MITM detection

The attack is detected by looking for modified 802.11 sequence numbers.

  • Each 802.11 frame carries a sequence number and a fragment number (0 if the frame is not fragmented)

  • Frames sent with a forged MAC address carry sequence numbers that fall outside the sequence order of the legitimate station's frames

  • The sequence number is usually generated by the firmware of the wireless adapter, so it is difficult for an attacker to spoof

  • But it is still possible (!) - by modifying reverse-engineered firmware code of the wireless adapter, the attacker can change the sequence number

  • Most wireless manufacturers use various modifications of the Intersil driver - leakage of the firmware source code is possible
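
The sequence-order check described above, as an added example that is not part of the original page. The function names, the MAX_GAP tolerance, the MAC addresses and the sample capture are assumptions constructed for illustration.

```python
# Added example: flag frames whose 802.11 sequence number breaks the
# per-MAC sequence order. MAX_GAP and the sample frames are assumptions.
SEQ_MODULO = 4096  # the sequence number is a 12-bit counter that wraps
MAX_GAP = 3        # assumed tolerance for frames the sensor did not hear


def parse_seq_ctrl(seq_ctrl):
    """Split the 16-bit Sequence Control field into (sequence, fragment)."""
    return seq_ctrl >> 4, seq_ctrl & 0x0F


def make_seq_ctrl(seq, frag=0):
    """Build a Sequence Control value for the constructed samples below."""
    return ((seq % SEQ_MODULO) << 4) | (frag & 0x0F)


def find_anomalies(frames, max_gap=MAX_GAP):
    """frames: iterable of (source_mac, seq_ctrl) in capture order.
    Returns (frame_index, mac, previous_seq, observed_seq) per anomaly."""
    last_seq = {}
    alerts = []
    for index, (mac, seq_ctrl) in enumerate(frames):
        seq, _frag = parse_seq_ctrl(seq_ctrl)
        if mac in last_seq:
            # Gap 0 is a retransmission or a further fragment; 1..max_gap
            # is normal progress. A backward step shows up as a large gap
            # because the difference is taken modulo 4096.
            gap = (seq - last_seq[mac]) % SEQ_MODULO
            if gap > max_gap:
                alerts.append((index, mac, last_seq[mac], seq))
        last_seq[mac] = seq
    return alerts


STA_A = "02:00:00:00:00:0a"  # constructed addresses
STA_B = "02:00:00:00:00:0b"
SAMPLE_FRAMES = [  # constructed capture, not real traffic
    (STA_A, make_seq_ctrl(100)), (STA_A, make_seq_ctrl(101)),
    (STA_B, make_seq_ctrl(4094)), (STA_A, make_seq_ctrl(101, 1)),
    (STA_B, make_seq_ctrl(4095)), (STA_A, make_seq_ctrl(102)),
    (STA_B, make_seq_ctrl(0)),      # wrap-around, not an anomaly
    (STA_A, make_seq_ctrl(2950)),   # second transmitter using STA_A's MAC
    (STA_A, make_seq_ctrl(103)), (STA_A, make_seq_ctrl(104)),
    (STA_B, make_seq_ctrl(2)),      # one frame missed, within tolerance
]

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_FRAMES):
        print("out-of-order sequence number:", alert)
```

Each out-of-order frame produces two alerts, one for the jump away from the station's counter and one for the jump back to it. The tolerance has to be tuned to how many frames the sensor actually misses.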