Researchers at Belgium’s KU Leuven found a fundamental design flaw in the IEEE 802.11 Wi-Fi standard that gives attackers a way to trick victims into connecting to a less secure wireless network than the one they intended to connect to.
Such attacks can expose victims to a higher risk of traffic interception and manipulation, according to VPN review site Top10VPN, which collaborated with one of the KU Leuven researchers to release details of the flaw this week ahead of a presentation at an upcoming conference in Seoul, South Korea.
A Design Flaw
The flaw, assigned CVE-2023-52424, affects all Wi-Fi clients across all operating systems. Affected Wi-Fi networks include those based on the widely deployed WPA3 protocol, WEP, and 802.1X/EAP. The researchers have proposed updates to the Wi-Fi standard as well as measures that individuals and organizations can use to mitigate the risk.
“In this paper we demonstrate that a client can be tricked into connecting to a different protected Wi-Fi network than the one it intended to connect to,” KU Leuven researchers Héloïse Gollier and Mathy Vanhoef said in their paper. “That is, the client’s user interface will show a different SSID than the one of the actual network it is connected to.”
Vanhoef is a professor at KU Leuven whose previous work includes the discovery of several notable Wi-Fi vulnerabilities and exploits, such as Dragonblood in WPA3, the so-called Krack key reinstallation attacks against WPA2, and the TunnelCrack vulnerabilities in VPN clients.
The root cause of the new Wi-Fi design flaw that the two researchers discovered is that the IEEE 802.11 standard does not always require a network’s Service Set Identifier, or SSID, to be authenticated when a client connects to it. SSIDs uniquely identify wireless access points and networks so they are distinguishable from others in the vicinity.
“Modern Wi-Fi networks rely on a 4-way handshake to authenticate themselves and the clients, as well as to negotiate keys to encrypt the connection,” the researchers wrote. “The 4-way handshake takes a shared Pairwise Master Key (PMK), which can be derived differently depending on the version of Wi-Fi and the specific authentication protocol being used.”
The problem is that the IEEE 802.11 standard does not mandate that the SSID be included in the key derivation process. In other words, the SSID is not always part of the authentication that takes place when a client device connects to a network. In those implementations, attackers have an opportunity to set up a rogue access point, spoof the SSID of a trusted network, and use it to downgrade the victim to a less trusted network.
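As an added illustration of the key-derivation point (example code written for this page, not from the paper or the article): the PTK derivation below is the standard’s PRF-384 form used with WPA2/CCMP, with the PMK, MAC addresses and nonces as constructed values and the PMK assumed not to depend on the SSID (as with 802.1X/EAP, where it comes from the EAP exchange). The SSID-bound variant is a hypothetical sketch of the proposed fix, not the standard’s KDF.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, ssid=None):
    """PTK as derived in the 4-way handshake (PRF-384 form used with CCMP).

    The standard's context is only the two MAC addresses and the two nonces:
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce).
    If `ssid` is given, it is appended to that context. That SSID-bound variant is
    a hypothetical illustration of the proposed fix, not the standard's KDF.
    """
    context = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    if ssid is not None:
        context += ssid
    return prf(pmk, b"Pairwise key expansion", context, 48)


# Constructed sample values; not taken from any real network or capture.
PMK = hashlib.sha256(b"constructed shared credential").digest()  # 32-byte PMK
AA = bytes.fromhex("02aabbccdd01")    # access point MAC (constructed)
SPA = bytes.fromhex("02aabbccdd02")   # client MAC (constructed)
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
SSIDS = (b"corp-5ghz", b"corp-2ghz")  # two networks sharing one credential


def ptk_differs_between_ssids(ssid_bound: bool) -> bool:
    """Derive the PTK under each SSID with identical PMK, MACs and nonces.

    Returns False when both SSIDs yield the same PTK (the handshake cannot
    tell the two networks apart) and True when the SSID changes the key.
    """
    ptks = {derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, s if ssid_bound else None)
            for s in SSIDS}
    return len(ptks) == 2


if __name__ == "__main__":
    print("standard KDF, PTK depends on SSID:", ptk_differs_between_ssids(False))
    print("SSID-bound KDF, PTK depends on SSID:", ptk_differs_between_ssids(True))
```

With the standard context the two SSIDs produce byte-identical PTKs, which is why a handshake relayed to the other network still completes; only the SSID-bound variant makes the keys diverge.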
Conditions for Exploitation
Certain conditions must exist for an attacker to be able to exploit the weakness. It works only in situations where an organization has two Wi-Fi networks with shared credentials. This can happen, for example, when an environment has a 2.4 GHz network and a separate 5 GHz band, each with a different SSID but the same authentication credentials. Typically, client devices would connect to the better-secured 5 GHz network. But an attacker close enough to a target network to perform a man-in-the-middle attack could set up a rogue access point with the same SSID as the 5 GHz band. They could then use the rogue access point to receive and forward all authentication frames to the weaker 2.4 GHz access point and have the client device connect to that network instead.
Such downgrading could put victims at higher risk of known attacks such as Krack and other threats, the researchers said. Significantly, in some situations it could also neutralize VPN protections. “Many VPNs, such as Cloudflare’s Warp, hide.me, and Windscribe can automatically disable the VPN when connected to a trusted Wi-Fi network,” the researchers said. That is because the VPNs recognize the Wi-Fi network based on its SSID, they noted.
Establishing the kind of multichannel man-in-the-middle presence the report describes is feasible against all current Wi-Fi implementations, the researchers said.
Top10VPN pointed to three defenses against SSID confusion attacks like those the researchers described. One is to update the IEEE 802.11 standard so that SSID authentication becomes mandatory. Another is to better protect the beacons that an access point transmits periodically to advertise its presence, so that connected clients can detect when the SSID changes. The third is to avoid credential reuse across different SSIDs.