I recently read an interesting paper by Mathy Vanhoef about the next generation of Wi-Fi attacks. This paper, called framing frames, goes into detail on the following types of Wi-Fi attacks which can be done with beacon frames.
What is a beacon frame?
Wi-Fi networks periodically broadcast packets known as beacon frames to announce their presence to nearby clients. These beacon frames serve as a lighthouse, providing essential information about the network, such as its Service Set Identifier (SSID), supported data rates, and other parameters that assist devices in understanding and connecting to the network.
While beacon frames play a pivotal role in the establishment and management of Wi-Fi connections, they are transmitted openly, making them susceptible to various vulnerabilities if not properly secured.
As these frames are disseminated even before a security association is established between a client and an access point, their unprotected nature can be a potential avenue for adversaries to exploit and launch attacks on the network and its associated clients.
How can you attack Wi-Fi with Beacon Frames?
Reducing Throughput of Clients:
- Summary: The adversary spoofs beacon frames to instruct target devices to lower their transmission power, leading to diminished network connectivity and performance.
- Requirements: Ability to forge beacon frames.
- Attack Process: The adversary spoofs beacon frames that instruct the target device to lower its transmission power.
- Outcome: The network connection becomes unusable for the target, and other stations get an unfair share of the available airtime.
- Devices Affected: MacBook Pro, iPhone, iPad, Windows devices using Alfa and TP-Link dongles.
- Likelihood of Success: High for the mentioned devices. The Wi-Fi chip being used influences whether a device is affected. The precise impact of the attack depends on the target and the number of nearby clients. In general, if the target is the only active client, its throughput is significantly lowered. If other clients are active, the throughput of a vulnerable target can drop to almost zero.
- Summary: The adversary induces the target device into transmitting unnecessary frames, leading to battery drainage.
- Requirements: Ability to inject forged beacon frames immediately after legitimate ones.
- Attack Process: The adversary uses forged beacons to indicate to the AP that it's buffering unicast frames for all associated clients, causing the target to poll the AP for buffered frames.
- Outcome: The battery of resource-constrained devices gets drained faster.
- Devices Affected: Not specified, but the attack can affect any device that responds to malicious TIM elements in beacons.
- Likelihood of Success: High for devices that respond to the malicious TIM elements. The attack will drain the battery of resource-constrained devices faster.
Preventing Frame Delivery:
- Summary: The adversary spoofs timestamp values and Traffic Indication Map (TIM) elements inside beacons to hinder the delivery of broadcast and unicast frames.
- Requirements: Ability to spoof the timestamp parameter and TIM elements in beacon frames.
- Attack Process: Timing Information Forgery: The adversary spoofs the timestamp parameter, causing clients in sleep mode to wake up at the wrong time, missing legitimate beacons and broadcast/multicast frames.
- Outcome: Targeted clients no longer reliably receive broadcast, multicast, and unicast frames.
- Devices Affected: Not specified.
- Likelihood of Success: High for devices that rely on accurate timing information and TIM elements for frame delivery.
The "Silencing Stations" attack manipulates two primary elements:
- Quiet Information Element: The quiet information element of the 802.11h standard is abused to request clients to temporarily pause transmissions. This element was originally designed for 5 GHz access points to silence stations for accurate detection of nearby weather radars. It can cause clients to temporarily halt their transmissions.
- 802.11 Power Elements: The 802.11 standard contains elements that inform clients about the maximum transmit power. Adversaries can spoof these elements, and the power constraint element, to manipulate the transmission power used by the client. Devices like iPads and MacBooks will limit their transmission power, affecting their network communication.
- Requirements: Ability to forge beacon frames.
- Attack Process: The adversary uses forged beacon frames to manipulate the behavior of the target station.
- Outcome: The target station's communication is disrupted.
- Devices Affected: The known quiet attack did not affect any of the tested devices. However, the novel technique to make clients lower their transmission power affected devices like iPads and MacBooks. Android, iPhone, and Windows devices were found to be unaffected when connected to either a 2.4 or 5 GHz network.
- Likelihood of Success: The known quiet attack has negligible impact on modern devices. The novel technique has a high likelihood of success on devices like iPads and MacBooks.
These attacks are interesting because they take advantage of often overlooked and unsecured packets - beacon frames.
In the next year, I'll be experimenting with proof of concept designs to automate testing for these kinds of attacks.