Forcing MIC failures, again

Jouni Malinen j at
Wed May 30 22:14:18 EDT 2007

On Wed, May 30, 2007 at 11:39:33PM -0000, Queisser, Andrew (VfB Stuttgart '07!!) wrote:

> if (corruptCondition)
>   pos[0]++;
> at the end of the function ieee80211_michael_mic_add, just before the
> return 0 statement.

> - Would the contents of pos match the bytes in the sniffer or is there
> another level of encryption that happens?

No, they should not match. Michael MIC value is encrypted with rest of
the frame.

> - Why doesn't the change to the MIC cause a MIC failure on the AP? Do I
> have the code in the wrong spot?

If your driver is only using software encryption for TKIP, this would be
suitable place to change the MIC value. Are you sure the AP implements
TKIP countermeasures correctly?

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list