Securing Wi-Fi 6 Connection Establishment Against Relay and Spoofing Threats

TL;DR

This paper introduces a backward-compatible physical-layer scheme with digital signatures to secure Wi-Fi 6 connection establishment against relay and spoofing attacks, demonstrating high detection accuracy and formal security validation.

Contribution

A novel PHY-layer signature embedding method for Wi-Fi 6 CE phase that enables concurrent verification and robust attack detection without increasing frame size.

Findings

Achieves 96-100% true positive rate in relay attack detection

Supports concurrent connection establishment with high accuracy

Validated security and correctness through formal analysis

Abstract

Wireless local area networks remain vulnerable to attacks initiated during the connection establishment (CE) phase. Current Wi-Fi security protocols fail to fully mitigate attacks like man-in-the-middle, preamble spoofing, and relaying. To fortify the CE phase, in this paper we design a backward-compatible scheme using a digital signature interwoven into the preambles at the physical (PHY) layer with time constraints to effectively counter those attacks. This approach slices a MAC-layer signature and embeds the slices within CE frame preambles without extending frame size, allowing one or multiple stations to concurrently verify their respective APs' transmissions. The concurrent CEs are supported by enabling the stations to analyze the consistent patterns of PHY-layer headers and identify whether the received frames are the anticipated ones from the expected APs, achieving 100% accuracy without needing to examine their MAC-layer headers. Additionally, we design and implement a fast relay attack to challenge our proposed defense and determine its effectiveness. We extend existing open-source tools to support IEEE 802.11ax to evaluate the effectiveness and practicality of our proposed scheme in a testbed consisting of USRPs, commercial APs, and Wi-Fi devices, and we show that our relay attack detection achieves 96-100% true positive rates. Finally, end-to-end formal security analyses confirm the security and correctness of the proposed solution.