Security Vulnerabilities in IEEE 802.11ah-2016 and Proposed Solutions


Explore security vulnerabilities in the IEEE 802.11ah-2016 standard regarding Target Wake Time mode, including potential attacks on TWT through teardown and setup frames. Discover proposed solutions to mitigate these risks and enhance network security in wireless communication systems.


Presentation Transcript


  1. November 2018 doc.: IEEE 802.11-18/1989r0

     Security Issues in 802.11ah

     Date: 2018-11-12

     Authors:
       Name: Yunsong Yang
       Affiliations: Huawei Technologies
       Address: 10180 Telesis Court, STE 400, San Diego, CA 92121
       Phone: +1-858-754-3638
       email: yangyunsong@huawei.com

     Submission Slide 1 Yunsong Yang, Huawei Technologies

  2. Introduction

     In this contribution, we describe some security vulnerabilities found in 802.11ah-2016 and some proposed solutions at a high level.

  3. Background of TWT Mode in 11ah

     Target Wake Time (TWT) is a technique that allows the AP to schedule a series of time slots for a STA, during which the STA wakes up for a period referred to as the TWT Service Period (SP) and exchanges frames. The STA can therefore remain in the doze state at all times except during its TWT SPs. The STA isn't required to wake up even for the Beacons, thereby reducing energy consumption.

       o The TWT SPs are negotiated between the AP and the STA during the TWT Setup procedure.
       o After the STA enters the TWT mode, the timing of the TWT SPs for the STA is derived by the AP and the STA based on the negotiated parameters and the TSF timers of the AP and STA, respectively.
       o Therefore, maintaining time synchronization between the local timers of the AP and the STA is important for the TWT operation.

  4. Attack on TWT through TWT Teardown

     Background: 802.11ah specifies that a TWT Teardown frame, sent by the AP or STA for tearing down the STA's TWT mode, is an Unprotected S1G action frame.

     Threat Model 1A: the attacker, impersonating the AP, sends a faked TWT Teardown frame to the STA to tear down the TWT operation so that the STA is unable to stay in the TWT mode as intended. As a result, its battery life is reduced significantly.

     Threat Model 1B: the attacker, impersonating the STA, sends a faked TWT Teardown frame to the AP, causing the AP to erase related parameters and consider that the STA has ceased its TWT operation, while the STA is still operating in the TWT mode. As a result, the AP may transmit data to the STA during its Doze state.

     Proposed Solution:
       o define a protected version of the TWT Teardown frame under the S1G action frame;
       o a STA or AP may request protected TWT Teardown operation in its TWT Setup frame and subsequently ignore any unprotected TWT Teardown frame received;
       o a STA or AP receiving a protected TWT Teardown frame is required to verify the MIC in the frame successfully before tearing down the TWT mode.

  5. Attack on TWT through TWT Setup

     Background: 802.11ah specifies that the TWT Setup frame, either sent by a STA for carrying a TWT Setup Request or sent by an AP for carrying a TWT Setup Response, is an Unprotected S1G action frame.

     Threat Model 2: the attacker may block the STA from receiving the legitimate TWT Setup Response and send the STA a faked TWT Setup Response carrying erroneous TWT parameters, such as the starting time of the SPs, causing the STA to be in Doze state when the AP thinks it is in Awake state. As a result, the STA is unable to receive data from the AP.

     Proposed Solution:
       o define a protected version of the TWT Setup frame under the S1G action frame;
       o a STA may request protected TWT Setup operation in its TWT Setup (Request) frame and subsequently ignore any unprotected TWT Setup (Response) frame received;
       o the STA receiving a protected TWT Setup frame is required to verify the MIC in the frame successfully before further processing the frame.

  6. Attack on TWT through Time De-synchronization

     Background: Beacon, DMG Beacon, and Announce frames contain the AP's (or PCP's) TSF value in order to synchronize the TSF timers of other STAs in the BSS. 802.11ah-2016 introduces additional frames that can carry the AP's TSF value, e.g.,

       o S1G Beacon and PV1 Probe Response frames contain the 32 LSBs of the TSF. (An S1G Beacon scheduled at TBTT or a PV1 Probe Response responding to a specific request additionally contains the 32 MSBs of the AP's TSF.)
       o Once entering the TWT mode, TWT STAs are not required to listen to S1G Beacons. The AP may send a TACK, STACK or BAT frame to a TWT STA during its SP to maintain time synchronization. (The TACK and BAT frames contain the 40 LSBs of the TSF value. The STACK frame contains the 32 LSBs of the TSF value.)

     Threat Model 3: because none of these 8 types of frames is MIC-protected, an attacker can send a faked frame (of one of these 8 types) carrying an erroneous TSF value to completely offset the SP timing used by the AP and the STA, respectively, rendering the STA non-responsive to the AP's transmissions to it.

     Proposed solution: provide time synchronization using MIC-protected frame(s).

  7. Straw Poll 1

     Do you support that TGmd define a protected version of the TWT Teardown frame under the category of S1G action frame?

       o a non-AP STA or AP may request protected TWT Teardown operation in its TWT Setup frame and subsequently ignore any unprotected TWT Teardown frames received; and
       o a non-AP STA or AP receiving a protected TWT Teardown frame is required to verify the MIC in the frame successfully before tearing down the TWT mode.

  8. Straw Poll 2

     Do you support that TGmd define a protected version of the TWT Setup frame under the category of S1G action frame?

       o a non-AP STA may request protected TWT Setup operation in its TWT Setup (Request) frame and subsequently ignore any unprotected TWT Setup (Response) frame received; and
       o a non-AP STA receiving a protected TWT Setup frame is required to verify the MIC in the frame successfully before further processing the frame.

  9. Straw Poll 3

     Do you support that TGmd define a mechanism to provide time synchronization function using protected management frame(s)?
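
Added example (not part of the original submission): a Python model of the receiver rule proposed on slide 4, where a peer that requested protected teardown ignores unprotected TWT Teardown frames and verifies the MIC before leaving TWT mode; the same gate applies to the TWT Setup Response on slide 5. Assumptions: the `TwtPeer` class and the dict frame layout are hypothetical, a truncated HMAC-SHA256 stands in for the 802.11 MIC, and the packet-number replay check goes beyond what the slides state.

```python
import hmac, hashlib, struct

MIC_LEN = 8  # assumption: truncated HMAC-SHA256 stands in for the 802.11 MIC

def mic(key: bytes, pn: int, body: bytes) -> bytes:
    """MIC over packet number + frame body (stand-in for the real cipher suite)."""
    return hmac.new(key, struct.pack(">Q", pn) + body, hashlib.sha256).digest()[:MIC_LEN]

def protect(key: bytes, pn: int, body: bytes) -> dict:
    """Build a protected frame (hypothetical dict layout, not a wire format)."""
    return {"protected": True, "pn": pn, "body": body, "mic": mic(key, pn, body)}

class TwtPeer:
    """Receiver-side handling of TWT Teardown, for either a STA or an AP."""

    def __init__(self, key: bytes, require_protected: bool):
        self.key = key
        self.require_protected = require_protected  # requested in TWT Setup
        self.twt_active = True
        self.last_pn = -1  # replay counter (assumption, not on the slides)

    def on_teardown(self, frame: dict) -> str:
        if not frame.get("protected"):
            if self.require_protected:
                return "ignored-unprotected"  # Threat Models 1A/1B stop here
            self.twt_active = False           # 802.11ah-2016 behaviour
            return "torn-down"
        expected = mic(self.key, frame["pn"], frame["body"])
        if not hmac.compare_digest(expected, frame["mic"]):
            return "dropped-bad-mic"
        if frame["pn"] <= self.last_pn:
            return "dropped-replay"
        self.last_pn = frame["pn"]
        self.twt_active = False
        return "torn-down"

def demo() -> list:
    key = b"constructed-session-key-01234567"    # constructed sample key
    body = b"TWT-TEARDOWN flow=0"                # constructed frame body
    spoofed = {"protected": False, "body": body}
    legacy = TwtPeer(key, require_protected=False)
    hardened = TwtPeer(key, require_protected=True)
    forged = protect(b"key-the-peer-does-not-share", 1, body)
    genuine = protect(key, 1, body)
    return [legacy.on_teardown(spoofed), hardened.on_teardown(spoofed),
            hardened.on_teardown(forged), hardened.on_teardown(genuine),
            hardened.on_teardown(genuine)]  # second delivery is a replay
```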
