Autoimmunity Disorder in Wireless LANs (Defcon 16)

 
 

An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body tissue. This presentation is about the discovery of autoimmunity disorder in select open source and commercial 802.11 AP implementations. By sending specially crafted packets, it is possible to trigger autoimmunity disorder and cause an AP to turn hostile against its own clients. Eight examples of autoimmune disorder will be demonstrated.

Autoimmunity disorder can be exploited to craft new DoS attacks. Although 802.11w promises immunity from DoS attacks, we show that autoimmunity disorder leaves a door open through which DoS attacks can still be launched.

Presentation Outline

1.    What has Autoimmunity disorder got to do with Wireless LANs?
  • An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body cells.
  • We have found many conditions under which wireless APs mistakenly start attacking their own clients.
  • Our findings suggest that new avenues for launching DoS attacks are possible. The majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point S/W.

2.    Background
  • It is already known that by transmitting spoofed De-auth/Dis-assoc frames DoS attacks can be launched.
  • What’s new here? There exist malformed packets whose injection can turn an AP into a connection killing machine. We use the term ‘Self DoS’ to refer to this.
  • Explain why Self DoS happens.
    • Standard protocol specs are often unclear about how an AP should respond to malformed frames. Different AP implementations behave differently. Some survive, some crash and some turn themselves into killing machines.
  • Explain using an example from the madwifi-0.9.4 driver.

3.    Provide eight examples of Self DoS attacks triggered by transmission of malformed frames
  • List each attack in one line.

4.    The root cause of DoS vulnerability in 802.11 is that management frames used for connection establishment and termination are not protected. Hence, a connection can easily be terminated by spoofing these frames. The Management Frame Protection (MFP) (11w) proposal is aimed at adding the necessary protection to eliminate this vulnerability.
  • We show an example of how an MFP-enabled AP-client pair can ignore spoofed disconnection frames.
  • In the next slide we show an example of how a spoofed (stimulus) packet from an attacker can still cause an AP-client pair to get trapped in a mutual deadlock state.

5.    What’s the take away message from this discussion?
  • Without MFP protection
    • New avenues for launching DoS attacks are possible. The majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point S/W.
  • With MFP protection    
    • DoS vulnerabilities could not be completely eliminated. Even MFP was found vulnerable!

6.    Food for Thought
  • A fix for the MFP vulnerability has already been attempted in the latest 11w draft. Future revisions of the 11w draft will continue to raise the bar and try to make 802.11 DoS attack proof.
  • Will the dream of an attack-proof 802.11 ever be realized?
  • We don’t think so. By the August timeframe we plan to include additional experimental results to support our position.
A high resolution version of the talk is available for download here.

 

 

Author
Sohail

Md Sohail Ahmad is a senior wireless security researcher at AirTight Networks. Mr Ahmad possesses a strong background in secure driver development, protocol development, and WiFi security and network assessment. He has been a speaker at several international conferences, e.g. Comsware, Defcon, Toorcon etc. Mr Ahmad has also been a regular contributor to open source software development, e.g. madwifi software, and has published several advisories on the web.

Prior to joining AirTight Networks in 2005, he worked on 3GPP GPRS stack development and stabilization of MAC layer modules as a software engineer at Hughes Software System, now known as Aricent. Md Sohail Ahmad holds a BTech in Computer Engineering from AMU, Aligarh and an MTech in Computer Engineering from Indian Institute of Technology Roorkee, India.

 
©2007 Freak Labs