Owfuzz: WiFi Nightmare

Conference:  BlackHat USA 2021



Discovering vulnerabilities in Wi-Fi protocol implementations through various methods
  • The Wi-Fi protocol stack consists of three parts: applications in the user layer, the Wi-Fi driver in the kernel, and the hardware
  • Different methods can be used to discover vulnerabilities in Wi-Fi implementations, such as through the air interface, the driver interface, simulation, and reverse engineering
  • Fuzzing Wi-Fi over the air interface can generate all types of frames and elements, and can simulate the process of interaction
  • Forged Wi-Fi frames can be used to disconnect devices from or connect them to a hotspot, and to cause DoS attacks
  • The block ack mechanism and the channel switch announcement (CSA) element can also be exploited to cause DoS attacks
An attacker can disconnect a connected device from an access point by sending a malformed association frame, as discovered in Broadcom chips, Roadster devices, and the hotspot of Huawei 390 mobile phones. The attacker can also disconnect the device from the access point by sending a malformed beacon frame with false information, as discovered in the Qualcomm Killer Wireless AC5035 wireless card and Intel AX200 Wi-Fi 6 chip devices. An incomplete CSA element can also cause a DoS attack: the ESP32 device keeps crashing, and the connection can only be recovered by rebooting.
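One defensive pattern for the incomplete CSA element case above, as an added example that is not from the talk, owfuzz, or any vendor's firmware: a receiver-side walk over a management frame's tagged elements that bounds-checks every read and drops the frame when the CSA element is not exactly its 3-byte body. The element ID (37) and body layout are from IEEE 802.11; the function and type names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_CHANNEL_SWITCH 37  /* IEEE 802.11 Channel Switch Announcement */
#define CSA_BODY_LEN       3   /* switch mode, new channel, switch count */

struct csa_info { uint8_t mode, new_channel, count; };
enum ie_status { IE_MALFORMED = -1, IE_OK_NO_CSA = 0, IE_OK_CSA = 1 };

/* Walk the (ID, length, body) elements of a management frame body.
 * Each read is checked against the received length, so a truncated or
 * undersized CSA element is rejected instead of read past the buffer. */
enum ie_status parse_csa(const uint8_t *ies, size_t len, struct csa_info *out)
{
    size_t off = 0;
    enum ie_status st = IE_OK_NO_CSA;
    while (off < len) {
        if (len - off < 2)
            return IE_MALFORMED;           /* element header is cut off */
        uint8_t id = ies[off], elen = ies[off + 1];
        off += 2;
        if (elen > len - off)
            return IE_MALFORMED;           /* declared length overruns frame */
        if (id == EID_CHANNEL_SWITCH) {
            if (elen != CSA_BODY_LEN)
                return IE_MALFORMED;       /* incomplete CSA: drop the frame */
            out->mode = ies[off];
            out->new_channel = ies[off + 1];
            out->count = ies[off + 2];
            st = IE_OK_CSA;
        }
        off += elen;
    }
    return st;
}

/* Constructed sample element lists (SSID "test" followed by a CSA element). */
static const uint8_t good_ies[]  = { 0, 4, 't', 'e', 's', 't', 37, 3, 1, 11, 5 };
static const uint8_t short_csa[] = { 0, 4, 't', 'e', 's', 't', 37, 1, 1 };
static const uint8_t cut_csa[]   = { 0, 4, 't', 'e', 's', 't', 37, 3, 1 };

int main(void) {
    struct csa_info c = { 0, 0, 0 };
    printf("good:  %d\n", (int)parse_csa(good_ies, sizeof good_ies, &c));
    printf("short: %d\n", (int)parse_csa(short_csa, sizeof short_csa, &c));
    printf("cut:   %d\n", (int)parse_csa(cut_csa, sizeof cut_csa, &c));
    return 0;
}
```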


WiFi, which uses unprotected air as a medium, faces unique challenges in ensuring the security and availability of communication. Throughout the development process of WiFi protocol, it is also the evolution process of WiFi security protocol. Even with the popularization of WiFi 6 and WPA3, there are still many flaws in the security of WiFi protocol and its implementation.

Owfuzz is a WiFi fuzzing tool. It can perform fuzzing tests on any WiFi device, including client and AP. Over the past few months, I've used owfuzz to fuzz WiFi chips of different vendors and found many WiFi vulnerabilities; the affected vendors include Qualcomm, Intel, Espressif, Broadcom, Huawei and others. These vulnerabilities include both design and implementation flaws; some even affect multiple vendors at the same time.

WiFi vulnerabilities can cause remote zero-click attacks, and will affect a large number of users. Therefore, chip vendors need to pay more attention to the security and robustness of WiFi. This talk will cover the practice and thinking about owfuzz and the vulnerabilities discovered by owfuzz.