Bl0ck: Paralyzing 802.11 connections through Block Ack frames

TL;DR

This paper presents two new denial of service attacks on Wi-Fi 5 and 6 networks that exploit control frames, specifically Block Ack frames, to disable access points and affect many commercial devices with low effort.

Contribution

It introduces novel attack methods targeting control frames in Wi-Fi, revealing vulnerabilities in current standards and commercial access points, and provides detailed analysis and disclosure.

Findings

Attacks can disable Wi-Fi access points using inexpensive equipment.

Most commercial access points are vulnerable to these control frame exploits.

The vulnerabilities are linked to specific shortcomings in the 802.11-2020 standard.

Abstract

Despite Wi-Fi is at the eve of its seventh generation, security concerns regarding this omnipresent technology remain in the spotlight of the research community. This work introduces two new denial of service attacks against contemporary Wi-Fi 5 and 6 networks. Differently to similar works in the literature which focus on 802.11 management frames, the introduced assaults exploit control frames. Both the attacks target the central element of any infrastructure-based 802.11 network, i.e., the access point (AP), and result in depriving the associated stations from any service. We demonstrate that, at the very least, the attacks affect a great mass of off-the-self AP implementations by different renowned vendors, and it can be mounted with inexpensive equipment, little effort, and a low level of expertise. With reference to the latest standard, namely, 802.11-2020, we elaborate on the root cause of the respected vulnerabilities, pinpointing shortcomings. Following a coordinated vulnerability disclosure process, our findings have been promptly communicated to each affected AP vendor, already receiving positive feedback as well as a - currently reserved - common vulnerabilities and exposures (CVE) id, namely CVE-2022-32666.