Apple’s decision to support MAC Address Randomization across its platforms may provide some degree of protection against a newly-identified Wi-Fi flaw researchers say could let attackers hijack network traffic. iOS, Linux, and Android devices may be vulnerable.
The problem is how the standard handles power-saving
The researchers have identified a fundamental flaw in the design of the IEEE 802.11 Wi-Fi standard attackers could exploit to trick access points (Wi-Fi base stations) into leaking information. The researchers do not claim the vulnerability is being actively exploited, but warn that it might enable the interception of network traffic.
The attack exploits an inherent vulnerability in the data containers (network frames) routers rely on to move information across the network and how access points handle devices that enter power-saving mode.
To achieve the attack, miscreants must forcibly disconnect the victim device before it properly connects to the network, spoof the MAC address of the device to connect to the network using the attacker’s credentials, then grab the response. The vulnerability exploits on-device power-save behavior within the Wi-Fi standard to force data to be shared in unencrypted form.
The researchers have published an open source tool called MacStealer to test Wi-Fi networks for the vulnerability.
Cisco downplayed the report, saying “information gained by the attacker would be of minimal value in a securely configured network.”
The company does, however, recommend that network admins take action: “To reduce the probability that the attacks that are outlined in the paper will succeed, Cisco recommends using policy enforcement mechanisms through a system like Cisco Identity Services Engine (ISE), which can restrict network access by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.
“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” the company said.
The security researchers point out that denial-of-service attacks against Wi-Fi access points have been around forever, arguing that the 802.11 standard needs to be upgraded to meet new security threats. “Altogether, our work highlights the need for the standard to consider queuing mechanisms under a changing security context,” they wrote.
MAC Address Randomization
Apple recently extended its MAC Address Randomization feature across iPhones, iPads, Macs, and the Apple Watch. This additional layer of security helps mask devices by using randomly generated MAC addresses to connect to networks.
The MAC address is a device specific 12-character number that can reveal information concerning the device and is used as an intrinsic part of the Wi-Fi standard. The router will use this to ensure requested data goes to the correct machine, as without that address it would not recognize which machine to send information to.
As explained here, MAC Address Randomization helps mask the exact device on the network in a way that also makes data transmitted over that network a little more complex to decode. Security experts agree that, in a broad sense, it might help make the form of attack identified by the researchers a little harder to pull off. It isn’t foolproof protection, in part because it can be disabled by network providers who might insist on an actual address for use of the service.
MAC Address Randomization is also not enforced when a device connects to a preferred wireless network, and if an attacker is able to identify the random address and connect it to the device they could still mount an attack.
Every step you take to protect your devices, particularly when using Wi-Fi hotspots, is becoming more essential, rather than less.
Watching the Watchguards
Watchguard’s latest Internet Security Report confirms that while there has been some decline in the frequency of network-based attacks, many Wi-Fi networks might be vulnerable to the exploit. The report also reveals that endpoint ransomware increased a startling 627%, while malware associated with phishing campaigns continues to be a persistent threat.
“A continuing and concerning trend in our data and research shows that encryption — or, more accurately, the lack of decryption at the network perimeter — is hiding the full picture of malware attack trends,” said Corey Nachreiner, chief security officer at WatchGuard. “It is critical for security professionals to enable HTTPS inspection to ensure these threats are identified and addressed before they can do damage.”
Copyright © 2023 IDG Communications, Inc.