Stupify: A Hardware Countermeasure of KRACKs in WPA2 using Physically Unclonable Functions

Chatterjee, Urbi; Sadhukhan, Rajat; Mukhopadhyay, Debdeep; Chakraborty, Rajat Subhra; Mahata, Debashis; Prabhu, M.

doi:10.1145/3366424.3383545

Cited by 10 publications

(6 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [37], the authors proposed a defense mechanism based on Physically Unclonable Functions (PUF) to prevent rogue AP's actions during the MC-MitM attacks. Their approach involved generating a unique secret key from the AP's PUF signature and using it for mutual authentication between the AP and client devices.…”

Section: ) Stage 1 Defense Mechanismsmentioning

confidence: 99%

“…Stupify [37] only detects attacks against WPA2 devices because it introduces changes to the WPA2 authentication mechanisms. It does not protect PMF devices as they do not include a group key (IGTK) in their authentication mechanism, and cannot detect insider attacks since such attackers can forge/bypass authentication details.…”

Section: G Comparison With Existing Defense Mechanismsmentioning

confidence: 99%

See 1 more Smart Citation

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks

Thankappan,

Rifà-Pous,

Garrigues

2024

IEEE Access

View full text Add to dashboard Cite

One of the advanced Man-in-the-Middle (MitM) attacks is the Multi-Channel MitM (MC-MitM) attack, which is capable of manipulating encrypted wireless frames between clients and the Access Point (AP) in a Wireless LAN (WLAN). MC-MitM attacks are possible on any client no matter how the client authenticates with the AP. Key reinstallation attacks (KRACK) in 2017-18, and the latest FragAttacks in 2021 are frontline MC-MitM attacks that widely impacted millions of Wi-Fi systems, especially those with Internet of Things (IoT) devices. Although there are security patches against some attacks, they are not applicable to every Wi-Fi or IoT device. In addition, existing defense mechanisms to combat MC-MitM attacks are not feasible for two reasons: they either require severe firmware modifications on all the devices in a system, or they require the use of several advanced hardware and software for deployment. On top of that, high technical overhead is imposed on users in terms of network setup and maintenance. This paper presents the first plug-and-play system to detect MC-MitM attacks. Our solution is a lightweight, signaturebased, and centralized online passive intrusion detection system that can be easily integrated into Wi-Fi-based IoT environments without modifying any network settings or existing devices. The evaluation results show that our proposed framework can detect MC-MitM attacks with a maximum detection time of 60 seconds and a minimum TPR (true positive rate) of 90% by short-distance detectors and 85% by long-distance detectors in real Wi-Fi or IoT environments.

show abstract

Section: ) Stage 1 Defense Mechanismsmentioning

confidence: 99%

Section: G Comparison With Existing Defense Mechanismsmentioning

confidence: 99%

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks

Thankappan,

Rifà-Pous,

Garrigues

2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…In the above scenarios, it is challenging to distinguish MC-MitM attacks correctly. Some significant defense mechanisms [7], [16], [26], [27] have been proposed in the literature. Generally, such defense mechanisms practice cryptographic authentication of communication channels, beacons, or devices to identify intrusions.…”

Section: A Challenges In Detecting Mc-mitm Attacksmentioning

confidence: 99%

“…Chatterjee et al [26] proposed a Physically Unclonable Functions (PUF) based defense to prevent rogue AP's actions during the MC-MitM attack. Their basic idea was to generate a unique secret key from the AP's PUF signature and use it to authenticate devices (the AP and client) mutually.…”

Section: ) Stage 1 Defense Mechanisms: Vanhoef Et Al [7] Proposed An ...mentioning

confidence: 99%

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-The-Middle Attacks Against Protected Wi-Fi Networks

Thankappan¹,

Rifà-Pous²,

Garrigues³

2022

SSRN Journal

View full text Add to dashboard Cite

“…Therefore, device authentication for Wi-Fi network security is indispensable [7,8]. IEEE 802.11i provides cryptographicbased device authentication methods, but it has been proven to lack security [9][10][11][12]. What is more, Wi-Fi devices with limited hardware resources cannot support these authentication schemes well, which brings challenges to the usage of cryptographic-based device authentication technology.…”

Section: Introductionmentioning

confidence: 99%

Enhancing Packet‐Level Wi‐Fi Device Authentication Protocol Leveraging Channel State Information

Song

Chen

et al. 2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

Wi-Fi device authentication is crucial for defending against impersonation attacks and information forgery attacks. Most of the existing authentication technologies rely on complex cryptographic algorithms. However, they cannot be supported well on the devices with limited hardware resources. A fine-grained device authentication technology based on channel state information (CSI) provides a noncryptographic method, which uses the CSI fingerprints for authentication since CSI can uniquely identify the devices. But long-term authentication based on CSI fingerprints is a challenging work. First, the CSI fingerprints are environment-sensitive, which means that the local authenticator should be updated to adapt to the changing channel state. Second, the local authenticator trained with old CSI fingerprints is outdated when users reconnect to the network after being offline for a long time, thus, it needs to be retrained in the access phase with new fingerprints. To tackle these challenges, we propose a CSI-based enhancing Wi-Fi device authentication protocol and an authentication framework. The protocol helps to collect new CSI fingerprints for authenticator’s training in access phase and performs the fingerprints’ dispersion analysis for authentication. In the association phase, it provides packet-level authentication and updates the authenticator with valid CSI fingerprints. The authenticator consists of an ensemble of small-scale autoencoders, which has high enough time efficiency for packet-level authentication and authenticator’s update. Experiments show that the accuracy of the framework is up to 98.7%, and the authenticator updating method can help the framework maintains high accuracy.

show abstract

Stupify: A Hardware Countermeasure of KRACKs in WPA2 using Physically Unclonable Functions

Cited by 10 publications

References 4 publications

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-The-Middle Attacks Against Protected Wi-Fi Networks

Enhancing Packet‐Level Wi‐Fi Device Authentication Protocol Leveraging Channel State Information

Contact Info

Product

Resources

About