Practical Verification of WPA-TKIP Vulnerabilities
The authors describe three attacks on the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). The first attack is a Denial of Service attack that can be executed by injecting only two frames every minute. The second attack demonstrates how fragmentation of 802.11 frames can be used to inject an arbitrary amount of packets, and they show that this can be used to perform a portscan on any client. The third attack enables an attacker to reset the internal state of the Michael algorithm. They show that this can be used to efficiently decrypt arbitrary packets sent towards a client. They also report on implementation vulnerabilities discovered in some wireless devices. Finally, they demonstrate that their attacks can be executed in realistic environments.