TKIP is vulnerable to an attack similar to the WEP "ChopChop" attack.
TKIP uses MIC for guaranteeing the integrity of an encrypted
frame. If more than two MIC failures are observed
in a 60 second window, both the Access Point (AP)
and client station shut down for 60 seconds. The newer
TKIP attack uses a mechanism similar to the
“chopchop” WEP attack to decode one byte at a
time by using multiple replays and observing the
response over the air. When a MIC failure occurs,
the attacker can observe the response and waits for
60 seconds to avoid MIC countermeasures. Using
the mechanism, the attacker can decode a packet at
the rate of one byte per minute. Small packets like
ARP frames can typically be decoded in about 15
minutes by leveraging this exploit.
TKIP also includes a sequence counter that could
detect if a packet is being sent out of sequence.
However, with the introduction of QoS based on the
WMM standard, the sequence enforcement across
multiple QoS queues was relaxed for performance
reasons. This creates another security flaw. Once
a TKIP frame has been decoded, the attacker can
use the obtained key sequence to further inject
up to 15 additional arbitrary frames using different
QoS queues without triggering a sequence number
violation that would have lead to the injected packet
being dropped.
Summary of TKIP Vulnerabilities
This is not a key recovery attack. TKIP keys
are not compromised and it does not lead to
decryption of all subsequent frames.
The attack affects all TKIP deployments (WPA
and WPA2) regardless of whether they
use Pre-Shared Keys (PSK) or the more
robust enterprise mode with 802.1x
authentication.
The attack can reveal one byte per minute of
a TKIP encrypted packet. Small frames like
ARPs are good candidates for the attack.
- If QoS is enabled, the attack can also lead
to injection of up to 15 arbitrary frames for
every decrypted packet. Potential attack
scenarios include ARP decoding followed by
ARP poisoning, DNS manipulation, etc.
- WPA and WPA2 networks that use the more
robust AES-CCMP encryption algorithm are
immune to the attack.
- The attack is capable of decrypting a TKIP
frame sent from an AP to a station
(not station to AP).