Wi-Fi de-authentication attacks and how you can prevent them using 802.11w or WPA3

TL;DR: Most of us perceive Wi-Fi (IEEE 802.11) as carrying an inherent risk: an attacker in close proximity could perform an attack that continuously disconnects a client from the Wi-Fi network. Such an attack is often termed a non-persistent denial of service, as the victim device regains access to the Wi-Fi network once the attacker stops. However, did you know that the 802.11w or WPA3 standards can help prevent such an attack from happening? To enable this feature, both the router and the client device have to support the standard.

Background

Today, wireless technology is used in products ranging from your smart home to life-critical scenarios such as medical devices in hospitals. Wi-Fi, also known as wireless fidelity, brings convenience as it does not rely on traditional wired methods to provide Internet connectivity. As the Wi-Fi standards continue to evolve, consumers are enjoying faster upload and download speeds.

Figure 1: State transition for Wi-Fi connections (Image from: https://www.researchgate.net/figure/Deauthentication-and-disassociation-procedure_fig2_304561923)

Why are de-authentication (a.k.a. deauth) attacks dangerous?

As Wi-Fi uses the 2.4 GHz and 5 GHz frequency bands of the radio spectrum, anyone in close proximity with the proper hardware could eavesdrop on or transmit malicious packets in these bands. In today's Wi-Fi networks, we can be assured that the data frames travelling through the air are usually encrypted. Unlike data frames, the management frames that handle (de)authentication, (de)association, beacons and probes are not encrypted in a network without management frame protection, as these frames must be heard and understood by all clients. Because of that, an attacker could spoof Wi-Fi packets and send de-authentication frames to continuously disconnect a client device from a network.

Figure 2: Use ‘EAPOL’ as the keyword to filter 4-way handshake in Wireshark
Figure 3: De-authentication packets in the ‘air’
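A wireless IDS flags the burst of de-authentication frames shown in Figure 3 by rate rather than by content, since the spoofed frames carry the AP's own address. The following is an added example (not code from the original post) that runs a sliding-window rate check over constructed frame records; the addresses, timings and the threshold of 10 frames per second are assumptions.

```python
from collections import defaultdict, deque

MGMT, DEAUTH, DISASSOC = 0, 12, 10     # 802.11 frame type / subtype values

def deauth_flood_sources(frames, window_s=1.0, threshold=10):
    """Return {transmitter: peak count} for every address that sends at least
    `threshold` deauth/disassoc frames inside a sliding window of `window_s`.
    `frames` is an iterable of dicts with keys ts, type, subtype, src, dst."""
    recent, flagged = defaultdict(deque), {}
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while f["ts"] - q[0] > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            flagged[f["src"]] = max(flagged.get(f["src"], 0), len(q))
    return flagged

AP, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:bb:02"   # constructed addresses

def _mgmt(ts, subtype, src, dst):
    return {"ts": ts, "type": MGMT, "subtype": subtype, "src": src, "dst": dst}

# Constructed sample (not a real capture): one legitimate deauth from a client
# leaving the network, some ordinary data frames, then a burst of 25 deauth
# frames 10 ms apart that claim the AP's address as the transmitter.
SAMPLE_FRAMES = (
    [_mgmt(0.5, DEAUTH, CLIENT, AP)]
    + [{"ts": 1.0 + i, "type": 2, "subtype": 0, "src": CLIENT, "dst": AP}
       for i in range(3)]
    + [_mgmt(5.0 + i * 0.01, DEAUTH, AP, CLIENT) for i in range(25)]
)

def detect_sample():
    """Run the check over the constructed sample; only the AP address is flagged."""
    return deauth_flood_sources(SAMPLE_FRAMES)
```

The single legitimate deauth never reaches the threshold, so it is not reported; on a live AP the same logic would be fed from a monitor-mode capture.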

Is there anything we can do about the management frames?

Yes, use 802.11w or WPA3! Recognising that unprotected management frames could result in such attacks, the 802.11w standard was published in 2008 to address the issue. Its key objective was to increase security by providing data confidentiality for management frames, along with mechanisms for data integrity, data origin authenticity, and replay protection. In WPA3 this feature is built in; however, it will likely take some time (~10 years) for all products and devices to shift from WPA2 to WPA3. I have played with a Google Nest that supports WPA3, but upon enabling this new standard, some smart devices were unable to connect to the AP. In summary, 802.11w or WPA3 must be supported by both the AP and the client device.

How does 802.11w/WPA3 work?

As mentioned earlier, management frames such as deauthentication, disassociation, beacons, and probes are normally unauthenticated and unencrypted. With 802.11w/WPA3 enabled, the AP adds a Message Integrity Check Information Element (MIC IE) to the management frames it transmits. This is achieved by introducing a new key called the Integrity Group Temporal Key (IGTK), which is used to protect broadcast/multicast management frames. The key is derived during the four-way key handshake. Any attempt to copy, alter, or replay the frame invalidates the MIC. In addition, some information in the management frames is encrypted.

What does it look like?

To determine whether an AP supports management frame protection, open any beacon frame and view the RSN capabilities. The box highlighted in red below shows the two management frame protection settings. If the required bit is set, any client that wishes to connect must support Management Frame Protection (MFP). If the capable bit is set, MFP is used if the client supports it.

Figure 4: Management Frame Protection Flags in a beacon frame
Figure 5: Example of a failed de-authentication attack sequence with MFP (no EAPOL packets)
Figure 6: Frame 115 de-authentication frame detail
Figure 7: A legitimate de-authentication packet
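The two flags Wireshark shows in Figure 4 are bits 6 (MFPR, required) and 7 (MFPC, capable) of the 2-byte RSN Capabilities field inside the RSN information element (ID 48), and the group management cipher suite that follows it names the BIP cipher the IGTK from the previous section is used with. The following added example (not code from the original post) decodes those fields from two constructed beacon frame bodies, one WPA3-SAE with MFP required and one WPA2-PSK without MFP; the SSID, capability bytes and suite lists are assumptions.

```python
import struct

# Suite selectors are the OUI 00-0F-AC followed by a 1-byte suite type.
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
MFPR, MFPC = 0x0040, 0x0080            # RSN Capabilities bits 6 and 7
RSN_ID, FIXED_PARAMS_LEN = 0x30, 12    # timestamp(8) + interval(2) + capability(2)

def _name(sel, table):
    return table.get(sel[3], f"unknown({sel[3]})") if sel[:3] == b"\x00\x0f\xac" else "vendor"

def parse_rsn(body):
    """Decode an RSN IE body (the bytes after the ID/length header)."""
    n_pair, = struct.unpack_from("<H", body, 6)
    pos = 8 + 4 * n_pair                              # skip the pairwise cipher list
    n_akm, = struct.unpack_from("<H", body, pos)
    akms = [_name(body[pos + 2 + 4*i: pos + 6 + 4*i], AKMS) for i in range(n_akm)]
    pos += 2 + 4 * n_akm
    caps, = struct.unpack_from("<H", body, pos)
    pos += 2
    gm_cipher = None                                  # only present when MFP is used
    if len(body) >= pos + 2:
        n_pmkid, = struct.unpack_from("<H", body, pos)
        pos += 2 + 16 * n_pmkid
        if len(body) >= pos + 4:
            gm_cipher = _name(body[pos:pos + 4], CIPHERS)
    return {"group": _name(body[2:6], CIPHERS), "akm": akms,
            "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR),
            "group_mgmt_cipher": gm_cipher}

def mfp_status(beacon_body):
    """Walk the beacon's IEs; return 'required', 'capable', 'disabled' or 'no-rsn'."""
    pos = FIXED_PARAMS_LEN
    while pos + 2 <= len(beacon_body):
        eid, length = beacon_body[pos], beacon_body[pos + 1]
        if eid == RSN_ID:
            r = parse_rsn(beacon_body[pos + 2: pos + 2 + length])
            return "required" if r["mfp_required"] else "capable" if r["mfp_capable"] else "disabled"
        pos += 2 + length
    return "no-rsn"

# Constructed beacon bodies (not real captures): fixed params, SSID "Test", RSN IE.
_HDR = bytes(8) + b"\x64\x00\x11\x00" + b"\x00\x04Test"
WPA3_MFP_REQUIRED = _HDR + bytes.fromhex(
    "301a" "0100" "000fac04" "0100000fac04" "0100000fac08" "c000" "0000" "000fac06")
WPA2_NO_MFP = _HDR + bytes.fromhex(
    "3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "0000")
```

On a hostapd-based AP the same bits are set by `ieee80211w=1` (capable) or `ieee80211w=2` (required).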

Why isn’t WPA3 or 802.11w enabled and made available by default?

With management frame protection introduced in 2008, the question arises: why do the majority of APs today not support this feature? If it can help prevent such a trivial attack, shouldn't it be a default feature? Furthermore, MFP is only supported on higher-end and more expensive (250 USD and above) router models today. I couldn't find any answers on the Internet on why 802.11w is not a default standard today. My personal take suggests the following to be the potential reasons:

Tips on Wi-Fi security

· Use a long and complex password for your Wi-Fi PSK. Even though the WPA2 standard requires a minimum 8-character password, consumers often use a simple dictionary word or just digits. The best recommendation for your PSK is a minimum length of 20 characters with sufficient complexity (special characters, upper/lowercase letters, numbers).

Cyber-Enthusiast | IoT Specialist | Penetration Testing | Red Teaming