Conference:  Black Hat Asia 2023

Authors: Mathy Vanhoef, Domien Schepers

2023-05-12

This presentation introduces two novel attacks that abuse the power-save (sleep) functionality of Wi-Fi. In our first attack, we target a protected Wi-Fi network and abuse sleep mode to leak frames in plaintext. The idea is that the adversary forces an Access Point to buffer frames, and then causes the buffered frames to be transmitted using the wrong or no key. For instance, some affected APs will leak buffered frames by encrypting them using an all-zero key, and some APs will even leak frames in plaintext. In our second attack, we introduce network disruption attacks based on the forced queueing of frames. As an example, we show how this can be used to block Fine Timing Measurements, which in turn may disrupt geofencing. Our attack can also be used to disconnect clients even when WPA3 and Protected Management Frames are enabled. We also explain how after disconnecting a client, a malicious insider can reconnect as the victim to subsequently bypass client isolation and intercept traffic towards the victim. We will demonstrate and release a tool that can detect if a network is vulnerable to this client isolation bypass method. To prevent our sleep-based attacks, the power-management bit in Wi-Fi frames must be authenticated, which is currently not the case even when using WPA3. Preventing our attack to bypass client isolation is non-trivial, and we will discuss the security and reliability trade-offs of possible mitigations.