Practical verification of WPA-TKIP vulnerabilities

Published: 08 May 2013
DOI: 10.1145/2484313.2484368

Abstract

We describe three attacks on the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). The first attack is a Denial of Service attack that can be executed by injecting only two frames every minute. The second attack demonstrates how fragmentation of 802.11 frames can be used to inject an arbitrary number of packets, and we show that this can be used to perform a portscan on any client. The third attack enables an attacker to reset the internal state of the Michael algorithm. We show that this can be used to efficiently decrypt arbitrary packets sent towards a client. We also report on implementation vulnerabilities discovered in some wireless devices. Finally, we demonstrate that our attacks can be executed in realistic environments.

Published In

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
May 2013
574 pages
ISBN: 9781450317672
DOI: 10.1145/2484313

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. 802.11
  2. decryption
  3. dos
  4. driver vulnerabilities
  5. fragmentation
  6. tkip
  7. wpa

Qualifiers

  • Research-article

Conference

ASIA CCS '13

Acceptance Rates

ASIA CCS '13 Paper Acceptance Rate 35 of 216 submissions, 16%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months): 36
  • Downloads (Last 6 weeks): 7

Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) Fewer Demands, More Chances: Active Eavesdropping in MU-MIMO Systems. Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks (162-173). DOI: 10.1145/3643833.3656136. Online publication date: 27-May-2024
  • (2024) Towards improving the security of wireless networks using secured session keys. Information Security Journal: A Global Perspective 34:1 (1-14). DOI: 10.1080/19393555.2024.2347682. Online publication date: 6-May-2024
  • (2022) Assessing certificate validation user interfaces of WPA supplicants. Proceedings of the 28th Annual International Conference on Mobile Computing And Networking (501-513). DOI: 10.1145/3495243.3517026. Online publication date: 14-Oct-2022
  • (2022) Exploring Wi-Fi WPA2-PSK protocol weaknesses. 2022 International Conference on Data Analytics for Business and Industry (ICDABI) (190-195). DOI: 10.1109/ICDABI56818.2022.10041465. Online publication date: 25-Oct-2022
  • (2022) Malware Spreading Model for Routers in Wi-Fi Networks. IEEE Access 10 (61873-61891). DOI: 10.1109/ACCESS.2022.3182243. Online publication date: 2022
  • (2022) Wireless LAN (WLAN). Guide to Internet Cryptography (99-119). DOI: 10.1007/978-3-031-19439-9_6. Online publication date: 26-Nov-2022
  • (2020) Wi-Fi Protected Access (WPA). Encyclopedia of Wireless Networks (1461-1463). DOI: 10.1007/978-3-319-78262-1_175. Online publication date: 30-Aug-2020
  • (2019) Practical Side-Channel Attacks against WPA-TKIP. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (415-426). DOI: 10.1145/3321705.3329832. Online publication date: 2-Jul-2019
  • (2019) Groundwork for Neural Network-Based Specific Emitter Identification Authentication for IoT. IEEE Internet of Things Journal 6:4 (6429-6440). DOI: 10.1109/JIOT.2019.2908759. Online publication date: Aug-2019
  • (2018) A Comprehensive Attack Flow Model and Security Analysis for Wi-Fi and WPA3. Electronics 7:11 (284). DOI: 10.3390/electronics7110284. Online publication date: 30-Oct-2018
