Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack
- URL: http://arxiv.org/abs/2402.12716v5
- Date: Tue, 01 Oct 2024 04:22:34 GMT
- Title: Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack
- Authors: Ziqiang Wang, Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, Mengyuan Li, Ganqiu Du, Ke Xu, Jianping Wu
- Abstract summary: We unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks.
We validate the effectiveness of this side channel attack through two case studies.
We implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) evaluated Wi-Fi networks.
- Score: 33.68960337314623
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In this paper, we unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. Despite the various security mechanisms (e.g., WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals that an off-path attacker can still extract sufficient information from the frame size side channel to hijack the victim's TCP connection. Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes. By observing the size of the victim's encrypted frames, the attacker can detect and hijack the victim's TCP connections. We validate the effectiveness of this side channel attack through two case studies, i.e., SSH DoS and web traffic manipulation. Precisely, our attack can terminate the victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds. Furthermore, we conduct extensive measurements to evaluate the impact of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers from 9 well-known vendors, and none of these routers can protect victims from our attack. Besides, we implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) evaluated Wi-Fi networks. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address this issue.
Related papers
- Red Pill and Blue Pill: Controllable Website Fingerprinting Defense via Dynamic Backdoor Learning [93.44927301021688]
  Website fingerprint (WF) attacks covertly monitor user communications to identify the web pages they visit.
  Existing WF defenses attempt to reduce the attacker's accuracy by disrupting unique traffic patterns.
  We introduce Controllable Website Fingerprint Defense (CWFD), a novel defense perspective based on backdoor learning.
  arXiv Detail & Related papers (2024-12-16T06:12:56Z)
- Exploiting Cross-Layer Vulnerabilities: Off-Path Attacks on the TCP/IP Protocol Suite [26.96330717492493]
  We investigate cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages.
  We uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing.
  These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks.
  arXiv Detail & Related papers (2024-11-15T02:41:53Z)
- Attacking Slicing Network via Side-channel Reinforcement Learning Attack [9.428116807615407]
  We introduce a reinforcement learning-based side-channel cache attack framework specifically designed for network slicing environments.
  Our framework dynamically identifies and exploits cache locations storing sensitive information, such as authentication keys and user registration data.
  Experimental results showcase the superiority of our approach, achieving a success rate of approximately 95% to 98%.
  arXiv Detail & Related papers (2024-09-17T15:07:05Z)
- Seeing is (Not) Believing: Practical Phishing Attacks Targeting Social Media Sharing Cards [4.835306415626808]
  In this study, we investigate the construction and dissemination mechanisms of sharing cards for link previews.
  Our investigation reveals a novel type of attack, i.e., the Sharing Card Forgery (SCF) attack, which can be exploited to create forged benign sharing cards for malicious links.
  Our findings indicate a significant risk, as the deceptive cards can evade detection and persist on social platforms.
  arXiv Detail & Related papers (2024-05-17T13:13:23Z)
- Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks [22.72218888270886]
  We uncover a new side-channel vulnerability in the widely used NAT port preservation strategy and an insufficient reverse path validation strategy of Wi-Fi routers.
  Off-path attackers can infer if there is one victim client in the same network communicating with another host on the Internet using TCP.
  We test 67 widely used routers from 30 vendors and discover that 52 of them are affected by this attack.
  arXiv Detail & Related papers (2024-04-06T11:59:35Z)
- Tamper-Evident Pairing [55.2480439325792]
  Tamper-Evident Pairing (TEP) is an improvement of the Push-Button Configuration (PBC) standard.
  TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper with a transmitted message without being detected, nor hide the fact that the message has been sent.
  This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
  arXiv Detail & Related papers (2023-11-24T18:54:00Z)
- Efficient and Low Overhead Website Fingerprinting Attacks and Defenses based on TCP/IP Traffic [16.6602652644935]
  Website fingerprinting attacks based on machine learning and deep learning tend to use the most typical features to achieve a satisfactory attack success rate.
  To defend against such attacks, random packet defense (RPD), with a high cost of excessive network overhead, is usually applied.
  We propose a filter-assisted attack against RPD, which can filter out the injected noise using the statistical characteristics of TCP/IP traffic.
  We further improve the list-based defense by a traffic splitting mechanism, which can combat the mentioned attacks as well as save a considerable amount of network overhead.
  arXiv Detail & Related papers (2023-02-27T13:45:15Z)
- TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643]
  We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack.
  Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets.
  TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
  arXiv Detail & Related papers (2021-03-10T19:03:38Z)
- Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases [87.69818690239627]
  We study the problem of Trojan network (TrojanNet) detection in the data-scarce regime.
  We propose a data-limited TrojanNet detector (TND) for the case where only a few data samples are available for TrojanNet detection.
  In addition, we propose a data-free TND, which can detect a TrojanNet without accessing any data samples.
  arXiv Detail & Related papers (2020-07-31T02:00:38Z)
- An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks [59.42357806777537]
  A Trojan attack aims to attack deployed deep neural networks (DNNs) by relying on hidden trigger patterns inserted by attackers.
  We propose a training-free attack approach, which differs from previous work in which trojaned behaviors are injected by retraining the model on a poisoned dataset.
  The proposed TrojanNet has several nice properties, including (1) it activates on tiny trigger patterns and keeps silent for other signals, (2) it is model-agnostic and could be injected into most DNNs, dramatically expanding its attack scenarios, and (3) the training-free mechanism saves massive training effort compared to conventional Trojan attack methods.
  arXiv Detail & Related papers (2020-06-15T04:58:28Z)
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
  Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN) based vision systems.
  This paper proposes a self-supervised adversarial training mechanism in the input space.
  It provides significant robustness against unseen adversarial attacks.
  arXiv Detail & Related papers (2020-06-08T20:42:39Z)