New Wi-Fi Threat: Off-path TCP Hijacking in NAT Routers

BY Mark Howell 19 June 2024 5 MINS READ

Today in Edworking News we want to talk about the post and paper co-authored by Xuewei Feng, Qi Li, Kun Sun, Ziqiang Wang, and Ke Xu. Wi-Fi has become one of the most popular technologies for providing Internet access, but it is also frequently exploited by malicious actors to launch attacks. With the deployment of wireless security mechanisms such as WPA2/WPA3 and the adoption of other protective measures such as Access Point (AP) isolation, Address Resolution Protocol (ARP) protection, and rogue AP detection, off-path attackers (those who cannot control the router or sit on the traffic path) find it increasingly difficult to obtain confidential information about Wi-Fi users.
Our recent discovery exposes a security flaw in how router firmware handles Network Address Translation (NAT) mappings. Attackers can exploit it to bypass the randomization TCP relies on (unpredictable source ports and sequence numbers), which enables off-path TCP hijacking attacks that intercept TCP traffic of other Wi-Fi clients. Our research paper detailing the attack has been accepted by NDSS 2024.

Attack Scenario

Image description: Diagram of an attacker and a victim client connected to the same Wi-Fi network accessing Internet services.
Figure 1 illustrates the scenario where an attacker and a victim client are connected to the same Wi-Fi network to access Internet services (for example, consider strangers connecting to the same Wi-Fi network of a coffee shop). For the attacker to hijack the TCP connection between the victim and the server offering common services such as social media or online finance, the attacker must first detect the existence of the TCP connection. Upon confirmation, the attacker then proceeds to infer the sequence and acknowledgment numbers of the ongoing bidirectional communication.

Attack Steps

We’ve observed that routers often employ port preservation strategies during NAT (the external port is kept equal to the client’s internal source port) and lack the reverse path validation required by RFC 3704, so they accept packets from the LAN side whose source address claims to be an Internet host. Together these behaviours enable attackers to deduce the source ports of other clients’ connections.

First Step: Deducing Source Ports

Following the method illustrated in Figure 2, the attacker deduces the source port of another client by sending forged SYN and SYN/ACK packets while varying the source port number, and observing whether the SYN/ACK it sent comes back to itself. Repeating this until the router’s behaviour changes reveals the port the victim client is using, which the subsequent attack steps rely on.

Second Step: Exploiting Sequence Numbers

Image description: Attack steps for stealing sequence number and acknowledgment number from TCP connection.
We’ve found that most routers, for performance reasons, do not rigorously inspect the sequence numbers of TCP packets. This is a serious weakness: an attacker can exploit it by crafting forged reset (RST) packets that maliciously clear the victim’s NAT mappings in the router. In the second attack step, the attacker uses this to steal the sequence number (SEQ) and acknowledgment number (ACK) of the legitimate TCP connection between the victim client and the server, as depicted in Figure 3. Once the attacker has obtained the source port, sequence number, and acknowledgment number of the client connection, it can initiate TCP connection manipulation attacks.
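To make the two attack steps concrete, here is an added toy model of the router behaviours they depend on (port preservation, missing reverse path validation, and lax sequence checking). It is an illustration written for this article, not code from the paper’s authors; the addresses, ports, the 65535-byte window, the counter that stands in for random port allocation, and the simplification that only RST segments are sequence-checked are all assumptions. A vulnerable router lets the LAN attacker single out the victim’s port and tear down its mapping with a spoofed RST; a router with reverse path validation, random port allocation and strict sequence checking gives the attacker no signal.

```python
"""Toy model of the NAT behaviours the two attack steps rely on.
Added illustration, not the paper's code; all addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

LAN_NET = "192.168.1."               # assumed private LAN prefix
WAN_IP = "203.0.113.7"               # assumed router public address
SERVER = ("198.51.100.10", 443)      # assumed Internet service
VICTIM, ATTACKER = "192.168.1.20", "192.168.1.30"
WINDOW = 65535                       # window a strict NAT enforces for RSTs


@dataclass(frozen=True)
class Pkt:
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    flags: str          # "S" SYN, "SA" SYN/ACK, "R" RST
    seq: int = 0


@dataclass
class Mapping:
    lan: tuple                          # internal (ip, port) owning the WAN port
    remote_seq: Optional[int] = None    # next sequence number expected from the server


class Router:
    def __init__(self, preserve_ports=True, rpf=False, strict_seq=False):
        self.preserve_ports, self.rpf, self.strict_seq = preserve_ports, rpf, strict_seq
        self.table = {}                 # (wan_port, remote) -> Mapping
        self._next = 50000              # counter standing in for random port allocation

    def _alloc(self, lan_port, remote):
        if self.preserve_ports and (lan_port, remote) not in self.table:
            return lan_port             # port preservation: external port == internal port
        while (self._next, remote) in self.table:
            self._next += 1
        self._next += 1
        return self._next - 1

    def from_lan(self, pkt):
        """Packet received on the LAN interface. Returns (receiver_ip, pkt) or None."""
        if not pkt.src[0].startswith(LAN_NET):
            # Source claims to be an Internet host but arrived from the LAN side.
            # RFC 3704 reverse-path validation drops it; a vulnerable router
            # handles it exactly as if it had come in on the WAN interface.
            return None if self.rpf else self.from_wan(pkt)
        if pkt.flags == "S":
            wan_port = self._alloc(pkt.src[1], pkt.dst)
            self.table[(wan_port, pkt.dst)] = Mapping(lan=pkt.src)
        for (wan_port, remote), m in self.table.items():
            if m.lan == pkt.src and remote == pkt.dst:
                return (pkt.dst[0], Pkt((WAN_IP, wan_port), pkt.dst, pkt.flags, pkt.seq))
        return None

    def from_wan(self, pkt):
        """Packet received (or believed to be received) on the WAN interface."""
        key = (pkt.dst[1], pkt.src)
        m = self.table.get(key)
        if m is None:
            return None                 # no mapping: dropped
        if pkt.flags == "SA":
            m.remote_seq = pkt.seq + 1
        if pkt.flags == "R":
            in_window = m.remote_seq is not None and m.remote_seq <= pkt.seq < m.remote_seq + WINDOW
            if self.strict_seq and not in_window:
                return None             # strict router ignores an out-of-window RST
            del self.table[key]         # lax router tears the mapping down on any RST
        return (m.lan[0], Pkt(pkt.src, m.lan, pkt.flags, pkt.seq))


def open_connection(router, client_ip, client_port, server_isn):
    """Legitimate handshake: SYN out through the router, SYN/ACK back from the server."""
    out = router.from_lan(Pkt((client_ip, client_port), SERVER, "S"))
    wan_port = out[1].src[1]
    router.from_wan(Pkt(SERVER, (WAN_IP, wan_port), "SA", seq=server_isn))
    return wan_port


def infer_victim_port(router, attacker_ip, candidates):
    """Step 1: claim each candidate port, then check whether a forged SYN/ACK
    addressed to that WAN port comes back to the attacker itself."""
    flagged = []
    for p in candidates:
        router.from_lan(Pkt((attacker_ip, p), SERVER, "S"))
        delivered = router.from_lan(Pkt(SERVER, (WAN_IP, p), "SA", seq=1))
        if delivered is None or delivered[0] != attacker_ip:
            flagged.append(p)           # held by another client, or no signal at all
    return flagged


def forged_rst_clears_mapping(router, wan_port, guessed_seq):
    """Step 2 primitive: an RST spoofed from the server, injected on the LAN side."""
    router.from_lan(Pkt(SERVER, (WAN_IP, wan_port), "R", seq=guessed_seq))
    return (wan_port, SERVER) not in router.table


def demo():
    configs = {"vulnerable": {}, "hardened": dict(preserve_ports=False, rpf=True, strict_seq=True)}
    results = {}
    for name, cfg in configs.items():
        r = Router(**cfg)
        vport = open_connection(r, VICTIM, 40000, server_isn=1_000_000)
        results[name] = (infer_victim_port(r, ATTACKER, range(39998, 40003)),
                         forged_rst_clears_mapping(r, vport, guessed_seq=12345))
    return results


if __name__ == "__main__":
    for name, (ports, rst) in demo().items():
        print(f"{name}: ports flagged as victim's = {ports}, forged RST cleared mapping = {rst}")
```

Against the vulnerable router the probe singles out port 40000 and the out-of-window RST clears the victim’s mapping; against the hardened router every candidate looks the same (no information) and the RST is dropped. Enabling only strict sequence checking still leaves a one-in-65536 chance per guess that a forged RST lands inside the window, which is why the other two countermeasures matter as well.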

Known Issues and Their Consequences

TCP is a critical foundational protocol of the Internet, carrying important application protocols such as SSH, HTTP, and FTP. Hijacking attacks against TCP can therefore be applied in many scenarios, for instance SSH denial of service and HTTP cache poisoning, among others.

Empirical Study

We conducted tests on 67 mainstream routers from 30 different manufacturers, including 360, Aruba, ASUS, and more. Among these, we found that 52 routers from 24 manufacturers were susceptible to this attack. Additionally, we conducted measurement studies on 93 real-world Wi-Fi networks and found that 75 (81%) of them were vulnerable.

Case Studies

Our case studies indicate that terminating SSH connections, downloading private files from FTP servers, and injecting false HTTP response packets on average took 17.5, 19.4, and 54.5 seconds, respectively, with success rates of 87.4%, 82.6%, and 76.1%.

Mitigation Efforts and Recommendations

We have reported the issue to the affected manufacturers by submitting vulnerability reports and contacting them by email. So far we have received a positive response from the OpenWrt community, which confirmed our findings and released patches to fix the vulnerability. Seven router vendors (TP-Link, Huawei, Xiaomi, 360, Mercury, Ubiquiti, and Linksys) have acknowledged our report and are actively working on fixes for their products. We have been assigned 10 CVE identifiers across the different vendors. Other vendors are still investigating the vulnerability. To mitigate this attack, we suggest three countermeasures.

Quick Recap for Startups

  1. Security Flaws: Stay updated on security vulnerabilities in widely used technologies like Wi-Fi and routers. Proactively monitoring and deploying patches can prevent potential security breaches.

  2. Empirical Data: Thoroughly test your products and services under various conditions to understand and mitigate potential security risks. This practice not only ensures safety but also enhances customer trust.

  3. Collaborative Efforts: Engage with the broader community and industry partners to quickly identify and address security issues. Collaboration accelerates the development and deployment of necessary patches and updates.
    For more details, see the original source.

About the Author: Mark Howell Linkedin

Mark Howell is a talented content writer for Edworking's blog, consistently producing high-quality articles on a daily basis. As a Sales Representative, he brings a unique perspective to his writing, providing valuable insights and actionable advice for readers in the education industry. With a keen eye for detail and a passion for sharing knowledge, Mark is an indispensable member of the Edworking team. His expertise in task management ensures that he is always on top of his assignments and meets strict deadlines. Furthermore, Mark's skills in project management enable him to collaborate effectively with colleagues, contributing to the team's overall success and growth. As a reliable and diligent professional, Mark Howell continues to elevate Edworking's blog and brand with his well-researched and engaging content.
