A group of researchers from the Catholic University of Leuven (Belgium), revealed architectural vulnerability (CVE-2023-52424) in the IEEE 802.11 Wi-Fi standard, allowing connect to an attacker-controlled wireless network instead of the trusted network the user intended to connect to. The problem appears in the wireless stacks of any operating system and affects the WPA3, WEP, EAP, AMPE and FILS authentication methods.
The proposed attack technique, which is named SSID Confusion, allows you to bypass the access point authentication methods present in the protocol, which protect against substitution of the SSID network identifier and do not allow the creation of fake networks with the name of the network to which the client connects. The cause of the problem is the definition in standard situations where the SSID may not be authenticated. In particular, to indicate its presence, the access point broadcasts beacon frames that include information about the SSID network. To simplify the network discovery process, clients do not authenticate the SSID in these frames, since it is assumed that verification will be required after the client decides to connect to the network.
To successfully carry out an attack, it is required that the user initiates a connection to a specific wireless network, and there is another wireless network nearby with the same connection parameters as the first network (this is practiced, for example, when different networks are created for the 2.4GHz and 5GHz bands, or used in some university networks that support the Eduroam service). The attacker must be within range of the signal in order to interpose itself between the user and the target network (MitM). To carry out an attack, an attacker does not need to know the victim's credentials.
The attack boils down to the attacker creating an access point (WrongAP in the diagram), which ensures the operation of a dummy network (WrongNet) on another channel, to which the client must connect instead of the desired network (TrustedNet). The access point can be created on a regular laptop and is used to organize a multi-channel MitM attack on the victim (MC MitM). The attack is carried out in three stages:
- Network Discovery. The MitM system intercepts packets sent over the air by the real access point (TrustedNet) and the victim, replacing the SSID in them – in packets from the access point, the SSID is replaced with a fake one, and in the victim’s responses with the real one, in order to simulate the interaction between the client and the real access point. As a result, the victim's device receives the responses and believes that the desired network is nearby, despite the fact that these responses are broadcast by the attacker's access point.
- Authentication hijacking. The attacker feigns successful authentication and forces the client to connect to a fake network instead of the real one. As at the previous stage, the attacker intercepts frames sent during authentication by the client, replaces the SSID in them and re-sends them to the access point.
- MitM. After negotiating a communication channel, the attacker replaces the SSID from WrongNet with TrustedNet, creating the impression that the user is working through a trustworthy network and not through a fake network.
By taking advantage of the vulnerability, an attacker can force a client to connect to the wrong protected network, and the interface will display the SSID of the network to which the user originally intended to connect, and not the one to which he is actually connected. Having achieved a user connection through their network, the attacker can analyze and wedge into unencrypted traffic flows. However, with some VPNs, such as WARP, hide.me and Windscribe, the VPN will not be activated when connecting to networks that are marked as trustworthy in the settings.
The attack is applicable to wireless authentication protocols using EAP (Extensible Authentication Protocol), SAE (Simultaneous Authentication of Equals) and 802.1X, as well as in the optional WPA3 protocol mode, in which the SSID is not used when generating the PMK (Pairwise Master Key), what is done to exclude initially known data when generating a key in order to protect against various crypto-attacks. The FILS (Fast Initial Link Setup) protocol is vulnerable when using the PMK generated during EAP-based connection negotiation. The WPA1, WPA2 and FT (Fast BSS Transition) protocols are not affected by the problem, as they require the correct SSID when negotiating a connection.
To protect against an SSID Confusion attack on the access point side, the 802.11 standard mentions requiring SSID authentication at connection, which can be implemented by adding the SSID to the key generation function or including the SSID as an additional data checked during connection negotiation. On the client side, protection can be organized by protecting beacon frames (will be used in WiFi 7). Network builders can prevent attacks by not using shared credentials across networks with different SSIDs. Users can protect themselves by using reliable VPNs when connecting through any wireless networks.
Thanks for reading: