Blit-Tech logo

WiFi Insecurity

A tour of common attacks on WiFi networks

Blit-Tech logo

Information Security Consultant @ Blit-Tech

Software Developer @ Shelter Insurance


What we are doing

Over of WiFi security standards and issues

Krack a network and read packets

No Physical Access Control

Maybe the only issue that is fundamental to wireless security

Most attacks use this to their advantage


Don't use this!!


The Core Problem is IV is used incorrectly

Key Reuse with RC4


Wi-Fi Protected Access

WPA Modes

  • WPA-Personal: Static pre-shared key (aka. password). Most common in homes and coffee shops.
  • WPA-Enterprise: Requires and authentication server, has lots of modes.
  • WPS: Wi-Fi Protected Setup. Uses and 8-digit PIN. Broken, disable if you can.

WPA's Keys

  • PMK: Pairwise Master Key, derived from the password (WPA-Personal) or the EAP parameters.
  • PTK: Pairwise Transient Key, PMK || ANonce || SNonce || AP MAC || Station MAC, used to encrypt traffic
  • GTK: Group Temporal Key, used to encrypt/decrypt broadcast traffic. Generated by the AP

The WPA Handshake

  1. The AP sends a nonce ANonce and a Key Replay Counter to the station.
  2. The station constructs the PTK. The station sends a nonce SNonce, a MIC and the Key Replay Counter to the AP.
  3. The AP verifies message 2 and then sends the GTK and another MIC to the station.
  4. The station verifies the AP's message and sends a confirmation


The Future!

Thank you Mathy Vanhoef

More Secure Handshake

Eliminates offline dictionary attacks and provides forward secrecy using SAE

Replace WPS

A little complicated, but is based on the devices wanting to connect providing a public key to the router

Unauthenticated Encryption

Not sure how this will work, but Opportunistic Wireless Encryption (OWE) is a strong candidate

What wasn't discussed

  • WPS Pin Brute forcing
  • TKIP Weaknesses
  • Captive Portals
  • Router-specific issues
  • Lesser known issues
  • "Regular" network attacks

Demo Time!