Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack
arXiv (2024)
Abstract
In this paper, we unveil a fundamental side channel in Wi-Fi networks, namely the
observable frame size, which attackers can exploit to conduct TCP hijacking
attacks. Despite the security mechanisms implemented to safeguard Wi-Fi networks
(e.g., WEP and WPA2/WPA3), our study reveals that an off-path attacker can still
extract sufficient information from the frame-size side channel to hijack the
victim's TCP connection. Our side-channel attack rests on two findings: (i) the
response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and
(ii) the encrypted frames carrying these response packets have consistent and
distinguishable sizes, because link-layer encryption conceals frame contents but
not frame length. By observing the sizes of the victim's encrypted frames, the
attacker can detect and then hijack the victim's TCP connections. We validate the
effectiveness of the side-channel attack through two case studies, SSH DoS and web
traffic manipulation: our attack terminates the victim's SSH session within 19
seconds and injects malicious data into the victim's web traffic within 28
seconds. Furthermore, we conduct extensive measurements to evaluate the impact of
the attack on real-world Wi-Fi networks. We test 30 popular wireless routers from
9 well-known vendors, and none of them protects victims from our attack. In
addition, we carry out the attack in 80 real-world Wi-Fi networks and
successfully hijack the victim's TCP connections in 75 (93.75%) of them. We have
responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed
several mitigation strategies to address this issue.
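The following Python script is an added illustration of the side-channel primitive the abstract describes; it is not code from the paper. It builds two minimal IPv4+TCP response segments, models the constant length expansion of WPA2 CCMP (8-byte CCMP header plus 8-byte MIC, so ciphertext length equals plaintext length plus 16) together with an assumed fixed 802.11 framing overhead, and shows that an eavesdropper who sees only the encrypted frame size can still tell the two response types apart. The specific sizes (a RST with no TCP options versus an ACK carrying a 12-byte timestamp option block), the address and port values, and the `FRAME_OVERHEAD` constant are constructed assumptions for the example, not measurements reported by the paper.

```python
import struct

# WPA2 CCMP expands every protected MPDU by a fixed 16 bytes:
# an 8-byte CCMP header (packet number, key id) plus an 8-byte MIC.
# Encryption hides the contents, not the length: that is the side channel.
CCMP_OVERHEAD = 16

# Assumed constant framing outside the TCP/IP segment: 24-byte 802.11 data
# MAC header, 8-byte LLC/SNAP header, 4-byte FCS (illustrative figure).
FRAME_OVERHEAD = 24 + 8 + 4

TCP_ACK = 0x10
TCP_RST = 0x04

# Constructed TCP option block: NOP, NOP, Timestamps (kind 8, length 10).
# Assumption for this example only: the ACK response carries it, the RST
# response carries no options, so the two plaintexts differ by 12 bytes.
TS_OPTION = bytes([1, 1, 8, 10]) + struct.pack("!II", 0x11223344, 0x55667788)


def build_segment(flags, options=b""):
    """Return a minimal IPv4 + TCP segment with no payload.

    Checksums are left as zero: only the segment length matters here.
    Addresses and ports are constructed placeholders.
    """
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_len = 20 + len(options)
    data_offset = (tcp_len // 4) << 4          # header length in 32-bit words
    tcp = struct.pack(
        "!HHIIBBHHH",
        443, 51234,      # source port, destination port
        0, 0,            # sequence number, acknowledgement number
        data_offset, flags,
        65535,           # window
        0, 0,            # checksum (unused), urgent pointer
    ) + options
    total_len = 20 + len(tcp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,         # version/IHL, DSCP/ECN
        total_len, 0,    # total length, identification
        0x4000,          # flags (DF) / fragment offset
        64, 6,           # TTL, protocol (TCP)
        0,               # header checksum (unused)
        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]),
    )
    return ip + tcp


def encrypted_frame_size(segment):
    """Size an off-path eavesdropper sees on the air for a CCMP-protected frame."""
    return FRAME_OVERHEAD + CCMP_OVERHEAD + len(segment)


def response_signatures():
    """Map observable frame size -> response type, built from constructed segments.

    Because the per-frame overhead is constant, distinct plaintext sizes stay
    distinct after encryption, so the mapping is unambiguous.
    """
    responses = {
        "RST": build_segment(TCP_RST),
        "ACK": build_segment(TCP_ACK, TS_OPTION),
    }
    return {encrypted_frame_size(seg): name for name, seg in responses.items()}


def classify_frame(frame_size, signatures=None):
    """Infer the TCP response type from an observed encrypted frame size alone.

    Returns None for sizes that match no known response, e.g. data frames.
    """
    if signatures is None:
        signatures = response_signatures()
    return signatures.get(frame_size)


def classify_observed(frame_sizes):
    """Classify a sequence of sniffed frame sizes (constructed input)."""
    sigs = response_signatures()
    return [classify_frame(size, sigs) for size in frame_sizes]


if __name__ == "__main__":
    for name, seg in (("RST", build_segment(TCP_RST)),
                      ("ACK", build_segment(TCP_ACK, TS_OPTION))):
        print(f"{name}: plaintext {len(seg)} bytes, on-air {encrypted_frame_size(seg)} bytes")
    # Constructed capture: two response frames and one unrelated data frame.
    print(classify_observed([92, 104, 1500]))
```

The point of the reverse lookup is that the attacker never decrypts anything: it probes the victim, then reads the type of the victim's reply from the length of the next protected frame, which is all that is needed to confirm a live connection and refine guesses before injecting.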