The wireless network appears to have been compromised and will be disabled for about a minute

macos networking security wireless-networking
11,290

That's the message you get when the AirPort card/driver detects two TKIP "MIChael" MIC (Message Integrity Check) failures within 60 seconds, or is notified of such failures by the AP.

TKIP encryption, which was the basis of original WPA and may still be enabled under WPA2 in what's known as "WPA2 Mixed Mode", had a tiny likelihood of random MIC failures, but two failures within 60 seconds is too unlikely to be randomness, so the WPA spec treats it as an attack, and requires the network to go down for a minute or two to thwart attackers.

The AES-CCMP encryption that is the basis of WPA2 also has a MIC (well, they call it a MAC -- Message Authentication Check -- it's the 'M' of CCMP), but I don't recall off the top of my head what's supposed to happen if there's an AES-CCMP MAC failure. I don't think it involves downing the network temporarily though.

By far the most likely scenario is that you just happened to hit some bug where either the AP or the client screwed up its MIC handling, or where the MIC-failure-handling code got accidentally triggered.

I've seen wireless cards have bugs in this area, especially running in promiscuous mode. You might want to make sure that Parallels or something else isn't putting your wireless card into promiscuous mode. Run ifconfig en1 (if en1 is your AirPort card, as it typically is) and look in the interface flag list ("UP,BROADCAST...") for the PROMISC flag. Some VM software uses Promiscuous mode to enable "bridged" or "shared" networking, at least for wired Ethernet interfaces. Because many wireless cards don't handle promiscuous mode well, most modern VM software is careful not to put a wireless interface into promiscuous mode.

It's possible, but unlikely, that someone was messing with you by forging an 802.11 de-auth frame with the relevant reason code, which the client then dutifully reported up the stack.

By far the least likely scenario is that someone was actually launching an attack on your network.

If the problem happens again, an 802.11 monitor-mode packet trace is probably the best way to record the attack. But I feel that explaining how to do a good 802.11 monitor-mode packet trace under 10.5.8 is beyond the scope of this answer. I will mention that /var/log/system.log might tell you more about what the AirPort client/driver software saw at the time, and you can increase the log level a bit with

sudo /usr/libexec/airportd -d

Snow Leopard has much better AirPort debug logging, so if you upgrade to Snow Leopard, the command is:

sudo /usr/libexec/airportd debug +AllUserland +AllDriver +AllVendor

Sniffing is easy on Snow Leopard:

sudo /usr/libexec/airportd en1 sniff 1

(That example assumes your AirPort card is en1, and your AP is on channel 1.)

Share:
11,290

Related videos on Youtube

Decent Dabbler
Author by

Decent Dabbler

Updated on September 17, 2022

Comments

  • Decent Dabbler
    Decent Dabbler over 1 year

    I just received a message on my Mac OS X system telling me:

    The wireless network appears to have been compromised and will be disabled for about a minute.

    (It's a wireless WPA2-PSK secured network BTW)

    Sample message:

    macOS - The wireless network appears to have been compromised and will be disabled for about a minute

    I looked in the logs of my router (a Zyxel P-2602HW-D1A) only to see a few (outbound) "syn flood TCP ATTACK" logs, but those were from like a week ago, other than that nothing. What tools on Mac OS X do I have to analyse this security breach occurence? Are there some security logs on Mac OS X that I can inspect?

    What other measurements should I take? And how serious should I take this warning from Mac OS X?

    System: Macbook Pro Intel Core 2 Duo 2.2 Ghz
    OS: Mac OS X 10.5.8
    Network: wireless WPA2-PSK
    Relevant software: Parallels Desktop with Windows XP (was open, but stopped at the time)

    Other systems on my network:
    Windows XP SP3 desktop (was running at the time)

    If you need any more info, don't hestitate to ask.

    The actual message was in Dutch, probably something like the following from /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/ ClientController.bundle/Contents/Resources/Dutch.lproj:

    Het draadloze netwerk wordt gedurende ongeveer een minuut uitgeschakeld omdat de beveiliging ervan is aangetast.

    • user3418803
      user3418803 about 14 years
      Do you have a screen shot of the error message?
    • Arjan
      Arjan about 14 years
      @Brian, this is quite an old question... :-)
    • user3418803
      user3418803 about 14 years
      Ha, so it is - I completely overlooked the date
    • kenorb
      kenorb over 6 years
      Still got this on macOS Sierra.
  • Arjan
    Arjan about 14 years
    I can't confirm all you state is true, but: +1 for a very interesting read.
  • Arjan
    Arjan about 14 years
    Given the resource bundle I added to the question, the same text is used for both wpaIsFailureMIC and wpaIsReplayAttack.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Mac OS X "Verify Certificate" every time connecting to secure wireless
Wi-Fi does not work on OS X Yosemite Beta 4
Someone keeps hacking my wifi router
How to secure HP Wireless printer?
can a router be hacked from across the internet? what are possible ways it can be hacked?
Router Intrusion in firewall's log
How can I share my Ethernet connection over Wi-Fi on OS X?
Sharing Android Phone's WiFi connection with OSX
Why can’t I see my Macs on LAN under “Network”?
Just updated to Mac OS X 10.10 Yosemite and Wi-Fi is always looking for a network