A group of academic researchers from Northeastern University in Boston and KU Leuven in Belgium have devised a new attack that can intercept Wi-Fi traffic at the MAC (media access control) layer, even between clients that are not allowed to communicate with one another. The attack exploits a Wi-Fi client isolation bypass vulnerability tracked as CVE-2022-47522 and can be used to bypass Dynamic ARP inspection (DAI).
To set up an attack, an adversary first needs to wait for a client to connect to a vulnerable access point (AP), which is typically followed by a request sent to a server over the internet. The attacker then needs to forcibly disconnect the victim from the AP before the response arrives, spoof the MAC address of the victim to connect to the network using the adversary’s credentials, and then intercept the response from the server, which the AP will send to the spoofed MAC address.
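The sequence above leaves a defender-side footprint: the victim's MAC address disconnects and, within seconds, re-associates to the same network under a different user identity. As an added example (not from the researchers, the MacStealer tool, or Cisco), the following Python script scans constructed AP association logs for that pattern; the log format, MAC addresses and user names are assumptions made for the example, and it only applies where clients authenticate with per-user credentials.

```python
import re
from datetime import datetime

# Constructed sample of AP association events (not a real vendor log format).
# Line 3 is the suspicious one: the MAC that "alice" had just been using
# re-associates three seconds later under a different identity.
SAMPLE_LOG = """\
2023-03-28T10:00:01 ASSOC mac=aa:bb:cc:dd:ee:01 user=alice@example.org ap=ap-floor2
2023-03-28T10:00:03 DISASSOC mac=aa:bb:cc:dd:ee:01 user=alice@example.org ap=ap-floor2 reason=deauth
2023-03-28T10:00:04 ASSOC mac=aa:bb:cc:dd:ee:01 user=mallory@example.org ap=ap-floor2
2023-03-28T10:05:00 ASSOC mac=aa:bb:cc:dd:ee:02 user=bob@example.org ap=ap-floor2
2023-03-28T12:00:00 ASSOC mac=aa:bb:cc:dd:ee:02 user=bob@example.org ap=ap-floor3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ASSOC|DISASSOC) mac=(?P<mac>\S+) user=(?P<user>\S+)"
)


def parse_events(log):
    """Turn each log line into a dict with a datetime timestamp; skip lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_identity_swaps(log, window_seconds=30):
    """Return (mac, previous_user, new_user, gap_seconds) for every MAC address that
    associates under a different user identity within window_seconds of its
    previous association. A same-user reconnect (e.g. roaming) is not flagged."""
    last_assoc = {}  # mac -> (timestamp, user) of the most recent association
    alerts = []
    for ev in parse_events(log):
        if ev["event"] != "ASSOC":
            continue
        prev = last_assoc.get(ev["mac"])
        if prev is not None and prev[1] != ev["user"]:
            gap = (ev["ts"] - prev[0]).total_seconds()
            if gap <= window_seconds:
                alerts.append((ev["mac"], prev[1], ev["user"], gap))
        last_assoc[ev["mac"]] = (ev["ts"], ev["user"])
    return alerts


if __name__ == "__main__":
    for mac, old, new, gap in find_identity_swaps(SAMPLE_LOG):
        print(f"ALERT: {mac} switched from {old} to {new} after {gap:.0f}s")
```

The window is deliberately short because a legitimate user normally keeps the same identity across reconnects; tune it to your environment and feed it the controller's real association or RADIUS accounting records.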
The issue is related to the power-save mechanism that has been part of the IEEE 802.11 standard since the beginning. It can be exploited to leak frames in plaintext, and it allows an attacker to force the AP to queue frames meant for a specific client, which can lead to device disconnection and a denial-of-service (DoS) condition.
The researchers also released an open source tool called MacStealer, which tests Wi-Fi networks for CVE-2022-47522. In an advisory this week, Cisco confirmed that its wireless access point products and Meraki products with wireless capabilities are impacted by the vulnerability, noting that the attack is rather opportunistic, only providing an adversary with information “of minimal value in a securely configured network”.
To summarize, a new attack has been devised by a group of academic researchers that can intercept Wi-Fi traffic at the MAC layer. The attack exploits a Wi-Fi client isolation bypass vulnerability tracked as CVE-2022-47522 and is based on the power-save mechanism that has been part of the IEEE 802.11 standard since the beginning. An open source tool called MacStealer has been released to test Wi-Fi networks for the vulnerability and Cisco confirmed that its wireless access point products and Meraki products with wireless capabilities are impacted by the issue.
Key Points:
• A group of academic researchers has devised a new attack that can intercept Wi-Fi traffic at the MAC layer.
• The attack exploits a Wi-Fi client isolation bypass vulnerability tracked as CVE-2022-47522 and is based on the power-save mechanism of the IEEE 802.11 standard.
• An open source tool called MacStealer has been released to test Wi-Fi networks for the vulnerability.
• Cisco confirmed that its wireless access point products and Meraki products with wireless capabilities are impacted by the issue.