Prominent security researchers have found a new vulnerability that endangers numerous WLANs around the world. The same researchers have previously uncovered other WLAN weaknesses. Attackers can read data and transmit malware.
Professor Mathy Vanhoef has already uncovered the WLAN vulnerabilities TunnelCrack, Krack Attack, and Dragonblood. Now the researcher has discovered the new vulnerability “SSID Confusion”. The SSID Confusion Attack affects all WiFi clients on all operating systems. Attackers can use it to read data and inject malware, even in supposedly secure networks.
Networks with WEP and WPA3 are at risk, but not WPA1 and WPA2. WLANs with 802.1X/EAP and mesh networks with AMPE authentication are also problematic. Only the new Wi-Fi 7 standard protects against this type of attack. WLAN operators can protect themselves by preventing the reuse of credentials between different SSIDs and by enforcing a distinct password for each WLAN.
Man-in-the-middle attacks on WLANs with SSID confusion
The vulnerability is exploited when there are multiple WLANs with the same SSID. This allows attackers to manipulate WLAN traffic. An attacker can fake an existing WLAN and redirect the connections to his WLAN. This is done by using identical SSIDs. An attacker scans data packets in an existing WLAN and uses them to set up his own WLAN.
The vulnerability results from a design flaw in the IEEE 802.11 standard that allows attackers to trick victims into connecting to insecure networks and intercept their traffic. It exploits the fact that WiFi clients do not authenticate a network’s SSID during connection establishment. This results in attackers being able to create a network with a fake SSID name that the WiFi clients trust. In particular, networks that use the same credentials for different SSIDs are at risk, as attackers can exploit this vulnerability to intercept and tamper with traffic.
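The precondition the article names, the same credentials configured for more than one SSID, is something an administrator can audit on the client side. The following script is an added example, not code from the article or from the researchers; it assumes the wpa_supplicant.conf network-block syntax and works on a constructed sample configuration embedded inline. It flags EAP identity/password pairs and PSK passphrases shared across distinct SSIDs; per the article the 802.1X/EAP case is the one at risk, and PSK reuse is reported only as general hygiene.

```python
"""Audit a wpa_supplicant-style configuration for credentials reused across
different SSIDs, the condition the SSID Confusion attack relies on.

Added example, not from the article. It assumes the wpa_supplicant.conf
network={...} block syntax; SAMPLE_CONFIG below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample configuration: two enterprise networks share the same
# EAP identity and password; the two PSK networks use different passphrases.
SAMPLE_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
}
network={
    ssid="corp-guest"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="homepass123"
}
network={
    ssid="home-iot"
    key_mgmt=WPA-PSK
    psk="otherpass456"
}
"""

# One network={ ... } block per match; blocks are not nested in this format.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value" lines inside a block.
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(config_text):
    """Return a list of dicts, one per network={...} block."""
    networks = []
    for block in BLOCK_RE.findall(config_text):
        networks.append({k: v for k, _quote, v in KV_RE.findall(block)})
    return networks


def credential_key(net):
    """Derive the secret a client would present, independent of the SSID.
    Returns None for networks without a reusable secret (e.g. open networks)."""
    if "psk" in net:
        return ("psk", net["psk"])
    if "identity" in net or "password" in net:
        return ("eap", net.get("identity", ""), net.get("password", ""))
    return None


def find_credential_reuse(config_text):
    """Map each credential used by two or more distinct SSIDs to the sorted
    list of those SSIDs. Credentials tied to a single SSID are not reported."""
    by_cred = defaultdict(set)
    for net in parse_networks(config_text):
        key = credential_key(net)
        if key is not None and "ssid" in net:
            by_cred[key].add(net["ssid"])
    return {k: sorted(v) for k, v in by_cred.items() if len(v) > 1}


if __name__ == "__main__":
    for cred, ssids in find_credential_reuse(SAMPLE_CONFIG).items():
        print(f"{cred[0]} credential reused across SSIDs: {', '.join(ssids)}")
```

Run against the sample it reports the shared EAP credential for `corp-wifi` and `corp-guest`; pointing it at a real configuration file is a matter of reading that file into `find_credential_reuse`. Any SSID pair it lists is a candidate for the per-network credentials the article recommends.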
In addition, the attack can exploit the auto-disconnect feature of certain VPN clients, which disables the VPN connection when the device connects to a pre-determined “trusted” WiFi connection. Once the victim is connected to a fake network, the VPN connection is disabled, leaving the victim’s traffic unprotected and vulnerable to eavesdropping and tampering attacks.