Researchers have identified a major security vulnerability in the design of the IEEE 802.11 WiFi protocol standard.
The flaw lets an attacker obtain network frames in plaintext by spoofing a client's MAC address, manipulating how the access point transmits the frames it has queued or buffered for that client, and capturing the redirected frames.
Adversaries can use these attacks to hijack TCP connections, intercept client and web traffic, and inject malicious content, such as JavaScript, into TCP streams. The researchers warn that network device models from Lancom, Aruba, Cisco, Asus, and D-Link are vulnerable to these attacks.
The IEEE 802.11 standard includes power-saving mechanisms that let WiFi devices conserve power: an access point buffers or queues frames destined for a client that has announced it is sleeping and transmits them when the client wakes. The standard does not specify how the security of these queued frames should be managed (in particular, under which key, if any, they are transmitted once released) and sets no limit on how long frames may remain buffered.
An attacker can spoof the MAC address of a victim client and send the access point a frame with the power-management bit set, which makes the access point believe the client is asleep and start queuing frames destined for it. The attacker then sends a frame with the bit cleared (a wake-up frame), and the access point releases the queued frames over the air, where the attacker captures them. The power-management bit sits in the 802.11 frame header, which is not authenticated, so nothing stops a spoofed frame from flipping it.
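The exchange described above, as an added example that is not part of the original article and not the researchers' MacStealer tool: a small Python model (a simplification, assumed here for illustration) of the 802.11 null-data frame that carries the power-management bit, the CCMP additional authenticated data (AAD) that shows the bit is excluded from the MIC even on protected frames, and a toy access point that, like the standard, decides "asleep" or "awake" purely from that bit. MAC addresses and the buffered payloads are constructed sample values; the access point model represents the standard's behaviour, not any specific vendor's implementation.

```python
"""Toy model of the spoofed power-save (PM) bit attack against 802.11 transmit queues.
Added example: builds/parses null-data frames, shows the CCMP AAD masks the PM bit,
and models an access point that buffers frames on the strength of that unauthenticated bit."""
import struct

# 802.11 Frame Control layout (IEEE 802.11-2016, 9.2.4.1), little-endian bit numbering
TYPE_DATA = 2
SUBTYPE_NULL = 4          # "Null function (no data)": stations use it to signal PM changes
FC1_TO_DS = 0x01
FC1_FROM_DS = 0x02
FC1_RETRY = 0x08
FC1_PWR_MGT = 0x10
FC1_MORE_DATA = 0x20
FC1_PROTECTED = 0x40


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_null_data(client_mac: str, bssid: str, power_save: bool, seq: int = 0) -> bytes:
    """24-byte null-data frame as a station sends it to its AP (ToDS=1, FromDS=0):
    Addr1 = BSSID (receiver), Addr2 = client (transmitter), Addr3 = BSSID.
    No body, no encryption; the FCS is omitted because the radio appends it."""
    fc0 = (TYPE_DATA << 2) | (SUBTYPE_NULL << 4)
    fc1 = FC1_TO_DS | (FC1_PWR_MGT if power_save else 0)
    return (struct.pack("<BBH", fc0, fc1, 0)                       # FC + Duration/ID
            + mac_bytes(bssid) + mac_bytes(client_mac) + mac_bytes(bssid)
            + struct.pack("<H", (seq & 0xFFF) << 4))                # Sequence Control


def parse_header(frame: bytes) -> dict:
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "to_ds": bool(fc1 & FC1_TO_DS),
        "from_ds": bool(fc1 & FC1_FROM_DS),
        "power_save": bool(fc1 & FC1_PWR_MGT),
        "protected": bool(fc1 & FC1_PROTECTED),
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq": seq_ctl >> 4,
    }


def ccmp_aad(frame: bytes) -> bytes:
    """Additional Authenticated Data covered by the CCMP MIC for a 3-address data
    frame (IEEE 802.11-2016, 12.5.3.3.3). The PwrMgt, Retry and MoreData bits, the
    data subtype bits and the sequence number are masked out, so even on an
    encrypted data frame the receiver cannot detect a flipped PM bit via the MIC."""
    fc0 = frame[0] & (~0x70 & 0xFF)                                  # subtype bits 4-6 -> 0
    fc1 = frame[1] & (~(FC1_RETRY | FC1_PWR_MGT | FC1_MORE_DATA) & 0xFF)
    fc1 |= FC1_PROTECTED                                             # always set to 1 in AAD
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    masked_sc = seq_ctl & 0x000F                                     # keep fragment number only
    return bytes([fc0, fc1]) + frame[4:22] + struct.pack("<H", masked_sc)


class ToyAccessPoint:
    """Per-client power-save handling reduced to its essentials: the last PM bit seen
    from a given Addr2 decides whether downlink frames are buffered or transmitted."""

    def __init__(self, bssid: str):
        self.bssid = bssid.lower()
        self.dozing = set()
        self.queue = {}          # client MAC -> buffered downlink payloads

    def receive(self, frame: bytes) -> list:
        """Handle an uplink frame; returns payloads released (transmitted) as a result."""
        h = parse_header(frame)
        if h["addr1"] != self.bssid or not h["to_ds"]:
            return []
        client = h["addr2"]      # trusted as-is: nothing in the frame proves who sent it
        if h["power_save"]:
            self.dozing.add(client)
            return []
        self.dozing.discard(client)
        return self.queue.pop(client, [])

    def deliver(self, client: str, payload: bytes) -> bool:
        """Downlink frame for a client; True if sent now, False if queued for later."""
        if client in self.dozing:
            self.queue.setdefault(client, []).append(payload)
            return False
        return True


def spoofed_power_save_attack(ap: ToyAccessPoint, victim: str) -> list:
    """The attacker's exchange: claim sleep on the victim's behalf, let downlink
    traffic pile up in the AP's queue, then 'wake up' so the AP flushes it on air."""
    ap.receive(build_null_data(victim, ap.bssid, power_save=True, seq=1))
    # Meanwhile upstream traffic for the victim reaches the AP (constructed sample payloads).
    for payload in (b"HTTP/1.1 200 OK", b"Set-Cookie: session=abc123"):
        ap.deliver(victim, payload)
    return ap.receive(build_null_data(victim, ap.bssid, power_save=False, seq=2))
```

The two checks worth running are `ccmp_aad()` on a PM=1 and a PM=0 frame with the same addresses (identical output, so integrity protection offers no defence against the spoofed bit) and `spoofed_power_save_attack()`, which returns the queued payloads the toy access point releases after the forged wake-up. Whether a real access point then sends such frames in plaintext or under a different key than the one in force when they were queued is exactly the behaviour the standard leaves unspecified.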
The researchers created a custom tool, MacStealer, to test WiFi networks for client isolation bypasses and to intercept traffic destined for other clients at the MAC layer.
They report that devices running various operating systems (Linux, FreeBSD, iOS, and Android) are affected by these attacks. Cisco is the first vendor to acknowledge the impact of the WiFi protocol flaw, stating that the attacks outlined in the paper may be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.
While there are no known cases of malicious exploitation of the flaw, Cisco recommends mitigations such as enforcing network access policy through a system like Cisco Identity Services Engine (ISE), using Cisco TrustSec or Software-Defined Access (SDA), to restrict what a client on the wireless network can reach.
Cisco also recommends using Transport Layer Security (TLS) to encrypt data in transit wherever possible, so that frames captured at the link layer do not expose application data.
The researchers will present their findings at the upcoming Black Hat Asia conference in May 2023.