Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 Wi-Fi standard that allows attackers to trick Internet-connected devices into leaking network frames in plaintext.
Wi-Fi frames are data containers consisting of a header, a payload and a trailer; the header carries information such as the source and destination MAC addresses along with management and control data.
These frames are queued and sent in a controlled manner to avoid collisions and to improve data-exchange performance, by monitoring the busy and idle states of the receiving stations.
Researchers have found that queued or buffered frames are not adequately protected from threat actors, who can manipulate data transmission, impersonate the client, and redirect and capture frames.
The technical paper released by the researchers states: “The attacks have a broad impact because they affect many devices and operating systems (Linux, FreeBSD, iOS and Android), and because they can be used to hijack TCP communications or intercept client and web traffic.”
IEEE 802.11 includes power-saving mechanisms that allow Wi-Fi devices to conserve power by having the access point buffer (queue) frames for idle devices.
When a client station (receiver) goes into sleep mode, it sends a frame to the access point whose header has the power-save bit set, so that all frames destined for it are queued.
However, the standard does not provide clear guidance on how to handle these queued frames safely, nor does it set limits such as how long frames may remain in this state.
After the client station comes back online, the access point or Internet-connected device dequeues the buffered frames, applies encryption to them, and transmits them to the destination.
An attacker could spoof the MAC address of a device on the network and send power-save frames to access points, forcing them to start queuing frames destined for the target. The attacker then sends a wake-up frame to retrieve the queued frames.
Transmitted frames are typically encrypted using a group-addressed encryption key shared between all devices on a Wi-Fi network, or using a pairwise encryption key, which is unique to each device and is used to encrypt the frames exchanged between two devices.
However, an attacker could change the security context of the frames by sending authentication and association frames to the access point, forcing it to transmit the queued frames in plaintext or encrypted with an attacker-provided key.
This attack can be carried out using a custom tool created by the researchers called MacStealer, which can test Wi-Fi networks for client-isolation bypasses and intercept traffic destined for other clients at the MAC layer.
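As an added illustration (not code from the researchers, the paper or the article), the following toy model of an access point's power-save queue shows why buffered frames can leak: a frame queued under one security context is released under whatever context is current when the wake-up arrives. The `bind_queue_to_context` flag shows one defensive design, tagging each queued frame with the security-context generation in force when it was queued and dropping stale ones at dequeue time; all names, the key values and the scenario are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

@dataclass
class Client:
    mac: str
    key: Optional[str] = None   # pairwise key; None models "no key" (plaintext)
    asleep: bool = False
    epoch: int = 0              # security-context generation, bumped per (re)association

@dataclass
class QueuedFrame:
    payload: bytes
    epoch: int                  # security context in force when the frame was queued

class AccessPoint:
    """Toy AP model (constructed for illustration, not a real 802.11 stack)."""
    def __init__(self, bind_queue_to_context: bool):
        self.hardened = bind_queue_to_context
        self.clients: Dict[str, Client] = {}
        self.queues: Dict[str, Deque[QueuedFrame]] = {}
        self.sent: List[Tuple[str, bytes, Optional[str]]] = []  # (mac, payload, key used)

    def associate(self, mac: str, key: Optional[str]) -> None:
        c = self.clients.setdefault(mac, Client(mac))
        c.key, c.asleep, c.epoch = key, False, c.epoch + 1    # new security context

    def power_save(self, mac: str, asleep: bool) -> None:
        self.clients[mac].asleep = asleep          # power-save bit set / cleared
        if not asleep:
            self._dequeue(mac)                     # client woke up: release buffered frames

    def deliver(self, mac: str, payload: bytes) -> None:
        c = self.clients[mac]
        if c.asleep:
            self.queues.setdefault(mac, deque()).append(QueuedFrame(payload, c.epoch))
        else:
            self.sent.append((mac, payload, c.key))

    def _dequeue(self, mac: str) -> None:
        c = self.clients[mac]
        while self.queues.get(mac):
            f = self.queues[mac].popleft()
            if self.hardened and f.epoch != c.epoch:
                continue  # context changed since queuing: drop instead of re-encrypting
            self.sent.append((mac, f.payload, c.key))  # vulnerable: uses the key current *now*

def context_change_scenario(hardened: bool) -> List[Tuple[str, bytes, Optional[str]]]:
    """Spoofed power-save, then a spoofed (re)association that removes the key, then wake-up."""
    ap = AccessPoint(hardened)
    ap.associate("victim", "pairwise-key-A")   # legitimate client with its pairwise key
    ap.power_save("victim", asleep=True)       # attacker-spoofed power-save frame
    ap.deliver("victim", b"secret")            # AP buffers the frame for the "sleeping" client
    ap.associate("victim", None)               # spoofed re-association: no key in the new context
    ap.power_save("victim", asleep=False)      # wake-up frame releases the queue
    return ap.sent
```

With the flag off the buffered frame goes out under the new, keyless context (a plaintext leak); with it on, the stale frame is discarded and nothing is sent.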
There are currently no known cases of malicious use of the vulnerability discovered by the researchers.