Short paper

Wireless networks are particularly vulnerable to spoofing and route poisoning attacks due to the contested transmission medium. Recent works investigate physical layer features such as received signal strength or radio frequency fingerprints to localize and identify malicious devices. In this paper we demonstrate a novel and complementary approach to exploiting physical layer differences among wireless devices that is more energy efficient and invariant with respect to the environment. Specifically, we exploit subtle design differences among transceiver hardware types. Transceivers fulfill the physicallayer aspects of wireless networking protocols, yet specific hardware implementations vary among manufacturers and device types. In this paper we demonstrate that precise manipulation of the physical layer header prevents a subset of transceiver types from receiving the manipulated packet. By soliciting acknowledgments from wireless devices using a small number of packets with manipulated preambles and frame lengths, a response pattern identifies the true transceiver class of the device under test. Herein we demonstrate a transceiver taxonomy of six classes with greater than 99% accuracy, irrespective of environment. We successfully demonstrate wireless multi-factor authentication, intrusion detection, and transceiver type fingerprinting through preamble manipulation.

show abstract

Injection attacks on 802.11n MAC frame aggregation

Robyns

Quax

Lamotte

2015

Proceedings of the 8th ACM Conference on Security &Amp; Privacy in Wireless and Mobile Networks

View full text Add to dashboard Cite

The ability to inject packets into a network is known to be an important tool for attackers: it allows them to exploit or probe for potential vulnerabilities residing on the connected hosts. In this paper, we present a novel practical methodology for injecting arbitrary frames into wireless networks, by using the Packet-In-Packet (PIP) technique to exploit the frame aggregation mechanism introduced in the 802.11n standard. We show how an attacker can apply this methodology over a WAN -without physical proximity to the wireless network and without requiring a wireless interface card. The practical feasibility of our injection method is then demonstrated through a number of proof-of-concept attacks. More specifically, in these proof-of-concepts we illustrate how a host scan can be performed on the network, and how beacon frames can be injected from a remote location. We then both analytically and experimentally estimate the success rate of these attacks in a realistic test setup. Finally, we present several defensive measures that network administrators can put in place in order to prevent exploitation of our frame injection methodology.

show abstract

Short paper

Cited by 3 publications

References 6 publications

Wanda: Securely introducing mobile devices

Wanda: Securely introducing mobile devices

Wireless Intrusion Detection and Device Fingerprinting through Preamble Manipulation

Injection attacks on 802.11n MAC frame aggregation

Contact Info

Product

Resources

About