So I welcome you all to this presentation. My name is Sohail Ahmed. I'm a security researcher at AirTight Networks. I'm going to talk about autoimmunity disorder in wireless LANs. Before that I would like to make a polite request to hold your questions and queries for the Q&A session. I'll ensure that this presentation will be full of fun and information.

So many of you might know about autoimmunity. This is a quite popular term in medical science. This is a disease that exists in biological systems, say human bodies. In the next couple of minutes you will witness how the current generation of wireless networks, or so-called self-defending networks, got infected by this disease.

So I'm starting my presentation with a simple comparison between biological systems and wireless LAN systems. In a biological system there exists an immune system. The purpose of the immune system is to defend against attacks from viruses, germs or foreign bodies. In the same way, in wireless LAN systems the purpose of the WLAN software or security software is to defend against attacks from intruders or hackers. So here the job of the immune system is to keep foreign bodies away from healthy bodies. In the same way, the job of the WLAN software is to keep unauthorized users or hackers away from authorized networks. When the immune system mistakenly attacks and destroys healthy body cells or tissues, this condition is known as autoimmunity disorder. What we have discovered is that a similar condition also exists in wireless LANs, where the access point mistakenly attacks and kills legitimate client connections.

So I'll put up a few slides which will explain, or help you understand, when and how the autoimmunity disorder occurs in wireless LAN systems. But before that, I would like to talk about the most popular attack in wireless LAN systems, called the denial of service attack. As we all know, it's very easy to launch a denial of service attack.
You just send a deauthentication or disassociation frame on behalf of the client to the access point, or from the access point to the client, and that's it, the connection breaks. So what's new here? The new thing that we would like to introduce here is called self-DoS. In self-DoS, the attacker simply injects one stimulus into the network and the network launches a DoS attack against its own authorized clients. This is called self-DoS. And these stimuli are nothing but malformed packets which turn the access point into a connection-killing device.

So to understand self-DoS in a much better way, here is one example. Let's assume that a client is actually connected to an access point and doing some data transfer. When the client sends a data packet to the access point, it keeps its own identity in that packet, in the source MAC address. Now let's assume that an attacker sends a data packet to the access point without associating with that access point. What will happen? What will the access point do? It will send a response message saying that you are not authorized to send data, go away. And this message is nothing but a deauthentication notification frame. Now the attacker is going to play a trick here. He's not going to put his own identity, but puts a broadcast MAC address. Now what will happen? The message which the access point sent earlier to the attacker will now be destined to the broadcast address and will reach all associated clients. And as soon as a client receives this message, it finds that the access point is saying that you are not authorized to send data packets, so go away. All associated clients immediately disconnect from that network.

So in this example, what exactly happened? The attacker simply injected one packet and was able to kill all the connections. The same attack can also be launched using a multicast MAC address. We tested this particular attack against these access points. What did we find? D-Link, Buffalo and the open source MadWifi driver are actually vulnerable to this attack.
So are you thinking that this attack is just because of some coding bug present in the access point? The answer is yes, you're right. Due to an improper sanity check present in the access point, we are able to trigger a self-DoS kind of condition in these access points. So are we saying that self-DoS depends only on some bug present in the access point software? The answer is no. Let's take another example. A client is associated with an access point and doing data transfer. An attacker at that point injects one request packet, spoofing the identity of the client and keeping invalid attributes in that packet. When that packet is received by the access point, it finds that a client which was already associated is sending a fresh request packet with invalid attributes, attributes which do not match the attributes of the network or access point. So the access point sends a response message saying that I'm going to tear down this association because the attributes are not matching, and the connection breaks. So in this example again, what exactly happened? A client connection was disconnected; the attacker simply injected one packet and was able to break the connection.

Now an interesting question comes to mind: why does the access point send such a response message, why does it break or delete the existing connection? If we look at this response message, we'll find a special field called reason codes or status codes present in these packets. Let's take a look at these reason codes. There are several reason codes or status codes mentioned in the standard. For example, let's say reason code 21. It says: unsupported RSN information element version or element capabilities. So if the access point software is implementing these reason codes in its state machine or packet processing logic, whenever it receives an invalid RSN information element on behalf of a client, it is going to send a deauthentication packet to that client.
And there are several reason codes mentioned. If you go through these reason codes or status codes, you'll actually be able to simulate these stimulus packets very easily. You just go through these reason codes, see what they are saying and craft your packet accordingly. For example, take status code 18 here. It says: association denied due to the requesting station not supporting all of the data rates. So what you have to do is just send a request packet keeping invalid rates in that packet, and that will be processed by the access point software, and it will send a response message with failure, or sometimes it will send a deauthentication message, and this message will actually reach the client, because in the current implementation of access point software, WLAN device software, there is no logic implemented to actually differentiate between a spoofed frame and a legitimate or genuine frame. So that's how you are going to inject a stimulus into the network. And the beauty here is that there are several reason codes and several status codes mentioned in the standard. So you have so many packets which can actually trigger self-DoS in the network.

And here is a new member of this family: 802.11w, the latest standard, has introduced one more reason code saying robust management frame policy violation. So what you have to do is just send a packet which violates the robust management frame policy of that network, and the network will send a deauthentication message with this particular reason code, if the access point is actually implementing these reason codes in the software. So it's very easy to actually inject different stimuli into the network. When we tested these particular attribute-based attacks against these access points, what we found is that all of these access points are actually vulnerable to self-DoS. Now the question that came to our mind is: what about Cisco MFP?
Is Cisco MFP also vulnerable to self-DoS? Let's try to understand it. Here is one example in which an MFP client is associated with an MFP access point. Now the attacker is going to send one association request packet, and it is a genuine request packet; no attribute present in this packet is wrong or invalid. When the access point receives the request packet, it finds that a client which was already associated is sending a fresh connection establishment packet. So what should it do now? It can either ignore that packet or honor that packet. The access point cannot ignore this packet, because it is also possible that the client got rebooted and is trying to establish a fresh connection. So it has to honor that packet. As soon as the access point honors this packet, it deletes all the old state information about the old connection. It deletes the key. And it sends a response message to the client. The client, which is not aware of the change in the state machine of the access point, simply ignores the unsolicited response message and keeps on sending data packets. The access point, which is actually expecting a key establishment after seeing the connection request packet, sees that the client is sending encrypted data packets. The access point has no key to decrypt those packets; it is expecting a fresh key establishment. So it sends a deauthentication message to the client, which is an unprotected message, because the access point does not have any key at this time to protect this deauthentication message. So it sends an open deauthentication, which is ignored by the MFP client. The MFP client keeps on sending data. The access point keeps on sending open deauthentication messages to the client. Actual communication between client and access point stops. And both client and access point have entered a deadlock kind of situation.
So if you notice, in the earlier DoS you needed to inject several packets to break the connection and keep a sustained disconnection between client and access point. The MFP protocol was actually aiming to solve this DoS problem. Actually it ended up making this situation even worse. Now you need to send just one packet and the client and access point communication is broken. They cannot communicate any further now.

Let's take another example in which the attacker is trying to victimize the MFP client. So it sends an association response message with a failure status code present in it. The client honors that message and tears down the association. So when it receives this message, it sends a protected deauthentication message to the access point. Since this message is protected, it is honored by the access point as well, and it also deletes its state. So in this example we have seen that the attacker was actually able to break MFP connections, or protected connections.

So these problems that we are seeing here are not a new problem. Actually, this was noticed when people implemented a higher level authentication in the protocol, 802.11i, and even the 802.11w working group is aware of these kinds of design level problems, and even the latest draft contains one solution for this particular problem. But the unfortunate thing is that even though the standard is not ratified, vendors are packaging this stuff into a proprietary protocol, ignoring these design level issues, and claiming a false security, which is not true.

So here are the key points of this presentation. New avenues for launching DoS attacks are possible. The majority of the vulnerabilities reported here are implementation dependent and were found to exist in select open source access point or commercial access point software. Even with MFP or 802.11w, DoS vulnerabilities could not be completely eliminated. Even the currently available MFP implementation was also found vulnerable. So it's time to demonstrate something.
So I have a video demo here: a client on the left hand side, and a packet analyzer which is showing data packets, association requests, and deauthentication packets. DoS packets will appear in red, and association request packets will appear in green. On the right hand side, the black screen shows the client is doing ping traffic. Let's try to see if MFP works against open deauthentication DoS attacks or not. So we send open deauthentication messages and see what happens. See, in red, the deauthentication messages are coming up, and the ping traffic is still going on. So MFP is actually working. Now let's send an association request packet. You can see, in green, the association request packet is coming up, and the ping traffic stopped: DoS at the access point. The client is still sending data packets. On the left hand side, you can see the client is still sending data packets because it's not aware of the change in the state machine of the access point. The access point is sending deauthentication packets, which appear in red. But actual communication is not happening. The communication is broken. So the claim that people are making about Cisco MFP, that it's not possible to launch a DoS attack, that it's not possible to have a man-in-the-middle attack or an offline dictionary attack, is not true. So the bottom line of this talk is that DoS attacks are here to stay. That's it. That's all, folks. I have kept a few stimuli that can trigger self-DoS in wireless networks here in my presentation. So if you're interested, you can go through these stimuli and you can craft your own stimuli that can trigger self-DoS. I have explained the logic. Thank you.

In the case of MFP, for several seconds, I mean it depends on the upper layer. If it takes some action, it detects that some packets are getting lost, the communication is not taking place, then it takes some action. So we can say several seconds.
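The broadcast-source stimulus and the broadcast deauthentication it provokes, as an added defender-side example that is not part of the talk: a minimal 802.11 header parser, the access-point sanity check the talk says vulnerable access points lack (drop any frame whose transmitter address is a group address instead of answering it), and a monitoring rule that flags deauthentication or disassociation frames addressed to a group address. The frames, MAC addresses and reason code value used here are constructed for the example.

```python
import struct

DEAUTH, DISASSOC = 12, 10   # 802.11 management frame subtypes
GROUP_BIT = 0x01            # I/G bit in the first octet of a MAC address

def is_group(mac: bytes) -> bool:
    """True for broadcast and multicast (group) addresses."""
    return bool(mac[0] & GROUP_BIT)

def build_frame(ftype, subtype, flags, a1, a2, a3, body=b""):
    """Assemble a minimal 802.11 MAC header (FC, duration, addr1-3, seq ctrl) plus body."""
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

def parse_frame(frame: bytes) -> dict:
    """Decode type, subtype, the three addresses and (for deauth/disassoc) the reason code."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "addr1": frame[4:10],    # receiver address
            "addr2": frame[10:16],   # transmitter address
            "addr3": frame[16:22]}
    if info["type"] == 0 and info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def ap_accepts(frame: bytes) -> bool:
    """AP-side sanity check: a frame whose transmitter (addr2) is a group address cannot
    come from a real station, so it is dropped silently instead of being answered with a
    deauthentication that would itself be addressed to every associated client."""
    return not is_group(parse_frame(frame)["addr2"])

def wids_alerts(frames) -> list:
    """Monitor-side rule: deauth/disassoc frames whose receiver (addr1) is a group address."""
    hits = []
    for idx, raw in enumerate(frames):
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] in (DEAUTH, DISASSOC) and is_group(f["addr1"]):
            hits.append((idx, f["subtype"], f.get("reason")))
    return hits

# Constructed sample traffic (not a real capture); addresses are made up.
AP, STA, BCAST = bytes.fromhex("02aabbcc0001"), bytes.fromhex("021122334455"), b"\xff" * 6
LEGIT_DATA = build_frame(2, 0, 0x01, AP, STA, AP)   # ToDS data frame from the client
STIMULUS = build_frame(2, 0, 0x01, AP, BCAST, AP)   # data frame with broadcast source
# What a vulnerable AP emits in reply: a deauth to ff:ff:ff:ff:ff:ff with reason code 7
# (class 3 frame received from a nonassociated station), which every client honors.
SELF_DOS = build_frame(0, DEAUTH, 0, BCAST, AP, AP, struct.pack("<H", 7))

if __name__ == "__main__":
    print("AP accepts legit:", ap_accepts(LEGIT_DATA), "accepts stimulus:", ap_accepts(STIMULUS))
    print("WIDS alerts:", wids_alerts([LEGIT_DATA, STIMULUS, SELF_DOS]))
```

The same `is_group` check on the receiver address is what a client-side or sensor-side rule keys on, since a legitimate deauthentication is always unicast to one station.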