Researchers crack Wi-Fi security protocol
- 15 February, 2002 15:01
A University of Maryland professor and his graduate student have apparently uncovered serious weaknesses in the next-generation Wi-Fi (Wireless Fidelity) security protocol known as 802.1x.
In a paper, "An Initial Security Analysis of the IEEE 802.1X Standard" funded by the National Institute of Standards, Professor William Arbaugh and his graduate assistant Arunesh Mishra outline two separate scenarios that nullify the benefits of the new standard and leave Wi-Fi networks wide open to attacks.
The use of public access "hot spots" are particularly vulnerable to session hijacking because these locations do not even deploy the rudimentary WEP (Wired Equivalent Privacy) protocol.
"This problem exists whether you use WEP or not, but it is trivial to exploit if not using WEP," said Arbaugh.
Dubbed "session hijacking" and "man-in-the-middle," both attacks basically exploit inherent problems in Wi-Fi as well as exploiting how the new 802.1x standard is designed.
"Here's how session hijacking works. The hacker waits for someone to finish successfully the authentication process. Then you as the attacker send a disassociate message, forging it to make it look like it came from the AP [access point]. The client [user] thinks they have been kicked off, but the AP thinks the client is still out there. As long as WEP is not involved you can start using that connection up until the next time out, usually about 60 minutes," said Arbaugh.
A session hijacking can occur because of the so-called race conditions between the 802.1x and 802.11 state machines. Arbaugh uses the analogy of a thief and a store owner racing for the front door at the same time. If the owner gets there first he locks the thief out, if the thief gets there first he steals everything. Because the client and the AP aren't synchronized, "loose consistency," the thief can tell the owner/client to go away and the AP still thinks he is there.
"The robber gets there first," said Arbaugh.
The second form of attack is called man-in-the-middle, and while Brian Grimm, a spokesman for WECA [Wireless Ethernet Compatibility Alliance] said that the Wi-Fi association was aware of the problem and that it had already been fixed, Arbaugh said he had not heard from WECA but that he "would be shocked if they solved the problem."
The man-in-the-middle attack works because 802.1x uses only one-way authentication. In this case, the attacker acts as an AP to the user and as a user to the AP.
"The trust assumption that is reflected from this design is that the access points are trusted entities, which is a misjudgement. The entire framework is rendered insecure if the higher-layer protocol also performs a one-way authentication," according to the Arbaugh, Mishra paper.
One industry analyst was not surprised by the lack of security that 802.1x offers.
"It [802.1x] is a security feature but everybody already knew it wasn't really the only thing you need to do," said Gemma Paulo, an industry analyst specializing in networks at Instat in Scottsdale, Ariz.
(Other than the initial response downplaying the seriousness of the security breach from the WECA spokesman, no other response was given. Grimm said an expert would return InfoWorld's call, but no additional response was received at press time.)The real problem is the fundamental way in which Wi-Fi works, according to Arbaugh. Although rapid rekeying of WEP keys, for example, which will be implemented in the next security standard called TKIP [Temporal Key Integrity Protocol], makes it more difficult to crack, Arbaugh said the entire design is just not good security.
"You are relying on a confidentiality mechanism, and in general that is considered bad design," he said.
The next generation of security is TKIP and is backward-compatible with current Wi-FI products and upgradeable with software. TKIP is a rapid re-keying protocol that changes the encryption key about every 10,000 packets, according to Dennis Eaton, WECA chairman.
TKIP will be available in the second quarter, said Eaton.
But Arbaugh says TKIP does not eliminate the fundamental flaw in Wi-Fi security.
"If anybody breaks TKIP, they not only break the confidentiality but they also break the access control and authentication so one break breaks everything. That is not good design. Each security mechanism should stand on its own," he said.
Longer term, the IEEE Standards body intends to adopt AES [Advanced Encryption Standard], the same security protocol sponsored by the National Institute of Standards.
"AES is state of the art encryption technology," said WECA chairman Eaton.
But AES requires hardware acceleration using a co-processor to off-load the encryption and decryption or it would slow the throughput down to an unacceptable level, according to Eaton as well as Instat's Paulo. It also requires new Wi-Fi cards in the client devices. AES will be available in the first quarter of 2003.
Arbaugh said the 802.1x specification proves what he and Mishra say in their paper is correct.
"If you look at the 802.1x, they tell you the 1x protocol is insecure when used in a shared medium environment unless a security association is established. Since 802.11 doesn't do that, so by IEEE's own words it is insecure," Arbaugh said.
The specification reads as follows on page 35, section 7.9, lines 34-39.
"However, it should be noted that such use can only be made secure if communications between the Supplicant [Client] and Authenticator [Access Point] systems takes place using a secure association.
Attempting to use EAPOL in a shared medium environment that does not support the use of secure associations renders Port-based network access control highly vulnerable to attack ..."
See www.drizzle.com/~aboba/IEEE/802-1x-d11.pdf for the entire specification.