Vigil@nce: 802.11, packet injection via WPA TKIP
November 2008 by Vigil@nce
SYNTHESIS
A vulnerability in the WPA TKIP protocol can be used by an attacker
to decrypt an ARP request and to inject 7 packets.
Gravity: 1/4
Consequences: data creation/edition
Provenance: radio connection
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/11/2008
IMPACTED PRODUCTS
– 802.11
DESCRIPTION
The Wi-Fi Protected Access (WPA) protocol is used to secure exchanges
in a Wi-Fi 802.11 network:
– WPA(1):
  – encryption via RC4 (simple migration from WEP)
  – key exchange via TKIP (Temporal Key Integrity Protocol)
  – integrity check via Michael, a MIC (Message Integrity Code)
– WPA2: encryption, key exchange and integrity check via AES in CCMP
  (Counter Mode with CBC-MAC Protocol) mode
An attack against WPA(1) is possible when all of the following
conditions hold:
– WPA(1) with TKIP is in use
– the attacker knows the IPv4 address range of the network
– the rekeying interval (time between key changes) is longer than
  30 minutes
– the network supports 802.11e (Quality of Service) with 8 channels
An attacker can recognise an ARP packet by its size. Since the MAC
addresses are transmitted in clear, the attacker already knows most
of the data (MAC addresses plus the IPv4 range) that is encrypted
inside the ARP packet. To recover the MIC, he can use a rarely used
channel; he can then send one packet on each of the 7 remaining
channels.
A vulnerability in the WPA TKIP protocol can therefore be used by an
attacker to decrypt an ARP request and to inject 7 packets.
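The following Python module is an added, defender-side example written for this page; it is not code from Vigil@nce, Cisco or any Wi-Fi vendor. It covers the two technical passages above: tkip_exposure() evaluates a WLAN configuration against the four preconditions listed in the advisory (WPA(1) with TKIP, guessable IPv4 range, rekeying slower than 30 minutes, 802.11e with 8 channels), and suspicious_qos_targets() is a monitoring heuristic built on the attack description: because the attacker recovers the MIC on a rarely used QoS channel and then injects one packet on each of the 7 remaining channels, a client that suddenly receives ARP-sized encrypted data frames on many distinct QoS channels within a short window is worth flagging. The configuration keys, the frame record fields, the ARP_SIZE value (the assumed frame-body length of an ARP packet encapsulated by TKIP) and the thresholds are assumptions chosen for this example; the frame records are constructed sample data.

```python
"""Added example, not part of the Vigil@nce advisory: defender-side checks
for the WPA TKIP preconditions and the multi-channel injection pattern."""
from collections import defaultdict
from dataclasses import dataclass

REKEY_LIMIT_SECONDS = 30 * 60  # advisory: attack needs rekeying slower than 30 min
QOS_CHANNELS = 8               # advisory: 802.11e with 8 channels
# Assumed length of the encrypted frame body of an ARP packet under TKIP:
# LLC/SNAP (8) + ARP (28) + TKIP IV/ExtIV (8) + MIC (8) + ICV (4) = 56 bytes.
ARP_SIZE = 56


@dataclass
class WlanConfig:               # hypothetical configuration model
    cipher: str                 # "TKIP" or "CCMP"
    rekey_seconds: int          # key change interval, 0 = never rekey
    qos_enabled: bool           # 802.11e / QoS with 8 channels
    ipv4_range_guessable: bool  # e.g. a well-known default private range


def tkip_exposure(cfg: WlanConfig) -> dict:
    """Report which of the advisory's four preconditions hold for a WLAN.
    The attack needs all of them, so 'exposed' is True only when all hold."""
    rekey_too_slow = cfg.rekey_seconds == 0 or cfg.rekey_seconds > REKEY_LIMIT_SECONDS
    conditions = {
        "wpa1_tkip": cfg.cipher.upper() == "TKIP",
        "ipv4_range_known": cfg.ipv4_range_guessable,
        "rekey_over_30min": rekey_too_slow,
        "qos_8_channels": cfg.qos_enabled,
    }
    return {"conditions": conditions, "exposed": all(conditions.values())}


@dataclass
class FrameRecord:    # hypothetical per-frame metadata from a wireless monitor
    t: float          # capture time in seconds
    dst: str          # destination station MAC address
    tid: int          # 802.11e QoS channel (0..7)
    body_len: int     # length of the encrypted frame body in bytes


def suspicious_qos_targets(frames, window=60.0, min_tids=4, arp_size=ARP_SIZE):
    """Flag destinations that receive ARP-sized frames on at least `min_tids`
    distinct QoS channels within `window` seconds. Ordinary client traffic
    stays on one or two channels; the injection step in the advisory spreads
    one packet over each of the remaining channels. Returns {dst: [tids]}."""
    by_dst = defaultdict(list)
    for f in sorted(frames, key=lambda f: f.t):
        if f.body_len == arp_size:
            by_dst[f.dst].append(f)
    flagged = {}
    for dst, recs in by_dst.items():
        best, start = set(), 0
        for end in range(len(recs)):            # sliding time window
            while recs[end].t - recs[start].t > window:
                start += 1
            tids = {r.tid for r in recs[start:end + 1]}
            if len(tids) > len(best):
                best = tids
        if len(best) >= min_tids:
            flagged[dst] = sorted(best)
    return flagged


# Constructed sample: client ...01 has normal traffic on channel 0; client ...02
# receives ARP-sized frames on seven different QoS channels within 3 seconds.
SAMPLE_FRAMES = [
    FrameRecord(0.0, "aa:aa:aa:aa:aa:01", 0, ARP_SIZE),
    FrameRecord(1.0, "aa:aa:aa:aa:aa:01", 0, 1500),
    FrameRecord(2.0, "aa:aa:aa:aa:aa:01", 0, ARP_SIZE),
] + [
    FrameRecord(10.0 + 0.5 * tid, "aa:aa:aa:aa:aa:02", tid, ARP_SIZE)
    for tid in range(7)
]

if __name__ == "__main__":
    weak = WlanConfig("TKIP", rekey_seconds=3600, qos_enabled=True, ipv4_range_guessable=True)
    fixed = WlanConfig("TKIP", rekey_seconds=600, qos_enabled=True, ipv4_range_guessable=True)
    print("weak config :", tkip_exposure(weak))
    print("fixed config:", tkip_exposure(fixed))
    print("flagged     :", suspicious_qos_targets(SAMPLE_FRAMES))
```

The exposure check mirrors the advisory's own logic: removing any one precondition (moving to WPA2/CCMP, or keeping TKIP but rekeying more often than every 30 minutes) is enough to break the attack. The monitor is a heuristic and will also fire on any legitimate application that spreads small frames across many QoS channels, so tune `min_tids` and `window` against a baseline capture before alerting on it.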
CHARACTERISTICS
Identifiers: 108472, cisco-sr-20081121-wpa, VIGILANCE-VUL-8266