"Management frame protection" - 802.11w compatibility

RouterOS Wireless Networking
1

While browsing for techniques to protect against media level attacks, I found the 802.11w specification which protects management frames like deauth. This prevents an attacker from being able to kick clients off the network either to capture the WPA2 4-way handshake for password cracking or as a denial of service attack. https://en.wikipedia.org/wiki/IEEE_802.11w-2009

I saw that Mikrotik implements “Management frame protection” in the wireless settings, but according to the wiki “RouterOS implements proprietary management frame protection algorithm”. I am assuming that proprietary means that this is only compatible with other MT devices? Is there a chance to see the standardized 802.11w specification implemented as well? This would be a superior solution as standard wireless clients that support 802.11w such as laptops and phones would be able to benefit from the management frame protection and be resistant to deauth attacks and other nefarious behavior.

2

Good post - i’d like to find out more about the implementation of management frame protection too.

TonyJr

3

Bump - was wondering if there was any update or comment about this. With tools like WifiJammer[1] and scripts like [2] becoming more accessible, it’s becoming very easy for anyone with a laptop to cause havoc on networks that lack 802.11w. It wouldn’t surprise me if someone comes out with a USB Killer[3] style tool at some point to automate the process to a button press.

[1] https://github.com/DanMcInerney/wifijammer
[2] https://github.com/veerendra2/wifi-deauth-attack
[3] https://www.usbkill.com/

4

It’s getting far too easy to perform deauth attacks these days. Maybe someone should scatter some devices like this around Mikrotik HQ and then we will see a solution? :slight_smile:

https://github.com/spacehuhn/esp8266_deauther

https://www.aliexpress.com/store/product/WiFi-Deauther-ESP8266-preflashed-development-board/2996024_32814740638.html?spm=2114.12010608.0.0.G3Ymlk)

BTW: The wireless chips in MT devices should already have full support for this, just need to add it in software. “It is an optional feature in 802.11 and is required for 802.11 implementations that support TKIP or CCMP.” “The 802.11w standard is implemented in Linux and BSD’s as part of the 80211mac driver code base, which is used by several wireless driver interfaces; i.e., ath9k. The feature is easily enabled in most recent kernels and Linux OS’s using these combinations.”

5

I only can support this request, especially when using capsman!

Took me 3 bucks for a WeMos D1 and 5 minutes for flashing to start sending deauth packets.

„most recent kernels“ might be the problem :wink:

6

This sounds like a needed feature.

7

bump for this feature, i hope it gets on the todo list

8

Is it there yet?

9

Anyone has any news about this issue?

I’m surprised how neglected this feature was for this whole time, and now just became one of the top priority features that Mikrotik MUST go for.

Specially these days, where any newbie can buy an extremely inexpensive WiFi Deauther anywhere…

Any way to push Mikrotik for this?

10

Show up to a MUM with a deauther, might get some attention :smiley:

11

No, really. It seriously stinks that it’s not supported yet. I’m going to keep deauth myself for next 2 months and complain that my RB2011 wifi doesn’t work as manifest.

12

Hey Mikrotik,
please implement dot11w PMF in the next ROS release! It’s about time …

13

Yearly bump :slight_smile:

14

Maybe in ROS 7 ?.. About time.

15

Any news on this?

16

Yeah, welcome time traveller. wifi-qcom and wifi-qcom-ac have it. Legacy wireless most probably will never get 802.11w.

https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-Benefits