10 research outputs found

    Wi-Fi Security Analysis

    In recent years, a significant increase in the development of wireless networks has been noticed; they have become an integral part of the Internet and demonstrate effectiveness in handling communication for reduced public LAN and military applications. This is mainly due to their mobility and low-cost solutions; nevertheless, they are also prone to several attacks related to data integrity, Denial of Service and eavesdropping. This paper discusses wireless security protocols, their limitations and weaknesses. We also present an overview of the FMS (Fluhrer, Mantin, Shamir) attack, a key recovery attack, and demonstrate its effectiveness in reducing the average number of intercepted packets based on a good choice of IVs (initialization vectors). Some comparative experiments on ciphertext-only attacks were performed in order to study the efficiency of such a technique and underline the difficulties encountered

    Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabilities (WIFI)

    The growing volume of attacks on the Internet has increased the demand for more robust systems and sophisticated tools for vulnerability analysis, intrusion detection, forensic investigations, and possible responses. Current hacker tools and technologies warrant reengineering to address cyber crime and homeland security. Being aware of the flaws on a network is necessary to secure the information infrastructure by gathering network topology, intelligence, internal/external vulnerability analysis, and penetration testing. The main objective of this paper is to minimize damage and prevent attackers from exploiting weaknesses and vulnerabilities in the 4-way handshake (WIFI). We also present a detailed study of various attacks and some solutions to avoid or prevent such attacks in WLAN

    Plaintext Recovery Attacks Against WPA/TKIP

    We conduct an analysis of the RC4 algorithm as it is used in the IEEE WPA/TKIP wireless standard. In that standard, RC4 keys are computed on a per-frame basis, with specific key bytes being set to known values that depend on 2 bytes of the WPA frame counter (called the TSC). We observe very large, TSC-dependent biases in the RC4 keystream when the algorithm is keyed according to the WPA specification. These biases permit us to mount an effective statistical, plaintext-recovering attack in the situation where the same plaintext is encrypted in many different frames (the so-called "broadcast attack" setting). We assess the practical impact of these attacks on WPA/TKIP

    Adoption of security protocols in IEEE 802.11 networks in the Plano Piloto in Brasília

    Security in wireless networks is an increasingly prominent subject. The popularization of Wi-Fi networks is a phenomenon driven by the need for mobility brought by a growing number of devices such as mobile phones and tablets. The wide diffusion of this technology is evidenced by the data presented in this study. Its presence is increasingly ubiquitous, and its use increasingly natural. People come to interact with the technology in a more mechanical and automatic way. Often, the risks inherent in its use are not properly analyzed. This study provides a better understanding of these risks, which are sometimes associated with loss of confidentiality and unauthorized access to logical environments. It also identifies the role of the security protocols present in the IEEE 802.11 specification in mitigating these risks. It analyzes their points of success and failure. It adopts a practical approach to verify their presence in the Plano Piloto region of Brasília, Federal District, Brazil. It compares three different usage scenarios, delimited according to the intended use of the city's sectors under its urban plan: the first composed of predominantly residential users, the second of medium and large companies, and a third of government-related entities. Based on information collected from 12,859 access points, it was observed that only 3.35% of the networks located in residential areas had no protection of any kind. It was also seen that use of the WEP protocol is still significant, found in 5% of all the networks analyzed. It was also observed that WPA2 adoption exceeds 68% of all networks. The use of a shared password to protect the network was found in 70% of the cases observed. The central region of the city was identified as the area with the highest density of networks among the areas observed. It was also observed that telecommunications companies are contributing to the increased security of wireless networks by providing equipment and installation as part of their services. The analyses carried out enabled a better understanding of the application of the protocols in the city's networks

    IEEE 802.11 i Security and Vulnerabilities

    Despite using a variety of comprehensive preventive security measures, Robust Secure Networks (RSNs) remain vulnerable to a number of attacks. Failure of preventive measures to address all RSN vulnerabilities dictates the need for enhancing the performance of Wireless Intrusion Detection Systems (WIDSs) to detect all attacks on RSNs with lower false positive and false negative rates

    Tornado Attack on RC4 with Applications to WEP & WPA

    In this paper, we construct several tools for building and manipulating pools of biases in the analysis of RC4. We report extremely fast and optimized active and passive attacks against IEEE 802.11 wireless communication protocol WEP and a key recovery and a distinguishing attack against WPA. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimization of all the former known attacks and methodologies against RC4 stream cipher in WEP and WPA modes. We support all our claims on WEP by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attack improves its success probability drastically. Our active attack, based on ARP injection, requires 22500 packets to gain success probability of 50% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aircrack-ng yields around 3% success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37500), which is a huge improvement. Deploying a similar theory, we also describe several attacks on WPA. Firstly, we describe a distinguisher for WPA with complexity 2^{42} and advantage 0.5 which uses 2^{42} packets. Then, based on several partial temporary key recovery attacks, we recover the full 128-bit temporary key of WPA by using 2^{42} packets. It works with complexity 2^{96}. So far, this is the best key recovery attack against WPA. We believe that our analysis brings on further insight to the security of RC4

    Security in Wi-Fi networks: a detailed study of attacks and proposal of a secure Wi-Fi architecture

    In recent years we have witnessed the rise of wireless local area networks, or Wi-Fi, which are on the way to becoming one of the main connectivity solutions for many companies. The wireless market is growing rapidly as companies see the productivity gains that result from the disappearance of cables. With this rapid evolution of this dematerialized type of network, security requirements are becoming increasingly stringent. As a result, much work and effort has been devoted in recent years to arriving at solutions for securing these networks. However, vulnerabilities still persist and it is still possible to mount attacks more or less easily. In particular, against the most recent Wi-Fi security protocol, namely WPA2, which, although conceptually more robust than previous generations, faces a major problem: its hardware incompatibility with earlier protocols. Indeed, WPA2 requires new hardware, which represents an enormous additional cost for companies that have already deployed earlier-generation Wi-Fi equipment. In this thesis, we produce an exhaustive synthesis of all the attacks that target Wi-Fi networks. This synthesis includes a classification of the attacks with respect to security standards as well as an illustration of the details of their implementation. Beyond the conceptual and theoretical side, we also address the practical side and show its richness. We also propose a new architectural approach for securing Wi-Fi networks in the enterprise. Our proposal takes into account the heterogeneity of equipment and of the security standards supported. This new architecture has the merit of offering great flexibility as well as strengthened security compared with traditional approaches. To develop this secure solution, we relied mainly on differentiation at several levels (security standard supported, user community, nature of traffic). These levels of differentiation provide the granularity needed to allow better network management and better control of access to resources, which improves the security of the Wi-Fi network in particular and of the company's information system as a whole.
    AUTHOR'S KEYWORDS: Wi-Fi, security, attack, secure architecture, differentiation

    Weaknesses in the temporal key hash of WPA
