The recent discovery of a critical vulnerability in the NPU chipset by Tsinghua University and George Mason University researchers allows attackers to eavesdrop on data transmitted over 89% of real-world Wi-Fi networks by exploiting it.
Hardware acceleration, such as using NPU chipsets in Wi-Fi networks, improves data transmission rate and reduces latency but also introduces security concerns due to the direct transmission of wireless frames by Access Point (AP) routers.
Wi-Fi MITM Attack Model
The recently discovered flaw in the NPU’s wireless frame forwarding procedure allows attackers to launch Man-in-the-Middle (MITM) attacks on Wi-Fi networks without requiring rogue APs.
The attack, capable of bypassing link-layer security mechanisms such as WPA3 and intercepting plaintext traffic, has been detailed in a research paper accepted by the 2023 IEEE Symposium on Security and Privacy.
An attacker is connected to a Wi-Fi network at this point so that the attacker has access to the Internet in order to attack the victim.
After passing phone authentication, imagine accessing the Wi-Fi network of a cafeteria secured with WPA2 or WPA3, where each session to the AP router is protected by the Pairwise Transient Key (PTK) session key.
Experts found that the victim supplicant’s traffic in plaintext could be intercepted easily by evading the security mechanisms like WPA2 and WPA3.
Attackers Spoofing IP
Here the attacker spoofs the source IP address by impersonating the AP and then sends an ICMP redirect message (type=5) to the victim.
To prioritize performance, the NPU in AP routers like Qualcomm IPQ5018 and HiSilicon Gigahome Quad-core will directly transmit the received fake ICMP redirect messages to the victim seeker.
When the victim supplicant receives the message, it is deceived into updating its routing cache and substituting the next hop with the attacker’s IP address, causing subsequent IP packets meant for the server to be directed to the attacker at the IP layer, enabling packet forwarding by the attacker.
Silently and without employing any rogue AP, the attacker effectively performs a MITM attack, enabling the interception and modification of the victim supplicant’s traffic.
The vulnerability preventing AP devices from blocking forged ICMP redirect messages has been confirmed by Qualcomm and Hisilicon, with Qualcomm assigning CVE-2022-25667 to this specific problem.
Security analysts conducting a large-scale empirical study on mainstream AP routers and real-world Wi-Fi networks discovered that the vulnerability in embedded NPUs affects almost all mainstream AP routers.
Out of the 55 vulnerable AP routers tested from 10 well-known AP vendors, the experts found that over 89% of the 122 real-world Wi-Fi networks tested were exposed to already known attacks.
While as a mitigatory recommendation, experts have affirmed that to enhance security, APs should throttle crafted ICMP redirects, and supplicants should verify received ICMP messages.
Common Security Challenges Facing CISOs? – Download Free CISO’s Guide