SSID Confusion, a WiFi vulnerability that tricks victims into connecting to less secure networks

SSID Confusion, a vulnerability that exploits a design flaw in the WiFi standard

A team of researchers from the Catholic University of Louvain (KU Leuven) in Belgium disclosed, in a blog post, details of "SSID Confusion", an attack method that tricks victims into connecting to less secure networks so that their traffic can be intercepted.

This attack exploits a design flaw in the IEEE 802.11 standard that allows attackers to trick victims into connecting to a fake network by using a spoofed network name (SSID). Once connected, the victim is exposed to traffic interception and manipulation. Additionally, some VPN clients that automatically turn themselves off when connected to a "trusted" WiFi network can be disabled by this attack.

Educational institutions, including universities in the United Kingdom, the United States and other countries, are particularly at risk because of credential reuse across networks. Home and business WiFi networks are affected as well, especially those that use the WPA3 protocol, among others.

About SSID Confusion

Discovered in May 2024 and cataloged under CVE-2023-52424, SSID Confusion is a vulnerability in the IEEE 802.11 WiFi standard that allows an attacker to trick a user into connecting to a less secure wireless network instead of the trusted network they intended to connect to, making it easier to intercept and manipulate traffic. The vulnerability affects the wireless stacks of every operating system and compromises the WPA3, WEP, EAP, AMPE and FILS authentication methods.

SSID Confusion bypasses the protocol's access point authentication mechanisms, which are meant to protect against substitution of the SSID network identifier and to prevent the creation of fake networks with the same name as the network the client connects to. The root of the problem lies in how the standard defines the situations in which an SSID need not be authenticated. In particular, to announce its presence, an access point transmits beacon frames that include the network's SSID. To facilitate network discovery, clients do not authenticate the SSID in these frames, since it is assumed that verification will take place once the client decides to connect to the network.

To carry out this attack, the user must initiate a connection to a specific wireless network, and there must be another wireless network nearby that uses the same connection credentials as the first. This can occur, for example, when separate networks are created for the 2.4 GHz and 5 GHz bands and one of them is weakly protected and vulnerable to typical traffic interception attacks such as KRACK or FragAttacks. The attacker must be within signal range in order to get between the user and the target network (MitM). Importantly, the attacker does not need to know the victim's credentials to carry out this attack.

The attack relies on the attacker setting up an access point (called WrongAP) that, on a different channel, advertises a less secure network to which the client connects instead of the desired one. This access point can be built from a conventional laptop and is used to mount a multi-channel MitM attack against the victim.

The attack takes place in three stages:

  1. Network discovery: The MitM system intercepts the frames sent over the air by the victim and by the trusted access point (TrustedNet) and replaces the SSID in them. In frames from the access point, the SSID is replaced with the identifier of the less secure network, and in the victim's replies with that of the real network, simulating the interaction between the client and the trusted access point. As a result, the victim's device receives the responses and believes the desired network is nearby, even though those responses are actually relayed by the attacker's access point.
  2. Authentication hijacking: The attacker fakes a successful authentication and forces the client to connect to the less secure network instead of the trusted one. At this stage, the attacker intercepts the frames the client sends during authentication, replaces the SSID in them and forwards them to the access point.
  3. MitM: Once the communication channel is established, the attacker replaces the WrongNet SSID with TrustedNet, giving the user the impression of operating over the trusted network rather than the less secure one.

On the access point side, protection against this type of attack requires the SSID to be authenticated during connection, as the 802.11 standard itself notes; this can be achieved by adding the SSID to the key derivation or by including it as additional data that is verified during the connection handshake. Network administrators can avoid this type of attack by not sharing credentials between networks with different SSIDs. Users, for their part, can protect themselves by using a reliable VPN when connecting over any wireless network.
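The mitigation just described, binding the SSID into key derivation, can be illustrated with a small simulation (added example, not from the researchers' blog post). It models a client that believes it is joining TrustedNet while its handshake is relayed to an access point serving WrongNet with the same passphrase: a derivation that ignores the SSID completes the handshake, while the WPA2-PSK style derivation (PBKDF2-HMAC-SHA1 with the SSID as salt) makes the two sides derive different keys and the key confirmation fails. All SSIDs, passphrases and nonces are constructed values, and the key confirmation step is a simplified stand-in for the real handshake.

```python
import hashlib
import hmac

# Constructed example values (not taken from the article).
PASSPHRASE = b"shared-campus-password"
TRUSTED_SSID = b"TrustedNet"
WRONG_SSID = b"WrongNet"


def pmk_unbound(passphrase: bytes, ssid: bytes) -> bytes:
    """Weak case: the master key depends only on the credential.
    The ssid argument is deliberately ignored, so two networks that
    share a passphrase end up with the same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, b"", 4096, 32)


def pmk_ssid_bound(passphrase: bytes, ssid: bytes) -> bytes:
    """Mitigated case: the SSID is part of key derivation.
    This is the WPA2-PSK construction: PBKDF2-HMAC-SHA1 with the SSID
    as salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def key_confirmation(client_key: bytes, ap_key: bytes, nonce: bytes) -> bool:
    """Simplified key confirmation: the client authenticates a nonce with
    its key and the AP verifies it with its own. Both sides must hold the
    same key for the check to pass."""
    client_mic = hmac.new(client_key, nonce, hashlib.sha256).digest()
    ap_mic = hmac.new(ap_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(client_mic, ap_mic)


def handshake_completes(derive, client_ssid: bytes, ap_ssid: bytes) -> bool:
    """Run the simulated handshake with a given derivation function.
    client_ssid is the network the client thinks it is joining; ap_ssid is
    the network the relayed frames actually reach. Returns True when the
    key confirmation succeeds, i.e. the connection would be established."""
    nonce = b"constructed-anonce-0001"
    client_key = derive(PASSPHRASE, client_ssid)
    ap_key = derive(PASSPHRASE, ap_ssid)
    return key_confirmation(client_key, ap_key, nonce)


if __name__ == "__main__":
    # SSID Confusion scenario: client wants TrustedNet, frames go to WrongNet.
    print("unbound derivation, relayed to WrongNet:",
          handshake_completes(pmk_unbound, TRUSTED_SSID, WRONG_SSID))
    print("SSID-bound derivation, relayed to WrongNet:",
          handshake_completes(pmk_ssid_bound, TRUSTED_SSID, WRONG_SSID))
    print("SSID-bound derivation, honest join:",
          handshake_completes(pmk_ssid_bound, TRUSTED_SSID, TRUSTED_SSID))
```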

Finally, if you are interested in learning more, you can consult the details at the following link.
