Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets

In this study, we discover a subtle yet serious timing side channel that exists in all generations of half-duplex IEEE 802.11 (Wi-Fi) technology. Previous TCP injection attacks stem from software vulnerabilities that can be easily eliminated via software updates, but the side channel we report is rooted in the fundamental design of the IEEE 802.11 protocols. This design flaw means it is impossible to eliminate the side channel without substantial changes to the specification. By studying the TCP stacks of modern operating systems and their potential interactions with the side channel, we construct reliable and practical off-path TCP injection attacks against the latest versions of all three major operating systems (macOS, Windows, and Linux). Our attack only requires that a device be connected to the Internet via a wireless router and be reachable from an attack server (e.g., indirectly, by visiting a malicious website). Among possible attack scenarios, such as inferring the presence of connections and counting exchanged bytes, we demonstrate a particular threat in which an off-path attacker can poison the web cache of an unsuspecting user within minutes (as fast as 30 seconds) under realistic network conditions.