Framing Frames: Bypassing wi-fi encryption by manipulating transmit queues

I swear Mathy Vanhoef has dedicated his life to making my life miserable. Every time he finds these wifi security problems, we get to spend weeks/months integrating and testing vendor patches.

&gt; This exploits a design flaw in hotspot-like networks and allows the attacker to force an access points to encrypt yet to be queued frames using an adversary-chosen key, thereby bypassing Wi-Fi encryption entirely. Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic<p>Interesting approach, that seems to be limited to Hotspots or am I getting this wrong?

For the life of me I don&#x27;t understand either of these:<p>- Why, after so many darn versions of Wi-Fi security standards, we still have attacks that just bypass encryption entirely. How do these not get caught during the design&#x2F;implementation with so many people studying the specs for decades?<p>- Why 99% of end-users should even care about these issues from a security standpoint, given they already have https and such (because the transport is already assumed to be untrusted), and given that people have been connecting to &quot;unsecured&quot; networks for decades now, without the sky falling. Is the added security of each version of WPA even relevant to normal people?

Wireless stuff has some bad times recently - bluetooth keyboard injection: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=38661182">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=38661182</a>

Security-wise, Wi-Fi has always been a steaming heap. And probably always will be.

So if the underlying connection isn&#x27;t encrypted (like https) it essentially became open to anyone of the same network?

I thought we didn&#x27;t rely on WiFi encryption since...long ago? Most hotspots don&#x27;t even have encryption enabled.

It&#x27;s written in the paper that the PoC code has been published. But there is no link anywhere?

Maybe one should note that this was reported 9 month ago: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=35353264">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=35353264</a>

Wi-Fi Alliance: Fixed management frame deauth in WPA3.<p>Also Wi-Fi Alliance: Refactored(-ish) deauth to unprotected power-save bit.

I can&#x27;t quite see how this can be a spec bug...<p>I mean, why would client A be able to change the key used for communicating with client B?<p>Does this rely on some kind of confusion between clients? ie. force a client to disconnect, then the attacker connects using its mac address, and receives all the queued frames?

Source: &quot;Interesting Links&quot; at <a href="https:&#x2F;&#x2F;old.reddit.com&#x2F;r&#x2F;termux&#x2F;comments&#x2F;19573gg&#x2F;encryption_decryption_android_11_operating_system&#x2F;" rel="nofollow">https:&#x2F;&#x2F;old.reddit.com&#x2F;r&#x2F;termux&#x2F;comments&#x2F;19573gg&#x2F;encryption_...</a> (&quot;Encryption, Decryption, Android 11 Operating System, Termux, And proot-distro Using Alpine Linux minirootfs: cryptsetup v2.6.1 And LUKS&quot;, old.reddit.com&#x2F;r&#x2F;termux&#x2F;comments&#x2F;19573gg&#x2F;encryption_decryption_android_11_operating_system&#x2F;).