Tuesday, April 29, 2025
HomeCyber Security NewsNew WiFi Flaw Let Attackers Hijack Network Traffic

New WiFi Flaw Let Attackers Hijack Network Traffic

Published on

SIEM as a Service

Follow Us on Google News

A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.

When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.

WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.

- Advertisement - Google News

By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.

“Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic,” researchers.

According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.

Adversary Can Abuse the Power-Save Mechanisms

The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.

Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.

The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.

Attack Diagram

In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.

Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.

By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.

“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.

Network Device Models That Are Known To Be Vulnerable:

“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.

“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”

The researchers warn that these attacks may be exploited to inject malicious content, such as JavaScript, into TCP packets.

Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.

“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.

The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.

“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.

Are You a Pentester? –

Related Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023

The FBI’s Internet Crime Complaint Center (IC3) has reported a record-breaking loss of $16.6...

Fog Ransomware Reveals Active Directory Exploitation Tools and Scripts

Cybersecurity researchers from The DFIR Report’s Threat Intel Group uncovered an open directory hosted...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023

The FBI’s Internet Crime Complaint Center (IC3) has reported a record-breaking loss of $16.6...