Pages

Wednesday, 7 August 2024

The SSID Confusion Attack: Common Misconceptions

We've spotted some confusion about the SSID confusion attack. First, it's by no means something to panic about, but it's nice research to make one think about threat models. To address some common misconceptions:

The adversary doesn't need to know the pre-shared secret. The SSID Confusion attack can cause a victim to connect to a different SSID, as long as that SSID uses the same credentials as another SSID. However, the adversary doesn't need to know these credentials. After all, if the adversary, for instance, already has access to the password of a home network, they could simply perform a generic man-in-the-middle attack by spoofing the real SSID.

The adversary doesn't need access to the RADIUS server. To execute this attack against an Enterprise network, the adversary doesn't require any access to the RADIUS server. The attack doesn't require any Enterprise network credentials—no usernames, passwords, certificates, or RADIUS access. The adversary is always an outsider. Having some kind of additional access can increase the impact of the attack though. For example, in Section 4.3, the adversary is also assumed to have the capability to obtain the Wi-Fi decryption keys from a hotspot. However, even in this scenario, direct access to the RADIUS server is not required—only access to the Pairwise Master Key (PMK) is needed.

The attack applies to most, if not all, EAP methods. The attack isn't limited to MS-CHAPv2; it applies to all EAP methods. In the paper, we mentioned MS-CHAPv2 and EAP-PWD because they are often used by eduroam networks. Note that based on scraped public configuration profiles, MS-CHAPv2 is still the most common EAP method for eduroam networks.

The 2.4 GHz band can support management frame protection. Previous surveys (i.e., wardrives) of over 250,000 networks have found that, on average, 2.4 GHz networks are less likely to use management frame protection. So 2.4 GHz networks can certainly support management frame protection, but it's less common in practice compared to 5 GHz networks, especially on networks that only broadcast on the 2.4 GHz band.

Typically, the same equipment advertises 2.4 and 5 GHz SSIDs. Usually, the same router or access point advertises both the 2.4 and 5 GHz SSIDs. As we'll further discuss below, it's therefore less common for the 2.4 and 5 GHz SSIDs to have different security settings. However, previous research has found that this does occasionally occur. In particular, a separate SSID for the 2.4 GHz band can be created for backwards compatibility, in which case management frame protection is then also disabled to further enhance backwards compatibility.

Security of 2.4 vs. 5 GHz networks. The attack can make a client connect to the 2.4 GHz SSID of a network, even if the client is configured to connect only to the 5 GHz SSID. This might not seem useful, but real-world measurements have shown that the 2.4 GHz SSID is often less secure and more vulnerable to older attacks. That being said, due to the point discussed above, this difference in security is lower for networks that support both the 2.4 and 5 GHz band. Nevertheless, even for networks that support both 2.4 and 5 GHz, it does occasionally occur that the 2.4 GHz band is less secure, as mentioned above.

What's the real lesson? The most interesting part of the paper is not its practical impact. Given the specific threat model, I don't expect many real-world attacks. However, it highlights the importance of considering threat models. In particular, it shows that only verifying credentials without checking the SSID can impact security. Additionally, it highlights that some Enterprise networks with different purposes and different SSIDs, may actually share the same RADIUS server and security configuration. These scenarios may not be typical, but they represent how some use Wi-Fi in practice. We should consider these use cases or at least warn about their potential insecurity!