Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues
24 kwietnia, 2023
Overview
On April 14, 2023, MITRE publicly disclosed researchers at Northeastern University in Boston and KU Leuven discovered a fundamental design flaw in the IEEE 802.11 WiFi protocol. The flaw allows access points to leak data in plaintext. "Framing Frames: Bypassing WiFi Encryption by Manipulating Transmit Queues," a design flaw that makes the 802.11 WiFi protocol insecure is in so-called 'network frames.' These WiFi frames are data containers with a header, a data payload, and a trailer. The information in these specific data containers includes source and destination MAC addresses and control and management information, among other things.
CVE-2022-4722 from MITRE discloses the following, "The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target's MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (such as authentication frames or re-association frames) to remove the target's original security context. This behaviour occurs because the specifications do not require an access point to purge its transmit queue before removing a client's pairwise encryption key."
D-Link became aware of this issue through its involvement with CERT/CC in December 2022, along with the industry. We have been studying its impacts on all WiFi products. Since this is a flaw within the standard, we are working with our component suppliers to investigate mitigation that isn't available now for WiFi.
Regardless of manufacture and brand, current WiFi routers and WiFi access points should be affected by this flaw. In the disclosure, a second vulnerability Fast Reconnect (FR) attacks, only affect WiFi devices supporting IEEE802.1X or SAE-PK. Most consumer devices do not support this feature; it is used in business/enterprise networks or available in Open Firmware like OpenWRT. This research report only points out a theoretically possible attack method. It can leak the IP address of the client or the website address of the visited destination, which is relatively difficult to achieve in the current natural environment.
The recommended current recommendation is implementing/using HTTPS (SSL/TLS) for all communications.
For all Wi-Fi Users:
- Use HTTPS or encryption throughout the entire process of using the internet. Currently, most websites only allow secure TLS protocols, and consumers can ensure that the website they are visiting is a legitimate HTTPS website without any issues.
- Visit D-Link's official website to keep updating the router's firmware to receive the official updated version to fix vulnerabilities once the WiFi protocol 802.11 standard has a revised version available.
For Business/Enterprise Network Managers:
- Ensure that all WiFi users are authenticated, such as policy enforcement mechanisms.
- Use VLAN isolation to separate networks.
- Keep updated with the router's newest firmware to address the vulnerability once available.
3rd Party Report information
- https://nvd.nist.gov/vuln/detail/CVE-2022-47522
- https://papers.mathyvanhoef.com/usenix2023-wifi.pdf
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0006
- https://www.wi-fi.org/discover-wi-fi/passpoint
Recommended Strong Security for all Network users:
Please ensure you frequently update the device's unique password to access its web configuration and always have WIFI encryption enabled with a unique password.