Cracking Wifi With Sleep Mode


The concept of queueing in networking devices is well-defined: a busy device may have to store data within a buffer before it is transmitted.

A more significant need to queue data arises when a device goes to sleep and is expected to return to its previous state when it wakes. For example, a device could put itself to sleep for a short time in order to conserve its battery. If so, the wifi access point is likely to buffer the data that it was going to send to the device for a defined time. Once the device wakes up, the access point can send the data to the device, as if it had never gone to sleep. Unfortunately, the data in the buffer will often be unencrypted, so if an adversary can remove the encryption keys for a client while it is sleeping, the buffered data could be sent in plaintext. If unencrypted data is sent over the wifi connection, anyone who is associated with the access point can easily read it.

A significant weakness of many wifi systems is that the frame which signals that a device is entering sleep mode is unprotected and can easily be spoofed. This means that an access point can be tricked into believing a device is in sleep mode when the sleep indication was actually generated by a spoofed frame from an adversary.

Framing frames

In a paper presented at Real-World Crypto 2023 [1], researchers from Northeastern University demonstrated two significant compromises of open-source wifi stacks. With these they were able to leak plaintext, and also to have data encrypted under an all-zero encryption key (or under the group encryption key).

The main conclusion of the paper is that 802.11 lacks a clear specification of how buffered frames should be handled, and in particular does not protect the power-save bit in the frame header. This can be used to mount a denial-of-service attack and force clients to disconnect from the network.

Along with this, the paper outlines a method of overriding the security context of frames that are queued with the adversary’s chosen encryption key:

The basic method involves three stages (Figure 1):

  • In the first stage, the attacker aims to put a target client into power-save mode. This is done by sending a spoofed data frame to the access point that indicates the client is sleeping. The access point will then buffer all the data for the target client, and this is stored in plaintext, without encryption.
  • In Stage 2, the attacker removes the pairwise key established by the authentication messages. This could be done by sending management frames, such as reassociation requests.
  • Finally, in Stage 3, the attacker sends a wake-up frame, which causes the buffered data to be transmitted as unencrypted data frames (or encrypted with the group-addressed key). This allows the attacker to read the buffered data that was destined for the target.
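As an added example (not code from the paper or the post), the following Python sketch shows how a wireless monitor could flag the three-stage sequence above: a client is marked as dozing, a management frame that drops its pairwise key follows, and the client "wakes" shortly after. The event names, the two-second window and the sample observations are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed monitor-mode observations (not real captures):
# (seconds, client MAC, event). "ps1"/"ps0" are frames with the
# power-management bit set/cleared; "reassoc"/"deauth"/"disassoc" are
# management frames after which the AP discards the client's pairwise key.
EVENTS = [
    (0.00, "aa:bb:cc:00:00:01", "ps0"),
    (1.20, "aa:bb:cc:00:00:01", "ps1"),     # client genuinely dozes
    (4.90, "aa:bb:cc:00:00:01", "ps0"),     # and wakes; no key change
    (5.10, "aa:bb:cc:00:00:02", "ps1"),     # suspicious sequence starts
    (5.35, "aa:bb:cc:00:00:02", "reassoc"), # key dropped while "asleep"
    (5.60, "aa:bb:cc:00:00:02", "ps0"),     # wake: queued frames flushed
    (9.00, "aa:bb:cc:00:00:03", "deauth"),  # key drop with no doze first
]

WINDOW = 2.0  # seconds; assumed heuristic threshold, tune per deployment


@dataclass
class ClientState:
    doze_at: Optional[float] = None      # time of last ps1 frame
    key_drop_at: Optional[float] = None  # time of key-dropping mgmt frame


def detect(events, window: float = WINDOW) -> List[Tuple[float, str]]:
    """Return (time, mac) for every doze -> key drop -> wake sequence
    completed by one client within `window` seconds of the doze."""
    state: Dict[str, ClientState] = {}
    alerts: List[Tuple[float, str]] = []
    for ts, mac, ev in sorted(events):
        st = state.setdefault(mac, ClientState())
        if ev == "ps1":
            st.doze_at, st.key_drop_at = ts, None
        elif ev in ("reassoc", "deauth", "disassoc"):
            # Only relevant while the AP believes the client is dozing.
            if st.doze_at is not None and ts - st.doze_at <= window:
                st.key_drop_at = ts
        elif ev == "ps0":
            if (st.doze_at is not None and st.key_drop_at is not None
                    and ts - st.doze_at <= window):
                alerts.append((ts, mac))
            st.doze_at, st.key_drop_at = None, None
    return alerts


if __name__ == "__main__":
    print(detect(EVENTS))  # [(5.6, 'aa:bb:cc:00:00:02')]
```

A legitimate doze followed by a wake, or a key drop on an awake client, is not flagged; only the full sequence that would cause the access point to flush its queue after the key has changed raises an alert.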

The researchers analysed two typical open-source stacks used in access points, FreeBSD 13.0/13.1 and Linux 5.5.0-5.17.6, and also hardware dongles built on the Atheros AR9271 chipset.

Conclusions

WPA-2 is far from perfect: the four-way handshake remains a significant weakness with weak passwords, and it features in a number of significant attacks. Fragmentation attacks have been well documented, such as Kr00k [2] and FragAttacks [3], where the access point can be tricked into processing frames incorrectly. In Kr00k, hardware devices could be tricked into using an all-zero encryption key within the four-way handshake, while the paper presented at RWC 2023 managed to do so using power-save mechanisms. An outline of Kr00k is here:

WPA-3 was also recently attacked through a side channel in the Dragonfly handshake [4], which recovers the network password:

References

[1] Schepers, D., Ranganathan, A., & Vanhoef, M. Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues [here].

[2] Nakajima, S., Inoue, T., Shiraishi, Y., & Morii, M. (2022, November). Attack Techniques and Countermeasures against Kr00k using CSA. In 2022 Tenth International Symposium on Computing and Networking (CANDAR) (pp. 130–136). IEEE.

[3] Vanhoef, M. (2021). Fragment and forge: Breaking Wi-Fi through frame aggregation and fragmentation. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21) (pp. 161–178). USENIX Association.

[4] de Almeida Braga, D., Fouque, P. A., & Sabt, M. (2020, December). Dragonblood is still leaking: Practical cache-based side-channel in the wild. In Annual Computer Security Applications Conference (pp. 291–303).