Off-Path TCP Hijacking in Wi-Fi Networks: Exploiting Encrypted Frame Size as a Side Channel Attack

Core Concepts
An off-path attacker can hijack a victim's TCP connection in Wi-Fi networks by exploiting the observable encrypted frame size as a side channel.
The paper unveils a fundamental side channel in Wi-Fi networks, the observable frame size of encrypted frames, which can be exploited by off-path attackers to conduct TCP hijacking attacks. The attack consists of four key steps:

- Identifying the victim supplicant in the Wi-Fi network by obtaining their MAC and IP address pair.
- Detecting the victim's TCP connections by analyzing the size of the encrypted frames. The attacker impersonates the victim and sends forged SYN/ACK packets to trigger challenge ACK responses, which have a distinct frame size.
- Inferring the exact sequence number of the target TCP connection by observing the size variations in the victim's encrypted frames in response to the attacker's guessed sequence numbers.
- Inferring an acceptable acknowledgment number by leveraging the challenge ACK mechanism, where the server's challenge ACK responses have a fixed frame size.

With the inferred sequence and acknowledgment numbers, the attacker can hijack the victim's TCP connection to either terminate the connection or inject malicious data.

The authors conduct extensive measurements on 30 popular wireless routers and 80 real-world Wi-Fi networks, demonstrating the effectiveness of the attack. The results show that 93.75% of the evaluated Wi-Fi networks are vulnerable to the proposed TCP hijacking attack.
The attack can terminate a victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds.
"We unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks."

"Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes."

Deeper Inquiries

How can the 802.11 standard be modified to prevent the leakage of TCP connection information through the encrypted frame size?

To prevent the leakage of TCP connection information through the encrypted frame size in the 802.11 standard, several modifications can be considered:

- Dynamic Padding: One approach could be to introduce dynamic padding of encrypted frames. By dynamically adjusting the size of encrypted frames, the side channel information leakage can be minimized. This padding could be implemented in a way that adds random bits to the frame size, making it harder for attackers to infer information from the frame size.
- Frame Size Randomization: Another strategy could involve randomizing the frame sizes within a certain range. By introducing variability in the frame sizes, attackers would find it more challenging to extract meaningful information from the encrypted frames.
- Frame Size Normalization: Implementing a mechanism to normalize frame sizes could also be beneficial. By ensuring that all encrypted frames have a consistent size, regardless of the actual data size, the side channel information leakage can be reduced.
- Encryption Enhancements: Enhancing the encryption algorithms used in Wi-Fi networks can also contribute to mitigating the leakage of TCP connection information. Stronger encryption methods can make it more difficult for attackers to extract meaningful data from the frame sizes.
- Protocol Updates: Regular updates and revisions to the 802.11 standard can address vulnerabilities and introduce new security measures to protect against side channel attacks. Including specific guidelines on frame size handling and encryption can enhance the overall security of Wi-Fi networks.
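The side channel summarized under Core Concepts (encrypted frames whose sizes track the TCP response packets inside them) and the padding and normalization options just listed can both be made concrete with a small model. The following Python is an added example written for this page, not code from the paper or its authors. The 802.11/CCMP overhead constants are the standard framing sizes for a WPA2-CCMP QoS data frame; the TCP packet lengths, the padding bucket sizes and the random-padding range are assumptions chosen for the illustration.

```python
"""Frame-size side channel and size normalization, modelled in Python.

Added example for this page, not code from the paper or its authors. The
framing constants are the standard 802.11/WPA2-CCMP overheads; the TCP packet
lengths, bucket sizes and random-padding range are assumptions for the model.
"""
import math
import random
from collections import defaultdict

# Per-frame overhead around one encrypted IP packet on a WPA2-CCMP link.
# Assumption: QoS data frame (26-byte MAC header), CCMP header (8),
# LLC/SNAP header (8), CCMP MIC (8) and FCS (4): 54 bytes in total.
OVERHEAD = 26 + 8 + 8 + 8 + 4

# Constructed IP-level lengths of TCP control packets carrying no payload.
# Assumption: the TCP timestamp option was negotiated, so ACK-type packets
# carry 12 bytes of options, RSTs carry none, and a SYN/ACK carries the
# usual 20 bytes of handshake options.
IP_LEN = {"rst": 40, "pure_ack": 52, "challenge_ack": 52, "syn_ack": 60}


def encrypted_frame_size(ip_len, pad_to=None):
    """Size on air of the encrypted frame carrying an ip_len-byte packet.

    pad_to=None models Wi-Fi as deployed: ciphertext length tracks plaintext
    length exactly. pad_to=N models size normalization: the plaintext is
    padded up to the next multiple of N bytes before encryption.
    """
    if pad_to:
        ip_len = -(-ip_len // pad_to) * pad_to  # round up to a multiple of pad_to
    return ip_len + OVERHEAD


def observable_classes(packet_types, pad_to=None):
    """Map each frame size an eavesdropper can see to the packet types behind it."""
    classes = defaultdict(list)
    for name in packet_types:
        classes[encrypted_frame_size(IP_LEN[name], pad_to)].append(name)
    return {size: sorted(names) for size, names in classes.items()}


def leakage_bits(packet_types, pad_to=None):
    """Bits of information about the packet type that the frame size gives
    away, taking every type as equally likely: log2(number of size classes)."""
    return math.log2(len(observable_classes(packet_types, pad_to)))


def random_padded_sizes(ip_len, n, max_pad, seed=0):
    """Frame sizes seen over n transmissions of the same packet when each
    copy gets an independent random pad of 0..max_pad bytes (dynamic padding)."""
    rng = random.Random(seed)
    return [encrypted_frame_size(ip_len + rng.randint(0, max_pad)) for _ in range(n)]


def mean(values):
    return sum(values) / len(values)


if __name__ == "__main__":
    types = list(IP_LEN)
    print("no padding:      ", observable_classes(types), leakage_bits(types), "bits")
    print("pad to 16 bytes: ", observable_classes(types, 16), leakage_bits(types, 16), "bits")
    print("pad to 64 bytes: ", observable_classes(types, 64), leakage_bits(types, 64), "bits")
    # Random padding hides a single frame but not a repeated one: averaging
    # over many observations recovers the underlying size difference.
    print("random pad, mean RST vs ACK size:",
          mean(random_padded_sizes(IP_LEN["rst"], 2000, 31)),
          mean(random_padded_sizes(IP_LEN["pure_ack"], 2000, 31)))
```

Two things the model makes visible: without padding, an RST and an ACK from the same host land in different size classes, which is exactly the distinguishability the paper relies on; padding every frame up to a fixed bucket collapses all four control packets into one class, while padding by a random amount only blurs individual frames and leaves the mean size, and therefore the packet type, recoverable to anyone who can watch the same stimulus repeated.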

How could the TCP specification be revised to make it more resilient against attacks that leverage inconsistent responses, such as the challenge ACK mechanism?

To make the TCP specification more resilient against attacks that leverage inconsistent responses, such as the challenge ACK mechanism, the following revisions could be considered:

- Standardized Response Handling: Implementing standardized response handling mechanisms in the TCP specification can help ensure consistent behavior across different implementations. By defining clear rules for how TCP entities should respond to various scenarios, the protocol can become more robust against manipulation attempts.
- Enhanced Verification Mechanisms: Introducing enhanced verification mechanisms for TCP segments can help prevent attackers from exploiting inconsistencies in responses. By strengthening the validation process for incoming segments, the protocol can detect and mitigate malicious activities more effectively.
- Challenge ACK Refinement: Refining the challenge ACK mechanism to include additional checks or validations can enhance its security. By adding layers of verification or authentication to challenge ACK responses, the protocol can better defend against spoofing or manipulation attempts.
- Dynamic Window Adjustments: Implementing dynamic window adjustments based on network conditions and traffic patterns can help prevent blind injection attacks. By adapting the window size in response to changing circumstances, TCP connections can maintain a higher level of security.
- Improved Error Handling: Enhancing error handling mechanisms in TCP can improve the protocol's resilience against attacks. By providing clearer error messages and responses, TCP entities can better detect and respond to anomalous behavior, reducing the risk of exploitation.

By incorporating these revisions and enhancements into the TCP specification, the protocol can strengthen its security posture and better defend against attacks that leverage inconsistent responses like the challenge ACK mechanism.
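The "standardized response handling" and "challenge ACK refinement" points above can be stated as a concrete receiver-side policy. The Python below is an added example for this page, not code from the paper or from any real TCP stack: it models how RFC 5961 answers an unexpected RST (exact sequence number resets, in-window sequence number draws a challenge ACK, out-of-window is dropped), which is the response asymmetry an off-path guesser can observe, and contrasts it with a uniform policy that reacts the same way to every inexact guess, bounded by a per-connection, jittered budget of challenge ACKs. The connection state values and the budget sizes are assumptions.

```python
"""Receiver-side response policies for unexpected RST segments, modelled in Python.

Added example for this page, not code from the paper or any TCP implementation.
The connection state and the challenge-ACK budget below are assumed values.
"""
from dataclasses import dataclass, field
import random

MOD = 2 ** 32


@dataclass
class Receiver:
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int            # receive window size
    budget: int = 5         # challenge ACKs still allowed in the current interval
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def rfc5961_rst(self, seq):
        """RFC 5961 section 3.2 behaviour: an exact match resets the connection,
        an in-window sequence number triggers a challenge ACK, anything else is
        silently dropped. Silence versus challenge ACK is what leaks whether the
        guess was inside the window."""
        if seq == self.rcv_nxt:
            return "reset"
        if self.in_window(seq):
            return "challenge_ack"
        return "drop"

    def uniform_rst(self, seq):
        """Same reaction to every inexact RST, in-window or not, so the response
        no longer depends on the secret window position. A legitimate peer that
        sent a stale RST still receives the challenge and can retry exactly."""
        if seq == self.rcv_nxt:
            return "reset"
        return "challenge_ack"

    def rate_limited_uniform_rst(self, seq):
        """uniform_rst with a per-connection budget so that a flood of bogus
        RSTs cannot turn the receiver into a challenge-ACK amplifier. The
        budget is consumed identically for in-window and out-of-window guesses."""
        response = self.uniform_rst(seq)
        if response == "challenge_ack":
            if self.budget <= 0:
                return "drop"
            self.budget -= 1
        return response

    def refill(self, base=5, jitter=5):
        """Called once per interval. The new budget is randomized so that the
        exact moment the limit engages is not itself a clean counter."""
        self.budget = base + self.rng.randint(0, jitter)


def responses_to_inexact_guesses(policy, guesses, rcv_nxt):
    """Set of distinct observable reactions over all guesses that miss rcv_nxt.
    One element means the policy gives a guesser no in-window/out-of-window oracle."""
    return {policy(seq) for seq in guesses if seq != rcv_nxt}


if __name__ == "__main__":
    conn = Receiver(rcv_nxt=1000, rcv_wnd=2000)
    probes = range(0, 10000, 500)
    print("RFC 5961 policy:", responses_to_inexact_guesses(conn.rfc5961_rst, probes, conn.rcv_nxt))
    print("uniform policy: ", responses_to_inexact_guesses(conn.uniform_rst, probes, conn.rcv_nxt))
```

One caveat that belongs with any rate limit: a single global challenge-ACK counter shared across connections was itself exploited as an off-path side channel in Linux (CVE-2016-5696), which is why the budget here is kept per connection and refilled with jitter rather than to a fixed number. Uniform responses also do nothing about the frame-size leak on the wireless link; they only remove the receiver-side asymmetry, so they complement rather than replace frame-size normalization.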