In this research, the authors investigate how Wi-Fi access points handle the security context of queued frames. By exploiting power-save features, they are able to trick access points into leaking buffered frames either in plaintext or encrypted with a group key or an all-zero key, which enables various attacks against open-source network stacks. The authors attribute these vulnerabilities to a lack of explicit guidance on managing security contexts in the 802.11 standards. They also discover a fundamental design flaw in the power-save bit of a frame's header, which allows adversaries to disconnect specific clients and launch denial-of-service attacks. Additionally, they demonstrate how an attacker can control the security context of frames that have yet to be queued, bypassing Wi-Fi encryption and intercepting web traffic. These attacks have a widespread impact on devices and operating systems such as Linux, FreeBSD, iOS, and Android. The research highlights the need for transparency in how security context is handled across network stack layers, and the challenges involved in doing so.
https://www.usenix.org/conference/usenixsecurity23/presentation/schepers