Note that these are generic attacks. Proprietary solutions, such as those used to implement “roaming” across multiple access points, have their own vulnerabilities which are beyond the scope of this paper.
| Attack | Type | Layer | Mitigation | Comments |
|---|---|---|---|---|
| Interference (RF Jamming) | DoS | 1 (PHY) | None | Problem: Simple RF interference from a naturally occurring or intentional source. Examples include: fluorescent lighting, wireless phones, RF generators. Mitigation: There is no automatic mitigation for the vulnerability. The victim user must track down and physically eliminate the source of the interference. If the source is naturally occurring, the network has to adapt (change frequencies, location, technologies, etc.). |
| Deauthentication Attacks | DoS | 2 (MAC) | Addition of a wait queue for deauthentication frames; authentication of management frames | Problem: Deauthentication frames are sent as clear text and without verification (authentication), so they are simple to spoof. Mitigation: Addition of a wait queue for deauthentication packets sets the request in “hold” status, which subsequent legitimate traffic would invalidate. If no traffic is received for a certain period of time, the “hold” is assumed to be valid and the client is deauthenticated from the access point. (Note: this protection is not currently part of standard implementations, but is easier to perform than the one below. Requires modification of the AP firmware and/or use of third party software.) Mitigation: Authentication (cryptographic signing) of management frames (including deauthentication frames) limits the authority of the source of those frames. In other words, a specific client would be able to de-authenticate itself but not another client. (Note: this protection is not currently part of standard implementations. Requires modification of firmware and/or use of third party software.) Source: http://ramp.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-color.pdf |
| Disassociation Attacks | DoS | 2 (MAC) | Authentication of management frames | Problem: Association and disassociation frames are sent as clear text, without authentication, so disassociation attacks are simple to spoof. This is considered to be less effective than a deauthentication attack, as recovery from disassociation only requires the client to reassociate with an access point it is already authenticated to. A deauthentication attack requires much more “work” on the client’s part to recover from. Mitigation: Authentication (cryptographic signing) of management frames (including disassociation frames) limits the authority of the source of those frames. In other words, only the specific client and the access point would be able to disassociate the client. (Note: this protection is not currently part of standard implementations. Requires modification of firmware and/or use of third party software.) Source: http://ramp.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-color.pdf |
| Virtual Carrier Sense Attacks – Unreasonable NAV durations | DoS | 2 (MAC) | Requiring/enforcing reasonable NAVs; authentication of management frames | Problem: Request To Send (RTS), Clear To Send (CTS), and Acknowledgement (ACK) frames have no limitations on their Network Allocation Vector (NAV) durations when requesting use of the medium. NAVs can be viewed as “time allotment requests” in RTS and CTS frames which reserve the broadcast medium for a specific amount of time. This causes other nodes to remain silent while the node with authority to “speak” transmits its data. By forging RTS or CTS frames with unreasonable NAV durations, an attacker can tie up most (or all) of the available broadcast time in a broadcast space. Mitigation: Require/enforce reasonable NAV time requests. (Note: this protection is not currently part of standard implementations. Requires modification of firmware and/or use of third party software.) Mitigation: Authentication (cryptographic signing) of management frames (including deauthentication frames) limits the authority of the source of RTS, CTS, and ACK frames. (Note: this protection is not currently part of standard implementations. Requires modification of firmware and/or use of third party software.) Source: http://ramp.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-color.pdf |
| Virtual Carrier Sense Attacks – RTS/CTS/ACK floods | DoS | 2 (MAC) | None | Problem: The CSMA/CA feature can be abused by flooding the broadcast space with RTS/CTS/ACK frames without waiting for responses from the AP or other clients. All other nodes in the broadcast space will politely remain quiet until the attacker “goes away”. Mitigation: None. |
| Power Save Mode Attacks - Spoofed poll messages | DoS | 2 (MAC) | Authentication of management frames | Problem: To save power, clients are allowed to enter “sleep” mode. Clients tell the access point they are doing this and then periodically “wake up” and poll the access point for any of its traffic buffered by the access point. By spoofing a client’s polling message before the client can do so, an attacker can cause an access point to effectively dump the buffered traffic “on the floor” while the client is still “sleeping”. Source: http://ramp.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-color.pdf |
| Power Save Mode Attacks – Spoofed TIM packets | DoS | 2 (MAC) | Authentication of management frames | Problem: Access points indicate buffered packets by transmitting Traffic Indication Map (TIM) packets, which cause the “sleeping” client to wake up and collect the buffered data. An attacker can convince a victim client that there is no buffered traffic by forging the TIM packet and indicating “no traffic”. The client would then remain in sleep mode for a longer period of time. Mitigation: Authentication of management frames limits the source of TIM packets to the appropriate access point. (Note: this protection is not currently part of standard implementations. Requires modification of firmware and/or use of third party software.) |
| Power Save Mode Attacks – Spoofed timestamp packets | DoS | 2 (MAC) | Authentication of management frames | Problem: An access point keeps its client(s) “in sync” by periodically transmitting timestamp broadcasts. These are used by the clients to decide how long to sleep in power save mode and for other functions. An attacker can forge timestamp broadcasts and cause clients to drift “out of sync”. Mitigation: Authentication (cryptographic signing) of management frames limits the source of timestamp broadcasts to the appropriate access point. (Note: this protection is not currently part of standard implementations. Requires modification of firmware and/or use of third party software.) Source: http://ramp.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-color.pdf |
| Man-in-the-middle (MITM) Attacks | Session Hijacking | 2 + | Authentication of frames | Problem: Similar to early versions of Ethernet, 802.11 behaves like a wired “dumb” hub in that all nodes in a broadcast space can “see” traffic from all other nodes in that same broadcast space. Combined with the default trust of the client, any node that claims to be an Access Point will be treated as one. This allows an attacker to insert his node between the client and the actual Access Point and act as an intermediary. Even PPTP and IPSec are vulnerable to MITM attacks. Mitigation: Authentication (cryptographic signing) of frames at layer 2. |
| Plain old theft of service | Theft | 1-7 | Authentication of frames; authentication to network | Problem: If there is no requirement for authentication or some form of encryption to join the wireless network, eventually someone will discover the network and use it for their own purposes (surfing, spamming, scanning/attacking other networks). Mitigation: Require authentication and/or the use of a VPN to join and/or access network assets. |
| Interception of traffic | Theft | 1-7 | Encryption of data or frames | Problem: Sometimes attackers are only intent on capturing the data traversing the network. Usernames/passwords, credit card numbers and Privacy Act data are common targets of this type of attack. Because of the hub-like nature of the broadcast space, attackers can passively “sniff” the traffic without joining the network. Mitigation: Use of encryption at layer 2 or above. Depending on the data and the “remoteness” of the receiving server, the type of suitable encryption will vary (e.g., across a local “trusted” network or across the Internet). |
| Impersonation of a node | Theft | 2+ | Authentication of frames | Problem: Limiting access via MAC address tables is ineffective as a protection because an attacker can passively sniff traffic to gather authorized MAC addresses and then either wait until an authorized node goes offline or knock an authorized node offline via one of the DoS attacks in this table. Mitigation: Authentication (cryptographic signing) of frames at Layer 2 requires that a node “know” the cryptographic key prior to being able to join the network. |
| Null probe attacks | DoS | 2 | Update firmware | Problem: Some APs will lock up if an attacker transmits a probe request containing a null SSID. Mitigation: Patch/upgrade the AP firmware. |
| Fake APs | DoS | 2 | Authentication of frames | Problem: This is both an attack and a defense in which the wireless network is flooded with beacon frames, making it appear to contain hundreds of access points. This is a defense if the nodes are statically assigned an SSID and the intent is to confuse any outsider trying to join the network. However, this defense will fail over time, as passive monitoring of traffic will reveal the usable SSID (unless it is encrypted). This is an attack if the nodes dynamically join the wireless network. (The node will not be able to determine which SSID is the legitimate one.) Mitigation: Authentication (cryptographic signing) of frames at Layer 2. The node would then be able to detect the proper AP. This may or may not work, as it requires the client to check each packet for the proper signature. |
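As an added illustration of the two deauthentication mitigations in the table (the “hold” queue and cryptographic signing of management frames) together with the “reasonable NAV” check from the virtual carrier sense row, here is a small Python model of an access point's receive path. It is not code from the paper or from any AP vendor: the addresses, per-client keys, the HMAC-SHA256 signing construction, the 3 ms NAV ceiling and the 2 s hold period are all hypothetical choices made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed, hypothetical addresses and per-client keys. In a real deployment the
# signing key would be derived for each station during its (authenticated) association.
AP_ADDR = "00:11:22:33:44:01"
CLIENT_AA = "00:11:22:33:44:aa"
CLIENT_BB = "00:11:22:33:44:bb"
CLIENT_KEYS = {CLIENT_AA: b"client-aa-secret", CLIENT_BB: b"client-bb-secret"}

MAX_NAV_US = 3_000    # hypothetical ceiling for one RTS/CTS reservation, in microseconds
DEAUTH_HOLD_S = 2.0   # hypothetical hold period before a deauthentication takes effect


@dataclass
class Frame:
    ftype: str          # "deauth", "data", "rts" or "cts"
    src: str
    dst: str
    seq: int
    nav_us: int = 0     # NAV duration requested by RTS/CTS frames
    mic: bytes = b""    # message integrity code over the management frame


def sign(frame: Frame, key: bytes) -> bytes:
    """HMAC-SHA256 over the fields an attacker would need to forge."""
    msg = f"{frame.ftype}|{frame.src}|{frame.dst}|{frame.seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(frame: Frame) -> bool:
    """Only the key of the claimed source station can produce a valid MIC."""
    key = CLIENT_KEYS.get(frame.src)
    return key is not None and hmac.compare_digest(sign(frame, key), frame.mic)


class HardenedAP:
    def __init__(self):
        self.associated = set(CLIENT_KEYS)
        self.last_seq = {}          # src -> highest sequence number seen (replay check)
        self.pending_deauth = {}    # src -> time at which the held deauth becomes effective

    def expire_holds(self, now: float):
        """A held deauth that saw no later traffic from the client is honoured."""
        for src, effective_at in list(self.pending_deauth.items()):
            if now >= effective_at:
                self.associated.discard(src)
                del self.pending_deauth[src]

    def receive(self, frame: Frame, now: float) -> str:
        self.expire_holds(now)
        if frame.ftype in ("rts", "cts"):
            # Enforce a reasonable NAV instead of honouring any requested duration.
            return "drop:unreasonable-nav" if frame.nav_us > MAX_NAV_US else "accept"
        if frame.ftype == "deauth":
            if not verify(frame):
                return "drop:bad-mic"
            if frame.seq <= self.last_seq.get(frame.src, -1):
                return "drop:replay"
            self.last_seq[frame.src] = frame.seq
            if frame.src not in self.associated:
                return "drop:not-associated"
            # Do not deauthenticate immediately: queue the request on hold.
            self.pending_deauth[frame.src] = now + DEAUTH_HOLD_S
            return "hold"
        if frame.ftype == "data":
            # Legitimate traffic from the client invalidates a pending deauth.
            if self.pending_deauth.pop(frame.src, None) is not None:
                return "accept:deauth-cancelled"
            return "accept"
        return "drop:unknown-type"


def signed_deauth(src: str, seq: int, key: bytes) -> Frame:
    f = Frame("deauth", src, AP_ADDR, seq)
    f.mic = sign(f, key)
    return f


def demo() -> dict:
    """Walks through the cases from the table; returns the AP's verdicts for checking."""
    ap = HardenedAP()
    out = {}
    # A forged deauth for client AA, signed without AA's key, is rejected outright.
    out["spoofed"] = ap.receive(signed_deauth(CLIENT_AA, 1, b"attacker-guess"), now=0.0)
    # Client AA's own signed deauth is placed on hold rather than acted on.
    out["held"] = ap.receive(signed_deauth(CLIENT_AA, 2, CLIENT_KEYS[CLIENT_AA]), now=1.0)
    # AA keeps sending data inside the hold period, so the deauth is discarded.
    out["cancelled"] = ap.receive(Frame("data", CLIENT_AA, AP_ADDR, 3), now=2.0)
    out["aa_associated"] = CLIENT_AA in ap.associated
    # Client BB really leaves: signed deauth followed by silence past the hold period.
    ap.receive(signed_deauth(CLIENT_BB, 1, CLIENT_KEYS[CLIENT_BB]), now=3.0)
    ap.receive(Frame("rts", CLIENT_AA, AP_ADDR, 4, nav_us=500), now=6.0)
    out["bb_associated"] = CLIENT_BB in ap.associated
    # An RTS asking to reserve far more airtime than allowed is refused.
    out["nav"] = ap.receive(Frame("rts", CLIENT_AA, AP_ADDR, 5, nav_us=30_000), now=7.0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The sequence-number check is there because a signature alone does not stop an attacker from replaying a captured, validly signed deauthentication frame; the table does not discuss replay, so treat that part as the example's own addition.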
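The table lists no mitigation for RTS/CTS/ACK floods and notes that deauthentication and disassociation frames are trivially spoofed; what a defender can still do is detect these floods from a monitor-mode capture and locate the source. The sliding-window detector below is an added example (not from the paper) run over a constructed frame log; the per-type thresholds and the one-second window are hypothetical tuning values that a real deployment would set from its own baseline.

```python
from collections import defaultdict, deque

# Hypothetical per-second thresholds: a handful of deauth/disassoc frames from one
# address is already suspicious, while RTS/CTS are normal at much higher rates.
THRESHOLDS = {"deauth": 10, "disassoc": 10, "rts": 100, "cts": 100}
WINDOW_S = 1.0


def detect_floods(records):
    """records: iterable of (timestamp_s, frame_type, src_addr) sorted by timestamp.

    Returns one alert per (source, frame type) the first time its count inside the
    trailing window exceeds the threshold for that frame type.
    """
    windows = defaultdict(deque)   # (src, ftype) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, ftype, src in records:
        if ftype not in THRESHOLDS:
            continue                # data frames and the like are not rate-checked
        key = (src, ftype)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW_S:
            q.popleft()             # slide the window forward
        if len(q) > THRESHOLDS[ftype] and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "type": ftype, "count": len(q), "at": ts})
    return alerts


def sample_capture():
    """Constructed frame log: benign data, one legitimate deauth, a deauth burst from
    one address and a CTS burst (no responses awaited) from another."""
    recs = []
    for i in range(20):
        recs.append((i * 0.1, "data", "00:11:22:33:44:aa"))
    recs.append((0.3, "deauth", "00:11:22:33:44:bb"))
    for i in range(30):
        recs.append((0.5 + i * 0.01, "deauth", "de:ad:be:ef:00:01"))
    for i in range(150):
        recs.append((1.0 + i * 0.002, "cts", "de:ad:be:ef:00:02"))
    return sorted(recs)


if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(f"{alert['at']:.3f}s  {alert['type']} flood from {alert['src']} "
              f"({alert['count']} frames in {WINDOW_S}s)")
```

The single legitimate deauthentication frame never trips the detector, while the two bursts each produce exactly one alert naming the transmitting address; in practice that address is only a starting point, since the frames in the table are spoofable by design.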