A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.
When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.
WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.
By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.
“Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic,” researchers.
According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.
Adversary Can Abuse the Power-Save Mechanisms
The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.
Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.
The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.
In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.
Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.
By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.
“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.
Network Device Models That Are Known To Be Vulnerable:
“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.
Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.
“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.
The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.
“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.
Are You a Pentester? – Try Free Automated API Penetration Testing For Developers & Testers