Protected Management Frames enhance Wi-Fi® network security

Have you ever asked yourself if very long and complex passwords are sufficient to secure your personal Wi-Fi^® network? Or if enterprise networks with 802.1X authentication can be enhanced any further? In both cases, the security of the network can be improved by the use of Protected Management Frames.

Wi-Fi uses three different frame categories: Management, Control, and Data. Management frames such as authentication, de-authentication, association, disassociation, beacons, and probes frames are used by wireless clients to find and connect to the right Wi-Fi network and manage the client connection after a successful association. Without the Protected Management Frames feature, all management frames are sent unprotected in the open. Transmitting open frames make connections vulnerable to attack. Protected Management Frames is a feature currently included in several Wi-Fi CERTIFIED™ programs that, when enabled, provides integrity protection for both unicast and broadcast management frames, and also encrypts unicast management frames in the same way as data to provide confidentiality.  Based on the IEEE 802.11w amendment, Protected Management Frames utilizes the Security Association teardown protection mechanism already in place for encrypted data frames and therefore improves the resiliency of a Wi-Fi network.

Defense mechanisms enabled through Protected Management Frames

Protected Management Frames are designed to prohibit attacks such as disconnect, honeypot, and evil twin attacks.  Device vendors should ensure Protected Management Frames are activated automatically.

Disconnect Attacks

One of the most prominent attacks on Wi-Fi networks are injected De-authentication/Disassociation frames to disconnect a client or even multiple clients from the network. As long as an attacker is able to retrieve the MAC address of an Access Point (AP) and the Basic Service Set Identifier (BSSID) of a network, the attacker can spoof the AP and send out broadcast management frames to tell all clients that the AP will terminate their connection. With the additional information of a MAC address of a connected client, the attacker can terminate the specific client connection.

Since MAC addresses and BSSIDs can be obtained easily by sniffing packets on a Wi-Fi channel, this attack is (with Protected Management Frames disabled or not available) easy to execute. Some tools even offer automated ways to terminate active connections in range of the attack tool, and so make it easy to perform a Denial of Service (DoS) attack. From an end-user perspective, this results in an unstable connection or no connection at all, and might also cause the client to blacklist the spoofed AP (or the whole network) for an extended period.

In addition to a DoS attack, this approach can also be used to facilitate other types of attacks on a network. For example, while WPA3-Personal already incorporates Protected Management Frames and provides resistance against offline dictionary attacks on the passphrase, many deployments and devices still rely on WPA2-Personal. Against those networks and devices, disconnect attacks can be used to speed up offline dictionary attacks. The attack is performed for just a short period of time, interrupting the connection and forcing the clients to reconnect to the network. The attacker can then capture the authentication frames exchanged during the forced reconnections to execute a dictionary attack on the passphrase.

Protected Management Frames enforces the encryption of frames for disconnection, which enables APs and clients to detect forged disconnect frames and ignore them. Furthermore, if an AP reports the detection of attempted forged frames to a network monitoring tool, the network operator can be notified to quickly expose the attacker.

Honeypot and Evil Twin Attacks
For open (unauthenticated) networks, a more sophisticated attack involves the use of a so-called honeypot or evil twin AP that is operated by an attacker. For this attack scenario, the client(s) are manipulated to move away from the AP they are currently connected to and instead join the attacker’s honeypot. One way to achieve this is to send out forged Channel Switch Announcement directed to a client, with the operating channel of the honeypot announced in the body of the frame. The client will then try to look for an AP on the announced channel and might join the honeypot as it announces the same network as the valid APs. Another possible way is to forge BSS Transition Management Requests with the honeypot as the new connection target. In both cases, the attacker can become a so-called Man-in-the-middle, which allows him or her to decrypt/read and manipulate data transferred between the client and the network.

In the same way as for the disconnect attacks, Protected Management Frames enforce the encryption of management frames like Channel Switch Announcements and BSS Transition Management Requests, which enables APs and clients to detect, report, and ignore forged frames. This way clients stay connected to the desired APs.

To leverage Protected Management Frames, both the AP and the client need to be capable of using it and it must be activated for each encrypted Wi-Fi network of the AP. If that is the case, Protected Management Frames are automatically invoked during client association. No end-user interaction is required and from then on, management frames dealing with the client connection are encrypted.

Market adoption

Thanks to Wi-Fi Alliance making this feature a prerequisite for a broad range of certifications, mainstream devices of today support Protected Management Frames. It is a fundamental component and therefore required to always be used for Wi-Fi CERTIFIED WPA3™ and Wi-Fi CERTIFIED Enhanced Open™ networks. As of July 2020, WPA3™ will be mandatory for all Wi-Fi CERTIFIED devices. At this time, all certified devices will also support Protected Management Frames, including devices equipped with Wi-Fi CERTIFIED 6™, Wi-Fi CERTIFIED™ ac, Wi-Fi CERTIFIED Passpoint®, Wi-Fi CERTIFIED Agile Multiband™ and Wi-Fi CERTIFIED Optimized Connectivity™.

Configuration Options

Three different configuration options exist for Protected Management Frames. They are listed and explained in detail below:

• Disable: Disables PMF for a network. It is not recommended to use this setting, only in case non-PMF-capable clients experience connection issues with the “Capable” option.
• Capable: This should be the default option for an encrypted Wi-Fi network based on WPA2. By selecting this option, both types of clients, capable of PMF or not, can connect to the network. Clients capable of PMF will negotiate it with the AP.
• Mandatory: Only PMF-capable clients can connect to the network, which makes this the safest option. WPA3-Personal only mode and WPA3-Enterprise with 192-bit security mode activate this option as default.

Solving another piece of the security puzzle

Protected Management Frames are another piece to the puzzle of a secure Wi-Fi network. They can prevent most of the attacks of today to disconnect clients or steer them to APs under an attacker’s control. Vendors need to make sure that devices, especially those certified for the Wi-Fi Alliance programs mentioned above, activate Protected Management Frames automatically. Network operators and end-users should look out for Wi-Fi CERTIFIED products to ensure Protected Management Frames are supported. Particularly network operators should ensure that Protected Management Frames are enabled on their networks as implementations are mature these days. By deploying Protected Management Frames, we can get rid of simple and well-known disconnect and steering attacks through modern, secure Wi-Fi networks.