practical Side-Channel Attacks against WPA-TKIP

Practical Side-Channel Attacks against WPA-TKIP

A framework to test and fuzz wi-fi devices

Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabilities (WIFI)

Contact Info

Product

Resources

About