Advanced Wi-Fi attacks using commodity hardware

  title={Advanced Wi-Fi attacks using commodity hardware},
  author={M. Vanhoef and Frank Piessens},
  journal={Proceedings of the 30th Annual Computer Security Applications Conference},
  • Published 8 December 2014
  • Computer Science
We show that low-layer attacks against Wi-Fi can be implemented using user-modifiable firmware. Hence cheap off-the-shelf Wi-Fi dongles can be used to carry out advanced attacks. We demonstrate this by implementing five low-layer attacks using open source Atheros firmware. The first attack consists of unfair channel usage, giving the user a higher throughput while reducing that of others. The second attack defeats countermeasures designed to prevent unfair channel usage. The third attack performs…


Exploiting Race Condition for Wi-Fi Denial of Service Attacks
Three attacks on Wi-Fi availability are presented that adopt the evil twin scheme and exploit a race condition-based vulnerability; countermeasures are proposed to fix the exploited vulnerability and mitigate the attacks.
Operating Channel Validation: Preventing Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks
An extension to the 802.11 standard is presented that authenticates the parameters defining the currently in-use channel, to prevent multi-channel man-in-the-middle attacks, together with a method to securely verify dynamic channel switches that may occur while already connected to a network.
Denial of Service Attacks Against the 4-Way Wi-Fi Handshake
This work finds that, in practice, many implementations of the 4-way Wi-Fi handshake are vulnerable to denial-of-service attacks, and proposes countermeasures against three new attacks.
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing
We use model-based testing techniques to detect logical vulnerabilities in implementations of the Wi-Fi handshake. This reveals new fingerprinting techniques, multiple downgrade attacks, and Denial
Characterizing Wi-Fi Man-In-the-Middle Attacks
This research work aims to develop detection techniques for man-in-the-middle attacks against Wi-Fi networks by analyzing electromagnetic activity at the physical layer of the OSI model and identifying combinations or sequences of signals that can indicate the presence of such attacks.
Scan-Based Self Anomaly Detection: Client-Side Mitigation of Channel-Based Man-in-the-Middle Attacks Against Wi-Fi
This paper proposes scan-based self anomaly detection (SSAD), a client-side solution that detects and mitigates channel-based man-in-the-middle attacks using access point (AP) scans, implements it in open source Wi-Fi client software, and evaluates its effectiveness.
Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks: A State of the Art Review
The capabilities of Multi-Channel MitM are evaluated and every reported attack in the state of the art is reviewed, including cipher downgrades, denial of service, key reinstallation attacks, and, most recently, the 2021 FragAttacks.
Key Reinstallation Attacks: Breaking the WPA2 Protocol
The 4-way handshake is shown to be vulnerable to key reinstallation attacks, and it is shown that the PeerKey, group key, and Fast BSS Transition (FT) handshake are broken.
Truncate after preamble: PHY-based starvation attacks on IoT networks
It is shown that an attacker can cause over 90% packet loss on a Zigbee or Wi-Fi channel, using respectively six or five orders of magnitude less energy than a constant jammer would.
Bad-token: denial of service attacks on WPA3
This work describes a vulnerability discovered in the WPA3 authentication protocol, named bad-token, that an attacker can exploit in a race condition to cause a denial of service to Wi-Fi clients, and proposes countermeasures to mitigate it.

A Practical, Targeted, and Stealthy Attack Against WPA Enterprise Authentication
This paper presents a novel, highly practical, and targeted variant of a wireless evil twin attack against WPA Enterprise networks, and shows significant design deficiencies in wireless management user interfaces for commodity operating systems, and highlights the practical importance of the weak binding between wireless network SSIDs and authentication server certificates.
Cryptanalysis for RC4 and Breaking WEP/WPA-TKIP
This paper presents a different interpretation of the TeAM-OK attack against WEP and its relation to other attacks, and presents an attack against WPA-TKIP that is executable in a realistic environment.
Practical verification of WPA-TKIP vulnerabilities
Three attacks on the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP) are described; it is demonstrated how fragmentation of 802.11 frames can be used to inject an arbitrary number of packets, and how the internal state of the Michael algorithm can be reset.
Falsification Attacks against WPA-TKIP in a Realistic Environment
Two new falsification attacks against Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP) are proposed, one of which reduces the execution time for recovering a MIC key, while the other expands the range of targets that can be attacked.
Carving secure wi-fi zones with defensive jamming
A novel approach is proposed that forges a walled wireless coverage area, in particular a secure Wi-Fi zone, inspired by the fact that jamming as an attack is inherently difficult to defeat.
Practical attacks against WEP and WPA
An improved key recovery attack on WEP is presented, which reduces the average number of packets an attacker has to intercept to recover the secret key.
A Practical Message Falsification Attack on WPA
This paper applies the Beck-Tews attack to the man-in-the-middle attack, and gives methods for reducing the execution time of the attack.
802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
This paper provides an experimental analysis of 802.11-specific attacks: their practicality, their efficacy, and potential low-overhead implementation changes to mitigate the underlying vulnerabilities.
The feasibility of launching and detecting jamming attacks in wireless networks
This paper proposes four different jamming attack models that an adversary can use to disable the operation of a wireless network, and evaluates their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets.
Gaining insight on friendly jamming in a real-world IEEE 802.11 network
This work implements a reactive and frame-selective jammer on a consumer-grade IEEE 802.11 access point, observes an effect that aggravates the known hidden station problem as the number of jammers increases, and finds evidence that this effect can be alleviated by collaboration between jammers, which enables effective and minimally invasive friendly jamming.