Active Members akkiliON Posted May 16 Active Members Report Share Posted May 16 Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and eavesdrop on their network traffic. The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on WEP, WPA3, 802.11X/EAP, and AMPE protocols. The method "involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks," TopVPN said, which collaborated with KU Leuven professor and researcher Mathy Vanhoef. "A successful SSID Confusion attack also causes any VPN with the functionality to auto-disable on trusted networks to turn itself off, leaving the victim's traffic exposed." The issue underpinning the attack is the fact that the Wi-Fi standard does not require the network name (SSID or the service set identifier) to always be authenticated and that security measures are only required when a device opts to join a particular network. The net effect of this behavior is that an attacker could deceive a client into connecting to an untrusted Wi-Fi network than the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack. "In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials," researchers Héloïse Gollier and Vanhoef outlined. "As a result, the victim's client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet." In other words, even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the user is connecting to the network they want to. There are certain prerequisites to pulling off the downgrade attack - The victim wants to connect to a trusted Wi-Fi network There is a rogue network available with the same authentication credentials as the first The attacker is within range to perform an AitM between the victim and the trusted network Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard by incorporating the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a "client [to] store a reference beacon containing the network's SSID and verify its authenticity during the 4-way handshake." Beacons refer to management frames that a wireless access point transmits periodically to announce its presence. It contains information such as the SSID, beacon interval, and the network's capabilities, among others. "Networks can mitigate the attack by avoiding credential reuse across SSIDs," the researchers said. "Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID." The findings come nearly three months after two authentication bypass flaws were disclosed in open-source Wi-Fi software such as wpa_supplicant and Intel's iNet Wireless Daemon (IWD) that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password. Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into leaking all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept nearly all traffic. Source: https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html 1 Quote Link to comment Share on other sites More sharing options...
Nytro Posted May 16 Report Share Posted May 16 1 hour ago, akkiliON said: There are certain prerequisites to pulling off the downgrade attack - Dap, interesant dar de citit partea asta. E la fel de "eficient" ca Evil Twin, doar ca aici cred ca se poate face conexiunea automat. Oricum in practica MiTM nu e asa de util, majoritatea clientilor valideaza certificatele. Sunt desigur exceptii urate care pot duce la probleme serioase, dar un atac cap-coada e destul de greu de pus la punct. 1 Quote Link to comment Share on other sites More sharing options...
Active Members akkiliON Posted May 16 Author Active Members Report Share Posted May 16 1 hour ago, Nytro said: Dap, interesant dar de citit partea asta. E la fel de "eficient" ca Evil Twin, doar ca aici cred ca se poate face conexiunea automat. Oricum in practica MiTM nu e asa de util, majoritatea clientilor valideaza certificatele. Sunt desigur exceptii urate care pot duce la probleme serioase, dar un atac cap-coada e destul de greu de pus la punct. Mi s-a parut interesant articolul + video-ul, de aceea am postat. Imi dau seama ca nu este usor un astfel de atac .... cum zici si tu. Quote Link to comment Share on other sites More sharing options...
Nytro Posted May 17 Report Share Posted May 17 Am vazut Twitter-ul plin despre asta, doar ca pare atat de simplu incat intrebarea e: de ce nu s-a facut mai demult? Quote Link to comment Share on other sites More sharing options...
