Warning: Your wireless networks may leak data thanks to Wi-Fi spec ambiguity
How someone can nab buffered info, by hook or by kr00k
Ambiguity in the Wi-Fi specification has left the wireless networking stacks in various operating systems vulnerable to several attacks that have the potential to expose network traffic.
The design oversight was described in a presentation this week at the 2023 Real World Crypto Symposium, in Tokyo, Japan, by Mathy Vanhoef, a professor at KU Leuven in Belgium. "Crypto" in this context stands for cryptography rather than notional currency.
Vanhoef and co-authors Domien Schepers and Aanjhan Ranganathan, both from Northeastern University in the US, describe their findings more fully in a paper [PDF] titled, "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues." The paper is scheduled to be presented at the Usenix Security Symposium later this year.
In a video presentation, Vanhoef explains that the kr00k attack, revealed by ESET in 2019 and described as a Wi-Fi implementation flaw, is related to the attacks he and his colleagues developed. Having now identified several similar vulnerabilities, he argues that the Wi-Fi standard (IEEE 802.11) is not specific enough about how to handle buffered frames.
Wi-Fi frames contain various kinds of data related to network traffic and routing. They include a header, a body, and a trailer, and they help move data from one point to another.
Wi-Fi access points will queue frames associated with various network layers, buffering them so they can be sent at an appropriate time, when network resources are available.
But according to the three researchers, the Wi-Fi specification fails to describe how to manage the security context in buffered frames. And this has implications for the security of devices connecting wirelessly over Linux, FreeBSD, iOS, and Android.
"The unprotected nature of the power-save bit in a frame’s header, which our work reveals to be a fundamental design flaw, also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack," the researchers explained in their paper.
- Tech industry quietly patches FragAttacks Wi-Fi flaws that leak data, weaken security
- Bug-hunters punch huge holes in WPA3 standard for Wi-Fi security
- Smart ovens do really dumb stuff to check for Wi-Fi
- Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard
To exploit this flaw, an attacker can send a spoofed Power-Save frame (used to indicate a client is entering sleep mode) followed by an Authentication or Association frame to reset the wireless connection.
That makes the access point respond by removing the client's pairwise key. If followed by a Wake-Up frame, the access point resumes sending the buffered data – rather than dropping it – under an undefined security context.
The result is a data frame leak that can take different forms depending on the operating system involved. A successful attack may, for example, expose frame data in plain text or leave it protected only by a network group key or an all-zero encryption key.
A snoop would have to be in radio range of the wireless devices to exploit this weakness in the protocol design. In some forms of exploitation, they would effectively need to be on the network or able to join it to do so.
Schepers, Ranganathan, and Vanhoef also describe a security context override attack through which access points can be forced to encrypt frames that have not yet been queued using an adversary-chosen key, which renders the encryption ineffective.
Essentially, this attack boots the victim from the network and takes over the victim's MAC address. The researchers have published a proof-of-concept exploit tool called MacStealer that tests networks to see if they're vulnerable to a client isolation bypass (CVE-2022-47522).
Cisco, one of the vendors cited in the research paper, has issued an informational advisory that downplays the consequences of the wireless flaw by noting that "information gained by the attacker would be of minimal value in a securely configured network." By that we reckon Cisco means if you're encapsulating your wireless network traffic in transit using, say, SSH or TLS, it should remain protected by those protocols even if frames leak.
Lancom Systems has also acknowledged the researchers' findings.
Other vendors whose devices were tested by the researchers – Aruba, Asus, and D-Link – have yet to respond. ®