Proximoth & Control Frame Attack

Standards and architecture designs build up the systems that surround the world and push the information age forward. Every device produced follows these standards, so devices generally share the same properties even when the branding differs. This similarity brings the opportunity to conquer faraway lands without making the journey. In this article we focus on the Control Frame Attack, a vulnerability in Wi-Fi chips that follow similar standards and end up violating your privacy, and on Proximoth, a tool for analyzing and detecting that vulnerability.

Did you know that your device might tell Oscar whether you are nearby without you even realizing it? Trust in the machine has consequences.

Disclaimer

Proximoth was created for the sake of vulnerability detection and raising awareness of the Control Frame Attack vulnerability, which was discovered by the U.S. Naval Academy. I encourage everyone not to use this tool for any action which can be illegal. I do not take any responsibility for any use which might cause Denial of Service or data loss.

Notion Behind Proximoth

The idea first came to my mind when I wondered whether I could determine that a friend of mine was in a cafe I was passing by. The method had to be undetectable by a normal person, which means they should not even suspect any virus/spyware activity, and it had to require at most a single piece of information about the target, which I must be able to find without making the target suspicious.

One can realize that, with this method being successful, it might lead to scenarios where the target could be an important person. So I thought it would be beneficial to share and spread word of this vulnerability.

Control Frame Attack

What information does the attack require?

  • The global MAC address of the target device’s Wi-Fi chip.

What equipment does the attacker need?

  • A Wi-Fi antenna with packet injection AND packet sniffing capabilities (Monitor Mode).
  • A computer with a Debian-based operating system.

How does the attack process work?

The U.S. Naval Academy states in their article [1] that:

“The result of sending a RTS frame to the global MAC address of a device performing randomization was that the target device responded with a CTS frame.”

RTS and CTS

Wireless protocols ensure that devices do not collide with one another on the communication medium. This is achieved with frames specialized for the task, two of which are RTS and CTS. RTS stands for Request to Send and CTS stands for Clear to Send. When a device wants to send frames over the medium, it asks for availability (RTS); other devices permit the communication by saying that they are not using the medium (CTS). These two frames are responsible for this vulnerability.

[Figure: Control Frame Attack process diagram]

Fake RTS frames contain fraudulent MAC addresses as the transmitter and the target’s global MAC address as the receiver. To get a reply from the target, the threat actor’s Wi-Fi chip must be on the same channel as the target’s Wi-Fi chip. When a device connects to a Wi-Fi network, its wireless chip stays on the same channel as the router; when the device is in passive network search mode, it hops between channels, so listening on one channel for a device that is hopping channels is the correct choice. In the end, the threat actor receives a CTS frame from the target on the channel the threat actor is listening on.

The vulnerability that Proximoth uses is called the Control Frame Attack by the U.S. Naval Academy in their article [1] because RTS and CTS frames belong to the “Control Frames” section of Wi-Fi frames.
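Seen from the defender's side, the exchange described above is visible in a monitor-mode capture: RTS frames addressed to a device from a transmitter that is not its access point, each followed by a CTS addressed back to that transmitter. The following detection sketch is an added example, not code from Proximoth or from the article [1]; it assumes frames begin at the 802.11 header (radiotap header and FCS stripped), and the addresses, `window` and `threshold` values are constructed for illustration.

```python
import struct
from collections import defaultdict

RTS, CTS = 0xB4, 0xC4  # frame-control byte 0: control type, subtype 11 (RTS) / 12 (CTS)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_control(frame):
    """Parse an RTS/CTS frame with radiotap header and FCS already stripped.
    Returns (kind, receiver, transmitter-or-None), or None for other frames."""
    if len(frame) >= 16 and frame[0] == RTS:
        return "RTS", mac(frame[4:10]), mac(frame[10:16])
    if len(frame) >= 10 and frame[0] == CTS:
        return "CTS", mac(frame[4:10]), None  # CTS carries no transmitter address
    return None

def find_probing(capture, watched, known_peers, window=0.001, threshold=3):
    """Return {transmitter: answered_count} for transmitters outside known_peers
    whose RTS to `watched` drew a CTS within `window` seconds >= threshold times."""
    pending, answered = {}, defaultdict(int)
    for ts, frame in capture:
        kind, ra, ta = parse_control(frame) or (None, None, None)
        if kind == "RTS" and ra == watched and ta not in known_peers:
            pending[ta] = ts  # remember when this transmitter last asked
        elif kind == "CTS" and ra in pending:
            # A CTS copies the RTS transmitter into its receiver field.
            if ts - pending.pop(ra) <= window:
                answered[ra] += 1
    return {ta: n for ta, n in answered.items() if n >= threshold}

# --- constructed sample capture (all addresses are made up) ---
def _frame(fc0, *addrs):
    body = b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    return bytes([fc0, 0x00]) + struct.pack("<H", 300) + body

DEVICE, AP = "00:11:22:33:44:55", "02:00:00:00:00:01"
STRANGER, SILENT = "02:aa:bb:cc:dd:ee", "02:12:34:56:78:9a"

def sample_capture():
    cap = [(0.5, _frame(RTS, DEVICE, AP)), (0.5002, _frame(CTS, AP))]
    for i in range(4):  # unknown transmitter answered four times
        t = 1.0 + i * 0.5
        cap += [(t, _frame(RTS, DEVICE, STRANGER)), (t + 0.0003, _frame(CTS, STRANGER))]
    cap.append((4.0, _frame(RTS, DEVICE, SILENT)))  # never answered
    return cap

if __name__ == "__main__":
    print(find_probing(sample_capture(), DEVICE, {AP}))
```

Because the transmitter address in such RTS frames is not a real peer, the useful signal is the repeated answered RTS from an address outside the known set, not the address itself.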

Defense Against The Vulnerability

The U.S. Naval Academy states in their article [1] that:

“…This leads us to believe that RTS/CTS responses are not a function of the OS, but of the underlying IEEE 802.11 chipset. Manufacturers have configured their chipset hardware with default RTS/CTS operation which may not even be accessible to configure at the OS level. If we are correct, this derandomization issue can not be fixed with a simple patch or OS update.”

After using Proximoth myself, I can say that some devices turn off their Wi-Fi chips when you lock their screen. This prevents any CTS response to the threat actor; on the other hand, some devices still send CTS responses even if you lock their screens and turn them off. This variation depends on how the operating system manages the chipset; but once the chipset is on, the CTS responses are inevitable.

According to my research, devices which were released in 2020 or later do not have this vulnerability. Considering that the article [1] was released in 2017, this vulnerability was patched after 3 years. I will continue investigating devices and publish the list of vulnerable devices on the Proximoth GitHub page. You can contribute to this list by sending your findings to me.

Since the vulnerability cannot be patched by operating system updates, a certain solution to this vulnerability is buying a device which was released after 2020. If you are a smartphone user, then turning off Wi-Fi when it is not in use is another option.

Proximoth And Vulnerability Detection

Proximoth is a Wi-Fi tool that replicates the Control Frame Attack to determine whether the subject device is vulnerable.

Tool Features

  • Colorful panel to view analysis information ( +Narrowed mode )
  • Output time/period/signal information to a file
  • Output of all CTS Frames to a pcap file
  • RTS Frame injection speed control
  • Wait until no previously injected RTS frames remain
  • Custom MAC address as fraud address (First 3 pairs are arbitrary)

Source Code/Releases/Usage

You can find the Proximoth GitHub page below.

References

[1] Martin, J., Mayberry, T., Donahue, C., Foppe, L., Brown, L., Riggins, C., … & Brown, D. (2017). A Study of MAC Address Randomization in Mobile Devices and When it Fails. Proc. Priv. Enhancing Technol., 2017(4), 365-383.

https://www.researchgate.net/publication/314361145_A_Study_of_MAC_Address_Randomization_in_Mobile_Devices_and_When_it_Fails

More From TechnicalUserX

Website: https://technicaluserx.wordpress.com/

GitHub: https://github.com/TechnicalUserX