Professional Documents
Culture Documents
Sec16 Paper Vanhoef
Sec16 Paper Vanhoef
Figure 1: Simplified 802.11 frame with a WPA2 header. Beacons: IEs containing supported ciphers
Select cipher
an attacker to use the group key to inject, and in turn de- Association Request: IE with chosen cipher
crypt, any traffic sent in a Wi-Fi network.
Finally, we propose and study a novel random num-
Msg1: ANonce
ber generation tailored for 802.11 platforms. It extracts
randomness from the wireless channel by collecting fine- PTK
grained Received Signal Strength Indicator (RSSI) mea- Msg2: SNonce, IE, MIC
surements. These measurements can be made using com- PTK
modity devices even if there is no background traffic. We
verify IE
show our algorithm can generate more than 3000 bits per Msg3: IEs, GTK, MIC
second, and even when an adversary can predict individ-
verify IEs
ual RSSI measurements with high probability, the output Msg4: ACK, MIC
of the generator still remains close to uniformly random.
To summarize, our main contributions are: Figure 2: Discovering APs by listening to beacons, fol-
We show that the 802.11 random number genera- lowed by the association and 4-way WPA2 handshake.
tor is flawed, and break several implementations by
predicting its output, and hence also the group key.
The Access Point (AP) forwards received frames to their
We present a downgrade-style attack against the destination, which is either a node on the wired network,
4-way handshake, allowing one to recover the group or a Wi-Fi client. In frames received by a client, addr1
key by exploiting weaknesses in the RC4 cipher. should equal addr3, hence no further routing is required.
For example, when a client sends an outbound IP packet,
We show that the group key can be used to inject and
addr1 equals the address of the AP, addr2 contains his
decrypt any (internet) traffic in a Wi-Fi network.
own address, and addr3 equals the address of the router.
We propose and study a random number generator If a client wishes to transmit a broadcast or multicast
that extracts randomness from the wireless channel. frame, i.e., a group addressed frame, he first sends it as a
unicast frame to the AP. This means addr1 equals the
The rest of this paper is organized as follows. Sec-
address of the AP, and addr3 equals the broadcast or
tion 2 introduces relevant parts of the 802.11 standard.
multicast destination address. The AP then encrypts the
We break the random number generator of 802.11 in Sec-
frame using the group key if needed, and broadcasts it to
tion 3. Section 4 presents a downgrade attack against the
all associated clients. This assures all clients within the
4-way handshake, and attacks on its usage of RC4. In
range of the AP will receive the frame, even if certain
Section 5 we use the group key to inject and decrypt any
stations are not within range of each other.
frames, including unicast ones. In Section 6 we propose
The Frame Control (FC) field contains, among other
a new random number generator. Finally, we explore re-
things, the ToDS and FromDS flags. The ToDS flag is set
lated work in Section 7, and conclude in Section 8.
if the frame is sent from a client to an AP, and the FromDS
flag is set if the frame is sent in the reverse direction. The
2 Background fifth field in Figure 1 is only included when encryption is
used, and contains the Key ID and Packet Number (PN).
This section provides a background on the 802.11 proto- The PN prevents replay attacks. The 2-bit Key ID field is
col, the 4-way handshake, and the RC4 stream cipher. only used in group addressed frames, where it identifies
which group key is used to protect and encrypt the frame.
2.1 The 802.11 Protocol
When a station wishes to transmit data, it needs to add a 2.2 Discovering APs and Negotiating Keys
valid 802.11 header (see Figure 1). This headers contains Clients can discover APs by listening for beacons, which
the necessary MAC addresses to route the frame: are periodically broadcasted by the AP (see Figure 2).
addr1 = Receiver MAC address These beacons contain the supported cipher suites of the
AP in Information Elements (IEs). When a client wants
addr2 = Sender MAC address
to connect to an AP, and has selected a cipher to use, it
addr3 = Destination MAC address starts by sending an association request to the AP. This
However, this makes no sense: there is no point in in- 3.4 Practical Consequences
troducing a new key to reduce the impact if that key it-
We now study the RNG of real 802.11 platforms. First
self leaks. Curiously, we found that older versions of the
we focus on popular consumer devices. To estimate
standard did not contain this description of the GMK. In-
the popularity of a specific brand, we surveyed wireless
stead, older versions stated that the GMK may be reini-
networks in two Belgian municipalities. We were able
tialized to reduce the exposure of data in case the current
to recognize specific brands based on vendor-specific
value of the GMK is ever leaked.
information elements in beacons. We detected 6 803
Most implementations renew the GTK every hour by
networks, and found that MediaTek- and Broadcom-
calling a function similar to new gtk. More importantly,
based APs alone covered at least 22% of all Wi-Fi net-
the key counter variable is also used to initialize the
works. We will focus on both because of their popu-
Key IV field of certain EAPOL-Key frames (see Fig-
larity. Additionally we examine Hostapd for Linux. Fi-
ure 3). After using the value of key counter for this
nally, we study embedded systems by analysing the Open
purpose, it is incremented by one. Since these IVs are
Firmware project. We found that, apart from Hostapd, all
public values, the value of key counter is known by
these platforms produce predictable random numbers.
adversaries. We found that some implementations even
use key counter to generate nonce values during the
4-way handshake, though this is not recommended as it 3.4.1 MediaTek-based Routers
may enable precomputation attacks [21, 8.5.3.7].
Access points with a MediaTek radio use out-of-tree
One major disadvantage of the proposed key hierar-
Linux drivers to control the radio1 . These drivers directly
chy, is that fresh entropy is never introduced when gener-
manage the 4-way handshake and key generation. They
ating a new group key in new gtk. Hence, once the value
implement the 802.11 RNG as shown in Listing 1, but
of GMK has been leaked, or recovered by an attacker, all
do not call NetworkJitter. This strengthens our hy-
subsequent groups keys can be trivially predicted.
pothesis that this function is infeasible to implement in
Since the standard assumes that GenRandom provides
cryptographic-quality random numbers, there appears 1 Available from www.mediatek.com/en/downloads1
(a) Using IV a with random KEKs. (b) Using IV b with random KEKs. (c) Using random 16-byte keys.
Figure 6: Biases in the RC4 keystream when concatenating a fixed 16-byte IV with a random 16-byte key (here called
KEK key), and when using random 16-byte keys. Each points encodes a bias as the number (pr 28 ) 224 , capped to
values in [50, 50], with pr the empirical probability of the keystream byte value (y-axis) at a given location (x-axis).
(a) Using IV c with random KEKs. (b) Using IV d with random KEKs. (c) Using random 16-byte keys.
Figure 9: Biases in the RC4 keystream when concatenating a fixed 16-byte IV with a random 16-byte key (here called
KEK key), and when using random 16-byte keys. Each points encodes a bias as the number (pr 28 ) 224 , capped to
values in [50, 50], with pr the empirical probability of the keystream byte value (y-axis) at a given location (x-axis).