Malicious Data Frame Injection Attack Without Seizing Association in IEEE 802.11 Wireless LANs

Abstract

In the infrastructure mode of IEEE 802.11 wireless local area networks (LANs), an access point (AP) provides wireless networking to multiple wireless client nodes in the shared medium. Client nodes that have established an association with an AP fully trust the AP, and exchange data packets with other nodes on the Internet through the associated AP. If the AP has malicious intent or an attacker deprives the AP, the associated nodes are exposed to the potential danger of security attacks such as a denial of service, data traffic sniffing and spoofing, and malware attacks. These association extortion based attacks can be detected by monitoring frames at the medium access control (MAC) layer. In this article, we propose a malicious-frame-injection based attack without seizing the association between an AP and client nodes. The proposed attack performs wireless jamming, MAC frame sniffing, and spoofing successively in the shared wireless medium. We have implemented the proposed attack using software-defined radio (SDR) on a real-world experimental testbed with off-the-shelf nodes and performed the attack on hypertext transfer protocol (HTTP) communication using transmission control protocol (TCP) transport protocol to demonstrate its wireless LAN security risk.