AirEye has discovered a new vulnerability which can lead to a new generation of Rogue Access Point (APs). These new rogue APs go undetected by Wireless Intrusion Detection/ Prevention Systems (WIDS/ WIPS).
As part of our research, we found a vulnerability by-design in the Wi-Fi protocol that under OWE mode exposes Hidden Networks. This means that a hidden wireless network name is open to all, not just to a device attempting to access a pre-known hidden network.
As mentioned, this vulnerability allows an attacker to develop “The next generation of Rogue Access Points”, not detected by existing WIDS and WIPS.
Wi-Fi Protocol Background: OWE Transition Mode
The IEEE 802.11 has recently introduced a new standard known as “Enhanced Open authentication (OWE) Transition” which is being widely adopted by the industry. It allows the creation of secure connectivity for an open network without the need to establish a key sharing scheme.
This new standard comes with an authentication feature that makes use of two separate Basic Service Set Identifiers (BSSIDs) – one that’s open and the other that’s protected with OWE encryption. The beacon frame, which is used to advertise the existence of a wireless network, now includes a new tag that displays both the SSID and BSSID of the other network in the pair, allowing devices to effortlessly switch between the open and protected BSSIDs.
When implementing the OWE WLAN in transition mode, the access point (AP), as mentioned, sends out two distinct BSSIDs via two separate beacons. One BSSID is non-hidden and includes the user-defined SSID without encryption. The other BSSID is hidden and comes with OWE encryption. Each BSSID contains an Information Element (IE) which has the other BSSID and its corresponding SSID. The OWE Beacon, which uses the hidden SSID, employs the same SSID as the other network, but with an added prefix, usually the word “owe,” and in some cases, a random suffix.
The Vulnerability: Technical Details
There is a vulnerability in this network setup when it is set as a hidden network. One would expect that only when a station sends a Probe request with the actual SSID (whereas the user already knows the SSID), then the SSID would appear in the OWE IE.
As opposed though to this logic, the beacons still carry both SSIDs in the OWE IE. Since OWE and open networks do not require prior knowledge, anyone with a basic sniffing tool can easily connect to the hidden network. The AP does not broadcast the SSID in the SSID field when “wildcard” probe requests are made, but it does not do the same in the OWE IE, leading to potential security risks.
In other non-OWE Transition networks, an advisory sniffing the network would know of a hidden network only when there is a connection. In this scenario, the network’s details are known regardless of connection attempts.
Hence, this SSID leakage defeats the purpose of a hidden network.
To begin with, exposing a hidden network enables unauthorized users to connect to a network which was established under the premise that it should not be used.
Second, an attacker can create a rogue AP that is hidden yet broadcasts the name of an organizational network thus deceiving users into which network to connect to.
Bypassing WIDS/ WIPS Controls
While rogue APs that spoof the name of an organizational network are typically caught by Wireless Intrusion Detection/ Prevention Systems (WIDS/ WIPS) platforms, they would not catch this case as they are not aware of hidden networks.
Furthermore, most WIDS/ WIPS platforms prevent connections to rogue APs by manipulating the Wi-Fi protocol and stop the connection (i.e. injecting DeAuth frames). However, OWE encryption provides inherent protection against such manipulations (i.e. management frame protection) so that even were WIDS/ WIPS aware of these rogue APs they wouldn’t be able to prevent the connection.
We have notified the Wi-Fi Alliance on this vulnerability and received the following response:
“Wi-Fi Alliance considers ‘hidden SSIDs” to be a misnomer because the SSIDs are not actually hidden. Networks with the SSID broadcast disabled can still be discovered by an adversary by sniffing unencrypted traffic, for example in the probe request and probe response packets that contain the SSID. As a result, the inclusion of the SSID in the OWE beacon frame does not result in a new vulnerability as this information is already available to a potential attacker. Disabled SSID broadcast should not be considered a security feature.”
While we agree that “security by obscurity”, i.e. Hidden Networks, is not a security control, users still commonly create hidden networks as a measure to prevent unauthorized users from accessing a specific network. The fact that it bypasses current security controls, further makes this an issue that must be addressed.
What Can Organizations Do?
Organizations need to continuously monitor all their wireless network traffic in their airspace, including hidden networks, including those in OWE Transition mode. Once their network airspace is mapped, they need to identify the different entities, classify them and their interactions. Based on that, organizations can identify threats, detect unauthorized interactions and terminate the violating ones.
AirEye’s Network Airspace Control and Protection (NACP) platform provides out-of-the-box protection against wireless policy violations and attack scenarios. AirEye automatically discovers and alerts on hidden OWE networks and prevents any unauthorized connections to any encryption standard.