WiFi Physical Layer Stays Awake and Responds When it Should Not
Ali Abedi, Haofan Lu, Alex Chen, Charlie Liu, Omid Abari

TL;DR
This paper uncovers widespread security and privacy vulnerabilities in WiFi devices, showing they respond to unauthorized packets and can be manipulated to stay awake, enabling battery drain and sensing attacks.
Contribution
It reveals fundamental flaws in WiFi's handling of unauthorized packets and power management, demonstrating practical attacks exploiting these vulnerabilities.
Findings
Over 5,000 devices from 186 vendors are vulnerable.
Unauthorized devices can keep WiFi radios awake using fake frames.
Practical attacks include battery drain and WiFi sensing.
Abstract
WiFi communication should be possible only between devices inside the same network. However, we find that all existing WiFi devices send back acknowledgments (ACK) to even fake packets received from unauthorized WiFi devices outside of their network. Moreover, we find that an unauthorized device can manipulate the power-saving mechanism of WiFi radios and keep them continuously awake by sending specific fake beacon frames to them. Our evaluation of over 5,000 devices from 186 vendors confirms that these are widespread issues. We believe these loopholes cannot be prevented, and hence they create privacy and security concerns. Finally, to show the importance of these issues and their consequences, we implement and demonstrate two attacks where an adversary performs battery drain and WiFi sensing attacks just using a tiny WiFi module which costs less than ten dollars.
Taxonomy
Topics: Wireless Networks and Protocols · Energy Harvesting in Wireless Networks · Wireless Communication Security Techniques
