802.16 Vulnerabilities - PowerPoint PPT Presentation

File properties as uploaded: Title "Hierarchical Virtual Coordinate in Sensor Networks", Author Jingo, Last modified by Yan Chen, Created 9/29/2005 4:48:01 PM; 26 slides, provided by Jin139.

Transcript and Presenter's Notes

1
802.16 Vulnerabilities
  • Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu
    (Motorola Labs)

Lab for Internet Security Tech, Northwestern Univ.
2
Project Objective
  • Study the 802.16 system specifications with the
    goal of identifying any security vulnerability
    present in various functions/ processes
    documented.
  • Report any discovered vulnerability along with
    any proposed solutions.

3
Project Tasks
  • Study of the 802.16 (2004) specifications
  • Discovery of security vulnerabilities
  • (If practical) Simulation of vulnerability
    situations
  • Proposal of solutions

4
Vulnerabilities discovered
  • Initial Ranging based Denial-of-Service attack
  • Service Interruption/ Denial-of-Service attack
    using TEK invalid message vulnerability

5
  • Initial Ranging based Denial-of-Service attack

6
What can an attacker do?
  • If successful, the attacker denies every
    Subscriber Station (SS) served by one sector of a
    Base Station (BS) entry into the network, so none
    of them can send or receive user data.

7
Network Entry and Synchronization

8
Initial ranging process
  • BS allocates contention-based initial ranging
    slots
  • Entering SS waits for its transmission
    opportunity and sends a ranging request (RNG-REQ)
  • BS evaluates the ranging parameters and sends its
    response (RNG-RSP)
  • If all is well, the SS moves on to the next step;
    otherwise it continues the ranging process until
    it has fine-tuned all parameters.

9
Frame Structure

10
Attack Procedure (1)
  1. Rogue SS adjusts its ranging parameters
  2. Communication link between the BS and its SSs is
    brought down (e.g. through jamming)
  3. Rogue SS waits for the contention-based initial
    ranging slot announcement by the BS
  4. Rogue SS sends a valid RNG-REQ message at every
    transmission opportunity of the initial ranging
    slot

11
Attack Procedure (2)
  5. Normal SSs detect a collision whenever they
    attempt to send their RNG-REQ and hence back off
    each time
  6. This continues until a normal SS has exhausted
    its ranging attempts on all valid channels and,
    in the end, reports a MAC initialization error
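
The procedure on slides 10-11, as an added worked example that is not part of the presentation: a small discrete-event model of contention-based initial ranging in which conforming SSs follow truncated binary exponential backoff while a rogue SS transmits an RNG-REQ in every transmission opportunity. The backoff window, retry limit and channel count are assumed illustrative values (in a real system they come from the UCD message and the SS configuration), and the rogue is assumed to be present on every channel the SS tries. Running it shows that every normal SS ends in MAC initialization error after exactly MAX_RETRIES × CHANNELS collided attempts, while the same population ranges cleanly when the rogue is absent.

```python
"""Toy model of 802.16-2004 contention-based initial ranging under a
rogue-SS flood (slides 10-11). Added example, not code from the deck."""
import random
from dataclasses import dataclass

# Assumed contention parameters. Real values come from the UCD message
# (Ranging Backoff Start/End) and the SS configuration (retry limit).
BACKOFF_START = 3    # initial window = 2**3 = 8 transmission opportunities
BACKOFF_END = 10     # window stops doubling at 2**10 opportunities
MAX_RETRIES = 16     # contention ranging retries before leaving a channel
CHANNELS = 3         # uplink channels tried before MAC initialization error


@dataclass(eq=False)
class NormalSS:
    """A conforming SS: random backoff, window doubling on each collision."""
    name: str
    rng: random.Random
    channel: int = 0
    retries: int = 0
    window_exp: int = BACKOFF_START
    defer: int = 0          # opportunities to skip before the next RNG-REQ
    attempts: int = 0       # RNG-REQs actually transmitted
    ranged: bool = False
    mac_init_error: bool = False

    def __post_init__(self):
        self.defer = self.rng.randrange(2 ** self.window_exp)

    @property
    def done(self) -> bool:
        return self.ranged or self.mac_init_error

    def collided(self) -> None:
        """No RNG-RSP arrived (T3 expiry): treat as collision and back off."""
        self.retries += 1
        if self.retries >= MAX_RETRIES:
            # Give up on this channel and start over on the next one.
            self.channel += 1
            self.retries = 0
            self.window_exp = BACKOFF_START
            if self.channel >= CHANNELS:
                self.mac_init_error = True
                return
        else:
            # Truncated binary exponential backoff.
            self.window_exp = min(self.window_exp + 1, BACKOFF_END)
        self.defer = self.rng.randrange(2 ** self.window_exp)


def run_ranging(n_normal: int, rogue_active: bool, seed: int = 1) -> dict:
    """Step through contention transmission opportunities until every
    normal SS has either ranged or reported MAC initialization error."""
    rng = random.Random(seed)
    stations = [NormalSS(f"SS{i}", rng) for i in range(n_normal)]
    opportunities = occupied = collisions = 0
    while not all(s.done for s in stations):
        opportunities += 1
        senders = [s for s in stations if not s.done and s.defer == 0]
        # The rogue SS ignores backoff (modified MAC) and sends a valid
        # RNG-REQ in every contention opportunity the BS announces.
        n_tx = len(senders) + (1 if rogue_active else 0)
        if n_tx:
            occupied += 1
        for s in senders:
            s.attempts += 1
        if n_tx > 1:
            collisions += 1
            for s in senders:
                s.collided()
        elif senders:
            senders[0].ranged = True   # a lone RNG-REQ gets its RNG-RSP
        for s in stations:
            if not s.done and s not in senders:
                s.defer -= 1
    return {
        "ranged": sum(s.ranged for s in stations),
        "mac_init_errors": sum(s.mac_init_error for s in stations),
        "attempts": [s.attempts for s in stations],
        "opportunities": opportunities,
        # Fraction of announced opportunities carrying at least one RNG-REQ:
        # exactly 1.0 under the flood, the kind of deviation from normal
        # behaviour a pattern-based detector would have to key on.
        "occupancy": occupied / opportunities if opportunities else 0.0,
        "collisions": collisions,
    }


if __name__ == "__main__":
    print(run_ranging(3, rogue_active=True))
    print(run_ranging(3, rogue_active=False))
```

The model deliberately omits what the rogue itself gets back from the BS; the BS answering the rogue's lone RNG-REQs does not help the legitimate stations, which never see an uncontended opportunity.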

12
Limitations of the Attack
  • Need to modify the MAC so that it ignores the
    exponential back-off algorithm and transmits in
    every transmission opportunity
  • Need tools for jamming
  • Need to fine-tune the ranging parameters
  • Much harder against OFDMA, which uses many
    ranging codes

13
Attack Detection
  • Not straightforward
  • Need sophisticated detection mechanism based on
    data patterns from normal network behavior
  • As with other detection schemes, may not be
    always accurate

14
  • Service Interruption/ Denial-of-Service attack
    using TEK invalid message vulnerability

15
What can an attacker do?
  • If successful, the attacker can either severely
    disrupt communication between an SS and BS or
    totally deny the SS a chance to communicate with
    the BS.

16
Authorization State Machine of PKM protocol

17
TEK State Machine of PKM protocol

18
TEK invalid message properties
  • BS sends a TEK invalid message to an SS when it
    cannot decrypt an encrypted data frame sent by
    the SS
  • TEK invalid is unsolicited (the SS need not have
    sent any request to receive it)
  • TEK invalid is authenticated with an HMAC-Digest
    keyed from the AK
  • TEK invalid message content does not change for a
    given SA session as long as the AK and CID do not
    change, so a captured copy stays valid
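
The properties above are what make a captured TEK Invalid reusable. As an added example, not code from the presentation, the following models a PKM TEK Invalid carrying an HMAC-Digest keyed from the AK, shows that a copy recorded once verifies again for as long as the AK is unchanged (so each replay drives the SS's TEK state machine into another re-key), and contrasts it with a variant that adds a per-AK sequence number to the authenticated content. The field layout, the key-derivation stand-in, the omission of the CID from the model and the sequence-number fix are assumptions for illustration: they are not the exact 802.16-2004 encoding and not a solution stated on these slides.

```python
"""TEK Invalid replay (slide 18) versus a sequence-numbered variant.
Added example; layout and key derivation are simplified assumptions."""
import hashlib
import hmac
import struct
from typing import Optional

PKM_TEK_INVALID = 11     # PKM code for TEK Invalid (check your spec revision)
PKM_ID_UNSOLICITED = 0   # unsolicited BS-initiated PKM messages use identifier 0
HMAC_LEN = 20            # HMAC-SHA1 digest carried in the HMAC-Digest attribute
BASE_FMT = ">BBBHB"      # code, identifier, key sequence number, SAID, error code


def derive_hmac_key_d(ak: bytes) -> bytes:
    """Downlink message-authentication key. Modelled on the 802.16-2004
    derivation HMAC_KEY_D = SHA1(K_PAD_D | AK), K_PAD_D = 0x3A repeated 64
    times; all this example needs is that it is fixed while the AK is."""
    return hashlib.sha1(b"\x3a" * 64 + ak).digest()


def build_tek_invalid(hmac_key: bytes, key_seq: int, said: int,
                      error_code: int, seq: Optional[int] = None) -> bytes:
    """BS side: serialise a TEK Invalid and append its HMAC-Digest.
    `seq` is the illustrative anti-replay counter of the hardened variant."""
    body = struct.pack(BASE_FMT, PKM_TEK_INVALID, PKM_ID_UNSOLICITED,
                       key_seq, said, error_code)
    if seq is not None:
        body += struct.pack(">I", seq)
    return body + hmac.new(hmac_key, body, hashlib.sha1).digest()


class SubscriberStation:
    """SS side, following the TEK state machine: an authenticated TEK
    Invalid sends the SA back to re-keying (Key Request, wait for the new
    TEK), so every accepted copy costs a service interruption."""

    def __init__(self, hmac_key: bytes):
        self.hmac_key = hmac_key
        self.rekeys = 0

    def _authenticated(self, msg: bytes) -> Optional[bytes]:
        body, digest = msg[:-HMAC_LEN], msg[-HMAC_LEN:]
        expected = hmac.new(self.hmac_key, body, hashlib.sha1).digest()
        return body if hmac.compare_digest(expected, digest) else None

    def on_pkm_rsp(self, msg: bytes) -> bool:
        body = self._authenticated(msg)
        if body is None or body[0] != PKM_TEK_INVALID:
            return False
        self.rekeys += 1          # nothing distinguishes a replay here
        return True


class HardenedSubscriberStation(SubscriberStation):
    """Illustrative fix (not from the slides): accept a TEK Invalid only if
    its sequence number exceeds the last one seen under the current AK."""

    def __init__(self, hmac_key: bytes):
        super().__init__(hmac_key)
        self.last_seq = -1

    def on_pkm_rsp(self, msg: bytes) -> bool:
        body = self._authenticated(msg)
        if body is None or body[0] != PKM_TEK_INVALID:
            return False
        (seq,) = struct.unpack_from(">I", body, struct.calcsize(BASE_FMT))
        if seq <= self.last_seq:
            return False          # replayed or stale copy
        self.last_seq = seq
        self.rekeys += 1
        return True


def replay_attack(ss: SubscriberStation, captured: bytes, replays: int) -> tuple:
    """Deliver the genuine BS message once, then the recorded bytes
    `replays` more times. Returns (accepted, rejected)."""
    results = [ss.on_pkm_rsp(captured)]
    results += [ss.on_pkm_rsp(captured) for _ in range(replays)]
    return results.count(True), results.count(False)


def demo() -> dict:
    ak = bytes(range(20))                 # constructed AK for the example
    key_d = derive_hmac_key_d(ak)
    # The BS emits one TEK Invalid after the attacker provokes it with an
    # undecryptable uplink frame; the attacker records it off the air.
    captured = build_tek_invalid(key_d, key_seq=2, said=0x0123, error_code=1)
    vuln = replay_attack(SubscriberStation(key_d), captured, replays=5)
    with_seq = build_tek_invalid(key_d, key_seq=2, said=0x0123, error_code=1, seq=17)
    hard = replay_attack(HardenedSubscriberStation(key_d), with_seq, replays=5)
    return {"vulnerable": vuln, "hardened": hard}


if __name__ == "__main__":
    print(demo())   # {'vulnerable': (6, 0), 'hardened': (1, 5)}
```

The HMAC does its job in both variants (a tampered digest is rejected); the weakness is that the authenticated content carries nothing the SS can use to tell the first delivery from the fifth, which is exactly the fourth bullet above.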

19
State diagram for the attack

20
Limitations of the Attack
  • Requires the capability to inject messages on
    both the uplink and the downlink
  • The injected messages must be able to override
    and corrupt valid messages coming from legitimate
    sources
  • Requires spoofing packets
  • Can only attack one SS at a time

21
Attack Detection
  • Stealthier than ranging based attack, hence
    harder to detect
  • Need sophisticated detection mechanism based on
    data patterns from normal network behavior

22
  • Backup slides

23
OFDM frame structure

24
OFDMA frame structure with ranging sub-channel

25
TEK invalid message structure