According to the researchers, the attack is based on the fact that security measures are only necessary when a device chooses to join a specific network, and the Wi-Fi standard does not need the network name (SSID or the service set identifier) to be authenticated at all times. This behavior has the overall effect of allowing an attacker to stage an adversary-in-the-middle (AitM) attack and trick a client into connecting to an untrusted Wi-Fi network instead of the one it was supposed to.

Put differently, there is no assurance that a user is connecting to the network they intend to, even though passwords and other credentials are mutually confirmed when logging into a protected Wi-Fi network. The downgrade attack requires the following conditions to be successful; the victim is trying to get on a reliable Wi-Fi network, a rogue network exists that uses the same login credentials as the original one, and the perpetrator is close enough to execute an AitM between the victim and the reliable network.

An update to the 802.11 Wi-Fi standard that includes the SSID as part of the 4-way handshake when connecting to protected networks is one proposed mitigation to address SSID confusion. Another is an improvement to beacon protection that permits a client to store a reference beacon containing the network's SSID and confirm its legitimacy during the 4-way handshake. A wireless access point will regularly broadcast management frames, or beacons, to communicate its existence. It includes details on the network's capabilities, beacon interval, and SSID, among other things.

Networks can lessen the impact of the attack by not reusing credentials between SSIDs. While home networks should use a different password for each SSID, enterprise networks should utilize unique RADIUS server CommonNames. The discoveries coincide with the revelation of two authentication bypass vulnerabilities that were found in open-source Wi-Fi programs like wpa_supplicant and Intel's iNet Wireless Daemon (IWD) and could trick users into joining a malicious clone of a genuine network or enable an attacker to join a trusted network without a password. These vulnerabilities were discovered almost three months ago.

Impact

• Exposure of Sensitive Data
• Security Bypass
• Cyber Espionage

Indicators of Compromise

CVE

• CVE-2023-52424

Remediation

• Update to the 802.11 Wi-Fi standard that includes the SSID as part of the 4-way handshake when connecting to protected networks.
• Refrain from reusing credentials between SSIDs.
• Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.