Vulnerability in WUR Beacon and Its Impacts on Wake-up Operation Month Year May 2018 Vulnerability in WUR Beacon and Its Impacts on Wake-up Operation Date: 2018-05-07 Authors: Yunsong Yang, Huawei Technologies Yunbo Han, et al., Huawei

Month Year May 2018 Background This contribution reveals some vulnerability found in the current WUR Beacon design, evaluates its impacts on the WUR wake-up operation, and suggests some remedies to mitigate the impacts. Yunsong Yang, Huawei Technologies

Vulnerability in the WUR Beacon Month Year May 2018 Vulnerability in the WUR Beacon Attack Model #1: Forgery attack on WUR Beacon containing no MIC A faked WUR Beacon can contain purposefully erroneous partial TSF value, aiming to cause the AP and the STAs to become out of time synchronization. Attack Model #2: Block-and-replay attack on WUR Beacon containing MIC Even protected by a MIC, a legitimate WUR Beacon can be replayed with a calculated delay, passing MIC verification and causing time-asynchrony. Anti-replay detection can be defeated by blocking the STAs from receiving legitimate WUR Beacons, e.g., by injecting interference, so that the anti-replay counter used by the STA isn’t updated by the legitimate WUR Beacon and the replayed WUR Beacon is received by the STA as a legitimate one. The WUR Beacon is replayed with a maximal delay that is within the margin allowed for clock drifting, thereby passing the TSF value range check. As the replayed WUR Beacon passes all verifications that the STA performs, the STA updates its timer using the delayed TSF value. Yunsong Yang, Huawei Technologies

Example Attack on WUR Beacons with MIC Month Year Example Attack on WUR Beacons with MIC Assuming WUR Beacons contain Bits[5-16] of AP’s TSF, WUR Beacon Period is 8192 TUs, max. clock drift is ±200ppm, AP and STAs are synchronized at time=0. At time=8192 TUs, the AP transmits 1st WUR Beacon including Partial TSF field=0 and a MIC calculated with the TSF Bits[5-16](=0) and Bits[17-63](=64) as the IPN. Attacker blocks STAs from receiving the 1st WUR Beacon by injecting interference. At time=(8192 TUs + 1536 usec), the attacker replays the 1st WUR Beacon. Assuming the STA’s clock is perfect, the STA’s local TSF reads (8192 TUs +1536usec), with Bits[0-4]=0, Bits[5-16]=48, Bits[17-63]=64. The STA creates a temporary TSF (TT) from its local TSF except Bits[5-16] are copied from the Partial TSF in the replayed WUR Beacon[1]. The STA uses Bits[5-16](=0) and Bits[17-63](=64) of the TT to compute MIC, which checks. If the STA uses TSF value as the replay counter (RC), its old RC value is 0 (from the previous WUR Beacon received at time=0), thus less than the TT value, passing the anti-replay detection. The adjustment of 1536 usec is less than the maximal clock drift of 1677 usec allowed over a WUR Beacon period, passing the TSF value range check. Thus, the STA sets its local TSF (and new RC) to Bits[0-4]=0; Bits[5-16]=0, Bits[17-63]=64. Meanwhile, the AP’s TSF is Bits[0-4]=0, Bits[5-16]=48, Bits[17-63]=64. Yunsong Yang, Huawei Technologies

Example Attack (Cont’d) Month Year Example Attack (Cont’d) At time=16384 TUs, the AP transmits 2nd WUR Beacon (including Partial TSF field =0 and a MIC calculated with TSF Bits[5-16](=0) and Bits[17-63](=128) as the IPN, which the STA missed again. The STA’s RC remains as Bits[0-4]=0; Bits[5-16]=0, Bits[17-63]=64. At time=(16384 TUs + 3072 usec), the attacker replays the 2nd WUR Beacon. The STA’s local TSF reads (16384 TUs + 1536 usec), with Bits[0-4]=0, Bits[5-16]=48, Bits[17-63]=128. The STA creates the TT from its local TSF except Bits[5-16] are copied from the Partial TSF in the replayed WUR Beacon. The STA uses Bits[5-16](=0) & Bits[17-63](=128) of the TT to compute MIC, which checks. The STA’s old RC value is Bits[0-4]=0; Bits[5-16]=0, Bits[17-63]=64, thus less than the TT value, passing the anti-replay detection, again. The adjustment of 1536 usec is less than the maximal clock drift of 1677 usec, passing the TSF value range check, again. The STA sets its local TSF (and new RC) to Bits[0-4]=0; Bits[5-16]=0, Bits[17-63]=128. Meanwhile, the AP’s TSF is Bits[0-4]=0, Bits[5-16]=96, Bits[17-63]=128. So, after the 2nd block-and-replay attack, the STA’s TSF lags behind the AP’s TSF by 3072 usec. Such an attack can go on and on without the STA detecting it. Yunsong Yang, Huawei Technologies

Example Attack (Cont’d) Month Year Example Attack (Cont’d) Assuming the STA’s “On” period is 10 msec, and its OFF period is longer than that, after 7 rounds of block-and-replay attacks, the STA’s TSF lags behind the AP’s TSF by 10.752 msec, completely offsetting the “On” periods between the AP and the STA. 7 rounds (x 8192 TUs) takes less than 1 minute. Assuming that TSF value is used in the MIC calculation in the WUR Wakeup frames as well, as suggested in [2], and the highest bit of the Partial TSF value explicitly transmitted in the WUR Wakeup frame is Bit[16], after 86 rounds of block-and- replay attacks, the STA’s TSF is lagging behind the AP’s TSF by 132.096 msec. Thus, Bits[17-63] of the AP’s TSF is greater than Bits[17-63] of the STA’s TSF by 1. 86 rounds (x 8192 TUs) takes about 12 minutes. From that point on, the value of hidden MSBs of the STA’s TSF (used for MIC reception) no longer matches with that of the hidden MSBs of the AP’s TSF (used for MIC transmission). The STA can no longer check the MIC successfully. As a result, any legitimate WUR Wakeup frames to the STA are discarded and the STA becomes non-responsive to the AP’s wake-up signals. Yunsong Yang, Huawei Technologies

Month Year Suggested Remedies The replay attack on WUR Beacons posts a threat to the wake-up operation that relies on time synchrony, e.g., for a WUR STA with a duty ratio <100%, because “On” periods can be completely offset between the AP and STA under the attacks. Therefore, 11ba should support a wake-up operation that can operate without the WUR Beacons, as a fallback solution when under the attack. For example, The AP configures the WURx with 100% duty ratio, thus is able to wake up the STA by transmitting a WUR Wakeup frame (WUF) at any time; or The AP configures the WURx with a duty ratio <100% and wakes up the STA by transmitting a sequence of WUFs, ensuring that at least one of which will be transmitted over an “On” period of the WURx. The AP knows how long “On” period is, thus how far apart two adjacent WUFs can be. The AP knows how long Duty-cycle Period is, thus how many WUFs are needed. The WURx operates its On and Off periods (as configured by the WUR Mode element), based on its TSF timer, which is simply not corrected. That’s all. The AP can indicate to WUR STAs not to use WUR Beacons for time synchronization or the AP can simply transmit no WUR Beacons [3]. Yunsong Yang, Huawei Technologies

Suggested Remedies (cont’d) Month Year Suggested Remedies (cont’d) Instead of using the Partial TSF, consider placing a sequence number in the WUR Wakeup frames and used it as the IPN for the MIC calculation, thus, isolating the impact of attacks on WUR Beacons from the MIC verification on the WUR Wakeup frames. Question: Why the sequence number works for the WUR Wakeup frames, but not the WUR Beacons? Answer: The short answer is that the attack models are different. To attack on the WUR Beacon, the attacker blocks the legitimate WUR Beacon then replays it only once (to delay the STA’s TSF timer). So, the sequence number fails as an anti-replay counter. To attack on the MIC-protected WUR Wakeup frame, the attacker wishes to replay a sniffed WUR Wakeup frame again and again (to drain the battery). Therefore, the STA is able to detect the replay with the sequence number. Whether the attacker blocks the legitimate Wakeup frame or not, the STA will wake up only once, leaving the attacker no motivation to launch such attacks. Yunsong Yang, Huawei Technologies

Reference Month Year [1]. 11-18-0087-01-00ba-computation-of-tsf-update. [2]. 11-18-0064-01-00ba-secure-wur-frames [3]. 11-18-0440-02-00ba-tbd-clarification-for-tgba-d0-1-wur-beacon Yunsong Yang, Huawei Technologies