Researchers have discovered a new security flaw stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that could trick victims into connecting to less secure wireless networks and eavesdrop on their network traffic.
this SSID obfuscation attackThe vulnerability, tracked as CVE-2023-52424, affects all operating systems and Wi-Fi clients, including home and mesh networks based on WEP, WPA3, 802.11X/EAP and AMPE protocols.
TopVPN, working with KU Leuven professor and researcher Mathy Vanhoef, said the method “involves downgrading victims to less secure networks by spoofing trusted network names (SSIDs) so that they can intercept their traffic or conduct further attacks.” .
“A successful SSID obfuscation attack will also cause any VPN on a trusted network that has an auto-disable feature to shut itself down, leaving the victim’s traffic exposed.”
The problem that allowed the attack is that the Wi-Fi standard does not require that the network name (SSID or Service Set Identifier) be always authenticated, and security measures are only required when a device chooses to join a specific network.
The net effect of this behavior is that an attacker could launch an adversary-in-the-middle (AitM) attack to trick the client into connecting to an untrusted Wi-Fi network instead of the network it was originally intended to connect to.
“In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet using similar credentials,” researchers Héloïse Gollier and Vanhoef outline. “Thus, the victim’s The client will think and appear to the user that it is connected to TrustedNet, when in fact it is connected to WrongNet.”
In other words, even if you mutually authenticate passwords or other credentials when connecting to a protected Wi-Fi network, there’s no guarantee that users are connecting to the network they want.
There are certain prerequisites for completing a downgrade attack –
- The victim wants to connect to a trusted Wi-Fi network
- There is a malicious network with the same authentication credentials as the first network
- The attacker performs AitM within the scope between the victim and the trusted network
Proposed mitigations for SSID obfuscation include updating the 802.11 Wi-Fi standard to include the SSID as part of the four-way handshake when connecting to a protected network, and improving beacon protection to allow “client [to] A reference beacon containing the network SSID is stored and its authenticity is verified during the 4-way handshake.
A beacon is a management frame that a wireless access point transmits periodically to announce its presence. It contains information such as SSID, beacon interval and network capabilities.
“Networks can mitigate attacks by avoiding the reuse of credentials across SSIDs,” the researchers said. “Corporate networks should use different RADIUS server CommonNames, while home networks should use unique passwords for each SSID.”
Nearly three months ago, two authentication bypass flaws were revealed in open source Wi-Fi software such as wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) that could trick users into joining malicious clones of legitimate networks or allow An attacker can join a trusted network without a password.
Last August, Vanhoef also revealed that Cloudflare WARP’s Windows client could be tricked into leaking all DNS requests, effectively allowing adversaries to spoof DNS responses and intercept nearly all traffic.
