WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Black Hat USA 2017

Presented by: Mathy Vanhoef
Date: Thursday July 27, 2017
Time: 15:50 - 16:40
Location: Lagoon ABCGHI

Encrypted Wi-Fi networks are increasingly popular. This is highlighted by new standards such as Hotspot 2.0 and Opportunistic Wireless Encryption. Hotspot 2.0 streamlines network discovery and selection, creating an authenticated roaming experience matching that of cellular phones. On the other hand, Opportunistic Wireless Encryption introduces unauthenticated encryption for Wi-Fi networks. However, these advancements are meaningless if there are implementation flaws in the cryptographic 4-way Wi-Fi handshake that negotiates the fresh session keys. In this talk we show how to detect and abuse logical flaws in implementations of this handshake.

Our goal is not to detect common programming errors such as buffer overflows or double frees, but to detect logical vulnerabilities. An example of a logical vulnerability is that some message(s) in a handshake can be skipped, causing it to use or negotiate an uninitialized (all-zero) cryptographic key. Clearly such vulnerabilities void all security guarantees. To detect these types of logical vulnerabilities, we first build a model of the Wi-Fi handshake that describes the expected behavior of an implementation. We then automatically generate invalid executions of the handshake, and check whether an implementation correctly reacts to these invalid executions.
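The model-based approach described above can be sketched as follows. This is an added example, not code from the talk or the WiFuzz tool: the state names, the `ToyAP` class and its planted flaw are constructed for illustration, and only the two client-sent handshake messages are modelled.

```python
from itertools import product

CLIENT_MSGS = ("msg2", "msg4")      # handshake frames the client sends
TERMINAL = ("DONE", "REJECTED")
ZERO_KEY = bytes(16)                # key value before any derivation
# Model of the AP side: only msg2 followed by msg4 completes the handshake.
MODEL = {("WAIT_MSG2", "msg2"): "WAIT_MSG4", ("WAIT_MSG4", "msg4"): "DONE"}

def model_final_state(trace):
    """State the model expects after the client has sent every frame in trace."""
    state = "WAIT_MSG2"
    for msg in trace:
        if state not in TERMINAL:
            state = MODEL.get((state, msg), "REJECTED")
    return state

class ToyAP:
    """Constructed stand-in for an AP; enforce_order=False plants the flaw."""
    def __init__(self, enforce_order):
        self.enforce_order = enforce_order
        self.state, self.ptk = "WAIT_MSG2", ZERO_KEY

    def receive(self, msg):
        if self.state in TERMINAL:
            return
        if msg == "msg2" and self.state == "WAIT_MSG2":
            self.ptk = b"\x11" * 16              # stands in for key derivation
            self.state = "WAIT_MSG4"
        elif msg == "msg4" and (self.state == "WAIT_MSG4" or not self.enforce_order):
            self.state = "DONE"                  # flaw: msg2 may have been skipped
        else:
            self.state = "REJECTED"

def find_deviations(make_ap, max_len=3):
    """Replay every client trace up to max_len and compare against the model."""
    findings = []
    for n in range(1, max_len + 1):
        for trace in product(CLIENT_MSGS, repeat=n):
            ap = make_ap()
            for msg in trace:
                ap.receive(msg)
            if ap.state != model_final_state(trace):
                zero = ap.state == "DONE" and ap.ptk == ZERO_KEY
                findings.append((trace, ap.state, zero))
    return findings

if __name__ == "__main__":
    for trace, state, zero in find_deviations(lambda: ToyAP(enforce_order=False)):
        print(trace, "->", state, "(all-zero key)" if zero else "")
```

Every deviation reported for the flawed variant starts with a skipped `msg2` and ends with the handshake completed on the all-zero key, which is the class of logical flaw the abstract describes.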

We tested 12 Wi-Fi access points, and found irregularities in all of them. These consist of authentication bypasses, fingerprinting techniques, downgrade attacks, denial-of-service (DoS) attacks, and so on. Most prominently, we discovered two critical vulnerabilities in OpenBSD. The first can be abused as a DoS against the AP, and the second can be exploited to perform a man-in-the-middle attack against WPA1 and WPA2 clients. We also discovered downgrade attacks against MediaTek and Broadcom that force usage of TKIP and RC4. Additionally, we discovered a targeted DoS against Windows 7. We also found other irregularities in Aerohive, Apple, Cisco, Hostapd, and Windows 10.

Mathy Vanhoef

Mathy Vanhoef is a postdoctoral researcher at KU Leuven, where he currently performs research on automatically discovering logical vulnerabilities in network protocol implementations. Previously he performed research on stream ciphers, and discovered a new attack on RC4 that made it possible to exploit RC4 as used in TLS in practice (the RC4 NOMORE attack). He also focuses on wireless security, where he turns commodity Wi-Fi cards into state-of-the-art jammers, defeats MAC address randomization, and breaks protocols like WPA-TKIP. He also did research on information flow security to ensure cookies don't fall into the hands of malicious individuals. Apart from research, he knows a thing or two about low-level security, reverse engineering, and binary exploitation. He regularly participates in CTFs with KU Leuven's Hacknamstyle CTF team.

