Sunday, July 10, 2011

Understanding Association Lockout Problem in MFP Enabled Wi-Fi Networks

Association Lockout is a problem that can occur in Management Frame Protection (MFP) enabled WLANs. It is the worst consequence of a (Re)Association Request frame based Denial of Service (DoS) attack, in which an attacker manages to delete the security association of an already authenticated and authorized client. In this attack, by sending a spoofed (Re)Association Request frame, the attacker tricks the AP into believing that a legitimate client has been disconnected and is attempting to establish a fresh connection with the AP. In the original 802.11i standard there is no MAC layer test available to confirm whether the legitimate client has actually been disconnected or not.
Let's try to understand the severity of the attack in an MFP enabled WLAN.

When an attacker sends a spoofed Association Request frame (it is an unprotected frame and can be spoofed) to an MFP AP, the AP can either ignore the request, on the assumption that the client is already associated, or honour it and delete the old security association. The former is not a good choice: a client that reboots for whatever reason would then never be able to re-associate with the AP, because its genuine request would be ignored too. With the latter, the security association state of a legitimate client can be deleted by an attacker simply by sending a spoofed (Re)Association Request frame.

The AP now expects the client to complete layer 2 connection establishment and the higher layer authentication procedure in order to establish a new security key. Since the frame was sent by the attacker, the client remains unaware that its security state on the AP has been deleted and keeps sending encrypted data to the AP. Since no security key exists on the AP for this client, the AP does not accept the client's data frames and sends a deauthentication notification. In the absence of a security key, the deauthentication frame sent by the AP is unprotected. Since the client is an MFP client and still holds a valid security state, it discards the unprotected deauthentication frame. This continues between the AP and the client, and they are never able to synchronize their state. This state of the AP and the client is an example of a deadlock in a WLAN environment and is known as the "Association Lockout" problem. The missing MAC layer test is what the 802.11w amendment later supplied with the SA Query procedure: the AP keeps the existing association, rejects the request temporarily, and challenges the station with a protected SA Query Request, deleting the association only if no protected response arrives before the timeout.
The problem has been shown to be present in Cisco's proprietary implementation of MFP:
http://www.networkworld.com/community/node/30842
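To make the two state machines concrete, here is a small Python model of the exchange, written for this page rather than taken from the post, from Cisco, or from any standard. Frames are plain objects with a kind, a claimed source address, a protected flag and a status; the client MAC, the status strings and the SA Query timeout call are constructed labels, not wire values. Run with `sa_query=False` the AP behaves as described above and the run ends with the AP holding no key while the client still does, every unprotected deauthentication discarded. Run with `sa_query=True` the AP instead applies the 802.11w SA Query check and the same spoofed request leaves the association intact; the rebooted-client function shows why simply ignoring the request is not an acceptable alternative.

```python
"""Toy model of the Association Lockout deadlock (added illustration, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STATUS_OK = "success"                          # label, not a wire status code
STATUS_TEMP_REJECT = "rejected_temporarily"    # 802.11w: "try again after SA Query"


@dataclass
class Frame:
    kind: str                 # assoc_req | assoc_resp | data | deauth | sa_query_req | sa_query_resp
    src: str                  # MAC address the frame claims to come from
    protected: bool = False   # covered by the current SA (encrypted / MFP-protected)
    status: Optional[str] = None


@dataclass
class Client:
    mac: str
    has_sa: bool = True                          # holds a valid PTK with the AP
    dropped: List[str] = field(default_factory=list)

    def send_data(self) -> Frame:
        return Frame("data", self.mac, protected=self.has_sa)

    def receive(self, f: Frame) -> Optional[Frame]:
        if f.kind == "deauth" and not f.protected and self.has_sa:
            # MFP rule: an unprotected deauth is discarded while an SA exists.
            self.dropped.append("unprotected deauth")
            return None
        if f.kind == "deauth":
            self.has_sa = False
        elif f.kind == "sa_query_req" and self.has_sa and f.protected:
            return Frame("sa_query_resp", self.mac, protected=True)
        return None                              # unsolicited assoc_resp etc. is ignored


@dataclass
class AccessPoint:
    sa_query: bool                               # False: behaviour in the post; True: 802.11w check
    sa_table: Dict[str, bool] = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def receive(self, f: Frame) -> List[Frame]:
        out: List[Frame] = []
        if f.kind == "assoc_req":
            if self.sa_query and self.sa_table.get(f.src):
                # Do not trust the unprotected request: keep the SA and challenge the station.
                self.log.append("assoc_req with live SA: SA Query started")
                self.pending.add(f.src)
                out.append(Frame("assoc_resp", "ap", status=STATUS_TEMP_REJECT))
                out.append(Frame("sa_query_req", "ap", protected=True))
            else:
                self.log.append("assoc_req: old SA deleted, association accepted")
                self.sa_table.pop(f.src, None)
                out.append(Frame("assoc_resp", "ap", status=STATUS_OK))
        elif f.kind == "sa_query_resp" and f.src in self.pending:
            self.pending.discard(f.src)
            self.log.append("SA Query answered: SA kept")
        elif f.kind == "data":
            if self.sa_table.get(f.src):
                self.log.append("data decrypted")
            else:
                # No key for this station: the only thing the AP can send is an unprotected deauth.
                self.log.append("data with no SA: unprotected deauth sent")
                out.append(Frame("deauth", "ap", protected=False))
        return out

    def sa_query_timeout(self, mac: str) -> None:
        # Assumed timer expiry: no SA Query Response means the station really is gone.
        if mac in self.pending:
            self.pending.discard(mac)
            self.sa_table.pop(mac, None)
            self.log.append("SA Query timed out: SA deleted")


def exchange(ap: AccessPoint, client: Client, f: Frame) -> None:
    for resp in ap.receive(f):
        reply = client.receive(resp)
        if reply is not None:
            ap.receive(reply)


def run_spoofed_assoc(sa_query: bool, data_rounds: int = 3) -> dict:
    client = Client(mac="02:00:00:00:00:01")             # constructed locally administered MAC
    ap = AccessPoint(sa_query=sa_query, sa_table={client.mac: True})
    exchange(ap, client, Frame("assoc_req", src=client.mac))   # attacker's spoofed, unprotected request
    for _ in range(data_rounds):
        exchange(ap, client, client.send_data())         # real client keeps sending encrypted data
    return {"ap_has_sa": bool(ap.sa_table.get(client.mac)),
            "client_has_sa": client.has_sa,
            "deauths_ignored": len(client.dropped),
            "log": ap.log}


def run_rebooted_client(sa_query: bool) -> str:
    """A legitimate client lost its key (reboot) and re-associates; returns the final assoc status."""
    client = Client(mac="02:00:00:00:00:01", has_sa=False)
    ap = AccessPoint(sa_query=sa_query, sa_table={client.mac: True})   # AP still holds the stale SA
    first = ap.receive(Frame("assoc_req", src=client.mac))
    for f in first:
        client.receive(f)                                # keyless client cannot answer the SA Query
    if first[0].status == STATUS_OK:
        return STATUS_OK
    ap.sa_query_timeout(client.mac)
    return ap.receive(Frame("assoc_req", src=client.mac))[0].status


if __name__ == "__main__":
    print("Without SA Query:", run_spoofed_assoc(sa_query=False))   # AP keyless, client keyed: deadlock
    print("With SA Query:", run_spoofed_assoc(sa_query=True))
    print("Rebooted client, with SA Query:", run_rebooted_client(sa_query=True))
```

The model deliberately leaves the client ignoring the unsolicited Association Response, which is what makes it "unaware" in the lockout case; the only difference between the two AP modes is whether an unprotected request is allowed to destroy state that was established with a key.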

So, that's all about the Lockout problem. Hope you are enlightened.
