Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network, letting an attacker eavesdrop on their network traffic.
The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on the WEP, WPA3, 802.1X/EAP, and AMPE protocols.
The method "involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks," said TopVPN, which collaborated with KU Leuven professor and researcher Mathy Vanhoef.
"A successful SSID Confusion attack also causes any VPN with the functionality to auto-disable on trusted networks to turn itself off, leaving the victim's traffic exposed."
The issue underpinning the attack is that the Wi-Fi standard does not require the network name (the SSID, or service set identifier) to always be authenticated, and that security measures are only required when a device opts to join a particular network.
The net effect of this behavior is that an attacker could deceive a client into connecting to a different, untrusted Wi-Fi network from the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack.
"In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials," researchers Héloïse Gollier and Vanhoef outlined. "As a result, the victim's client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet."
In other words, even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the user is connecting to the network they want to.
There are certain prerequisites to pulling off the downgrade attack:
- The victim wants to connect to a trusted Wi-Fi network
- There is a rogue network available with the same authentication credentials as the first
- The attacker is within range to perform an AitM between the victim and the trusted network
Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard that incorporates the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a "client [to] store a reference beacon containing the network's SSID and verify its authenticity during the 4-way handshake."
Beacons are management frames that a wireless access point transmits periodically to announce its presence. They contain information such as the SSID, beacon interval, and the network's capabilities, among others.
"Networks can mitigate the attack by avoiding credential reuse across SSIDs," the researchers said. "Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID."
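As an added example (not part of the article or of the researchers' work), the following Python audit applies the credential-reuse mitigation quoted above to a client-side wpa_supplicant configuration: it flags SSIDs that share a pre-shared key, and enterprise profiles whose identity is validated against the same RADIUS server name. The configuration text is constructed sample input; the field names are standard wpa_supplicant.conf keys.

```python
import re
from collections import defaultdict

# Constructed sample wpa_supplicant.conf: two PSK networks share a passphrase
# and two enterprise profiles trust the same RADIUS server CommonName, so a
# rogue AP announcing either SSID could present the same credentials.
SAMPLE_CONF = """
network={
    ssid="HomeNet"
    psk="correct horse battery staple"
}
network={
    ssid="HomeNet-Guest"
    psk="correct horse battery staple"
}
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    identity="alice"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="CorpNet-5G"
    key_mgmt=WPA-EAP
    identity="alice"
    domain_suffix_match="radius.example.com"
}
"""

def parse_networks(conf):
    """Return one {field: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        fields = {}
        for line in body.strip().splitlines():
            key, _, val = line.strip().partition("=")
            fields[key.strip()] = val.strip().strip('"')
        nets.append(fields)
    return nets

def credential_key(net):
    """Identify a profile by the credential a second SSID could reuse."""
    km = net.get("key_mgmt", "WPA-PSK")
    if "EAP" in km or "IEEE8021X" in km:
        server = net.get("domain_suffix_match") or net.get("domain_match")
        return ("eap", net.get("identity"), server)
    return ("psk", net.get("psk"))

def find_credential_reuse(conf):
    """Map each credential shared by more than one SSID to those SSIDs."""
    groups = defaultdict(list)
    for net in parse_networks(conf):
        groups[credential_key(net)].append(net["ssid"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Every entry returned is a pair of SSIDs that the article's guidance says should be given a distinct password or a distinct RADIUS server name.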
The findings come nearly three months after two authentication bypass flaws were disclosed in open-source Wi-Fi software such as wpa_supplicant and Intel's iNet Wireless Daemon (IWD) that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.
Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into leaking all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept nearly all traffic.