Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs)

Published byHadian Susman Modified over 6 years ago

Similar presentations

Presentation on theme: "Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs)"— Presentation transcript:

1 Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs)
Vulnerabilities Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs) Northwestern Lab for Internet and Security Technology (LIST) Lab for Internet & Security Tech, Northwestern Univ.

2 Project Objective Study the system specifications with the goal of identifying any security vulnerability present in various functions/ processes documented. Report any discovered vulnerability along with any proposed solutions. Change the circle

3 Project Tasks Study of 802.16 (2004) Specifications
Discovery of security vulnerability (ies) (If practical) Simulation of vulnerability situation (s) Proposal of solution (s)

4 Vulnerabilities discovered
Initial Ranging based Denial-of-Service attack Service Interruption/ Denial-of-Service attack using TEK invalid message vulnerability Talk about outline

5 Initial Ranging based Denial-of-Service attack

6 What can an attacker do? If successful, the attacker can deny all Subscriber Stations, serviced by a BS within one of its sectors, entry into the network to send and receive user data

7 Network Entry and Synchronization

8 Initial ranging process
BS allocates contention-based initial ranging slots Entering SS waits for its transmission opportunity and sends range request BS evaluates ranging parameters and sends its response If all is well, SS moves onto the next step, else it continues the ranging process till it has fine tuned all parameters.

9 Frame Structure

10 Attack Procedure (1) Rogue SS adjusts its ranging parameters
Communication link between BS and its SS is brought down (e.g.: thru jamming) Rogue SS waits for contention-based initial ranging slot announcement by the BS Rogue SS sends a valid RNG-REQ message at every transmission opportunity of the initial ranging slot Talk about outline

11 Attack Procedure (2) 4.Normal SSs detect collision whenever they attempt to send their RNG-REQ and hence, back off each time 5.This continues until the normal SS has exhausted ranging attempts in all valid channels, in the end, reports MAC initialization error

12 Limitations of the Attack
Need to modify the MAC To ignore the requirements of exponential back-off algorithm and transmit data in each transmission opportunity Need tools for jamming Need to fine tune the parameters Much harder for OFDMA as it uses many ranging codes

13 Attack Detection Not straightforward
Need sophisticated detection mechanism based on data patterns from normal network behavior As with other detection schemes, may not be always accurate

14 Service Interruption/ Denial-of-Service attack using TEK invalid message vulnerability
Measuring the distance to landmarks, then estimate the distance between two nodes

15 What can an attacker do? If successful, the attacker can either severely disrupt communication between an SS and BS or totally deny the SS a chance to communicate with the BS.

16 Authorization State Machine of PKM protocol

17 TEK State Machine of PKM protocol

18 TEK invalid message properties
BS sends a TEK invalid message to an SS when it cannot decrypt an encrypted data frame sent by the SS TEK invalid is unsolicited TEK invalid is authenticated with the use of HMAC-Digest TEK invalid message content may not change for a given SA session when AK and CID do not change

19 State diagram for the attack

20 Limitations of the Attack
Capability to inject messages both in uplink and downlink. The messages injected should be capable of both overriding and corrupting valid messages coming from valid sources Spoof packets Can only attack one SS at a time

21 Attack Detection Stealthier than ranging based attack, hence harder to detect Need sophisticated detection mechanism based on data patterns from normal network behavior

22 Backup slides

23 OFDM frame structure Build virtual coordinates and define a special distance metric

24 OFDMA frame structure with ranging sub-channel

25 TEK invalid message structure
|AB| <= |AL| + |BL| L->C

Download ppt "Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs)"

Similar presentations

Nick Feamster CS 4251 Computer Networking II Spring 2008

Nick Feamster CS 4251 Computer Networking II Spring 2008
An Alternative Approach for Enhancing Security of WMANs using Physical Layer Encryption By Arpan Pal Wireless Group Center of Excellence for Embedded Systems.

An Alternative Approach for Enhancing Security of WMANs using Physical Layer Encryption By Arpan Pal Wireless Group Center of Excellence for Embedded Systems.
New NS-2 model developed for the IEEE 802.16 specifications is now publicly available. This model was developed as part of the Seamless and Secure Mobility.

New NS-2 model developed for the IEEE specifications is now publicly available. This model was developed as part of the Seamless and Secure Mobility.
A Centralized Scheduling Algorithm based on Multi-path Routing in WiMax Mesh Network Yang Cao, Zhimin Liu and Yi Yang International Conference on Wireless.

A Centralized Scheduling Algorithm based on Multi-path Routing in WiMax Mesh Network Yang Cao, Zhimin Liu and Yi Yang International Conference on Wireless.
Multiple Access Methods. When nodes or stations are connected and use a common link (cable or air), called a multipoint or broadcast link, we need a.

Multiple Access Methods. When nodes or stations are connected and use a common link (cable or air), called a multipoint or broadcast link, we need a.
12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.

1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.
MAC Protocols Media Access Control (who gets the use the channel) zContention-based yALOHA and Slotted ALOHA. yCSMA. yCSMA/CD. TDM and FDM are inefficient.

MAC Protocols Media Access Control (who gets the use the channel) zContention-based yALOHA and Slotted ALOHA. yCSMA. yCSMA/CD. TDM and FDM are inefficient.
Distributed systems Module 1 -Basic networking Teaching unit 1 – LAN standards Ernesto Damiani University of Bozen-Bolzano Lesson 4 – Ethernet frame.

Distributed systems Module 1 -Basic networking Teaching unit 1 – LAN standards Ernesto Damiani University of Bozen-Bolzano Lesson 4 – Ethernet frame.
Hidden Terminal based Attack, Diagnosis and Detection Yao Zhao, Leo Zhao, Yan Chen Lab for Internet & Security Tech, Northwestern Univ.

Hidden Terminal based Attack, Diagnosis and Detection Yao Zhao, Leo Zhao, Yan Chen Lab for Internet & Security Tech, Northwestern Univ.
1 Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL Z. Judy Fu Motorola Labs, Schaumburg IL Funded by.

1 Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL Z. Judy Fu Motorola Labs, Schaumburg IL Funded by.
Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu.

Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Lab for Internet and Security Technology Northwestern University, Evanston IL Z. Judy Fu.
Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic.

Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen and Hai Zhou Northwestern University, Evanston IL, USA Z. Judy Fu Motorola Labs, Schaumburg IL, USA Automatic.
ECE358: Computer Networks Spring 2012

ECE358: Computer Networks Spring 2012
Ad Hoc Wireless Routing COS 461: Computer Networks

Ad Hoc Wireless Routing COS 461: Computer Networks
802.16 Vulnerabilities Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs) Lab for Internet & Security Tech, Northwestern Univ.

Vulnerabilities Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs) Lab for Internet & Security Tech, Northwestern Univ.
CIS 725 Media Access Layer. Medium Access Control Sublayer MAC sublayer resides between physical and data link layer Broadcast/multiacess channels N independent.

CIS 725 Media Access Layer. Medium Access Control Sublayer MAC sublayer resides between physical and data link layer Broadcast/multiacess channels N independent.
1 IEEE 802.16 Wireless MAN Air Interface for Fixed Broadband Wireless Access Systems

1 IEEE Wireless MAN "Air Interface for Fixed Broadband Wireless Access Systems"
Wireless Medium Access. Multi-transmitter Interference Problem  Similar to multi-path or noise  Two transmitting stations will constructively/destructively.

Wireless Medium Access. Multi-transmitter Interference Problem  Similar to multi-path or noise  Two transmitting stations will constructively/destructively.
LECTURE9 NET301. DYNAMIC MAC PROTOCOL: CONTENTION PROTOCOL Carrier Sense Multiple Access (CSMA): A protocol in which a node verifies the absence of other.

LECTURE9 NET301. DYNAMIC MAC PROTOCOL: CONTENTION PROTOCOL Carrier Sense Multiple Access (CSMA): A protocol in which a node verifies the absence of other.

Similar presentations

Ads by Google