Traffic Hijacking in Wi-Fi Networks via ICMP Redirects

Abstract

This paper uncovers a vulnerability involving identity spoofing through cross-layer interactions among Wi-Fi, IP, and ICMP protocols. The discovered vulnerability enables an off-path attacker to impersonate the Access Point (AP) of a Wi-Fi network, allowing the attacker to hijack plaintext traffic transmitted by wireless stations. We identify a design flaw in the Network Processing Units (NPUs) of widely-used chip manufacturers, which can be exploited by the attacker to spoof the AP and send ICMP redirect messages. By deceitfully mimicking a new AP within the network, the attacker successfully tricks other supplicants into believing that the attacker is a legitimate AP within the network. Consequently, the victim supplicants unknowingly forward their plaintext traffic to the attacker, leading to a successful Man-In-The-Middle (MITM) attack. Through extensive experimentation, we demonstrate that 55 popular AP routers and over 89% of real-world Wi-Fi networks are susceptible to the identified MITM attack.
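A defender-side check for the redirect messages the abstract describes, added here as an illustration and not taken from the paper: it parses an ICMP redirect (RFC 792, type 5) and flags one whose advertised gateway is not the network's known router. It assumes a single-gateway Wi-Fi network; the function names and the sample addresses (documentation ranges) are constructed for this example.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # RFC 792 message type

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes):
    """Return the redirect's fields, or None if it is not a well-formed redirect."""
    # 8-byte ICMP header plus a 20-byte embedded IPv4 header is the minimum.
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or icmp[1] > 3:
        return None
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        return None
    inner = icmp[8:]              # header of the packet that "triggered" the redirect
    if inner[0] >> 4 != 4:
        return None
    return {
        "code": icmp[1],
        "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
        "original_src": ipaddress.IPv4Address(inner[12:16]),
        "redirected_dst": ipaddress.IPv4Address(inner[16:20]),
    }

def is_suspicious(icmp: bytes, expected_gateway: str) -> bool:
    """Flag redirects that steer a station to a hop other than the known router."""
    r = parse_redirect(icmp)
    return r is not None and r["new_gateway"] != ipaddress.IPv4Address(expected_gateway)

def build_sample(new_gateway: str) -> bytes:
    """Constructed test input: redirect for traffic 192.0.2.10 -> 198.51.100.7."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address("192.0.2.10").packed,
                        ipaddress.IPv4Address("198.51.100.7").packed) + bytes(8)
    body = ipaddress.IPv4Address(new_gateway).packed + inner
    csum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, 1, csum) + body

if __name__ == "__main__":
    print(is_suspicious(build_sample("192.0.2.66"), "192.0.2.1"))
```

Networks with more than one legitimate router need an allow-list of gateways rather than a single expected address.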

Yuxiang Yang
Ph.D. Student

My research focuses on network security, particularly protocol security, internet measurement, network & protocol fuzzing, and network vulnerability discovery & attack.