A flaw in the design of the Wi-Fi standard could, under certain circumstances, allow an attacker to divert a user's connection to a less secure network, disable the VPN and intercept traffic.
The vulnerability, identified as CVE-2023-52424, allows for Service Set Identifier confusion attacks on enterprise, mesh, and some home Wi-Fi networks. The SSID confusion attack itself provides an attacker with a way to trick users into connecting to a network that is less secure than the one they think they are connected to.
If credential reuse is involved, users may be vulnerable to traffic interception. Additionally, this exploit may cause VPNs that have an auto-disable mode for trusted networks to switch themselves off.
What is CVE-2023-52424 and how does it work?
The vulnerability, discovered by renowned security researcher Professor Mathy Vanhoef and published in collaboration with Top10VPN, is caused by a design flaw in the IEEE 802.11 Wi-Fi standard and therefore affects all Wi-Fi clients and all operating systems, provided certain requirements are met. The research found that credential reuse puts both staff and students at particular risk in at least six universities in the UK and US.
A full research paper will explain all the technical details, but the root cause is that the IEEE 802.11 standard does not necessarily require authentication of the network name or SSID.
Wi-Fi access points use beacon frames (containing the SSID) to announce their wireless network to nearby devices. To make joining as easy as possible, Wi-Fi clients do not try to authenticate the SSIDs in these beacons, following the old cliché of trading security for ease of use.
That would be fine if such security measures were only required after a device joined a network. But CVE-2023-52424 proves that's not the case at all. “As a result of this fundamental design flaw, all WiFi clients on all platforms and operating systems are vulnerable to SSID confusion attacks,” the report states.
The only version of the Wi-Fi Protected Access security protocol that is vulnerable to this SSID confusion attack is WPA3, which is generally considered to be more secure than the older WPA1 and WPA2 protocols. An SSID confusion attack will only work if the following requirements are met:
- The victim is connected to a trusted network.
- A second network is available with the same credentials as the first network.
- The attacker is close enough to perform a man-in-the-middle attack.
“The victim does not need to have ever connected to an untrusted network, and the attacker does not need to know the victim's credentials,” the study states. Most VPNs should prevent traffic eavesdropping, but some can automatically disable themselves when the device connects to a trusted network. In these circumstances, “if this attack is successful, the victim's traffic would be compromised.”
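To make the root cause concrete, here is an added simulation (not code from the researchers or the article) of why the unauthenticated SSID matters when two networks share a passphrase: it contrasts a WPA2-PSK-style PMK derivation, which mixes the SSID into the key, with a stand-in derivation that ignores the SSID, as SAE and 802.1X-based PMKs do. The handshake, nonces, message and network names are simplified constructions; the stand-in is an assumption for illustration, not the SAE algorithm.

```python
import hashlib
import hmac
import os

PASSPHRASE = "correct horse battery staple"  # constructed; shared by both networks


def pmk_bound_to_ssid(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK style: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    The SSID is part of the key, so a different SSID yields a different PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_ignoring_ssid(passphrase: str, ssid: str) -> bytes:
    """Stand-in (assumption, not the real SAE/EAP algorithms) for derivations in
    which the PMK does not depend on the SSID at all; the ssid argument is unused."""
    return hashlib.sha256(b"stand-in-pmk|" + passphrase.encode()).digest()


def ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified pairwise key: HMAC over both nonces (802.11 also mixes in MACs)."""
    return hmac.new(pmk, anonce + snonce, "sha256").digest()


def handshake_succeeds(derive, client_ssid: str, ap_ssid: str,
                       passphrase: str = PASSPHRASE) -> bool:
    """The client trusts the beacon and believes it is joining client_ssid; the AP
    it is actually talking to serves ap_ssid with the same passphrase. Returns True
    if the client accepts the AP's key-confirmation MIC, i.e. it joins ap_ssid."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap_key = ptk(derive(passphrase, ap_ssid), anonce, snonce)
    client_key = ptk(derive(passphrase, client_ssid), anonce, snonce)
    msg = b"EAPOL-Key message 3"  # constructed stand-in for the handshake message
    ap_mic = hmac.new(ap_key, msg, "sha256").digest()
    client_mic = hmac.new(client_key, msg, "sha256").digest()
    return hmac.compare_digest(ap_mic, client_mic)


def ssid_confusion_possible(derive) -> bool:
    """True when a client keyed for 'TrustedNet' completes the handshake with an
    AP that really serves 'OtherNet' (constructed names, same passphrase)."""
    return handshake_succeeds(derive, "TrustedNet", "OtherNet")


if __name__ == "__main__":
    print("SSID bound into PMK  -> confusion possible:", ssid_confusion_possible(pmk_bound_to_ssid))
    print("SSID ignored by PMK  -> confusion possible:", ssid_confusion_possible(pmk_ignoring_ssid))
```

The second derivation is why the credential-reuse requirement above is sufficient: nothing in the key exchange ties the session to the name the client saw in the beacon.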
Cybersecurity experts discuss potential impact of SSID confusion vulnerability
Daniel Card, founder of cybersecurity consultancy PwnDefend, said successful exploits must take into account the costs and challenges that come with proximity requirements: “Someone close enough to have Wi-Fi is close enough to punch you in the face,” Card said. So while this works well in a lab environment, a successful exploit in the real world is much harder.
Ian Thornton-Trump, chief information security officer at threat intelligence consultancy Cyjax, thinks the impact of this attack on IoT devices is very interesting. “It could be possible to 'hijack' wireless device connections and potentially perform covert surveillance,” Thornton-Trump said. “For this reason, IoT devices should be placed on isolated segments and heavily restricted by port/protocol and destination to limit lateral movement and compromise.” While acknowledging that this is not a devastating discovery, given that most Wi-Fi implementations use WPA1 and WPA2, Thornton-Trump said that such research is “very important.” He said that such a detailed analysis was long overdue, since Wi-Fi is the foundation of our mobile digital lives.
Finally, here's a quote from Jake Moore, global cybersecurity advisor at security vendor ESET: “This connectivity flaw, which affects all Wi-Fi clients, is far from trivial. Public Wi-Fi has had a bad reputation for years, but as more people discover that VPNs and security software are standard, threat actors have no choice but to take action.”
Moore said the exploit fundamentally makes it clear that security depends on trust, and that users should always think carefully about the shared networks they connect their devices to. “It goes without saying that users should never reuse credentials and should ensure that any auto-disable features on their VPNs are turned off,” he said.