WLAN attack: SSID mix-up attack makes users vulnerable

A security gap in WLAN protocols means that attackers in a man-in-the-middle position can manipulate WLAN traffic.

Stylised house with a WLAN symbol inside

(Image: Devenorr/Shutterstock.com)

This article was originally published in German and has been automatically translated.

A new WLAN vulnerability has been discovered by Professor Mathy Vanhoef, who has also tracked down vulnerabilities such as TunnelCrack, KRACK Attack and Dragonblood. It is known as "SSID Confusion".

Not all WLAN protocols are susceptible to the SSID confusion attack.

(Image: Top10VPN)

In simple terms, such an attack works by a malicious actor spoofing the SSID of the target network and then redirecting connections through itself so that the clients log on to the spoofed access point. If a victim wants to connect to a trusted network and a second network with the same authentication data – such as a WLAN mesh – is available, an attack is possible. The entire network traffic is then open to attackers: unencrypted connections can be viewed and further attacks on victims can be initiated. Attackers could try to infiltrate malware, for example.

In more detail, the attack scenario looks as follows: An attacker in a man-in-the-middle position intercepts the WLAN packets exchanged between the real access point (AP) and the victim's WLAN client during the normal network scan. Before forwarding them to their original destinations, it replaces the SSID of the "malicious" network with that of the trusted network. The victim therefore sees response packets that appear to come from the trusted network, even though they originate from the attacker's malicious AP.

During authentication, the attacker intercepts the victim's packets and replaces the SSID of the trusted network with that of the fake network before forwarding them to the real AP, which completes the authentication. What happens next depends on the WLAN protocol used - but as long as the SSID is not included in the derivation of the PMK (Pairwise Master Key), the attack succeeds. From this point on, attackers can intercept and rewrite all of the victim's packets and forward them to the real AP.

A diagram illustrates the SSID confusion attack.

(Image: Top10VPN)

Not all WLAN protocols are susceptible to the attack, for example because the SSID is included in the derivation of the Pairwise Master Key (PMK). Vanhoef classifies WPA1 and WPA2, as well as FT authentication, as secure. WEP, which can no longer be used securely anyway, is vulnerable, as is the newer and otherwise more secure WPA3. According to the list, 802.1X/EAP and mesh networks with AMPE authentication are also vulnerable to SSID confusion.
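The two preceding paragraphs hinge on one property: whether the SSID goes into the PMK. The following added example (not code from the article or from Vanhoef's research) models both cases. The WPA/WPA2-Personal derivation is the real PBKDF2-HMAC-SHA1 construction from IEEE 802.11 (SSID as salt, 4096 rounds); the SSID-agnostic variant is a constructed stand-in that only captures "same credentials, any SSID, same key" and is deliberately not the real WPA3 SAE algorithm. Passphrase and SSID values are constructed sample data.

```python
import hashlib


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK as specified in IEEE 802.11:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).
    Because the SSID is the salt, the network name is bound into the key."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def ssid_agnostic_pmk(passphrase: str, ssid: str) -> bytes:
    """Constructed stand-in (NOT the real SAE/EAP/AMPE derivation) for any
    scheme whose PMK does not depend on the SSID: two networks that share
    the credentials end up with the same PMK, whatever their names."""
    del ssid  # the defining weakness: the network name plays no role
    return hashlib.sha256(b"constructed-model|" + passphrase.encode("utf-8")).digest()


def handshake_completes(derive, passphrase: str, believed_ssid: str, actual_ssid: str) -> bool:
    """The client derives its PMK for the network it *believes* it joined
    (the trusted SSID shown in the rewritten scan responses); the real AP
    derives its PMK for the network it *actually* serves. The 4-way
    handshake that follows only completes if both hold the same PMK."""
    client_pmk = derive(passphrase, believed_ssid)
    ap_pmk = derive(passphrase, actual_ssid)
    return client_pmk == ap_pmk


def ssid_binding_blocks_confusion(derive, passphrase: str, trusted_ssid: str, other_ssid: str) -> bool:
    """True when a victim that thinks it is joining trusted_ssid, but is
    relayed to the AP of other_ssid (same credentials), cannot complete the
    handshake, i.e. the PMK derivation defeats SSID confusion."""
    return not handshake_completes(derive, passphrase, trusted_ssid, other_ssid)


if __name__ == "__main__":
    # Constructed sample values: two SSIDs that deliberately share one passphrase.
    pw, trusted, other = "CorrectHorseBattery", "office-main", "office-mesh"
    for name, derive in (("WPA2-PSK (SSID in PMK)", wpa2_psk_pmk),
                         ("SSID-agnostic model", ssid_agnostic_pmk)):
        blocked = ssid_binding_blocks_confusion(derive, pw, trusted, other)
        print(f"{name}: SSID confusion blocked = {blocked}")
```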

In their overview of the SSID confusion vulnerability, the authors also list potential countermeasures. These include changes to the Wi-Fi standards - Wi-Fi 7 includes the option of beacon protection, which thwarts such attacks. In practical terms, however, network admins can prevent the reuse of credentials across SSIDs. Enterprise networks should use distinct common names for RADIUS authentication, while in home networks a separate access password for each SSID would help. According to the list of affected protocols, switching back from WPA3 to WPA2 could also serve as a quick and more practical interim solution.

When asked by heise online how the network experts assess the gap and whether the widespread mesh networks, for example with the Fritz repeaters, are affected, AVM has not yet responded. Lancom, on the other hand, is asking for a little more time to carry out a comprehensive assessment.

(dmk)