Flaw in Wi-Fi Standard Can Enable SSID Confusion Attacks

Researchers at Belgium's KU Leuven discovered a fundamental design flaw in the IEEE 802.11 Wi-Fi standard that gives attackers a way to trick victims into connecting with a less secure wireless network than the one to which they intended to connect.

Such attacks can expose victims to higher risk of traffic interception and manipulation, according to VPN review site Top10VPN, which collaborated with one of the KU Leuven researchers to release flaw details this week ahead of a presentation at an upcoming conference in Seoul, South Korea.

A Design Flaw

The flaw, assigned as CVE-2023-52424, affects all Wi-Fi clients across all operating systems. Affected Wi-Fi networks include those based on the widely deployed WPA3 protocol, WEP, and 802.11X/EAP. The researchers have proposed updates to the Wi-Fi standard and also methods that individuals and organizations can employ to mitigate risk.

"In this paper we demonstrate that a client can be tricked into connecting to a different protected Wi-Fi network than the one it intended to connect to," KU Leuven researchers Héloïse Gollier and Mathy Vanhoef said in their paper. "That is, the client's user interface will show a different SSID than the one of the actual network it is connected to."

Vanhoef is a professor at KU Leuven whose previous work includes the discovery of several notable Wi-Fi vulnerabilities and exploits like Dragonblood in WPA3, the so-called Krack key reinstallation attacks involving WPA2, and the TunnelCrack vulnerabilities in VPN clients.

The root cause for the new Wi-Fi design flaw that the two researchers discovered stems from the fact that the IEEE 802.11 standard does not always require a network's Service Set Identifier — or SSID — to be authenticated when a client connects to it. SSIDs uniquely identify wireless access points and networks so they are distinguishable from others in the vicinity.

"Modern Wi-Fi networks rely on a 4-way handshake to authenticate themselves and the clients, as well as to negotiate keys to encrypt the connection," the researchers wrote. "The 4-way handshake takes a shared Pairwise Master Key (PMK), which can be derived differently depending on the version of Wi-Fi and the specific authentication protocol being used."

The problem is that IEEE 802.11 standard doesn't mandate that the SSID be included in the key derivation process. In other words, the SSID is not always part of the authentication process that happens when a client devices connects to an SSID. In these implementations, attackers have a opportunity to set up a rogue access point, spoof the SSID of a trusted network, and use it to downgrade the victim to a less trusted network.

Conditions for Exploitation

Certain conditions need to exist for an attacker to be able to exploit the weakness. It works only in situations where an organizations might have two Wi-Fi networks with shared credentials. This can happen, for example, when an environment might have a 2.4 GHz network and a separate 5 GHz band, each with a different SSID but the same authentication credentials. Typically, client devices would connect to the better-secured 5 GHz network. But an attacker that is close enough to a target network to perform a man-in-the-middle attack could stick a rogue access point with the same SSID as the 5 GHz band. They could then use the rogue access point to receive and forward all authentication frames to the weaker 2.4 GHz access point and have the client device connect with that network instead.

Such downgrading could put victims of higher risk of known attacks such as Krack and other threats, the researchers said. Significantly, in some situations it could also neutralize VPN protections. "Many VPNs, such as Clouldflare's Warp, hide.me, and Windscribe can automatically disable the VPN when connected to a trusted Wi-Fi network," the researchers said. That's because the VPNs recognize the Wi-Fi network based on its SSID, they noted.

Establishing the kind of a multichannel man-in-the-middle presence the report describes is feasible against all existing Wi-Fi implementations, the researchers said.

Top10VPN pointed to three defenses against SSID confusion attacks like those the researchers described. One of them is to update the IEEE 802.11 standard in order to make SSID authentication mandatory. The other is to better protect the beacons that an access point transmits periodically to advertise its presence so connected clients can detect when the SSID changes. The third is to avoid credential reuse across different SSIDs.