Association Attacks in IEEE 802.11: Exploiting WiFi Usability Features

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11739)


Association attacks in IEEE 802.11 aim to manipulate wireless clients into associating with a malicious access point, usually by exploiting usability features that are implemented on the network managers of modern operating systems. In this paper we review known association attacks in IEEE 802.11 and we provide a taxonomy to classify them according to the network manager features that each attack exploits. In addition, we analyze the current applicability status of association attacks, by implementing them using the well-known Wifiphisher tool and we review the security posture of modern network managers against known association attacks and their variations. Our results show that association attacks still pose an active threat. In particular, we analyze various strategies that may be implemented by an adversary in order to increase the success rate of association attacks, and we show that even though network managers have hampered the effectiveness of some known attacks (e.g. KARMA), other techniques (e.g. Known Beacons) are still an active threat.



This research has been co-financed by the European Union and Greek national funds through the Operational Program Competitiveness, Entrepreneurship and Innovation, under the call RESEARCH-CREATE-INNOVATE (project code: T1EDK-01958).

This work has been partly supported by the University of Piraeus Research Center.


  1. 1.
  2. 2.
  3. 3.
    Wi-fi protected setup specification version 1.0h. 2006 (2015)Google Scholar
  4. 4.
    Common vulnerability scoring system version 3.1: Specification document (2019).
  5. 5.
    Pwning WiFi networks with bettercap and the PMKID client less attack, February 2019.
  6. 6.
    Cassola, A., Robertson, W., Kirda, E., Noubir, G.: A practical, targeted, and stealthy attack against WPA enterprise authentication. In: NDSS Symposium 2013, June 2013.
  7. 7.
    Altaweel, A., Stoleru, R., Gu, G.: EvilDirect: A new Wi-Fi direct hijacking attack and countermeasures. In: 2017 26th International Conference on Computer Communication and Networks (ICCCN), pp. 1–11, July 2017.
  8. 8.
    Dagelić, A., Perković, T., Vujatović, B., Čagalj, M.: SSID oracle attack on undisclosed Wi-Fi preferred network lists. Wirel. Commun. Mob. Comput. 2018, 15 p. (2018). Article ID 5153265
  9. 9.
    Barbera, M.V., Epasto, A., Mei, A., Perta, V.C., Stefa, J.: Signals from the crowd: uncovering social relationships through smartphone probes. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 265–276. ACM (2013)Google Scholar
  10. 10.
    Camps-Mur, D., Garcia-Saavedra, A., Serrano, P.: Device-to-device communications with Wi-Fi direct: overview and experimentation. IEEE Wirel. Commun. 20(3), 96–104 (2013). Scholar
  11. 11.
    Chatzisofroniou, G.: Efficient Wi-Fi phishing attacks. Tripwire blog (2017)Google Scholar
  12. 12.
    Chatzisofroniou, G.: Introducing wifiphisher. In: BSidesLondon 2015 (2017)Google Scholar
  13. 13.
    Chatzisofroniou, G.: Lure10: Exploiting windows automatic wireless association algorithm. In: HITBSecConf 2017 (2017)Google Scholar
  14. 14.
    Chatzisofroniou, G.: Known beacons attack. CENSUS S.A. blog (2018)Google Scholar
  15. 15.
    Dai Zovi, D.A., Macaulay, S.A.: Attacking automatic wireless network selection. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, pp. 365–372, June 2005.
  16. 16.
    Group, I.W.: Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: higher-speed physical layer in the 5 GHZ band. In: IEEE Std 802.11 (1999).
  17. 17.
    Hurley, C.: WarDriving: Drive, Detect, Defend: A Guide to Wireless Security (2004)Google Scholar
  18. 18.
    Jana, S., Kasera, S.K.: On fast and accurate detection of unauthorized wireless access points using clock skews. IEEE Trans. Mob. Comput. 9(3), 449–462 (2010). Scholar
  19. 19.
    Nobles, P.: Vulnerability of IEEE802.11 WLANs to MAC layer dos attacks. In: IET Conference Proceedings, pp. 14–14(1), January 2004.
  20. 20.
    Nussel, L.: The evil twin problem with WPA2-enterprise. SUSE Linux Products GmbH (2010)Google Scholar
  21. 21.
    Roth, V., Polak, W., Rieffel, E., Turner, T.: Simple and effective defense against evil twin access points. In: Proceedings of the First ACM Conference on Wireless Network Security, pp. 220–235. ACM (2008)Google Scholar
  22. 22.
    SensePost: Manna from heaven. DEF CON 22 (2015)Google Scholar
  23. 23.
    Tippenhauer, N.O., Rasmussen, K.B., Pöpper, C., Capkun, S.: iPhone and iPod location spoofing: Attacks on public WLAN-based positioning systems. Technical report/ETH Zürich, Department of Computer Science 599 (2012)Google Scholar
  24. 24.
    Vanhoef, M.: Windows 10 lock screen: abusing the network UI for backdoors (and how to disable it). Mathy Vanhoef blog (2017)Google Scholar
  25. 25.
    Vanhoef, M., Piessens, F.: Advanced Wi-Fi attacks using commodity hardware. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 256–265. ACM, New York (2014).
  26. 26.
    Vanhoef, M., Piessens, F.: Key reinstallation attacks: forcing nonce reuse in WPA2. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1313–1328. ACM, New York (2017).
  27. 27.
    Venkataraman, A., Beyah, R.: Rogue access point detection using innate characteristics of the 802.11 MAC. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 394–416. Springer, Heidelberg (2009). Scholar
  28. 28.
    Viehbck, S.: Wi-Fi protected setup online pin brute force vulnerability (2011)Google Scholar
  29. 29.
    Yang, C., Song, Y., Gu, G.: Active user-side evil twin access point detection using statistical techniques. IEEE Trans. Inf. Forensics Secur. 7(5), 1638–1651 (2012)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. 1.SecLab, Department of InformaticsUniversity of PiraeusPireasGreece

Personalised recommendations