Researchers have identified a new security vulnerability in the IEEE 802.11 Wi-Fi standard that exploits a design flaw, leading to users unknowingly connecting to a less secure wireless network and allowing attackers to eavesdrop on their network traffic.
The SSID Confusion attack, identified as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks using WEP, WPA3, 802.11X/EAP, and AMPE protocols.
The attack involves tricking victims into connecting to a less secure network by impersonating a trusted network name (SSID), enabling the interception of their traffic and potential further attacks, as per findings from TopVPN, partnering with researcher Mathy Vanhoef from KU Leuven.
An successful SSID Confusion attack can cause VPNs with auto-disable functionality on trusted networks to turn off, exposing the victim’s traffic.
The vulnerability lies in the fact that the Wi-Fi standard does not always require authentication of the network name (SSID) and implements security measures only when a device connects to a specific network.
This flaw can lead to an attacker deceiving a client into connecting to a different Wi-Fi network than intended by executing a man-in-the-middle attack.
When a victim intends to connect to the network TrustedNet, the attack tricks them into connecting to a different network, WrongNet, that uses similar credentials, displaying a false connection while actually being connected to WrongNet.
Even when connecting to secure Wi-Fi networks with mutual verification of credentials, there is no guarantee that users connect to the desired network.
To carry out the attack, certain conditions must be met:
- The victim intends to connect to a trusted Wi-Fi network
- A rogue network with similar authentication credentials is available
- The attacker is within range to perform a man-in-the-middle attack between the victim and the trusted network
Recommendations to mitigate SSID Confusion include updating the 802.11 Wi-Fi standard to incorporate the SSID in the 4-way handshake for connecting to secure networks and enhancing beacon protection to verify the authenticity of a network during the handshake.
Beacons are management frames transmitted by wireless access points that announce their presence and contain information such as SSID and network capabilities.
Networks can avoid the attack by using unique credentials for each SSID in enterprise networks and unique passwords for each SSID in home networks.
These findings follow the disclosure of two authentication bypass flaws in open-source Wi-Fi software and a vulnerability in the Windows client for Cloudflare WARP that could potentially leak DNS requests, emphasizing the importance of securing Wi-Fi networks.