New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices

March 30, 2023 | Ravie Lakshmanan | Network Security

A group of researchers from Northeastern University and KU Leuven has uncovered a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard. The flaw affects a wide range of devices running Linux, FreeBSD, Android, and iOS.

Researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef describe in a paper published this week how successful exploitation of the flaw could be used to hijack TCP connections or intercept client and web traffic.

The approach abuses the power-save mechanisms of the endpoint device to trick the access point into leaking buffered data frames in plaintext, or into encrypting them with an all-zero key.

“The unprotected nature of the power save bit in the frame header […] An adversary could also force the queueing of frames intended for a particular client, disconnecting the client and trivially performing a denial-of-service attack,” the researchers said.

In other words, the goal is to exploit the fact that most Wi-Fi stacks do not properly dequeue or purge their transmit queues when the security context changes, so that frames the access point has buffered for the targeted client station are leaked.

In addition to manipulating the security context and leaking frames from the queue, an attacker can also override the client security context that the access point uses, so that packets destined for the victim are received by the attacker instead. This attack presupposes that the targeted party is connected to a hotspot-like network, where every client authenticates with its own credentials.

“The core idea behind the attack is that how a client is authenticated is independent of how packets are routed to the correct Wi-Fi client,” Vanhoef explains.

“A malicious insider can exploit this to intercept data to Wi-Fi clients by disconnecting the victim and connecting with the victim’s MAC address (using the adversary’s credentials). Packets that were still in transit to the victim, e.g. website data that the victim was still loading, would be received by the attacker instead.”
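The mechanism in the preceding paragraphs (a spoofable power-save bit, a transmit queue that survives a security-context change, and an attacker re-associating under the victim's MAC) is easiest to see in a small model. The following is a constructed example written for this article, not the researchers' code and not a real 802.11 implementation: the MAC address, payload, keys and the XOR "cipher" are placeholders, and `AccessPoint` is a toy that only tracks per-client keys, sleep state and a buffer. The `purge_on_context_change` flag switches between the vulnerable behaviour the paper describes and the fix the authors call for (purging the queue whenever the security context changes).

```python
"""Toy model of the 802.11 power-save transmit-queue flaw (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    src: str            # claimed sender MAC, read from the unauthenticated header
    power_save: bool    # power-save bit: also unauthenticated, so an attacker can spoof it


def toy_cipher(key: Optional[bytes], data: bytes) -> bytes:
    """Stand-in for pairwise encryption: XOR with the key; plaintext if no key is installed."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class AccessPoint:
    def __init__(self, purge_on_context_change: bool) -> None:
        self.purge = purge_on_context_change
        self.keys: Dict[str, bytes] = {}                          # MAC -> pairwise key (security context)
        self.asleep: Set[str] = set()
        self.queue: Dict[str, List[bytes]] = defaultdict(list)    # MAC -> payloads buffered while asleep
        self.air: List[Tuple[str, bytes]] = []                    # (dst MAC, bytes actually transmitted)

    def _context_changed(self, mac: str) -> None:
        # The fix: anything buffered under the old security context must be dropped.
        if self.purge:
            self.queue.pop(mac, None)

    def associate(self, mac: str, key: bytes) -> None:
        self._context_changed(mac)
        self.keys[mac] = key
        self.asleep.discard(mac)

    def disassociate(self, mac: str) -> None:
        self._context_changed(mac)
        self.keys.pop(mac, None)          # security context cleared, but (if not purging) queue kept

    def receive(self, frame: Frame) -> None:
        """Honour the power-save bit of any frame that merely claims to come from frame.src."""
        if frame.power_save:
            self.asleep.add(frame.src)
        else:
            self.asleep.discard(frame.src)
            self._flush(frame.src)

    def deliver(self, dst: str, payload: bytes) -> None:
        """Data arriving from the wired side for a wireless client."""
        if dst in self.asleep:
            self.queue[dst].append(payload)
        else:
            self.air.append((dst, toy_cipher(self.keys.get(dst), payload)))

    def _flush(self, mac: str) -> None:
        # Vulnerable behaviour: buffered frames are protected with whatever context
        # is installed for this MAC now, not the one in place when they were queued.
        for payload in self.queue.pop(mac, []):
            self.air.append((mac, toy_cipher(self.keys.get(mac), payload)))


VICTIM = "aa:bb:cc:dd:ee:01"        # constructed MAC address
SECRET = b"GET /inbox HTTP/1.1"     # constructed in-flight web data


def run_attack(purge_on_context_change: bool, attacker_reassociates: bool) -> Optional[bytes]:
    """Return the buffered payload as the attacker can read it, or None if nothing leaked."""
    ap = AccessPoint(purge_on_context_change)
    ap.associate(VICTIM, b"victim-pairwise-key")

    # 1. Attacker spoofs the victim's MAC with the power-save bit set; the AP starts buffering.
    ap.receive(Frame(src=VICTIM, power_save=True))
    ap.deliver(VICTIM, SECRET)                       # now sits in the transmit queue

    # 2. Attacker disconnects the victim; the AP discards the victim's key.
    ap.disassociate(VICTIM)

    attacker_key: Optional[bytes] = None
    if attacker_reassociates:
        # 3. Attacker joins the hotspot-like network with the victim's MAC and its own credentials.
        attacker_key = b"attacker-key"
        ap.associate(VICTIM, attacker_key)

    # 4. Attacker clears the power-save bit; the AP flushes the queue under the current context.
    ap.receive(Frame(src=VICTIM, power_save=False))

    for dst, on_air in ap.air:
        if dst == VICTIM:
            return toy_cipher(attacker_key, on_air)  # decrypt with attacker's key, or read plaintext
    return None


if __name__ == "__main__":
    print("leak, attacker re-associated:", run_attack(False, True))
    print("leak, no key installed:      ", run_attack(False, False))
    print("fixed AP:                    ", run_attack(True, True))
```

With `purge_on_context_change=False` the victim's in-flight data reaches the attacker in both variants: encrypted under the attacker's own key when it re-associates with the victim's MAC, and in plaintext when the queue is flushed with no key installed. With the flag set, both `disassociate` and `associate` empty the buffer first and nothing is transmitted.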

In an informational advisory, Cisco describes the vulnerability as “an opportunistic attack, and the information obtained by the attacker would be of minimal value in a securely configured network.”

However, the company does acknowledge that the attacks presented in the paper may succeed against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.

To reduce the probability of such attacks, the advisory recommends using Transport Layer Security (TLS) to encrypt data in transit, so that leaked frames do not expose application data, and applying policy enforcement mechanisms to restrict network access.


The findings come months after researchers Ali Abedi and Deepak Vasisht demonstrated Wi-Peep, a location-revealing privacy attack that also exploits the power-saving mechanisms of the 802.11 protocol to localize target devices.

The research also follows other recent work that leveraged the Google Geolocation API to launch location spoofing attacks in urban areas, as well as work that uses Wi-Fi signals to detect and map human movements in a room.
