Security Flaw in Wireless Standard

Tuesday, July 7, 2015 @ 01:07 PM gHale

There is absolutely no doubt wireless is continuing its huge growth curve throughout the industry, but the question of security always is one of the first areas end users ask about.

Now that should be an area of deeper questioning because of a vulnerability in the 802.11n wireless networking standard.


The 802.11n standard raises the speed of wireless networks, improves their reliability and security, and extends the range of wireless transmissions. It also introduces a frame aggregation mechanism at the media access control (MAC) layer that increases throughput by sending two or more data frames in a single transmission, each frame preceded by a short delimiter that tells the receiver where the frame starts and how long it is.

The catch is that the frame aggregation mechanism in 802.11n suffers from a vulnerability attackers can exploit with a Packet-In-Packet (PIP) technique to inject arbitrary frames into wireless networks, said Pieter Robyns, Peter Quax and Wim Lamotte, researchers from the Expertise Centre for Digital Media at Hasselt University in Belgium. This allows an attacker to interact with services on the internal network.

“We will show how the frame aggregation algorithm provided by the 802.11n standard introduces a remote arbitrary frame injection vulnerability on MAC hardware that implements this algorithm,” the authors said in their paper.

These PIP attacks work against almost any modern Wi-Fi chipset as long as the target is connected to an open (unencrypted) network, the researchers said. They also pointed out the attack can be launched without being in proximity of the targeted wireless network and without a wireless interface card, because the attacker only needs to get chosen bytes delivered to the victim over that network.

An attacker can use PIP to inject malicious beacon frames, perform host and port scans, bypass firewall rules, and conduct Address Resolution Protocol (ARP) spoofing. In some cases, the attacker needs to know the MAC address of the targeted access point, researchers said.

On the defensive side, there are methods security professionals can use to mitigate injection attacks. The list includes the use of MAC layer encryption (which stops the attacker from placing chosen bytes on the air), disabling Aggregated MAC Protocol Data Unit (A-MPDU) frame aggregation, configuring receivers to drop corrupted A-MPDUs rather than scanning ahead for the next valid delimiter, the use of Language-theoretic security (LangSec) stacks, modulation switching, and the use of deep packet inspection.
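To make both the aggregation mechanism described above and the "drop corrupted A-MPDUs" mitigation concrete, here is an added Python simulation of an A-MPDU deaggregator. It is not code from the article or from the Hasselt researchers' proof of concept. It assumes a simplified delimiter byte layout (12-bit length, CRC-8 over the length bytes, 0x4E signature; the CRC parameters are assumed to match the standard but any CRC would do for the demonstration) and the standard receiver behaviour of searching ahead four octets at a time after an invalid delimiter. The frames and the single bit error are constructed.

```python
# Added illustration of A-MPDU delimiter resynchronisation and packet-in-packet
# injection. Constructed data; not the researchers' proof of concept.

DELIM_SIG = 0x4E  # MPDU delimiter signature byte ('N')


def crc8(data: bytes) -> int:
    """CRC-8 with polynomial x^8+x^2+x+1, all-ones init and inverted output.
    Assumed to match the 802.11 MPDU delimiter CRC; any CRC works for the demo."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def delimiter(mpdu_len: int) -> bytes:
    """4-byte MPDU delimiter: 4 reserved bits + 12-bit length, CRC-8, signature.
    The byte order here is a simplification of the on-air bit layout."""
    assert 0 <= mpdu_len < 4096
    length_bytes = bytes([(mpdu_len >> 8) & 0x0F, mpdu_len & 0xFF])
    return length_bytes + bytes([crc8(length_bytes), DELIM_SIG])


def aggregate(mpdus) -> bytes:
    """Build an A-MPDU: each MPDU is preceded by a delimiter and padded to 4 bytes."""
    out = bytearray()
    for m in mpdus:
        out += delimiter(len(m)) + m + b"\x00" * (-len(m) % 4)
    return bytes(out)


def deaggregate(buf: bytes, resync: bool = True):
    """Split an A-MPDU into MPDUs.

    resync=True mimics the standard: after an invalid delimiter the receiver
    searches ahead four octets at a time for the next valid one.
    resync=False is the 'drop corrupted A-MPDUs' mitigation from the article.
    """
    frames = []
    i = 0
    while i + 4 <= len(buf):
        d = buf[i:i + 4]
        length = ((d[0] & 0x0F) << 8) | d[1]
        valid = (d[3] == DELIM_SIG and d[2] == crc8(d[:2])
                 and i + 4 + length <= len(buf))
        if valid:
            frames.append(buf[i + 4:i + 4 + length])
            i += 4 + length + (-length % 4)
        elif resync:
            i += 4          # keep scanning: this is what PIP abuses
        else:
            break           # mitigation: discard the rest of the A-MPDU
    return frames


# Constructed frames. The outer MPDU is a legitimate data frame whose payload
# is attacker-controlled (e.g. fetched from the attacker's web server, which is
# why no wireless card or proximity is needed). The payload carries a fake
# delimiter followed by the frame the attacker wants the receiver to see.
INJECTED = b"INJECTED FRAME"      # stand-in for e.g. a beacon or ARP frame
OUTER_HEADER = bytes(24)          # stand-in for an 802.11 data header (4-byte aligned)
OUTER_MPDU = OUTER_HEADER + delimiter(len(INJECTED)) + INJECTED


def pip_demo(corrupt: bool, resync: bool = True):
    """Return what the receiver hands up after one A-MPDU carrying OUTER_MPDU.

    corrupt=True flips one bit in the real delimiter, standing in for the
    channel noise the attack relies on.
    """
    over_the_air = bytearray(aggregate([OUTER_MPDU]))
    if corrupt:
        over_the_air[2] ^= 0x80   # damage the real delimiter's CRC byte
    return deaggregate(bytes(over_the_air), resync=resync)


if __name__ == "__main__":
    print("clean:           ", pip_demo(corrupt=False))
    print("noisy, resync:   ", pip_demo(corrupt=True))
    print("noisy, no resync:", pip_demo(corrupt=True, resync=False))
```

With an intact delimiter the receiver sees one frame, the outer one, and the injected bytes remain inert payload. Once the real delimiter is damaged, the scan-ahead logic lands on the attacker's delimiter and hands up the injected frame as if it had been sent by the access point. Because the scan moves four octets at a time, a real attacker has to get the fake delimiter onto a 4-byte boundary (repeating it at several offsets is one way to hedge) and has to keep sending until noise corrupts a delimiter for them. The `resync=False` branch shows why dropping corrupted A-MPDUs closes the hole, and MAC-layer encryption closes it differently: the attacker can no longer choose the bytes that appear on the air.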

A proof-of-concept (PoC) implementation of this attack and the complete research paper are available online.