Wifi

  1. Letting the victim request data: The adversary first waits until the victim (client) establishes a Wi-Fi connection with the vulnerable Access Point (AP). We assume the victim will then send a request to a server on the Internet. For instance, the victim may send an HTTP request to the (plaintext) website example.com. The goal of the adversary is to intercept the response that will be sent by the website.
  2. Connecting under the victim's MAC address: After the victim has requested data, for instance by sending an HTTP Request packet, the adversary forcibly disconnects the victim from the network before the response arrives at the vulnerable AP. In our example, this means the victim is disconnected before the response from example.com arrives at the AP. Once the victim is disconnected, the adversary spoofs the MAC address of the victim and connects to the network using their own credentials. This means the adversary is a malicious insider that can connect to the network using their own credentials, for instance, their own username and password in an Enterprise Wi-Fi network.
  3. Intercepting the response: Once the adversary has connected under the MAC address of the victim, the AP will associate the adversary's newly generated encryption keys with the victim's MAC address. As a result, when the response from the server arrives at the Wi-Fi network, or any incoming traffic towards the victim in general, the router will forward these incoming packets to the victim's MAC address. In our example, this means the response from example.com is forwarded by the router to the victim's MAC address. However, the adversary is now using this MAC address. This means the AP will encrypt the response using the keys of the adversary. In other words, the adversary will now receive any pending traffic that is still underway to the victim.

    By default, the attack does not intercept traffic sent by the victim, but only traffic sent towards the victim. However, an adversary can attempt subsequent attacks to also intercept traffic sent by the victim. In particular, by intercepting a DNS reply to the victim, the adversary can spoof a DNS reply and intercept all IP traffic both sent towards and sent by the victim.

Possible mitigations

  • Preventing MAC address stealing
    To mitigate our attack, an AP can temporarily prevent clients from connecting if they are using a MAC address that was recently connected to the AP.

  • 802.1X authentication and RADIUS extensions

  • Protecting the gateway's MAC address
    The AP or controller can prohibit clients from using a MAC address equal to that of the default gateway. More generally, duplicate MAC address detection can be used when a Wi-Fi client is connecting to the network, to prevent Wi-Fi clients from using a MAC address that is also in use by other devices in the network.

  • Management Frame Protection (802.11w)
    Using Management Frame Protection (MFP) would make the attack harder but not impossible. In previous work, we found some ways that clients can be disconnected/deauthenticated even when MFP is being used. Based on that experience, there always appears to be some method to forcibly disconnect a client from the network, even when MFP is being used. Put differently, it is hard to completely prevent disconnection and deauthentication attacks. That being said, MFP would be an extra hurdle to overcome when performing the attack, so it can be a useful mitigation that makes the attack harder (but not impossible) in practice.

  • Usage of VLANs
    Based on preliminary experiments, the attack does not work across different VLANs.
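The first and third mitigations above (temporarily refusing a MAC address that was recently connected, and refusing a MAC address already in use by another device such as the gateway) can be expressed as a small association policy. The following is an added example that models that policy in Python against constructed events; it is not code from the authors or from any AP vendor. The 30-second hold time, the idea that the AP knows the gateway's MAC from the wired side, and the alert on a MAC returning with a different 802.1X identity are all assumptions made for the example, not values or checks stated on the page.

```python
"""Simulated AP-side association policy: quarantine of recently used MAC
addresses plus duplicate-MAC detection. Constructed example, not AP firmware."""
from dataclasses import dataclass, field

QUARANTINE_SECONDS = 30  # assumed hold time; the page gives no specific value


@dataclass
class AccessPoint:
    # MAC addresses of other devices in the network, e.g. the default gateway.
    # Assumed to be configured or learned from the wired side.
    network_macs: set
    clients: dict = field(default_factory=dict)  # mac -> 802.1X identity now associated
    recent: dict = field(default_factory=dict)   # mac -> (disconnect time, identity)
    alerts: list = field(default_factory=list)

    def disconnect(self, mac: str, now: float) -> None:
        """Record when a client left so its address can be held for a while."""
        identity = self.clients.pop(mac, None)
        if identity is not None:
            self.recent[mac] = (now, identity)

    def associate(self, mac: str, identity: str, now: float) -> tuple:
        """Decide whether a (re)association using this MAC is accepted."""
        # Protecting the gateway's MAC address / duplicate MAC detection.
        if mac in self.network_macs:
            return False, "duplicate MAC: address belongs to another device in the network"
        if mac in self.clients:
            return False, "duplicate MAC: a client with this address is already associated"
        # Preventing MAC address stealing: refuse a MAC that was connected just now.
        prev = self.recent.get(mac)
        if prev is not None:
            t_left, prev_identity = prev
            if now - t_left < QUARANTINE_SECONDS:
                return False, f"quarantine: MAC left {now - t_left:.0f}s ago"
            if prev_identity != identity:
                # Assumed detection heuristic: the same MAC returning under a
                # different 802.1X identity is worth logging even once allowed.
                self.alerts.append(f"{mac}: identity changed {prev_identity} -> {identity}")
        self.clients[mac] = identity
        return True, "ok"


def run_scenario() -> dict:
    """Replay constructed events: a client is disconnected and its MAC is reused."""
    client_mac = "02:00:00:00:00:01"   # constructed, locally administered address
    gateway_mac = "02:00:00:00:00:fe"  # constructed
    ap = AccessPoint(network_macs={gateway_mac})
    out = {}
    out["client"] = ap.associate(client_mac, "alice", now=0.0)
    ap.disconnect(client_mac, now=10.0)  # client forcibly disconnected
    out["reuse_fast"] = ap.associate(client_mac, "insider", now=11.0)  # inside hold time
    out["reuse_late"] = ap.associate(client_mac, "insider", now=45.0)  # after hold time
    out["gateway"] = ap.associate(gateway_mac, "insider", now=46.0)
    out["alerts"] = list(ap.alerts)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The quarantine check deliberately blocks the legitimate client as well if it reconnects within the hold time, which is the trade-off of this mitigation: the window only needs to outlast the pending response the attack is after, so it can be kept short. The identity-change alert does not block anything; it gives the operator a record of the pattern described in step 2, a MAC address that leaves and comes back authenticated as someone else.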