Sunday, July 10, 2011

Understanding Association Lockout Problem in MFP Enabled Wi-Fi Networks

Association Lockout is a problem that occurs in Management Frame Protection (MFP) enabled WLANs. It is the worst consequence of a (Re)Association Request frame based Denial of Service (DoS) attack, in which the attacker manages to delete the security association of an already authenticated and authorized client. By sending a spoofed (Re)Association Request frame, the attacker tricks the AP into believing that a legitimate client has disconnected and is attempting to establish a fresh connection. In the original 802.11i standard there is no MAC layer test the AP can use to confirm whether the legitimate client has actually disconnected or not.
Let's try to understand how severe this attack is in an MFP enabled WLAN.

When an attacker sends a spoofed Association Request frame (it is an unprotected frame and can be spoofed) to an MFP AP, the AP can either ignore the request, on the grounds that the client is already associated, or honor it and delete the old security association. The former is not a good choice: a client that reboots for whatever reason loses its own key state and would then never be able to associate with the AP again. With the latter, the security association of a legitimate client can be deleted by anybody who sends a spoofed (Re)Association Request. The AP now expects the client to complete layer 2 connection establishment and the higher layer authentication procedure in order to establish a new security key. Since the frame was sent by the attacker, the client remains unaware that its security state on the AP has been deleted and keeps sending encrypted data to the AP. As no security key exists on the AP for this client any more, the AP rejects the client's data frames and sends a deauthentication notification. Without a key, that deauthentication frame has to be unprotected, and because the client is an MFP client that still holds a valid security state, it does not honor unprotected deauthentication frames. The two sides repeat this exchange indefinitely and never resynchronize their state. This AP and client state is an example of a deadlock in a WLAN environment and is known as the "Association Lockout" problem.
The problem has been shown to be present in Cisco's proprietary implementation of MFP:
http://www.networkworld.com/community/node/30842

So, that's all about the Lockout problem. Hope you are enlightened.

Thursday, July 7, 2011

Is 802.11w panacea to all wireless DoS attacks?

IEEE 802.11w is an amendment to the 802.11 standard for WiFi networking. It was ratified in September 2009 and since then a couple of vendors have announced support for it. Cisco, a WLAN vendor with a major market share, has been shipping products with a similar proprietary capability which it calls Management Frame Protection (MFP). Here are more details about Cisco's MFP

Cisco has been positioning MFP as a solution to some serious wireless attacks, e.g. DoS attacks, man-in-the-middle (MITM) and dictionary attacks. In fact, the common perception about MFP or 802.11w is that it will solve most wireless DoS attacks. In reality, MFP was already shown to be broken in 2008. You can read more about it here

A paper published recently at WiSec 2011 also highlights some weaknesses of the IEEE 802.11w amendment. In this article, we will try to understand the key changes introduced in 802.11w and how they are meant to mitigate wireless DoS attacks:

The most important feature introduced in IEEE 802.11w is protection of management frames. It also provides a solution to the Association Lockout problem (deletion of a legitimate client's state on the AP by an attacker, causing a deadlock). Key attributes of IEEE 802.11w are presented below:
Robust Management Frames: The IEEE 802.11w amendment defines Deauthentication, Disassociation and (most) Action frames as Robust Management (RM) frames and associates three security properties with them: data origin authenticity, replay detection and integrity protection of the frame. Beacon, Probe Request/Response, Authentication and (Re)Association frames are not robust and remain unprotected, which is why a (Re)Association Request can still be spoofed even with 802.11w.
Integrity GTK (IGTK) and Broadcast/Multicast Integrity Protocol (BIP): The IGTK is a new key introduced in IEEE 802.11w for group addressed robust management frames. It is an integrity key, not an encryption key: BIP defines how the AP computes a message integrity code (AES-128-CMAC) over the frame with the IGTK and carries it, together with a replay counter, in a Management MIC element, and how clients verify it. Group addressed robust management frames are therefore authenticated and replay protected but not encrypted.
Security Association (SA) Query Procedure: The SA Query procedure has been introduced in IEEE 802.11w to determine the security association state of connected clients and avoid the Association Lockout problem. When the AP receives an unprotected (Re)Association Request for a client that already holds a security association, it does not delete that state. Instead it rejects the request temporarily (status code 30, "association request rejected temporarily; try again later", together with an association comeback time) and sends a protected SA Query Request to the client. A valid SA Query Response proves the client is still there and the request was spoofed, so the existing association is kept; no response within the timeout means the client really did go away, and the AP deletes the old association so that the next (Re)Association Request succeeds.
All unicast RM frames, including SA Query Request/Response, are encrypted and integrity protected with the Pairwise Transient Key (PTK), the same key that is used for encryption/decryption of data frames.

So it is clear that 802.11w shall be able to counter deauthentication and disassociation based wireless DoS attacks, provided both the client and the AP support it and negotiate it (MFP capable/required in the RSN capabilities); a client that does not negotiate it is as exposed as before. There are other known attacks based on management and data frames that exploit implementation vulnerabilities and cause disruption in wireless networks; such DoS attacks cannot be mitigated by 802.11w. Nor does 802.11w propose any fix for physical RF jamming. So even in the presence of 802.11w there will be some hacks and tools left in the arsenal of the attacker to launch DoS attacks, but the amendment is definitely going to drastically increase the reliability of layer 2 wireless connections. Though 802.11w is not a panacea for wireless DoS attacks, it is good enough to discourage the casual DoS attacker.
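To see why both of the AP's options in the Association Lockout post (ignore the repeated request, or honor it) fail, and what the SA Query procedure changes, here is a small added simulation. It is my own illustration, not code from Cisco, the IEEE or the papers referenced above. The AP's per-client security association is a dictionary, "PTKn" strings stand in for the keys a real 4-way handshake would derive, and the client, MAC address and policy names are invented. The only protocol details it relies on are that an MFP client discards unprotected deauthentication frames while it still holds a key, and that 802.11w answers a repeated (Re)Association Request with a temporary rejection followed by an SA Query.

```python
"""Association Lockout and the 802.11w SA Query fix, as a toy state machine.

Added illustration: AP, client, MAC address and keys are invented; "PTKn" strings
stand in for the keys a real 4-way handshake would derive.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional

_keys = itertools.count(1)


def fresh_ptk() -> str:
    """Stand-in for the pairwise key a 4-way handshake would produce."""
    return f"PTK{next(_keys)}"


@dataclass
class Client:
    mac: str
    ptk: Optional[str] = None   # key the MFP client holds; None before association or after a reboot
    present: bool = True        # False models a client that is switched off or out of range

    def answers_sa_query(self, ap_key: str) -> bool:
        """An SA Query Response is protected with the PTK, so only a client that is on
        air and still holds the AP's current key can produce a valid one."""
        return self.present and self.ptk == ap_key

    def on_deauth(self, protected: bool) -> None:
        """MFP clients honor a deauthentication only if it is protected with their PTK."""
        if protected:
            self.ptk = None


@dataclass
class AccessPoint:
    policy: str                                       # "ignore", "honor" or "sa_query"
    sa: Dict[str, str] = field(default_factory=dict)  # mac -> installed PTK

    def on_assoc_request(self, mac: str, station: Client, genuine: bool) -> str:
        """Handle an (unprotected, hence spoofable) (Re)Association Request for `mac`.
        `station` is the real client owning the MAC; `genuine` says whether it sent the frame."""
        if mac not in self.sa:
            if not genuine:
                return "handshake_failed"         # attacker cannot complete the 4-way handshake
            self.sa[mac] = station.ptk = fresh_ptk()
            return "associated"
        if self.policy == "ignore":
            return "ignored"                      # keep old SA; a rebooted client can never return
        if self.policy == "honor":
            del self.sa[mac]                      # trust the frame; old SA deleted unconditionally
            return self.on_assoc_request(mac, station, genuine)
        # 802.11w: reject temporarily (status 30 + comeback time) and probe the existing SA
        if station.answers_sa_query(self.sa[mac]):
            return "rejected_temporarily_sa_kept"    # client is still there: request was spoofed
        del self.sa[mac]                             # no SA Query Response before the timeout
        return "rejected_temporarily_sa_deleted"     # the next genuine request will succeed

    def on_data(self, mac: str, key: Optional[str]) -> str:
        """A data frame is accepted only if it is protected with the key installed for `mac`."""
        if key is not None and self.sa.get(mac) == key:
            return "accepted"
        return "unprotected_deauth"   # no key for this MAC: the AP can only send an unprotected deauth


def spoofed_reassociation(policy: str) -> str:
    """Attacker sends an Association Request with the victim's MAC while the victim is associated."""
    ap, victim = AccessPoint(policy), Client("02:00:00:00:00:01")
    ap.on_assoc_request(victim.mac, victim, genuine=True)
    ap.on_assoc_request(victim.mac, victim, genuine=False)   # the spoofed frame
    for _ in range(3):                                       # victim keeps sending protected data
        if ap.on_data(victim.mac, victim.ptk) == "accepted":
            return "connected"
        victim.on_deauth(protected=False)                    # ignored by the MFP client
    return "lockout"   # AP has no key, client still has one: neither side can make progress


def rebooted_client(policy: str) -> str:
    """The victim reboots, loses its key, and legitimately tries to associate again."""
    ap, victim = AccessPoint(policy), Client("02:00:00:00:00:01")
    ap.on_assoc_request(victim.mac, victim, genuine=True)
    victim.ptk = None                                        # reboot: AP still holds the old SA
    result = ap.on_assoc_request(victim.mac, victim, genuine=True)
    if result == "rejected_temporarily_sa_deleted":          # retry after the comeback time
        result = ap.on_assoc_request(victim.mac, victim, genuine=True)
    if result == "ignored":
        return "stuck"
    return "connected" if ap.on_data(victim.mac, victim.ptk) == "accepted" else result


if __name__ == "__main__":
    for policy in ("ignore", "honor", "sa_query"):
        print(f"{policy:9s} spoofed request -> {spoofed_reassociation(policy):10s}"
              f" rebooted client -> {rebooted_client(policy)}")
```

Running it prints one line per policy: "ignore" survives the spoofed request but leaves a rebooted client stuck, "honor" lets a rebooted client back in but ends in the lockout after a spoofed request, and only "sa_query" handles both, because the temporary rejection plus the PTK-protected SA Query Response is exactly the MAC layer liveness test that 802.11i lacked.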

Tuesday, December 28, 2010

WPA Too!

If you believe that only Open and WEP configurations are unsafe and do not provide inter-user privacy, it is high time to get yourself updated about a new security weakness: WPA too has been found vulnerable. The weakness is inherent in the protocol due to a design choice made by the architects of the 802.11i standard: all clients of a network share a single Group Temporal Key (GTK) for broadcast and multicast traffic.

Since a lot has already been said and written about it, instead of writing it up myself I would redirect you to some interesting and informative articles here.
The most recent article written on this topic can be read here.
A copy of the slide deck presented in the Defcon 18 can be found here.

The WPA/WPA2 protocol lets Wi-Fi users establish a mutual trust relationship with the network, but because the group key is shared by every client, that trust is transitive: WPA/WPA2 users end up in an unintentional trust relationship with each other. A malicious Wi-Fi user exploits this relationship by forging group addressed frames that appear to come from the AP, redirecting legitimate users' traffic through his own machine and gaining access to their private data.

The risk is lower in an enterprise environment where most users are trusted insiders (though insider threats are increasing and corporate spying has also gotten some attention); it becomes extremely high in WPA/WPA2 enabled public Wi-Fi hotspots. Such networks are also set up at conferences, and security enabled municipal Wi-Fi (Google-Secure) and guest Wi-Fi networks are gaining popularity.

In the next blog post I will share some insight into the mitigation strategies discussed and proposed by the community.
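As an added illustration of the transitive trust described above (my own toy model, not the code from the Defcon slides and not real 802.11i cryptography): HMAC-SHA256 stands in for the CCMP message integrity code, station names, MAC addresses and keys are invented, and the forged frame is a constructed ARP-style gateway announcement. The point it shows is that the AP's authority over group addressed frames rests on a key every associated client also holds, whereas unicast frames are protected by a key only the AP and one client share.

```python
"""Why a shared group key makes WPA/WPA2 trust transitive (added toy model).

HMAC-SHA256 stands in for the real 802.11i integrity check; keys, MAC addresses and
the forged frame are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

AP_MAC = "02:00:00:00:aa:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mic(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Toy message integrity code over (source, destination, payload)."""
    return hmac.new(key, f"{src}|{dst}|".encode() + payload, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Station:
    mac: str
    ptk: bytes   # pairwise key: known only to this station and the AP
    gtk: bytes   # group key: identical on every station of the BSS

    def accepts(self, src: str, dst: str, payload: bytes, tag: bytes) -> bool:
        """Verify a received frame: group addressed frames are checked with the GTK,
        unicast frames with this station's own PTK."""
        key = self.gtk if dst == BROADCAST else self.ptk
        return hmac.compare_digest(mic(key, src, dst, payload), tag)


def build_bss() -> Tuple[Station, Station]:
    """Two clients of the same AP: alice is the victim, mallory a malicious insider."""
    gtk = os.urandom(16)
    alice = Station("02:00:00:00:00:0a", os.urandom(16), gtk)
    mallory = Station("02:00:00:00:00:0b", os.urandom(16), gtk)
    return alice, mallory


# constructed payload: what an ARP reply announcing the gateway's MAC would carry
GATEWAY_IS_AT = b"ARP reply: 192.168.1.1 is-at "


def legitimate_group_frame(alice: Station, mallory: Station) -> Tuple[bool, bool]:
    """The AP broadcasts a genuine announcement; both clients verify it with the shared GTK."""
    payload = GATEWAY_IS_AT + AP_MAC.encode()
    tag = mic(alice.gtk, AP_MAC, BROADCAST, payload)   # the AP holds the same GTK as every client
    return (alice.accepts(AP_MAC, BROADCAST, payload, tag),
            mallory.accepts(AP_MAC, BROADCAST, payload, tag))


def insider_forges_group_frame(alice: Station, mallory: Station) -> bool:
    """mallory forges a broadcast with the AP as source: the GTK cannot tell the two apart,
    so alice would redirect its gateway traffic to mallory."""
    payload = GATEWAY_IS_AT + mallory.mac.encode()
    tag = mic(mallory.gtk, AP_MAC, BROADCAST, payload)
    return alice.accepts(AP_MAC, BROADCAST, payload, tag)


def insider_forges_unicast_frame(alice: Station, mallory: Station) -> bool:
    """The same attempt as a unicast frame to alice fails: mallory does not hold alice's PTK."""
    payload = GATEWAY_IS_AT + mallory.mac.encode()
    tag = mic(mallory.ptk, AP_MAC, alice.mac, payload)
    return alice.accepts(AP_MAC, alice.mac, payload, tag)


if __name__ == "__main__":
    a, m = build_bss()
    print("genuine broadcast accepted by (alice, mallory):", legitimate_group_frame(a, m))
    print("insider-forged broadcast accepted by alice    :", insider_forges_group_frame(a, m))
    print("insider-forged unicast accepted by alice      :", insider_forges_unicast_frame(a, m))
```

The group key carries no sender identity, so data origin authenticity for broadcast traffic is only as strong as the secrecy of the GTK among all clients of the network; that is the design choice the post refers to. Note that 802.11w does not change this for data frames: its IGTK is likewise shared by every client and covers only group addressed management frames.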

Thursday, November 4, 2010

SSIDvertisements

[Category- Innovative Ideas]


The number of page views is one of the most important factors deciding the popularity of a website or an online business. Let's imagine a completely wireless world. What would be the most viewed page? Of course, the page that pops up when we search for available Wi-Fi networks or open the Wi-Fi settings on a smartphone.


Figure1: List of Available WiFi Networks
What we see in the list are the names of the available wireless networks in range. In technical terms the name is called the Service Set Identifier or SSID. An SSID is at most 32 octets long (32 bytes, so fewer characters if the name uses multi-byte UTF-8). Thousands of travellers around the world click and search for available wireless networks. So can this be used by local businesses to advertise and promote their products? It sounds weird, but it is possible. You just need a WiFi network that supports SSIDvertisements: you advertise your offerings through the SSID name, and it appears on your potential customer's device as follows:


Figure2: SSIDvertisement seen on a Smartphone
Figure 3: SSIDvertisements seen on a Windows Laptop
In places like airports, stations and sports grounds it is hard to reach people because of the crowds, and you cannot advertise through pamphlets either. But the "SSIDvertisements" technique can help you reach them without extra effort. It is that easy. What you need is a platform or product through which you can advertise the cool discounts or offers you may be giving.


I am talking about a completely hypothetical idea. I haven't yet seen any platform or product that would let you place ads in a wireless network. If you are a wireless platform vendor and want to productize this, please leave a comment with your contact and I will get back to you soon.

Tuesday, November 2, 2010

IBM Researchers Propose To Fix Security Issues of Open Wi-Fi Networks! Oh Really?

IBM researchers have proposed a solution to the security problems of open Wi-Fi networks. It has come in the light of the release of the Firesheep tool.


Basically, two software developers, Eric Butler and Ian "craSH" Gallagher, created and released a Firefox extension at Toorcon 12 this year with which one can easily capture session cookies and hijack the accounts of other users present on an open Wi-Fi network.


Though session hijacking is not a new attack and has been talked about, discussed and demonstrated in various security forums since 2007 (HTTP session hijacking over Wi-Fi was first demonstrated by Robert Graham at Black Hat US in 2007), the key contribution is that the attack has been made extremely easy to execute. I will use another post to talk about the Firesheep tool and how the attack is carried out. In this post I would like to keep the security issues of open Wi-Fi networks as the prime focus and discuss the merits and demerits of the solution presented by researchers of IBM's X-Force group.

There are three major security issues with open Wi-Fi networks:


1. Passive Data Sniffing:
A lot of web services use the HTTP protocol, which does not encrypt the data exchanged between client and server. If such sites are accessed on an open Wi-Fi network, any malicious user within radio range of the wireless client device or the AP can passively sniff and capture the data flowing to or from the client. This data can contain the user's credentials or the website's session cookie, which can be misused to steal the user's valuable private information. Websites that use HTTPS are not vulnerable to passive sniffing, but establishing the connection to an HTTPS enabled website is the crux: a site that sets its session cookie without the Secure attribute still lets the browser send that cookie in the clear on any http:// request to the same site, and users who ignore the certificate warnings sent by web servers have an extremely high chance of getting hacked even though they always use HTTPS enabled services.


2. Man-in-the-Middle (MiTM) Attack
A MiTM attack can be carried out very easily on an open Wi-Fi network. Due to the lack of authentication, it is very convenient for an attacker to attract and establish a connection with a wireless client device that is looking to connect to a public Wi-Fi hotspot or any other open wireless network. Two attacks are mentioned here; though they are alike, technically they differ in the way they are launched.


a. Evil Twin Attack: An evil twin is an attacker planted AP in the proximity of a legitimate wireless network, with the same SSID or network name. Since clients use the network name to discover and establish a connection, it is very difficult for a client to differentiate between the legitimate AP and the attacker's AP, so it is very easy for the attacker to victimize the client device. Sometimes a DoS attack is also launched to prevent clients from connecting to the legitimate network.



b. Honeypot Attack: There is a subtle difference between a honeypot and an evil twin. A honeypot is also an attacker planted AP, but its network name is chosen to lure wireless client devices; for example, the attacker advertises an "open wireless network" service, or answers whatever network name a client probes for. As soon as a wireless client connects to the honeypot AP, the attacker takes control of all its traffic.


3. Wireless Client's Preferred Network List (PNL) Poisoning
Whenever a wireless client device connects to an open Wi-Fi network, an entry for that network is created and remains in the client's cache. This is known as the preferred network list or PNL. So far, wireless clients do not automatically purge the wireless network profiles present in the PNL. This causes the client to keep searching for the availability of every network in the PNL and to connect automatically as soon as a matching network is found. So an unintentional wireless connection (mis-association) is possible, causing various other applications to become active and start accessing web services. For example, an email client can start fetching mail from the mail server without you knowing about the activity or about the network over which the client has been accessing your private mailbox.
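The passive sniffing issue above comes down to which cookies a browser is willing to send over plaintext HTTP. The following added example (my own code, not part of the original post, Firesheep or the IBM proposal) parses a constructed HTTP response and a constructed follow-up request and reports which cookies lack the Secure attribute and therefore end up in a sniffer's capture on an open WLAN. The host name, cookie names and values are invented.

```python
"""Which cookies a passive sniffer on an open WLAN sees (added example).

The HTTP response and request below are constructed; the host name is fictitious.
"""
from typing import Dict, List

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=2f9a1c; Path=/; HttpOnly\r\n"          # no Secure flag
    "Set-Cookie: csrftoken=7b3e; Path=/; Secure; HttpOnly\r\n"      # only ever sent over HTTPS
    "Set-Cookie: remember_me=1; Path=/; Max-Age=2592000\r\n"        # neither flag
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# a later plaintext request the browser makes to an http:// URL on the same site
SAMPLE_REQUEST = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: session_id=2f9a1c; remember_me=1\r\n"
    "\r\n"
)


def parse_set_cookies(response: str) -> Dict[str, Dict[str, bool]]:
    """Return {cookie name: {"secure": bool, "httponly": bool}} from the Set-Cookie headers."""
    header_block = response.split("\r\n\r\n", 1)[0]
    cookies: Dict[str, Dict[str, bool]] = {}
    for line in header_block.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        cookies[cookie_name] = {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return cookies


def cookies_in_request(request: str) -> List[str]:
    """Cookie names the client transmits in one request (what the sniffer captures)."""
    for line in request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return [c.strip().split("=", 1)[0]
                    for c in line.partition(":")[2].split(";") if c.strip()]
    return []


def sidejackable(response: str) -> List[str]:
    """Cookies without the Secure attribute: the browser will send them on any http:// request
    to the site, so they are exposed even if the login itself happened over HTTPS."""
    return sorted(n for n, a in parse_set_cookies(response).items() if not a["secure"])


def captured_by_sniffer(request: str, over_tls: bool) -> List[str]:
    """What a passive listener on the radio gets from one request."""
    return [] if over_tls else cookies_in_request(request)


if __name__ == "__main__":
    print("cookies set without Secure:", sidejackable(SAMPLE_RESPONSE))
    print("captured on an open WLAN  :", captured_by_sniffer(SAMPLE_REQUEST, over_tls=False))
```

HttpOnly does not help here: it only hides the cookie from scripts in the page, while the Secure attribute is what keeps it off plaintext connections. The same check run over real captured headers is a quick way to tell whether a site is exposed to this class of hijacking before worrying about the radio layer at all.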


What exactly are they proposing?
The whole security community falls back on the same public key cryptography technique to solve all types of security problems, and the solution proposed by the IBM researchers is no exception. As briefly described in their post, the client should receive a certificate which authenticates the SSID used by a wireless network service provider. After that, client and AP establish a secure channel, which is then used to access the Internet. Though this is a wonderful idea and has the potential to solve the passive sniffing problem as well as the evil twin, it might not solve the honeypot attack completely. Further, client mis-association will remain a problem until and unless the cached profiles of open Wi-Fi networks are removed from each and every wireless client device.


The proposed solution is impractical in the sense that it requires a software upgrade of wireless access points and clients. Now you may guess the number of wireless client devices used on open Wi-Fi networks that would have to undergo a software upgrade. Essentially, the proposal is a subset of WPA2/802.1X: the certificate is used to differentiate between an authorized and a rogue wireless network, and if you take the inner authentication out of WPA2/PEAP, what you are left with is the same as what the IBM researchers propose. The fact of the matter is that even private enterprises have not been able to adopt this security six years after the standard was finalized, as the biggest bottleneck is managing and maintaining certificates. Here they are proposing a solution to one of the most burning and serious security threats of wireless networks, and it would take years, not months, to deploy it.


The wireless community should put effort into creating a wireless infrastructure that can be trusted like the wired infrastructure. Can we achieve that without spending years solving the open Wi-Fi network problems? Think!

Sunday, October 31, 2010

Are You Betting on Wireless Clients?

If yes, be watchful, as you might be on the verge of inviting serious security risks into your enterprise network or the confidential data residing on it. Unlike APs, WiFi enabled clients are physically unconnected mobile endpoints. They keep moving in and out of your wireless network and might carry infected wireless network profiles. In this blog post I am going to share with you how a wireless client device can easily break the security cordon of an enterprise network.


Infected Clients
An infected wireless device present on the corporate network is a serious security threat. Here infection does not mean infection by a virus or worm; such problems are already well known. A wireless infection can create a backdoor. These infections occur when a roaming wireless client connects to an insecure WiFi network. Two types of infection are possible:

a. Probing clients
Wireless devices keep a memory of the wireless networks they have connected to in the past and keep probing for them. This gives an attacker the opportunity to launch a honeypot attack on a corporate wireless device. Once the infected corporate client connects to the attacker planted "honeypot", several other upper layer attacks can be launched to take root access of the machine. Imagine the infected client is at the same time connected to the corporate network through Ethernet: the attacker can then exploit it to reach the corporate network as well. This is a serious threat to the data residing on the corporate client device and on the corporate network.

b. Ad hoc mode
A corporate client device can be infected by an ad hoc mode or viral SSID profile. Such a client invites peer-to-peer connections from other wireless client devices. An attacker looking for an opportunity to break into the corporate network can make a first connection with the infected client device and later run higher layer attacks or exploits to gain root access to the machine. Once the machine is taken over, the attacker can also connect to the corporate network and scan for vulnerable machines on it. This is a serious threat to the data residing on the corporate client device and on the corporate network.

Virtual AP Threat
Windows 7 includes a new wireless feature called Virtual WiFi (the "hosted network"), which allows its user to run a fully functional access point on a laptop with just a few clicks. Similar features are available in other operating systems and on different types of mobile devices, e.g. Intel's MyWiFi works on Windows Vista as well as Windows 7 and allows the user to run an AP with any type of security configuration. If the client device is connected to the corporate network and has a virtual AP running in open configuration, any unauthorized user can connect to the virtual AP and gain access to the corporate network.
 
It is equally important to scan for wireless clients and determine whether a client is carrying infected wireless profiles or running a virtual AP. This can be achieved with a wireless network monitoring system.
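The checks such a monitoring system runs are mechanical once management frames are captured. The added example below (my own illustration, not the code of any product) applies them to a constructed list of beacon, probe request and probe response records. It covers the evil twin and honeypot APs from the open Wi-Fi post (a foreign BSSID advertising the corporate SSID; one BSSID answering several different probed names) as well as the three client-side problems from this post (corporate clients probing for foreign SSIDs, beaconing an ad hoc network, or beaconing as an infrastructure AP). The SSID, BSSIDs, client inventory and frame records are all invented, and the mapping of a virtual AP to a known client MAC and the multi-SSID responder rule are heuristics, stated as such in the code.

```python
"""Triage of captured 802.11 management frames for client-side threats (added example).

Frame records, MAC addresses, SSIDs and the policy lists are constructed for the example.
A real deployment would fill FRAMES from a capture; this only shows the checks.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Policy inputs (assumptions): the corporate SSID, the BSSIDs allowed to advertise it,
# and the MAC addresses of managed corporate laptops.
CORPORATE_SSID = "M-Mobile"
AUTHORIZED_BSSIDS = {"02:00:00:00:aa:01", "02:00:00:00:aa:02"}
CORPORATE_CLIENTS = {"02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"}

# Constructed capture. kind: beacon | probe_req | probe_resp; ssid "" = wildcard/hidden;
# ibss True marks an ad hoc (IBSS) network, False an infrastructure (ESS) one.
FRAMES: List[Dict] = [
    {"kind": "beacon",     "src": "02:00:00:00:aa:01", "ssid": CORPORATE_SSID,     "ibss": False},
    {"kind": "beacon",     "src": "02:00:00:00:ee:99", "ssid": CORPORATE_SSID,     "ibss": False},  # evil twin
    {"kind": "probe_req",  "src": "02:00:00:00:00:0a", "ssid": "",                 "ibss": False},  # null probe: fine
    {"kind": "probe_req",  "src": "02:00:00:00:00:0b", "ssid": "Free Airport WiFi", "ibss": False},  # leaks PNL
    {"kind": "probe_req",  "src": "02:00:00:00:00:0b", "ssid": "linksys",          "ibss": False},
    {"kind": "probe_resp", "src": "02:00:00:00:ee:98", "ssid": "Free Airport WiFi", "ibss": False},  # same BSSID
    {"kind": "probe_resp", "src": "02:00:00:00:ee:98", "ssid": "linksys",          "ibss": False},  # answers both
    {"kind": "beacon",     "src": "02:00:00:00:00:0c", "ssid": "Free Public WiFi", "ibss": True},   # ad hoc profile
    {"kind": "beacon",     "src": "02:00:00:00:00:0a", "ssid": "laptop-hotspot",   "ibss": False},  # client as AP
]


def analyze(frames: List[Dict]) -> Dict[str, Set[str]]:
    """Return {finding: {MAC addresses}} for the threat classes discussed in the posts."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    names_answered: Dict[str, Set[str]] = defaultdict(set)   # BSSID -> SSIDs seen in its probe responses
    for f in frames:
        src, ssid = f["src"], f["ssid"]
        if f["kind"] == "beacon":
            if ssid == CORPORATE_SSID and src not in AUTHORIZED_BSSIDS:
                findings["evil_twin_bssid"].add(src)
            if src in CORPORATE_CLIENTS:
                # heuristic: a managed client MAC transmitting beacons is either an ad hoc
                # network (IBSS) or a virtual AP; real hosted networks may use a different MAC
                findings["adhoc_client" if f["ibss"] else "virtual_ap_client"].add(src)
        elif f["kind"] == "probe_req":
            if src in CORPORATE_CLIENTS and ssid and ssid != CORPORATE_SSID:
                findings["client_probing_foreign_ssid"].add(src)   # PNL leak, honeypot bait
        elif f["kind"] == "probe_resp":
            names_answered[src].add(ssid)
    for bssid, names in names_answered.items():
        if len(names) > 1:
            # heuristic: one BSSID answering several different probed names is honeypot behaviour
            findings["multi_ssid_responder"].add(bssid)
    return dict(findings)


if __name__ == "__main__":
    for finding, macs in sorted(analyze(FRAMES).items()):
        print(f"{finding:28s} {sorted(macs)}")
```

Null probes from corporate clients are deliberately not reported: they reveal nothing, which is exactly the behaviour the later post on SSID broadcast describes for updated Windows clients.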

Deadlock in WiFi Networks

You might have experienced a deadlock in chaotic traffic, or, if you are a software person, you must be aware of deadlocks in software programs. In simple terms, a deadlock is a condition that stops the progress of a process or operation.

Interestingly, a deadlock can also occur in a WiFi network. It happens between a wireless client and an access point (AP) at the time of connection establishment.

To understand it better, let me first explain how connection establishment takes place between a wireless client device and an AP.


There are three important steps involved in connection establishment: the first is wireless network discovery, the second is authentication, and the third is association.
Until network discovery completes, the wireless client does not start authentication and association.

Figure 1: Connection Establishment

All WiFi networks are identified by a network name, also known as the Service Set Identifier or SSID. The SSID is a string of at most 32 octets advertised in beacon frames, which are transmitted periodically by APs. All clients in the proximity of an AP listen to these periodic advertisements and learn of the presence of a WiFi network. This is known as passive scanning or passive discovery. Sometimes wireless client devices send request frames to discover the presence of a WiFi network. These frames are called "Probe Requests". APs within radio range of the client listen to these request frames and respond with "Probe Response" frames. These are very similar to beacon frames and also contain the wireless network name. The process of discovering wireless networks by sending probes is called active scanning or active discovery.

Probe Requests may or may not contain the wireless network name. When no network name is present (the SSID element has zero length), the frame is known as a null probe or wildcard probe. Clients use these frames to discover any WiFi network present in their proximity. When a "Probe Request" does contain the name of a WiFi network it is a directed probe; such frames are sent by a wireless client device when it looks for the presence of its pre-configured wireless networks.

Wireless Client (In)Security
The active scanning done by a client, especially when it leaks trusted WiFi network names in probe request frames, gives rise to various wireless attacks on the client device. One example is setting up a "honeypot" to launch a man-in-the-middle (MITM) attack. It is very easy to launch a honeypot attack on a wireless device that actively scans for a specific WiFi network. In fact, security enabled honeypots are also possible.

WiFi clients configured to connect to a WEP secured WiFi network can be victimized with the Caffe Latte attack. Clients configured for WPA-PSK or WPA2-PSK (also called Personal mode) can be lured by an attacker with the help of the airodump-ng and aircrack-ng tools. You can learn more about security enabled WiFi networks here. Clients which only connect to WPA2-802.1X based WiFi networks but are not properly configured (for example, not validating the authentication server's certificate) can be attacked with a PEAP attack.

If you analyze these cases, you will find that the wireless clients were victimized because the trusted WiFi network names present in the client's memory were leaked during the network discovery phase. In fact there exists a tool called WiFish Finder that will tell you which client is vulnerable to a honeypot attack and what kind of attack is possible. The tool is used for security assessment of wireless client devices.

To defeat attacks on wireless clients, Microsoft changed the wireless client behaviour in Windows XP Service Pack 2 (SP2, with the Wireless Client Update) and later releases. These clients are programmed not to leak the names of the trusted WiFi networks present in their preferred network list (PNL) during active scanning: they send null probes, and only if they find a network advertising a name that matches an entry in the PNL do they start connection establishment. More details about the behaviour of Windows XP, Windows Server and Vista based wireless clients can be found here: http://technet.microsoft.com/hi-in/library/bb726942(en-us).aspx

So security against honeypot attacks has been achieved by not advertising or leaking the trusted wireless network names present in the PNL.

Access Point (In)Security
Disabling SSID broadcast has become common practice and is widely adopted by network administrators as a security measure. Most AP vendors support turning off SSID advertisement. When you turn off SSID broadcasting, the AP still sends its periodic beacon frames, but they carry an empty SSID element instead of the network name. This prevents a casual user from locating a private wireless network just by performing a simple network discovery (View available wireless networks in Windows). Believe me, you do not achieve any security. There are other ways of figuring out the SSID of a non-broadcasting wireless network: the Probe Responses the AP sends to a connecting client, and the client's own directed Probe Requests and Association Requests, all carry the network name, so if you do a wireless packet capture you should be able to discover the SSID of a non-broadcasting wireless network.

So it does not add anything to wireless security, and at the same time it might create havoc in your existing wireless deployment if you are planning to turn off SSID broadcast.

WiFi Connection Deadlock
Let's take the example of a WiFi network deployed in a big corporate network. The name of the network is "M-Mobile" and it is initially advertised. There is a WiFi user, Jhon, who uses a Windows XP SP2 based WiFi client to connect to "M-Mobile"; his client is configured to connect to "M-Mobile" automatically. One fine day, the network administrator, Mr. Patrick, learns that disabling SSID broadcast is a good security practice, so he disables SSID broadcasting on the tens or hundreds of APs installed in the office premises, perhaps managed through a controller. The next day, when Jhon arrives at the office, he is not able to connect to the WiFi network. He asks around, but his colleagues are still connected, maybe because they leave their laptops in the office, or for whatever other reason. Mr. Patrick has absolutely no idea what went wrong; all the other users are still connected. What should he do? Roll back the change he applied yesterday, or debug Jhon's problem? What if Jhon works from a distant office? Mr. Patrick might be helpless, as he cannot keep flipping the settings of a fully functional network, so he might ignore the request and advise Jhon to use another machine. But it is important to understand the reason.

As soon as Mr. Patrick disables SSID broadcast, all APs in the network stop advertising the name of the network. Clients which reveal the name of their trusted WiFi network during active scanning are still able to connect. But Jhon's WiFi client does not see the wireless network from its preferred network list being advertised, so it simply sends a null probe request, and APs with SSID broadcast disabled do not honor null probe requests, so they never reveal the network name to Jhon's client.
Figure 2: WiFi Connection Deadlock
As a result, Jhon's client is not able to complete network discovery even though the trusted WiFi network is within its range. The scenario is depicted in figure 2 above. Since discovery does not complete, the client never initiates authentication and association with the AP and remains forever in the scanning state. This condition, in which a wireless client is unable to discover its own trusted wireless network and the network is unable to serve a legitimate wireless client device, is termed "Deadlock in WiFi Network".
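The four combinations of AP setting and client behaviour discussed in this post, as an added simulation (my own illustration, not Microsoft's client logic or any vendor's AP code): the network name, the client's PNL and the frame records are constructed, an empty string stands for the empty SSID element, and authentication is skipped since only discovery matters here. The simulation also records every frame "on air", so it shows what a passive capture reveals in each case, which is the point made above about hidden SSIDs.

```python
"""Discovery with hidden SSIDs and the two client behaviours from this post (added simulation).

Network name, client profiles and frames are constructed; "" stands for the empty SSID element.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Frame:
    kind: str   # beacon | probe_req | probe_resp | assoc_req
    ssid: str   # "" = hidden (beacon) or wildcard (probe request)


@dataclass
class AccessPoint:
    ssid: str
    broadcast_ssid: bool = True

    def beacon(self) -> Frame:
        """Beacons keep going out when broadcast is disabled; only the name is blanked."""
        return Frame("beacon", self.ssid if self.broadcast_ssid else "")

    def on_probe_request(self, req: Frame) -> Optional[Frame]:
        """A directed probe for our name is always answered (and the answer carries the name);
        a null probe is answered only when SSID broadcast is on."""
        if req.ssid == self.ssid or (req.ssid == "" and self.broadcast_ssid):
            return Frame("probe_resp", self.ssid)
        return None


@dataclass
class Client:
    pnl: List[str]           # preferred network list
    directed_probes: bool    # True: legacy client probing for each PNL entry; False: XP SP2 update behaviour

    def discover_and_connect(self, ap: AccessPoint, air: List[Frame]) -> Optional[str]:
        """Run discovery against `ap`, appending every frame to `air` (the sniffer's view).
        Returns the SSID the client associates to, or None if discovery never completes."""
        air.append(ap.beacon())
        known: Set[str] = {f.ssid for f in air if f.kind == "beacon" and f.ssid}
        requests = ([Frame("probe_req", s) for s in self.pnl] if self.directed_probes
                    else [Frame("probe_req", "")])
        for req in requests:
            air.append(req)
            resp = ap.on_probe_request(req)
            if resp is not None:
                air.append(resp)
                known.add(resp.ssid)
        for ssid in self.pnl:
            if ssid in known:
                air.append(Frame("assoc_req", ssid))   # authentication omitted; only the SSID matters here
                return ssid
        return None   # stuck scanning: the deadlock


def outcome(broadcast_ssid: bool, directed_probes: bool) -> Optional[str]:
    """One of the four AP setting / client behaviour combinations."""
    ap = AccessPoint("M-Mobile", broadcast_ssid)
    return Client(["M-Mobile"], directed_probes).discover_and_connect(ap, [])


def sniffed_ssids(broadcast_ssid: bool, directed_probes: bool) -> Set[str]:
    """Names a passive capture recovers from probe requests/responses and association requests."""
    air: List[Frame] = []
    Client(["M-Mobile"], directed_probes).discover_and_connect(AccessPoint("M-Mobile", broadcast_ssid), air)
    return {f.ssid for f in air if f.kind in ("probe_req", "probe_resp", "assoc_req") and f.ssid}


if __name__ == "__main__":
    for bc in (True, False):
        for dp in (True, False):
            print(f"broadcast={bc!s:5} directed_probes={dp!s:5} -> "
                  f"{outcome(bc, dp) or 'DEADLOCK (stuck scanning)'}; sniffer sees {sniffed_ssids(bc, dp)}")
```

Only the hidden SSID plus null-probe-only client combination fails to connect, and in the one combination where a hidden SSID does work (a client sending directed probes) the name is exposed on air anyway, in the probe request, the probe response and the association request. Hiding the SSID therefore either breaks the well-behaved client or leaks the name through the legacy one.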

First of all, you should not turn off SSID broadcast. If you have done it and are facing a problem similar to Jhon's, investigate whether your wireless network is in this deadlock state. On the client side the way out is to mark the network profile as "connect even if the network is not broadcasting", which makes the client send directed probes for that SSID again, at the cost of leaking the name in every probe.
The key take away of this post is:
"Disable SSID broadcast, but in Wireless Client Devices and Not in Access Points"