MIT Researchers Defend Against Wireless Attacks

← Back to Stories (view on slashdot.org)

MIT Researchers Defend Against Wireless Attacks

Posted by timothy on Thursday August 25, 2011 @11:20AM from the just-kill-anyone-in-any-sort-of-middle dept.

alphadogg writes "MIT researchers have devised a protocol to flummox man-in-the-middle attacks against wireless networks. The all-software solution lets wireless radios automatically pair without the use of passwords and without relying on out-of-band techniques such as infrared or video channels. Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas."

48 of 65 comments (clear)

Min score:

Reason:

Sort:

Nope by sexconker · 2011-08-25 11:23 · Score: 3, Insightful

Anything a legit user can do a MITM can do better.
This "all-software" solution is either bullshit, or relies on pre-shared keys (be they specific keys or hardware-derived).
Without keys / hardware, there is absolutely nothing a legit user can send out that a MITM can't.
1. Re:Nope by sexconker · 2011-08-25 11:33 · Score: 1
  
  ...and after reading... yup.
  All they've done is create a shouting match that is still vulnerable to race conditions, which, in the wireless world, is all MITM is about once you're authenticated with the other host or the AP.
  Prior to authentication, any MITM can cause a denial of service by just blarting out their own bullshit in the same fashion, so the victim won't know which one to trust.
  The only protection comes from tight timing windows, and who's louder. And in the wireless world, you can be a MITM without actually being in the middle.
2. Re:Nope by c0lo · 2011-08-25 19:10 · Score: 1
  
  Anything a legit user can do a MITM can do better.
  This "all-software" solution is either bullshit, or relies on pre-shared keys (be they specific keys or hardware-derived). Without keys / hardware, there is absolutely nothing a legit user can send out that a MITM can't.
  Connecting to multiple networks in the same time, launching the same request and comparing the content of the received answers?
  In the context of WiFI, unless you are surrounded by the MITM (in which case the appropriate term should be "Man All Over You"), you are bound to detect some tampering.
  
  --
  Questions raise, answers kill. Raise questions to stay alive.
3. Re:Nope by ArsenneLupin · 2011-08-25 20:41 · Score: 3, Informative
  
  The only protection comes from tight timing windows, and who's louder.
  ... and that's where TEP kicks in: it depends on the ability to use periods of silence to communicate. The MITM cannot drown out the router's "energy" packets by silence.
4. Re:Nope by maxwell+demon · 2011-08-26 00:10 · Score: 1
  
  The MITM cannot drown out the router's "energy" packets by silence.
  Destructive interference?
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
5. Re:Nope by AJH16 · 2011-08-26 01:30 · Score: 1
  
  Right, but you can make it so that the client can see two messages that it should only see once and teach it not to trust them in that case. As mentioned in the summary, it says it can detect MItM and possibly prevent it. In most cases it would simply detect and not use. Personally, I'd be curious to see what asymetric cryptography could do to protect against MItM.
  
  --
  AJ Henderson
6. Re:Nope by Chuckstar · 2011-08-26 05:52 · Score: 1
  
  Not possible. Even for sound they can only get destructive interference to reduce apparent volume, not create silence. And that's with waves travelling a fraction of the speed of light (i.e. the waves travel pretty slowly compared to the time it takes to process the sound, calculate the inverse and send impulses to the speaker). You could interfere with a radio signal enough to make it unintelligible. Impossible to make it disappear altogether.
7. Re:Nope by sexconker · 2011-08-26 07:41 · Score: 1
  
  All MITM attacks then become DoS attacks.
  The user will just disable the extra security to get it to work.
  Alternatively, users will feel more secure when they hear only one (pair) of messages. But if it's a situation where a MITM is in range of the AP, and the victim is not, the victim is feeling more secure only because they don't hear the AP shouting, and they walk right into the MITM's trap.
  Preshared keys are the only way.
8. Re:Nope by sexconker · 2011-08-26 07:45 · Score: 1
  
  Victim --- MITM --- AP
  The MITM just sits at the edge of the AP's range and poses as the AP. Any victims in range of the MITM and NOT in the range of the AP will get fucked because they won't hear the AP screaming it's noise pattern, and they will trust the fact that they hear only ONE noise pattern as an indication that the scheme is working.
  Furthermore, a MITM can:
  - Use a triangulation scheme to only attack when the user is estimated to be outside of the AP's range (thus going unnoticed).
  - Use directional antennae to extend his own range, and thus his victim pool.
  - Use directional antennae to prevent the legitimate AP from hearing his attacks (thus going unnoticed).
9. Re:Nope by sexconker · 2011-08-26 07:47 · Score: 1
  
  The MITM doesn't have to surround you, he just has to prevent you from hearing the legit AP, the easiest way is to sit at the edge of the AP's range and then pose as the AP. People in the MITM's range, but outside the AP's range, will never hear the AP or it's tamper-evident screaming.
  People in range of both will see both and will be DoSd hard.
10. Re:Nope by marcosdumay · 2011-08-26 09:28 · Score: 1
  
  - Scream (DoS) all over the frequencies the real AP is talking, so that the victim will choose another channel.
  
  --
  Rethinking email
11. Re:Nope by marcosdumay · 2011-08-26 09:31 · Score: 1
  
  "Personally, I'd be curious to see what asymetric cryptography could do to protect against MItM."
  
  Assymetric cryptography not only can prevent a MITM, it is the normally preferred and accepted way.
  
  --
  Rethinking email
12. Re:Nope by maxwell+demon · 2011-08-26 19:36 · Score: 1
  
  Not possible. Even for sound they can only get destructive interference to reduce apparent volume, not create silence.
  You will never have absolute silence on any frequency. Any device which relied on absolute silence would inevitably fail. Therefore the question is not whether you can completely remove the signal, but only whether you can reduce it enough that it will be considered noise by the receiving device.
  It's obvious that a digital circuit won't be fast enough to significantly reduce the signal strength. However I have no idea how fast analog electronics may be (after all, reversing a wave form isn't that complicated; A receiving antenna, a simple amplifier and a sending antenna with opposite polarity should suffice, probably two such devices to cover both polarizations), therefore I don't know if it would be fast enough to give a significant reduction (the fact that you have GHz frequencies certainly gives very hard constraints).
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
13. Re:Nope by AJH16 · 2011-08-27 03:51 · Score: 1
  
  Saying that a user disabling security makes it ineffective isn't really a fair critique of a technology as the same is true of any security.
  As for the range issue, it is possible to overcome this outside of an extremely powerful attacker AP by encoding the response in such a way that it will be able to ecc at a substantially longer range than most wifi data transmissions. I'm not saying that this technique necessarily does it, but it could be done to greatly increase the additional range that a MiTM would need to have. The other issue it doesn't address though is true rogue APs that are free standing and claim to be part of a network that is not located near by, but that people will connect to anyway.
  That all said, the ideal is probably something that involves getting a CA for hotspots that can give an authenticated handshake, but we don't have the infrastructure for that set up yet.
  
  --
  AJ Henderson
Tamper Evident by bazald · 2011-08-25 11:28 · Score: 1

Maybe on a wired connection you'd be right. I'm inclined to think that wireless, doing something to detect tampering could be possible. You probably wouldn't be able to guarantee that you can create a connection at all, but it might be an improvement for some to be able to connect only if tampering can be ruled out with some probability.

--
Insert self-referential sig here.
1. Re:Tamper Evident by sexconker · 2011-08-25 11:38 · Score: 4, Informative
  
  If you RTFA you'd know their scheme works like this:
  Client says "Hey, let's connect and be secure.".
  Router says "Hey, let's connect and be secure using this key.".
  Router yells "BEEP .... BEEP BOOP BOOP BEEP .... BEEP BEEP!".
  Client says "That pointless noise lined up exactly with the 1s in the message about the key. And the little pauses of silence lined up with the 0s. I should trust it.".
  This does nothing.
  A MITM will be able to construct his own lie message about using his key instead, as well as be able to construct his own noise pattern.
  All a client can see is "Hey, there are TWO packets telling me which keys to use!".
  Exactly the same as current implementations that don't rely on pre-shared keys or out-of-band authentication.
2. Re:Tamper Evident by Lumpy · 2011-08-25 12:15 · Score: 3, Interesting
  
  A proper and real diversity system can detect the angle of the radio to the receiver. A properly designed setup with 4 antennas can give a 0-360 degree direction of the radio it is contacting and a crude distance. this added information and watching radio traffic in the spectrum. I.E see a packet transmitted from radio 3 to radio 4 and then the same packet is transmitted to the base, flag it as mitm and contact radio 3 directly.
  It would make a $299 AP cost about $3400 but it could be effective.
  
  --
  Do not look at laser with remaining good eye.
3. Re:Tamper Evident by LordLimecat · 2011-08-25 12:18 · Score: 3, Funny
  
  Yes, well, everyone knows TEP is insecure and hackable. Im waiting until TPA2 comes out, thats where the real security is.
4. Re:Tamper Evident by RobbieThe1st · 2011-08-25 12:54 · Score: 1
  
  Well, don't you have the solution there?
  Client sees two packets telling which keys to use = "error, someone's attempting to MITM me!, and either retry or give up.
5. Re:Tamper Evident by TBBle · 2011-08-25 16:21 · Score: 1
  
  The point is that you can't make a second overlapping noise pattern without changing the first. You can't yell anything that turns an existing yell into silence.
  You're bitwise-anding all the yelling together, and only if that validates the key you got, do you trust it.
  So MITM can't yell while the router's yelling unless its hash starts the way the router's ends (and it knows this in time and starts yelling at the right time) or the client will see a bad hash, tear down and try again.
  And if the MITM yells _after_ the router, then it's too late, the client has already gotten a key with a valid hash yelled with it, and is secure.
  And if the MITM tries to drown out the yelling (or the key) from the router, the client can see this unusually long yell, and know that a key was being sent at the time, and will tear down and try again.
  This was on page 2 of the article...
  
  --
  Paul "TBBle" Hampson
  Paul.Hampson@Pobox.Com
6. Re:Tamper Evident by sexconker · 2011-08-26 07:51 · Score: 1
  
  And on page one of thinking for 5 seconds, you'd know that such a MITM is a perfect DoS attack.
  Beyond that, a MITM can sit at the edge of an AP's range, pose as the AP, and target people within his own range, but outside of the AP's range.
7. Re:Tamper Evident by sexconker · 2011-08-26 07:54 · Score: 1
  
  Bending over and a taking a DoS up the ass is no solution.
  Using a preshared key (either a password or whatever other shit) works far better.
8. Re:Tamper Evident by TBBle · 2011-08-28 00:53 · Score: 1
  
  So you're saying that their "detect tampering" protocol fails to protect against a "just dumping noise into the air" DoS?
  I do grant you that if you can't hear the AP, you could be fooled into connecting to the MITM posing as the AP. But that's kind-of outside the scope of the protocol. This protocol is ensuring that the key you get from the AP comes from the AP you requested it from. If you can't hear the original AP, then you haven't really requested a key from it, but from the repeater.
  That's more of an identification issue than a 'packet modified in transit' issue.
  
  --
  Paul "TBBle" Hampson
  Paul.Hampson@Pobox.Com
wrong assumptions by Anonymous Coward · 2011-08-25 11:32 · Score: 1

They write "TEP begins by analyzing how an attacker mounts a man-in-the-middle exploit: In every case, the researchers say, the attack involves tampering with wireless messages.". But this is wrong - the man in the middle may simply be listening.
1. Re:wrong assumptions by rollingcalf · 2011-08-25 11:49 · Score: 2
  
  It's OK if the man-in-the-middle is only listening, because the Diffie-Hellman key exchange algorithm is designed so that the two legitimate parties can exchange encryption keys without a listener being able to determine the key, even if the listener records the whole transmission.
  
  --
  ---------
  There is inferior bacteria on the interior of your posterior.
2. Re:wrong assumptions by ArsenneLupin · 2011-08-25 20:44 · Score: 1
  
  But this is wrong - the man in the middle may simply be listening.
  Yeah right, and the purpose of an SSL certificate is to prove that you are a honorable person or business.
3. Re:wrong assumptions by maxwell+demon · 2011-08-26 00:01 · Score: 1
  
  Sure. Everyone knows that country music is the best weapon against attackers.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
4. Re:wrong assumptions by maxwell+demon · 2011-08-26 00:12 · Score: 1
  
  If he's only listening, he's not a man in the middle but an eavesdropper. And the existing protocols already protect against eavesdropping.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
5. Re:wrong assumptions by drpickett · 2011-08-26 00:54 · Score: 1
  
  No, it is how key exchange is accomplished in the South :)
Very poor summary by Mensa+Babe · 2011-08-25 11:35 · Score: 5, Insightful

I happen to have been following the work of Dina Katabi et al. for quite some time now and I have to admit that it is a very poor summary even for Slashdot. I can assure you that you can understand much more by skipping the summary, skipping the Original Source link and just reading the paper in question. It is a truly revolutionary idea that will soon change the way we perceive the risks in wireless communication.

--
Karma: Positive (probably because of superiour intellect)
1. Re:Very poor summary by John+Hasler · 2011-08-25 11:52 · Score: 1
  
  I don't think that this can be invulnerable and I think it opens up some DoS opportunities, but it looks pretty robust to me. I'll be interested in what Bruce Schneir has to say.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
2. Re:Very poor summary by sdguero · 2011-08-25 12:43 · Score: 1
  
  MOD PARENT UP
3. Re:Very poor summary by complete+loony · 2011-08-25 21:28 · Score: 1
  
  Huh, by encoding some information in silences, you can tell if anyone is trying to drown out your signal. So if you hear a TEA transmission and respond to it, you can establish a secure link back to the sender. That seems reasonably achievable and could provide better link layer security than WEP or WPA for unicast traffic. Though it does require custom code to be implemented in each wifi driver, or in some cases perhaps in firmware.
  But this approach doesn't directly give you a way to authenticate the person you are talking to. Without authentication you can disable the radio of the victim, and then impersonate them.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Re:Collision Domain by sexconker · 2011-08-25 11:43 · Score: 2

An attacker can tamper with a wireless message in three ways: by altering a message sent by one party to match his own Diffie-Hellman key; by hiding the fact that Party A has sent a message at all; and by blocking a message from being sent. TEP is designed to defang each of these tampering techniques.
It does this by compelling Party A to follow its message transmission with another: a pattern of energy "pulses" and "silences." Party A's wireless radio computes a hash of the original message, creating a sequence of ones and zeros. For each one, the radio sends a random packet; for each zero, it sends nothing -- it's silent. This combined pattern is unique to the original message.
If the attacker alters the contents of Party A's message, he, too, has to follow up with a new "silence pattern" that corresponds to the altered contents. But the two silence patterns will be different: The attacker "cannot generate silence" from Party A's "one bits." Party B can detect that difference and in effect refuse the connection offered by the attacker.
Aha, using the fact that all this comm is occurring in the same collision domain to your advantage against MITM attacks, I wonder if this would actually stand up to scrutiny?
The client can't refuse the connection by the attacker.
The client can only refuse ALL connections when it suspect foul pay (by hearing two shits).
Just as before, it's a race/range condition. Sit at the edge of an AP's range with two radios and people connecting to yours will never even hear the router shouting shit at them as sit in the middle.
AP ---- You ---- Victim
Victim and AP can't hear eachother, and thus have no indication that what you're saying isn't coming from you.
"Lucifer" should be "Mallory" in that article. by khasim · 2011-08-25 11:47 · Score: 1

From the article you linked to:

To understand this, consider a key exchange between Alice and Bob, where Bob sends his Diffie-Hellman public key to Alice. Lucifer, the adversary, could tamper with this key exchange as follows:
They need to stick to established naming conventions to make their work easier to understand.
The malicious cracker is named "Mallory". Not "Lucifer".

The key characteristics of a TEA message is that an attacker can neither hide a TEA transmission from other nodes within radio range, nor can it modify the content of the TEA without being detected.
That's a problem. In THEORY, those characteristics exist for ALL wireless packets. If Alice transmits, Bob sees the transmission (if within range). Mallory has to resort to a means of interrupting the transmission or canceling the request or just being the MITM for clients that are at the edge of the wireless coverage area.
1. Re:"Lucifer" should be "Mallory" in that article. by marcosdumay · 2011-08-26 09:33 · Score: 1
  
  The malicious cracker is named "Mallory". Not "Lucifer".
  
  What has happened to Eve? I havent heard anything from her in for a long time.
  
  --
  Rethinking email
you miss the point by Chirs · 2011-08-25 12:09 · Score: 5, Insightful

The client sees the "lie", and doesn't trust either of the offers because it isn't sure which is real.
Based on this, it's possible to DOS a router by sending out connection offers, but you can't do a MITM attack.
1. Re:you miss the point by Co0Ps · 2011-08-25 22:13 · Score: 1
  
  Interesting. And it doesn't matter that it doesn't protect against DOS because all wireless communication is subject to DOS anyway.
2. Re:you miss the point by maxwell+demon · 2011-08-25 23:56 · Score: 1
  
  Interesting. And it doesn't matter that it doesn't protect against DOS because all wireless communication is subject to DOS anyway.
  But is it subject to Windows as well? :-)
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
3. Re:you miss the point by sexconker · 2011-08-26 07:57 · Score: 1
  
  The client sees the "lie", and doesn't trust either of the offers because it isn't sure which is real.
  Based on this, it's possible to DOS a router by sending out connection offers, but you can't do a MITM attack.
  You can do a MITM attack just as you could with any other wireless system.
  Sit at the edge of the AP and pose as it, targeting people outside of the AP's range.
  If you used a preshared key, the attacker would have to know the key to do a MITM attack - be it a password or other authentication system.
  This idea is all about tossing out preshared keys. That's fundamentally not viable in terms of authentication.
Re:Collision Domain by RobbieThe1st · 2011-08-25 12:59 · Score: 1

But in that case, you are simply connecting to a compromised router. The fact that that router then connects to *another* router can be ignored.
That problem should be dealt with differently.
Paper looks interesting. by hechacker1 · 2011-08-25 13:05 · Score: 2

Reading the paper, it seems the proposed protocol for key exchange forces a wait time of 17ms, and then hashes the packet to ensure it doesn't get modified (forcing the use of slots and keeping the air open during attack).
The only problem I see is that you could easily use this mechanism to effectively DoS the network by making it wait for the CTS packets constantly while the protocol rejects the bad check-summed packets.
But I guess that's a minor flaw since it's already trivial to DoS wireless networks in general.
Here's to hoping this actually gets widely implemented.
This is specific to pairing by Animats · 2011-08-25 18:47 · Score: 1

The paper is about wireless pairing, which is a special case.
MITM attacks in general are not entirely invisible. Because the MITM is decrypting and reencrypting the message with a different key, the crypt bits received are different than those which were sent. If you ask "what were the crypto bits you received from bit N to M?", the MITM has to be prepared to intercept that query and formulate a lie. This can be made difficult for the MITM. The early STU-3 encrypted phone sets had a little 2-digit display, and the parties could verify over the voice link that both parties saw the same number. Faking that would require splicing words into a verbal conversation in real time.
It's thus possible to design protocols which require that a MITM tamper with the plaintext merely to listen in. This idea doesn't seem to have been developed enough, at least not in the unclassified community.
1. Re:This is specific to pairing by c0lo · 2011-08-25 19:19 · Score: 1
  
  Faking that would require splicing words into a verbal conversation in real time.
  Even more, in what language?
  
  --
  Questions raise, answers kill. Raise questions to stay alive.
Re:Useless waste of entropy by maxwell+demon · 2011-08-26 00:20 · Score: 1

Is it really important that this data is unpredictable, or is "random" here used in the meaning of "arbitrary", i.e. it doesn't matter what that data is?

--
The Tao of math: The numbers you can count are not the real numbers.
Re:Collision Domain by maxwell+demon · 2011-08-26 00:25 · Score: 1

But in that case, you are simply connecting to a compromised router. The fact that that router then connects to *another* router can be ignored.
That problem should be dealt with differently.
But shouldn't any solution to that problem also solve the other problem?

--
The Tao of math: The numbers you can count are not the real numbers.
RTFA: Silence is golden by gustep12 · 2011-08-26 01:25 · Score: 1

I read the article, and part of the idea is that noise (radio activity) may contain falsehoods, but that silence (radio silence) is genuine and cannot be spoofed. So you first send out a hash, and then try to establish a series of radio silence periods which, when decoded, match your hash. If anything messes with this authentication, it is obvious, and the connection is refused.
CTS by tepples · 2011-08-26 03:48 · Score: 1

all wireless communication is subject to DOS anyway.
But is it subject to Windows as well? :-)
Yes, in fact. The second page of the article describes CTS (Clear To Send), a way of reserving windows of time for communication.