Channel switch and quiet attack: New DoS attacks exploiting the 802.11 standard

Network communication over the unprotected air interface poses unique challenges for ensuring confidentiality, integrity and availability. While newer amendments of IEEE 802.11 provide acceptable confidentiality and integrity, availability is still questionable despite the broad use of Wi-Fi technologies for tasks where availability is critical. We present new security weaknesses that we have identified in the 802.11 standard, and especially in the 802.11h amendment. Our results are supported by an extensive analysis of attacks that target the quiet information element and the channel switch announcement in management frames. For some stations, a complete DoS effect lasting more than one minute can be achieved with a single packet. This shows that the newly identified attacks are more efficient than earlier approaches such as the deauthentication attack. Tests were performed with a large variety of network interface cards, mobile devices, and operating systems.
