Wi-Fi routers (opens in new tab) share between them network frames – data containers that include things like the MAC address of the source and destination endpoints, or control and management data.
If a Wi-Fi device is in power-saving mode (sleep mode), the incoming frames will be queued, to be dequeued, encrypted, and transmitted to the destination, once it wakes up and leaves the power-saving mode.
In theory, a threat actor could spoof the MAC address of a network device and send a power-saving frame, essentially telling the destination device to start queuing frames. Then, they can transmit a wake-up frame and grab all of the frames that were queued in the meantime.
While the frames will be encrypted, the threat actors can send authentication and association frames to the destination endpoint, and in doing so change the security context of the frames. Consequently, the transmitted frames will come in plaintext, or with encryption to which the attackers have the decryption key.
Devices from Lancom, Aruba, Cisco, Asus, and D-Link, are just some of those affected by this flaw.
“Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic,” the researchers – Domien Schepers and Aanjhan Ranganathan of Northeastern University, and Mathy Vanhoef of imec-DistriNet, KU Leuven – said in their report.
“An adversary can use their own Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address.”
The vulnerability can be used to eavesdrop on Wi-Fi traffic, the researchers added, but the impact of the flaw should be somewhat limited.
“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network,” BleepingComputer cited Cisco. Yet, the company suggests business use policy enforcement mechanisms, to be on the safe side.
“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker.”
Via: BleepingComputer (opens in new tab)