Cybersecurity researchers have discovered a new vulnerability, stemming from a design flaw in the IEEE 802.11 Wi-Fi standard, that tricks victims into connecting to a less secure wireless network so that their traffic can be spied on, exposing devices to a “downgrade” attack.
The attack methods behind this Wi-Fi vulnerability
The attack, dubbed SSID Confusion and identified as CVE-2023-52424, affects all operating systems and Wi-Fi clients, including home and mesh networks that rely on the WEP, WPA3, 802.1X/EAP, and AMPE protocols.
The method “involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks,” said Top10VPN, which collaborated with KU Leuven professor and researcher Mathy Vanhoef.
“A successful SSID Confusion attack also causes any VPN with the auto-disable feature on trusted networks to be automatically disabled, leaving the victim’s traffic exposed.”
The problem behind the attack is that the Wi-Fi standard does not require the network name (SSID, or service set identifier) to always be authenticated, and that security measures are only required once a device chooses to connect to a particular network.
The net effect of this behavior is that an attacker can trick a client into connecting to an untrusted Wi-Fi network instead of the intended one, carrying out an adversary-in-the-middle (AitM) attack.
“In our attack, when the victim wants to connect to the TrustedNet network, we trick them into connecting to a different network, WrongNet, which uses similar credentials,” explained researchers Héloïse Gollier and Vanhoef. “As a result, the victim client will think, and will show the user, that they are connected to TrustedNet, while in reality they are connected to WrongNet.”
In other words, even when passwords or other credentials are mutually verified while connecting to a secure Wi-Fi network, there is no guarantee that the user is connecting to the intended network.
There are certain prerequisites to successfully perform the downgrading attack:
- The victim wants to connect to a trusted Wi-Fi network
- There is a rogue network with the same authentication credentials as the first
- The attacker is within range to perform an AitM between the victim and the trusted network
Proposed mitigations to address SSID Confusion include an update to the 802.11 Wi-Fi standard that incorporates the SSID into the 4-way handshake when connecting to secure networks, as well as improvements to beacon protection that allow a “client [to] store a reference beacon containing the network’s SSID and verify its authenticity during the 4-way handshake.”
Beacons are the management frames that a wireless access point periodically transmits to announce its presence; they contain information such as the SSID, the beacon interval, and the network’s capabilities, among others.
“Networks can mitigate the attack by avoiding credential reuse across SSIDs,” the researchers said. “Corporate networks should use distinct common names for the RADIUS server, while home networks should use a unique password for each SSID.”
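As an added illustration (not code from the researchers or this article), the toy model below shows why the unauthenticated SSID combined with credential reuse lets a client accept WrongNet while believing it is on TrustedNet, and how each proposed remedy (binding the SSID into the handshake, or using a unique credential per SSID) breaks the confusion. The MAC addresses, PMK values and key-derivation function are constructed placeholders, not the real 802.11 PRF.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values (not real MACs or keys): a victim client and an
# access point. In the SSID Confusion scenario the AP actually serves
# "WrongNet" while the victim believes it is joining "TrustedNet".
CLIENT_MAC = bytes.fromhex("02aabbccddee01")
AP_MAC = bytes.fromhex("02aabbccddee02")
SHARED_PMK = hashlib.sha256(b"same-credential-on-both-networks").digest()


def derive_ptk(pmk: bytes, mac_a: bytes, mac_b: bytes, nonce_a: bytes,
               nonce_b: bytes, ssid: Optional[bytes]) -> bytes:
    """Toy stand-in for the 4-way handshake key derivation (not the real
    802.11 PRF). Today the inputs are the PMK, both MAC addresses and both
    nonces; the proposed fix additionally mixes in the SSID."""
    context = b"".join(sorted([mac_a, mac_b]) + sorted([nonce_a, nonce_b]))
    if ssid is not None:
        context += b"|" + ssid  # mitigation: bind the network name to the key
    return hmac.new(pmk, context, hashlib.sha256).digest()


def handshake_accepted(client_ssid: bytes, ap_ssid: bytes, client_pmk: bytes,
                       ap_pmk: bytes, bind_ssid: bool) -> bool:
    """Model one key-confirmation step: the AP MICs a message with its PTK and
    the client verifies it with the PTK it derived itself. Returns True when
    the client accepts, i.e. believes it is talking to the intended network."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap_ptk = derive_ptk(ap_pmk, AP_MAC, CLIENT_MAC, anonce, snonce,
                        ap_ssid if bind_ssid else None)
    client_ptk = derive_ptk(client_pmk, AP_MAC, CLIENT_MAC, anonce, snonce,
                            client_ssid if bind_ssid else None)
    msg3 = b"EAPOL-Key message 3"  # constructed placeholder for the MIC'd frame
    mic = hmac.new(ap_ptk, msg3, hashlib.sha256).digest()
    return hmac.compare_digest(mic, hmac.new(client_ptk, msg3, hashlib.sha256).digest())


if __name__ == "__main__":
    # Credential reuse and no SSID binding: the client accepts WrongNet as TrustedNet.
    print(handshake_accepted(b"TrustedNet", b"WrongNet", SHARED_PMK, SHARED_PMK, False))
    # Same situation with the SSID bound into the handshake: rejected.
    print(handshake_accepted(b"TrustedNet", b"WrongNet", SHARED_PMK, SHARED_PMK, True))
    # Unique credential per SSID (the researchers' advice): rejected even without the fix.
    other_pmk = hashlib.sha256(b"unique-credential-for-wrongnet").digest()
    print(handshake_accepted(b"TrustedNet", b"WrongNet", SHARED_PMK, other_pmk, False))
```

The first call returning True is the design flaw in miniature: nothing in the key confirmation depends on the name the client thinks it is connecting to.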
The findings come about three months after two authentication bypass flaws in open-source Wi-Fi software such as wpa_supplicant and Intel’s iNet wireless daemon (IWD) were disclosed that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.
Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into dropping all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept almost all traffic.