attacks


SECURITY ATTACKS ON DIFFERENT Wi-Fi PROTOCOLS

Prof. S. O. Rajankar, Dept. of Electronics and Telecommunication, Sinhgad College Of Engineering, Vadgaon (Bk.), Pune-41, India

Mr. Nachiket Ketkar, Dept. of Electronics and Telecommunication, Sinhgad College Of Engineering, Vadgaon (Bk.), Pune-41, India

Abstract—This paper describes different attacks that are possible on Wi-Fi protocols. It mostly concentrates on attacks on WEP and WPA, as they are the most popular protocols. The third protocol is WPA2, which is similar to WPA except for some changes. This paper is a study for the project of designing software for Wi-Fi audit.

Keywords- WEP, WPA, Packet building attacks, Key Recovery attacks

I. INTRODUCTION

Security in Wi-Fi networks is a very important subject, because Wi-Fi networks are now used extensively. Although numerous protocols have been suggested for Wi-Fi security, they fail to protect against various attacks because they are not upgraded. To secure a deployed Wi-Fi network, it first has to be checked for vulnerability to the types of attack that are popular and likely to occur at present. The owner of the network also needs to know what security measures are currently in place and what measures need to be added to the Wi-Fi settings so that the deployed network is secure against the attacks that may happen in the current scenario. For this reason, attacks on Wi-Fi networks need to be studied in depth. In this seminar the two prominently used Wi-Fi protocols and the attacks on them are studied.

There are a total of three protocols deployed on Wi-Fi:

1. WEP (Wired Equivalent Privacy)
2. WPA (Wireless Protected Access)
3. WPA2 (Wireless Protected Access 2)

Of these, WEP is the most used protocol, and thus many attacks have been developed against it. Though it is vulnerable, it is still widely used because of its simplicity. The third protocol, WPA2, is similar to WPA in most ways; only a small difference makes it more secure than WPA. Attacks on WPA and WPA2 are almost the same, with higher computational complexity and a lower probability of success for WPA2. So this seminar focuses only on WEP and WPA.

The aim of this paper is to study the attacks on WEP and WPA and to see how WPA is better than WEP. The seminar also covers the encryption and decryption techniques used in these protocols, so it provides the basic knowledge of the protocols as well.

II. ATTACKS ON WEP

A. Key recovery attacks

1. FMS attack

Fluhrer, Mantin and Shamir published the first key recovery attack on WEP in 2001. Their attack is based on the following ideas: an attacker who listens passively to the traffic of a WEP-protected network can record a lot of encrypted packets, including the initialization vectors used for these packets. Because the first bytes of the plaintext of most packets are easily predictable, the attacker is able to recover the first bytes of the keystreams used to encrypt these packets. The initialization vector is transmitted unprotected with the packets, so the attacker initially also knows the first 3 bytes of the per-packet key for all packets. All following bytes of the per-packet key are the same for all packets, but are initially unknown to the attacker.

This attack uses weaknesses in RC4. If four conditions hold, the attacker can perform a manipulation on RC4 that allows him to guess a byte of the key with a five percent probability. Using a voting system, he can guess a probable key and test it. If the key is not correct, he moves on to another likely key and tries again. More specifically, the attack works as follows: as the attacker knows the first l bytes of the per-packet key, he can simulate the first l steps of the RC4-KSA.

The attack needs 4,000,000 to 6,000,000 packets to succeed with a success probability of at least 50%, depending on the exact environment and implementation. The reason for this is that the resolved condition holds only for a small number of randomly chosen initialization vectors.

2. KoreK attack

KoreK posted an implementation of an advanced WEP attack tool to the netstumbler.org forum. Basically this was an advanced version of the FMS attack. FMS uses a correlation between the first x bytes of the pre-shared key, the first byte of the keystream and byte x + 1 of the pre-shared key. The KoreK attack uses several similar correlations, including some that were previously discussed in public, the one from the original FMS paper and several that were found by KoreK himself. The attack follows the same pattern as the FMS attack: correlations between the first x pre-shared key bytes, the first two bytes of the keystream and byte x + 1 of the pre-shared key are used to gather votes for different values for the different bytes. The result is a decision tree that allows the attacker to obtain the pre-shared key by trial and error. With the additional correlations, the number of packets with unique IVs necessary for a 50% success chance is reduced to about 700000.

In 2004, a person under the pseudonym KoreK posted an implementation of an advanced WEP cracking tool in an internet forum. KoreK used 16 additional correlations between the first l bytes of an RC4 key, the first two bytes of the generated keystream, and the next key byte K[l]. Most of these correlations were found by KoreK himself; a few had been discussed in public before. KoreK assigned names like A_u15 or A_s13 to these attacks; the original FMS attack is called A_s5_1 here. Nearly all correlations found by KoreK use the approach that the first or second byte of the keystream reveals the value of j_{l+1} under some conditions, if 2-4 values in S have a special constellation and are not changed during the remaining RC4-KSA after step l + 1. An interesting exception is the A_negative correlation, which doesn't vote for a certain value of K[l]. Instead, a value can be excluded from the list of possible candidates for K[l], which can be seen as a negative vote for K[l]. The overall attack structure is the same decision-tree-based approach as for the FMS attack, and it lets the attacker find the key faster. The number of captured packets is reduced to about 700,000 for 50% success probability. Again, the exact numbers depend on the exact environment and on the implementation and parameters used for the attack. One important factor is whether the initialization vectors are generated by a PRNG algorithm or sequentially by a counter.

3. Klein's attack

In 2006, Klein showed an improved way of attacking RC4 and WEP which does not depend on any weak IV. The advantage of this attack is the small number of packets required for the recovery of the WEP key compared with the FMS attack and the KoreK attack.

Klein's attack is formed by the KSA and PRGA rewinding. The attacker collects the probed values for K[i] and finally selects the one with the highest vote. Note that to retrieve the secret key byte K[i], this attack must first successfully recover the previous bytes K[3],...,K[i − 2],K[i − 1]. Thus this attack has to execute iteratively to retrieve the whole WEP key. However, this approach has a significant disadvantage. If the attack guesses a wrong key byte by mistake, the whole WEP key will probably be mis-recovered due to the key byte dependency. Thus, this attack suffers from key byte dependency when retrieving the WEP key.

4. PTW attack

To solve Klein's computational problem, Tews, Weinmann and Pyshkin proposed an attack which reduces the dependency among WEP key bytes. Thus this attack can independently recover the sum of the WEP key bytes.

We describe the flow of the PTW attack. To begin with, the PTW attack estimates the internal state from the IV only (Klein's attack uses the IV and the previous WEP key bytes), and approximates this internal state as a later internal state. After that it executes the KSA and PRGA rewinding in the same way as Klein's attack to retrieve the sum of the WEP key bytes.

This attack can retrieve the sum of the WEP key bytes by using the IV and the keystream Z1 to Z15. Furthermore, the success probability of recovering the whole WEP key would increase by utilizing the keystream Z16 to Z31, because it can increase the number of vote counts. However, the success probability of the PTW function decreases even if it guessed the correct previous key byte. To solve this problem, Teramura et al. proposed the TeAM-OK attack.

B. Packet Building attacks

1. Chopchop attack

The chopchop attack (www.aircrack-ng.org/doku.php?id=korek_chopchop) exploits WEP encryption by determining the PSK through trial and error, rather than mathematically or cryptographically. Figure 2 diagrams the attack. The chopchop attack uses the access point (AP) to decipher wireless Address Resolution Protocol (ARP) packets. The attack chops off the packet's last byte and assumes that the encrypted byte is 0. The attack corrects the packet on the basis of a guess of 0, re-encrypts it, and sends it to the AP. If the guess is correct, the AP retransmits the packet because the attack is using a multicast packet. In this case, the attacker knows the guess was correct. If the AP drops the packet, the attacker guesses 1 and restarts the process. Consequently, the attacker can capture a WEP-encrypted frame and replay it multiple times to decipher the payload one byte at a time. Attackers can decode small ARP frames in 10 to 20 seconds without breaking the WEP key.

Fig. 1 Chopchop attack

2. Fragmentation attack

Though a "fragmentation issue" had already been mentioned before, the first practical fragmentation attack [1] was released in 2005 by Bittau et al. in a paper called "The Final Nail in WEP's Coffin". The attack works as follows. At first, the attacker needs to eavesdrop on a packet. As all packets sent in an 802.11 network have similar headers, the attacker can know or guess the first 8 bytes of clear text. XORing these 8 bytes with the 8 corresponding bytes of cipher text yields 8 bytes of keystream for a specific IV. Those 8 bytes of keystream cannot be used to send a whole packet on the network (it would be ridiculously small). But the WEP protocol allows a single packet to be sent in up to 16 fragments. Therefore, the 8 known bytes of keystream can be used to broadcast a packet containing 64 bytes of known text in 16 fragments. (Only 64 bytes of known text are possible because each fragment needs its 4-byte CRC32 checksum.) When the AP receives those 16 fragments, it deciphers them, combines them into a single packet, encrypts it and sends it back on the network. This packet is 68 bytes long (64 bytes of known text and 4 bytes of ICV). With an XOR, the attacker now has 68 bytes of keystream for a given IV. By repeating this process, the attacker can get up to 1500 bytes of keystream for an IV. Once 1500 bytes of keystream are known for a given IV, it is easy to get 1500 bytes of keystream for other IVs by simply sending a broadcast packet of 1500 bytes to the AP. The AP will then relay this packet, but encrypted with a new IV.

As C ⊕ M = K the attacker can get the keystream for other IVs and build a dictionary, allowing him to decipher every single packet on the network, and also to create traffic.
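The keystream arithmetic of this section, worked through as an added example (not code from the paper or from any tool it cites): a toy WEP encapsulation shows that known plaintext XOR ciphertext yields the keystream for that IV, and `keystream_after_round` reproduces the 8 to 68 byte step described above; applying it to later rounds is a generalization. The key, IV and frame contents are constructed sample values, and the function names are chosen for this example.

```python
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n output bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body: (plaintext || CRC-32 ICV) XOR RC4(IV || key)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(body, rc4_keystream(iv + key, len(body)))


def keystream_after_round(known: int, fragments: int = 16,
                          icv_len: int = 4, cap: int = 1500) -> int:
    """Keystream bytes known after one relay round.

    Each fragment spends icv_len bytes of keystream on its checksum, so it
    carries (known - icv_len) bytes of chosen text; the relayed packet then
    exposes that text plus its own ICV. Capped at the 1500 bytes in the text.
    """
    return min(fragments * (known - icv_len) + icv_len, cap)


# Constructed sample values (not taken from any real network).
KEY = bytes.fromhex("0102030405")             # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")                  # sent in clear with each frame
SNAP_ARP = bytes.fromhex("aaaa030000000806")  # predictable 8-byte LLC/SNAP header
FRAME_1 = SNAP_ARP + b"constructed ARP body"
FRAME_2 = bytes.fromhex("aaaa030000000800") + b"another frame, same IV"


def demo():
    c1 = wep_encrypt(IV, KEY, FRAME_1)
    c2 = wep_encrypt(IV, KEY, FRAME_2)
    ks8 = xor(c1[:8], SNAP_ARP)        # C xor M = K, first 8 bytes
    leaked = xor(c2[:8], ks8)          # same IV, so same keystream
    return ks8, leaked


if __name__ == "__main__":
    ks8, leaked = demo()
    print("keystream prefix:", ks8.hex())
    print("frame 2 header recovered without the key:", leaked.hex())
    known = 8
    while known < 1500:
        known = keystream_after_round(known)
        print("keystream bytes known:", known)
```

The recovered prefix never involves `KEY`: the confidentiality of every frame under one IV rests entirely on that IV's keystream staying unknown, which is why a per-IV keystream dictionary is as good as the key for reading traffic.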

3. Coolface attack

The Coolface attack uses the second mode of WEP authentication: Shared Key. As opposed to Open System authentication, the client has to solve a challenge to be connected. The AP sends a challenge to the client, and the client sends back the encrypted challenge. If it is correct, the AP accepts the connection. This is a new opportunity for the attacker, who can get both a plaintext and the corresponding encrypted text. To switch from Open System to Shared Key mode, the attacker can begin a denial of service against the AP and then usurp the AP's identity, thus enabling Shared Key authentication. Repeating this operation, the attacker builds an IV dictionary very fast.

4. Google replay attack

The Google Replay Attack is based on the fact that any ordinary user with access to the internet will do a Google search. A lot of web users have the URL http://www.google.com as their home page. It means the Google logo, a 7330-byte image, is downloaded every time. With this data, an attacker can easily recover a part of the keystream, knowing both the plaintext and the encrypted text. The main difficulty for the attacker is to know exactly at which moment the client will download the Google logo. He has to study the structure of TCP/IP packets and wait for a packet whose size is exactly 7330 bytes.

II. ATTACKS ON WPA

1. Beck and Tews' Improved Attack on RC4

In 2008 Beck and Tews released an attack on WPA. This is not a key recovery attack, but it exploits weaknesses in TKIP to allow the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS (Denial of Service) or ARP poisoning. To be practical, the attack requires Quality of Service (QoS) to be enabled. QoS is a feature of the WPA standard that allows several channels to be used. Each channel has its own TSC. As channel 0 is used for most of the traffic, it is possible to inject valid packets on other channels, where the TSC will likely be lower. The attack also requires the Key Renewal Interval to be longer than 15 minutes (the time needed to decrypt an ARP packet with this attack).

The attack works as follows. First, the attacker deauthenticates a station (STA). Then, the attacker can capture an ARP packet. He then performs a modified Chopchop attack to recover the Integrity Check Value (ICV) and MIC of the packet. When this is done, the attacker has to guess the last part of the packet: the IP addresses. Eventually, he reverses the MICHAEL algorithm and gets the MIC key. Knowing the keystream and the MIC key, the attacker can now inject custom packets into the network, but only on channels with a lower TSC.

A modified version of Chopchop must be used because the attack has to bypass the MIC countermeasure. The modified Chopchop attack works as follows. The attacker acts as an AP sending data to a STA. It chops off the last byte of a packet as the regular Chopchop attack does. When the correct byte is guessed, the ICV of the truncated packet is correct, but the MIC is not. This causes the STA to send a MIC failure report. So when the attacker receives a MIC failure report, he knows that his guess was correct. Then, he has to wait for a minute in order to prevent the MIC countermeasure from triggering. Eventually, he can chop off a new byte, and so on. Nevertheless, this attack has limitations: the TSC limits the number of packets that can be injected into the network to 3 to 15 per QoS channel.
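A detection-side view of the pacing described above, as an added example that is not from the paper: two MIC failures within 60 seconds trigger the TKIP countermeasure, so the modified Chopchop appears in logs as one station reporting MIC failures at just over one-minute intervals. The log line format, the 30-second slack and the run threshold are assumptions made for this example, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log format, constructed for this example:
#   <ISO timestamp> MIC_FAILURE sta=<MAC address>
LINE = re.compile(r"^(\S+) MIC_FAILURE sta=([0-9a-f:]{17})$")

COUNTERMEASURE_WINDOW = 60  # seconds; two failures inside it trip the countermeasure
PACED_SLACK = 30            # assumed tolerance above the one-minute pace
MIN_RUN = 4                 # assumed number of paced failures before alerting


def parse(lines):
    """Group MIC failure timestamps by reporting station."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    return {sta: sorted(ts) for sta, ts in events.items()}


def classify(timestamps):
    """Return 'countermeasure', 'paced-probing' or 'benign' for one station."""
    gaps = [(b - a).total_seconds()
            for a, b in zip(timestamps, timestamps[1:])]
    if any(g < COUNTERMEASURE_WINDOW for g in gaps):
        return "countermeasure"      # the AP would already have reacted
    run = best = 1
    for g in gaps:
        # A gap just above the window extends a paced run; a long gap resets it.
        run = run + 1 if g <= COUNTERMEASURE_WINDOW + PACED_SLACK else 1
        best = max(best, run)
    return "paced-probing" if best >= MIN_RUN else "benign"


def detect(lines):
    return {sta: classify(ts) for sta, ts in parse(lines).items()}


# Constructed sample log.
SAMPLE_LOG = """\
2024-03-01T10:00:00 MIC_FAILURE sta=02:00:00:00:00:0a
2024-03-01T10:00:00 MIC_FAILURE sta=02:00:00:00:00:0b
2024-03-01T10:00:00 MIC_FAILURE sta=02:00:00:00:00:0c
2024-03-01T10:00:20 MIC_FAILURE sta=02:00:00:00:00:0c
2024-03-01T10:01:05 MIC_FAILURE sta=02:00:00:00:00:0a
2024-03-01T10:02:10 MIC_FAILURE sta=02:00:00:00:00:0a
2024-03-01T10:03:14 MIC_FAILURE sta=02:00:00:00:00:0a
2024-03-01T10:04:20 MIC_FAILURE sta=02:00:00:00:00:0a
2024-03-01T12:30:00 MIC_FAILURE sta=02:00:00:00:00:0b
""".splitlines()

if __name__ == "__main__":
    for sta, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(sta, verdict)
```

Genuine MIC failures are rare on a healthy link, so a run of them that consistently stays just outside the 60-second window is worth an alert even though no countermeasure ever fires.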

2. Ohigashi-Morii Attack

The Ohigashi-Morii Attack (2009) is an improvement of the Beck-Tews attack on WPA-TKIP. Ohigashi and Morii developed a man-in-the-middle (MITM) attack that doesn't need IEEE 802.11e QoS activated, thereby reducing the overall attack time. Indeed, this new attack is efficient for all modes of WPA and not just those with QoS features. The time to inject a fake packet is reduced from approximately 15 minutes to 1 minute at best. For this attack, a man-in-the-middle attack is superposed on the Beck-Tews attack, with tips to reduce the execution time of the attack. Figure 3 diagrams the basic attack. This attack prevents chopchop packets from reaching the client station and disconnecting the victim station. It uses directional antennas and selective packet replay. It can relay or withhold packets from the station or the AP as needed. (In this case, the TSC isn't incremented by the received packets.) But in a real-world scenario, finding a disconnected client and getting between it and the AP is nearly impossible. The attacker must be in range of the station and the AP, and the station must be outside the AP's range. This severely limits ease of use, raising the cost and exposure to the attacker. However, "difficult but not impossible" is just the type of opportunity well-funded advanced persistent threats look for.

Fig.2 Ohigashi-Morii Attack

3. The Hole196 Vulnerability

The Hole 196 vulnerability, found by Sohail Ahmad (Airtight Networks) in 2010, concerns the part of the standard that explains how the GTK is a one-way key that protects multicast and broadcast traffic. This attack isn't a key recovery attack; the attacker has to be an authorized user of the network. First, he sends an ARP request with his MAC address and the IP address of the AP. The other clients of the AP then update their ARP tables and send their packets to the MAC address of the attacker. So the attacker receives the packets decrypted by the AP and re-encrypted with his key, and is therefore able to read them. It's a man-in-the-middle attack, and it works because everyone can build and broadcast fake packets with the GTK (shared group key).

All the wireless supplicants that have joined the network know and store this key. The standard mentions that the GTK doesn't provide pairwise key support to protect from spoofing or data forgery. Accordingly, a trusted insider can spoof multicast messages protected by the one-way GTK. The Hole 196 attack can enable wireless ARP spoofing. Such spoofing monitors all traffic and executes an MITM attack that uses the AP to decode encrypted traffic. So, stations acting on behalf of a malicious insider can forge an ARP request packet that announces that their machine is the gateway. Some call this a "pickpocket attack" (one person distracts the victim while a third party easily empties the victim's pockets). This attack poisons the victim station's ARP cache for the gateway.

4. Michael attack

We wrote earlier that the Michael algorithm is expected to produce a hash of some plaintext. Nevertheless, in 2008, Beck and Tews found a way of reversing the Michael algorithm. And in 2010, Beck found a way to perform an attack based upon the flaws in Michael. Specifically, he found that if the internal state of Michael reaches a certain point, the Michael algorithm resets. Therefore, one can inject some text of one's choice into a packet and add a string that resets the Michael algorithm; the packet is then changed but Michael's result remains correct. A complete protocol for performing a Michael Reset Attack is described in Beck's paper, but note that the requirements of this attack are even tighter than the requirements of a classic Beck and Tews attack. Moreover, simply disabling QoS renders this attack impossible.

5. Dictionary attack against the handshake

There exists a key recovery attack on WPA (Pre-Shared Key version) when the key is a word from a dictionary. By eavesdropping on the network, the attacker aims to get a handshake: the hash of the key exchanged between the client and the AP when the client begins the connection. The attacker can wait, or launch a deauthentication attack against the client. When he gets the hash, he can try to find the key with a dictionary attack, a rainbow attack or one of the multiple attacks that exist on hashed keys in general.

III. CONCLUSION

Thus different Wi-Fi protocols and the attacks on them have been studied. They have also been classified to make the study simpler. It is observed that WEP is very vulnerable to these attacks, as it is the simplest protocol and hence very easy to crack. WPA is a complex protocol and thus is hard to crack. Previously hardware did not support WPA, but nowadays hardware with WPA support has also been developed. Thus many scientists suggest that we should start using WPA and that WEP should not be used in secure networks.

IV. REFERENCES

[1] Proposal of a Secure WEP Operation against Existing Key Recovery Attacks and its Evaluation by Tsubasa Tsukaune, Yasuke Todo and Masakatu Morii, 2012 Seventh Asia joint conference on information security.

[2] The insecurity of wireless networks by Frederick T. Sheldon, John Mark Weber, Seong-Moo Yoo and W. David Pan.