Extending Automated Protocol State Learning for the 802.11 4-Way Handshake

Stone, Chris McMahon; Chothia, Tom; Ruiter, Joeri de

doi:10.1007/978-3-319-99073-6_16

Cited by 27 publications

(6 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The automaton has a state that encapsulates a 4-way handshake mechanism granting access to the controlled port. Since learning the 4-way handshake mechanisms is already addressed in [22], we focus on learning the AKM service. We used the following management frames: Auth(Open), AssoReq, Deauth(leaving), Disas(leaving), ProbeReq, and timeout [14, p. 45-49].…”

Section: Android Authentication and Key Managementmentioning

confidence: 99%

Learning Mealy Machines with One Timer

Vaandrager

Bloem

2021

Language and Automata Theory and Applications

View full text Add to dashboard Cite

We present Mealy machines with a single timer (MM1Ts), a class of models that is both sufficiently expressive to describe the realtime behavior of many realistic applications, and can be learned efficiently. We show how learning algorithms for MM1Ts can be obtained via a reduction to the problem of learning Mealy machines. We describe an implementation of an MM1T learner on top of LearnLib, and compare its performance with recent algorithms proposed by Aichernig et al. and An et al. on several realistic benchmarks.

show abstract

Section: Android Authentication and Key Managementmentioning

confidence: 99%

Learning Mealy Machines with One Timer

Vaandrager

Bloem

2021

Language and Automata Theory and Applications

View full text Add to dashboard Cite

show abstract

“…These attacks can be launched by anyone within range of the victim, and nowadays low-cost Wi-Fi "deauthers" are readily available for less than $10 [31]. Disconnecting a client from the network is an essential step towards successfully executing many attacks, in particular those targeting the connection process, with example attacks being [3,6,7,16,23,24,39]. For instance, offline dictionary attacks against the passphrase of a WPA2 network require the adversary to capture a client's 4-way handshake, and can be accelerated by capturing additional handshakes.…”

Section: Introductionmentioning

confidence: 99%

On the Robustness of Wi-Fi Deauthentication Countermeasures

Schepers

Ranganathan

Vanhoef

2022

Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks

View full text Add to dashboard Cite

With the introduction of WPA3 and Wi-Fi 6, an increased usage of Wi-Fi Management Frame Protection (MFP) is expected. defined in IEEE 802.11w, protects robust management frames by providing data confidentiality, integrity, origin authenticity, and replay protection. One of its key goals is to prevent deauthentication attacks in which an adversary forcibly disconnects a client from the network. In this paper, we inspect the standard and its implementations for their robustness and protection against deauthentication attacks. In our standard analysis, we inspect the rules for processing robust management frames on their completeness, consistency, and security, leading to the discovery of unspecified cases, contradictory rules, and revealed insecure rules that lead to new denial-of-service vulnerabilities. We then inspect implementations and identify vulnerabilities in clients and access points running on the latest versions of the Linux kernel, hostap, IWD, Apple (i.e., macOS, iOS, iPadOS), Windows, and Android. Altogether, these vulnerabilities allow an adversary to disconnect any client from personal and enterprise networks despite the usage of MFP. Our work highlights that management frame protection is insufficient to prevent deauthentication attacks, and therefore more care is needed to mitigate attacks of this kind. In order to address the identified shortcomings, we worked with industry partners to propose updates to the IEEE 802.11 standard. CCS CONCEPTS• Networks → Wireless access points, base stations and infrastructure; Mobile and wireless security; Denial-of-service attacks.

show abstract

“…The usage of TKIP is being discouraged by the Wi-Fi Alliance [60], however, WPA2 certified devices are still allowed to support both TKIP and CCMP. Several vulnerabilities have been found in WPA2 implementations [18,61], and more recently we have seen key reinstallation attacks (KRACKs) against the WPA2 standard itself [1,62].…”

Section: Historymentioning

confidence: 99%

“…In addition, researchers identified vulnerabilities in technology surrounding Wi-Fi, such as Wi-Fi Protected Setup (WPS) [80,39]. In [81], message forging attacks against AES-CCMP were described, and several WPA2 implementations have been analyzed in works such as [18,61] revealing how clients may be downgraded from AES-CCMP to WPA-TKIP. Downgrading clients to WPA-TKIP makes them vulnerable to the attacks devised against it.…”

Section: Related Workmentioning

confidence: 99%

“…For example, researchers identified key reinstallation attacks [1], security weaknesses in encryption protocols such as WPA-TKIP [20,11] and the Dragonfly handshake of WPA3 [166], and shown stealthy evil-twin attacks against enterprise networks [167]. Furthermore, researchers modeled the four-way handshake to identify weaknesses [18,61], inspected the impact of Wi-Fi Protected Setup (WPS) flaws [39], and proposed numerous methods to enhance the security of Wi-Fi networks, for example, by presenting an extensive formal analysis of the WPA2 protocol design [168]. In their experiments, researchers are often required to implement complex features or entire procedures from scratch (e.g., using Python and Scapy).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Towards rapid prototyping for wi-fi security research

Schepers

View full text Add to dashboard Cite

The rapid deployment of wireless networks, combined with an increasing demand for performance and security, resulted in the significant evolution of standards. Today, ) and Wi-Fi Protected Access 3 (WPA3) are the latest standard and set of security protocols. In order to enhance the security protections offered by these networks, it remains key to adopt the newest standards and promptly deprecate any old and vulnerable protocols. With this perspective, and the knowledge that early research in new protocols allows us to identify and address shortcomings before they are widely-adopted in practice, we are motivated to perform rigorous security and privacy analyses.In this dissertation, we perform an extensive wireless survey to understand and contextualize the Wi-Fi (IEEE 802.11) landscape. It allows us to gain real-world insights in the adoption rates of deprecated, recommended, and state-of-the-art protocols, and thereby identify trends and determine their security impact in practice. Based on our newfound insights, we perform a security and privacy analysis on the Temporal Key Integrity Protocol (TKIP) and Wi-Fi Fine Timing Measurement (FTM), revealing a wide-variety of sidechannels and security vulnerabilities. In order to ease and streamline our research process, and address implementation challenges faced throughout, we design a novel framework for rapid prototyping. Our framework allows one to rapidly test hypothesis on new weaknesses, implement proof-of-concepts, build on-target fuzz-testing tools, create testing suites (e.g., test if a device is vulnerable to known attacks), and automate experiments. We then demonstrate the features of our framework by means of two practical use cases. First, we perform a security analysis on the Wi-Fi Management Frame Protection (MFP) standard and its implementations, revealing numerous deauthentication vulnerabilities. Second, we analyze frame queuing mechanisms used within access points, revealing vulnerabilities which enable an adversary to bypass encryption. Finally, we release our framework for rapid prototyping to the community in order to encourage and support further security and privacy research.

show abstract

Extending Automated Protocol State Learning for the 802.11 4-Way Handshake

Cited by 27 publications

References 25 publications

Learning Mealy Machines with One Timer

Learning Mealy Machines with One Timer

On the Robustness of Wi-Fi Deauthentication Countermeasures

Towards rapid prototyping for wi-fi security research

Contact Info

Product

Resources

About