Extending Automated Protocol State Learning for the 802.11 4-Way Handshake

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11098)


We show how state machine learning can be extended to handle timeout behaviour and unreliable communication mediums. This enables us to carry out the first fully automated analysis of 802.11 4-Way Handshake implementations. We develop a tool that uses our learning method and apply it to 7 widely used Wi-Fi routers, finding 3 new security-critical vulnerabilities: two distinct downgrade attacks and one router that can be made to leak some encrypted data to an attacker before authentication.



This work has been supported by the Netherlands Organisation for Scientific Research (NWO) through Veni project 639.021.750.


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. School of Computer Science, University of Birmingham, Birmingham, UK
  2. Radboud University, Nijmegen, The Netherlands
