SIGTAM: A Tampering Attack on Wi-Fi Preamble Signaling and Countermeasures

2022 IEEE Conference on Communications and Network Security (CNS) (2022)

Abstract
The preamble is crucial for frame reception and interpretation in Wi-Fi networks. It carries essential information (e.g., length, rate, etc.) in multiple Signal (SIG) fields that are needed to decode the payload portion of the frame. In this paper, we first use measurements and security analysis to identify the vulnerabilities of the SIG fields in terms of confidentiality, predictability, and integrity. Then, we introduce the SIG tampering attack (SIGTAM), in which the adversary exploits these vulnerabilities to craft and transmit a signal that tampers with legitimate SIG fields. This smart attack can pass the integrity validation, including the even parity and cyclic redundancy check (CRC), hence deceiving the receiver(s). The resulting SIG fields lead not only to frame discard or decoding error at the receiver(s) but also to channel access disorder at neighboring devices. We further strengthen this attack by making it robust to channel impairments and synchronization errors. The attack is quite stealthy in that it targets fewer than 20% of the subcarriers for a duration of only $4\ \mu\text{s}$. Simulations and over-the-air (OTA) experiments are conducted on IEEE 802.11a/ax networks, which show that the proposed attack achieves almost 100% packet drop and packet error rates. Finally, we propose and evaluate schemes that detect the attack, identify impacted subcarriers, and retrieve the legitimate SIG fields based on their equalized frequency-domain symbols.
Keywords
Wi-Fi networks, IEEE 802.11, wireless security, preamble signaling, stealthy attack