Securing the WUR

Presentation transcript:

Securing the WUR
Date: 2016-07-26
Authors: Yunsong Yang, Huawei; Stephen McCann, Blackberry
Slide header: July 2016; March 2014, doc.: IEEE 802.11-14/0216r0

Abstract

The WUR concept has been introduced in [1-3]. This contribution describes some attacks that may be launched on a WUR-capable station, potentially with an effect equivalent to that of denial-of-service (DoS) attacks. Certain high-level WUR design requirements for countering such attacks are suggested.

Vulnerability of WUR (I)

A main target area of WUR includes sensors running on coin batteries. Malicious attacks on these devices using wake-up packets can cause the WUR receiver to falsely wake up the main radio. Frequently repeating such attacks can quickly drain the battery and ultimately disable the device.

E.g., a security motion sensor may be designed to normally wake up once a day (e.g., to report battery status) and to last for years. But if a hacker can successfully wake up the main radio on the sensor once per second, the sensor may be disabled within one to a few days (see appendix for the estimation). Imagine the home owner who installed this sensor is on a Christmas trip …

Vulnerability of WUR (I) - Brute-force Attack

Threat model: the attacker sends one or more wake-up packets with randomly or sequentially selected WUR addresses until one matches the right address (the attacker can see that the STA has woken up). Then the attacker sends the right wake-up packet repeatedly to kill the battery. The attacker can send several wake-up packets at a time to speed this up.

Difficulty to perform: relatively easy unless the WUR address is long enough.

Requirements to counter the attack:
- The WUR address should be long enough to make it hard to guess right.
- The WUR address should be changed frequently (preferably changed during every wake-up) so that a random success in guessing it right doesn't lead to repeated successes, making the brute-force attack less rewarding.

Vulnerability of WUR (I) - Replay Attack

Threat model: the attacker obtains a legitimate wake-up packet by eavesdropping, then replays the wake-up packet repeatedly to kill the battery.

Difficulty to perform: easy unless the WUR address is changed during every wake-up.

Requirements to counter the attack:
- The WUR address should be changed frequently (preferably changed during every wake-up) so that the replay attack won't work, as a legitimate WUR address is used only once (for a long while).

Vulnerability of WUR (II)

If the WUR address is changed during every wake-up event as a countermeasure against the attacks on the battery described previously, a second type of vulnerability may arise: an attacker may impersonate the AP or the STA to cause the AP and the STA to fall out of sync on the WUR address that each uses.

Threat model I: the attacker impersonates a legitimate STA that falsely detects a wake-up packet (i.e., a faked false-positive event) and starts to communicate with the AP on its main radio (while the legitimate STA is still in deep sleep), triggering the AP to assign a new WUR address to the legitimate STA, thus causing the AP and the legitimate STA to fall out of sync on the WUR address being used.

Difficulty to perform: easy to hard depending on security measures.

Requirements to counter the attack:
- During every wake-up event, the AP should verify the authenticity of the message(s) from the STA before using a new WUR address for the STA.

Vulnerability of WUR (II) – Cont'd

Threat model II: the attacker impersonates the legitimate AP and wakes up the STA (through interception/eavesdropping then replay, or brute-force attack), and then assigns a faked WUR address to the STA before putting the STA into deep sleep. As a result, the STA's WUR keeps monitoring the wrong WUR address and won't be woken up by the legitimate AP again.

Difficulty to perform: medium to hard depending on security measures.

Requirements to counter the attack:
- During every wake-up event, the STA should verify the authenticity of the message(s) from the AP before the STA uses the new WUR address.

Summary

It is NOT our intention to suggest that the WUR SG address the security issues that might already exist in the 802.11 PHY and MAC today. Rather, we want to focus narrowly on preventing an attacker from effectively achieving the same goal as a denial-of-service (DoS) attack by draining a device's battery or by making the device unable to be woken up by a legitimate counterpart.

Thus, we suggest that the WUR SG consider countermeasures in the WUR design to mitigate the potential impacts of such attacks on the WUR. The following WUR design requirements may be considered as a starting point:
- The WUR address should be long enough.
- The WUR address should be changed frequently, preferably during every wake-up event.
- During every wake-up event, the STA and the AP should verify the authenticity of the message(s) from each other before assigning or using the new WUR address for the STA's next wake-up event.
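
The following sketch is an added example, not part of the contribution or of any 802.11 specification. It models the three requirements above for the replay case and for threat models I and II. The shared key, the 6-byte address length, the HMAC-SHA256 message format and all class and function names are assumptions made for illustration.

```python
import hmac, hashlib, secrets

ADDR_LEN = 6  # bytes; assumed value, the slides only ask for "long enough"

def mac(key, *parts):
    # HMAC-SHA256 over length-prefixed fields (assumed construction, not from the slides)
    data = b"".join(len(p).to_bytes(1, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

class Station:
    def __init__(self, key, addr):
        self.key, self.addr, self.nonce = key, addr, None
    def wur_receive(self, addr):
        # Wake-up receiver: wake the main radio only on an exact address match.
        if not hmac.compare_digest(addr, self.addr):
            return False
        self.nonce = secrets.token_bytes(16)  # fresh challenge per wake-up event
        return True
    def hello(self):
        # Main-radio message; binding the current address makes an old hello useless.
        return self.nonce, mac(self.key, b"STA", self.nonce, self.addr)
    def accept_update(self, new_addr, tag):
        # Use the new address only if the AP authenticated it for this nonce.
        ok = self.nonce is not None and hmac.compare_digest(
            tag, mac(self.key, b"AP", self.nonce, new_addr))
        if ok:
            self.addr, self.nonce = new_addr, None
        return ok

class AccessPoint:
    def __init__(self, key, addr):
        self.key, self.addr = key, addr
    def handle_hello(self, nonce, tag):
        # Assign a new address only after verifying the STA's message.
        if not hmac.compare_digest(tag, mac(self.key, b"STA", nonce, self.addr)):
            return None
        self.addr = secrets.token_bytes(ADDR_LEN)
        return self.addr, mac(self.key, b"AP", nonce, self.addr)

def run_scenarios():
    key, a0 = secrets.token_bytes(32), secrets.token_bytes(ADDR_LEN)
    sta, ap, r = Station(key, a0), AccessPoint(key, a0), {}
    r["legit_wake"] = sta.wur_receive(ap.addr)
    hello = sta.hello()
    r["legit_update"] = sta.accept_update(*ap.handle_hello(*hello))
    r["replayed_wake"] = sta.wur_receive(a0)  # captured address, now stale
    r["replayed_hello"] = ap.handle_hello(*hello) is not None  # threat model I
    sta.wur_receive(sta.addr)  # assume a rogue AP managed to wake the STA
    forged = secrets.token_bytes(ADDR_LEN)
    r["forged_update"] = sta.accept_update(
        forged, mac(b"\x00" * 32, b"AP", sta.nonce, forged))  # threat model II
    r["in_sync"] = sta.addr == ap.addr
    return r
```

The sketch does not cover a lost address-update message or a lucky brute-force guess; both need a resynchronization rule that the slides leave open.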

Appendix: Estimation of battery capacity consumed per day under repeated attacks

Assumptions:
- Wake-up frequency: once per second (continually for 24 hrs).
- Average wake-up duration (considering message exchanges needed to correct the situation): 50 msec.
- Estimated average current during wake-up period: 50 mA (Doc. 11-14-0980-15-00ax-simulation-scenarios).

Result: 24 x 3600 x 0.05 x 50 / 3600 = 60 mAh

[4, 5] suggest that the effective capacity can be significantly reduced (by as much as one half) under high discharge rate.

Conclusion: Most coin batteries would last less than a day under such repeated attacks.

References

[1] 11-15-1307r1
[2] 11-16-0027r0
[3] 11-16-0341r0
[4] http://www.low-powerdesign.com/121312-article-extending-battery-life.htm
[5] http://www.eetimes.com/document.asp?doc_id=1279311