Intercepting Mobile Communications: The Insecurity of 802.11

1
Intercepting Mobile Communications The
Insecurity of 802.11

• or Why WEP Stinks
• Dustin Christmann

2
Introduction

• This presentation will discuss the inadequacies
  of WEP encryption
• Well discuss the theoretical weaknesses of the
  WEP standard
• Well discuss the types of attacks that can
  exploit those weaknesses
• Well discuss the speed of real world attacks
  on WEP

3
Agenda

• Whats on your network?
• What is WEP?
• Theoretical weaknesses of WEP
• Types of attacks on WEP
• How well do these attacks work in the real
  world?
• Countermeasures

4
Whats on your wireless network?

• 802.11 (Wi-Fi) networks are ubiquitous today
• Types of encryption
• Open (No encryption)
• WEP
• WPA/WPA2

5
So what is WEP?

• WEP is Wired Equivalent Privacy
• Link-layer encryption
• Defined in the IEEE 802.11 standard
• Least common denominator Wi-Fi encryption
• Goals of WEP
• Confidentiality
• Access control
• Data integrity

6
So how does WEP work?
7
First, lets introduce the players

• Message What youre encrypting
• CRC To verify the integrity of the message
• Plaintext The message CRC
• Initialization vector (IV) A 24-bit number which
  plays two roles that well meet in a moment
• Key A 40 or 104-bit number which is used to
  build the keystream
• Keystream What is used to encrypt the plaintext
• Ciphertext What we end up post-encryption

Message
CRC
IV
Key
Keystream
Ciphertext
8
WEP encryption step-by-step
Message
CRC

• Step 1 Compute CRC for the message
• CRC-32 polynomial is used

9
WEP encryption step-by-step
Key
IV
Keystream

• Step 2 Compute the keystream
• IV is concatenated with the key
• RC4 encryption algorithm is used on the 64 or 128
  bit concatenation

10
WEP encryption step-by-step
Ciphertext
IV
Keystream

• Step 3 Encrypt the plaintext
• The plaintext is XORed with the keystream to form
  the ciphertext
• The IV is prepended to the ciphertext

11
WEP decryption step-by-step
Ciphertext
IV
Keystream
Key

• Step 1 Build the keystream
• Extract the IV from the incoming frame
• Prepend the IV to the key
• Use RC4 to build the keystream

12
WEP decryption step-by-step
Ciphertext
Message
CRC
Keystream

• Step 2 Decrypt the plaintext and verify
• XOR the keystream with the ciphertext
• Verify the extracted message with the CRC

13
What are the main weaknesses of WEP?
14
Initialization vector (IV)

• Its carried in plaintext in the encrypted
  message!
• Its only 24 bits!
• There are no restrictions on IV reuse!
• The IV forms a significant portion of the seed
  for the RC4 algorithm!

15
CRC algorithm

• The CRC is a linear function
• First-order polynomial ymxb
• Key property when b is 0 f(xy) f(x) f(y)
• The CRC is an unkeyed function

16
RC4 cipher

• Some seeds are weaker than others
• By extension, some IV values are weaker than
  others
• Weak seeds more easily calculated keystreams

17
Defragmentation

• Not necessarily a weakness
• Part of 802.11 standard
• Affects WPA and WPA2 encryption as well

18
What are some potential attacks on a WEP network?
19
First, you know more about the plaintext than you
think you know

• With 802.11, you know the first eight bytes of a
  packet
• Many IP services have packets of fixed lengths
• Most WLAN IP addresses follow common conventions.
• Many IP behaviors have predictable responses

20
Message modification

• Takes advantage of CRCs linearity and unkeyed
  nature.
• C is the original cybertext
• c is the CRC-32 function
• ? is the change in the message
• Need to know some of the plaintext, but not all!

21
Message injection

• Takes advantage of CRCs unkeyed nature and IV
  reuse.
• C is the original cybertext
• P is the original plaintext
• RC4(v,k) is the keystream for IV v
• M is the new message
• c is the CRC-32 function
• Need to know all of the plaintext

22
Authentication spoofing

• Takes advantage of IV reuse
• Takes advantage of WEP challenge mechanism for
  new mobile stations
• Access point sends unencrypted 128-bit value
• Mobile station returns the same value encrypted
• Monitor the exchange and
• Learn an IV-keystream pair
• Authenticate on the mobile network

23
Fragmentation attack

• Takes advantage of defragmentation and IV reuse
• Takes advantage of knowledge of plaintext of at
  least first eight bytes of 802.11 data
• Each data includes 4 bytes of checksum
• An 802.11 frame can be divided into 16 segments
• The access point will defragment the frame before
  forwarding, allowing the transmission of 16
  (known bytes of keystream 4 bytes) of data

24
Full keystream recovery using fragmentation

• Send a 64-byte frame to a broadcast address in 16
  segments
• Eavesdrop the defragmented 68-byte frame
• Send a 1024-byte frame to a broadcast address in
  16 segments
• Eavesdrop the defragmented 1028-byte frame
• Send a 1496-byte frame to a broadcast address in
  2 segments
• Eavesdrop the defragmented 1500-byte frame

25
IP redirection

• Takes advantage of defragmentation
• Eavesdrop encrypted frame
• Build encrypted IP header with the desired
  destination IP address
• Configure the 802.11 headers for segmented
  transmission
• Send frames
• Receive unencrypted data at Internet-connected
  computer

26
So how easy do these techniques make a WEP
network to compromise?
27
Answer Darn easy

• Attacks greatly aided by automated tools
• Authors of The Final Nail in WEPs Coffin broke
  40-bit key in under 15 minutes and 104-bit key in
  under 80 minutes
• FBI agents demonstrated it in 3 minutes in 2005
• http//www.informationweek.com/management/complian
  ce/160502612
• Usually it takes five to ten minutes

28
Countermeasures

• DONT USE WEP!
• Use WPA or WPA2 with a strong key
• Change the default settings on your wireless
  router
• Use VPN