Denial of Service Attacks Against 802.11 Wireless Networks

1
Denial of Service Attacks Against 802.11 Wireless Networks
ECE 478 Final Project
  • June 7th, 2004
  • By Benjamin Humble and Eric Sundholm

2
Denial of Service Attacks Against 802.11b Wireless Networks
By Benjamin Humble and Eric Sundholm
June 7th, 2004
Topics
  • Traditional Wireless Jamming
      • Definitions
      • Methods
      • Examples
      • Strengths
      • Weaknesses
  • The 802.11b Vulnerability
      • The IEEE 802.11b Standard
      • Clear Channel Assessment (CCA) Algorithm
      • Flaw Uncovered
      • What's wrong and why?
      • Who's At Risk?
      • Solutions

3
Traditional Wireless Jamming
4
Definitions
  • Jamming: To interfere with or prevent the clear reception of (broadcast signals) by electronic means [1]
  • Passive Jamming: such as putting up buildings made of material that blocks out cell phone signals [2]

5
Methods
  • In almost every case, jamming causes a denial of service type attack to either server or client, sender or receiver.
  • In a few isolated cases, the use of jamming equipment can be seen as a man-in-the-middle attack. [1]

[1] Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu

6
Past Methods
  • Some older analog methods (including radar jamming) are:
      • Simply broadcasting noise into the system so that the original message is lost and unintelligible. This usually requires the noise to be at an equal amplitude level to the jammed signal.
      • In the case of radar jamming it is possible to send back to the detector the same signal that was sent out. This would cause the receiver to believe that no target was found. [1]
      • Similarly, instead of a no-target situation, more or fewer targets than really exist can be sent back. [1]

[1] www.maclean-nj.com

7
Modern Methods
  • More modern approaches include jamming of wireless computer communication:
      • The easiest form is to continually transmit useless data to the point where the servers become overloaded. This would cause a denial of service attack to all other clients. [1]
  • Inputting noise into the system still works, and has a clever advantage with computer systems:
      • The inputted noise signal can be of lower amplitude (and therefore power) which can cause DBR (death by retry). This is when the signal to noise ratio becomes severely compromised and the receiver must constantly re-request that the message be sent. This could form an endless loop, hence DBR. [1]

[1] www.maclean-nj.com

8
Modern Methods (cont'd)
  • In a worst case scenario it is impossible to defend against a radio jamming attack.
  • A clever attacker can simply jam all frequencies so that these listed advanced methods will not work [1]:
      • Spread spectrum systems
      • Frequency hopping spread spectrum
  • The frequencies used for 802.11b and low bandwidth (< 20 Mbps) 802.11g standard operating ranges are [2]:
      • Unlicensed 2.4 GHz band
      • Unlicensed 5.2 GHz band

[1] Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu
[2] www.nwfusion.com

9
Modern Methods (cont'd)
  • It can be noted that many of the older methods
    can be adopted and tweaked to wreak havoc on
    modern computer systems. The automation of these
    systems can be their undoing, just like with the
    death by retry example.

10
Examples
  • Radio operators have to listen for and identify common jamming signals so that they can be filtered out. Some of these common signals include [1]:
      • Random Noise
      • Random Pulse
      • Stepped Tones
      • Wobbler
      • Random Keyed Modulated Continuous Wave
      • Tone
      • Rotary
      • Pulse
      • Spark
      • Recorded Sounds
      • Gulls
      • Sweep-Through

[1] www.tpub.com

11
Strengths
  • Locating the Source: Many times, finding the source of the jamming signal must be done physically, and therefore the attacker is hard to locate.
  • Detection: Most people have no idea if a jamming signal is in use. It simply appears as if there is no service. Such is the case with cell phones or wireless networks. [1]
  • Cost: Equipment is relatively cheap when compared to brute force methods of other computer-oriented security attacks.

[2] www.stargeek.com

12
Weaknesses
  • Limited use: Jamming is limited since most attacks can only be used as denial of service attacks
  • Power: In most cases the power needed to overcome and jam a signal is too great to be practical. Exceptions to this, however, include:
      • Satellite jamming: Transmitted signal strength degrades as a function of distance squared. Therefore, an attacker that is much closer to the receiver than the satellite does not have to use the same power output to match the original satellite transmission.
      • 802.11 CCA exploitation: To be discussed in later slides
  • Range: Range is usually limited by the power of the attacker's transmitter

13
The 802.11 Vulnerability
14
The IEEE 802.11b Standard
  • Established in 1997 by the Institute of Electrical and Electronics Engineers (IEEE) [1]
  • Quickly became the most commonly used standard for wireless communication
  • Only available connection to a wireless network in 99.9% of all cases [2]
  • Remains the most commonly used wireless protocol despite the development of more advanced and more secure standards

[1] www.ieee.com [2] maccentral.macworld.com
15
Clear Channel Assessment (CCA)
  • Algorithm used by 802.11 networks to determine if a radio frequency (RF) channel is free for use [1]
  • Performed by a Direct Sequence Spread Spectrum (DSSS) physical layer [2]
  • Prevents transmission of data by either client or access point (AP) until a channel becomes free

[1] www.kb.cert.org [2] www.auscert.org.au
16
IEEE 802.11b Flaw Uncovered
  • Flaw reported May 13th, 2004 by associate professor Mark Looi at Queensland University of Technology's (QUT) Information Security Research Centre [1]
  • Discovered by professor Looi's graduate students Christian Wullems, Kevin Tham and Jason Smith while investigating mechanisms for protecting wireless devices from hacking
  • US-CERT Vulnerability Note [2]: VU#106678

[1] maccentral.macworld.com [2] www.kb.cert.org
17
What's Wrong and Why?
  • A specially crafted RF signal can cause the CCA algorithm to believe there are no free channels
  • This type of signal is sometimes called jabber
  • Attack prevents any wireless communication to or from any client or access point within range of the jamming
  • Unlike traditional jamming, exploiting the CCA flaw requires no more power than normal operation for a wireless device
  • Attack can be implemented by a modified $35 network card and laptop or even a wireless enabled PDA [1]

[1] maccentral.macworld.com
18
What's Wrong and Why? (cont'd)
  • Due to low-power nature of the attack, locating the attacker is nearly impossible (though locating the access point(s) affected is simple)
  • Wireless communication will be disrupted as long as the attack remains underway
  • Capable of shutting down all wireless transmissions within a 1km radius in 5 to 8 seconds [1]

[1] maccentral.macworld.com
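
A defender's view of the behaviour on these slides, as an added example that is not part of the original presentation: because the attack makes CCA report the medium as busy, a monitoring sensor would see channel-busy time near 100% while time spent on decodable frames collapses, whereas ordinary congestion shows busy time that real traffic accounts for. The counter names, thresholds and sample values below are constructed assumptions, not measurements.

```python
from dataclasses import dataclass

@dataclass
class Survey:
    """One polling interval of per-channel radio counters (hypothetical names, ms)."""
    active_ms: int  # time the sensor radio spent on the channel
    busy_ms: int    # time CCA reported the medium busy
    rx_ms: int      # time spent receiving decodable 802.11 frames
    tx_ms: int      # time spent transmitting

def classify(s, busy_thresh=0.90, explained_thresh=0.20):
    """Label one interval 'normal', 'congested' or 'unexplained-busy'."""
    if s.active_ms <= 0 or s.busy_ms / s.active_ms < busy_thresh:
        return "normal"
    # Share of the busy time accounted for by frames actually sent or decoded.
    explained = (s.rx_ms + s.tx_ms) / s.busy_ms
    return "congested" if explained >= explained_thresh else "unexplained-busy"

def detect_cca_dos(samples, min_consecutive=3):
    """Return the index of the sample at which an alert fires, else None."""
    run = 0
    for i, s in enumerate(samples):
        # Require a sustained run so a short interference burst does not alert.
        run = run + 1 if classify(s) == "unexplained-busy" else 0
        if run >= min_consecutive:
            return i
    return None

# Constructed sample data (not measurements).
CONGESTED = [Survey(1000, 950, 800, 100)] * 4
BURST = [Survey(1000, 980, 10, 0), Survey(1000, 300, 250, 30),
         Survey(1000, 990, 5, 0), Survey(1000, 995, 0, 0)]
JAMMED = [Survey(1000, 300, 250, 30), Survey(1000, 990, 20, 0),
          Survey(1000, 1000, 5, 0), Survey(1000, 1000, 0, 0)]

if __name__ == "__main__":
    for name, data in (("congested", CONGESTED), ("burst", BURST), ("jammed", JAMMED)):
        print(name, [classify(s) for s in data], "alert at:", detect_cca_dos(data))
```

An alert here means the channel is being held busy by something the sensor cannot decode; other non-802.11 emitters in the band produce the same signature, so it is a prompt to investigate the RF environment rather than proof of this specific attack.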
19
Who's at Risk?
  • All IEEE 802.11, 802.11b, and low bandwidth (< 20 Mbps) 802.11g wireless networks are vulnerable
  • This accounts for 99.9% of all wireless computer networks [1]
  • IEEE 802.11a and high bandwidth only (> 20 Mbps) 802.11g wireless networks do not use the same CCA algorithm and therefore are not vulnerable
  • Flaw is not network implementation specific, it is inherent to the IEEE standard [2]

[1] maccentral.macworld.com [2] www.kb.cert.org
20
Who's at Risk? (cont'd)
  • Attack operates at the hardware level, therefore WEP, WPA, WLAN security measures have no effect
  • In some countries, wireless networks are used to control infrastructures such as railways, energy transmission and other utilities [1]
  • Any network that is not completely physically isolated (middle of the desert, Faraday cage, etc.) is vulnerable to this attack

[1] maccentral.macworld.com [2] www.kb.cert.org
21
Solutions
  • NONE

22
Solutions (cont'd)
  • The flaw is inherent to the IEEE 802.11 standard
    and its use of the Clear Channel Assessment
    algorithm
  • There are no known solutions for preventing this
    attack on a vulnerable system
  • The best option for preventing this type of
    attack is to use a wireless standard that is not
    vulnerable (i.e. 802.11a or 802.11g)
  • In general, it is impossible to completely
    protect a wireless network from denial of service
    attacks based on radio frequency (RF) jamming

23
Questions?
  • Questions or Comments?
  • Benjamin Humble (humblebe_at_engr.orst.edu)
  • Eric Sundholm (sundholm_at_engr.orst.edu)