Remote frame injection PoC by exploiting an A-MPDU vulnerability in 802.11n - el_duderino
https://github.com/rpp0/aggr-inject

======
cesarb
Very interesting. It's a fault injection attack causing content from the
highest layers to be misinterpreted as coming from the lowest layers, with the
"fault injection" part being done by the noisy wireless medium itself!

This reminds me of the classic "+++ATH0" attack, where sending that string in
for instance an IRC message caused some modems to hang up.

One solution is to scramble the data, so parts of it cannot be misinterpreted
as lower-level framing, even if a few bits are corrupted. One good way to
scramble the data is encryption, so even a trivially encrypted network (for
instance, the password being the same as the SSID) would be immune to this
attack.

~~~
userbinator
_One solution is to scramble the data, so parts of it cannot be misinterpreted
as lower-level framing_

Since the scrambling must be reversible, it would still be possible to
generate the framing sequence with a different stream of data. It also only
reduces the chances of the framing sequence appearing, but doesn't eliminate
it completely.

The real solution is to ensure that the framing sequence is impossible to
produce with normal data, by making it out-of-band with e.g. a different
frequency or modulation.

------
thekaleb
It says this is for unencrypted networks, so do most coffee shops use n?

~~~
falcolas
Given that this can affect anyone from a web page, any coffee shop which uses
"n" is vulnerable. And I know of a few I frequent which use 'n'.

~~~
userbinator
If this is 'n'-only, would going down to 'a' or 'g' mitigate it completely?
Especially in a coffee shop where the outbound connection is unlikely to be
very fast anyway, the bandwidth difference probably won't be noticeable.

~~~
wtallis
Since 802.11n was the first standard to support packet aggregation,
dropping back to a/g will probably work, unless clients cannot be told by the
AP not to treat the network as a mixed a/g/n network.

