Skip Links

MIT researchers craft defense against wireless man-in-middle attacks

Protocol can detect message tampering essential to these exploits

By , Network World
August 24, 2011 05:35 PM ET

Network World - MIT researchers have devised a protocol to flummox man-in-the-middle attacks against wireless networks. The all-software solution lets wireless radios automatically pair without the use of passwords and without relying on out-of-band techniques such as infrared or video channels.

Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas.

MORE RESEARCH: With SSL, who can you really trust?

TEP was devised by a quartet of MIT researchers: Shyamnath Gollakota, Nabeel Ahmed, Nickolaik Zeldovich and Dina Katabi, all with the Department of Electrical Engineering and Computer Science. Their research paper, "Secure in-band wireless pairing," was presented at the recent Usenix Security Symposium and MIT has its own story about the research online

The group says TEP can be used to protect communications between devices, or between devices and base stations or access points, for any type of wireless connection.

Today, two wireless devices create a secure channel by swapping cryptographic keys, typically using what's known as the Diffie-Hellman Exchange. DHE is a cryptographic protocol designed to let two parties who don't know each other agree on a shared secret cryptographic key over an unsecured channel. Then, they use the key to encrypt their exchanges. (More on recent recognitions for Whitfield Diffie and Martin Hellman)

But Diffie-Hellman suffers from a well-known problem: An attacker inserts himself between the two parties and, for each one, pretends to be the other, sending each one his own Diffie-Hellman message. Both parties end up sharing their secret key with the attacker, who then has full access to the communications between them.

Passwords can be used to block such attacks, but there are problems. On public networks, users often have the same password. Other networks are protected with very weak passwords, or with none at all. Some use such standards as the Wi-Fi Alliance's Wi-Fi Protected Setup or Bluetooth's simple wireless pairing, a kind of push-button approach to secure connections. But these, too, are based on the Diffie-Hellman Exchange and remain vulnerable to the man-in-the-middle attack.

Another solution is to use "non-wireless" or out-of-band channels, such as audio or infrared, to authenticate and secure the channel. But these, the researchers say, can be costly and hard to adapt to small, resource-constrained wireless devices.

TEP begins by analyzing how an attacker mounts a man-in-the-middle exploit: In every case, the researchers say, the attack involves tampering with wireless messages. The researchers say they've identified these tampering techniques and can detect when they're being used. "Since we can [now] detect tampering, we can [now] trust messages which are untampered with," according to the group's Usenix presentation.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News