The WiFi flaw discovered by researchers from Northeastern University and KU Leuven can impact a wide range of operating systems, including Linux, iOS, and Android, leaving them vulnerable to potential interception of network traffic if exploited by hackers.
Wireless networking stacks found in a wide range of operating systems were left vulnerable due to an ambiguity in the WiFi specification, explained academics from Northeastern University and KU Leuven in a paper (PDF) titled “Framing Frames: Bypassing WiFi Encryption by Manipulating Transmit Queues.” The ambiguity can allow exposure of network traffic if exploited by threat actors.
According to researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef, the issue is caused by a fundamental design flaw in the IEEE 802.11 WiFi protocol standard. The devices impacted by this issue include those running FreeBSD, Linux, iOS, and Android. Aruba, Asus, and D-Link devices were also examined for this research.
If exploited successfully, the flaw can allow attackers to hijack TCP connections and to intercept client and web traffic. Vanhoef shared these findings at the 2023 Real World Crypto (cryptography) Symposium in Tokyo, Japan. The paper is to be presented at the USENIX Security Symposium.
What’s The Issue?
Vanhoef explained the findings in a video presentation, noting that the Kr00k attack disclosed by ESET in 2019 shares similarities with the attack his team developed, as both involve similar vulnerabilities. This indicates that the IEEE 802.11 WiFi standard does not clearly specify how buffered frames should be handled.
WiFi frames carry different types of data related to network routing and traffic and consist of a header, body, and trailer, which allow data to move from one point to another. WiFi access points queue frames linked with different network layers and buffer them until the right network resources are available to send them. The researchers noted that the WiFi specification does not describe how the security context of buffered frames should be managed.
How Can The Flaw Be Abused?
The researchers wrote that attackers would abuse power-save mechanisms in endpoint devices to trick access points into transmitting data frames in plaintext, or else encrypted with an all-zero key. Because the power-save bit in a frame’s header is unprotected, an attacker can force the access point to queue frames destined for a particular client.
This can be used to disconnect the client and carry out a DoS (denial of service) attack. The objective is to leak the queued frames from the access point to which the victim’s client station is connected. It works because most WiFi stacks did not properly dequeue or purge their transmit queues when the security context changed.
The attacker can send a spoofed power-save frame followed by an Association or Authentication frame, which resets the wireless connection and causes the access point to remove the client’s pairwise key. If the adversary then sends a wake-up frame, the access point transmits the buffered data under an undefined security context, leaking the data frames.
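To make the queue behaviour described above concrete, the following is an added illustration (not the researchers’ code and not any vendor’s WiFi stack) of an access point’s per-client transmit queue. It models the sequence in the two paragraphs above: frames are buffered while the power-save bit claims the client is asleep, the pairwise key is removed when the security context is torn down, and the buffer is flushed when the client wakes. The `purge_on_context_change` flag contrasts a stack that forgets to purge the queue with one that applies the obvious mitigation. The MAC address, key, and payload are constructed sample values.

```python
"""Toy model of an access point's per-client transmit queue, showing why
buffered frames must be purged when a client's security context changes.
Constructed illustration; not the paper's or any vendor's code."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    dst: str          # client MAC the frame is addressed to
    payload: bytes    # data the AP is forwarding to that client


@dataclass
class ClientState:
    pairwise_key: Optional[bytes]   # None once the key has been removed
    power_save: bool = False        # taken from the unauthenticated power-save bit
    queue: deque = field(default_factory=deque)  # frames buffered while "asleep"


class AccessPoint:
    def __init__(self, purge_on_context_change: bool) -> None:
        self.purge_on_context_change = purge_on_context_change
        self.clients: dict[str, ClientState] = {}
        self.sent: list[tuple[str, str, bytes]] = []  # (dst, protection, payload)

    def associate(self, mac: str, key: bytes) -> None:
        self.clients[mac] = ClientState(pairwise_key=key)

    def set_power_save(self, mac: str, sleeping: bool) -> None:
        # The bit is not authenticated, so anyone can flip it for a client.
        self.clients[mac].power_save = sleeping

    def deliver(self, frame: Frame) -> None:
        """Forward a frame; buffer it if the client currently claims to be asleep."""
        client = self.clients[frame.dst]
        if client.power_save:
            client.queue.append(frame)
        else:
            self._transmit(frame, client.pairwise_key)

    def remove_security_context(self, mac: str) -> None:
        """Deauth/disassoc: the pairwise key is gone. The mitigation is to drop
        everything still queued for the client at the same moment."""
        client = self.clients[mac]
        client.pairwise_key = None
        if self.purge_on_context_change:
            client.queue.clear()

    def wake(self, mac: str) -> None:
        """Client leaves power save: flush the buffer under the *current* key,
        which is the behaviour the researchers found to be underspecified."""
        client = self.clients[mac]
        client.power_save = False
        while client.queue:
            self._transmit(client.queue.popleft(), client.pairwise_key)

    def _transmit(self, frame: Frame, key: Optional[bytes]) -> None:
        # With no pairwise key there is no context to encrypt under; a stack
        # that did not purge its queue ends up sending the frame unprotected.
        protection = "plaintext" if key is None else "ccmp:" + key.hex()
        self.sent.append((frame.dst, protection, frame.payload))


def simulate(purge_on_context_change: bool) -> list[tuple[str, str, bytes]]:
    """Run the article's sequence against one AP configuration and return the
    frames that actually went over the air."""
    ap = AccessPoint(purge_on_context_change)
    victim = "02:00:00:00:00:01"                          # constructed MAC
    ap.associate(victim, key=bytes.fromhex("0f" * 16))    # constructed key
    ap.set_power_save(victim, sleeping=True)              # client "asleep"
    ap.deliver(Frame(victim, b"GET /secret HTTP/1.1"))    # buffered, not sent
    ap.remove_security_context(victim)                    # key removed
    ap.wake(victim)                                       # buffer flushed
    return ap.sent


if __name__ == "__main__":
    for purge in (False, True):
        print("purge_on_context_change =", purge, "->", simulate(purge))
```

Running the block prints one leaked plaintext frame for the stack that keeps its queue across the context change and nothing for the stack that purges it; the purge in `remove_security_context` is the behaviour a reviewer would look for when auditing a WiFi driver or access-point firmware against this class of issue.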
Furthermore, in a security context override attack, the access point can be made to encrypt frames that have not yet been queued with a key chosen by the attacker, rendering the encryption ineffective. The researchers have published a proof-of-concept tool called MacStealer, which tests networks to identify whether they are vulnerable to a client isolation bypass.