Intercepting Mobile Communications: The Insecurity of 802.11 —DRAFT— Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Systems UC Berkeley Abstract to that of wired ones. The primary goal of WEP is to protect the confidentiality of user data from eavesdrop- ping. WEP is part of an international standard; it has The 802.11 standard for wireless networks includes a been integrated by manufacturers into their 802.11 hard- Wired Equivalent Privacy (WEP) protocol, used to pro- ware and is currently in widespread use. tect link-layer communications from eavesdropping and other attacks. We have discovered several serious secu- Unfortunately, WEP falls short of accomplishing its se- rity flaws in the protocol, stemming from misapplication curity goals. Despite employing the well-known and of cryptographic primitives. The flaws lead to a number believed-secure RC4 [12] cipher, WEP contains several of practical attacks that demonstrate that WEP fails to major security flaws. The flaws give rise to a number of achieve its security goals. In this paper, we discuss in attacks, both passive and active, that allow eavesdrop- detail each of the flaws, the underlying security princi- ping on, and tampering with, wireless transmissions. In ple violations, and the ensuing attacks. this paper, we discuss the flaws that we identified and describe the attacks that ensue. The following section is devoted to an overview of WEP 1 Introduction and the threat models that it is trying to address. Sec- tions 3 and 4 identify particular flaws and the corre- sponding attacks, and also discuss the security principles In recent years, the proliferation of laptop computers that were violated. Section 5 describes potential coun- and PDA’s has caused an increase in the range of places termeasures. Section 6 suggest some general lessons people perform computing. At the same time, network that can be derived from the WEP insecurities. Finally, connectivity is becoming an increasingly integral part Section 7 offers some conclusions. of computing environments. As a result, wireless net- works of various kinds have gained much popularity. But with the added convenience of wireless access come new problems, not the least of which are heightened se- 2 The WEP Protocol curity concerns. When transmissions are broadcast over radio waves, interception and masquerading becomes trivial to anyone with a radio, and so there is a need to The Wired Equivalent Privacy protocol is used in 802.11 employ additional mechanisms to protect the communi- networks to protect link-level data during wireless trans- cations. mission. It is described in detail in the 802.11 standard [11]; we reproduce a brief description to enable the fol- The 802.11 standard [11] for wireless LAN communi- lowing discussion of its properties. cations introduced the Wired Equivalent Privacy (WEP) protocol in an attempt to address these new problems WEP relies on a secret key shared between the com- and bring the security level of wireless systems closer municating parties to protect the body of a transmitted 1 RC4 encryption algorithm, and the term ciphertext ( # ) £ Plaintext to refer to the encryption of the plaintext as it is trans- ¢ ¡ Message CRC mitted over the radio link. ¤ XOR To decrypt a frame protected by WEP, the recipient sim- Keystream = RC4(v,k) ply reverses the encryption process. First, he regenerates the keystream '§(' and XORs it against the cipher- ¢ text to recover the initial plaintext: ¥ v Ciphertext # "7§(' Transmitted Data 546 §( 8"&9'§ ! :"7!§ ! Figure 1: Encrypted WEP Frame. ;) Next, the recipient verifies the checksum on the de- frame of data. Encryption of a frame proceeds as fol- © 3¦ 4 4 crypted plaintext 4 by splitting it into the form , lows: ¦¨§ © re-computing the checksum 4 , and checking that ¦ it matches the received checksum 4 . This ensures that Checksumming: First, we compute an integrity check- only frames with a valid checksum will be accepted by © sum ¦¨§ © on the message . We concatenate the the receiver. two to obtain a plaintext ©¦§© , which will be used as input to the second stage. Note that ¦§© , and thus , does not depend on the key . 2.1 Security Goals Encryption: In the second stage, we encrypt the plain- text derived above using RC4. We choose an ini- The WEP protocol is intended to enforce three main se- tialization vector (IV) . The RC4 algorithm gen- curity goals [11]: erates a keystream—i.e., a long sequence of pseu- dorandom bytes—as a function of the IV and the key . This keystream is denoted by § ! . Confidentiality: The fundamental goal of WEP is to Then, we exclusive-or (XOR, denoted by " ) the prevent casual eavesdropping. plaintext with the keystream to obtain the cipher- Access control: A second goal of the protocol is to text: protect access to a wireless network infrastructure. # The 802.11 standard includes an optional feature to $ %"&'§(' *) discard all packets that are not properly encrypted Transmission: Finally, we transmit the IV and the ci- using WEP, and manufacturers advertise the ability phertext over the radio link. of WEP to provide access control. Data integrity: A related goal is to prevent tampering Symbolically, this may be represented as follows: with transmitted messages; the integrity checksum field is included for this purpose. +$,-/. 12 ©3¦§ © *) !0§ %"&'§ ! where The format of the encrypted frame is also shown picto- In all three cases, the claimed security of the protocol rially in Figure 1. “relies on the difficulty of discovering the secret key through a brute-force attack” [11]. We will consistently use the term message (symboli- cally, © ) to refer to the initial frame of data to be pro- There are actually two classes of WEP implementation: tected, the term plaintext ( ) to refer to the concatena- classic WEP, as documented in the standard, and an ex- tion of message and checksum as it is presented to the tended version developed by some vendors to provide 2 larger keys. The WEP standard specifies the use of 40- dustry. However, such a position is dangerous. First, bit keys, so chosen because of US Government restric- it does not safeguard against highly resourceful attack- tions on the export of technology containing cryptogra- ers who have the ability to incur significant time and phy, which were in effect at the time the protocol was equipment costs to gain access to data. This limitation is drafted. This key length is short enough to make brute- especially dangerous when securing a company’s inter- force attacks practical to individuals and organizations nal wireless network, since corporate espionage can be with fairly modest computing resources [1, 5]. How- a highly profitable business. ever, it is straightforward to extend the protocol to use larger keys, and several equipment manufacturers of- Second, the necessary hardware to monitor and inject fer a so-called “128-bit” version (which actually uses 802.11 traffic is readily available to consumers in the 104-bit keys, despite its misleading name). This ex- form of wireless Ethernet interfaces. All that is needed tension renders brute-force attacks impossible for even is to subvert it to monitor and transmit encrypted traffic. the most resourceful of adversaries given today’s tech- We were successfully able to carry out passive attacks nology. Nonetheless, we will demonstrate that there are using off-the-shelf equipment by modifying driver set- shortcut attacks on the system that do not require a brute- tings. Active attacks appear to be more difficult, but force attack on the key, and thus even the 128-bit ver- not beyond reach. The PCMCIA Orinoco cards pro- sions of WEP are not secure. duced by Lucent allow their firmware to be upgraded; a concerted reverse-engineering effort should be able to In the remainder of this paper, we will argue that none of produce a modified version that allows injecting arbi- the three security goals are attained. First, we show prac- trary traffic. The time investment required is non-trivial; tical attacks that allow eavesdropping. Then, we show however, it is a one-time effort—the rogue firmware can that it is possible to subvert the integrity checksum field then be posted on a web site or distributed amongst un- and to modify the contents of a transmitted message, vi- derground circles. Therefore, we believe that it would olating data integrity. Finally, we demonstrate that our be prudent to assume that motivated attackers will have attacks can be extended to inject completely new traffic full access to the link layer for passive and even active into the network. attacks. Further supporting our position are the WEP documents themselves. They state: “Eavesdropping is a familiar problem to users of other types of wireless tech- 2.2 Attack Practicality nology” [11, p.61]. We will not discuss the difficulties of link layer access further, and focus on cryptographic properties of the attacks. Before describing the attacks, we would like to discuss the feasibility of mounting them in practice. In addi- tion to the cryptographic considerations discussed in the sections to follow, a common barrier to attacks on com- 3 The Risks of Keystream Reuse munication subsystems is access to the transmitted data. Despite being transmitted over open radio waves, 802.11 traffic requires significant infrastructure to intercept. An WEP provides data confidentiality using a stream cipher attacker needs equipment capable of monitoring 2.4GHz called RC4. Stream ciphers operate by expanding a se- frequencies and understanding the physical layer of the cret key (or, as in the case of WEP, a public IV and a 802.11 protocol; for active attacks, it is also necessary to secret key) into an arbitrarily long “keystream” of pseu- transmit at the same frequencies. A significant develop- dorandom bits. Encryption is performed by XORing the ment cost for equipment manufacturers lies in creating generated keystream with the plaintext.