The wireless network appears to have been compromised and will be disabled for about a minute

Question

I just received a message on my Mac OS X system telling me:

The wireless network appears to have been compromised and will be disabled for about a minute.^†

(It's a wireless WPA2-PSK secured network BTW)

Sample message:

---

I looked in the logs of my router (a Zyxel P-2602HW-D1A) only to see a few (outbound) "syn flood TCP ATTACK" logs, but those were from like a week ago, other than that nothing. What tools on Mac OS X do I have to analyse this security breach occurence? Are there some security logs on Mac OS X that I can inspect?

What other measurements should I take? And how serious should I take this warning from Mac OS X?

System: Macbook Pro Intel Core 2 Duo 2.2 Ghz
OS: Mac OS X 10.5.8
Network: wireless WPA2-PSK
Relevant software: Parallels Desktop with Windows XP (was open, but stopped at the time)

Other systems on my network:
Windows XP SP3 desktop (was running at the time)

If you need any more info, don't hestitate to ask.

---

^† The actual message was in Dutch, probably something like the following from /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/ ClientController.bundle/Contents/Resources/Dutch.lproj:

Het draadloze netwerk wordt gedurende ongeveer een minuut uitgeschakeld omdat de beveiliging ervan is aangetast.

Answer 1

That's the message you get when the AirPort card/driver detects two TKIP "MIChael" MIC (Message Integrity Check) failures within 60 seconds, or is notified of such failures by the AP.

TKIP encryption, which was the basis of original WPA and may still be enabled under WPA2 in what's known as "WPA2 Mixed Mode", had a tiny likelihood of random MIC failures, but two failures within 60 seconds is too unlikely to be randomness, so the WPA spec treats it as an attack, and requires the network to go down for a minute or two to thwart attackers.

The AES-CCMP encryption that is the basis of WPA2 also has a MIC (well, they call it a MAC -- Message Authentication Check -- it's the 'M' of CCMP), but I don't recall off the top of my head what's supposed to happen if there's an AES-CCMP MAC failure. I don't think it involves downing the network temporarily though.

By far the most likely scenario is that you just happened to hit some bug where either the AP or the client screwed up its MIC handling, or where the MIC-failure-handling code got accidentally triggered.

I've seen wireless cards have bugs in this area, especially running in promiscuous mode. You might want to make sure that Parallels or something else isn't putting your wireless card into promiscuous mode. Run ifconfig en1 (if en1 is your AirPort card, as it typically is) and look in the interface flag list ("UP,BROADCAST...") for the PROMISC flag. Some VM software uses Promiscuous mode to enable "bridged" or "shared" networking, at least for wired Ethernet interfaces. Because many wireless cards don't handle promiscuous mode well, most modern VM software is careful not to put a wireless interface into promiscuous mode.

It's possible, but unlikely, that someone was messing with you by forging an 802.11 de-auth frame with the relevant reason code, which the client then dutifully reported up the stack.

By far the least likely scenario is that someone was actually launching an attack on your network.

If the problem happens again, an 802.11 monitor-mode packet trace is probably the best way to record the attack. But I feel that explaining how to do a good 802.11 monitor-mode packet trace under 10.5.8 is beyond the scope of this answer. I will mention that /var/log/system.log might tell you more about what the AirPort client/driver software saw at the time, and you can increase the log level a bit with

sudo /usr/libexec/airportd -d

Snow Leopard has much better AirPort debug logging, so if you upgrade to Snow Leopard, the command is:

sudo /usr/libexec/airportd debug +AllUserland +AllDriver +AllVendor

Sniffing is easy on Snow Leopard:

sudo /usr/libexec/airportd en1 sniff 1

(That example assumes your AirPort card is en1, and your AP is on channel 1.)

Answer 2

As per this thread, the message comes from the AirPort driver when it detects a problem with the TKIP Message Integrity Check or the associated checksum.

So basically either your network is compromised by TKIP injection attacks, or simply the router is incorrectly calculating the MIC or checksum, or the packets got corrupted during transmission due to interference from another routers operating on similar frequency ranges.

The suggested way of avoiding this is to change to a different router or, if possible, only use WPA2 encryption.

See: How to avoid the WPA wireless security standard attack?

TKIP was created as a quick fix for older APs and clients that were crippled by WEP. Instead of using the same key to encrypt every packet, TKIP uses RC4 with a different key for each packet. These per-packet keys neutralize WEP encryption crackers. In addition, TKIP uses a keyed Message Integrity Check (MIC) to detect packets that are replayed or forged. Anyone can send (that is, inject) a TKIP-encrypted packet that has been captured and modified, but those packets are dropped because the MIC and checksum do not match the data carried by the packet. APs using TKIP usually transmit an error report when the first bad MIC is received. If a second bad packet arrives within 60 seconds, the AP stops listening for another minute and then "rekeys" the WLAN, requiring all clients to start using a new "pairwise master key" to generate both the MIC key and those per-packet encryption keys.

This plugged the gaping holes left by WEP. All WPA-certified products can use TKIP and its MIC to resist 802.11 data eavesdropping, forgery, and replay attacks.