Autoimmunity Disorder in Wireless LANs (Defcon 16)
Description: An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body tissue. This presentation is about the discovery of autoimmunity disorder in select open source and commercial 802.11 AP implementations. By sending specially crafted packets, it is possible to trigger autoimmunity disorder and cause an AP to turn hostile against its own clients. Eight examples of autoimmune disorder will be demonstrated.
Autoimmunity disorder can be exploited to craft new DoS attacks. Although 802.11w promises immunity from DoS attacks, we show that autoimmunity disorder leaves a door open through which DoS attacks can still be launched.
Presentation Outline
1. What has autoimmunity disorder got to do with Wireless LANs?
- An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body cells.
- We have found many conditions under which wireless APs mistakenly start attacking their own clients.
- Our findings suggest that new avenues for launching DoS attacks are possible. The majority of the vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point S/W.
2. Background
- It is already known that DoS attacks can be launched by transmitting spoofed De-auth/Dis-assoc frames.
- What’s new here? There exist malformed packets whose injection can turn an AP into a connection-killing machine. We use the term ‘Self DoS’ to refer to this.
- Explain why Self DoS happens.
- Standard protocol specs are often unclear about how an AP should respond to malformed frames. Different AP implementations behave differently. Some survive, some crash and some turn themselves into killing machines.
- Explain using an example from the madwifi-0.9.4 driver.
3. Provide eight examples of Self DoS attacks triggered by transmission of malformed frames
- List each attack in one line.
4. The root cause of the DoS vulnerability in 802.11 is that the management frames used for connection establishment and termination are not protected. Hence, a connection can easily be terminated by spoofing these frames. The Management Frame Protection (MFP) (11w) proposal is aimed at adding the necessary protection to eliminate this vulnerability.
- We show an example of how an MFP-enabled AP-client pair can ignore spoofed disconnection frames.
- In the next slide we show an example of how a spoofed (stimulus) packet from an attacker can still cause an AP-client pair to get trapped in a mutual deadlock state.
5. What’s the takeaway message from this discussion?
- Without MFP protection
  - New avenues for launching DoS attacks are possible. The majority of the vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point S/W.
- With MFP protection
  - DoS vulnerabilities could not be completely eliminated. Even MFP was found vulnerable!
6. Food for Thought
- A fix for the MFP vulnerability has already been attempted in the latest 11w draft. Future revisions of the 11w draft will continue to raise the bar & try to make 802.11 DoS-attack-proof.
- Will the dream of an attack-proof 802.11 ever be realized?
- We don’t think so. By the August timeframe we plan to include additional experimental results to support our position.
A high resolution version of the talk is available for download here.