Researchers have found a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and lets attackers snoop on their network traffic.
The SSID Confusion attack, tracked as CVE-2023-52424, affects all operating systems and Wi-Fi clients, including home and mesh networks that are based on the WEP, WPA3, 802.11X/EAP, and AMPE protocols.
The method “involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks,” said TopVPN, which collaborated with KU Leuven professor and researcher Mathy Vanhoef.
“A successful SSID Confusion attack also causes any VPN with the functionality to auto-disable on trusted networks to turn itself off, leaving the victim’s traffic exposed.”
The issue underpinning the attack is the fact that the Wi-Fi standard does not require the network name (SSID, or service set identifier) to always be authenticated, and that security measures are only required when a device opts to join a particular network.
The net effect of this behavior is that an attacker could trick a client into connecting to a Wi-Fi network other than the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack.
“In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials,” researchers Héloïse Gollier and Vanhoef explained. “As a result, the victim’s client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet.”
In other words, even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the client is connecting to the network it wants to.
There are certain prerequisites for pulling off the downgrade attack:
- The victim wants to connect to a trusted Wi-Fi network
- There is a rogue network available with the same authentication credentials as the first
- The attacker is within range to perform an AitM between the victim and the trusted network
Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard that incorporates the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a “client [to] store a reference beacon containing the network’s SSID and verify its authenticity during the 4-way handshake.”
Beacons refer to management frames that a wireless access point transmits periodically to announce its presence. They contain information such as the SSID, beacon interval, and the network’s capabilities, among others.
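To make the proposed fix concrete, here is an added simulation (not code from the researchers, TopVPN, or the 802.11 standard) of a simplified 4-way handshake. The PMK is treated as already shared between client and access point, as it is after WPA3-SAE or 802.1X/EAP authentication, where the PMK does not depend on the SSID. The PRF, key sizes and message layout are constructed stand-ins for the real 802.11 key expansion; the only thing the model is faithful about is which inputs the derivation binds. Without SSID binding, a WrongNet AP holding the same PMK completes the handshake with a client that believes it is on TrustedNet; with the SSID mixed in, the MICs no longer match and the connection fails, while the legitimate case still succeeds.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed addresses and shared credential for the demo (not real values).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
SHARED_PMK = hashlib.sha256(b"constructed shared credential").digest()


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes, ssid: Optional[str]) -> bytes:
    """Derive a toy 32-byte pairwise key from the PMK, nonces and addresses.

    Real 802.11 key expansion takes only these inputs, so the SSID is not
    bound to the keys; that gap is what SSID Confusion exploits. Passing an
    ssid models the proposed standard update that mixes it into the handshake.
    """
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    if ssid is not None:
        data += b"|ssid=" + ssid.encode()
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()


def mic(ptk: bytes, msg: bytes) -> bytes:
    """Toy message integrity code: HMAC with the first 16 bytes of the PTK as KCK."""
    return hmac.new(ptk[:16], msg, hashlib.sha256).digest()[:16]


def run_handshake(pmk: bytes, client_believes_ssid: str, ap_real_ssid: str,
                  bind_ssid: bool) -> bool:
    """Return True if the AP accepts the MIC on the client's message 2.

    client_believes_ssid is the name the client saw in (possibly spoofed)
    beacons; ap_real_ssid is the network the AP actually serves.
    """
    anonce, snonce = os.urandom(32), os.urandom(32)
    sta_ptk = derive_ptk(pmk, anonce, snonce, client_believes_ssid if bind_ssid else None)
    ap_ptk = derive_ptk(pmk, anonce, snonce, ap_real_ssid if bind_ssid else None)
    msg2 = b"EAPOL-Key msg2|" + snonce
    return hmac.compare_digest(mic(sta_ptk, msg2), mic(ap_ptk, msg2))


def ssid_confusion_outcomes() -> dict:
    """Compare the current handshake with the SSID-bound variant."""
    return {
        # Victim believes it joined TrustedNet; the AP is WrongNet with the same PMK.
        "current_standard_wrongnet_accepted": run_handshake(SHARED_PMK, "TrustedNet", "WrongNet", False),
        "ssid_bound_wrongnet_accepted": run_handshake(SHARED_PMK, "TrustedNet", "WrongNet", True),
        # The legitimate connection must still work once the SSID is bound.
        "ssid_bound_trustednet_accepted": run_handshake(SHARED_PMK, "TrustedNet", "TrustedNet", True),
    }


if __name__ == "__main__":
    for name, accepted in ssid_confusion_outcomes().items():
        print(f"{name}: {accepted}")
```

The same reasoning explains why WPA2-Personal is absent from the affected list above: its PMK is already derived with the SSID as the PBKDF2 salt, so two networks with the same passphrase but different names end up with different keys, whereas SAE and EAP produce a PMK that is independent of the network name.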
“Networks can mitigate the attack by avoiding credential reuse across SSIDs,” the researchers said. “Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID.”
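The credential-reuse advice is easy to audit on the client side. The following added example (not from the researchers or any project) parses a constructed wpa_supplicant.conf-style network list and reports every credential that is shared by more than one SSID: PSK profiles are grouped by passphrase, and EAP profiles by the RADIUS server name pinned via `domain_match` (or `domain_suffix_match`), which is the client-side counterpart of the distinct CommonName recommendation. The grouping heuristic and the sample profiles are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed wpa_supplicant.conf-style input; not taken from any real deployment.
SAMPLE_CONFIG = """
network={
    ssid="HomeNet"
    psk="correct horse battery staple"
}
network={
    ssid="HomeNet-Guest"
    psk="correct horse battery staple"
}
network={
    ssid="IoTNet"
    psk="a different passphrase"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    identity="alice@example.com"
    domain_match="radius.example.com"
}
network={
    ssid="CorpWiFi-Lab"
    key_mgmt=WPA-EAP
    identity="alice@example.com"
    domain_match="radius.example.com"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(text: str) -> list:
    """Return one dict of key/value pairs per network={...} block that has an ssid."""
    networks = []
    for block in _BLOCK.finditer(text):
        fields = {key: value for key, _quote, value in _KV.findall(block.group(1))}
        if "ssid" in fields:
            networks.append(fields)
    return networks


def credential_key(net: dict):
    """Identify which credential a profile authenticates with (heuristic).

    PSK profiles are keyed by passphrase; EAP profiles by the server name the
    client pins. Profiles with neither are skipped.
    """
    if "psk" in net:
        return ("psk", net["psk"])
    server = net.get("domain_match") or net.get("domain_suffix_match")
    if server:
        return ("eap-server", server)
    return None


def find_credential_reuse(networks: list) -> dict:
    """Map each credential used by more than one SSID to the sorted list of SSIDs."""
    by_credential = defaultdict(set)
    for net in networks:
        key = credential_key(net)
        if key is not None:
            by_credential[key].add(net["ssid"])
    return {key: sorted(ssids) for key, ssids in by_credential.items() if len(ssids) > 1}


if __name__ == "__main__":
    for (kind, _secret), ssids in find_credential_reuse(parse_networks(SAMPLE_CONFIG)).items():
        # The secret itself is deliberately not printed.
        print(f"{kind} credential shared by: {', '.join(ssids)}")
```

Run against the sample, it flags the two home profiles that share a passphrase and the two enterprise profiles that pin the same RADIUS server name; the IoT profile, with its own passphrase, is not reported.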
The findings come nearly three months after two authentication bypass flaws were disclosed in open-source Wi-Fi software such as wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.
Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into leaking all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept nearly all traffic.