MIT researchers have devised a protocol to flummox man-in-the-middle attacks against wireless networks. The all-software solution lets wireless radios automatically pair without the use of passwords and without relying on out-of-band techniques such as infrared or video channels.
Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas.
TEP was devised by a quartet of MIT researchers: Shyamnath Gollakota, Nabeel Ahmed, Nickolaik Zeldovich and Dina Katabi, all with the Department of Electrical Engineering and Computer Science. Their research paper, "Secure in-band wireless pairing," was presented at the recent Usenix Security Symposium and MIT has its own story about the research online.
The group says TEP can be used to protect communications between devices, or between devices and base stations or access points, for any type of wireless connection.
Today, two wireless devices create a secure channel by swapping cryptographic keys, typically using what's known as the Diffie-Hellman Exchange. DHE is a cryptographic protocol designed to let two parties who don't know each other agree on a shared secret cryptographic key over an unsecured channel. Then, they use the key to encrypt their exchanges. (More on recent recognitions for Whitfield Diffie and Martin Hellman)
But Diffie-Hellman suffers from a well-known problem: An attacker inserts himself between the two parties and, for each one, pretends to be the other, sending each one his own Diffie-Hellman message. Both parties end up sharing their secret key with the attacker, who then has full access to the communications between them.
Passwords can be used to block such attacks, but there are problems. On public networks, users often have the same password. Other networks are protected with very weak passwords, or with none at all. Some use such standards as the Wi-Fi Alliance's Wi-Fi Protected Setup or Bluetooth's simple wireless pairing, a kind of push-button approach to secure connections. But these, too, are based on the Diffie-Hellman Exchange and remain vulnerable to the man-in-the-middle attack.
Another solution is to use "non-wireless" or out-of-band channels, such as audio or infrared, to authenticate and secure the channel. But these, the researchers say, can be costly and hard to adapt to small, resource-constrained wireless devices.
TEP begins by analyzing how an attacker mounts a man-in-the-middle exploit: In every case, the researchers say, the attack involves tampering with wireless messages. The researchers say they've identified these tampering techniques and can detect when they're being used. "Since we can [now] detect tampering, we can [now] trust messages which are untampered with," according to the group's Usenix presentation.
An attacker can tamper with a wireless message in three ways: by altering a message sent by one party to match his own Diffie-Hellman key; by hiding the fact that Party A has sent a message at all; and by blocking a message from being sent. TEP is designed to defang each of these tampering techniques.
It does this by compelling Party A to follow its message transmission with another: a pattern of energy "pulses" and "silences." Party A's wireless radio computes a hash of the original message, creating a sequence of ones and zeros. For each one, the radio sends a random packet; for each zero, it sends nothing -- it's silent. This combined pattern is unique to the original message.
If the attacker alters the contents of Party A's message, he, too, has to follow up with a new "silence pattern" that corresponds to the altered contents. But the two silence patterns will be different: The attacker "cannot generate silence" from Party A's "one bits." Party B can detect that difference and in effect refuse the connection offered by the attacker.
The second type of tampering is when a man-in-the-middle attacker hides Party A's transmission simply be sending its own packets and creating a collision with it. Party B sees this as a known and common event and ignores the attempted transmission by Party A.
TEP counters this by adding an unusually long, and random, synchronization packet to Party A's transmission. The packet length in effect causes it to "stand out" as not being a collision. Party B looks for these unusually long energy periods and treats them as an attempt by another party to pair with it. The attacker can't hide it by generating collisions, and if he sends his own long packet, Party B can detect it as an "unusual message."
The third tampering technique involves an attacker blocking transmissions by occupying continuously the radio channel, in effect, not giving Party A the chance to "talk" to Party B. TEP counters this by having Party A's radio time out after a known interval and transmit its message even if the channel is occupied.
"Thus we have a [transmit] message which can't be altered, hidden, or prevented without being detected at the receivers," say the MIT researchers.
But there's a potential flaw in this approach, as they note: TEP uses silent periods to authenticate communications. Other Wi-Fi devices listening on the channel would assume the silences mean the channel is open, and attempt their own transmission in keeping with the 802.11 protocol. To prevent this, TEP uses an optional mechanism in 802.11, called "clear to send" or CTS, which is a frame that reserves the channel for a given transmitter. Other Wi-Fi devices seeing the CTS frame would hold off on transmitting until Party A completes its hash transmission.
Having created this "tamper evident message," the MIT team created a protocol to implement it as part of setting up a secure wireless pairing between radios, riding on top of the push-button technique adopted via the Wi-Fi Alliance. Party A sends out a request message using the TEP primitive; Party B must reply using the same primitive within 120 seconds. If Party A receives only one reply in that time frame, and via TEP detects no tampering, the pairing goes forward.
But if an attacker tries to insert himself between the two parties, two things can happen to frustrate his attempt. First, Party A sees two replies to the original request, one from Party B and one from the attacker, and refuses to connect. Second, if the attacker tries to tamper with the Party B's reply message, TEP lets Party A detect the tampering and, again, refuse to connect.
The researchers streamlined this entire process of exchanging tamper-evident messages in order to set up a secure channel. They say that the hash and the longer synchronization packet add less than 23 milliseconds of overhead to the transmission.