Wi-Fi protocol vulnerability allows traffic decryption
The ubiquitous 802.11 protocol has a vulnerability that allows an attacker to bypass encryption for some traffic.
According to the academic researchers who discovered it, the bug gives an attacker a way to “trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key”.
Because it’s a protocol bug, it affects multiple Wi-Fi implementations.
One of the researchers, Dr Mathy Vanhoef of New York University Abu Dhabi, has published a proof-of-concept, called MacStealer, at GitHub.
In their paper, “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues” [pdf], Dr Vanhoef and Northeastern University’s Domien Schepers and Aanjhan Ranganathan and KU Lueven’s Mathy Vanhoef, wrote that the vulnerability occurs because of “the lack of explicit guidance in managing security contexts of buffered frames in the 802.11 standards.
“The unprotected nature of the power-save bit in a frame’s header, which our work reveals to be a fundamental design flaw, also allows an adversary to force queue frames intended for a specific client,” the researchers wrote.
This, they said, can force disconnection of the target, creating a trivial denial-of-service attack.
Examples of vulnerable networks, the paper stated, include enterprise networks using client isolation or ARP inspection; public hotspots that use the Passpoint login mechanism; home networks using WPA2 or WPA3 with client isolation enabled; and public hotspots using WPA3 SAE-PK.
Cisco was the first vendor to acknowledge the issue.
The networking giant is somewhat dismissive, saying: “This attack is seen as an opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network.”
Nonetheless, it said, “the attacks that are outlined in the paper may be successful when leveraged against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.”
Cisco said policy enforcement via its Identity Services Engine can mitigate the attacks, and said users should implement transport layer security to encrypt data traversing the network.