Researchers at Belgium's KU Leuven have found a design flaw in the IEEE 802.11 Wi-Fi standard that lets an attacker trick a victim's device into connecting to a less secure wireless network than the one it intended to join.
Such attacks expose victims to a higher risk of traffic interception and manipulation, according to VPN review site Top10VPN, which collaborated with one of the KU Leuven researchers to release details of the flaw this week, ahead of a presentation at the ACM WiSec 2024 conference in Seoul, South Korea.
A Design Flaw

The flaw, tracked as CVE-2023-52424, affects all Wi-Fi clients across all operating systems.
Affected networks include those based on the widely deployed WPA3 protocol, as well as WEP and 802.1X/EAP (enterprise) networks. The researchers have proposed updates to the Wi-Fi standard, along with mitigations that individuals and organizations can apply in the meantime.
The flaw was found by Héloïse Gollier and Mathy Vanhoef. Vanhoef is a professor at KU Leuven whose previous work includes several notable Wi-Fi vulnerabilities and attacks: Dragonblood in WPA3, the KRACK key reinstallation attacks against WPA2, and the TunnelCrack vulnerabilities in VPN clients.
The root cause of the new design flaw, the two researchers found, is that the IEEE 802.11 standard does not always require a network's Service Set Identifier (SSID) to be authenticated when a client connects to it.
An SSID is the human-readable name that identifies a wireless network so it can be told apart from others in range. It is advertised in beacons and probe responses, several access points can carry the same SSID, and individual access points are identified by their BSSID rather than by the SSID.
The problem is that the standard does not mandate that the SSID be included in the key derivation. In WPA3 (SAE) and 802.1X/EAP networks the pairwise master key is derived without the SSID, and the 4-way handshake that follows mixes in only that key, the two MAC addresses, and the two nonces.
In other words, the SSID is not always part of the authentication that happens when a client device connects to a network. Where it is not, an attacker can set up a rogue access point, spoof the SSID of a trusted network, and use it to downgrade the victim onto a less trusted network.
The attack works only where an organization runs two Wi-Fi networks with shared credentials.
This happens, for example, when an environment has a 2.4 GHz network and a separate 5 GHz network, each with its own SSID but the same authentication credentials.
Typically, client devices would be configured to connect to the better-secured 5 GHz network.
An attacker close enough to the target network to perform a man-in-the-middle attack can stand up a rogue access point that advertises the same SSID as the 5 GHz network.
The rogue access point then relays the victim's authentication and handshake frames to the weaker 2.4 GHz access point, so the client ends up associated with that network while believing it has joined the 5 GHz one; because the keys derived during the handshake do not depend on the SSID, the handshake completes normally. Such a downgrade could put victims at higher risk of known attacks such as KRACK and other threats, the researchers said.
The downgrade also has a knock-on effect for VPN clients configured to switch themselves off automatically on trusted networks: because such VPNs recognize a trusted network by its SSID, a spoofed SSID can cause the VPN to disable itself, the researchers noted.
Establishing the kind of multichannel man-in-the-middle position the report describes is feasible against all existing Wi-Fi implementations, the researchers said.
Top10VPN pointed to three defenses against SSID confusion attacks like those the researchers described.
The first is to update the IEEE 802.11 standard to make SSID authentication mandatory, for example by binding the SSID into the key derivation so that a handshake relayed from a network with a different SSID fails.
The second is to better protect the beacons that an access point transmits periodically to advertise its presence, so that connected clients can detect when the SSID changes.
The third is to avoid credential reuse across different SSIDs, which removes the precondition the attack depends on.
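The following is an added example, not code from the Dark Reading article or from the KU Leuven researchers. It is a toy model of the 4-way handshake key derivation that illustrates both the root cause described above (the SSID is absent from the keys, so a handshake relayed between two networks with shared credentials still completes) and the first and third defenses (binding the SSID into key derivation, and not sharing credentials across SSIDs). The SSID names, MAC addresses, nonces and PMK are constructed sample values; the PTK derivation follows the 802.11 PRF-384 construction used with WPA2/CCMP, the EAPOL-Key MIC is a simplified stand-in, no real frames are built, and the `ssid` parameter of `derive_ptk` is a hypothetical variant modelling the proposed fix, not anything in the current standard.

```python
import hashlib
import hmac

# Constructed sample values (not captured from any real network).
AP_MAC = bytes.fromhex("02aabbcc0001")       # real AP serving the weaker network
CLIENT_MAC = bytes.fromhex("02aabbcc0002")
ANONCE = hashlib.sha256(b"anonce-sample").digest()
SNONCE = hashlib.sha256(b"snonce-sample").digest()
# One PMK shared by both networks: models WPA3-SAE or 802.1X/EAP with the same
# credentials on two SSIDs, where the PMK is derived without the SSID.
SHARED_PMK = hashlib.sha256(b"shared-credential-sample").digest()


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, ssid=None):
    """PTK per 802.11: PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Nothing in the standard derivation depends on the SSID. Passing `ssid`
    models the proposed fix (hypothetical, not standard): the SSID is mixed in."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    if ssid is not None:
        data += ssid.encode()
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, body):
    """Simplified EAPOL-Key MIC: HMAC-SHA1 under the KCK (first 16 bytes of the PTK), truncated."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def handshake_succeeds(ap_ssid, client_ssid, bind_ssid):
    """Model the attack: the client believes it is joining client_ssid while an
    attacker relays its frames to a real AP that serves ap_ssid. Returns True if
    both sides verify each other's EAPOL-Key MICs, i.e. the association completes."""
    ap_ptk = derive_ptk(SHARED_PMK, AP_MAC, CLIENT_MAC, ANONCE, SNONCE,
                        ap_ssid if bind_ssid else None)
    client_ptk = derive_ptk(SHARED_PMK, AP_MAC, CLIENT_MAC, ANONCE, SNONCE,
                            client_ssid if bind_ssid else None)
    msg2 = b"EAPOL-Key msg2 " + SNONCE      # client -> AP, MIC under client's KCK
    msg3 = b"EAPOL-Key msg3 " + ANONCE      # AP -> client, MIC under AP's KCK
    ap_ok = hmac.compare_digest(eapol_mic(client_ptk[:16], msg2), eapol_mic(ap_ptk[:16], msg2))
    client_ok = hmac.compare_digest(eapol_mic(ap_ptk[:16], msg3), eapol_mic(client_ptk[:16], msg3))
    return ap_ok and client_ok


def wpa2_psk_pmk(passphrase, ssid):
    """Contrast: WPA2-Personal derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32),
    so the SSID is bound at the PMK level and reusing a password across two SSIDs
    does not yield a shared PMK the way shared SAE or EAP credentials do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    # Standard derivation, relayed across SSIDs: the downgrade succeeds.
    print(handshake_succeeds("Corp-2G", "Corp-5G", bind_ssid=False))   # True
    # SSID bound into the keys, relayed across SSIDs: the handshake fails.
    print(handshake_succeeds("Corp-2G", "Corp-5G", bind_ssid=True))    # False
    # SSID bound, legitimate join of the intended network: still works.
    print(handshake_succeeds("Corp-5G", "Corp-5G", bind_ssid=True))    # True
    # WPA2-PSK: same password, different SSIDs, different PMKs.
    print(wpa2_psk_pmk("password123", "Corp-2G") != wpa2_psk_pmk("password123", "Corp-5G"))  # True
```

The first call is the SSID confusion case: the client's keys are computed as if for Corp-5G, the access point's as if for Corp-2G, and they match because neither side ever uses the SSID. Binding the SSID (second call) makes the relayed handshake fail while a genuine join (third call) still completes, which is the effect of the first proposed defense; using distinct credentials per SSID achieves the same outcome today by ensuring the two networks never share a PMK in the first place.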
Originally published on www.darkreading.com. Publication date: Wed, 15 May 2024 21:35:26 +0000