Wireless 802.11 Systems: Deauthentication Vulnerability

The IEEE 802.11 (WLAN) protocol provides for a de-authentication frame. Sending this frame from an access point to a station is described as a “sanctioned technique to inform a rogue station that they have been disconnected from the network”.

But an attacker can send the access point a de-authentication frame at any time with the victim’s address forged as the sender (or send one to the victim with the access point’s address forged). Before the 802.11w-2009 amendment the protocol required no encryption or integrity protection for this frame, even when the session used Wired Equivalent Privacy (WEP) for data privacy, so the attacker only needs the victim’s MAC address, which is transmitted in the clear and can be read by sniffing the wireless network.
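To make this concrete, here is an added example (written for this page, not code from the original post or from Stefan Kremser’s library) that assembles a raw 802.11 de-authentication frame and parses it back. The MAC addresses are constructed placeholders and nothing is transmitted; the example only shows that the frame is 26 bytes of plaintext in which no field authenticates the transmitter address, so either side’s address can be written in by anyone.

```python
import struct

# Frame control, little-endian 16 bits: low byte = (subtype << 4) | (type << 2) | version,
# high byte = flags.  Type 0 (management), subtype 0xC = deauthentication, 0xA = disassociation.
FC_DEAUTH = 0x00C0
FC_DISASSOC = 0x00A0
FLAG_PROTECTED = 0x40      # flags bit 6: "Protected Frame"; clear on every pre-802.11w deauth

# A few reason codes from the standard; deauther tools commonly send 7.
REASONS = {1: "unspecified", 2: "previous authentication no longer valid",
           3: "deauthenticated because station is leaving",
           7: "class 3 frame received from non-associated station"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Build a raw (unprotected) 802.11 de-authentication frame.

    24-byte management header: frame control, duration, addr1 (receiver),
    addr2 (transmitter), addr3 (BSSID), sequence control.
    2-byte body: reason code.  Nothing in the frame ties addr2 to a key,
    so the transmitter address is whatever the sender chooses to write.
    """
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0,
                         mac_to_bytes(dst), mac_to_bytes(src), mac_to_bytes(bssid),
                         (seq & 0x0FFF) << 4)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame: bytes) -> dict:
    """Decode the management header and, for deauth/disassoc, the reason code."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    info = {"type": ftype, "subtype": subtype,
            "protected": bool(flags & FLAG_PROTECTED),
            "addr1": bytes_to_mac(a1), "addr2": bytes_to_mac(a2), "addr3": bytes_to_mac(a3),
            "seq": seqctl >> 4}
    if ftype == 0 and subtype in (0xA, 0xC):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


if __name__ == "__main__":
    AP = "02:11:22:33:44:55"       # constructed BSSID (locally administered address)
    VICTIM = "02:aa:bb:cc:dd:ee"   # constructed station MAC, the kind learned by sniffing

    # AP -> station: only the AP's MAC needs to be written into addr2.
    to_station = build_deauth(dst=VICTIM, src=AP, bssid=AP)
    # Station -> AP: same frame shape with the addresses swapped.
    to_ap = build_deauth(dst=AP, src=VICTIM, bssid=AP)
    # Broadcast "from" the AP reaches every associated station at once.
    to_all = build_deauth(dst="ff:ff:ff:ff:ff:ff", src=AP, bssid=AP)

    for f in (to_station, to_ap, to_all):
        p = parse_mgmt(f)
        print(len(f), "bytes", f.hex(), "->", p, REASONS.get(p["reason"]))
```

The parsed output is the view a sniffer such as Wireshark gives: a 26-byte frame, Protected Frame bit clear, and addresses that the receiver has no way to verify.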

Recently, after testing this vulnerability against my own router from a PC running Kali Linux with an RTL8192CU adapter (WNA1000Mv2), I wanted to do the same without any computer and found this powerful library by Stefan Kremser for the ESP8266 NodeMCU. I bought one straight away, flashed it and tested it. Although it was fun, interesting and adrenaline-inducing, I was worried that ordinary people could easily abuse this flaw, since all you need is about $5 and a two-minute YouTube video.

The 802.11 standard did receive an amendment (802.11w-2009) that protects management frames:

From Wikipedia:

Protected frames:

Protection-capable management frames are those sent after key establishment that can be protected using the existing protection key hierarchy in 802.11 and its amendments.

Only TKIP/AES frames are protected and WEP/open frames are not protected

  • Disassociation and de-authentication
  • Radio measurement action for infrastructure BSS (802.11k frames)
  • QoS action frame (802.11e frames)
  • Future 11v management frames (802.11v frames)

Protection-capable Management Frames are protected by the same cipher suite as an ordinary data MPDU.

  • MPDU payload is TKIP or CCMP encrypted.
  • MPDU payload and header are TKIP or CCMP integrity protected.
  • The protected frame subfield of frame control field is set.
  • Only cipher suites already implemented required.
  • Sender’s pairwise temporal key (PTK) protects the unicast management frame, and the group temporal key (GTK) is used to protect the broadcast/multicast management frame.
  • An RSN (802.11i) IE capability bit used to signal whether Protection-capable Management frames are protected.
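The last bullet above is the practical check: an access point advertises whether it supports or requires protected management frames in the RSN Capabilities field of its RSN information element (bit 6 MFPR, bit 7 MFPC). The following is an added example, written for this page rather than taken from Wikipedia or from the standard text, that parses the RSN element from a beacon body and classifies the network. The beacon bodies, SSID and cipher/AKM choices are constructed sample data.

```python
import struct

RSN_IE_ID = 48
RSN_OUI = b"\x00\x0f\xac"
MFPR = 1 << 6          # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7          # RSN Capabilities bit 7: Management Frame Protection Capable
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}


def iter_ies(tagged: bytes):
    """Yield (element id, payload) for each tagged parameter in a management frame body."""
    off = 0
    while off + 2 <= len(tagged):
        eid, ln = tagged[off], tagged[off + 1]
        yield eid, tagged[off + 2:off + 2 + ln]
        off += 2 + ln


def _suite(names: dict, sel: bytes) -> str:
    """Decode a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, kind = sel[:3], sel[3]
    return names.get(kind, f"type-{kind}") if oui == RSN_OUI else f"vendor-{oui.hex()}-{kind}"


def parse_rsn(payload: bytes) -> dict:
    """Decode an RSN IE payload (element 48) into its suites and PMF flags."""
    off = 0
    version = struct.unpack_from("<H", payload, off)[0]; off += 2
    group = _suite(CIPHERS, payload[off:off + 4]); off += 4
    n = struct.unpack_from("<H", payload, off)[0]; off += 2
    pairwise = [_suite(CIPHERS, payload[off + 4 * i:off + 4 * i + 4]) for i in range(n)]; off += 4 * n
    n = struct.unpack_from("<H", payload, off)[0]; off += 2
    akm = [_suite(AKMS, payload[off + 4 * i:off + 4 * i + 4]) for i in range(n)]; off += 4 * n
    # RSN Capabilities is optional at the end of the element; absent means every bit is clear.
    caps = struct.unpack_from("<H", payload, off)[0] if off + 2 <= len(payload) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def pmf_status(beacon_body: bytes) -> str:
    """Classify a beacon/probe-response body by its management frame protection."""
    # A beacon body starts with 12 fixed bytes: timestamp(8), interval(2), capability(2).
    for eid, payload in iter_ies(beacon_body[12:]):
        if eid == RSN_IE_ID:
            r = parse_rsn(payload)
            if r["mfpr"]:
                return "required"     # every station must negotiate PMF; forged deauths are dropped
            if r["mfpc"]:
                return "optional"     # stations that do not negotiate PMF can still be deauthed
            return "disabled"
    return "unavailable"  # no RSN IE (open, WEP or WPA1-only): 802.11w cannot apply


# ---- constructed sample beacons (not captured traffic) ----
def beacon(rsn_ie: bytes) -> bytes:
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, ESS+privacy
    ssid = bytes([0, 7]) + b"TestNet"
    return fixed + ssid + rsn_ie

# WPA2: version 1, group CCMP, pairwise CCMP, AKM PSK; the last two bytes are RSN Capabilities.
RSN_BASE = "0100" "000fac04" "0100" "000fac04" "0100" "000fac02"
BEACON_NO_PMF = beacon(bytes.fromhex("3014" + RSN_BASE + "0000"))
BEACON_PMF_OPTIONAL = beacon(bytes.fromhex("3014" + RSN_BASE + "8000"))
BEACON_PMF_REQUIRED = beacon(bytes.fromhex("3014" + RSN_BASE + "c000"))
BEACON_OPEN = beacon(b"")

if __name__ == "__main__":
    for name, b in [("no PMF", BEACON_NO_PMF), ("PMF optional", BEACON_PMF_OPTIONAL),
                    ("PMF required", BEACON_PMF_REQUIRED), ("open", BEACON_OPEN)]:
        print(f"{name:13s} -> {pmf_status(b)}")
```

Only “required” closes the hole for every client: with “optional” a station that does not negotiate protection during association still accepts unprotected de-authentication frames.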

But, from Stefan himself:

I tested it with different Wi-Fi networks and devices, it worked every time! It seems that even newer devices that support frame protection don’t use it by default.


I never support anyone being the cause of a problem for someone else. But we cannot protest against it either, and after all, the vulnerability is immutable.

Stefan also made a library for detecting de-authentication attacks in progress – find it here.
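Detection logic of the kind such a tool performs, as an added example written for this page rather than Stefan’s code: count unprotected de-authentication and disassociation frames per BSSID in a sliding time window and raise an alert once the rate exceeds a threshold. The capture, the BSSIDs, the window and the threshold are constructed assumptions; frames with the Protected Frame bit set are skipped because a forger without the session keys cannot produce a valid MIC for them, so only the unprotected ones can be spoofed.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA
PROTECTED_BIT = 0x4000   # flags bit 6 of the little-endian frame control word


def deauth_like(frame: bytes):
    """Return (subtype, protected, bssid) for a deauth/disassoc management frame, else None."""
    if len(frame) < 26:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:            # only type 0 (management) frames
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (DEAUTH, DISASSOC):
        return None
    return subtype, bool(fc & PROTECTED_BIT), frame[16:22]   # addr3 is the BSSID


class DeauthDetector:
    def __init__(self, window_s: float = 1.0, threshold: int = 10):
        self.window, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)   # bssid -> timestamps of unprotected deauth/disassoc
        self.alerted = set()

    def feed(self, ts: float, frame: bytes):
        """Feed one frame; return an alert string the first time a BSSID crosses the threshold."""
        hit = deauth_like(frame)
        if hit is None:
            return None
        _subtype, protected, bssid = hit
        if protected:
            return None                  # carries a MIC under the PTK/GTK; not forgeable without keys
        q = self.seen[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            return (f"deauth flood: {len(q)} unprotected deauth/disassoc frames for BSSID "
                    f"{bssid.hex(':')} within {self.window}s")
        return None


# ---- constructed sample capture (timestamp, raw frame); not real traffic ----
BSSID_HOME = bytes.fromhex("021122334455")
BSSID_CAFE = bytes.fromhex("02aabbccddee")
BCAST = b"\xff" * 6


def raw_deauth(dst: bytes, src: bytes, bssid: bytes, seq: int, protected: bool = False) -> bytes:
    fc = 0x00C0 | (PROTECTED_BIT if protected else 0)
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, (seq & 0xFFF) << 4) + struct.pack("<H", 7)


def sample_capture():
    cap = [
        # one legitimate deauth from the home AP at t=0 (a station roamed away)
        (0.0, raw_deauth(bytes.fromhex("02aaaaaaaaaa"), BSSID_HOME, BSSID_HOME, 17)),
        # a data frame (type 2) that the detector must ignore
        (0.5, b"\x08\x01" + b"\x00" * 22 + b"\x00" * 8),
    ]
    # a few protected deauths from a PMF network: visible, but not counted
    for i in range(5):
        cap.append((1.0 + i * 0.01, raw_deauth(BCAST, BSSID_CAFE, BSSID_CAFE, i, protected=True)))
    # the flood: 60 unprotected broadcast deauths "from" the home BSSID within 0.3 s
    for i in range(60):
        cap.append((5.0 + i * 0.005, raw_deauth(BCAST, BSSID_HOME, BSSID_HOME, i)))
    return cap


def run(capture, window_s: float = 1.0, threshold: int = 10):
    """Replay a capture through the detector and return the alerts raised."""
    det = DeauthDetector(window_s, threshold)
    alerts = []
    for ts, frame in sorted(capture, key=lambda x: x[0]):
        a = det.feed(ts, frame)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for line in run(sample_capture()):
        print(line)
```

The single legitimate deauth at t=0 never trips the detector, the protected frames are ignored, and one alert fires for the home BSSID when the tenth unprotected frame arrives inside the one-second window. A production detector would also watch sequence numbers and reason codes, but the rate check alone separates a roaming client from a $5 deauther.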
