
Owfuzz: Discovering Wi-Fi Flaws in Modern Devices through Over-The-Air Fuzzing

Published: 28 June 2023

Abstract

Fuzzing is a practical approach to discovering flaws in the design and implementation of Wi-Fi protocols. However, existing Wi-Fi fuzzers are either vendor- or ecosystem-specific, and they cover only a subset of the 802.11 protocols and frame types. The growing complexity of Wi-Fi protocols, which have already evolved to Wi-Fi 6 and WPA3, calls for a free and comprehensive fuzzing tool for modern Wi-Fi devices. In this paper, we present such a tool, named Owfuzz. Unlike previous work, which mostly relies on firmware-emulation fuzzing or driver fuzzing, Owfuzz takes an over-the-air fuzzing approach. It can fuzz arbitrary Wi-Fi devices from any vendor and all three types of Wi-Fi frames (management, control, and data) defined in every version of the 802.11 standards, and it can be easily extended to support interactive testing of various protocol models. With Owfuzz, we have tested products from mainstream Wi-Fi chip and device vendors, leading to the discovery of 23 flaws. We have reported most of these flaws to the vendors concerned, and 8 CVE IDs have been assigned. Moreover, we have open-sourced Owfuzz to the community to facilitate future research.

Supplementary Material

MP4 File (WiSec23-wisecfp016.mp4)
Presentation video for Owfuzz: Discovering Wi-Fi Flaws in Modern Devices through Over-The-Air Fuzzing


Cited By

  • (2024) A Multi-layered Framework for Informing V2I Deployment Decisions Using Commercial Hardware-in-the-Loop Testing of RSUs. 2024 IEEE Vehicular Networking Conference (VNC), pp. 313-320. DOI: 10.1109/VNC61989.2024.10575957. Online publication date: 29 May 2024.
  • (2024) iTieProbe: How Vulnerable Your IoT Provisioning via Wi-Fi AP Mode or EZ Mode? IEEE Transactions on Information Forensics and Security, vol. 19, pp. 10058-10070. DOI: 10.1109/TIFS.2024.3471080. Online publication date: 2024.
  • (2023) Wireless Security Protocols WPA3: A Systematic Literature Review. IEEE Access, vol. 11, pp. 112438-112450. DOI: 10.1109/ACCESS.2023.3322931. Online publication date: 2023.

Published In

WiSec '23: Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
May 2023, 394 pages
ISBN: 9781450398596
DOI: 10.1145/3558482

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  • 802.11 fuzzing
  • Wi-Fi flaws
  • Wi-Fi security

Qualifiers

  • Research article

Conference

WiSec '23

Acceptance Rates

Overall acceptance rate: 98 of 338 submissions (29%)

Article Metrics

  • Downloads (last 12 months): 225
  • Downloads (last 6 weeks): 21

Reflects downloads up to 09 Jan 2025.
