A recent study by academics from Northeastern University and KU Leuven has revealed a design flaw in the IEEE 802.11 Wi-Fi standard. The flaw affects a wide range of devices running Linux, FreeBSD, Android and iOS. Successful exploitation could allow an attacker to hijack TCP connections or intercept client and web traffic.

In their paper, researchers Domien Schepers, Aanjhan Ranganathan and Mathy Vanhoef explain how the attack works. The attacker abuses the power-save mechanism of endpoint devices: because the power-save bit in the frame header is not protected, it can be forged, which makes the access point buffer frames destined for the victim and later transmit them in plaintext, or encrypted with an all-zero key. "The unprotected nature of the power-save bit in a frame's header [...] also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack," the researchers noted.

In other words, the goal is to leak frames from the access point destined for a victim client station by exploiting the fact that most Wi-Fi stacks do not adequately dequeue or purge their transmit queues when the security context changes, for instance when the client is disconnected and its keys are removed. Besides manipulating the security context to leak frames from the queue, an attacker can override the client's security context used by an access point in order to receive packets intended for the victim. The attack presupposes that the targeted party is connected to a hotspot-like network, that is, one the attacker can also join.

Users and administrators of Linux, FreeBSD, Android and iOS devices should watch for vendor updates that purge queued frames on a security-context change. Until then, note that only data relying on Wi-Fi encryption alone is exposed: traffic protected above the link layer, for example by TLS or a VPN, stays confidential even if the frames carrying it are leaked.
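The queue leak described above, as an added toy model that is not code from the paper or from any real Wi-Fi stack. Only the Frame Control bit positions (Power Management = bit 12, Protected Frame = bit 14) come from IEEE 802.11; the access point, the repeating-key XOR that stands in for the pairwise cipher, the MAC addresses, the key and the payload are all constructed here. It runs the same sequence against a vulnerable access point and against one that purges the queue when the security context changes, so the difference in what reaches the air is visible.

```python
"""Toy model of the 802.11 power-save queue leak (added illustration).

Assumptions: a single AP, repeating-key XOR in place of CCMP/GCMP, and an
attacker who can forge frames carrying the victim's MAC address.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FC_TYPE_DATA = 0x0008   # Frame Control type bits 3:2 = 10b (data frame), subtype 0
FC_PWR_MGT = 1 << 12    # Power Management bit: a station sets it when entering doze
FC_PROTECTED = 1 << 14  # Protected Frame bit (unused here, shown for reference)

AP_MAC = bytes.fromhex("02aabbccdd00")       # constructed addresses and key
VICTIM_MAC = bytes.fromhex("02112233ff01")
VICTIM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ZERO_KEY = bytes(16)


def client_frame(src: bytes, pm: bool) -> bytes:
    """Minimal data-frame header: FC | duration | addr1 (AP) | addr2 (src) | addr3 | seq."""
    fc = FC_TYPE_DATA | (FC_PWR_MGT if pm else 0)
    return fc.to_bytes(2, "little") + b"\x00\x00" + AP_MAC + src + AP_MAC + b"\x00\x00"


def power_save_bit(frame: bytes) -> bool:
    """Read the PM bit from the (unauthenticated) header. Anyone who can forge
    addr2 can therefore change the AP's view of a client's doze state."""
    return bool(int.from_bytes(frame[:2], "little") & FC_PWR_MGT)


def toy_encrypt(key: Optional[bytes], payload: bytes) -> bytes:
    """Stand-in for the pairwise cipher: None means 'no key, send plaintext'.
    An all-zero key leaves the payload unchanged too, which is the other leak variant."""
    if key is None:
        return payload
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


@dataclass
class AccessPoint:
    purge_on_context_change: bool
    keys: Dict[bytes, Optional[bytes]] = field(default_factory=dict)
    dozing: Set[bytes] = field(default_factory=set)
    queues: Dict[bytes, List[bytes]] = field(default_factory=dict)
    air: List[Tuple[bytes, Optional[bytes], bytes]] = field(default_factory=list)

    def associate(self, mac: bytes, key: Optional[bytes]) -> None:
        self._set_context(mac, key)

    def disconnect(self, mac: bytes) -> None:
        """Deauth/disassoc: the pairwise key is discarded."""
        self._set_context(mac, None)

    def _set_context(self, mac: bytes, key: Optional[bytes]) -> None:
        self.keys[mac] = key
        if self.purge_on_context_change:
            self.queues.pop(mac, None)  # the fix: drop frames queued under the old context

    def receive(self, frame: bytes) -> None:
        src = frame[10:16]  # addr2 = transmitter
        if power_save_bit(frame):
            self.dozing.add(src)
        else:
            self.dozing.discard(src)
            # Wake-up: flush buffered frames under whatever context is current *now*.
            for payload in self.queues.pop(src, []):
                self.transmit(src, payload)

    def deliver(self, dst: bytes, payload: bytes) -> None:
        """Frame arriving from the wired side for a wireless client."""
        if dst in self.dozing:
            self.queues.setdefault(dst, []).append(payload)  # buffered as plaintext
        else:
            self.transmit(dst, payload)

    def transmit(self, dst: bytes, payload: bytes) -> None:
        key = self.keys.get(dst)
        self.air.append((dst, key, toy_encrypt(key, payload)))


def run_attack(purge_on_context_change: bool) -> List[Tuple[Optional[bytes], bytes]]:
    """Attacker spoofs the victim's MAC throughout; returns (key used, bytes on the air)."""
    ap = AccessPoint(purge_on_context_change)
    ap.associate(VICTIM_MAC, VICTIM_KEY)
    ap.receive(client_frame(VICTIM_MAC, pm=True))      # 1. forged "I am sleeping"
    ap.deliver(VICTIM_MAC, b"GET /account HTTP/1.1")   # 2. victim's traffic is queued
    ap.disconnect(VICTIM_MAC)                          # 3. attacker forces a disconnect
    ap.receive(client_frame(VICTIM_MAC, pm=False))     # 4. forged wake-up flushes the queue
    return [(key, data) for _dst, key, data in ap.air]


if __name__ == "__main__":
    print("vulnerable AP:", run_attack(False))  # payload leaves in plaintext
    print("patched AP:   ", run_attack(True))   # nothing leaves
```

The vulnerable run transmits the buffered request with no key, exactly the plaintext leak; an access point that encrypted the flushed frames with `ZERO_KEY` instead would leak the same bytes, since the toy cipher (like a real one keyed with zeros) offers no confidentiality. The patched run shows the fix the text calls for: purging the per-client queue whenever that client's security context is replaced or removed.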