Advanced WiFi Attacks using Commodity Hardware

Presented at BruCON 0x0A (2018), Oct. 3, 2018, 10:30 a.m. (60 minutes)

This talk explains how low-layer attacks against WiFi can be implemented by modifying the firmware of off-the-shelf WiFi dongles. Additionally, in this new version of the talk, we also discuss how mobile phones can be modified to carry out similar attacks. First, we show how to give ourselves a higher throughput than normally allowed. Then we create a continuous jammer which makes the channel completely unusable for all devices. Based on this, we also show how to implement a selective jammer, allowing one to jam only packets of specific clients. It is surprising that all this is possible using cheap hardware, in particular the selective jammer, since it must adhere to very strict timing constraints to jam the targeted frames in time. Finally, we demonstrate how our low-layer attacks facilitate attacks against higher-layer protocols. In particular, we use our modified firmware to implement a multi-channel man-in-the-middle attack. This can then be used to attack WPA-TKIP. In this new version of the talk we also discuss how this MitM position was used in the KRACK attacks against WPA2, and in several other attacks against protected Wi-Fi networks.

Presenters:

  • Mathy Vanhoef
    Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He is best known for his KRACK attack against WPA2 and the RC4 NOMORE attack against RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols, applied cryptography, and software security. Currently his research is about automatically discovering (logical) vulnerabilities in network protocol implementations. Apart from research, he is also interested in low-level security, reverse engineering, and binary exploitation.
