What are the ways to prevent a deauthentication attack?

Asked by alexGONZALEZ in Cyber Security, asked on Oct 19, 2022

Is there a way to prevent deauthentication attacks? 


After facing such an attack, I tried finding more details about it, and through Wikipedia I now know the following: unlike most radio jammers, deauthentication acts in a unique way. The IEEE 802.11 (Wi-Fi) protocol contains the provision for a deauthentication frame. Sending the frame from the access point to a station is called a "sanctioned technique to inform a rogue station that they have been disconnected from the network".


An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with Wired Equivalent Privacy (WEP) for data privacy, and the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing.

Answered by Amit Sinha

Cisco spearheaded a method of detecting a deauthentication attack and even protecting against this type of attack if it is enabled and the client device supports it (minimum support of CCXv5). The Cisco feature is called "Management Frame Protection" and full details can be found on the Cisco website.


In essence, the process adds a hash value to all management frames that are sent.

This process was standardized with the IEEE 802.11w amendment released in 2009, and is supported by most modern Linux/BSD distributions in the kernel. Windows 8 was introduced with 802.11w support by default (which did cause some initial problems in some environments). AFAIK, OS X still lacks 802.11w support. For reference, 802.11w was rolled up in the 802.11-2012 maintenance release of the 802.11 standard.

Someone gave me an upvote, which refreshed this answer in my mind, and I figured this was due an update. The Wi-Fi Alliance (WFA) has made support of Protected Management Frames (PMF) mandatory to pass 802.11ac or Passpoint (aka HotSpot2.0) certifications. This has pushed support for 802.11w significantly and you can even find it in most consumer devices today.

Unfortunately, Apple still appears to be the holdout. Let me lead off by saying that I was surprised to find that Apple has not certified a single device with the WFA since early 2014. I know this is a voluntary process for vendors, but not taking part in the certification process seems like a bad idea to me for such a large manufacturer of wireless devices. While Apple has added 802.11w support, there are still issues. Namely, I came across this post earlier this year detailing issues with Apple connecting to a network with 802.1X authentication and 802.11w required. Networks that use a PSK (with 802.11w either optional or required) seem to work, as do 802.1X networks with 802.11w optional.

So we are getting there, but still have some way to go.
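Added example, not part of the answer above: an access point advertises whether 802.11w is disabled, optional or required through the MFPC and MFPR bits of the RSN Capabilities field in its RSN element, so a defender can audit a network by parsing that element from a captured beacon. The function name `pmf_mode` and the sample elements are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48
MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable

def pmf_mode(rsn_ie: bytes) -> str:
    """Classify a raw RSN element as 'required', 'optional' or 'disabled'."""
    if len(rsn_ie) < 2 or rsn_ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = rsn_ie[2:2 + rsn_ie[1]]
    if len(body) != rsn_ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    pos = 2 + 4  # skip Version (2) and Group Data Cipher Suite (4)
    for _ in range(2):  # Pairwise Cipher Suite list, then AKM Suite list
        if pos + 2 > len(body):
            return "disabled"  # later fields are optional; absent means 0
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * count
        if pos > len(body):
            raise ValueError("suite list overruns element")
    if pos + 2 > len(body):
        return "disabled"
    (caps,) = struct.unpack_from("<H", body, pos)
    if caps & MFPR and not caps & MFPC:
        raise ValueError("invalid: MFPR set without MFPC")
    if caps & MFPR:
        return "required"
    return "optional" if caps & MFPC else "disabled"

# Constructed sample elements (not captured from a real network).
SAMPLES = {
    "WPA2-PSK, no PMF": bytes.fromhex(
        "3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "0000"),
    "WPA2-PSK, PMF optional": bytes.fromhex(
        "3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "8000"),
    "PSK-SHA256, PMF required, BIP-CMAC-128": bytes.fromhex(
        "301a" "0100" "000fac04" "0100000fac04" "0100000fac06" "c000"
        "0000" "000fac06"),
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        print(f"{name}: PMF {pmf_mode(ie)}")
```

Only the "required" result means unprotected deauthentication frames are rejected for every associated client; with "optional", clients that do not negotiate PMF remain exposed.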


