Researchers discover a Wi-Fi protocol vulnerability that allows network traffic to be hijacked

Currently, there are no known cases of malicious use of the vulnerability discovered by the researchers


Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 Wi-Fi standard that allows attackers to trick Internet-connected devices into leaking network frames in plaintext.

Wi-Fi frames are data containers consisting of a header, a payload, and a trailer. They carry information such as the source and destination MAC addresses, control data, and management data.

These frames are queued and sent in a controlled manner to avoid collisions and to improve throughput, by tracking whether the receiving stations are busy or idle.

The researchers found that queued or buffered frames are not adequately protected from threat actors, who can manipulate data transmission, impersonate a client, and redirect and capture frames.

The technical paper published by the researchers states: “The attacks have a wide impact because they affect many devices and operating systems, such as Linux, FreeBSD, iOS and Android, and because they can be used to hijack TCP connections or intercept client and web traffic.”

IEEE 802.11 includes power-saving mechanisms that let Wi-Fi devices conserve power: the access point buffers, or queues, frames destined for devices that are idle.

When a client station (the receiver) goes into sleep mode, it sends the access point a frame whose header has the power-save bit set, so that all frames destined for it are queued.

However, the standard gives no clear guidance on how these queued frames should be protected, nor does it impose limits such as how long frames may remain queued.

When the client station wakes up, the access point dequeues the buffered frames, encrypts them, and transmits them to the destination.

An attacker can spoof the MAC address of a device on the network and send power-save frames to the access point, forcing it to start queuing the frames intended for the target. The attacker then sends a wake-up frame to retrieve the queued frames.

Transmitted frames are normally encrypted either with a group key, which is shared by all devices on the Wi-Fi network, or with a pairwise key, which is unique to each device and is used to encrypt frames exchanged between two devices.

However, an attacker can change the security context of the queued frames by sending authentication and association frames to the access point, forcing it to release the frames in plaintext or encrypted with a key supplied by the attacker.
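To make the queuing flaw concrete, here is an added toy model (not the researchers' code or any vendor's firmware) of an access point's power-save buffer; it contrasts an AP that carries buffered frames across a security-context change with one that discards them. The MAC address, key name and payload are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Station:
    key: Optional[str]              # pairwise key; None means frames go out unencrypted
    asleep: bool = False
    queue: list = field(default_factory=list)

class AccessPoint:
    def __init__(self, flush_on_context_change: bool):
        self.flush_on_context_change = flush_on_context_change  # hardened if True
        self.stations: dict = {}
        self.air: list = []         # transmitted frames: (dst MAC, payload, key used)

    def associate(self, mac: str, key: Optional[str]) -> None:
        st = self.stations.get(mac)
        if st is None:
            self.stations[mac] = Station(key)
            return
        # A new authentication/association replaces the station's security context.
        if self.flush_on_context_change:
            st.queue.clear()        # hardened: buffered frames never cross contexts
        st.key, st.asleep = key, False  # vulnerable: buffer survives, key is swapped

    def set_power_save(self, mac: str, asleep: bool) -> None:
        # The AP cannot tell a genuine power-save frame from one sent by a spoofed MAC.
        st = self.stations[mac]
        st.asleep = asleep
        if not asleep:
            for payload in st.queue:                    # release under current key
                self.air.append((mac, payload, st.key))
            st.queue.clear()

    def deliver(self, mac: str, payload: str) -> None:
        st = self.stations[mac]
        if st.asleep:
            st.queue.append(payload)
        else:
            self.air.append((mac, payload, st.key))

def run_scenario(flush_on_context_change: bool) -> list:
    """Replay the sequence from the article; return frames sent without encryption."""
    ap = AccessPoint(flush_on_context_change)
    victim = "02:00:00:00:00:01"                # constructed sample MAC address
    ap.associate(victim, "victim-pairwise-key")
    ap.set_power_save(victim, True)             # spoofed: marks the victim as asleep
    ap.deliver(victim, "session cookie")        # victim's inbound traffic is buffered
    ap.associate(victim, None)                  # spoofed: new context with no key
    ap.set_power_save(victim, False)            # spoofed wake-up releases the buffer
    return [f for f in ap.air if f[2] is None]
```

`run_scenario(False)` returns the buffered frame released without a key, while `run_scenario(True)` returns nothing, which is why dropping queued frames on a security-context change is the mitigation to look for in access-point firmware.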

This attack can be carried out with a tool created by the researchers called MacStealer, which tests Wi-Fi networks for client-isolation bypasses and the interception of traffic destined for other clients at the MAC layer.

The researchers reported that they know of network hardware from Lancom, Aruba, Cisco, Asus, and D-Link that is affected by these attacks. They warn that the attacks could be used to inject malicious content, such as JavaScript, into TCP packets.
