In this repository, we present deauthentication techniques bypassing Wi-Fi Management Frame Protection (pdf).
The identified vulnerabilities lead to denial of service and network disruption, and can also help an adversary carry out other attacks (for example, attacks that require the client to perform a new handshake).
Wi-Fi Management Frame Protection (MFP), defined in IEEE 802.11w, protects robust management frames by providing data confidentiality, integrity, origin authenticity, and replay protection. One of its key goals is to prevent deauthentication attacks in which an adversary forcibly disconnects a client from the network.
We identified the following vulnerabilities, each of which disconnects the client from the access point.
Vulnerability | hostap-2.9 | hostap-2.10 | iwd-1.27 |
---|---|---|---|
Corrupt 4-Way Handshake Message 1/4 | ✔️ | ✔️ | ✔️ |
Vulnerability | Android 12 |
---|---|
Incorrect IGTK Installation | ✔️ |
Vulnerability | hostap-2.9 | hostap-2.10 | iwd-1.27 |
---|---|---|---|
EAPoL Logoff | ✔️ | ✔️ | |
EAP Failure | ✔️ | ✔️ | ✔️ ¹ |
Maximum Number of EAP Rounds | ✔️ | ✔️ | |
Maximum Number of Re-Authentications | ✔️ | ✔️ | |

¹ Also successful against personal network configurations such as WPA3-Personal.
Vulnerability | Linux 5.15.0 | macOS 12.3 | iOS 15.4 |
---|---|---|---|
Invalid Channel Switch Announcement | ✔️ | ✔️ | ✔️ |
Unsupported Bandwidth Change | ✔️ | | |
As proofs of concept, we provide test cases for the Wi-Fi Framework (see usage instructions).
Note that not all proofs of concept are available yet because of ongoing disclosures and security updates.
As an example, we provide instructions for the pmf-deauth-pmkid-tag-length test case.

Using the Wi-Fi Framework, start two virtual radio interfaces:

```
./setup/setup-hwsim.sh
```

Then load the appropriate network configuration to use WPA3-Personal with Management Frame Protection (MFP):

```
cd setup; ./load-config.sh wpa3-personal-pmf
```

Start the access point, which will execute the pmf-deauth-pmkid-tag-length test case:

```
./run.py wlan0 pmf-deauth-pmkid-tag-length
```

Finally, connect a client to the access point, which initiates the attack:

```
./hostap.py wlan1
```
After successful execution, the test case will detect the protected deauthentication frame from the client.
Example output for the invalid PMKID Tag Length using Linux 5.15.0 and hostap 2.10.
The following commit in hostap discards corrupted messages:
In example-pmf-deauth-pmkid-tag-length.pcapng, we provide a network capture demonstrating the attack.
- Frame 34: Spoofed handshake frame which contains the corrupted RSN PMKID tag length.
- Frame 36: The victim client transmits a protected deauthentication frame.
The Pixel Update Bulletin of March 2023 addressed the IGTK vulnerability (CVE-2023-21061).
Patches were applied to ensure EAPOL-Key frames containing invalid field values are silently discarded:
Project | Patch |
---|---|
hostap | WPA: Discard EAPOL-Key msg 1/4 with corrupted information elements |
IWD | [PATCH] eapol: Silently discard invalid EAPoL frames |
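The check behind these patches, as an added example that is not hostap's or IWD's code: a simplified Python model of parsing the Key Data field of EAPOL-Key message 1/4, which treats an element whose declared length overruns the buffer, or a PMKID KDE that does not carry a 16-byte PMKID, as corrupted and silently discards the message rather than reacting to it. The KDE layout (0xDD, length, OUI 00-0F-AC, data type, data) follows IEEE 802.11; the sample Key Data bytes are constructed here, not taken from the capture.

```python
from typing import List, Optional, Tuple

# IEEE 802.11 Key Data Encapsulation (KDE) constants
KDE_ELEMENT_ID = 0xDD                 # KDEs reuse the vendor-specific element ID
RSN_OUI = bytes.fromhex("000fac")
KDE_TYPE_PMKID = 4                    # data type of the PMKID KDE
PMKID_LEN = 16


def parse_key_data(key_data: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """Parse the Key Data field into (data_type, data) tuples for RSN KDEs.

    Returns None ("corrupted") when an element's declared length overruns the
    buffer or a PMKID KDE does not hold exactly 16 bytes. Trailing padding
    (0xDD followed by 0x00 octets) is accepted; non-KDE elements are skipped.
    """
    kdes: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(key_data):
        if key_data[pos] == 0xDD and pos + 1 == len(key_data):
            break                     # lone 0xDD at the end is valid padding
        if key_data[pos] == 0x00:     # zero padding: nothing else may follow
            return kdes if not any(key_data[pos:]) else None
        if pos + 2 > len(key_data):
            return None               # element header cut off
        elem_id, length = key_data[pos], key_data[pos + 1]
        body = key_data[pos + 2:pos + 2 + length]
        if len(body) != length:
            return None               # declared length larger than what remains
        if elem_id == KDE_ELEMENT_ID and body[:3] == RSN_OUI:
            if length < 4:
                return None           # no room for OUI + data type
            data_type, data = body[3], body[4:]
            if data_type == KDE_TYPE_PMKID and len(data) != PMKID_LEN:
                return None           # PMKID KDE with an inconsistent length
            kdes.append((data_type, data))
        pos += 2 + length
    return kdes


def process_msg1_key_data(key_data: bytes) -> str:
    """Hardened behaviour: a corrupted message 1/4 is silently discarded,
    never answered with a deauthentication or any other reaction."""
    return "discard" if parse_key_data(key_data) is None else "continue"


# Constructed sample Key Data fields (not from the page's capture).
PMKID = bytes(range(16))
HDR = bytes([KDE_ELEMENT_ID]) 
VALID_KEY_DATA = HDR + bytes([20]) + RSN_OUI + bytes([KDE_TYPE_PMKID]) + PMKID
# Declares 20 bytes but only 12 follow: the length overruns the buffer.
TRUNCATED_KEY_DATA = HDR + bytes([20]) + RSN_OUI + bytes([KDE_TYPE_PMKID]) + PMKID[:8]
# Length matches the buffer, but the PMKID itself is only 8 bytes long.
SHORT_PMKID_KEY_DATA = HDR + bytes([12]) + RSN_OUI + bytes([KDE_TYPE_PMKID]) + PMKID[:8]
```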
This work is published at the 2022 ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022).
On the Robustness of Wi-Fi Deauthentication Countermeasures (pdf, acm)
With the introduction of WPA3 and Wi-Fi 6, an increased usage of Wi-Fi Management Frame Protection (MFP) is expected. Wi-Fi MFP, defined in IEEE 802.11w, protects robust management frames by providing data confidentiality, integrity, origin authenticity, and replay protection. One of its key goals is to prevent deauthentication attacks in which an adversary forcibly disconnects a client from the network.
In this paper, we inspect the standard and its implementations for their robustness and protection against deauthentication attacks. In our standard analysis, we inspect the rules for processing robust management frames for completeness, consistency, and security, leading to the discovery of unspecified cases, contradictory rules, and insecure rules that lead to new denial-of-service vulnerabilities. We then inspect implementations and identify vulnerabilities in clients and access points running on the latest versions of the Linux kernel, hostap, IWD, Apple (i.e., macOS, iOS, iPadOS), Windows, and Android. Altogether, these vulnerabilities allow an adversary to disconnect any client from personal and enterprise networks despite the usage of MFP.
Our work highlights that management frame protection is insufficient to prevent deauthentication attacks, and therefore more care is needed to mitigate attacks of this kind. In order to address the identified shortcomings, we worked with industry partners to propose updates to the IEEE 802.11 standard.
```bibtex
@inproceedings{schepers2022robustness,
  title={On the Robustness of {Wi-Fi} Deauthentication Countermeasures},
  author={Schepers, Domien and Ranganathan, Aanjhan and Vanhoef, Mathy},
  booktitle={Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks},
  pages={245--256},
  year={2022}
}
```