Researchers Discovers Critical Wi-Fi Vulnerability: All OS Affected

The Belgian university KU Leuven has identified a vulnerability in the Wi-Fi IEEE 802.11 standard, which allows an attacker to deceive victims into connecting to a fake Wi-Fi network and intercepting traffic.

According to the service Top10VPN, which collaborated with one of the KU Leuven researchers, the vulnerability was disclosed this week ahead of an upcoming conference in Seoul, South Korea. The flaw, CVE-2023-52424, affects all Wi-Fi clients on all operating systems, including networks based on the widely used WPA3 protocol, as well as WEP and 802.11X/EAP.

The issue lies in the fact that the IEEE 802.11 standard does not always require SSID authentication when a client connects. SSID identifies access points and networks, distinguishing them from others. In modern Wi-Fi networks, authentication uses a four-way handshake that includes encryption keys. However, the IEEE 802.11 standard does not mandate including the SSID in the key generation process, allowing an attacker to create a fake access point and trick the victim into connecting to a less secure network.

The vulnerability can be exploited only under certain conditions, such as when an organization has two Wi-Fi networks with shared credentials. In such cases, an attacker can set up a fake access point with the same SSID as the secure network and redirect the victim to a less secure network.

The flaw compromises user security, exposing them to known attacks such as the Key Reinstallation Attack (KRACK) and other threats. In some cases, the attack can neutralize VPN protection. Some VPNs automatically disconnect when connecting to a trusted Wi-Fi network based on the SSID.

Researchers from KU Leuven suggest several measures to protect against attacks related to SSID confusion:

  • The IEEE 802.11 standard should be updated to make SSID authentication mandatory.
  • Better protection should be applied to the beacons transmitted by access points to announce their presence, allowing connected clients to detect SSID changes.
  • The reuse of credentials for different SSIDs should be avoided.

It is worth noting that KRACK is a replay attack on any Wi-Fi network using WPA2 encryption. All secure Wi-Fi networks use a four-step handshake to generate a cryptographic key. The attacker forces the victim to reinstall an already-in-use cryptographic key during the third step of the four-step handshake. Due to the use of the AES-CCMP stream cipher in the WPA2 protocol, key reinstallation significantly weakens encryption.