Skip to content

Repository for the Framing Frames publication: security context and transmit queue manipulations, client isolation bypasses, and more.

Notifications You must be signed in to change notification settings

domienschepers/wifi-framing

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 

Repository files navigation

Wi-Fi Framing

This repository summarizes information for the 'Framing Frames' publication at USENIX Security 2023 (pdf).

Furthermore, we provide proof-of-concepts implemented as test cases for the Wi-Fi Framework:

Wi-Fi Client Isolation Bypass

The MacStealer repository provides a tool to test Wi-Fi networks for client isolation bypasses (CVE-PENDING). Our attack can intercept (steal) traffic toward other clients at the MAC layer, even if clients are prevented from communicating with each other.

More information is available on the MacStealer: Wi-Fi Client Isolation Bypass repository.

Leaking Frames from the FreeBSD Queue

As a proof-of-concept we provide a test case for the Wi-Fi Framework (see usage instructions - tested with commit 1f0a7f71).

Description

In this test case, we transmit an encrypted echo request frame with the sleep-bit set causing its echo reply frame to be buffered by the access point. We then start an optimized reconnection (that is, skipping authentication) and after the association (that is, prior to the 4-Way handshake) we wake up the client with an arbitrary frame without setting the sleep-bit. Since we did not yet derive a new pairwise encryption key using the 4-Way handshake, the buffered data (in this case an echo reply frame) should not be transmitted. However, since the FreeBSD AP leaks frames by falling back on the group encryption key, we can now listen for such frames using the group key from our first session and verify if the access point is vulnerable.

Patch

The following commit prevents FreeBSD from falling back on the multicast encryption key:

Start the FreeBSD Access Point

First, we need to set up a FreeBSD AP. A configuration file for WPA2-Personal is provided in freebsd-hostapd.conf.

To start the access point, as well as a DHCP daemon, we provide the freebsd-setup-ap.sh script:

./freebsd-setup-ap.sh rum0

Run the Wi-Fi Framework Test Case

Using the Wi-Fi Framework, load the appropriate network configuration to use WPA2-Personal:

cd setup; ./load-config.sh wpa2-personal

Finally, we can run the client to execute the queue-leak-freebsd test case:

/run.py wlan0 queue-leak-freebsd

After successful execution, the test case will report our echo reply frame was encrypted using the group key.


Example output for the queue leak attack using a FreeBSD 13.1 AP and Sitecom WL-172 with Ralink (rum) driver.

Troubleshooting

  • For supported hardware and practical information, refer to Wi-Fi in FreeBSD.
  • Verify the client can connect to the FreeBSD AP and successfully issue ping commands:
./hostap.py wlan0
dhclient wlan0
ping -I wlan0 192.168.0.1

Queueing SA Query Requests

As a proof-of-concept we provide a test case for the Wi-Fi Framework (see usage instructions - tested with commit 1f0a7f71).

Note the proof-of-concept also results in a Wi-Fi Deauthentication or denial-of-service attack.

Description

In this test case, we transmit an association request with the sleep-bit set causing frames to be buffered by the access point. Note that not all frames are bufferable (IEEE 802.11-2020; "11.2.2 Bufferable MMPDUs") and the association response will be transmitted. Since our association request is rejected, the access point will initiate the SA Query procedure. The SA Query request is a bufferable frame and therefore it will be buffered by the access point's kernel, consequently causing the procedure to time out. Then, we transmit a second association request which will now be accepted by the access point since the security association expired. When the connection establishment fails to proceed (since we are only transmitting an association request), the client will be deauthenticated by the access point. Finally, the test case listens for the unprotected deauthentication frame (that is, unprotected since the access point no longer posseses a pairwise key) which proves the SA Query procedure has timed out.

Start the Access Point

Using the Wi-Fi Framework, load the appropriate network configuration to use WPA3-Personal with Management Frame Protection (MFP):

cd setup; ./load-config.sh wpa3-personal-pmf

Then start the access point:

./hostap.py wlan0 --ap

Run the Wi-Fi Framework Test Case

Using the Wi-Fi Framework, load the appropriate network configuration to use WPA3-Personal with Management Frame Protection (MFP):

cd setup; ./load-config.sh wpa3-personal-pmf

Finally, we can run the client to execute the queue-saquery test case:

./run.py wlan1 queue-saquery

After successful execution, the test case will report an unprotected deauthentication frame from the AP.


Example output for the queueing of SA Query requests on a system using Linux 5.17.6 and hostapd 2.10.

Security Advisories and Patches

The Wi-Fi Alliance and affected parties were informed on all discovered issues.

At the time of writing, the following security advisories are available:

The following patches address our security issues:

The following standard changes have been proposed:

  • Reassociating STA recognition (docx).

Talks

Parts of this work are presented at the following symposiums and industry conferences.

Real World Crypto 2023:

Centre for Cybersecurity Belgium | Connect & Share 2023:

Black Hat Asia 2023:

Workshop on Attacks in Cryptography 6:

Publication

This work is published at USENIX Security 2023.

Title

Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (pdf)

Abstract

Wi-Fi devices routinely queue frames at various layers of the network stack before transmitting, for instance, when the receiver is in sleep mode. In this work, we investigate how Wi-Fi access points manage the security context of queued frames. By exploiting power-save features, we show how to trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key. We demonstrate resulting attacks against several open-source network stacks. We attribute our findings to the lack of explicit guidance in managing security contexts of buffered frames in the 802.11 standards. The unprotected nature of the power-save bit in a frame’s header, which our work reveals to be a fundamental design flaw, also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack.

Furthermore, we demonstrate how an attacker can override and control the security context of frames that are yet to be queued. This exploits a design flaw in hotspot-like networks and allows the attacker to force an access point to encrypt yet to be queued frames using an adversary-chosen key, thereby bypassing Wi-Fi encryption entirely.

Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic. Overall, we highlight the need for transparency in handling security context across the network stack layers and the challenges in doing so.

BibTeX

@inproceedings{schepers2023framing,
  title={Framing Frames: Bypassing {Wi-Fi} Encryption by Manipulating Transmit Queues},
  author={Schepers, Domien and Ranganathan, Aanjhan and Vanhoef, Mathy},
  booktitle={32nd USENIX Security Symposium (USENIX Security 23)},
  year={2023}
}

About

Repository for the Framing Frames publication: security context and transmit queue manipulations, client isolation bypasses, and more.

Resources

Stars

Watchers

Forks