Thursday, July 7, 2011

Is 802.11w panacea to all wireless DoS attacks?

IEEE 802.11w is the most recent amendment to 802.11 standard for WiFi networking. It got ratified in September 2009 and since then couple of vendors have already announced support for it. Cisco, one of the WLAN vendors and major market share holder, has been shipping their product with a similar capability which they call Management Frame Protection (MFP). Here are more details about Cisco’s MFP

Cisco has been positioning MFP as a solution to some serious wireless attacks e.g. DoS attack, Man-in-the-middle (MITM) and Dictionary attack.  Infact, the common perception about MFP or 802.11w is that it would solve most of the wireless DoS attacks. In reality MFP was already shown broken in 2008. You can read more about it here 

Also a research published recently in WiSec 2011 also highlights some of the weaknesses of IEEE 802.11w amendment. In this article, we will try to understand the key changes proposed in the 802.11w and how they are going to mitigate wireless DoS attacks:

The most important feature introduced in the IEEE 802.11w is protection of management frames. It also provides solution to Association Lockout (Deletion of legitimate client’s state on AP by attacker causes deadlock) problem.  Key attributes of the IEEE 802.11w are presented below:
Robust Management Frames: The IEEE 802.11w amendment defines Deauthentication, Disassociation and Action Management Frame as Robust Management (RM) frames and associates three key security properties with them- Data origin authenticity, Replay detection and Management frame protection.
Integrity GTK (IGTK) and Broadcast/Multicast Integrity Protocol (BIP): IGTK is a new encryption key introduced in the IEEE 802.11w to encrypt/decrypt group addressed robust management frames. BIP defines procedure to protect group addressed robust management frames.
Security Association (SA) Query Procedure: SA query procedure has been introduced in the IEEE 802.11w to deter the security association state of connected clients and to avoid Association-Lockout problem.
All unicast RM frames and SA Query Request/Response are encrypted/decrypted using Pairwaise Transient Key (PTK). PTK is the same key that is used for encryption/decryption of DATA frames.

So, it is clear that 802.11w shall be able to counter Deauthentication and Disaasociation based wireless DoS attacks. There are other management and data frames based known attacks that exploit the implementation vulnerability and cause disruption in the wireless networks. Such DoS attack cannot be mitigated by 802.11w. 802.11w does not propose any fix to counter physical RF jamming based wireless DoS attack. So even in the presence of 802.11w, there will be some hacks and tools left in the arsenal of hacker to launch DoS attack but the amendment is definitely going to drastically increase the reliability of layer 2 wireless connections. Though 802.11w is not a panacea to wireless DoS attack, it is good enough security to discourage casual DoS attacker.

No comments:

Post a Comment