A tour of common attacks on WiFi networks
Information Security Consultant @ Blit-Tech
Software Developer @ Shelter Insurance
What we are doing
Overview of WiFi security standards and issues
Krack a network and read packets
No Physical Access Control
Maybe the only issue that is fundamental to wireless security
Most attacks use this to their advantage
The core problem is that the IV is used incorrectly
Key Reuse with RC4
Wi-Fi Protected Access
- WPA-Personal: Static pre-shared key (aka. password). Most common in homes and coffee shops.
- WPA-Enterprise: Requires an authentication server, has lots of modes.
- WPS: Wi-Fi Protected Setup. Uses an 8-digit PIN. Broken, disable if you can.
- PMK: Pairwise Master Key, derived from the password (WPA-Personal) or the EAP parameters.
- PTK: Pairwise Transient Key, derived from PMK || ANonce || SNonce || AP MAC || Station MAC, used to encrypt traffic
- GTK: Group Temporal Key, used to encrypt/decrypt broadcast traffic. Generated by the AP
The WPA Handshake
- The AP sends a nonce, ANonce, and a Key Replay Counter to the station.
- The station constructs the PTK. The station sends a nonce, SNonce, a MIC and the Key Replay Counter to the AP.
- The AP verifies message 2 and then sends the GTK and another MIC to the station.
- The station verifies the AP's message and sends a confirmation.
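The key derivation and MIC check behind the handshake steps above, as an added Python example (not from the original slides): the MAC addresses, nonces and the EAPOL-Key message 2 frame are constructed, and the PMK uses the 802.11 "password"/"IEEE" test vector.

```python
import hashlib
import hmac

MIC_OFF = 81  # EAPOL header (4 bytes) + Key Descriptor fields preceding the Key MIC (77 bytes)

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from PMK, ANonce, SNonce, AP MAC and station MAC (CCMP needs 384 bits).
    MACs and nonces are sorted so both sides derive the same key whichever arrived first."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # KCK authenticates handshake messages, KEK wraps the GTK in message 3, TK encrypts data
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 Key MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, first 16 bytes."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def verify_mic(kck: bytes, frame: bytes) -> bool:
    """The check the AP runs on message 2 and the station runs on message 3."""
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFF:MIC_OFF + 16])

def build_message2(kck: bytes, snonce: bytes, replay_counter: int) -> bytes:
    """Constructed EAPOL-Key message 2 (empty Key Data) with its MIC filled in using the KCK."""
    body = (b"\x02"                                  # descriptor type: RSN
            + b"\x01\x0a"                            # key info: MIC bit, pairwise, HMAC-SHA1 MIC
            + b"\x00\x00"                            # key length (0 in message 2)
            + replay_counter.to_bytes(8, "big")      # echoes the AP's Key Replay Counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # Key Nonce, Key IV, Key RSC, Key ID
            + bytes(16) + b"\x00\x00")               # MIC placeholder, Key Data length 0
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type EAPOL-Key
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]

# Constructed sample values, not a real capture; PMK uses the 802.11 "password"/"IEEE" test vector
PMK = derive_pmk("password", "IEEE")
AP_MAC, STA_MAC = bytes.fromhex("02a0c9000001"), bytes.fromhex("02a0c9000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
KEYS = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)
MSG2 = build_message2(KEYS["kck"], SNONCE, 1)
```

Only the PMK is secret here: the nonces, MACs and MIC all cross the air in the clear, so the MIC acts as a password check for anyone holding a capture, which is the offline dictionary attack the next slide's SAE handshake was designed to remove.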
More Secure Handshake
Eliminates offline dictionary attacks and provides forward secrecy using SAE
A little complicated, but it is based on each device that wants to connect providing a public key to the router
Not sure how this will work, but Opportunistic Wireless Encryption (OWE) is a strong candidate
What wasn't discussed
- WPS PIN brute forcing
- TKIP Weaknesses
- Captive Portals
- Router-specific issues
- Lesser known issues
- "Regular" network attacks