All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations

Hue, Man Hong; Debnath, Joyanta; Leung, Kin Man; Li, Li; Minaei, Mohsen; Mazhar, M. Hammad; Xian, Kailiang; Hoque, Endadul; Chowdhury, Omar; Chau, Sze Yiu

doi:10.1145/3460120.3484569

Cited by 6 publications

(3 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These attacks can be launched by anyone within range of the victim, and nowadays low-cost Wi-Fi "deauthers" are readily available for less than $10 [31]. Disconnecting a client from the network is an essential step towards successfully executing many attacks, in particular those targeting the connection process, with example attacks being [3,6,7,16,23,24,39]. For instance, offline dictionary attacks against the passphrase of a WPA2 network require the adversary to capture a client's 4-way handshake, and can be accelerated by capturing additional handshakes.…”

Section: Introductionmentioning

confidence: 99%

On the Robustness of Wi-Fi Deauthentication Countermeasures

Schepers

Ranganathan

Vanhoef

2022

Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks

View full text Add to dashboard Cite

With the introduction of WPA3 and Wi-Fi 6, an increased usage of Wi-Fi Management Frame Protection (MFP) is expected. defined in IEEE 802.11w, protects robust management frames by providing data confidentiality, integrity, origin authenticity, and replay protection. One of its key goals is to prevent deauthentication attacks in which an adversary forcibly disconnects a client from the network. In this paper, we inspect the standard and its implementations for their robustness and protection against deauthentication attacks. In our standard analysis, we inspect the rules for processing robust management frames on their completeness, consistency, and security, leading to the discovery of unspecified cases, contradictory rules, and revealed insecure rules that lead to new denial-of-service vulnerabilities. We then inspect implementations and identify vulnerabilities in clients and access points running on the latest versions of the Linux kernel, hostap, IWD, Apple (i.e., macOS, iOS, iPadOS), Windows, and Android. Altogether, these vulnerabilities allow an adversary to disconnect any client from personal and enterprise networks despite the usage of MFP. Our work highlights that management frame protection is insufficient to prevent deauthentication attacks, and therefore more care is needed to mitigate attacks of this kind. In order to address the identified shortcomings, we worked with industry partners to propose updates to the IEEE 802.11 standard. CCS CONCEPTS• Networks → Wireless access points, base stations and infrastructure; Mobile and wireless security; Denial-of-service attacks.

show abstract

Section: Introductionmentioning

confidence: 99%

On the Robustness of Wi-Fi Deauthentication Countermeasures

Schepers

Ranganathan

Vanhoef

2022

Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks

View full text Add to dashboard Cite

show abstract

“…These flaws allowed an attacker to recover the password of the wireless network even if configured with WPA3. Furthermore, researchers analyzed the security of enterprise networks and identified several weaknesses [214,215], for example, widespread security issues due to evil twin attacks [216] and poor configurations [176,217]. Denial-of-service attacks against Wi-Fi networks are ubiquitous [218,219,220], have existed since the first version of the 4-way handshake [57,59], and even affect WPA3 [4,5].…”

Section: Related Workmentioning

confidence: 99%

“…These attacks can be launched by anyone within range of the victim, and nowadays low-cost Wi-Fi "deauthers" are readily available for less than $10 [171]. Disconnecting a client from the network is an essential step towards successfully executing many attacks, in particular those targeting the connection process, with example attacks being [172,167,173,18,174,175,176]. For instance, offline dictionary attacks against the passphrase of a WPA2 network require the adversary to capture a client's 4-way handshake, and can be accelerated by capturing additional handshakes.…”

Section: Introductionmentioning

confidence: 99%

Towards rapid prototyping for wi-fi security research

Schepers

View full text Add to dashboard Cite

The rapid deployment of wireless networks, combined with an increasing demand for performance and security, resulted in the significant evolution of standards. Today, ) and Wi-Fi Protected Access 3 (WPA3) are the latest standard and set of security protocols. In order to enhance the security protections offered by these networks, it remains key to adopt the newest standards and promptly deprecate any old and vulnerable protocols. With this perspective, and the knowledge that early research in new protocols allows us to identify and address shortcomings before they are widely-adopted in practice, we are motivated to perform rigorous security and privacy analyses.In this dissertation, we perform an extensive wireless survey to understand and contextualize the Wi-Fi (IEEE 802.11) landscape. It allows us to gain real-world insights in the adoption rates of deprecated, recommended, and state-of-the-art protocols, and thereby identify trends and determine their security impact in practice. Based on our newfound insights, we perform a security and privacy analysis on the Temporal Key Integrity Protocol (TKIP) and Wi-Fi Fine Timing Measurement (FTM), revealing a wide-variety of sidechannels and security vulnerabilities. In order to ease and streamline our research process, and address implementation challenges faced throughout, we design a novel framework for rapid prototyping. Our framework allows one to rapidly test hypothesis on new weaknesses, implement proof-of-concepts, build on-target fuzz-testing tools, create testing suites (e.g., test if a device is vulnerable to known attacks), and automate experiments. We then demonstrate the features of our framework by means of two practical use cases. First, we perform a security analysis on the Wi-Fi Management Frame Protection (MFP) standard and its implementations, revealing numerous deauthentication vulnerabilities. Second, we analyze frame queuing mechanisms used within access points, revealing vulnerabilities which enable an adversary to bypass encryption. Finally, we release our framework for rapid prototyping to the community in order to encourage and support further security and privacy research.

show abstract