Research article. DOI: 10.1145/3212480.3212493

Operating Channel Validation: Preventing Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks

Published: 18 June 2018

Abstract

We present a backwards compatible extension to the 802.11 standard to prevent multi-channel man-in-the-middle attacks. This extension authenticates parameters that define the currently in-use channel.
Recent attacks against WPA2, such as most key reinstallation attacks, require a man-in-the-middle (MitM) position between the client and Access Point (AP). In particular, they all employ a multi-channel technique to obtain the MitM position. In this technique, the adversary acts as a legitimate AP by copying all frames sent by a real AP to a different channel. At the same time, the adversary acts as a legitimate client by copying all frames sent by the client to the channel of the real AP. When copying frames between both channels, the adversary can reliably manipulate (encrypted) traffic. We propose an extension to the 802.11 standard to prevent such multi-channel MitM attacks, making exploitation of future weaknesses in protected Wi-Fi networks harder, if not practically infeasible. Additionally, we propose a method to securely verify dynamic channel switches that may occur while already connected to a network.
Finally, we implemented a prototype of our extension on Linux for both the client and AP to confirm practical feasibility.
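
The receiver-side check the abstract describes can be sketched as follows. This is an added illustration, not the authors' prototype or the 802.11 wire format: the three one-byte channel fields, the truncated HMAC-SHA256 standing in for the handshake MIC, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple

MIC_LEN = 16  # truncated HMAC-SHA256 stands in for the handshake MIC (assumption)

class Channel(NamedTuple):
    op_class: int  # operating class: encodes band and channel width
    primary: int   # primary channel number
    seg1: int      # frequency segment 1 channel number, 0 when unused

def _mic(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]

def protect(key: bytes, body: bytes, tx_chan: Channel) -> bytes:
    """Sender: append the channel it operates on, then authenticate everything."""
    data = body + struct.pack("BBB", *tx_chan)
    return data + _mic(key, data)

def validate(key: bytes, frame: bytes, rx_chan: Channel) -> str:
    """Receiver: check the MIC, then compare the claimed channel with the
    channel the radio actually received this frame on."""
    if len(frame) < 3 + MIC_LEN:
        return "reject: truncated"
    data, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    if not hmac.compare_digest(mic, _mic(key, data)):
        return "reject: bad MIC"
    if Channel(*struct.unpack("BBB", data[-3:])) != rx_chan:
        return "reject: channel mismatch"
    return "accept"

# Constructed scenario: the real AP is on channel 6, the relay rebroadcasts on 11.
KEY = bytes(range(16))            # constructed session key
AP_CHAN = Channel(81, 6, 0)       # constructed sample values
ROGUE_CHAN = Channel(81, 11, 0)
frame = protect(KEY, b"handshake-msg", AP_CHAN)

def scenarios() -> dict:
    # Same frame with only the channel field rewritten and the old MIC kept.
    forged = frame[:-MIC_LEN - 3] + struct.pack("BBB", *ROGUE_CHAN) + frame[-MIC_LEN:]
    return {
        "direct": validate(KEY, frame, AP_CHAN),
        "relayed unmodified": validate(KEY, frame, ROGUE_CHAN),
        "relayed, channel field rewritten": validate(KEY, forged, ROGUE_CHAN),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

A frame copied unchanged to another channel keeps a valid MIC but fails the channel comparison, and rewriting the channel field to match breaks the MIC, so both relay variants are rejected.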



Published In

WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks
June 2018
317 pages
ISBN: 9781450357319
DOI: 10.1145/3212480

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WiSec '18

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%

Article Metrics

  • Downloads (Last 12 months): 39
  • Downloads (Last 6 weeks): 1
Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 2072-2086. DOI: 10.1145/3658644.3670380. Online publication date: 2-Dec-2024
  • (2024) Position-based Rogue Access Point Detection. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 436-442. DOI: 10.1109/EuroSPW61312.2024.00055. Online publication date: 8-Jul-2024
  • (2024) A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks. IEEE Access 12, pp. 23096-23121. DOI: 10.1109/ACCESS.2024.3362803. Online publication date: 2024
  • (2024) A distributed and cooperative signature-based intrusion detection system framework for multi-channel man-in-the-middle attacks against protected Wi-Fi networks. International Journal of Information Security 23:6, pp. 3527-3546. DOI: 10.1007/s10207-024-00899-9. Online publication date: 14-Aug-2024
  • (2023) Countering Relay and Spoofing Attacks in the Connection Establishment Phase of Wi-Fi Systems. Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 275-285. DOI: 10.1145/3558482.3590185. Online publication date: 29-May-2023
  • (2023) CheckShake: Passively Detecting Anomaly in Wi-Fi Security Handshake Using Gradient Boosting Based Ensemble Learning. IEEE Transactions on Dependable and Secure Computing 20:6, pp. 4868-4880. DOI: 10.1109/TDSC.2023.3236355. Online publication date: Nov-2023
  • (2023) Closed WiFi Hotspot - Truly Hidden Network. 2023 IEEE International Conference on Consumer Electronics (ICCE), pp. 01-06. DOI: 10.1109/ICCE56470.2023.10043474. Online publication date: 6-Jan-2023
  • (2023) Multi-channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks and Their Attack Signatures. Computer, Communication, and Signal Processing. AI, Knowledge Engineering and IoT for Smart Systems, pp. 269-285. DOI: 10.1007/978-3-031-39811-7_22. Online publication date: 28-Aug-2023
  • (2022) Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement. Proceedings on Privacy Enhancing Technologies 2022:2, pp. 325-343. DOI: 10.2478/popets-2022-0048. Online publication date: 3-Mar-2022
  • (2022) On the Robustness of Wi-Fi Deauthentication Countermeasures. Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 245-256. DOI: 10.1145/3507657.3528548. Online publication date: 16-May-2022
