Abstract
Deauthentication attacks on the Wi-Fi protocol (IEEE 802.11) were pointed out in early 2003. In these attacks, an attacker usually impersonates a Wi-Fi access point (a.k.a. authenticator) and sends spoofed deauthentication frames to the connected Wi-Fi supplicants. The connected supplicants receive the frames and process them as if they had been sent by the legitimate access point. These frames instruct the connected Wi-Fi supplicants to invalidate their current association and authentication with the access point and to disconnect from the Wi-Fi network. This is possible due to the absence of authentication of management frames (which include deauthentication frames) in the currently used Wi-Fi security mechanisms (i.e., WPA and WPA2). To thwart these attacks, as well as many other Denial-of-Service attacks, an amendment standardized as IEEE 802.11w was published in 2009 as a set of new security mechanisms and procedures to enforce authentication, data freshness, and confidentiality for certain management frames. This amendment uses PMF (Protected Management Frames) to authenticate management frames and to prevent many management-frame-spoofing attacks, including deauthentication attacks. Although only a few Wi-Fi-certified devices have incorporated IEEE 802.11w as an optional mechanism, the new Wi-Fi security mechanism, WPA3, has made IEEE 802.11w mandatory to provide better protection against those Denial-of-Service attacks. In this paper, we demonstrate through various attack scenarios the feasibility of deauthentication attacks on PMF-enabled WPA2-PSK and WPA3-PSK networks. We provide interpretations to explain why the attacks are feasible and describe possible countermeasures to prevent them.
Notes
- 1.
There are four EAPoL messages exchanged between the supplicant and the authenticator during the 4-way handshake. Based on their order, these messages are often referred to as EAPoL M1, M2, M3, and M4.
- 2.
IEEE 802.11w only applies to Wi-Fi networks running Robust Security Networks (RSN), i.e., using WPA-TKIP or WPA-CCMP (WPA2 and WPA3).
- 3.
Note that PMF should not be confused with Cisco MFP (Management Frame Protection), which was developed in 2005. MFP has two modes: (1) Infrastructure mode, where the access point signs beacon frames and other broadcast management frames (to detect rogue access points); and (2) Client mode, where the AP signs the management frames sent to the client in addition to beacon and broadcast management frames.
- 4.
Request to send (RTS) and clear to send (CTS) form a mechanism used to reserve the radio channel for sending time-sensitive packets and to prevent collisions.
- 5.
There are three IEEE 802.11 states in which a supplicant can be: (1) State 1, where the supplicant is not authenticated and not associated with any access point. (2) State 2, where the supplicant is authenticated but not associated. (3) State 3, where the supplicant is both authenticated and associated.
- 6.
MSC (Message Sequence Chart) is a graphical language for the description of the interaction between different components of a system. This language is standardized by the ITU (International Telecommunication Union).
- 7.
The Cisco WAP150 is a Wi-Fi access point that uses MFP (Management Frame Protection), which is the Cisco implementation of PMF.
- 8.
We used different Reason Codes [0–254] and the impact was the same. For the experiments of Table 2, we used Reason Code 10.
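To make the mechanism described in the abstract and in notes 5 and 8 concrete, the following Python script is an added example written for this page; it is not the authors' code and not their Scapy scripts. It models a supplicant that has completed the 4-way handshake (State 3 of note 5) and receives deauthentication/disassociation frames. The frame layout follows IEEE 802.11 (frame control, duration, three addresses, sequence control, 2-byte reason code), but the 8-byte HMAC-SHA256 tag is a stand-in assumption for the real PMF protection (CCMP for unicast robust management frames, BIP for broadcast ones), and the MAC addresses and pairwise key are constructed. Nothing is transmitted; the point shown is why a spoofed, unprotected deauthentication frame is accepted when PMF is off and discarded once PMF is in effect.

```python
import hashlib
import hmac
import struct

# IEEE 802.11 frame-control values: type 0 = management, subtypes 10/12 = disassociation/deauthentication
FT_MGMT = 0
ST_DISASSOC = 10
ST_DEAUTH = 12
FC_PROTECTED = 0x4000   # "Protected Frame" bit (bit 14) of the 16-bit frame-control field
TAG_LEN = 8             # assumption: an 8-byte HMAC tag stands in for real CCMP/BIP protection

# The three supplicant states of note 5
STATE1, STATE2, STATE3 = 1, 2, 3   # unauth/unassoc, auth/unassoc, auth+assoc


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt_frame(subtype, da, sa, bssid, body, seq=0, protected=False):
    """Minimal 802.11 management frame: FC | duration | DA | SA | BSSID | seq-ctl | body (little-endian)."""
    fc = (FT_MGMT << 2) | (subtype << 4)
    if protected:
        fc |= FC_PROTECTED
    header = (struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa)
              + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    return header + body


def deauth_body(reason_code):
    """Deauthentication/disassociation body is just a 2-byte reason code (note 8 uses reason 10)."""
    return struct.pack("<H", reason_code)


def protect(ptk, frame):
    """Stand-in for PMF protection (assumption): append an HMAC-SHA256 tag keyed with the pairwise key."""
    return frame + hmac.new(ptk, frame, hashlib.sha256).digest()[:TAG_LEN]


def verify_tag(ptk, frame):
    if ptk is None or len(frame) < 24 + 2 + TAG_LEN:
        return False
    expected = hmac.new(ptk, frame[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, frame[-TAG_LEN:])


def parse_mgmt_frame(frame):
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & FC_PROTECTED),
        "da": frame[4:10], "sa": frame[10:16], "bssid": frame[16:22],
        "body": frame[24:],
    }


class Supplicant:
    """A station already in State 3 (4-way handshake of note 1 completed) receiving management frames."""

    def __init__(self, mac, bssid, pmf, ptk=None):
        self.mac, self.bssid = mac_bytes(mac), mac_bytes(bssid)
        self.pmf, self.ptk = pmf, ptk
        self.state = STATE3

    def receive(self, frame):
        f = parse_mgmt_frame(frame)
        if f["da"] != self.mac or f["bssid"] != self.bssid or f["sa"] != self.bssid:
            return "ignored: not from our AP or not addressed to us"
        if f["subtype"] not in (ST_DEAUTH, ST_DISASSOC):
            return "ignored: not a deauthentication/disassociation frame"
        if self.pmf:
            # 802.11w: once PMF is negotiated, unprotected deauth/disassoc frames must be discarded
            if not f["protected"]:
                return "dropped: unprotected robust management frame while PMF is in effect"
            if not verify_tag(self.ptk, frame):
                return "dropped: integrity check failed (not protected with our pairwise key)"
        reason = struct.unpack_from("<H", f["body"], 0)[0]
        # Deauthentication returns the station to State 1, disassociation only to State 2 (note 5)
        self.state = STATE1 if f["subtype"] == ST_DEAUTH else STATE2
        return "accepted: reason code %d, now in State %d" % (reason, self.state)


def run_scenarios():
    """Replay the same spoofed frame against a WPA2 station without PMF and a PMF-enabled station."""
    ap, sta = "02:00:00:00:aa:01", "02:00:00:00:bb:02"   # constructed, locally administered addresses
    ptk = bytes(range(32))                                # constructed stand-in for the real pairwise key
    spoofed = build_mgmt_frame(ST_DEAUTH, sta, ap, ap, deauth_body(10))   # attacker spoofs the AP address
    results = {}
    no_pmf = Supplicant(sta, ap, pmf=False)
    results["wpa2_no_pmf"] = (no_pmf.receive(spoofed), no_pmf.state)
    with_pmf = Supplicant(sta, ap, pmf=True, ptk=ptk)
    results["pmf_spoofed"] = (with_pmf.receive(spoofed), with_pmf.state)
    # Attacker sets the Protected Frame bit but cannot compute a valid tag without the PTK
    forged = protect(b"\x00" * 32, build_mgmt_frame(ST_DEAUTH, sta, ap, ap, deauth_body(10), protected=True))
    results["pmf_forged"] = (with_pmf.receive(forged), with_pmf.state)
    # Legitimate AP: protected with the shared PTK, so the station honours it
    legit = protect(ptk, build_mgmt_frame(ST_DEAUTH, sta, ap, ap, deauth_body(10), seq=1, protected=True))
    results["pmf_legit"] = (with_pmf.receive(legit), with_pmf.state)
    return results


if __name__ == "__main__":
    for name, (outcome, state) in run_scenarios().items():
        print("%-12s %s" % (name, outcome))
```

The model implements only the behaviour 802.11w intends: the attacker's unprotected frame is dropped and the forged "protected" frame fails its integrity check. The paper's contribution, as the abstract states, is that real PMF-enabled WPA2-PSK and WPA3-PSK implementations can still be driven to deauthenticate in the attack scenarios it describes.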
© 2022 Springer Nature Switzerland AG
Cite this paper
Lounis, K., Ding, S.H.H., Zulkernine, M. (2022). Cut It: Deauthentication Attacks on Protected Management Frames in WPA2 and WPA3. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_16
DOI: https://doi.org/10.1007/978-3-031-08147-7_16
Print ISBN: 978-3-031-08146-0
Online ISBN: 978-3-031-08147-7