Document Overview (5) General adversary goals in CAPWAP Eavesdrop on AC-WTP traffic WTP impersonation AC impersonation Sub-goals (which may be building blocks for other attacks) Control which AC associates with which WTP Cause (CAPWAP) de-association of WTP/AC Cause (802.11) de-association of authorized user Facilitate (802.11) association of unauthorized user (e.g. by impersonating AC) Inject/Modify 802.11 user traffic Remotely take control of WTP Modify WTP configuration, firmware Remotely take control of AC And indirectly control WTP(s) and 802.11 user traffic as a result Protocol DoS attacks Inject MiM requests/replies which terminate AC-WTP connection Delete session establishment requests/replies Repeatedly initiate sessions, leaving them dangling |