Page 1: 802.16 Vulnerabilities

Prasad Narayana, Yao Zhao, Yan Chen, Judy Fu (Motorola Labs)

Lab for Internet & Security Tech, Northwestern Univ.

Page 2: Project Objective

• Study the 802.16 system specifications with the goal of identifying any security vulnerability present in the various functions/processes documented.

• Report any discovered vulnerability along with any proposed solutions.

Page 3: Project Tasks

• Study of the 802.16 (2004) specifications

• Discovery of security vulnerability(ies)

• (If practical) simulation of vulnerability situation(s)

• Proposal of solution(s)

Page 4: Vulnerabilities discovered

• Initial Ranging based Denial-of-Service attack

• Service Interruption/Denial-of-Service attack using the TEK invalid message vulnerability

Page 5: Initial Ranging based Denial-of-Service attack

Page 6: What can an attacker do?

If successful, the attacker can deny every Subscriber Station (SS) served by a Base Station (BS) in one of its sectors entry into the network, so that none of them can send or receive user data.

Page 7: Network Entry and Synchronization (figure)

Page 8: Initial ranging process

• BS allocates contention-based initial ranging slots

• Entering SS waits for its transmission opportunity and sends a ranging request (RNG-REQ)

• BS evaluates the ranging parameters and sends its response (RNG-RSP)

• If all is well, the SS moves on to the next step; otherwise it continues the ranging process until it has fine-tuned all parameters.

Page 9: Frame Structure (figure)

Figure labels: DL subframe; contention-based initial ranging slot; UL PHY PDU from SS1; UL PHY PDU from SS2.

Page 10: Attack Procedure (1)

1. Rogue SS adjusts its ranging parameters

2. Communication link between the BS and its SSs is brought down (e.g., through jamming), so that the SSs must range again to re-enter the network

3. Rogue SS waits for the BS to announce the contention-based initial ranging slot

4. Rogue SS sends a valid RNG-REQ message at every transmission opportunity of the initial ranging slot

Page 11: Attack Procedure (2)

5. Normal SSs detect a collision whenever they attempt to send their RNG-REQ and hence back off each time

6. This continues until a normal SS has exhausted its ranging attempts on all valid channels; in the end it reports a MAC initialization error

Page 12: Limitations of the Attack

• Need to modify the MAC
  – To ignore the requirements of the exponential back-off algorithm and transmit in each transmission opportunity

• Need tools for jamming

• Need to fine tune the parameters

• Much harder for OFDMA as it uses many ranging codes
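As an added example (my code, not the authors' simulator and not taken from the slides), the following Python model plays out the attack procedure of Pages 10 and 11 with the two points from the limitations slide built in: a rogue MAC that ignores exponential back-off and fires in every opportunity, and a switch between OFDM-style ranging (one RNG-REQ per opportunity, any overlap collides) and OFDMA ranging codes, where the rogue only collides with stations that chose the same code. The back-off exponents, retry count, channel count and opportunities per frame are assumed values, not taken from the slides or from any real UCD; jamming of the existing link (step 2) is outside the model.

```python
"""Contention-based initial ranging under a rogue SS (constructed simulation)."""
import random
from collections import Counter
from dataclasses import dataclass

# Assumed contention parameters; on a real link the BS advertises them in the UCD.
BACKOFF_START = 2         # initial window 2**2 = 4 opportunities
BACKOFF_END = 6           # window never grows past 2**6 = 64 opportunities
RETRIES_PER_CHANNEL = 16  # RNG-REQ attempts before the SS moves to the next channel
CHANNELS = 3              # valid DL channels the SS scans before giving up
OPPS_PER_FRAME = 8        # initial ranging opportunities the BS allocates per frame


@dataclass
class NormalSS:
    """Standards-conforming SS: truncated binary exponential back-off on every collision."""
    rng: random.Random
    exp: int = BACKOFF_START
    defer: int = 0
    retries: int = 0
    channel: int = 0
    state: str = "ranging"   # ranging | ranged | mac_init_error

    def __post_init__(self):
        self.defer = self.rng.randrange(2 ** self.exp)

    def on_collision(self):
        self.retries += 1
        if self.retries > RETRIES_PER_CHANNEL:
            self.channel += 1
            if self.channel >= CHANNELS:
                self.state = "mac_init_error"   # all valid channels exhausted
                return
            self.retries, self.exp = 0, BACKOFF_START
        else:
            self.exp = min(self.exp + 1, BACKOFF_END)
        self.defer = self.rng.randrange(2 ** self.exp)


def simulate(n_normal, rogue, n_codes=1, rogue_codes=1, frames=1000, seed=1):
    """Run the ranging contention and return a Counter of final SS states.

    n_codes=1 models OFDM (one RNG-REQ per opportunity, any overlap is a collision);
    n_codes>1 models OFDMA ranging codes, where only same-code overlaps collide and
    the rogue must spend `rogue_codes` codes per opportunity to cover them."""
    rng = random.Random(seed)
    stations = [NormalSS(rng) for _ in range(n_normal)]
    for _ in range(frames):
        for _ in range(OPPS_PER_FRAME):
            active = [s for s in stations if s.state == "ranging"]
            if not active:
                return Counter(s.state for s in stations)
            tx = []   # (station, ranging code) pairs transmitting in this opportunity
            for s in active:
                if s.defer == 0:
                    tx.append((s, rng.randrange(n_codes)))
                else:
                    s.defer -= 1
            if rogue:
                # Rogue MAC ignores back-off and fires in every opportunity (Page 12).
                for code in rng.sample(range(n_codes), min(rogue_codes, n_codes)):
                    tx.append((None, code))
            per_code = Counter(code for _, code in tx)
            for s, code in tx:
                if s is None:
                    continue
                if per_code[code] == 1:
                    s.state = "ranged"    # BS decodes the RNG-REQ and answers with RNG-RSP
                else:
                    s.on_collision()      # no RNG-RSP: treated as a collision, back off
    return Counter(s.state for s in stations)


if __name__ == "__main__":
    scenarios = [
        ("OFDM, no rogue", dict(rogue=False)),
        ("OFDM, rogue in every opportunity", dict(rogue=True)),
        ("OFDMA 64 codes, rogue covers 1 code", dict(rogue=True, n_codes=64)),
        ("OFDMA 64 codes, rogue covers all codes", dict(rogue=True, n_codes=64, rogue_codes=64)),
    ]
    for label, kw in scenarios:
        print(f"{label}: {dict(simulate(10, **kw))}")
```

With a single ranging code (OFDM) every normal SS ends in the MAC initialization error state, because each of its RNG-REQ attempts overlaps the rogue's. With 64 ranging codes and a rogue that can only cover one code per opportunity, the same stations all range successfully, which is the "much harder for OFDMA" point; the rogue only wins again if it can transmit every code at once.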

Page 13: Attack Detection

• Not straightforward

• Needs a sophisticated detection mechanism based on data patterns from normal network behavior

• As with other detection schemes, it may not always be accurate

Page 14: Service Interruption/Denial-of-Service attack using the TEK invalid message vulnerability

Page 15: What can an attacker do?

If successful, the attacker can either severely disrupt communication between an SS and its BS or deny the SS any chance to communicate with the BS at all.

Page 16: Authorization State Machine of PKM protocol (figure)

Page 17: TEK State Machine of PKM protocol (figure)

Page 18: TEK invalid message properties

• BS sends a TEK invalid message to an SS when it cannot decrypt an encrypted data frame sent by the SS

• TEK invalid is unsolicited

• TEK invalid is authenticated with the use of an HMAC-Digest

• TEK invalid message content may not change for a given SA session when the AK and CID do not change, so a copy captured once still carries a valid HMAC-Digest when it is replayed later in the same session

Page 19: State diagram for the attack (figure)

Figure labels: states Operational, Op Wait, Rekey Wait, Op Reauth Wait, Auth Pend; transitions labelled "TEK invalid / Key Request" (leaving Operational and leaving Rekey Wait), "Key Reply", and "Timeout / Key Request".
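Added example, not code from the slides: a Python model of the TEK invalid properties on Page 18 and the "TEK invalid / Key Request" transitions in the diagram above, with a 2004-style receiver beside a hardened one. The PKM message codes, the HMAC_KEY_D derivation and the Operational and Rekey Wait to Op Wait transitions follow my reading of 802.16-2004 and should be checked against the spec; the attribute encoding is simplified (the spec uses TLVs), the AK, SAID and error code are constructed, and the `counter` field in the hardened receiver is a hypothetical freshness extension that the 2004 message does not carry.

```python
"""TEK Invalid replay against the SS-side TEK state machine (constructed example)."""
import hashlib
import hmac
import os
import struct

# PKM message codes as I read 802.16-2004 Table 24 (assumption: verify against the spec).
KEY_REQUEST = 7
TEK_INVALID = 11
# Simplified attribute layout (the spec uses TLVs): code, PKM identifier,
# AK sequence number, SAID, error code.
HDR = "!BBBHB"
HDR_LEN = struct.calcsize(HDR)
DIGEST_LEN = 20  # HMAC-SHA1


def hmac_key_d(ak):
    """Downlink HMAC key, modelled on HMAC_KEY_D = SHA-1(AK | 0^44 | 0x3A) (assumption)."""
    return hashlib.sha1(ak + b"\x00" * 44 + b"\x3a").digest()


def build_tek_invalid(ak, pkm_id, ak_seq, said, error_code, counter=None):
    """Serialise a TEK Invalid message and append its HMAC-Digest.

    With the same AK and fields the bytes are identical every time, which is the
    property the attack relies on. `counter` is a hypothetical freshness field that
    the 2004 message does not carry; when given it is covered by the HMAC."""
    body = struct.pack(HDR, TEK_INVALID, pkm_id, ak_seq, said, error_code)
    if counter is not None:
        body += struct.pack("!I", counter)
    return body + hmac.new(hmac_key_d(ak), body, hashlib.sha1).digest()


class TekFsm:
    """Subset of the PKM TEK FSM for one SA on the SS: Operational, Op Wait, Rekey Wait."""

    def __init__(self, ak, said, replay_protected=False):
        self.ak, self.said = ak, said
        self.state = "Operational"
        self.replay_protected = replay_protected
        self.last_counter = -1
        self.key_requests = 0

    def can_send_data(self):
        # Only Operational and Rekey Wait hold a usable TEK; in Op Wait user data stops.
        return self.state in ("Operational", "Rekey Wait")

    def receive_tek_invalid(self, msg):
        body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
        expected = hmac.new(hmac_key_d(self.ak), body, hashlib.sha1).digest()
        if not hmac.compare_digest(digest, expected):
            return "dropped: bad HMAC"
        code, _pkm_id, _ak_seq, said, _err = struct.unpack(HDR, body[:HDR_LEN])
        if code != TEK_INVALID or said != self.said:
            return "ignored"
        if self.replay_protected:
            # Hardened variant: the HMAC proves who sent the message, not when, so
            # insist on a strictly increasing counter inside the authenticated body.
            if len(body) < HDR_LEN + 4:
                return "dropped: no counter"
            (counter,) = struct.unpack("!I", body[HDR_LEN:HDR_LEN + 4])
            if counter <= self.last_counter:
                return "dropped: replay"
            self.last_counter = counter
        if self.state in ("Operational", "Rekey Wait"):
            # "TEK invalid / Key Request" edge from the state diagram
            self.state = "Op Wait"
            self.key_requests += 1
        return self.state

    def receive_key_reply(self):
        # A Key Reply carrying fresh TEKs takes the FSM back to Operational.
        if self.state == "Op Wait":
            self.state = "Operational"
        return self.state


def run_attack(replay_protected):
    """One genuine TEK Invalid, recovery via Key Reply, then a replay of the captured bytes."""
    ak = os.urandom(20)   # AK shared by BS and SS (constructed)
    said = 0x0101         # SAID of the attacked SA (constructed)
    ss = TekFsm(ak, said, replay_protected)
    counter = 1 if replay_protected else None
    genuine = build_tek_invalid(ak, pkm_id=0, ak_seq=1, said=said, error_code=4, counter=counter)
    log = [ss.receive_tek_invalid(genuine)]      # BS really failed to decrypt a frame
    log.append(ss.receive_key_reply())           # BS answers the resulting Key Request
    log.append(ss.receive_tek_invalid(genuine))  # attacker replays the same downlink bytes
    return {"log": log, "state": ss.state,
            "key_requests": ss.key_requests, "data_ok": ss.can_send_data()}


if __name__ == "__main__":
    print("2004 receiver:", run_attack(False))
    print("with freshness counter:", run_attack(True))
```

The 2004-style receiver verifies the replayed digest, drops back to Op Wait and sends another Key Request, so user data stops until a Key Reply arrives; repeating the replay, and corrupting the Key Reply as the limitations slide requires, turns the interruption into a denial of service. The hardened receiver rejects the identical bytes because the counter does not advance. Checking the HMAC with `hmac.compare_digest` rather than `==` is the usual constant-time comparison and is not part of the attack.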

Page 20: Limitations of the Attack

• Capability to inject messages in both the uplink and the downlink
  – The injected messages must be able to override and corrupt valid messages coming from valid sources

• Spoof packets

• Can only attack one SS at a time

Page 21: Attack Detection

• Stealthier than the ranging-based attack, hence harder to detect

• Needs a sophisticated detection mechanism based on data patterns from normal network behavior
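Both detection slides (Page 13 and Page 21) leave the "data patterns from normal network behavior" mechanism unspecified. As an added illustration (my code, not the authors'), here is one baseline-driven detector applied to a constructed signal for each attack: the fraction of initial-ranging opportunities that are busy per frame, which a rogue firing in every opportunity drives to 100%, and the number of Key Requests per SS per window, which replayed TEK invalid messages inflate because the BS never solicited them. The BS counters, the log format, the window size and the three-sigma threshold are all assumptions; as the slides say, a scheme like this can misfire, and a flat baseline in particular is handled here with a floor on the standard deviation.

```python
"""Baseline anomaly detection for the two attacks (constructed example)."""
import re
from collections import Counter
from statistics import mean, pstdev


class BaselineDetector:
    """Flags an observation more than `k` standard deviations above the baseline mean."""

    def __init__(self, baseline, k=3.0, sd_floor=0.05):
        self.mu = mean(baseline)
        # The floor keeps a nearly flat baseline from turning ordinary jitter into alerts.
        self.sd = max(pstdev(baseline), sd_floor)
        self.k = k

    def is_anomalous(self, value):
        return (value - self.mu) / self.sd > self.k


# --- Ranging attack: BS-side counters per frame for one sector (constructed) ---
# (initial ranging opportunities allocated, RNG-REQ decoded, opportunities with
# energy but no decodable RNG-REQ, i.e. collisions)
NORMAL_FRAMES = [(8, 1, 0), (8, 0, 0), (8, 2, 1), (8, 1, 0), (8, 0, 1),
                 (8, 1, 0), (8, 0, 0), (8, 2, 0), (8, 1, 1), (8, 0, 0)]
# A rogue SS firing in every opportunity leaves none idle: each one either decodes
# (the rogue's own RNG-REQ) or collides with a legitimate SS.
ATTACK_FRAMES = [(8, 5, 3), (8, 6, 2), (8, 4, 4), (8, 7, 1)]


def busy_fraction(frame):
    opps, decoded, collided = frame
    return (decoded + collided) / opps


def ranging_alerts(frames, baseline=NORMAL_FRAMES):
    """Indices of frames whose ranging-region occupancy is far above the baseline."""
    det = BaselineDetector([busy_fraction(f) for f in baseline])
    return [i for i, f in enumerate(frames) if det.is_anomalous(busy_fraction(f))]


# --- TEK invalid attack: uplink PKM log kept by the BS (constructed format) ---
PKM_LOG = """\
t=0003 ss=00:1a:2b:00:00:01 msg=Key-Request said=0x0101
t=0040 ss=00:1a:2b:00:00:02 msg=Key-Request said=0x0102
t=0611 ss=00:1a:2b:00:00:01 msg=Key-Request said=0x0101
t=0612 ss=00:1a:2b:00:00:01 msg=Key-Request said=0x0101
t=0613 ss=00:1a:2b:00:00:01 msg=Key-Request said=0x0101
t=0615 ss=00:1a:2b:00:00:01 msg=Key-Request said=0x0101
t=0640 ss=00:1a:2b:00:00:02 msg=Key-Request said=0x0102
"""
LOG_RE = re.compile(r"t=(\d+) ss=(\S+) msg=(\S+)")


def key_request_alerts(log, window=600, baseline=(1, 1, 0, 1, 1, 0, 1, 1)):
    """(ss, window) pairs whose Key Request count is far above the per-window baseline.

    An SS normally issues about one Key Request per SA when its TEK lifetime runs
    down; replayed TEK invalid messages force extra Key Requests the BS never asked for."""
    counts = Counter()
    for m in LOG_RE.finditer(log):
        t, ss, msg = int(m.group(1)), m.group(2), m.group(3)
        if msg == "Key-Request":
            counts[(ss, t // window)] += 1
    det = BaselineDetector(list(baseline))
    return sorted(key for key, n in counts.items() if det.is_anomalous(n))


if __name__ == "__main__":
    print("ranging frames flagged:", ranging_alerts(ATTACK_FRAMES))
    print("key request windows flagged:", key_request_alerts(PKM_LOG))
```

Both signals are visible at the BS without any change to the SS, which matters because the attacked SSs are the ones that cannot speak. The per-SS Key Request count is the weaker of the two: a replay at rekeying time looks like an ordinary rekey, which is why the slides call the TEK invalid attack the stealthier one.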

Page 22: Backup slides

Page 23: OFDM frame structure (figure)

Page 24: OFDMA frame structure with ranging sub-channel (figure)

Page 25: TEK invalid message structure (figure)