Introduction
Wireless networks in unlicensed bands like Wi-Fi are more vulnerable because of their "open", accessible-to-all nature, unlike a wired network in a building or an underground duct, which can be protected by physically limiting access to the building or duct.
Security Threats
The security threats to Wi-Fi networks are primarily of two types.
- The bad actor can break the confidentiality/integrity algorithms, get access to the data exchange and steal valuable information (e.g. passwords, credit card numbers). [reference]
- The bad actor can inject malicious packets and prevent the network from functioning normally (denial of service, DoS).
Probe Flooding
In the previous blog, we suggested that the ability to handle a large number of probes is a key performance metric for an Access Point. The same feature can also be used to make the network vulnerable to denial of service. If the bad actor sets up a number of clients that constantly send broadcast or unicast probes targeting a set of Access Points in the network, the APs would not be able to service genuine clients. This can lead to network efficiency problems and ultimately to denial of service. It is also possible that this scenario exposes other problems in the AP (an out-of-memory situation or a crash).
Authentication flooding
In this type of denial of service, rogue clients try to authenticate with the network using an incorrect password. The whole sequence of Authentication, Association and 4-way handshake takes a significant amount of time, and the AP reserves resources for the client until the 4-way handshake fails. Many such rogue clients, repeating these attempts with different MAC addresses (MAC spoofing), can similarly lead to denial of service for genuine clients.
A variant of this attack can also happen on public hotspots with open security. In these networks, once Authentication and Association are completed, the user is presented with a captive portal page to enter valid credentials. Since the rogue clients don't have any valid credentials, they can simply squat (do nothing) or enter random credentials. Many such rogue clients, coupled with MAC spoofing, can lead to denial of service for genuine clients.
Deauthentication Attack
This attack has been well known in Wi-Fi networks [reference] for a while. The classic form of this attack uses the MAC addresses of clients already authenticated with the AP to send a deauthentication message to the AP. This makes the AP deauthenticate the real clients, which then need to go through the full authentication and 4-way handshake cycle again. This attack is not possible if the network uses 802.11w (Protected Management Frames). However, many access points ship with 802.11w turned off by default in order to interoperate with older Wi-Fi clients.
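The three denial-of-service patterns above (probe flooding, authentication flooding with spoofed MACs, and deauthentication bursts) all leave a recognisable footprint in the management-frame stream an AP or a monitoring sensor sees. The following is an added example of a simple windowed detector over such a stream; it is not code from this post or from the SWAT WiCheck product, and the frame records, MAC addresses, AP address and thresholds are all constructed for the demo.

```python
from collections import defaultdict

# Constructed AP address for the demo (not a real device).
AP = "00:11:22:33:44:55"

def _build_sample():
    """Constructed management-frame records: (timestamp_s, subtype, src_mac, dst_mac)."""
    frames = []
    # One station probing far faster than any genuine client would (probe flood).
    frames += [(0.0 + i * 0.04, "probe_req", "aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff") for i in range(25)]
    # A genuine client probing once.
    frames.append((0.5, "probe_req", "cc:cc:cc:cc:cc:01", "ff:ff:ff:ff:ff:ff"))
    # A burst of deauth frames carrying an associated client's address (deauth attack footprint).
    frames += [(2.0 + i * 0.1, "deauth", "cc:cc:cc:cc:cc:01", AP) for i in range(6)]
    # Many distinct source addresses authenticating within one window (auth flood with MAC spoofing).
    frames += [(3.0 + i * 0.03, "auth", f"dd:dd:dd:dd:dd:{i:02x}", AP) for i in range(30)]
    return sorted(frames)

SAMPLE_FRAMES = _build_sample()

def detect_floods(frames, window=1.0, probe_thresh=10, deauth_thresh=3, auth_mac_thresh=15):
    """Bucket frames into fixed time windows and flag the three flood patterns.

    Returns a sorted list of (window_start, kind, detail) tuples. Thresholds are
    illustrative; a real deployment would tune them per AP model and load.
    """
    probes = defaultdict(lambda: defaultdict(int))   # window -> src -> probe count
    deauths = defaultdict(lambda: defaultdict(int))  # window -> src -> deauth count
    auth_macs = defaultdict(set)                     # window -> set of authenticating MACs
    for ts, subtype, src, dst in frames:
        w = int(ts // window)
        if subtype == "probe_req":
            probes[w][src] += 1
        elif subtype == "deauth" and dst == AP:
            deauths[w][src] += 1
        elif subtype == "auth" and dst == AP:
            auth_macs[w].add(src)
    alerts = []
    for w, per_src in probes.items():
        for src, n in per_src.items():
            if n > probe_thresh:
                alerts.append((w * window, "probe_flood", f"{src} sent {n} probe requests"))
    for w, per_src in deauths.items():
        for src, n in per_src.items():
            if n > deauth_thresh:
                alerts.append((w * window, "deauth_burst", f"{n} deauth frames from {src}"))
    for w, macs in auth_macs.items():
        if len(macs) > auth_mac_thresh:
            alerts.append((w * window, "auth_flood", f"{len(macs)} distinct MACs authenticating"))
    return sorted(alerts)
```

Running `detect_floods(SAMPLE_FRAMES)` yields one alert per constructed window: a probe flood at 0 s, a deauth burst at 2 s and an authentication flood at 3 s, while the single genuine probe is ignored.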
The SWAT WiCheck Multiclient Simulator can be used to generate many such scenarios using its inbuilt packet injection feature together with Robot Framework scripts. This gives an efficient and automated way of testing APs against these kinds of attacks at scale.