Core concepts
An off-path attacker can hijack a victim's TCP connection in Wi-Fi networks by exploiting the observable encrypted frame size as a side channel.
Summary
The paper unveils a fundamental side channel in Wi-Fi networks, the observable size of encrypted frames, which off-path attackers can exploit to conduct TCP hijacking attacks.
The attack consists of four key steps:
- Identifying the victim supplicant in the Wi-Fi network by obtaining their MAC and IP address pair.
- Detecting the victim's TCP connections by analyzing the size of the encrypted frames. The attacker impersonates the victim and sends forged SYN/ACK packets to trigger challenge ACK responses, which have a distinct frame size.
- Inferring the exact sequence number of the target TCP connection by observing the size variations in the victim's encrypted frames in response to the attacker's guessed sequence numbers.
- Inferring an acceptable acknowledgment number by leveraging the challenge ACK mechanism, where the server's challenge ACK responses have a fixed frame size.
With the inferred sequence and acknowledgment numbers, the attacker can hijack the victim's TCP connection to either terminate the connection or inject malicious data.
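Steps 2 to 4 above all rely on provoking challenge ACKs (RFC 5961) from one of the two TCP endpoints, so a burst of challenge ACKs leaving a host is a host-side signal that the probing phase is under way. The following added example (not code from the paper or its authors) shows how a defender on a Linux host could read the kernel's own counters for this: `/proc/net/netstat` exposes, in its `TcpExt` group, the fields `TCPChallengeACK` (challenge ACKs sent) and `TCPSYNChallenge` (challenge ACKs sent in reply to a SYN on an established connection). The two snapshots are constructed sample input, and the alert threshold is an assumed tuning value, not a figure from the paper.

```python
"""Detect a challenge-ACK burst from Linux /proc/net/netstat counters.

Added example, not from the paper. Assumptions: the host is Linux and the
TcpExt group carries the TCPChallengeACK and TCPSYNChallenge counters; the
threshold of 20 challenge ACKs per second is an assumed tuning value.
"""
from typing import Dict, Tuple

# Constructed sample excerpts of /proc/net/netstat taken 10 s apart.
# Real files carry many more columns; the parser does not depend on the order.
SNAPSHOT_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv TCPChallengeACK TCPSYNChallenge
TcpExt: 0 0 12 3
"""
SNAPSHOT_T1 = """\
TcpExt: SyncookiesSent SyncookiesRecv TCPChallengeACK TCPSYNChallenge
TcpExt: 0 0 412 203
"""


def parse_netstat(text: str) -> Dict[str, Dict[str, int]]:
    """Parse /proc/net/netstat, which lists each group as a header line of
    counter names followed by a line of values, into {group: {name: value}}."""
    groups: Dict[str, Dict[str, int]] = {}
    lines = [line for line in text.splitlines() if line.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        group, *names = header.split()
        vgroup, *vals = values.split()
        if group != vgroup or len(names) != len(vals):
            raise ValueError("malformed netstat snapshot")
        groups[group.rstrip(":")] = dict(zip(names, map(int, vals)))
    return groups


def challenge_ack_rate(before: str, after: str,
                       interval_s: float) -> Tuple[float, float]:
    """Return (challenge ACKs per second, SYN challenges per second)
    between two snapshots taken interval_s seconds apart."""
    b = parse_netstat(before)["TcpExt"]
    a = parse_netstat(after)["TcpExt"]
    d_ack = a["TCPChallengeACK"] - b["TCPChallengeACK"]
    d_syn = a["TCPSYNChallenge"] - b["TCPSYNChallenge"]
    return d_ack / interval_s, d_syn / interval_s


def probing_suspected(before: str, after: str, interval_s: float,
                      threshold_per_s: float = 20.0) -> bool:
    """Flag a host that is emitting challenge ACKs faster than the assumed
    threshold; legitimate traffic produces them only sporadically."""
    ack_rate, syn_rate = challenge_ack_rate(before, after, interval_s)
    return ack_rate >= threshold_per_s or syn_rate >= threshold_per_s


if __name__ == "__main__":
    # In production, read /proc/net/netstat twice instead of the constants.
    print(challenge_ack_rate(SNAPSHOT_T0, SNAPSHOT_T1, 10.0))   # (40.0, 20.0)
    print(probing_suspected(SNAPSHOT_T0, SNAPSHOT_T1, 10.0))    # True
```

The counters are global to the host, so the check says that some connection is being probed, not which one; correlating the burst with the destination of the challenge ACKs (for example from a packet capture on the endpoint, where the frames are already decrypted) narrows it to the affected connection. Frame-size padding at the Wi-Fi layer would remove the side channel itself; this check only surfaces the probing that exploits it.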
The authors conduct extensive measurements on 30 popular wireless routers and 80 real-world Wi-Fi networks, demonstrating the effectiveness of the attack. The results show that 93.75% of the evaluated Wi-Fi networks are vulnerable to the proposed TCP hijacking attack.
Stats
The attack can terminate a victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds.
Quotes
"We unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks."
"Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes."