ABSTRACT
Investigating the security of Wi-Fi devices often requires writing scripts that send unexpected or malformed frames and then monitor how the devices respond. Such tests generally use Linux and off-the-shelf Wi-Fi dongles. Typically, the dongle is put into monitor mode to get access to the raw content of received Wi-Fi frames and to inject, i.e., transmit, customized frames. In this paper, we demonstrate that monitor mode on Linux may, unbeknownst to the user, mistakenly inject Wi-Fi frames or even drop selected frames instead of sending them. We discuss cases where this causes security testing tools to misbehave, making users believe that a device under test is secure while in reality it is vulnerable to an attack. To remedy this problem, we create a script to test raw frame injection, and we extend the Radiotap standard to gain more control over frame injection. Our extension is now part of the Radiotap standard and has been implemented in Linux. We tested it using commercial Wi-Fi dongles and using openwifi, which is an open implementation of Wi-Fi on top of software-defined radios. With our improved setup, we reproduced tests for the KRACK and FragAttack vulnerabilities, and discovered previously unknown vulnerabilities in three smartphones.
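The injection controls the abstract refers to live in the Radiotap header that precedes every frame handed to a monitor-mode interface. The following added example (not the paper's injection script) builds such a header with the TX flags field and parses it back, honouring Radiotap's field alignment and chained "present" words; the bit positions and flag values are those of the Radiotap standard and Linux's ieee80211_radiotap.h, and only the three fields listed are understood.

```python
import struct

# Radiotap "present" bit indices and (alignment, size) of the fields this
# example understands; the TX flags field is where injection control lives.
RT_FLAGS, RT_RATE, RT_TX_FLAGS = 1, 2, 15
FIELD_LAYOUT = {RT_FLAGS: (1, 1), RT_RATE: (1, 1), RT_TX_FLAGS: (2, 2)}

# TX flags bits (Radiotap standard): don't wait for ACK, don't rewrite the
# sequence number, don't reorder relative to other queued frames.
TX_NOACK, TX_NOSEQNO, TX_ORDER = 0x0008, 0x0010, 0x0020


def build_injection_header(rate_500kbps=2, tx_flags=TX_NOACK | TX_NOSEQNO | TX_ORDER):
    """Build a Radiotap (version 0) header carrying Flags, Rate and TX flags."""
    present = (1 << RT_FLAGS) | (1 << RT_RATE) | (1 << RT_TX_FLAGS)
    body = struct.pack("<B", 0)                  # Flags: no FCS, no short preamble
    body += struct.pack("<B", rate_500kbps)      # Rate in 500 kbps units (2 = 1 Mbps)
    body += b"\x00" * (-len(body) % 2)           # TX flags is a u16: pad to 2-byte alignment
    body += struct.pack("<H", tx_flags)
    it_len = 8 + len(body)                       # fixed header is 8 bytes
    return struct.pack("<BBHI", 0, 0, it_len, present) + body


def parse_radiotap(buf):
    """Return (header_len, {present_bit: value}) for the known fields.

    Skips chained present words (bit 31 set), aligns each field relative to
    the start of the header, and stops at the first unknown field because
    its size (and hence every later offset) would be unknown."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len < 8 or it_len > len(buf):
        raise ValueError("malformed radiotap header")
    off = 8
    word = present
    while word & (1 << 31):                      # another present word follows
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    fields = {}
    for bit in range(29):                        # bits 29..31 are namespace/ext control
        if not present & (1 << bit):
            continue
        if bit not in FIELD_LAYOUT:
            break
        align, size = FIELD_LAYOUT[bit]
        off += -off % align
        fields[bit] = int.from_bytes(buf[off:off + size], "little")
        off += size
    return it_len, fields
```

Prepending the returned header to a raw 802.11 frame and writing it to a monitor-mode socket is what an injection test does; parsing it back is how a test script can confirm which flags were actually set before blaming the driver.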
Index Terms
- Testing and Improving the Correctness of Wi-Fi Frame Injection