1.1 Motivation and Contribution
1.1.4 Advanced Stealth Man-in-the-Middle (ASMiTM) Attack
An attacker launches a MiTM attack in order to place itself between two communicating parties. By establishing a MiTM, an attacker can sniff the entire communication taking place between them. Traditionally, MiTM has been achieved via Address Resolution Protocol (ARP) spoofing. When two hosts want to communicate with each other, they need to know each other’s MAC address. Given the IP address of a host, ARP is used to determine its MAC (physical) address. If the sender does not know the MAC address of the destination, it sends a broadcast ARP request asking for the MAC address corresponding to the destination host’s IP address. All the hosts receiving this broadcast ARP request frame check the IP address whose MAC address is requested. Only the destination host identifies that the ARP request is meant for its IP address and sends back its MAC address in a unicast ARP reply frame. The ARP request/response frame exchange is unauthenticated. The IP-MAC mapping in the request/response frame is sent in plain text and hence is susceptible to attacks. As ARP has no mechanism for checking the authenticity of the information being sent, a host receiving an ARP frame directly updates its ARP cache entry without verifying the genuineness of the source. In addition, hosts also cache all ARP replies sent to them even if no explicit ARP request was initiated by the host.
In an ARP spoofing attack [58, 59, 60], an attacker crafts and sends spoofed ARP frames (i.e., ARP frames carrying a wrong IP:MAC mapping) to a victim host, thereby poisoning the victim’s ARP cache. ARP spoofing leads to many other attacks. In the ARP-based Man-in-the-Middle attack, the attacker spoofs ARP frames and inserts itself into the communication path between two target systems. This allows the attacker to sniff all the frames transferred between the target systems and paves the way for the attacker to alter the messages (if it desires). An attacker can also use ARP spoofing to launch DoS attacks, MAC flooding attacks, etc.
ARP spoofing is still possible in open Wi-Fi networks. However, it was presumed that ARP spoofing would not be possible in Wi-Fi Protected Access II (WPA2) encrypted Wi-Fi networks. In a WPA2 encrypted Wi-Fi network, two different sets of keys are used for encryption purposes: a ‘Pairwise Transient Key’ (PVTKY) and a ‘Group Transient Key’ (GRPKY). All unicast messages are encrypted using the PVTKY. Both clients and the AP can encrypt as well as decrypt frames using the PVTKY. The PVTKY is unique for every client that is associated with the AP. A client gets a fresh PVTKY for every new association with the same AP. The GRPKY can only be used by the AP for encryption purposes, while the clients use it for decryption purposes. The GRPKY cannot be used by clients for encryption and is common among all clients associated with the same AP.
We propose a novel attack termed the ‘ASMiTM attack’ that exploits the Hole 196 vulnerability [61] and, in addition, breaks the replay counter synchronization between the genuine AP and the client. The combination of exploiting the Hole 196 vulnerability and breaking the replay counter (hence ‘advanced’) results in a MiTM attack and a prolonged ARP cache poisoning without the knowledge of the genuine AP (hence ‘stealth’). To prevent replay attacks in WPA2 encrypted Wi-Fi networks, each frame contains a packet number which is monotonically increasing. Frames received with a packet number lower than the current packet number are dropped by the client, which assumes them to be replay frames.
As the spoofed ARP frame does not reach the genuine AP because of the exploitation of the Hole 196 vulnerability, the AP continues to send frames with the old packet number, which are dropped by the client. Thus, in the ASMiTM attack the attacker is not only able to sniff the frames between the two communicating parties but also causes frame losses between the client and the AP due to the out-of-sync packet number value. Currently, WPA2 is the best known and most widely used encryption scheme for Wi-Fi networks. As the ASMiTM attack makes it possible to launch an insider attack in a WPA2 enabled Wi-Fi network, it poses serious security concerns for organizations. Surveys have shown that insider threats have caused more damage to organizations than outsider threats [62, 63, 64, 65]. Keeping this in mind, the ASMiTM attack is a serious threat in WPA2 enabled Wi-Fi networks.
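To make the replay-counter desynchronisation concrete, here is an added Python model (not code from the thesis) of the client’s packet-number check and the AP’s own counter. It also shows why a detection probe must carry a packet number above the one the client currently holds, the constraint discussed later in this section; the class and function names and the counter values are assumptions.

```python
class Wpa2Client:
    """Replay-protection state of one WPA2 client for frames from the AP, as the
    text describes it: keep the highest packet number (PN) accepted so far and
    silently drop any frame whose PN is not strictly higher."""

    def __init__(self):
        self.current_pn = 0
        self.dropped = []      # (pn, label) of frames discarded as replays

    def receive(self, pn, label):
        if pn <= self.current_pn:
            self.dropped.append((pn, label))
            return False
        self.current_pn = pn
        return True


class GenuineAp:
    """The AP's own PN counter. It never learns that the client's counter was
    pushed ahead, because the frame that did so was never seen by the AP."""

    def __init__(self):
        self.next_pn = 0

    def send(self, client, label="ap-frame"):
        self.next_pn += 1
        return client.receive(self.next_pn, label)


def simulate(jump, ap_frames_after):
    """Model the desynchronisation: three normal AP frames, one injected frame
    that advances the client's PN by `jump` (constructed scenario), then
    `ap_frames_after` genuine AP frames. Returns (dropped, accepted) counts for
    the genuine frames sent after the injection."""
    ap, client = GenuineAp(), Wpa2Client()
    for _ in range(3):
        ap.send(client)                      # AP and client in sync at PN 3
    client.receive(client.current_pn + jump, "injected")   # accepted: PN is higher
    dropped = sum(1 for _ in range(ap_frames_after) if not ap.send(client))
    return dropped, ap_frames_after - dropped


def probe_reaches_client(client, probe_pn):
    """Constraint on a detection probe (assumed helper): the client processes
    it only if its PN exceeds the client's current counter."""
    return probe_pn > client.current_pn
```

With `jump=10`, the next ten genuine AP frames are lost and traffic only resumes once the AP's counter overtakes the inflated client counter; with `jump=0` the injected frame is itself discarded and nothing is lost.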
In the ASMiTM attack, if ARP spoofing can be prevented or detected, the ASMiTM attack cannot take place. We now review various measures that have been suggested in the literature to defend against ARP spoofing attacks. The best way to prevent ARP attacks is to manually assign static IPs to all the systems and maintain static IP-MAC pairings at all the systems [66]. As Wi-Fi networks are mostly deployed in dynamic environments, this scheme is not suitable. It is quite cumbersome to physically go to every new machine and perform its IP configuration. For wired networks, port based solutions have been suggested to counter ARP spoofing [67]. In this approach, each port of the switch is tied to a fixed MAC address.
A change in the transmitter’s MAC address can result in port shutdown or in the change being ignored. The problem with this approach is that if the very first packet sent already carries a spoofed MAC address, the whole scheme fails. In Wi-Fi networks, the clients connect to the AP over the air rather than through switches. Software based solutions like ARPWATCH [68] and COLASOFT-CAPSA [69] monitor the IP-MAC pairs seen on the switch and report any change or ambiguity in the IP-MAC mapping to the administrator. These software solutions are inexpensive as compared to switches having advanced port security features. However, their response time is slow, making them ineffective. Several cryptography based techniques have been suggested to prevent ARP attacks, namely S-ARP [70] and TARP [71]. The addition of cryptographic features to ARP leads to various issues like a performance penalty, faster battery drain and changes in the basic ARP protocol.
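As an added illustration (not code from the thesis), the following Python model contrasts the unverified caching behaviour described earlier with an ARPWATCH-style monitor, both fed the same constructed sequence of ARP replies; the frame sample and the class names are assumptions.

```python
from collections import namedtuple

# Constructed sample of ARP reply frames as a sensor on the segment would see
# them. 'solicited' records whether the receiving host had an ARP request
# outstanding; hosts ignore that and cache the reply either way.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac solicited")

SAMPLE_REPLIES = [
    ArpReply(1, "10.0.0.1", "aa:aa:aa:aa:aa:01", True),    # gateway answers a request
    ArpReply(2, "10.0.0.7", "aa:aa:aa:aa:aa:07", True),    # another host
    ArpReply(3, "10.0.0.1", "aa:aa:aa:aa:aa:01", False),   # unsolicited, same mapping
    ArpReply(4, "10.0.0.1", "bb:bb:bb:bb:bb:99", False),   # unsolicited, new MAC for gateway
    ArpReply(5, "10.0.0.1", "bb:bb:bb:bb:bb:99", False),
]


class HostArpCache:
    """Host behaviour described in the text: every reply overwrites the cache
    entry, with no check of the source and no check for a pending request."""

    def __init__(self):
        self.table = {}

    def process(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac


class ArpMonitor:
    """ARPWATCH-style monitor: remember the first IP->MAC binding seen and
    report every later frame whose binding differs. Like the port-based
    defence, it trusts the first binding it sees, so a spoofed first frame
    would be recorded as the genuine one."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def process(self, reply):
        known = self.bindings.setdefault(reply.sender_ip, reply.sender_mac)
        if known != reply.sender_mac:
            self.alerts.append((reply.ts, reply.sender_ip, known, reply.sender_mac))


def run(replies):
    """Feed the frames to a victim cache and to the monitor; return the final
    cache (already overwritten) and the alerts the monitor raised."""
    cache, monitor = HostArpCache(), ArpMonitor()
    for r in replies:
        cache.process(r)
        monitor.process(r)
    return cache.table, monitor.alerts
```

The victim cache ends up holding the second binding for 10.0.0.1 while the monitor raises an alert for each conflicting frame, but only after the cache has already been overwritten, which is the response-time weakness noted above.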
Signature-based IDSs like Snort [15] can be used to detect ARP attacks and inform the administrator with an alarm. However, using signature-based IDSs for the detection of ARP attacks leads to a large number of false positives. Only one ARP request/response frame is needed to poison the ARP cache. So, ARP spoofing does not induce any sort of anomaly in terms of frame injection, bandwidth utilization, etc., and using an anomaly-based IDS might prove ineffective in detecting ARP spoofing attacks. One obvious solution for the ASMiTM attack is to never use the GRPKY and always use the PVTKY even for broadcast messages. However, if the PVTKY is used for broadcast messages, the AP has to send the same message encrypted separately with the PVTKY of every client associated with it. This not only adds a huge burden on the AP but also necessitates protocol changes in WPA2.
From the earlier observations it can be concluded that detecting or preventing the ARP spoofing attack is difficult. As the ASMiTM attack is based on ARP spoofing, detection of the ASMiTM attack is a challenging task. For the evil twin attack, the system is found to be diagnosable using a simple DES framework. This means that if an evil twin attack occurs, it is possible to confirm its occurrence by analyzing the frame sequence and frame characteristics within a finite amount of time after the evil twin attack takes place. The ASMiTM attack is detectable under certain network conditions and undetectable under others. In certain circumstances it is not possible to detect the occurrence of the ASMiTM attack within a finite time after the ASMiTM attack occurs. This attack can be detected using active probing. Here an IDS (actively) sends specially crafted ‘probe’ frames to ascertain the presence of an attacker.
A ‘probe’ frame is a normal network frame injected with special parameters. Crafting of the ‘probe’ frame is vital, as improper crafting may let an attacker escape detection. The design philosophy of active probing is that, after the injection of the ‘probe’ frame, both the attacker and the genuine client/server are forced to reply to it. Based on the ‘probe’ response, the presence or absence of the attacker is ascertained.
In [72], the authors have given a DES framework called I-diagnosability for partial diagnosis problems. Here some indicator events are defined and failure diagnosis (attack detection) is tested only in those paths where a fault (attack) is followed by an indicator event. The paths where there are no indicator events may contain some (fault or normal) uncertain states, but that does not hinder diagnosis of the system as a whole. For the ASMiTM attack, in the paths where a smaller packet number is sent in the ‘probe’ frame than the current packet number synchronized at the AP and client, no indicator event is available. I-diagnosability cannot be directly applied for the detection of the ASMiTM attack, as I-diagnosability requires that the fault (attack) must be diagnosable whenever the fault is followed by an indicator event. However, if a probe is sent with a smaller packet number than the current packet number synchronized at the AP and client, the ASMiTM attack cannot be ascertained, as the genuine client drops the frame having the smaller packet number, assuming it to be a replay frame. So, a ‘probe’ response from the genuine client is not possible, hampering fault diagnosis (attack detection). As a result, the I-diagnosability framework fails to detect the ASMiTM attack. Hence, we propose an I2-diagnosability (Induced I-diagnosability) DES framework that improves over the I-diagnosability framework [72] and is adopted for modeling and designing an IDS for the detection of the ASMiTM attack. The proposed IDS detects the ASMiTM attack and does not require any sort of encryption, protocol changes, software or hardware upgrades, etc. The contributions of this scheme are enumerated below:
1. A new DES paradigm termed I2-diagnosability (Induced I-diagnosability), and an IDS based on this framework, has been designed to detect the ASMiTM attack. As in the previous DES framework, we have made use of DES model state variables in order to deal with the very large size of the domains of the variables.
2. The IDS based on the I2-diagnosability framework has a high detection rate and accuracy while at the same time adding minimal overhead in terms of the number of probes injected.