New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices


A team of researchers from Northeastern University and KU Leuven has disclosed a design flaw in the IEEE 802.11 Wi-Fi protocol standard that affects a wide range of devices running Linux, FreeBSD, Android, and iOS.

According to a recently published paper by researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef, the flaw could be exploited to hijack TCP connections or to intercept client and web traffic.

The technique abuses the power-saving mechanism of 802.11 endpoints to trick access points into transmitting buffered data frames either in plaintext or encrypted with an all-zero key.

The researchers also note that, because the power-save bit in a frame's header is unprotected, an attacker can force the access point to queue the frames destined for a specific client, disconnecting that client and trivially causing a denial of service.

Put differently, the goal is to capture data packets sent from a wireless access point to a targeted client device, exploiting the fact that many Wi-Fi stacks do not adequately remove frames from their transmit queues when the security context changes.

Besides leaking frames from the queue through security context manipulation, an attacker can also override the client's security context that the access point uses, and thereby receive packets intended for the victim. This attack presupposes that the victim is connected to a hotspot-like network.

According to Vanhoef, the attack relies on the fact that the way a client is authenticated is unrelated to the way packets are routed to the correct Wi-Fi client.

Data being sent to a Wi-Fi client can be intercepted by a malicious insider who disconnects the victim's Wi-Fi connection and then reconnects under the victim's MAC address using the adversary's credentials. The attacker then receives any packets that were still underway to the victim, such as website data the victim was still loading; the adversary receives that data instead.
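As an added illustration (not code from the paper, the researchers, or any real Wi-Fi stack), the following Python model covers both behaviours described above: the transmit queue that is not flushed when the security context changes, and the client table that is keyed by MAC address alone so that a re-association under the victim's MAC inherits frames meant for the victim. All class and function names, the MAC addresses, the keys and the payload are constructed for this example; `protect()` only labels which key a frame would go out under and does no real encryption.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

# Names below (Session, AccessPoint, protect, ...) are invented for this model.
ZERO_KEY = bytes(16)            # a "cleared" pairwise key: 16 zero bytes


@dataclass
class Session:
    """What the modelled AP keeps per associated client, looked up by MAC only."""
    mac: str
    key: bytes | None                                  # None: no key installed
    power_save: bool = False
    queue: deque = field(default_factory=deque)        # frames held while asleep
    received: list = field(default_factory=list)       # frames as they went on air


def protect(frame: bytes, key: bytes | None) -> tuple:
    """Stand-in for CCMP/GCMP: records which protection a frame would get.
    Nothing is encrypted; the tuple just says which key it was sent under."""
    if key is None:
        return ("plaintext", None, frame)
    if key == ZERO_KEY:
        return ("zero-key", ZERO_KEY, frame)           # as readable as plaintext
    return ("encrypted", key, frame)


def readable(entry: tuple, holder_key: bytes | None) -> bytes | None:
    """What an eavesdropper holding `holder_key` gets out of an on-air frame."""
    mode, key, frame = entry
    return frame if mode != "encrypted" or key == holder_key else None


class AccessPoint:
    def __init__(self, flush_on_context_change: bool):
        self.flush = flush_on_context_change
        self.sessions: dict[str, Session] = {}

    def associate(self, mac: str, key: bytes | None) -> Session:
        # A second association with the same MAC replaces the existing entry.
        # A stack that does not flush lets the old entry's queue carry over
        # into the new security context.
        old = self.sessions.get(mac)
        new = Session(mac=mac, key=key)
        if old is not None and not self.flush:
            new.queue = old.queue
        self.sessions[mac] = new
        return new

    def disconnect(self, mac: str) -> None:
        if self.flush:
            del self.sessions[mac]             # key and queued frames go together
        else:
            self.sessions[mac].key = ZERO_KEY  # key zeroed, queue left in place
            # (a stack that removes the key instead would yield "plaintext")

    def set_power_save(self, mac: str, asleep: bool) -> None:
        # The power-save bit sits in the unprotected header, so the AP honours
        # it from any frame carrying this MAC, whether the client sent it or not.
        s = self.sessions.get(mac)
        if s is None:
            return
        s.power_save = asleep
        if not asleep:
            while s.queue:                     # drain under the *current* key
                s.received.append(protect(s.queue.popleft(), s.key))

    def send(self, mac: str, frame: bytes) -> None:
        s = self.sessions[mac]
        if s.power_save:
            s.queue.append(frame)              # buffered, not yet encrypted
        else:
            s.received.append(protect(frame, s.key))


VICTIM = "aa:bb:cc:00:00:01"                   # constructed address and keys
VICTIM_KEY, ATTACKER_KEY = bytes(range(16)), bytes(range(16, 32))
SECRET = b"HTTP/1.1 200 OK ... Set-Cookie: session=..."   # constructed payload


def queued_frame_leak(ap: AccessPoint) -> list:
    """Spoofed power-save bit + forced reconnect: what leaks from the queue."""
    ap.associate(VICTIM, VICTIM_KEY)
    ap.set_power_save(VICTIM, True)      # attacker spoofs "asleep" for VICTIM
    ap.send(VICTIM, SECRET)              # AP buffers instead of encrypting now
    ap.disconnect(VICTIM)                # attacker forces a deauthentication
    ap.set_power_save(VICTIM, False)     # attacker spoofs "awake": queue drains
    s = ap.sessions.get(VICTIM)
    return [readable(e, None) for e in s.received] if s else []


def mac_takeover(ap: AccessPoint) -> list:
    """Attacker re-associates under VICTIM's MAC with its own credentials."""
    ap.associate(VICTIM, VICTIM_KEY)
    ap.set_power_save(VICTIM, True)
    ap.send(VICTIM, SECRET)              # still in flight towards the victim
    ap.disconnect(VICTIM)
    attacker = ap.associate(VICTIM, ATTACKER_KEY)   # same MAC, attacker's key
    ap.set_power_save(VICTIM, False)
    ap.send(VICTIM, b"next packet for that MAC")
    return [readable(e, ATTACKER_KEY) for e in attacker.received]


if __name__ == "__main__":
    for flush in (False, True):
        print("flush" if flush else "no flush", queued_frame_leak(AccessPoint(flush)),
              mac_takeover(AccessPoint(flush)))
```

Running it shows the two behaviours side by side: without flushing, the buffered frame leaves the AP under a zeroed key after the forced disconnect, and a re-association under the victim's MAC inherits it under the attacker's key. Flushing the queue when the context changes removes the buffered frame in both cases, but the model also shows that anything the network sends to that MAC afterwards still lands in the attacker's session, which is why the page's mitigation advice leans on end-to-end TLS rather than on the Wi-Fi layer alone.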

According to Cisco's advisory, the vulnerabilities amount to an "opportunistic attack," and the information gained by the attacker would be of minimal value in a securely configured network.

Nevertheless, the company acknowledged that the attacks outlined in the research may be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.

To reduce the impact of such attacks, it is recommended to use transport layer security (TLS) to encrypt data in transit, and to apply policy enforcement mechanisms that restrict network access.

The findings come months after researchers Ali Abedi and Deepak Vasisht disclosed a privacy attack named Wi-Peep, which also exploits the power-saving mechanism of the 802.11 protocol, in that case to locate specific devices.

The study also follows other recent research that used the Google Geolocation API to mount location-spoofing attacks in urban areas, and work that used Wi-Fi signals to detect and map human motion inside a room.
