Malicious Attacks

Deauthentication Attack

A deauthentication attack is a disruptive technique against wireless connections. It belongs to the denial-of-service family and abruptly renders networks temporarily inactive. These tactics are usually low-key, as they do not require unique skills or elaborate equipment. For some, deauthentication attacks are innocent pranks on coworkers, friends, or neighbors. However, they can be a component of a bigger ruse, such as an evil twin attack. In either case, perpetrators overwhelm networks with deauthentication requests, forcing them to drop their clients’ connections.

How a Deauthentication Attack Works

Deauthentication attacks are fraudulent requests that interfere with the communication between routers and devices. The strategy targets 802.11-based wireless networks, as they require deauthentication frames whenever users terminate connections. The dilemma here is that access points might not recognize that requests originate from a fraudulent source. Since networks do not validate incoming frames, hackers can imitate them. Lack of encryption adds fuel to the fire, even if sessions feature WEP.

Wi-Fi networks also do not have effective mechanisms for verifying MAC addresses. Perpetrators could spoof addresses and perform deauthentication attacks. Forged frames terminate connections. If attackers continue to send requests, users won’t be able to reconnect. While the attack could focus on a single target, all clients could lose connection to the access point.

As the attack forces clients to abandon the authentic AP, they might consider connecting to other hotspots. Rogue access points known as evil twins are highly prominent in the free Wi-Fi landscape. Nowadays, many popular hangouts supply free internet. Hackers could generate fake hotspots by mimicking the details of an official access point. So, after a deauthentication attack terminates clients’ connections, they could connect to a rogue network. Then, its owners can monitor all activities. This surveillance covers all communications, visited websites, financial transactions, and more. Hence, free Wi-Fi in crowded locations poses severe threats, especially if hackers set up evil twins nearby.

Scenarios When Deauthentication Attacks Occur

Disturbingly, there are articles and special tools for performing deauthentication attacks. While this strategy is prevalent in hackers’ communities, its purpose could be benign. Let’s discuss several scenarios that force networks to drop connections.

  • Terminating hidden cameras. Airbnb clients always wonder whether accommodation providers follow the rules regarding surveillance through cameras. Over the years, frequent disputes forced Airbnb to forbid the use of cameras in rented apartments or rooms. However, more cunning homeowners can conceal cameras from their guests. White hat hackers emphasize that deauthentication attacks can reveal whether a rented apartment conceals cameras.

  • Hotels pushing their paid Wi-Fi plans. There have been incidents when hotels employed deauthentication to promote their Wi-Fi services. In fact, the Federal Communications Commission (FCC) issued documents stating that blocking or interfering with Wi-Fi hotspots is illegal. One of the first offenders was the Marriott hotel, which had financial motives for disrupting visitors’ access points. However, charging perpetrators with deauthentication attacks is a rare sight. Usually, victims might blame the interruptions on unstable Wi-Fi.

  • A prank on neighbors or friends. Ethical computer hackers could employ deauthentication for testing purposes. In other cases, tech-savvy users might make their neighbors stop stealing their Wi-Fi. However, deauthentication attacks can be part of evil twin attacks, which are highly damaging to victims’ privacy.

Why does a deauth attack work on WPA2 despite encryption?

The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic. Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted and as such are easily spoofed.

To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have it enabled) for it to function.

Good to know:

Not all Wi-Fi clients, especially IoT devices, support 802.11w well. For maximum compatibility, network providers tend to turn off 802.11w today. That's why de-auth attacks are still popular.

Detecting Malicious Attacks

AirGuard is capable of detecting two types of Malicious Attacks:

  1. De-auth attack to AP: The attacker mimics a client by sending an excessive number of De-auth messages to managed APs, which makes the AP disconnect the client.

  2. De-auth attack to client: The attacker mimics an AP by sending an excessive number of De-auth messages to a client associated with a managed AP. This also results in the disconnection of the attacked client.

AirGuard shows the details of a Malicious Attack.
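
The two detection categories above can be illustrated with a sliding-window counter over captured deauthentication frames. This is an added example, not AirGuard's own logic: the threshold, window, MAC addresses and function names are assumptions, and frames are assumed to start at the 802.11 header (no radiotap prefix).

```python
import struct
from collections import defaultdict, deque

MANAGED_APS = {"aa:bb:cc:00:00:01"}   # constructed BSSID standing in for a managed AP
WINDOW_S, THRESHOLD = 5.0, 10         # assumed policy for "excessive": 10 frames in 5 s

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    # Frame Control byte 0xC0 = protocol version 0, type 0 (management), subtype 12.
    if len(frame) < 26 or frame[0] != 0xC0:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    (reason,) = struct.unpack_from("<H", frame, 24)   # reason code follows the header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect(records):
    """records: iterable of (timestamp_seconds, raw_frame). Returns a list of alerts."""
    windows, flagged, alerts = defaultdict(deque), set(), []
    for ts, raw in records:
        parsed = parse_deauth(raw)
        if parsed is None or parsed[2] not in MANAGED_APS:
            continue
        dst, src, bssid, _ = parsed
        # Addresses are unauthenticated, so classify by the direction the frame claims.
        kind = "deauth-to-client" if src == bssid else "deauth-to-AP"
        key = (kind, src, dst)
        q = windows[key]
        q.append(ts)
        while ts - q[0] > WINDOW_S:       # drop timestamps outside the sliding window
            q.popleft()
        if len(q) >= THRESHOLD and key not in flagged:
            flagged.add(key)
            alerts.append({"type": kind, "src": src, "dst": dst, "count": len(q)})
    return alerts

def sample_frame(dst, src, bssid, reason):
    """Constructed test input: 802.11 header plus reason code, as a monitor records it."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (b"\xc0\x00\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

AP, STA = "aa:bb:cc:00:00:01", "02:00:00:00:00:10"
SAMPLE = [(i * 0.1, sample_frame(STA, AP, AP, 7)) for i in range(12)]       # burst
SAMPLE += [(20.0 + 3 * i, sample_frame(AP, STA, AP, 3)) for i in range(4)]  # sparse

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The sparse frames in the sample stay below the threshold, which is how ordinary client departures avoid being flagged; only the burst that claims the AP as its source raises an alert.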
