Advanced WiFi Attacks using Commodity Hardware

Presented at BruCON 0x07 (2015), Oct. 8, 2015, 11 a.m. (60 minutes)

This talk explains how advanced low-layer attacks against WiFi can be implemented by modifying the firmware of off-the-shelf WiFi dongles. This allows us to use cheap 15$ WiFi dongles to carry out attacks which previously required expensive USRP setups costing more than 3500$. Several types of attacks are implemented and tested. First, we show how to give ourselves a higher throughput than normally allowed. While some systems attempt to detect such selfish behavior, we show that these can easily be bypassed. We then continue by creating a continuous jammer, which makes the channel completely unusable for all devices. Based on this we also show how to implement a selective jammer, which jams only packets of specific clients. This is achieved by decoding the MAC header of a packet while it is still being transmitted, and jamming the remaining content of the packet if it is sent towards (or from) a client we are targeting. It’s surprising that all this is possible using cheap hardware, in particular the selective jammer, since it must adhere to very strict timing constraints in order to jam the remaining content of the packet in time. We also turn our jamming attacks around and explain how they can be utilized to protect networks and devices. All combined, this clearly shows that jamming techniques can no longer be ignored. Finally, we demonstrate how our low-layer attacks facilitate attacks against higher-layer protocols. In particular, we use our modified firmware to implement a channel-based man-in-the-middle attack. This allows reliable manipulation of encrypted traffic, and can be utilized to break WPA-TKIP when it is used to protect broadcast packets. Interestingly, we found that, though TKIP is nowadays rarely used to protect unicast traffic, it is still widely used to protect broadcast traffic.

Presenters:

  • Mathy Vanhoef
    Mathy Vanhoef is a doctoral researcher at KU Leuven specializing in wireless security. In this area he has uncovered several issues in both protocol designs and vendor implementations. He also has experience in information flow research, stream cipher analysis (RC4), and low-level vulnerabilities and exploitation techniques. Finally, he’s an active member of KU Leuven’s Hacknamstyle CTF team, where he regularly gives workshops on practical security topics.
