Wi-Fi design flaw makes networks vulnerable to hijacking

Researchers have discovered a flaw in the Wi-Fi standard that allows SSID confusion attacks.

Researcher Mathy Vanhoef, an Assistant Professor at KU Leuven University in Belgium, has shared some details about a new vulnerability in the Wi-Fi standard, ahead of his presentation at WiSec 2024 later this month.

The research has uncovered a design flaw in the IEEE 802.11 Wi-Fi standard that makes it possible to trick users into connecting to a less secure wireless network. As the paper, SSID Confusion: Making Wi-Fi Clients Connect to the Wrong Network, explains:

In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials. As a result, the victim’s client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet.

Fooling a target into connecting to a less secure network makes it easier for threat actors to perform other attacks, trick their victims into installing malware, or spy on their internet traffic. Also, any VPN with the functionality to auto-disable when connected to trusted networks will be fooled into turning itself off.

The problem lies in the fact that the standard does not require authentication of the network name—known as the Service Set Identifier (SSID).

To carry out an attack, a threat actor establishes a hostile network that uses the same authentication credentials as the network it’s attempting to spoof. They then establish a machine-in-the-middle position on a rogue access point that advertises the hostile network. The rogue access point is used to rewrite the name of their hostile network on-the-fly. Traffic passing from the hostile network to the victim is rewritten so that it contains the name of the SSID the victim trusts, and traffic passing back from the victim to the hostile network is rewritten so that the SSID matches the name of the hostile network.

Contrary to what you might expect, routers that support the latest WPA3 encryption standard are potentially vulnerable rather than those using WPA1 or WPA2. This is because WPA3 has an optional mode where the SSID is not used to derive the Pairwise Master Key (PMK) in the SAE (Simultaneous Authentication of Equals) handshake.

Avoiding the use of the SSID made WPA3 better protected against some cyberattacks but makes it more vulnerable to SSID confusion attacks. Enterprise networks are always vulnerable as they authenticate using 802.1X and variations of the EAP protocol, none of which make use of the SSID to derive the PMK.

Networks can mitigate the attack by avoiding credential reuse across SSIDs.

Different enterprise networks should use a different CommonName (CN) for the RADIUS server. RADIUS is an acronym that stands for “Remote Authentication Dial-In User Service.” RADIUS servers use an authentication protocol that grants or denies users access to a range of services, including Wi-Fi, VPN, and applications. Using different CNs will thwart credential reuse.

Home networks should use a unique password per SSID. Admittedly, this will result in slightly reduced usability: When a network uses separate SSIDs for 2.4GHz and 5GHz bands, each would then require different credentials.
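The following added example (not from the paper or the article) illustrates the key-derivation point made above: WPA2-PSK salts the PMK with the SSID, so a client that believes it joined TrustedNet cannot complete the key exchange with an access point actually serving WrongNet, whereas a scheme whose PMK ignores the SSID lets the exchange finish, and a unique passphrase per SSID closes that gap. The `ssid_independent_pmk` function is a constructed stand-in for the SSID-free derivation the article describes, not an implementation of SAE or EAP; the passphrases and SSIDs are constructed sample values, except the IEEE 802.11 test vector noted in the comments.

```python
import hashlib

# WPA2-Personal derives the Pairwise Master Key from the passphrase AND the SSID:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# The SSID acts as the salt, so a credential is bound to the network name.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK a WPA2-PSK client or AP computes for a given passphrase and SSID.
    Known vector from the 802.11 standard: ("password", "IEEE") ->
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def ssid_independent_pmk(passphrase: str, ssid: str) -> bytes:
    """Constructed stand-in for a derivation that does not use the SSID
    (the WPA3-SAE option and the 802.1X/EAP case in the article).
    Not real SAE or EAP; only the absence of the SSID is modelled."""
    return hashlib.sha256(passphrase.encode()).digest()


def key_exchange_completes(client_ssid: str, client_pass: str,
                           ap_ssid: str, ap_pass: str, derive) -> bool:
    """Model whether the client finishes the key exchange with the AP.
    The real 4-way handshake derives a PTK from the PMK plus nonces and
    MAC addresses and verifies a MIC; if the two sides hold different
    PMKs the MIC check fails whatever the nonces are, so comparing PMKs
    is sufficient for this model. The client uses the SSID it *believes*
    it joined (what the rewritten beacons show); the AP uses its real one."""
    return derive(client_pass, client_ssid) == derive(ap_pass, ap_ssid)


if __name__ == "__main__":
    shared = "hunter2-example"  # constructed passphrase reused on both networks
    # WPA2-PSK: same passphrase, different SSID -> different PMK -> exchange fails.
    print(key_exchange_completes("TrustedNet", shared, "WrongNet", shared, wpa2_pmk))
    # SSID-independent PMK: the beacon rewrite goes unnoticed and the client joins WrongNet.
    print(key_exchange_completes("TrustedNet", shared, "WrongNet", shared, ssid_independent_pmk))
    # Mitigation from the article: a unique passphrase per SSID breaks the reuse.
    print(key_exchange_completes("TrustedNet", "pw-trusted", "WrongNet", "pw-wrong",
                                 ssid_independent_pmk))
```

Run it and the three lines print False, True, False: only the SSID-independent derivation with a reused passphrase lets the confused client finish the exchange.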

With the introduction of Wi-Fi 7 all access points must support beacon protection. With beacon protection, a connected client can detect when an adversary changes the SSID in beacons. This leads to a possible defense against SSID confusion attacks: Beacon protection must be enabled so that a client can verify the SSID after connecting to the network.

Configuring VPN connections to remain active even when they’re connected to a trusted network will prevent threat actors from intercepting unencrypted traffic even if they successfully execute this attack.