Protected Management Frames enhance Wi-Fi® network security
February 25, 2020 by Philipp Ebbecke
Have you ever asked yourself if very long and complex passwords are sufficient to secure your personal Wi-Fi® network? Or if enterprise networks with 802.1X authentication can be enhanced any further? In both cases, the security of the network can be improved by the use of Protected Management Frames.
Wi-Fi uses three different frame categories: Management, Control, and Data. Management frames such as authentication, de-authentication, association, disassociation, beacon, and probe frames are used by wireless clients to find and connect to the right Wi-Fi network and to manage the client connection after a successful association. Without the Protected Management Frames feature, all management frames are sent unprotected in the open. Transmitting open frames makes connections vulnerable to attack. Protected Management Frames is a feature currently included in several Wi-Fi CERTIFIED™ programs that, when enabled, provides integrity protection for both unicast and broadcast management frames, and also encrypts unicast management frames in the same way as data to provide confidentiality. Based on the IEEE 802.11w amendment, Protected Management Frames utilizes the Security Association teardown protection mechanism already in place for encrypted data frames and therefore improves the resiliency of a Wi-Fi network.
Defense mechanisms enabled through Protected Management Frames
Protected Management Frames are designed to prohibit attacks such as disconnect, honeypot, and evil twin attacks. Device vendors should ensure Protected Management Frames are activated automatically.
One of the most prominent attacks on Wi-Fi networks is the injection of De-authentication/Disassociation frames to disconnect one or more clients from the network. As long as an attacker is able to retrieve the MAC address of an Access Point (AP) and the Basic Service Set Identifier (BSSID) of a network, the attacker can spoof the AP and send out broadcast management frames telling all clients that the AP will terminate their connection. With the additional information of a connected client's MAC address, the attacker can terminate that specific client's connection.
Since MAC addresses and BSSIDs can be obtained easily by sniffing packets on a Wi-Fi channel, this attack is (with Protected Management Frames disabled or not available) easy to execute. Some tools even offer automated ways to terminate active connections in range of the attack tool, and so make it easy to perform a Denial of Service (DoS) attack. From an end-user perspective, this results in an unstable connection or no connection at all, and might also cause the client to blacklist the spoofed AP (or the whole network) for an extended period.
In addition to a DoS attack, this approach can also be used to facilitate other types of attacks on a network. For example, while WPA3-Personal already incorporates Protected Management Frames and provides resistance against offline dictionary attacks on the passphrase, many deployments and devices still rely on WPA2-Personal. Against those networks and devices, disconnect attacks can be used to speed up offline dictionary attacks. The attack is performed for just a short period of time, interrupting the connection and forcing the clients to reconnect to the network. The attacker can then capture the authentication frames exchanged during the forced reconnections to execute a dictionary attack on the passphrase.
Protected Management Frames enforce the encryption of disconnection frames, which enables APs and clients to detect forged disconnect frames and ignore them. Furthermore, if an AP reports the detection of attempted forged frames to a network monitoring tool, the network operator can be notified to quickly expose the attacker.
Honeypot and Evil Twin Attacks
For open (unauthenticated) networks, a more sophisticated attack involves the use of a so-called honeypot or evil twin AP that is operated by an attacker. In this attack scenario, the client(s) are manipulated to move away from the AP they are currently connected to and instead join the attacker’s honeypot. One way to achieve this is to send out a forged Channel Switch Announcement directed to a client, with the operating channel of the honeypot announced in the body of the frame. The client will then look for an AP on the announced channel and might join the honeypot, since it announces the same network as the valid APs. Another possible way is to forge BSS Transition Management Requests naming the honeypot as the new connection target. In both cases, the attacker can become a so-called man-in-the-middle, able to decrypt/read and manipulate data transferred between the client and the network.
In the same way as for the disconnect attacks, Protected Management Frames enforce the encryption of management frames like Channel Switch Announcements and BSS Transition Management Requests, which enables APs and clients to detect, report, and ignore forged frames. This way clients stay connected to the desired APs.
To leverage Protected Management Frames, both the AP and the client need to be capable of using it and it must be activated for each encrypted Wi-Fi network of the AP. If that is the case, Protected Management Frames are automatically invoked during client association. No end-user interaction is required and from then on, management frames dealing with the client connection are encrypted.
Thanks to Wi-Fi Alliance making this feature a prerequisite for a broad range of certifications, mainstream devices of today support Protected Management Frames. It is a fundamental component and therefore required to always be used for Wi-Fi CERTIFIED WPA3™ and Wi-Fi CERTIFIED Enhanced Open™ networks. As of July 2020, WPA3™ will be mandatory for all Wi-Fi CERTIFIED devices. At this time, all certified devices will also support Protected Management Frames, including devices equipped with Wi-Fi CERTIFIED 6™, Wi-Fi CERTIFIED™ ac, Wi-Fi CERTIFIED Passpoint®, Wi-Fi CERTIFIED Agile Multiband™ and Wi-Fi CERTIFIED Optimized Connectivity™.
Three different configuration options exist for Protected Management Frames. They are listed and explained in detail below:
- Disable: Disables PMF for a network. This setting is not recommended and should only be used if non-PMF-capable clients experience connection issues with the “Capable” option.
- Capable: This should be the default option for an encrypted Wi-Fi network based on WPA2. By selecting this option, both types of clients, capable of PMF or not, can connect to the network. Clients capable of PMF will negotiate it with the AP.
- Mandatory: Only PMF-capable clients can connect to the network, which makes this the safest option. WPA3-Personal only mode and WPA3-Enterprise with 192-bit security mode activate this option as default.
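The three options above, and the forged-disconnect handling described earlier, come down to two bits in the RSN Capabilities field that AP and client exchange during association. The following is an added example, not code from Wi-Fi Alliance or from any vendor, that models the negotiation and the resulting disconnect-frame policy; the mapping of the page's three settings to MFPC/MFPR and the hostapd/wpa_supplicant `ieee80211w` values is from IEEE 802.11, while the dict returned by `negotiate` is this example's own convention.

```python
# Added example: PMF option -> RSN Capabilities bits -> association outcome.
MFPR = 1 << 6   # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7   # RSN Capabilities bit 7: Management Frame Protection Capable

# The page's three settings expressed as RSN Capabilities bits. hostapd and
# wpa_supplicant expose the same three settings as ieee80211w=0 / 1 / 2.
PMF_OPTIONS = {
    "disable":   0,             # ieee80211w=0
    "capable":   MFPC,          # ieee80211w=1 (recommended default for WPA2)
    "mandatory": MFPC | MFPR,   # ieee80211w=2 (default for WPA3)
}

def rsn_caps(option: str) -> bytes:
    """RSN Capabilities field (2 octets, little-endian) for a PMF option."""
    return PMF_OPTIONS[option].to_bytes(2, "little")

def negotiate(ap_caps: bytes, sta_caps: bytes) -> dict:
    """Decide whether association is allowed and whether PMF will be in force.
    'status' carries the 802.11 status code an AP sends when it refuses
    (31 = robust management frame policy violation), else None."""
    ap = int.from_bytes(ap_caps, "little")
    sta = int.from_bytes(sta_caps, "little")
    for side in (ap, sta):
        if side & MFPR and not side & MFPC:
            raise ValueError("MFPR without MFPC is not a valid RSN capability")
    if ap & MFPR and not sta & MFPC:      # "Mandatory" AP, non-PMF client
        return {"associate": False, "pmf": False, "status": 31}
    if sta & MFPR and not ap & MFPC:      # client requires PMF, AP has it disabled
        return {"associate": False, "pmf": False, "status": None}
    pmf = bool(ap & MFPC and sta & MFPC)  # both capable -> PMF is negotiated
    return {"associate": True, "pmf": pmf, "status": None}

def accept_disconnect(pmf_negotiated: bool, frame_protected: bool) -> bool:
    """Deauth/Disassoc handling on an existing connection. With PMF in force
    an unprotected disconnect frame cannot be genuine and is dropped (and is
    worth reporting to monitoring); without PMF the receiver must honor it."""
    return frame_protected if pmf_negotiated else True

if __name__ == "__main__":
    for ap in PMF_OPTIONS:
        for sta in PMF_OPTIONS:
            print(f"AP={ap:9} client={sta:9} -> {negotiate(rsn_caps(ap), rsn_caps(sta))}")
```

Running the block prints the full 3x3 matrix of AP setting versus client setting, which is the quickest way to see why “Capable” keeps legacy clients connected while “Mandatory” refuses them.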
Solving another piece of the security puzzle
Protected Management Frames are another piece of the puzzle of a secure Wi-Fi network. They can prevent most of today's attacks that disconnect clients or steer them to APs under an attacker’s control. Vendors need to make sure that devices, especially those certified for the Wi-Fi Alliance programs mentioned above, activate Protected Management Frames automatically. Network operators and end-users should look out for Wi-Fi CERTIFIED products to ensure Protected Management Frames are supported. Network operators in particular should ensure that Protected Management Frames are enabled on their networks, as implementations are mature these days. By deploying Protected Management Frames, we can get rid of simple and well-known disconnect and steering attacks through modern, secure Wi-Fi networks.
- What does “security” mean in the context of Wi-Fi?
In the context of Wi-Fi technology, security means two things. First, controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view.
Wi-Fi security is just one aspect of security for networks. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (antivirus software, firewall, etc.) and your communications across the internet (a virtual private network (VPN), etc.).
- What is the KRACK attack?
This term refers to a potential key reinstallation vulnerability detected in late 2017. Wi-Fi Alliance took steps immediately to ensure users can continue to count on Wi-Fi to deliver strong security protections. For more information on this issue view our security update.
- What are Protected Management Frames?
Wi-Fi CERTIFIED WPA2™ with Protected Management Frames and Wi-Fi CERTIFIED WPA3™ provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED™ ac, WPA3™, Passpoint®, Wi-Fi Agile Multiband™ and Wi-Fi Optimized Connectivity™ devices require Protected Management Frames. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.
- Are Wi-Fi CERTIFIED products protected by security?
Yes. All Wi-Fi CERTIFIED products are tested for WPA2 or WPA3. The only way to be sure that a product meets the latest security standards is to purchase only Wi-Fi CERTIFIED products.
- What security measures should I take when working away from my home?
Configure Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) to enable security protections.
Configure for approved connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Wi-Fi Alliance recommends that you configure your device to not automatically connect to an open network without your approval.
Disable sharing: Wi-Fi enabled devices may automatically enable themselves to sharing / connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but this should be avoided in a public network such as a hotel, restaurant, or airport hotspot.
Users may also wish to use complementary security measures to improve the security of their activity over the internet including virtual private networks (VPNs), firewalls, etc.
- What are “legacy protocols”?
Legacy protocols are earlier generations of Wi-Fi security that have been updated or replaced over time as the security landscape changed. The original security standard was Wired Equivalent Privacy (WEP). It was replaced by the original Wi-Fi Protected Access (WPA) in 2003 as an interim solution to the limited protection offered by WEP. The WPA program added support for Temporal Key Integrity Protocol (TKIP) encryption, an older form of security technology with some vulnerability to cryptographic attacks. WPA was replaced in 2004 with the more advanced protocols of WPA2.
Though the threat of a security compromise is small, users should not purchase new equipment which supports only WPA with TKIP. Only devices supporting WPA2 and WPA3 security should be purchased and used.
- How does a user turn on WMM-Power Save?
If implemented correctly, WMM-Power Save will activate automatically when a Wi-Fi CERTIFIED™ for WMM-Power Save client device is communicating with a Wi-Fi CERTIFIED™ for WMM-Power Save access point. There is no action needed from a user.
Philipp has 10 years of work experience with Wi-Fi. He started his career in the Quality Management department of LANCOM Systems, designing and executing hardware and software tests of Access Points. His current role includes participation in various Wi-Fi Alliance task groups to monitor the future paths of the industry and representing LANCOM as the technical lead for Regulatory & Spectrum in Europe. Furthermore, he shares his expertise, knowledge, and opinion on various Wi-Fi related topics like new Wi-Fi generations, security, and spectrum policy within the company and at conferences.