Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack
arXiv (2024)
Abstract
In this paper, we unveil a fundamental side channel in Wi-Fi networks,
specifically the observable frame size, which can be exploited by attackers to
conduct TCP hijacking attacks. Despite the various security mechanisms (e.g.,
WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals
that an off-path attacker can still extract sufficient information from the
frame size side channel to hijack the victim's TCP connection. Our side channel
attack is based on two significant findings: (i) response packets (e.g., ACK
and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames
containing these response packets have consistent and distinguishable sizes. By
observing the size of the victim's encrypted frames, the attacker can detect
and hijack the victim's TCP connections. We validate the effectiveness of this
side channel attack through two case studies, i.e., SSH DoS and web traffic
manipulation. Specifically, our attack can terminate the victim's SSH session in
19 seconds and inject malicious data into the victim's web traffic within 28
seconds. Furthermore, we conduct extensive measurements to evaluate the impact
of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers
from 9 well-known vendors, and none of these routers can protect victims from
our attack. In addition, we implement our attack in 80 real-world Wi-Fi networks
and successfully hijack the victim's TCP connections in 75 (93.75%) of these
Wi-Fi networks. We have responsibly disclosed the vulnerability to the Wi-Fi
Alliance and proposed several mitigation strategies to address this issue.
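As an added illustration (not code from the paper) of the two findings above, the Python below models a link-layer cipher with constant per-frame overhead, shows that it preserves the size differences between header-only TCP responses, and quantifies the resulting leak as the mutual information between packet type and observed frame size. The packet sizes, the overhead constant and the length-padding mitigation are assumptions made for this illustration, not values or countermeasures taken from the paper.

```python
"""Constructed illustration of the frame-size side channel: a link-layer
cipher with constant per-frame overhead keeps the size differences between
TCP receiver responses intact, and padding before encryption removes them.
All sizes below are illustrative, not measurements from the paper."""
import math
from collections import Counter, defaultdict

# Constructed IP total lengths (bytes) of header-only TCP responses; they
# differ only by TCP options on top of the 20-byte IPv4 + 20-byte TCP base.
RESPONSE_SIZES = {
    "ack_no_opts": 40,
    "ack_timestamps": 52,   # + NOP, NOP, 10-byte timestamp option
    "ack_one_sack": 64,     # + NOP, NOP, 10-byte SACK block (illustrative)
    "rst": 40,
}
# Assumed constant per-frame overhead (802.11 header, LLC/SNAP, CCMP header
# and MIC, FCS). Its exact value is irrelevant; what matters is that it is
# the same for every frame on the link, so size differences survive.
FRAME_OVERHEAD = 54

def frame_size(ip_len, pad_to=None):
    """Over-the-air size of the frame carrying one IP packet. pad_to rounds
    the plaintext up to a multiple of that many bytes before encryption
    (an assumed mitigation, not necessarily one the paper proposes)."""
    if pad_to:
        ip_len = -(-ip_len // pad_to) * pad_to
    return ip_len + FRAME_OVERHEAD

def size_classes(pad_to=None):
    """Map each observable frame size to the packet types producing it."""
    groups = defaultdict(list)
    for name, ip_len in RESPONSE_SIZES.items():
        groups[frame_size(ip_len, pad_to)].append(name)
    return {s: sorted(v) for s, v in groups.items()}

def _entropy(counts):
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def leaked_bits(trace, pad_to=None):
    """Mutual information I(type; frame size), in bits, over a constructed
    trace of packet-type names: what a size-only observer learns."""
    size_of = {t: frame_size(RESPONSE_SIZES[t], pad_to) for t in set(trace)}
    by_type, by_size = Counter(trace), Counter(size_of[t] for t in trace)
    joint = Counter((t, size_of[t]) for t in trace)
    h_type_given_size = sum(
        by_size[s] / len(trace) * _entropy([joint[(t, s)] for t in by_type])
        for s in by_size)
    return _entropy(by_type.values()) - h_type_given_size
```

With the constructed values, a uniform mix of the four responses leaks 1.5 of 2 bits without padding and 0 bits once every plaintext is padded to 128 bytes.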