How to Counter Hotel WiFi Deassociation Attacks

Recently the FCC made it crystal clear that Deassociation Attacks by hotel Wi-Fi installations to force their 'guests' using the hotel's Wi-Fi instead of tethering their equipment to their smartphones and tablets is illegal. That only applies to the US, of course, and despite it being a very effective move to aggravate customers it doesn't mean nobody else will be trying to use it in the future. But it turns out, there's an effective countermeasure against this, at least in the foreseeable future.

The attack vector used by such Wi-Fi installations is to send De-association management frames to devices connected to a hotspot other than that of a local venue. Unlike data frames which are encrypted and thus can't be forged, Wi-Fi management frames are sent in the clear and can thus be sent by anyone. To mitigate rogue de-associations and other attack vectors the 802.11w amendment to the Wi-Fi standard describes a way to also protect management frames which effectively counters such attacks.

There are many amendments to the Wi-Fi standards that have never been implemented and for a long time it looked like this was yet another one. But since July 2014 the Wi-Fi Association requires implementation of the protected management frames amendment in its Wi-Fi certification scheme when a device supports 802.11ac, the latest super high speed transmission mode as reported here, here and here. That's good news as this certification is required for the Wi-Fi logo on the sales packaging and as a precondition by many companies (such as mobile network operators) to sell a Wi-Fi capable device. Also, a growing number of access points and devices such as notebooks, smartphones and tablets support 802.11ac today and even more will do so in the future.

PmfI ran a quick trace of all access points in the neighborhood but didn't find any indication of the feature being supported in their beacon frames. As described here in detail and shown in the screenshot on the left there are two bits towards the end of the beacon frame that indicate to devices whether PMF (protected management frames) are supported or not. These indicator bits are also sent by devices during connection establishment so it's easy to find out if a device supports PMF. One source claimed that the Samsung S5 already supported it but when I traced the connection establishment both bits were set to 0. So at least my S5 does not or doesn't want to indicate this capability to an access point that itself doesn't support it. The result is perhaps a bit disappointing but not really surprising as the new rule just came into effect half a year ago. So I will have to get hold of devices certified after that date. I'll keep you posted.

The article linked above remarks that PMF counters all management frame attacks observed so far. One thing it can't protect against are attacks with Ready To Send / Clear To Send frames that include long reservation times for transmissions (up to 32 milliseconds). The good thing is, however, that such frames are not network specific and thus would not only slow down an attacked network but also the hotel Wi-Fi itself on the same channel. In other words this is no caveat for hotels that have a special treat for their customers…

2 thoughts on “How to Counter Hotel WiFi Deassociation Attacks”

  1. Hi Martin,

    Is there any other way to prevent hotels from blocking personal hotspots? IMHO Wi-Fi ac is still far away from being included in mid-range & budget handsets which means only a tiny fraction of the people using the latest handsets will benefit from it.

Comments are closed.