In theory, attackers can intercept traffic and remotely deliver malicious code. Interestingly, this is not the first vulnerability of its kind. We explain what the problem is and what experts suggest doing to protect yourself.

Weak point - sleep mode

The new vulnerability was discovered by a group of information security researchers from Northeastern University. The cornerstone of the attack is the power-saving mechanism described in the IEEE 802.11 standard. When a receiving device goes into sleep mode, it sends the access point a frame whose header carries a special bit. From then on, all frames destined for that device are buffered until it wakes up. The researchers showed that attackers can gain access to this queue.

The problem is that the IEEE 802.11 standard gives no clear recommendations for protecting frames in the buffer, nor does it limit how long they may be stored. An attacker can try to deceive the access point by changing his own MAC address to that of the sleeping device and "collecting" the accumulated frames for himself.

The frames are typically encrypted with a group key or with pairwise keys that are unique to each pair of devices. The attacker, in turn, can send authentication frames to the access point and have the queued messages encrypted with a new key. Overall, the attack can be represented by the following diagram:

In theory, attackers could not only intercept payloads but also inject JavaScript into TCP packets to exploit known vulnerabilities in victims' browsers.

Devices and networks at risk

You can check which network devices are vulnerable with a special toolkit, MacStealer (not to be confused with the malware of the same name that steals data from personal computers). It lets you run several commands to test a network for the vulnerabilities; here are a couple of them:
Code:
./ wlan0
./ wlan0 --c2c wlan1
The first tests the basic MAC address theft scenario, in which the attacker connects from the target system's AP/BSS. The second shows whether it is possible to send malicious ARP packets from the attacker to the victim.

According to the researchers, a number of modern routers from major manufacturers are at risk. Attackers can target corporate networks as well as hotspots using Passpoint or SAE-PK. Home networks using WPA2 or WPA3 are also at risk.

However, it is worth understanding that the discovered vulnerability is not something radically new: it is based on "classic" spoofing. A similar attack against the IEEE 802.11 protocol already exists and is called kr00k; it allows intercepting some Wi-Fi traffic encrypted with WPA2.

Is it possible to fight it

So far there have been no confirmed cases of attacks exploiting the new vulnerability. Nevertheless, experts recommend a number of measures against potential abuse. In their paper, the Northeastern University engineers suggest taking a closer look at systems that have recently gone into sleep mode and are now active on the network again.

The researchers also recommend not forgetting about management frame protection (MFP), although this mechanism only makes the hacker's job harder. Finally, clients can be distributed across different VLANs, which limits the damage a hacker can cause.
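As an added example (not from the article, and not part of the MacStealer toolkit), here is a small detector implementing the researchers' advice: it flags a station that entered power-save mode and then (re)authenticates before it ever clears the sleep state. The log format and event names are constructed for the example; a real deployment would feed it events from the AP or a wireless IDS.

```python
import re
from typing import Dict, List

# Constructed sample log (hypothetical format): one line per 802.11
# management/control event as an AP or wireless IDS might record it.
SAMPLE_LOG = """\
t=100 sta=aa:bb:cc:dd:ee:01 event=ps_enter
t=101 sta=aa:bb:cc:dd:ee:02 event=ps_enter
t=105 sta=aa:bb:cc:dd:ee:01 event=auth
t=106 sta=aa:bb:cc:dd:ee:01 event=assoc
t=107 sta=aa:bb:cc:dd:ee:01 event=ps_poll
t=140 sta=aa:bb:cc:dd:ee:02 event=ps_exit
t=141 sta=aa:bb:cc:dd:ee:02 event=ps_poll
"""

LINE_RE = re.compile(r"t=(\d+) sta=([0-9a-f:]{17}) event=(\w+)")

# Events that set up a new security association. If one arrives from a MAC
# the AP still believes is asleep, the frames buffered for that MAC would be
# released under a key the sleeping client never negotiated: the queue-theft
# pattern described in the article.
REASSOCIATION_EVENTS = {"auth", "assoc", "reassoc"}


def find_suspicious_reconnects(log_text: str) -> List[dict]:
    """Return one alert per (re)authentication seen while the same MAC is
    still in power-save mode and has not cleared the sleep state itself."""
    asleep_since: Dict[str, int] = {}
    alerts: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        t, sta, event = int(m.group(1)), m.group(2), m.group(3)
        if event == "ps_enter":
            asleep_since[sta] = t
        elif event == "ps_exit":
            asleep_since.pop(sta, None)  # client cleared the sleep state
        elif event in REASSOCIATION_EVENTS and sta in asleep_since:
            alerts.append({"sta": sta, "slept_at": asleep_since.pop(sta),
                           "reauth_at": t, "event": event})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_reconnects(SAMPLE_LOG):
        print(f"{a['sta']} slept at t={a['slept_at']} but sent {a['event']} "
              f"at t={a['reauth_at']}: possible queued-frame theft")
```

Station ee:02 wakes normally and is not reported; station ee:01 re-authenticates while its queue is still pending and is flagged once per sleep episode.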

At the same time, Hacker News users noted in a thread on the topic that attacks of this kind primarily target frames that are not protected by additional security measures. Even network equipment vendors call this vulnerability "opportunistic," meaning it can be countered through proper network configuration. Since it involves stealing frames from a queue, they need to be encrypted before they get there. One user said they had set up an architecture with frame encryption in the cloud and IP tunneling, so the data was encrypted long before it entered the buffer queue.