WLAN Security
An article about wireless protocols and their security. This article is part of a presentation made for The Hacker Contest module. The presentation slides can be downloaded here (German).
Authors: Roman Hergenreder, Lars Prepens
This article and the presentation contain slides by Mathy Vanhoef.
As the number of wireless devices (smartphones, notebooks, TVs, light bulbs, ...) rises and it is easier to connect using wireless networks than using cables, WLAN security becomes even more important. Wireless technology needs no physical access, which is of course useful for mobile devices on the one hand but also creates risks on the other hand, as the medium is publicly accessible. Attackers can easily capture the (ideally encrypted) traffic without anyone noticing. Attackers can also hide attacking devices (like a small Raspberry Pi or something similar) in range of the wireless gateway or just attack "from outside", without needing to enter company buildings for example. Public hotspots like those in cafes, libraries and airports are popular targets for attackers.
In the following sections, we will focus on wireless networks deployed in infrastructure mode. This is the most common case in private networks and for example small company networks, where a base station acts as an access point. There may be multiple connected access points with the same SSID and connecting to one of them results in joining the network of these access points.
Nowadays the WLAN standard is defined by the Wi-Fi Alliance. It is a non-profit organization founded in 1999 with about 800 companies involved today. They certify products for conformity to certain standards like Wi-Fi, WPS, WPA, Miracast and many more.
When analysing the security of such WLAN networks, we first need to know how they work in general. The IEEE 802.11 standard is part of the set of Local Area Network (LAN) protocols and it contains wireless protocols operating on the MAC (media access control) and the physical layer. Part of this standard is the service set (also known as extended service set or ESS). It defines a group of wireless network devices identified by the same name, called the SSID (service set identifier). These are usually natural-language labels, which are seen in the "nearby WLAN list" when connecting to an access point. The BSSID is a 48-bit label and defines a subgroup of devices operating on the same physical layer, i.e. frequency, security settings and so on. It can be either a random number or the device's MAC address. A device can have multiple BSSIDs, but usually they uniquely identify an access point.
If a wireless network is not hidden, the access point usually broadcasts this customizable SSID periodically to announce its presence. These broadcast packets are called beacon packets. Hidden networks usually have a null SSID (zero-length SSID field). A client may also broadcast a probe request to ask which access points are available nearby.
Once the client knows the SSID it wants to connect to, the protocol in use decides how to continue, e.g. perform router authentication, exchange/generate connection keys, perform handshakes. The attack vector and the protocol used determine our chances of success. Some common attacks are described in the following paragraphs.
Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup is a network security standard to create and configure a secure wireless network. It should provide a simple method to add new devices to an existing network without needing to enter a passphrase. There are four possible modes:
- PIN method
The PIN is usually printed on a sticker or the display of the device. The PIN must be entered to join the network. This method is also mandatory in the standard and all devices with a keypad or display must support that method.
- Push button method
If the button on the access point is pressed, the first device that connects can join the network. This method is also required to be supported on all devices.
- NFC method
Using Near-field Communication (NFC), the device must be brought within range to join the network. Depending on the device the range is about 5 cm, but up to 20 cm is possible. This method is optional.
- USB method
A USB-flash drive is used to transfer data between the access point and the client device. Support is optional.
While the USB and NFC methods seem to be safe, the PIN method is rather vulnerable. In December 2011 a security flaw was revealed in which the PIN could be recovered within hours using a brute-force attack. In general the PIN has seven numeric digits, which means there are 10^7 = 10,000,000 possible combinations; this allows an online or offline brute-force attack if the handshake is captured. Besides that, if the access point is not placed in a safe location, an attacker can easily use the push-button or NFC method or just read the PIN and other sensitive data to gain access to the network.
In contrast to physical connections, an attacker can't perform a man-in-the-middle attack in the same way, like blocking or manipulating packets. To achieve this and to perform attacks like KRACK we need to set up an Evil Twin. An evil twin is a cloned access point with an identical SSID and MAC address. Careless users may connect to the malicious access point and potentially transmit unencrypted data, which can in the worst case contain sensitive information like credentials, bank data or personal information. However, when an access point with the same SSID/MAC address is already registered on the client's device, it tries to authenticate with the configured method, e.g. WEP, WPA or WPA2. As we don't know the original router's secrets, clients won't accept the connection. The other way is forwarding packets to the original access point on a different channel, which gives us the ability to block/delay/modify/resend packets, but we won't be able to decrypt the traffic in the first place.
But we can also force clients to connect to our malicious access point: before WPA3, management frames are transmitted unencrypted, as described later. Thus we can send deauthentication packets with spoofed source addresses to force the connection to be interrupted, and the client has to re-authenticate. When using a stronger signal, the client rather connects to our access point, as it is assumed to be "closer". This deauthentication can be forced using aircrack-ng as seen below:
If the router's MAC address is not known yet, we can use the following command; otherwise you can skip this step. Note: you might need to kill other network processes, like the tool tells you, as they might interfere with monitor mode.
phy1 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
(mac80211 station mode vif disabled for [phy1]wlan0)
The above command puts our wireless interface wlan0 into monitor mode; it can be accessed as wlan0mon now.
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
38:XX:XX:XX:XX:XX -41 13 32 0 6 130 WPA2 CCMP PSK XXXXXXXXX
AC:XX:XX:XX:XX:XX -56 15 0 0 6 130 WPA2 CCMP PSK XXXXXXXXX
AE:XX:XX:XX:XX:XX -51 13 0 0 6 130 WPA2 CCMP MGT XXXXXXXXX
54:XX:XX:XX:XX:XX -63 13 0 0 1 270 WPA2 CCMP PSK XXXXXXXXX
78:XX:XX:XX:XX:XX -69 15 0 0 11 130 WPA2 CCMP PSK XXXXXXXXX
AC:XX:XX:XX:XX:XX -74 14 0 0 11 130 WPA2 CCMP PSK XXXXXXXXX
02:XX:XX:XX:XX:XX -78 3 0 0 6 130 WPA2 CCMP PSK <length: 21>
4C:XX:XX:XX:XX:XX -76 13 0 0 6 260 OPN XXXXXXXXX
We can see a list of nearby routers identified by the BSSID, the encryption used and the authentication method. There is even a hidden access point (<length: 21>), whose SSID probably has 21 characters but is not broadcast. We could obtain the real SSID by waiting for an authentication (or sending deauth packets) or by brute-forcing it. The last access point in the list does not have an authentication method, so it is a public WLAN.
If we want to see which clients are connecting to a given access point, we can use the following command, where parameter c is the channel to listen on. Because we often want to see which clients are already connected, we can deauthenticate them first to force them to authenticate again, so we can capture their MAC addresses.
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
38:XX:XX:XX:XX:XX -36 96 943 459 0 6 130 WPA2 CCMP PSK XXXXXXXXX
BSSID STATION PWR Rate Lost Frames Probe
38:XX:XX:XX:XX:XX B8:XX:XX:XX:XX:XX -48 1e-24e 0 511
To deauthenticate clients connected to a certain access point, we can now execute the following command, where parameter a is the router's BSSID and --deauth the number of deauthentication packets to send, or 0 for infinity. We can additionally specify a client MAC address with parameter c. This is also described in
20:29:41 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
20:29:41 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
20:29:42 Sending DeAuth (code 7) to broadcast -- BSSID: [38:XX:XX:XX:XX:XX]
You may want to increase the transmission power of your WLAN card by setting the regulatory domain (reg) to BO (Bolivia), as every country has its own regulation on the maximum allowed transmission power, and in Bolivia 1000 mW is allowed. Note: please use this (and all the other) commands with caution. Stick to your national regulations if you don't want to get into any trouble.
Another way to force clients to connect to our evil twin is sending spoofed channel switch announcements.
Now we have everything we need to set up a real evil twin. The following command sets up a public WLAN without a password. You can also specify the access point's MAC address using the --bssid flag, but this did not work for me somehow.
21:15:05 Trying to set MTU on at0 to 1500
21:15:05 Access Point with BSSID 7C:XX:XX:XX:XX:XX started.
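From the defender's side, the deauthentication burst and the cloned access point described in this section are both visible in monitor-mode traffic. The following Python snippet is an added example (not part of the original article and not an aircrack-ng tool) that runs two simple checks over a constructed list of management frames: a deauth-burst detector and an allow-list check for beacons that advertise a known SSID from an unknown BSSID. The frame records, MAC addresses, SSIDs and thresholds are all made up for the example.

```python
from collections import defaultdict, deque

# Constructed monitor-mode records: (timestamp_s, subtype, source_bssid, ssid, reason_code).
# This is not a real capture; addresses and timing are invented for the example.
FRAMES = [
    (0.0, "beacon", "38:00:00:00:00:01", "OfficeNet", None),
    (0.1, "beacon", "AC:00:00:00:00:02", "Guest", None),
    (0.2, "beacon", "38:00:00:00:00:01", "OfficeNet", None),
    (1.0, "deauth", "38:00:00:00:00:01", None, 7),   # burst of broadcast deauths
    (1.0, "deauth", "38:00:00:00:00:01", None, 7),
    (1.1, "deauth", "38:00:00:00:00:01", None, 7),
    (1.2, "deauth", "38:00:00:00:00:01", None, 7),
    (1.3, "deauth", "38:00:00:00:00:01", None, 7),
    (1.4, "deauth", "38:00:00:00:00:01", None, 7),
    (2.0, "beacon", "7C:00:00:00:00:03", "OfficeNet", None),   # known SSID, unknown BSSID
    (2.5, "beacon", "38:00:00:00:00:01", "OfficeNet", None),
    (60.0, "deauth", "AC:00:00:00:00:02", None, 3),          # a single, ordinary deauth
]

# Allow-list of legitimate BSSIDs per SSID (constructed inventory).
KNOWN_APS = {
    "OfficeNet": {"38:00:00:00:00:01"},
    "Guest": {"AC:00:00:00:00:02"},
}


def detect_deauth_bursts(frames, threshold=5, window_s=2.0):
    """Return BSSIDs that sent at least `threshold` deauth frames within `window_s` seconds.

    A legitimate access point deauthenticates clients rarely; a sustained burst of
    deauths carrying its address is the signature of a spoofed deauth flood.
    """
    recent = defaultdict(deque)   # bssid -> sliding window of deauth timestamps
    alerts = set()
    for ts, subtype, bssid, _ssid, _reason in frames:
        if subtype != "deauth":
            continue
        window = recent[bssid]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            alerts.add(bssid)
    return sorted(alerts)


def detect_evil_twins(frames, known_aps):
    """Return (ssid, bssid) pairs where a beacon advertises a known SSID from an unlisted BSSID."""
    alerts = set()
    for _ts, subtype, bssid, ssid, _reason in frames:
        if subtype == "beacon" and ssid in known_aps and bssid not in known_aps[ssid]:
            alerts.add((ssid, bssid))
    return sorted(alerts)


if __name__ == "__main__":
    print("deauth bursts from:", detect_deauth_bursts(FRAMES))
    print("possible evil twins:", detect_evil_twins(FRAMES, KNOWN_APS))
```

The sliding window keeps the detector cheap enough to run continuously on a wireless IDS sensor; the allow-list check is only as good as the inventory behind it, so the `KNOWN_APS` table has to be maintained when access points are replaced.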
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy is a standard that is also part of IEEE 802.11 and was originally introduced in 1997. The intention was to provide access control, data integrity and confidentiality using an Integrity Check Value (ICV) and an XOR stream cipher. In 2003, WPA was declared the new standard and as of 2004 WEP was deprecated. Interesting fact: WEP was already weak when released, as US restrictions on the export of wireless technology limited devices to 64-bit encryption; later, "stronger" encryption was allowed as well. The WEP key is usually 40 bits (64-bit mode) or 104 bits (128-bit mode).
When a client attempts to connect to a WEP-based wireless network, a challenge-response authentication is performed. After the probe request/response, the access point sends a challenge, which is some random data that the client has to encrypt with its WEP key and send back to the access point. The access point encrypts its own challenge the same way and compares it with the received response; if it matches, the client is successfully authenticated and the WEP key is used for further encryption.
After a client successfully authenticated, every data packet is encrypted using the following scheme:
- A random 24-bit Initialization Vector (IV) is chosen.
- An RC4 key is generated by concatenating the IV and the WEP key.
- Using a CRC algorithm, an Integrity Check Value (ICV) is calculated over the message.
- The message M and the ICV are XORed with a keystream generated by RC4.
- The encrypted packet is now assembled from the plaintext IV and the encrypted message.
The decryption works the same way. The receiver can regenerate the RC4 key and keystream from the publicly known IV and its own WEP key. The decryption and the integrity of the message can then be verified with the appended ICV after decrypting.
WEP: Security Flaws
WEP has multiple vulnerabilities and should not be used anymore:
- Small IV space and IV reuse
The only "random" part for generating the XOR keystream is the IV, which has only 24 bits. There are only 2^24 = 16777216 unique IVs. The more packets are captured, the higher the probability of a duplicate IV. This can be used to calculate the WEP key using different attacks. With a method found by researchers at TU Darmstadt in 2007, it is even possible to break the key within a minute.
- No specification on IV choice
It is not specified how the IV has to be chosen. Many implementations start with an initial IV of 0 and increment it packet by packet. This leads to multiple reuses across new connections. Some implementations use random IVs, which is also a bad idea, as it increases the probability of a reuse within a single connection (compared to the increment method): with 5000 packets captured, the probability is already at 50%. There even exist implementations which use a static IV.
- Ineffective integrity check
WEP does have an integrity check, but it can easily be recalculated and modified if an attacker has the key or the keystream for the used IV. The access point can't verify whether a received packet is valid and can be trusted.
- Bad key management
There is one pre-shared key used to encrypt and decrypt the entire traffic, so there is no individual key management at all. If this key is known, an attacker can easily decrypt all packets.
- Small Key space
As the IV is known and part of the key generation, the remaining secret part is very small (40 or 104 bits). A 40-bit key can easily be brute-forced with modern computers, as there are "only" 1099511627776 possibilities.
- Weak algorithm
To efficiently crack WEP and recover the used key, we need to capture about 80,000 packets. Usually, the more packets are captured, the faster the algorithm is. For the following commands it is required to have an interface enabled in monitor mode. You also need to know the BSSID of the access point using WEP. These steps are described in the Evil Twin section above.
Using the above command, we can dump traffic for the given access point to a file wepdump. After we have captured a sufficient number of packets, we can run the following command to crack the WEP key:
We may need to generate traffic to collect more IVs. This can be done by injecting the same ARP request again and again. The access point will respond with an encrypted packet and a new IV for every packet. Note: this makes the attack active, as we are manipulating the network and no longer only collecting IVs passively.
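To make the WEP scheme and the IV-reuse flaw concrete, here is an added Python example (written for this article, not taken from the original page or from aircrack-ng). It implements the per-packet scheme from the list above (IV || key as the RC4 key, a CRC-32 ICV, XOR with the keystream), then shows what happens when two frames share an IV: XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, with no key involved. It also includes the birthday-bound estimate behind the "5000 packets, about 50%" figure for randomly chosen IVs. The key and the messages are constructed values.

```python
import math
import zlib

WEP_KEY = bytes.fromhex("0102030405")   # constructed 40-bit key (64-bit WEP mode)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, message: bytes) -> bytes:
    """Frame body = IV(3) || key-id(1) || RC4(IV || key) XOR (message || ICV), ICV = CRC-32(message)."""
    assert len(iv) == 3
    icv = zlib.crc32(message).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key, len(message) + 4)
    return iv + b"\x00" + xor(message + icv, keystream)


def wep_decrypt(frame: bytes, key: bytes):
    """Return the message, or None if the ICV does not match (integrity failure)."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    message, icv = plain[:-4], plain[-4:]
    if zlib.crc32(message).to_bytes(4, "little") != icv:
        return None
    return message


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """If two frames share an IV they share a keystream, so C1 XOR C2 == P1 XOR P2.

    Anyone observing both frames learns the XOR of the two plaintexts without the key.
    Returns None when the IVs differ (no reuse, nothing leaks this way).
    """
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[4:], frame_b[4:])


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday-bound approximation: probability of at least one repeated IV among `packets` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


if __name__ == "__main__":
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(iv, WEP_KEY, b"hello wireless world")
    f2 = wep_encrypt(iv, WEP_KEY, b"HELLO WIRELESS WORLD")   # same IV reused
    print("plaintext XOR leaked:", keystream_reuse_leak(f1, f2)[:20].hex())
    print("P(IV collision, 5000 random IVs) =", round(iv_collision_probability(5000), 3))
```

The leak function is what makes the "small IV space" flaw fatal: with a sequential IV that restarts at 0 on every reconnect, or a random one that repeats after a few thousand frames, the keystream for a given IV is shared across frames and any known plaintext (ARP requests have a fixed layout) reveals it.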
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access is the successor standard to WEP and works on a similar basis, but includes many improvements. The first version of WPA was certified in 2003 and was superseded by WPA2 after 2004. The differences and improvements compared to WEP are listed below:
WPA can use a pre-shared key (PSK) but also supports the Extensible Authentication Protocol (EAP). With EAP, users can log in with a username/password combination, a digital certificate, a SIM card, etc. As it is extensible, there is no need for another protocol or standard to include new authentication methods.
- Key Management
For pre-shared keys, every session has a dynamic temporary key generated by the Temporal Key Integrity Protocol (TKIP).
WPA also uses RC4 in general, but with some improvements: a 48-bit IV instead of a 24-bit IV, generated using per-packet key mixing and re-keying. The final key is calculated from the IV and the source MAC address with a hash function. Thus key collisions are very unlikely; there are about 280 trillion possible generated keys for a data packet.
A Message Integrity Check (MIC) is used for integrity checking, which includes a counter increased with every packet. This value is sent in the encrypted part and makes packet forgeries harder.
Unfortunately, WPA is insecure because TKIP uses the same underlying mechanism as WEP.
Besides that, a common attack is still a brute-force attack using dictionaries. Access points are often insecure due to weak passwords or default passwords provided by the manufacturers. Router KeyGen is such a tool, which can calculate default passwords based on the device's MAC address, for example.
Security improvements: WPA2
WPA2 was released in 2004 and is the most widely used standard nowadays. It has been considered secure for about 15 years and its design was even mathematically proven to be secure. The only requirement: the handshake is performed correctly. The most important improvement over WPA is the encryption method used.
WPA2 uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) instead of the vulnerable TKIP method. CCMP is based on AES-CCM and combines CTR mode for confidentiality and CBC-MAC mode for authentication and integrity. It is not possible for an attacker to forge frames under this algorithm. There is a list of known attacks including side-channel attacks and attacks which lower the number of rounds needed for breaking the key, but there is no practical attack to read the encrypted data without knowledge of the key.
The four-way handshake performed in WPA2 works, simplified, according to these steps:
- Optional authentication checking using a pre-shared secret like password (PSK), credentials, certificate (Enterprise)
- Access point generates a random Access Nonce (ANonce) and sends it to the client
- Client generates a random Supplicant Nonce (SNonce) and sends it back to the access point
- Client and Access Point derive the Pairwise Transient Key PTK = Combine(shared secret, ANonce and SNonce).
- AP derives the Group Temporal Key GTK used for decrypting multicast/broadcast messages and sends it to the client with a MIC
- Client verifies the MIC and responds, that everything is OK. Both Client and AP install the PTK (and Client the GTK) now.
After this handshake is performed, encrypted data frames can be exchanged.
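The key derivation behind those six steps can be written down exactly. The following Python example is added here (it is not from the original article) and models both ends of a WPA2-PSK four-way handshake: the PMK from the passphrase and SSID via PBKDF2-HMAC-SHA1, the PTK via the 802.11 PRF over both MAC addresses and both nonces, and the HMAC-SHA1 MIC of message 2 that the access point checks before continuing. SSID, passphrase, MAC addresses, nonces and the EAPOL-Key frame contents are constructed inputs, not a real capture. Because every input to the MIC except the PMK travels in clear over the air, a captured handshake is enough to test passphrase guesses offline, which is why the strength of the PSK matters so much.

```python
import hashlib
import hmac

# --- constructed inputs (not from a real network) ---
SSID = b"ExampleNet"
PASSPHRASE = b"correct horse battery staple"
AP_MAC = bytes.fromhex("38aabbccddee")      # constructed BSSID
STA_MAC = bytes.fromhex("b8112233445566")   # constructed client MAC
ANONCE = bytes(range(32))                   # constructed nonces; real ones are random
SNONCE = bytes(range(32, 64))

MIC_OFFSET = 81   # EAPOL-Key MIC field: 4-byte EAPOL header + 77 bytes of preceding fields


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n built from HMAC-SHA1 with a running counter byte."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(N)||max(N)).

    For CCMP the PTK is 48 bytes: KCK (16, signs the handshake MICs), KEK (16, wraps
    the GTK in message 3) and TK (16, the CCMP data key). Ordering by min/max makes
    both sides compute the same value regardless of who is AP and who is client.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_message2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key frame for handshake message 2 with the MIC field zeroed."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: pairwise, MIC set, descriptor version 2 (constructed)
            + b"\x00\x10"            # key length
            + b"\x00" * 7 + b"\x01"  # replay counter
            + snonce                 # SNonce
            + b"\x00" * 16           # EAPOL-Key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID
            + b"\x00" * 16           # MIC placeholder (offset 81 in the full frame)
            + b"\x00\x00")           # key data length (no RSN IE in this constructed frame)
    header = b"\x02\x03" + len(body).to_bytes(2, "big")   # EAPOL v2, type EAPOL-Key
    return header + body


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP handshake MIC: HMAC-SHA1 over the frame with the MIC zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_frame(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def run_handshake(passphrase: bytes = PASSPHRASE, ap_passphrase: bytes = PASSPHRASE) -> bool:
    """Model both sides: the client derives its PTK from `passphrase`, the AP from `ap_passphrase`.

    Returns True if the AP accepts the client's message-2 MIC, i.e. both hold the same PMK.
    """
    kck_sta, _, _ = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck_ap, _, _ = derive_ptk(derive_pmk(ap_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = sign_frame(kck_sta, build_message2(SNONCE))
    return verify_frame(kck_ap, msg2)


if __name__ == "__main__":
    print("correct passphrase accepted:", run_handshake())
    print("wrong passphrase accepted:  ", run_handshake(passphrase=b"wrong"))
```

Note what is and is not secret here: the MAC addresses, both nonces and the whole EAPOL frame are visible to anyone in range, so the MIC check in `verify_frame` is exactly the test an offline dictionary attack repeats per candidate passphrase. The 4096 PBKDF2 iterations slow that down but cannot rescue a short or common passphrase.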
Key reinstallation attack (KRACK)
KRACK was published in October 2017 and affected a lot of devices which used WPA or WPA2, even though WPA2 was mathematically proven to be secure. KRACK affects the handshake phase, so the proof is still valid, but its requirement (a correctly performed handshake) is no longer fulfilled. KRACK affects various handshakes, like the four-way handshake, the group handshake or the Fast Roaming handshake, but only because the implementations did not exactly follow the (unclear) standard.
It works as follows:
- The attacker launches a man-in-the-middle attack, either by using a stronger signal or by spoofing a Channel Switch Announcement (CSA).
- When the 4-way handshake is performed, the first three messages (ANonce, SNonce, GTK) are forwarded.
- The client installs the PTK, initialises the packet nonce with zero and sends the fourth message.
- The fourth message is not forwarded (simply blocked). The access point retransmits message three because the 4th message is not received.
- The client reinstalls the PTK and re-initialises the packet nonce with zero.
- The client retransmits message four, but encrypted this time.
- If the client has already sent an encrypted packet with the installed PTK and a zero packet nonce, we have a nonce reuse and can therefore decrypt the packet.
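The steps above come down to a state-machine bug on the client: message 3 may be processed more than once, and each processing reinstalls the key and resets the packet number. The following Python model is an added example (not code from the article or from any real supplicant) that replays that timeline once with a vulnerable client and once with the mitigated behaviour, where a key that is already installed is never installed again. Key material, frames and counters are constructed; the CCMP nonce is simplified to the packet number alone.

```python
class Supplicant:
    """Minimal model of the client side of the 4-way handshake (constructed for illustration)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.installed_ptk = None
        self.packet_number = None      # CCMP packet number (PN); the per-frame nonce is built from it
        self.nonces_used = []          # (key, nonce) pairs this client has encrypted with

    def on_message3(self, ptk: bytes) -> str:
        """Handle message 3 (AP -> client). A retransmission carries the same PTK."""
        if self.patched and self.installed_ptk == ptk:
            # Mitigation: a key that is already installed is not installed again,
            # so the PN keeps counting and no (key, nonce) pair is ever reused.
            return "msg4 (key already installed, counter untouched)"
        self.installed_ptk = ptk
        self.packet_number = 0         # (re)installation resets the nonce counter
        return "msg4"

    def send_data(self, plaintext: bytes):
        """Encrypt one data frame. The model only records the nonce it would use."""
        assert self.installed_ptk is not None, "no key installed yet"
        self.packet_number += 1
        nonce = self.packet_number.to_bytes(6, "big")   # simplified: real CCMP mixes in the sender MAC
        self.nonces_used.append((self.installed_ptk, nonce))
        # A real client would now return AES-CCM(TK, nonce, plaintext); the nonce is what matters here.
        return (self.installed_ptk, nonce, plaintext)


def nonce_reuse(sup: Supplicant) -> bool:
    """True if the client encrypted two frames under the same (key, nonce) pair."""
    return len(sup.nonces_used) != len(set(sup.nonces_used))


def simulate(patched: bool) -> bool:
    """Replay the KRACK timeline from the text. Returns True if a (key, nonce) pair was reused."""
    ptk = b"\x11" * 48             # constructed key material
    client = Supplicant(patched)
    client.on_message3(ptk)        # message 3 delivered: install PTK, PN = 0, send message 4
    client.send_data(b"first frame")    # message 4 is blocked, but the client already sends data (PN = 1)
    client.on_message3(ptk)        # AP retransmits message 3 because message 4 never arrived
    client.send_data(b"second frame")   # vulnerable client: PN reset to 0, so nonce 1 is used again
    return nonce_reuse(client)


if __name__ == "__main__":
    print("vulnerable client reuses a nonce:", simulate(patched=False))
    print("patched client reuses a nonce:   ", simulate(patched=True))
```

The patched branch is the essence of the fix shipped for CVE-listed supplicants: keep accepting a retransmitted message 3 (so the handshake still completes over a lossy link), but never re-install an already-installed key. Detection on the AP side is also possible in principle, since a client that resets its packet number to a value it has already used violates the replay counter the AP keeps for it.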
There are still some misconceptions that Mathy Vanhoef also mentioned in his presentation:
- "Updating only client or AP is sufficient"
Both client and access point are vulnerable depending on which handshake is attacked, it is highly suggested to update both.
- "It is required to be close to the network/victim"
No, as special antennas can be used from far away.
- "No useful data is transmitted right after handshake"
An attacker could just wait some time and then send deauth packets and start the attack. The browser would buffer the request data and resend it, as soon as the connection is established again.
- "Obtaining channel-based Man-in-the-Middle is hard"
No, we can just send channel switch announcements.
- "Attack complexity is hard"
Well yes, but actually the script only needs to be written once and people can use and modify/improve it easily.
- "CCMP mitigates the attack"
CCMP only prevents forgeries, but the attack still allows decryption and replay of frames.
- "Enterprise networks aren't affected"
As enterprise networks also use the 4-way handshake, the attack is still possible.
WPA2 can still be used on patched devices, but it is recommended to switch to WPA3 as soon as it is available.
WPA3 brings a lot of new features including OWE and SAE. The standard was first announced in January 2018 by the Wi-Fi Alliance. It provides the following improvements:
- Opportunistic Wireless Encryption (OWE)
Using OWE, an open Wi-Fi can be provided which, unlike earlier versions, is still encrypted. This is done using a Diffie-Hellman key exchange, so every client gets a unique encryption key. Disadvantage: we still have to verify or trust the access point, as a man-in-the-middle attack remains possible. Another feature is protected management frames: an attacker is no longer able to spoof deauthentication packets. The standard also requires devices to use WPA3 if possible; there is no possibility to switch to unencrypted connections, but an access point can still provide OWE and unencrypted connections for compatibility reasons.
- Simultaneous Authentication of Equals (SAE)
SAE can be seen as the replacement for WPA2-PSK. A new feature is that the handshake can be initiated by either the client or the access point (no lock-step protocol). This handshake is called the Dragonfly handshake.
- Stronger Encryption for WPA3-Enterprise
For the enterprise mode there are no essential changes. It includes additional client-side checks of certificate chains. The encryption is stronger, using AES-GCM-256 and SHA-384.
- Wi-Fi Device Provisioning Protocol (DPP)
Instead of WPS, new devices can be added using DPP by scanning a QR code or connecting through NFC.
There is no possibility for passive/offline attacks against OWE and SAE. Protected management frames are required for all of the named improvements. Unfortunately, the Dragonfly handshake already suffers from a vulnerability called Dragonblood. Five vulnerabilities are part of this attack, including denial of service, downgrade attacks and side-channel information leakage. Good news: these vulnerabilities can be fixed through software updates.