SECURITY ATTACKS ON DIFFERENT Wi-Fi

PROTOCOLS
Prof.S. O. Rajankar
Dept. of Electronics and Telecommunication
Sinhgad College Of Engineering,
Vadgaon(Bk.), Pune-41,India

AbstractThis paper describes different

attacks that are possible on Wi-Fi protocols.
It mostly concentrates on attacks on WEP
and WPA as they are most popular protocols.
The third protocol is WPA 2 which is similar
to WPA except for some changes. This paper
is a study for the project of designing a
software for Wi-Fi audit.
Keywords- WEP, WPA, Packet building attacks,
Key Recovery attacks
I.INTRODUCTION

The security in Wi-Fi networks is a very

important subject, because nowadays Wi-Fi
networks are extensively used. Although there
are numerous protocols suggested for Wi-Fi
security, they fail to protect against various
attacks due to lack of upgradation. So to secure
the wi-fi that is deployed, first it has to be
checked for the vulnerability of it to the various
types of attacks that are popular and are
subjected to happen at present. Also the owner
of Wi-Fi need to know what type of security
measures he is currently provided with and what
type of security measures he needs to
incorporate in his Wi-Fi settings to ensure that
the deployed Wi-Fi is secure against various
attacks that may happen in the current scenario.
For this Attacks on Wi-Fi networks are
important to be deeply studied. In this seminar
the two prominently used Wi-Fi protocols and
attacks on them are studied.

There are total three protocols that

are deployed on the Wi-Fi:
1. WEP(Wired Equivalent Privacy)
2. WPA(Wireless Protected Access)
Mr. Nachiket Ketkar
Dept. of Electronics and Telecommunication
Sinhgad College Of Engineering,
Vadgaon(Bk.), Pune-41,India
nachiket.ketkar@gmail.com
.3 WPA2(Wireless Protected Access 2)

Out of these WEP is mostly used

protocol and thus many attacks are developed
against it. Though it is vulnerable, it is still
widely used because of its simplicity. The third
protocol i.e. WPA2 is similar to WPA in most
ways only a small difference makes it more
secure than WPA. Attacks on WPA and WPA2
are almost same with a more computational
complexity and less probability of success. So in
this seminar, only WEP and WPA are focused.
Aim of this paper is to study the attacks
on WEP and WPA and to see how WPA is better
than WEP. Also the seminar covers topics such
as encryption and decryption techniques used in
these protocols so it also covers the primary
knowledge of the protocols.
II. ATTACKS ON WEP
A. Key recovery attacks
1. FMS attack
Fluhrer, Mantin and Shamir published
the rst key recovery attack on WEP in 2001.
Their attack is based on the following ideas: An
attacker who listens passively to the trac of a
WEP protected network can record a lot of
encrypted packets including the initialization

vectors used for these packets. Because the rst

bytes of the plaintext of most packets are easily
predictable, the attacker is able to recover the
rst bytes of the keystreams used to encrypt
these packets. The initialization vector is
transmitted unprotected with the packets, so the
attacker initially also knows the rst 3 bytes of
the per packet key for all packets. All following
bytes of the per packet key are the same for all
packets, but are initially unknown to the
attacker.
This attack uses weaknesses in RC4. If
four conditions hold, he can then perform a
manipulation on RC4 that allows him to guess
with a five percent probability a byte of the key.
Using a system of vote, he can guess a probable
key and test it. If the key is not correct, he will
try another likely correct key and try again. To
be more specific, the attack works as follow: As
the attacker knows the first l bytes of the per
packet key, he can simulate the l first steps of
RC4-KSA.
The attack needs 4,000,000 to 6,000,000
packets to succeed with a success probability of
at least 50%, depending on the exact
environment and implementation .The reason for
this is that the resolved condition holds only for
a small amount of randomly chosen initialization
vectors.
2.Korek Attack
KoreK posted an implementation of an
advanced
WEP
attack
tool
to
the
netstumbler.org-forum. Basically this was an
advanced version of the FMS attack. FMS uses a
correlation between the rst x bytes of the preshared key, the rst byte of the key-stream and
the x + 1 byte of the pre-shared key. The Korek
attack uses several similar correlations,
including some that were previously discuss in
public, the one from the original FMS paper and
several ones that were found by KoreK himself.
The attack follows the same pattern as the FMS
attack: Correlations between the rst x preshared key bytes, the rst two bytes of the keystream and the byte x + 1 of the pre-shared key
are used to gather votes for dierent values for
the dierent bytes. The result is a decision tree
that allows the attacker to obtain the presahred

key with a trial and error method. With the

additional correlations the number of packets
with unique IVs necessary for a 50% success
chance is reduced to about 700000.
In 2004, a person under the pseudonym
KoreK posted an implementation of an advanced
WEP cracking tool in an internet forum. KoreK
used 16 additional correlations between the rst
l bytes of an RC4 key, the rst two bytes of the
generated keystream, and the next keybyte K[l].
Most of these correlations have been found by
KoreK himself, a few had been discussed in
public before. KoreK assigned names like A u15
or A s13 to these attacks, the original FMS
attack is called A s5 1 here. Nearly all
correlations found by KoreK use the approach
that the rst or second byte of the keystream
reveals the value of jl+1 under some conditions,
if 2-4 values in S have a special constellation
and are not changed during the remaining RC4KSA after step l + 1. An interesting exception is
the A_negative correlation, which doesnt vote
for a certain value of K[l]. Instead a value can be
excluded from the list of possible candidates for
K[l], which can be seen as a negative vote for
K[l]. The overall attack structure is the same
decision tree based approach as for the FMS
attack and let the attacker find the key faster..
The number of captured packets is reduced to
about 700,000 for 50% success probability.
Again, the exact numbers depend on the exact
environment and the implementation and
parameters used for the attack. One important
factor is if the initialization vectors are
generated by a PRNG algorithm or if they are
generated sequentially by a counter.
3.Kleins attack
In 2006, Klein showed a improved way
of attacking RC4 and WEP which does not
depend on any weak IV . The advantage of this
attack is the small number of packets required
for the recovery of the WEP key compared with
the FMS attack and the Korek attack.
Kleins attack is formed by the KSA and
PRGA rewinding. The attacker will then collect
the probed values for K[i], and finally select the
one with the highest vote. Note that to retrieve
the secret key byte K[i], this attack must
successfully recover the previous bytes

K[3],...,K[i 2],K[i 1]. Thus this attack has to

execute iteratively to retrieve the whole WEP
key. However this approach has a significant
disadvantage. If a wrong key byte is guessed by
the attack by mistake, the whole WEP key will
be probably mis-recovered due to the key byte
dependency. Thus, this attack has a problem of
the key byte dependency to retrieve the WEP
key.
4. PTW attack
To solve the Kleins computational
problem, Tews, Wein- mann and Pyshkin
proposed an attack which is reduced the
dependency among WEP bytes. Thus this attack
can independently recover the sum of the WEP
key bytes.
We describe the ow of the PTW attack.
To begin with, the PTW attack estimates the
internal state by only IV (Kleins attack uses IV
and the previous WEP key bytes), and
approximates this internal state as a later internal
state. After that it executes the KSA and PRGA
rewinding as same as Kleins attack to retrieve
the sum of the WEP key bytes.
This attack can retrieve the sum of the
WEP key bytes by using IV and the keystream
Z1 to Z15. Furthermore, the success probability
recovering the whole WEP key would increase
by utilizing the keystream Z16 to Z31, because
it can increase the number of vote counts.
However the success probability of the PTW
function decreases even if it guessed the correct
previous key byte. To solve this problem,
Teramura et al. proposed the TeAM-OK attack.

attack uses the access point (AP) to decipher

wireless Address Resolution Protocol (ARP)
packets. The attack chops off the packets last
byte and assumes that the encrypted byte is 0.
The attack corrects the packet on the basis of a
guess of 0, re-encrypts it, and sends it to the AP.
If the guess is correct, the AP retransmits the
packet because the attack is using a multicast
packet. In this case, the attacker knows the guess
was correct. If the AP drops the packet, the
attacker guesses 1 and restarts the process.
Consequently, the attacker can capture a WEP
encrypted frame and replay it multiple times to
decipher the payload one byte at a time.
Attackers can decode small ARP frames in 10 to
20 seconds without breaking the WEP key.

Fig.1 chopchop attack

B. Packet Building attacks
1.Chopchop attack
The Chopchop Attack The chopchop
attack
(www.aircrack-ng.org/doku.php?
id=korek_chopchop) exploits WEP encryption
by determining the PSK through trial and error,
rather than mathematically or cryptographically.
Figure 2 diagrams the attack. The chopchop

2. Fragmentation attack

Though a "fragmentation issue" had

already been mentioned before, the first
practical Fragmentation attack [1] was released
in 2005 by Bittau et al. in a paper called "The
final nail in WEP co-n". The attack works as
follow: At first, the attacker needs to eavesdrop
a packet. As all packet send in a 802.11 network
have similar headers, the attacker can
know/guess the first 8 bytes of clear text. By
XORing these 8 bytes with the 8 corresponding
bytes of cipher text we obtain 8 bytes of
keystream for a specific IV. Those 8 bytes of
keystream cannot be used to send a whole
packet on the network (it would be ridiculously
small). But the WEP protocol allows to send a
single packet in up to 16 fragments. Therefore,
we can use the 8 bytes of keystream we know to
broadcast a packet containing 64 bytes of know
text in 16 fragments. (We can only have 64 bytes
of known text because each fragment needs its 4
bytes long CRC32 checksum). When the AP
receives those 16 fragments, it will decipher
them, combine them into a single packet,
encrypt it and send it back on the network. This
packet is 68 bytes long (64 bytes of known text
and 4 bytes ICV). With a XOR, the attacker has
now 68 bytes of keystream for a given IV. By
repeating this process, the attacker can get up to
1500 bytes of keystream for a IV. When
knowing 1500 bytes of keystream for a given IV,
it is easy to get 1500 bytes of keystream for
other IVs by simply sending a broadcast packet
of 1500 bytes to the AP. The AP will then relay
this packet, but encrypted with a new IV.
As C M = K the attacker can get the
keystream for other IVs and build a dictionary,
allowing him to decipher every single packet on
the network, and also to create traffic.
3.Coolface attack
The Coolface attack uses the second
mode of WEP-authentication: Shared key. As
opposed to the Open System authentication, the
client has to resolve a challenge to be connected.
The AP sends to the client a challenge, and the
client will send back the encrypted challenge. If
it is correct, the AP accepts the connection. It is
a new opportunity for the attacker, who can get
both a plain- and an encrypted text. To switch

from Open System to Shared key mode, the

attacker can begin a denial of service against the
AP and then usurpate the AP's identity, thus
enabling the Shared key authentication.
Repeating this operation, the attacker builds an
IV-dictionary very fast !

4. Google replay attack

The Google Replay Attack is based on
the fact that any lambda user with an access to
the internet will do a Google search. A lot of
web users have the URL http://www.google.com
as home page. It means the Google logo, a 7330byte- image, is downloaded every time. With
this data, an attacker can easily recover a part of
the keystream, knowing plain- and encrypted
text. The main difficulty for the attacker is to
know exactly at which moment the client will
download the Google logo. He has to study the
structure of TCP/IP packets, and to wait for a
packet which size is exactly 7330 bytes.

II ATTACKS ON WPA
1. Beck and Tews' Improved Attack on
RC4
In 2008 Beck and Tews released an
attack on WPA. This is not a key recovery
attack, but still exploits weaknesses in TKIP to
allow the attacker to decrypt ARP packets and to
inject traffic into a network, even allowing him
to perform a DoS (Denial of Service) or an ARP
poisoning. In order to be practical, the attack
requires the Quality of Service (QoS) to be
enabled. The QoS is a feature of WPA standard
that allows several channels to be used. Each
channel has its own TSC. As channel 0 is used
for most of the traffic, it will be possible to
inject valid packets in other channels were the
TSC will likely be lower. The attack also
requires the Key Renewal Interval to be longer
than 15 minutes (the time needed to decrypt an
ARP packet with this attack). The attack works
as follow: First, the attacker deauthenticates a

station (STA). Then, the attacker can capture an

ARP packet. He will then perform a modified
Chopchop attack to recover the Integrity Check
Value (ICV) and MIC of the packet. When this
is done, the attacker will have to guess the last
part of the packet: the IP addresses. Eventually,
he reverses the MICHAEL algorithm and gets
the MIC key. Knowing the keystream and the
MIC key, the attacker can now inject custom
packets into the network, but only on channels
with a lower TSC. The reason why a modified
version of Chopchop must be used is that the
attack has to bypass the MIC countermeasure.
The modified Chopchop attack works as follow:
The attack works as an AP sending data to a
STA. It chops off the last byte of a packet as the
regular Chopchop attack does. When the correct
byte is guessed, the ICV of the truncated packet
is correct, but the MIC is not. This will cause the
STA to send a MIC failure report. So when the
attacker receives a MIC failure report, he knows
that his guess was correct. Then, he has to wait
for a minute in order to prevent the MIC
countermeasure from triggering. Eventually, he
can chop off a new byte, etc. Nevertheless, this
attack has limitations: the TSC limits the number
of packets that can be injected into the network
from 3 to 15 per QoS channel.

2. Ohigashi-Morii Attack
The Ohigashi-Morii Attack (2009) is an
improvement of the Beck-Tews attack on WPATKIP.Ohigashi and Morii developed a man-inthe- middle (MITM) attack that doesnt need
IEEE 802.11e QoS activated, thereby reducing
the overall attack time .Indeed, this new attack is
efficient for all modes of WPA and not just those
with QoS features. The time to inject a fake
packet is reduced to approximately 15 minutes
to 1 minute at the best. For this attack, a manin-the-middle attack is superposed to the BeckTews attack, with tips to reduce the execution
time of the attack. Figure 3 diagrams the basic
attack. This attack pre- vents chopchop packets
from reaching the client station and
disconnecting the victim station. It uses
directional antennas and selective packet replay.
It can relay or withhold packets from the station

or the AP as needed. (In this case, the TSC isnt

incremented by the received packets.) But in a
real-world scenario, finding a disconnected
client and getting between it and the AP is nearly
impossible. The attacker must be in range of the
station and the AP, and the station must be
outside the APs range. This severely limits ease
of use, raising the cost and exposure to the
attacker. However, difficult but not impossible
is just the type of opportunity well-funded
advanced persistent threats look for

Fig.2 Ohigashi-Morii Attack

3. The Hole196 Vulnerability

The Hole 196 vulnerability, found by
Sohail Ahmad (Airtight Networks) in 2010,
where the standard explains how the GTK is a
one-way key that protects multicast and
broadcast traffic. This attack isn't a keyrecovering attack, the attacker has to be an
authorized user of the network. First, he sends
an ARP request with his MAC-address and the
IP-address of the AP. So the other clients of the
AP will update their ARP tables, and will send
their packets to the MAC-address of the attacker.
So the attacker will receive the packets
decrypted by the AP and re-encrypted with his
key: he is also able to read them. It's a man-inthe-middle attack, and it works because
everyone can build and broadcast fake packets
with the GTK (shared group key).
All the wireless supplicants that have
joined the network know and store this key. The
standard mentions that the GTK doesnt provide
pair wise key support to protect from spoofing
or data forgery. Accordingly, a trusted insider
can spoof multicast messages protected by the
one-way GTK. The Hole 196 attack can enable
wireless ARP spoofing. Such spoofing monitors
all traffic and executes an MITM attack that uses
the AP to decode encrypted traffic. So, stations

acting on behalf of a malicious insider can forge

an ARP request packet that announces that their
machine is the gateway. Some call this a pickpocket attack (one person distracts the victim
while a third party easily empties the victims
pockets). This attack poisons the victim stations
ARP cache for the gateway.

begins the connection. The attacker can wait, or

launch a deauthenticate-attack against the client.
When he gets the hash, he can try to and the key
with a dictionary-attack, a rainbow-attack or one
of the multiple attacks that exist on hashed keys
in general.

4. Micheal attack
We wrote earlier that the Michael
algorithm is expected to produce a hash of some
plaintext. Nevertheless, in 2008, Beck and Tews
found a way of reversing the Michael algorithm.
And in 2010, Beck found a way to perform an
attack based upon the flaws in Michael.
Actually, he found that if the internal state of
Michael reaches a certain point, the Michael
algorithm resets. Therefore, we can inject some
text of our choice in a packet, add a string that
resets the Michael algorithm, then the packet is
changed but the Michael's result remains correct.
A complete protocol allowing to perform a
Michael Reset Attack is described in the Beck's
paper, but one has to notice that the
requirements of this attack are even tighter than
the requirements of a classic Beck and Tews
attack. Moreover, the simple fact of disabling
QoS renders this attack impossible.

Thus different Wi-Fi protocols and

attacks on them are studied. Also they are
classified so as to ensure that study becomes
simpler. It is observed that WEP is very much
vulnerable to the attacks as it is the simplest
protocol and hence very easy to crack. WPA is a
complex protocol and thus is hard to crack.
Previously the hardware was not supported for
WPA but nowadays hardware for WPA support
is also developed. Thus many of scientists
suggest that we should start using WPA and
WEP should not be used in the secure networks.

5. Dictionary attack against the

handshake

[1] Proposal of a Secure WEP Operation against

Existing Key Recovery Attacks and its
Evaluation by Tsubasa Tsukaune, Yasuke Todo
and Masakatu Morii, 2012 Seventh Asia joint
conference on information security.

It exists a key-recovery attack on WPA

(Pre-Shared Key version), when the key is a
word from a dictionary. Eavesdropping the
network, the goal of the attacker is to get a
handshake; the hash of the key swapped
between the client and the AP when the client

III CONCLUSION

IV. REFERENCES

[2] The insecurity of wireless networks by

Frederick T. Sheldon, John Mark Weber, SeongMoo Yoo and W. David Pan.