New Wi-Fi Vulnerability: Downgrade Attack Leaves Networks Open to Eavesdropping

admin · 2024-05-17 18:18:56 · 21 views


Researchers have discovered a new security vulnerability, stemming from a design flaw in the IEEE 802.11 Wi-Fi standard, that can be used to trick victims into connecting to a less secure wireless network so that an attacker can eavesdrop on their network traffic.


The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on the WEP, WPA3, 802.1X/EAP, and AMPE protocols.


The method "involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks," said Top10VPN, which collaborated with KU Leuven professor and researcher Mathy Vanhoef on the research.


"A successful SSID Confusion attack also causes any VPN with the functionality to auto-disable on trusted networks to turn itself off, leaving the victim's traffic exposed."


The issue underpinning the attack is that the Wi-Fi standard does not require the network name (the SSID, or service set identifier) to always be authenticated, and that security measures are only required once a device opts to join a particular network.


The net effect of this behavior is that an attacker could deceive a client into connecting to a different, untrusted Wi-Fi network from the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack.


"In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials," researchers Héloïse Gollier and Vanhoef outlined. "As a result, the victim's client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet."


In other words, even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the user is connecting to the network they want to.


There are certain prerequisites to pulling off the downgrade attack:

  • The victim wants to connect to a trusted Wi-Fi network
  • There is a rogue network available with the same authentication credentials as the first
  • The attacker is within range to perform an AitM between the victim and the trusted network

Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard by incorporating the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a "client [to] store a reference beacon containing the network's SSID and verify its authenticity during the 4-way handshake."


Beacons are management frames that a wireless access point transmits periodically to announce its presence. They contain information such as the SSID, the beacon interval, and the network's capabilities, among other things.


"Networks can mitigate the attack by avoiding credential reuse across SSIDs," the researchers said. "Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID."

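To make the root cause and the two mitigations above concrete, here is an added Python model (not code from the researchers, the 802.11 standard or the original article). It derives a simplified PTK the way today's 4-way handshake does, then with the SSID mixed in as the proposed standard update would do, and shows why credential reuse across SSIDs is what makes the confusion possible; for comparison it also includes WPA2-Personal, whose PBKDF2-based PMK already depends on the SSID, which goes beyond the article's text. The MAC addresses, MSK and SSIDs are constructed values, and HMAC-SHA256 stands in for the real 802.11 KDF.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example MAC addresses for the AP (authenticator) and the client (supplicant).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")


def pmk_from_eap(msk: bytes) -> bytes:
    """802.1X/EAP: the PMK is the first 256 bits of the EAP MSK; the SSID plays no role."""
    return msk[:32]


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal (for comparison): PBKDF2 salts the passphrase with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes, ssid: Optional[str]) -> bytes:
    """Simplified PTK derivation (HMAC-SHA256 stands in for the 802.11 KDF).
    Today the PTK depends only on the PMK, both MAC addresses and both nonces.
    Passing an SSID models the proposed fix of binding the SSID into the handshake."""
    data = (b"Pairwise key expansion" + min(AP_MAC, CLIENT_MAC) + max(AP_MAC, CLIENT_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    if ssid is not None:
        data += ssid.encode()
    return hmac.new(pmk, data, hashlib.sha256).digest()


def handshake_completes(ap_pmk: bytes, ap_ssid: str, client_pmk: bytes, client_ssid: str,
                        bind_ssid: bool = False) -> bool:
    """Minimal 4-way handshake: the AP checks the MIC on message 2 with its own KCK.
    ap_ssid is the network the AP really serves; client_ssid is the one the client believes it joins."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap_ptk = derive_ptk(ap_pmk, anonce, snonce, ap_ssid if bind_ssid else None)
    client_ptk = derive_ptk(client_pmk, anonce, snonce, client_ssid if bind_ssid else None)
    msg2 = snonce  # message 2 body; the MIC key (KCK) is the first 128 bits of the PTK
    client_mic = hmac.new(client_ptk[:16], msg2, hashlib.sha256).digest()[:16]
    expected = hmac.new(ap_ptk[:16], msg2, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(client_mic, expected)


def ssid_confusion_possible(msk: bytes, trusted: str, rogue: str, bind_ssid: bool) -> bool:
    """Two enterprise networks sharing one RADIUS credential (same MSK, hence same PMK):
    does the client complete the handshake with `rogue` while believing it joined `trusted`?"""
    pmk = pmk_from_eap(msk)
    return handshake_completes(pmk, rogue, pmk, trusted, bind_ssid)
```

With today's derivation the handshake succeeds across SSIDs whenever the PMK is shared, which is exactly why distinct RADIUS CommonNames or per-SSID passwords close the gap; binding the SSID into the PTK makes the mismatch fail on its own.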

The findings come nearly three months after two authentication bypass flaws were disclosed in open-source Wi-Fi software such as wpa_supplicant and Intel's iNet Wireless Daemon (IWD) that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.


Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into leaking all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept nearly all traffic.


References

[1] https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html


Originally published on the WeChat official account 知机安全: New Wi-Fi Vulnerability: Downgrade Attack Leaves Networks Open to Eavesdropping

Posted by admin on 2024-05-17 18:18:56. When reposting, please keep the link to this article (CN-SEC: thanks to the original author): http://cn-sec.com/archives/2750085.html