Our research resulted in a variety of vulnerabilities and weaknesses compromising the security and privacy of Wi-Fi FTM.
Due to the open and unprotected nature of Wi-Fi FTM, all vulnerabilities can be exploited remotely and pre-authentication.
Please note that all findings were disclosed to the respective vendors and are published only after a period of at least 90 days.
We identified the following characteristics and weaknesses in initiating stations.
Wi-Fi Card | Firmware | Range¹ | Terminate² | PHY-Verif.³ | Delta Verif.⁴ | Retrans.⁵ |
---|---|---|---|---|---|---|
Broadcom BCM4375B1 | Unknown | [0,+300] | Yes | No | Yes | Unknown |
Qualcomm WCN3990 | Unknown | [-22.5,+∞] | Yes | No | No | Yes |
Qualcomm QCA6390 | Unknown | [-22.5,+∞] | Yes | No | No | Yes |
Intel AC-8260 | Version 31 | [-∞,+∞] | Yes | No | No | Yes |
Intel AC-8260 | Version 36 | [-10,+100] | Yes | No | No | Unknown |
Intel AC-8265 | Version 34, 36 | [-10,+100] | Yes | No | No | Unknown |
Intel AX-200 | Version 53 | [0,+∞] | Yes | No | No | Yes |
Intel AX-200 | Version 55 | [-∞,+∞] | Yes | No | No | Yes |
Intel AX-200 | Version 57, 58, 59 | [0,+100] | Yes | No | Yes | Unknown |
Intel AX-210 | Version 62, 63, 66-68, 71, 73 | [-∞,+∞] | Yes | No | Yes | Yes |
¹ Receiver accepts distance measurements within these bounds, otherwise reports a failed measurement session.
² Receiver accepts frames terminating the measurement session.
³ Receiver rejects frames transmitted under unexpected physical-layer parameters.
⁴ Receiver accepts frames only within the expected Min Delta FTM window, otherwise does not transmit an acknowledgement.
⁵ Receiver accepts retransmissions and improperly manages timestamps.
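As an added illustration (not code from the paper or from any vendor firmware), the following Python model shows an initiating station applying the three checks behind columns 1, 4 and 5 to a constructed FTM burst: distance bounds, the Min Delta FTM window, and rejection of retransmitted frames so that already-stored t2/t3 timestamps are not overwritten. The frame fields, the 16 µs ACK delay, the 100 µs Min Delta FTM and the [0, +100] m bounds are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional
C = 299_792_458.0  # speed of light, m/s
@dataclass
class FtmFrame:
    """Constructed model of one FTM frame as the initiator sees it (all times in ps)."""
    token: int      # dialog token of this frame
    follow_up: int  # token of the earlier frame whose t1/t4 this frame carries (0 = none)
    t1_ps: int      # responder TX time of that earlier frame
    t4_ps: int      # responder RX time of the initiator's ACK to it
    rx_ps: int      # initiator RX time of this frame (its t2)
@dataclass
class InitiatorState:
    acked: dict = field(default_factory=dict)   # token -> (t2, t3) of our ACK
    last_rx_ps: Optional[int] = None
    distances_m: list = field(default_factory=list)
def distance_m(t1, t2, t3, t4):
    """Two-way ranging: RTT = (t4 - t1) - (t3 - t2); distance = RTT * c / 2."""
    return ((t4 - t1) - (t3 - t2)) * 1e-12 * C / 2
def process_frame(f, st, ack_delay_ps, min_delta_ps, bounds_m):
    """Apply the checks from footnotes 1, 4 and 5 to one received FTM frame."""
    if f.token in st.acked:  # (5) a retransmission must not overwrite stored t2/t3
        return "reject: retransmission"
    if st.last_rx_ps is not None and f.rx_ps - st.last_rx_ps < min_delta_ps:
        return "reject: below Min Delta FTM"  # (4) too early: do not acknowledge
    st.last_rx_ps = f.rx_ps
    st.acked[f.token] = (f.rx_ps, f.rx_ps + ack_delay_ps)  # t2 and t3 of our ACK
    if f.follow_up == 0:
        return "ok: no follow-up"
    t2, t3 = st.acked[f.follow_up]
    d = distance_m(f.t1_ps, t2, t3, f.t4_ps)
    if not bounds_m[0] <= d <= bounds_m[1]:  # (1) implausible distance fails the session
        return "reject: out of range"
    st.distances_m.append(d)
    return "ok: measured"
def demo():
    """Constructed burst: ACK 16 us after RX, Min Delta FTM 100 us, bounds [0, +100] m."""
    st = InitiatorState()
    frames = [
        FtmFrame(1, 0, 0, 0, 5_000_000),                        # first frame, no t1/t4 yet
        FtmFrame(2, 1, 1_000_000, 17_066_713, 105_000_000),     # genuine, about 10 m
        FtmFrame(2, 1, 1_000_000, 17_066_713, 105_000_000),     # retransmitted copy
        FtmFrame(3, 2, 110_000_000, 126_000_000, 155_000_000),  # only 50 us after the last
        FtmFrame(4, 2, 110_000_000, 125_500_000, 205_000_000),  # t4 too early: negative RTT
    ]
    results = [process_frame(f, st, 16_000_000, 100_000_000, (0.0, 100.0)) for f in frames]
    return results, st.distances_m
```

The last frame yields a negative distance, which the [0, +100] bounds reject but a [-∞, +∞] range, as in the table above, would accept.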
We identified the following vulnerabilities in responding stations.
Wi-Fi Card | Firmware | Wi-Fi FTM Resource Exhaust¹ | Denial-of-Service² |
---|---|---|---|
Qualcomm IPQ4018 | Unknown | After 16 Open Sessions | Force AP Reboot |
Qualcomm IPQ4019 | Unknown | After 16 Open Sessions | Crash 5 GHz Band |
Qualcomm QCS404 | Unknown | After 16 Open Sessions | Crash 5 GHz Band |
Intel AC-8260 | Version 31, 36 | After 32 Open Sessions | No |
Intel AC-8265 | Version 34, 36 | After 32 Open Sessions | No |
Intel AX-200 | Version 53, 55 | After 32 Open Sessions | No |
Intel AX-200 | Version 57, 58, 59 | After 10 Open Sessions | No |
Intel AX-210 | Version 62, 63, 66-68, 71, 73 | After 10 Open Sessions | No |
¹ Exhausting Wi-Fi FTM resources to perform a denial of service.
² Denial of service crashing the entire AP or the targeted frequency band.
- For Qualcomm systems, the resource exhaust lasts indefinitely and requires a manual reboot.
- For Intel systems, the resource exhaust lasts half a minute, and a full minute for firmware Version 57 onwards.
We identified an issue in the Linux kernel, which incorrectly buffers Wi-Fi FTM frames while a station is in power-save mode.
This issue has been fixed since Linux kernel 6.4-rc1 in the following commit:
For more details, refer to Section 4.2 of our research paper (pdf, repository).
Our research resulted in a variety of vulnerabilities which were assigned the following CVE Identifiers.
CVE Identifier | Description |
---|---|
CVE-2020-11270 | Possible denial of service due to RTT responder consistently rejects all FTMR by transmitting FTM1 with failure status in the FTM parameter IE. |
CVE-2020-11280 | Denial of service while processing fine timing measurement request (FTMR) frame with reserved bits set in the FTM parameter IE due to improper error handling. |
CVE-2020-11281 | Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. |
CVE-2020-11287 | Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. |
CVE-2021-0053 | Improper initialization in firmware for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi in Windows 10 may allow an authenticated user to potentially enable information disclosure via adjacent access. |
- Intel Security Advisory of November 2021.
- Qualcomm Security Bulletin of February 2021.
- Android Security Bulletin of February 2021, including the Qualcomm mitigations.
- ASUS RT-AC58U and ASUS RT-ACRH13 firmware updates mitigate their denial-of-service vulnerability.