
Securing Wi-Fi 6 Connection Establishment Against Relay and Spoofing Threats

Naureen Hoque, Hanif Rahbari

TL;DR

This work addresses pre-authentication vulnerabilities in Wi‑Fi CE by introducing a backward-compatible scheme that interleaves cryptographic signature slices within PHY preambles under tight time constraints, enabling concurrent CE verification across multiple APs. The asymmetric scheme uses a single per-AP signature distributed across CE frames, with channel/sequence binding and time-bounded checks to detect relay and spoof attacks, while supporting roaming and extra EAP frames. Extensive real‑world experiments with 802.11ax devices and a USRP relay, plus formal verification (Symbolic Model Checking and ProVerif), show high relay-detection accuracy (∼97–100%), near-zero CE overhead (≈2.2%), and robust PHY-layer frame-type discrimination, validating practicality and security. The approach significantly strengthens the CE phase against multi‑channel MitM, preamble spoofing, and relay threats, with scalable applicability to enterprise and public WLANs.

Abstract

Wireless local area networks remain vulnerable to attacks initiated during the connection establishment (CE) phase. Current Wi-Fi security protocols fail to fully mitigate attacks like man-in-the-middle, preamble spoofing, and relaying. To fortify the CE phase, in this paper we design a backward-compatible scheme using a digital signature interwoven into the preambles at the physical (PHY) layer with time constraints to effectively counter those attacks. This approach slices a MAC-layer signature and embeds the slices within CE frame preambles without extending frame size, allowing one or multiple stations to concurrently verify their respective APs' transmissions. The concurrent CEs are supported by enabling the stations to analyze the consistent patterns of PHY-layer headers and identify whether the received frames are the anticipated ones from the expected APs, achieving 100% accuracy without needing to examine their MAC-layer headers. Additionally, we design and implement a fast relay attack to challenge our proposed defense and determine its effectiveness. We extend existing open-source tools to support IEEE 802.11ax to evaluate the effectiveness and practicality of our proposed scheme in a testbed consisting of USRPs, commercial APs, and Wi-Fi devices, and we show that our relay attack detection achieves 96-100% true positive rates. Finally, end-to-end formal security analyses confirm the security and correctness of the proposed solution.
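To make the mechanism in the abstract concrete, here is an added Python simulation (not code from the paper or its authors) of an AP spreading one per-exchange tag across the preambles of its CE frames and a station reassembling it. Assumptions: HMAC-SHA256 stands in for the paper's per-AP asymmetric signature, the tag is bound to the channel and the first sequence number, and the round-trip bound `RTT_MAX_US`, the four-frame exchange and the timings are constructed values.

```python
import hashlib
import hmac

RTT_MAX_US = 250  # constructed: max request->response delay a station accepts

def ap_sign(key, channel, seq0, payloads):
    # One tag per CE exchange, bound to channel and first sequence number.
    # HMAC is a stand-in for the paper's per-AP asymmetric signature.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(bytes([channel]) + seq0.to_bytes(2, "big"))
    for p in payloads:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def slice_signature(sig, n):
    # Split the tag into n near-equal slices, one per CE frame preamble.
    step = -(-len(sig) // n)
    return [sig[i * step:(i + 1) * step] for i in range(n)]

def ap_build_frames(key, channel, seq0, payloads):
    # Each frame carries (preamble slice, channel, seq, MAC payload).
    slices = slice_signature(ap_sign(key, channel, seq0, payloads), len(payloads))
    return [(s, channel, seq0 + i, p) for i, (s, p) in enumerate(zip(slices, payloads))]

def station_verify(key, frames, request_us, response_us, channel):
    # Accept only if every frame is on the expected channel, in sequence,
    # within the time bound, and the reassembled tag verifies.
    seq0 = frames[0][2]
    slices, payloads = [], []
    for i, (frame, t_req, t_rx) in enumerate(zip(frames, request_us, response_us)):
        sl, ch, seq, payload = frame
        if ch != channel or seq != seq0 + i:
            return False              # wrong channel or out of order
        if t_rx - t_req > RTT_MAX_US:
            return False              # too slow: consistent with a relay
        slices.append(sl)
        payloads.append(payload)
    return hmac.compare_digest(b"".join(slices), ap_sign(key, channel, seq0, payloads))

# constructed scenario: four CE frames from the AP on channel 36
KEY = b"ap-demo-key"
PAYLOADS = [b"probe-resp", b"auth-resp", b"assoc-resp", b"eap-req"]
FRAMES = ap_build_frames(KEY, 36, 100, PAYLOADS)
REQ = [0, 2000, 4000, 6000]          # station's own request times (us)

def honest_run():
    return station_verify(KEY, FRAMES, REQ, [t + 120 for t in REQ], 36)

def relayed_run(extra_delay_us=300):  # relay adds forwarding latency
    return station_verify(KEY, FRAMES, REQ, [t + 120 + extra_delay_us for t in REQ], 36)

def cross_channel_run():              # same slices replayed on channel 44
    moved = [(s, 44, q, p) for (s, _, q, p) in FRAMES]
    return station_verify(KEY, moved, REQ, [t + 120 for t in REQ], 44)
```

The relayed run fails on the time bound before the tag is even checked, and the cross-channel run fails because the tag was bound to channel 36.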

Paper Structure (38 sections, 8 figures, 7 tables, 1 algorithm)

Figures (8)

  • Figure 1: Wi-Fi connection establishment (virtual controller and authentication hub are present in Passpoint® networks).
  • Figure 2: Each CE frame from the AP carries one signature slice embedded in the preamble $P_n$.
  • Figure 3: The adversary (relay) tries to establish a rogue AP.
  • Figure 4: SR and BER across different numbers of CE Frames.
  • Figure 5: Relay attack and detection experiment.
  • ...and 3 more figures