Researchers at Belgium's KU Leuven have discovered a new security vulnerability that exploits a design flaw in the IEEE 802.11 standard.
This vulnerability could potentially expose millions of users to traffic interception and manipulation.
The SSID Confusion Attack, identified under the identifier CVE-2023-52424, allows threat actors to trick Wi-Fi clients on any operating system into connecting to an untrusted network unknowingly.
In other words, this attack fools a victim into connecting to a different Wi-Fi network than the one they intended to join.
VPN review site Top10VPN, which collaborated with researchers Héloïse Gollier and Mathy Vanhoef from KU Leuven, released the inner workings of the SSID Confusion Attack this week, ahead of its presentation at the WiSec '24 conference in Seoul, South Korea.
The CVE-2023-52424 vulnerability affects all Wi-Fi clients (home, enterprise, mesh, and others) on all platforms and operating systems.
It also impacts Wi-Fi networks based on the widely deployed WPA3 protocol, WEP, and 802.1X/EAP.
“In this paper we demonstrate that a client can be tricked into connecting to a different protected Wi-Fi network than the one it intended to connect to. That is, the client’s user interface will show a different SSID than the one of the actual network it is connected to,” KU Leuven researchers Mathy Vanhoef and Héloïse Gollier said in their paper.
The root cause lies in the IEEE 802.11 standard itself, which underpins how Wi-Fi works: it does not require the network name (SSID) to be authenticated when a client connects to a protected network.
As a result, an attacker who spoofs a legitimate SSID can lure unsuspecting victims onto a less trusted network that accepts the same credentials, potentially leading to data interception and other security breaches.
According to Top10VPN, six universities (including institutions in the UK and U.S.) have been identified so far where staff and students are particularly at risk due to credential re-use.
To defend against the SSID Confusion Attack, the researchers have proposed several defenses: always including the SSID in key derivation during the 4-way handshake when connecting to protected networks, including the SSID as additional authenticated data in the 4-way handshake, improving beacon protection to help prevent spoofing, updating the 802.11 Wi-Fi standard to mandate authentication of the SSID when connecting to a protected network, and avoiding credential reuse across different SSIDs.
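The following Python model illustrates both the root cause described above (the SSID is not an input to the 4-way handshake's key derivation) and the first proposed defense (binding the SSID into key derivation). It is an added example written for this article, not code from the researchers or from Top10VPN. It implements the real WPA2-Personal PMK derivation (PBKDF2-HMAC-SHA1 with the SSID as salt), the IEEE 802.11 PRF and EAPOL-Key MIC, and then simulates message 2 of the handshake between a client that believes it is joining `TrustedNet` and an AP that is really `WrongNet` but accepts the same credentials. The `ssid_independent_pmk` function, the sample passphrase, MAC addresses, nonces and EAPOL body, and the way the SSID is appended to the PTK inputs under the defense are all constructed assumptions of the model, not the standard's or any real SAE/EAP derivation.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data for this example (not from the paper): one shared secret
# that a user has reused on two networks with different names.
PASSPHRASE = "correct horse battery staple"
TRUSTED_SSID = "TrustedNet"   # the network the victim intends to join
WRONG_SSID = "WrongNet"       # the network the victim is actually relayed to

# Constructed addresses and nonces so the simulated handshake is deterministic.
AP_MAC = bytes.fromhex("aabbccddeeff")
CLIENT_MAC = bytes.fromhex("001122334455")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so the same passphrase on a different SSID yields a different PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ssid_independent_pmk(secret: bytes) -> bytes:
    """Stand-in (assumption of this model) for a PMK into which the network name never
    enters: modeled as a hash of the shared secret alone, not a real SAE or EAP derivation."""
    return hashlib.sha256(b"pmk|" + secret).digest()


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ssid: Optional[str] = None) -> bytes:
    """PTK for the 4-way handshake (WPA2-CCMP: 48 bytes = KCK || KEK || TK).
    With ssid=None this is the standard derivation: its inputs are only the PMK, the two
    MAC addresses and the two nonces, so the SSID is absent. Passing an ssid models the
    proposed defense of binding the name into key derivation; appending it to the nonce
    data is an assumption of this example, not the standard's encoding."""
    data = (min(AP_MAC, CLIENT_MAC) + max(AP_MAC, CLIENT_MAC)
            + min(ANONCE, SNONCE) + max(ANONCE, SNONCE))
    if ssid is not None:
        data += ssid.encode()
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_body: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]


def handshake_accepted(client_pmk: bytes, ap_pmk: bytes,
                       client_ssid: str, ap_ssid: str, bind_ssid: bool) -> bool:
    """Message 2 of the 4-way handshake: the client MICs the frame with its KCK and the AP
    verifies with its own. True when the AP accepts, i.e. both sides derived the same PTK.
    Each side uses the SSID *it* believes the network has."""
    msg2 = b"\x02\x03\x00\x75" + SNONCE     # constructed stand-in for the EAPOL-Key body
    client_ptk = derive_ptk(client_pmk, client_ssid if bind_ssid else None)
    ap_ptk = derive_ptk(ap_pmk, ap_ssid if bind_ssid else None)
    return hmac.compare_digest(eapol_mic(client_ptk[:16], msg2), eapol_mic(ap_ptk[:16], msg2))


def ssid_confusion_succeeds(pmk_scheme: str, bind_ssid: bool = False) -> bool:
    """The victim believes it is joining TRUSTED_SSID; the AP it is relayed to is WRONG_SSID,
    which accepts the same credentials. True means the connection completes while the
    victim's UI shows the wrong network name."""
    if pmk_scheme == "wpa2-psk":
        client_pmk = wpa2_psk_pmk(PASSPHRASE, TRUSTED_SSID)
        ap_pmk = wpa2_psk_pmk(PASSPHRASE, WRONG_SSID)
    elif pmk_scheme == "ssid-independent":
        client_pmk = ap_pmk = ssid_independent_pmk(PASSPHRASE.encode())
    else:
        raise ValueError(f"unknown scheme {pmk_scheme!r}")
    return handshake_accepted(client_pmk, ap_pmk, TRUSTED_SSID, WRONG_SSID, bind_ssid)


if __name__ == "__main__":
    print("SSID in PMK (WPA2-PSK PBKDF2):  ", ssid_confusion_succeeds("wpa2-psk"))
    print("SSID-independent PMK:           ", ssid_confusion_succeeds("ssid-independent"))
    print("... with SSID bound into PTK:   ", ssid_confusion_succeeds("ssid-independent", True))
```

In this model the confusion only completes when the PMK does not depend on the SSID and the handshake does not bind it either: the two sides then derive identical keys even though each believes it is on a different network. Salting the PMK with the SSID, or appending the SSID to the PTK inputs, makes the MIC check fail, which is the effect the first two proposed defenses aim for. The PBKDF2 step can be checked against the IEEE 802.11i test vector (passphrase `password`, SSID `IEEE`).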