Omar Nakhila
University of Central Florida
Publication
Featured research published by Omar Nakhila.
military communications conference | 2015
Omar Nakhila; Afraa Attiah; Yier Jin; Cliff Zou
Wi-Fi network offers an inexpensive and convenient way to access the Internet. It becomes even more important nowadays as we are moving from the traditional computer age to the current mobile devices and Internet-of-Things age. Wi-Fi Protected Access II (WPA2) - Pre-shared key (PSK) is the current security standard used to protect small 802.11 wireless networks. Most of the available dictionary password-guessing attacks on WPA2-PSK are based on capturing the four-way handshaking frames between an authorized wireless client and the Access Point (AP). These attacks will fail if an attacker is unable to capture the four-way handshaking frames of a legitimate client. An attacker also can apply an active dictionary attack by sending a pass-phrase to the AP and waiting for the response. However, this attack approach could only achieve a low attack intensity of testing a few pass-phrases per minute. In this paper, we develop a new scheme to speed up the active pass-phrase guessing trials intensity based on two novel ideas: First, the scheme mimics multiple Wi-Fi clients connecting to the AP at the same time (each emulated Wi-Fi client has its own spoofed MAC address); Second, each emulated Wi-Fi client could try many pass-phrases using a single wireless session without the need to pass the 802.11 authentication and association stages for every pass-phrase guess. We have developed a working prototype and our experiments show that the proposed scheme can improve active dictionary pass-phrase guessing speed by 100-fold compared to the traditional single client attack.
consumer communications and networking conference | 2015
Omar Nakhila; Erich Dondyk; Muhammad Faisal Amjad; Cliff C. Zou
Evil Twin Attack (ETA) refers to a rogue Wi-Fi Access Point (AP) that appears to be a legitimate one but actually has been set up to eavesdrop on wireless communications [1]. Most existing detection techniques assume that the attacker will use the same legitimate wireless network gateway to pass through victims' wireless data. These detection methods will fail if the attacker uses a different gateway, such as using his own broadband cellular connection through his own smartphone. In this paper, we present a new client-side detection method to detect such an ETA that uses a different gateway from the legitimate one. It relies on an SSL/TCP connection to an arbitrary remote web server to avoid the attacker's misleading messages, and tries to detect a change in the gateway's public IP address by switching from one AP to another in the middle of the SSL/TCP connection. The detection method is on the client side, which makes it more convenient for users to deploy and ensure their security.
military communications conference | 2016
Omar Nakhila; Cliff C. Zou
Free open wireless Internet access is a complimentary Wi-Fi service offered by most coffee shops, fast food restaurants and airports to their customers. For ease of access, these Wi-Fi networks are inherently insecure, as no authentication/encryption is used to protect customers' wireless data. An attacker can easily deceive a wireless customer (WC) by setting up a rogue access point (RAP) impersonating the legitimate access point (LAP). The WC connecting to the RAP becomes an easy target for the Man-In-the-Middle Attack (MIMA) and data traffic snooping. In this paper, we present a real-time client-side detection scheme to detect evil twin attack (ETA) when the attacker relies on the LAP to direct WC data to the Internet. The WC can detect ETA by monitoring multiple Wi-Fi channels in a random order looking for specific data packets sent by a dedicated server on the Internet. Once an ETA is detected, our scheme can clearly identify whether a specific AP is a LAP or a RAP. The effectiveness of the proposed detection method was mathematically modeled, prototyped and evaluated in a real-life environment with a detection rate approximating 100%.
military communications conference | 2016
Omar Nakhila; Cliff C. Zou
One of the greatest challenges facing 802.11 wireless local area networks (WLANs) is to provide security equivalent to that of a wired local area network (LAN). Wi-Fi Protected Access II (WPA-II), also referred to as the IEEE 802.11i standard, is the current security mechanism for enterprise wireless networks. The IEEE 802.11i standard depends upon the IEEE 802.1X standard to authenticate and generate the main cryptographic key used to secure wireless network traffic. In a WPA-II enterprise network, capturing wireless frames during the authentication phase between the Access Point (AP) and an authorized wireless client will not compromise the security of the WLAN. However, an attacker can apply an active dictionary attack by guessing the credentials used to access the wireless network. In this case, the attacker communicates directly with the Authentication Server (AS). The main downside of this attack is the low intensity of password guessing trials that the attacker can achieve, thus the security community usually does not pay attention to such an attack. In this paper, we present a new attack scheme that can increase the intensity of guessing trials against WPA-II enterprise. The new scheme is based on using one wireless interface card to create multiple virtual wireless clients (VWCs); each VWC communicates with the Authentication Server as a standalone wireless client. We have developed a working prototype and our experiments show that the proposed scheme can improve the active dictionary guessing speed by more than 1700% compared to the traditional single wireless client attack.
Computers & Security | 2017
Omar Nakhila; Muhammad Faisal Amjad; Erich Dondyk; Cliff C. Zou
Complimentary open Wi-Fi networks offered by most coffee shops, fast food restaurants and airports are inherently insecure. An attacker can easily deceive a wireless client (WC) by setting up a rogue access point (RAP) impersonating the legitimate access point (LAP), which is usually referred to as Evil Twin Attack (ETA). To pass a victim's wireless data through to the Internet, an attacker may use the same LAP's gateway, or use a different gateway, such as a broadband cellular connection. Most of the existing ETA detection techniques assume that the attacker will use a specific wireless network gateway to pass victims' wireless data. In this paper, we present a real-time client-side detection scheme to detect ETA regardless of the attacker's gateway selection. The proposed ETA detection system considers both ETA scenarios in parallel by creating two Virtual Wireless Clients (VWCs). The first VWC monitors multiple Wi-Fi channels in a random order looking for specific data packets sent by a server on the Internet. Meanwhile, the second VWC warns the WC when the wireless network uses two different gateways by switching from one AP to another in the middle of a secure connection. The effectiveness of the proposed detection method has been mathematically modeled, prototyped and evaluated in a real-life environment with a detection rate close to 100%.
Wireless Communications and Mobile Computing | 2016
Muhammad Faisal Amjad; Mainak Chatterjee; Omar Nakhila; Cliff C. Zou
Collocated cognitive radio networks (CRNs) employ coexistence protocols to share the spectrum when it is not being used by the licensed primary users. These protocols work under the assumption that all spectrum bands provide the same level of quality of service, which is somewhat simplistic because channel conditions as well as the licensees' usage of allocated channels can vary significantly with time and space. These circumstances dictate that some channels may be considered better than others; therefore, CRNs are expected to have a preference over the choice of available channels. Because all CRNs are assumed to be rational and select the best available channels, it can lead to an imbalance in contention for disparate channels, degraded quality of service, and an overall inefficient utilization of spectrum resource. In this paper, we analyze this situation from a game theoretic perspective and model the coexistence of CRNs with heterogeneous spectrum as an evolutionary anti-coordination spectrum-sharing game. We derive the evolutionarily stable strategy (ESS) of the game by proving that it cannot be invaded by a greedy strategy. We also derive the replicator dynamics of the proposed evolutionary game, a mechanism with which players can learn from their payoff outcomes of strategic interactions and modify their strategies at every stage of the game and subsequently converge to ESS. Because all CRNs approach ESS based solely upon the common knowledge payoff observations, the evolutionary game can be implemented in a distributed manner. Finally, we analyze the game from the perspective of fairness using Jain's fairness index under selfish behavior from CRNs.
mobile adhoc and sensor systems | 2017
Dean Wasil; Omar Nakhila; Salih Safa Bacanli; Cliff C. Zou; Damla Turgut
Smartphone carrier companies rely on mobile networks for keeping an accurate record of customer data usage for billing purposes. In this paper, we present a vulnerability that allows an attacker to force the victim's smartphone to consume data through the cellular network by starting the data download on the victim's cell phone without the victim's knowledge. The attack is based on switching the victim's smartphone from the Wi-Fi network to the cellular network while downloading a large data file. This attack has been implemented in real-life scenarios where the test outcomes demonstrate that the attack is feasible and that mobile networks do not record customer data usage accurately.
military communications conference | 2017
Omar Nakhila; Cliff C. Zou
Accessing the Internet through Wi-Fi networks offers an inexpensive alternative for offloading data from mobile broadband connections. Businesses such as fast food restaurants, coffee shops, hotels, and airports provide complimentary Internet access to their customers through Wi-Fi networks. Clients can connect to the Wi-Fi hotspot using different wireless devices. However, network administrators may apply traffic shaping to control the wireless clients' upload and download data rates. Such limitation is used to avoid overloading the hotspot, thus providing fair bandwidth allocation. Also, it allows for the collection of money from the client in order to have access to a faster Internet service. In this paper, we present a new technique to avoid bandwidth limitation imposed by Wi-Fi hotspots. The proposed method creates multiple virtual wireless clients using only one physical wireless interface card. Each virtual wireless client emulates a standalone wireless device. The combination of the individual bandwidth of each virtual wireless client results in an increase of the total bandwidth gained by the attacker. Our proposed technique was implemented and evaluated in a real-life environment with an increase in data rate of up to 16-fold.
consumer communications and networking conference | 2015
Erich Dondyk; Omar Nakhila; Cliff C. Zou
Despite all the advances in smartphone technology in recent years, smartphones still remain limited by their battery life. Unlike other power-hungry components in a smartphone, the cellular data and Wi-Fi interfaces often continue to be used even when the phone is in its idle state in order to accommodate background (necessary or unnecessary) data traffic produced by some applications. In addition, bad reception has been proven to greatly increase energy consumed by the radio, which happens frequently when smartphone users are inside buildings. In this paper, we present a Short message service Push based Service (SPS) system to save unnecessary power consumption when smartphones are in idle state, especially in bad reception areas. First, SPS disables a smartphone's data interfaces whenever the phone is in idle state. Second, to preserve the real-time notification functionality required by some apps, such as new email arrivals and social media updates, when a notification is needed, a push server will deliver a wakeup text message to the phone (which does not rely on data interfaces), and then SPS enables the phone's data interfaces to connect to the corresponding server to retrieve notification data via the normal data network. Once the notification data has been retrieved, SPS will disable the data interfaces again if the phone is still in idle state. We have developed a complete SPS prototype for Android smartphones. Our experiments show that SPS consumes less energy than the current approaches. In areas with bad reception, the SPS prototype can double the battery life of a smartphone.
ieee global conference on signal and information processing | 2014
Muhammad Faisal Amjad; Mainak Chatterjee; Omar Nakhila; Cliff C. Zou