Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack (2402.12716v5)
Abstract: In this paper, we unveil a fundamental side channel in Wi-Fi networks, namely the observable frame size, which attackers can exploit to conduct TCP hijacking attacks. Despite the security mechanisms (e.g., WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals that an off-path attacker can still extract sufficient information from the frame-size side channel to hijack the victim's TCP connection. Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes. By observing the size of the victim's encrypted frames, the attacker can detect and hijack the victim's TCP connections. We validate the effectiveness of this side channel attack through two case studies: SSH DoS and web traffic manipulation. Specifically, our attack can terminate the victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds. Furthermore, we conduct extensive measurements to evaluate the impact of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers from 9 well-known vendors, and none of these routers can protect victims from our attack. In addition, we implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) of the evaluated Wi-Fi networks. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address this issue.
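As an added illustration (not code from the paper or its authors), the following Python models the side channel the abstract describes at the level of encrypted frame sizes: it checks whether the frame size of a TCP response reveals its type (pure ACK vs. RST) and whether a padding policy removes that distinguishability. The header byte counts, the assumption that ACKs carry a timestamp option while RSTs carry none, and the sample trace are all constructed assumptions, not measurements from the paper.

```python
from collections import defaultdict

# Constructed size model in bytes (assumptions for illustration only).
L2_OVERHEAD = 44   # assumed 802.11 data header + LLC/SNAP + CCMP header and MIC
IPV4_HDR = 20
TCP_HDR = 20
TS_OPT = 12        # TCP timestamp option plus NOP padding, assumed on ACKs only


def frame_size(options_len, payload_len=0):
    """Encrypted frame size for a TCP segment when no padding is applied."""
    return L2_OVERHEAD + IPV4_HDR + TCP_HDR + options_len + payload_len


def pad_frame(size, bucket):
    """Candidate mitigation: round every frame up to a multiple of `bucket` bytes."""
    return -(-size // bucket) * bucket


def size_to_labels(trace):
    """Map each observed frame size to the set of response types that produce it."""
    table = defaultdict(set)
    for label, size in trace:
        table[size].add(label)
    return table


def leaks_response_type(trace):
    """True if some observed size is produced by exactly one response type,
    i.e. an observer who sees that size learns the type with certainty."""
    return any(len(labels) == 1 for labels in size_to_labels(trace).values())


def apply_padding(trace, bucket):
    """Rewrite a trace as it would look under the padding policy."""
    return [(label, pad_frame(size, bucket)) for label, size in trace]


# Constructed trace: five pure ACKs with a timestamp option, three option-less RSTs.
CONSTRUCTED_TRACE = [("ack", frame_size(TS_OPT))] * 5 + [("rst", frame_size(0))] * 3

if __name__ == "__main__":
    print("unpadded leaks type:", leaks_response_type(CONSTRUCTED_TRACE))
    for bucket in (4, 16, 128):
        padded = apply_padding(CONSTRUCTED_TRACE, bucket)
        print(f"pad to {bucket:3d}-byte buckets, leaks type:", leaks_response_type(padded))
```

Padding granularity matters: a bucket smaller than the size gap between the two response types leaves them distinguishable, while a bucket that maps both sizes onto the same value hides the type.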