Recently, access to public Wi-Fi networks is easily feasible due to their availability in most common public places.
The nature of Wi-Fi networks is such that supplicants, or end hosts, can come from all corners of the world and be owned by individuals from diverse organizations.
This contrasts wired LANs like Ethernet, where the end hosts typically belong to the same organization.
With the rapid evolution of wireless networks, threat actors now have a greater opportunity to intercept other users’ traffic in the same network.
That’s why the security mechanisms for wireless networks are constantly evolving, from the outdated Wired Equivalent Privacy (WEP) to the latest standard of Wi-Fi Protected Access 3 (WPA3).
New MITM Attack
The open-access nature of public Wi-Fi networks makes them particularly vulnerable to MITM (Man-in-the-Middle) attacks.
In Evil Twins attacks, also known as “Rogue Access Point attacks,” threat actors can deploy a fake wireless access point (AP) to intercept the traffic of unsuspecting victims.
While this complete research study was conducted by the security researchers from the following universities:-
- Tsinghua University (China)
- Zhongguancun Lab (China)
- George Mason University (USA)
A new MITM attack has been discovered by security analysts that can bypass the security mechanisms present in Wi-Fi networks.
The attack operates by imitating the genuine access point and transmitting a forged ICMP redirect message to a targeted supplicant. This enables the hackers to covertly hijack traffic from the supplicant without deploying fake access points (AP).
This attack primarily exploits the cross-layer vulnerabilities between ICMP protocols and WPAs that result in cross-layer interactions. This allows the threat actors to bypass the security mechanisms on the WPA link layer.
Access points (APs) use security mechanisms developed by the Wi-Fi Alliance to encrypt the network traffic of connected supplicants.
Depending on the network environment, the AP can enforce WPA2 or WPA3 security mechanisms.
Here below, we have mentioned all the security modes used by the AP:-
To access remote servers on the Internet, the victim subscribes to a wireless access point (AP) in the public network.
Attackers, in this case, are malicious supplicants who do not have any particular demands regarding the hardware or software of the system.
An attacker needs to satisfy the following requirements to intercept victim traffic:-
- The Wi-Fi network of the target must be configured to allow ICMP redirects.
- To receive the victim supplicant’s traffic, supplicants in the Wi-Fi network must communicate with each other.
- An attacker can identify the victim’s IP address and the server the supplicant is attempting to communicate with.
- It could be possible for the threat actor to identify the open UDP ports on the victim supplicant.
- The attacker can send spoofed packets using the source IP address of the AP.
Researchers found a critical vulnerability in the NPUs of the AP routers 2 during their research, and the flaws have been tracked as CVE-2022-25667.
There is a possibility that ICMP error messages can be forged and transferred in a Wi-Fi network through the use of this vulnerability by a malicious supplicant.
From 10 popular AP vendors, over 55 popular wireless routers were examined by security experts. This vulnerability makes it impossible for these routers to protect themselves from malicious, forged ICMP redirect messages.
In addition to their in-depth analysis of 122 Wi-Fi networks in real-world settings, encompassing all commonly used security modes, they conducted an extensive measurement study.
According to the experimental findings, their attack exploited vulnerabilities in 109 of the 122 Wi-Fi networks tested, indicating an 89% success rate.
This study aims to illustrate how a MITM attack can effectively launch across different Wi-Fi networks, resulting in significant real-world consequences.
Why do Organizations need Unified endpoint management – Download Free E-books & Whitepapers