The attack was performed using 802.11 de-authentication messages. These were unicast messages sent from the (fake) STA to the AP. An AP would ignore this message unless it comes from a previously associated STA, and the way to identify the STA is with
the MAC address. The way to perform this attack is by "stealing" the source MAC address of an authenticated/associated STA (i.e. user) and send it to the target AP.
Both source and destination MAC addresses are relevant, as otherwise the message would be ignored.
I agree that ciphering/signing the state message would overcome the problem, and there are other wireless technologies that provide this feature.
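The two points made in this thread, that a legacy AP honours a deauthentication frame on the strength of the source MAC alone, and that a keyed integrity tag on state-change frames (as Phillip describes below) closes that gap, can be shown side by side. The following is an added example written for this page, not code from the list or from any IEEE document: it models the AP's acceptance decision over constructed 802.11 deauthentication frames. It assumes an HMAC-SHA256 tag truncated to 8 bytes as a stand-in for the AES-CMAC-based BIP that 802.11w actually uses, and the MAC addresses are locally-administered values made up for the example.

```python
"""Added example (not from the original thread): why a MAC address alone is
not an authenticator for 802.11 deauthentication, and how a per-STA keyed
integrity tag on the frame changes the AP's decision.

Simplifications (assumptions): HMAC-SHA256 truncated to MIC_LEN bytes stands
in for the 802.11w BIP/AES-CMAC tag; no replay counter is modelled.
"""
import hashlib
import hmac
import struct

DEAUTH_FC = 0xC0   # frame control low byte: type 0 (management), subtype 12 (deauth)
MIC_LEN = 8        # truncated tag length used in this model (assumption)
# 802.11 management header: frame control, duration, addr1, addr2, addr3, seq ctrl
HDR = struct.Struct("<HH6s6s6sH")


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def compute_mic(key, data):
    """Keyed integrity tag over the header and body (stand-in for BIP/CMAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]


def make_deauth(src, dst, bssid, reason=7, key=None):
    """Constructed test frame: addr1=receiver, addr2=transmitter, addr3=BSSID.
    If a key is supplied, an integrity tag is appended as a protected AP would
    require; without it, the frame is the plain legacy form."""
    hdr = HDR.pack(DEAUTH_FC, 0, mac_to_bytes(dst), mac_to_bytes(src),
                   mac_to_bytes(bssid), 0)
    frame = hdr + struct.pack("<H", reason)
    if key is not None:
        frame += compute_mic(key, frame)
    return frame


def parse_deauth(frame):
    """Split a deauth frame into addresses, reason code and trailing tag."""
    if len(frame) < HDR.size + 2:
        raise ValueError("frame too short for a deauthentication frame")
    fc, _dur, a1, a2, a3, _seq = HDR.unpack_from(frame, 0)
    if (fc & 0xFC) != DEAUTH_FC:          # ignore version bits and flags byte
        raise ValueError("not a deauthentication frame")
    reason = struct.unpack_from("<H", frame, HDR.size)[0]
    body_end = HDR.size + 2
    return {"dst": bytes_to_mac(a1), "src": bytes_to_mac(a2),
            "bssid": bytes_to_mac(a3), "reason": reason,
            "signed_part": frame[:body_end], "mic": frame[body_end:]}


def ap_accepts(frame, associated, keys, require_mic):
    """Model of the AP's decision.
    associated: set of STA MACs currently associated; keys: MAC -> per-STA key."""
    d = parse_deauth(frame)
    if d["src"] not in associated:
        return False                      # unknown STA: frame is ignored
    if not require_mic:
        return True                       # legacy: the source MAC is the only check
    key = keys.get(d["src"])
    if key is None or len(d["mic"]) != MIC_LEN:
        return False                      # no key negotiated or tag missing
    return hmac.compare_digest(d["mic"], compute_mic(key, d["signed_part"]))


def demo():
    """Same spoofed source MAC, two AP policies. Values are constructed."""
    ap = "02:00:00:00:aa:01"
    victim = "02:00:00:00:bb:02"
    key = b"\x11" * 16                    # key the genuine STA shares with the AP
    associated, keys = {victim}, {victim: key}
    genuine = make_deauth(victim, ap, ap, key=key)
    spoofed = make_deauth(victim, ap, ap)             # copied MAC, no key
    wrong_key = make_deauth(victim, ap, ap, key=b"\x22" * 16)
    return {
        "legacy_genuine": ap_accepts(genuine, associated, keys, False),
        "legacy_spoofed": ap_accepts(spoofed, associated, keys, False),
        "protected_genuine": ap_accepts(genuine, associated, keys, True),
        "protected_spoofed": ap_accepts(spoofed, associated, keys, True),
        "protected_wrong_key": ap_accepts(wrong_key, associated, keys, True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} accepted={accepted}")
```

The legacy policy accepts both the genuine and the copied-MAC frame, which is exactly the weakness the thread describes; with the tag required, only the frame produced with the negotiated key is honoured, and a frame from a MAC that was never associated is dropped under either policy.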
-----Original Message-----
Sent: Friday, October 03, 2014 3:06 PM
Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k
payment to resolve FCC investigation into Wi-Fi blocking
Agree. And no, Juan Carlos, I do not agree that "this is an issue that is in
scope for our SG and should be considered when making the threat
analysis." In that case, the attack was analyzing the content of messages to
find out access points, and the particular MAC used by these access points
was irrelevant.
There is a slightly related attack using the OUI in the MAC to derive device
type, and then selectively do something bad to a class of devices. That would
be in scope, I believe.
-----Original Message-----
Sent: Friday, October 3, 2014 11:58 AM
Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k
payment to resolve FCC investigation into Wi-Fi blocking
Hi,
I am in agreement with Phillip. While this particular regulatory/legal domain
settlement is interesting on its own, I don't see how this particular
"de-authentication frame attack" would be different if the system used
short-lived identifiers as opposed to long-lived identifiers. It is a security
issue as opposed to a privacy issue. And in this case layer 8 of the stack is
doing the enforcement instead of our technical protocols.
Regards,
-James
On Fri, Oct 3, 2014 at 2:33 PM, Phillip Barber
> It is a common problem in wireless networks that permit
> non-authenticated state change messaging (for stateful technologies).
> Most modern wireless networking technologies overcome this problem by
> requiring either ciphering of state change messaging or at the very
> least authenticated signatures on state change messaging (hash of CMAC
> or HMAC digest, for instance).
>
> I would consider this more of a security issue than a privacy issue.
> The attacker may have no interest in the specific identity of a true
> user, only the need to sniff traffic out of the air and be able to
> identify a consistent identity of the true user such that the attacker
> can create a bogus state change message. I am not sure that privacy
> could or should attempt to address this problem. Security, certainly.
>
> Thanks,
> Phillip Barber
>
> Sent: Friday, October 03, 2014 1:05 PM
> Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k
> payment to resolve FCC investigation into Wi-Fi blocking
>
> I used to work at a wireless mesh company that was putting up a free
> mesh network in Mountain View, CA. We received complaints about trouble
> getting on the network when people were in a certain public park. After
> much investigation it turned out that a company across the street from
> the park did not want their employees to connect to the free mesh
> network and set their APs to disassociate anyone that tried to associate
> to it— it was the "attack rogue AP" option. They apparently thought this
> would only affect people in their building but it actually affected a
> large portion of the park itself.
>
> Sounds like what Marriott was doing. And I'm sure Marriott thought
> it was a feature.
>
> Dan.
>
> On 10/3/14 10:35 AM, "Zuniga, Juan Carlos"
>
> FYI, another misuse of long-lived identifiers. In this case, the
> Privacy Threat is the use of MAC addresses to impersonate users and
> send the wrong packets to the network:
>
> “After conducting an investigation, the Enforcement Bureau found that
> employees of Marriott, which has managed the day-to-day operations of
> the Gaylord Opryland since 2012, had used features of a Wi-Fi
> monitoring system at the Gaylord Opryland to contain and/or
> de-authenticate guest-created Wi-Fi hotspot access points in the
> conference facilities. In some cases, employees sent
> de-authentication packets to the targeted access points, which would
> dissociate consumers’ devices from their own Wi-Fi hotspot access
> points and, thus, disrupt consumers’ current Wi-Fi transmissions and
> prevent future transmissions”
>
> Regards,
>
> Juan Carlos
>
> On Behalf Of John H Notor
> Sent: Friday, October 03, 2014 12:09 PM
> To: 802_EC; RR-TAG; REG_SC
> Subject: [802SEC] Marriott agrees to $600k payment to resolve FCC
> investigation into Wi-Fi blocking
>
> FYI,
>
> MARRIOTT TO PAY $600,000 TO RESOLVE WIFI-BLOCKING INVESTIGATION. Hotel
> Operator Admits Employees Improperly Used Wi-Fi Monitoring System to
> Block Mobile Hotspots; Agrees to Three-Year Compliance Plan. News Release.
> Adopted: 10/03/2014. News Media Contact: Neil Grace at (202)
>
> John
>
> John Notor
> President/Chief Technologist
> Notor Research
>
> Mobile: 1.408.316.8312
>
> Web: www.notor.com
>
> ---------- This email is sent from the 802 Executive Committee email
> reflector. This list is maintained by Listserv.
--
James Lepp
Standards Manager
BlackBerry Limited
1001 Farrar Road - Ottawa - Canada