New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

Top10VPN and cybersecurity researcher Mathy Vanhoef have identified a new vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard. By spoofing a trusted network name (SSID) and using similar-looking credentials, an attacker tricks victims into connecting to a less secure wireless network and can then eavesdrop on and intercept their network traffic. The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks based on the WEP, WPA3, 802.1X/EAP, and AMPE protocols. Some VPN clients automatically disable the VPN connection when connecting to "trusted" Wi-Fi networks specified by their SSID. A successful SSID Confusion attack can trick these VPNs into disabling, exposing the user's traffic. At that point, the operator of the rogue network (WrongNetwork) can inspect and man-in-the-middle the traffic.

Security Officer Comments:
A notable issue that highlights how vulnerable networks are to these attacks is that the Wi-Fi standard does not require the network name (SSID, or service set identifier) to always be authenticated; security measures are only required when a device opts to join a particular network. This issue affects all operating systems and Wi-Fi clients, making the vulnerability particularly severe. Even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the user is connecting to the network they intended, which lets attackers leverage this flaw to spoof a victim's trusted network. For a successful attack to occur, the threat actor must meet a few preconditions. First, the victim must want to connect to a trusted Wi-Fi network. Second, a rogue network must be available with the same authentication credentials as the first. Lastly, the attacker must be within range to perform an adversary-in-the-middle (AitM) attack between the victim and the trusted network. Three months earlier, two authentication bypass flaws were disclosed in open-source Wi-Fi software, namely wpa_supplicant and Intel's iNet Wireless Daemon (IWD), that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.

Suggested Corrections:
Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard by incorporating the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a client to store a reference beacon containing the network's SSID and verify its authenticity during the 4-way handshake. Networks can mitigate the attack by avoiding credential reuse across SSIDs. Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID.
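To see why the two corrections above (binding the SSID into the 4-way handshake, and a unique password per SSID) close the gap, here is an added Python model that is not from the researchers or this advisory. It uses the real WPA2-PSK PBKDF2 parameters, but the SSID-independent derivation and the PTK function are simplified stand-ins, and the SSID-bound handshake is hypothetical (the proposed fix, not the current standard); the addresses, nonces and passphrase are constructed sample values.

```python
import hashlib
import hmac

AP_MAC = bytes.fromhex("020000000001")  # constructed sample addresses
STA_MAC = bytes.fromhex("020000000002")
ANONCE = b"A" * 32  # constructed nonces; real ones are random per handshake
SNONCE = b"S" * 32

def wpa2_psk_pmk(passphrase, ssid):
    """Real WPA2-PSK rule: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096, 32 bytes).
    The SSID is the salt, so one passphrase on two SSIDs yields two different PMKs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ssid_independent_pmk(passphrase):
    """Simplified stand-in for a credential whose PMK ignores the SSID (WPA3 password,
    reused EAP credential). Not the real SAE or EAP derivation."""
    return hashlib.sha256(b"pmk|" + passphrase.encode()).digest()

def derive_ptk(pmk, bound_ssid=None):
    """Simplified handshake PTK over addresses and nonces, as today; bound_ssid models
    the proposed fix of mixing the SSID into the 4-way handshake (hypothetical)."""
    data = min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC) + min(ANONCE, SNONCE) + max(ANONCE, SNONCE)
    if bound_ssid is not None:
        data += b"|ssid=" + bound_ssid.encode()
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()

def handshake_completes(client_pmk, ap_pmk, bind_ssid):
    """MICs verify only if both sides derive the same PTK. The client believes it is
    joining TrustedNet (spoofed beacons); the AP that answers is really WrongNet."""
    client_ptk = derive_ptk(client_pmk, "TrustedNet" if bind_ssid else None)
    ap_ptk = derive_ptk(ap_pmk, "WrongNet" if bind_ssid else None)
    return hmac.compare_digest(client_ptk, ap_ptk)

def ssid_confusion_scenarios(passphrase="constructed-sample-passphrase"):
    """Same credential on TrustedNet and WrongNet; True means the client ends up on WrongNet."""
    return {
        # WPA2-PSK: SSID baked into the PMK, so the rogue network cannot finish the handshake.
        "wpa2_psk": handshake_completes(
            wpa2_psk_pmk(passphrase, "TrustedNet"), wpa2_psk_pmk(passphrase, "WrongNet"), False),
        # SSID-independent credential, current standard: handshake succeeds, confusion works.
        "ssid_independent_today": handshake_completes(
            ssid_independent_pmk(passphrase), ssid_independent_pmk(passphrase), False),
        # Same credential with the proposed SSID binding: mismatch detected, handshake fails.
        "ssid_independent_with_fix": handshake_completes(
            ssid_independent_pmk(passphrase), ssid_independent_pmk(passphrase), True),
        # Advisory's mitigation available today: a unique password per SSID.
        "unique_password_per_ssid": handshake_completes(
            ssid_independent_pmk(passphrase), ssid_independent_pmk(passphrase + "-2"), False),
    }
```

Only the second scenario completes, which is the confusion case; the other three show the SSID salt in WPA2-PSK, the proposed handshake binding, and per-SSID passwords each forcing a key mismatch.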