Research area: Networking
Venue: 2025 IEEE 10th European Symposium on Security and Privacy (EuroS&P)
To combat eavesdropping and injection attacks, wireless networks widely adopt encryption to provide confidentiality and integrity guarantees. In this paper, we present a novel and generic attack, termed LenOracle, which can hijack TCP/UDP connections over encrypted wireless networks (e.g., 5G/4G/3G and Wi-Fi) via packet injections from the Internet. Due to the design of wireless networks and the stream ciphers they use, the length of the IP packets being transmitted can be acquired by radio sniffing, which provides a side channel for adversaries. We found that adversaries could combine this side channel with TCP features to infer the presence of a connection, infer the protocol state (sequence number, acknowledgment number) of the connection, and finally hijack TCP/IP connections over wireless networks. Through real-world experiments in commercial LTE networks and real Wi-Fi networks, we demonstrated that the LenOracle attack is practical and severe against both TCP and UDP connections. For the former, we successfully injected a fake short message into a victim TCP connection; for the latter, we were able to inject a fake DNS response into a UDP connection and poison the DNS cache of the victim device. Following the responsible disclosure policy, we have reported our findings and mitigation recommendations to GSMA and the Wi-Fi Alliance. The GSMA acknowledged that the issue affects 5G/4G/3G, notified all its members (operators and vendors worldwide) of the issue, and highlighted the mitigation we proposed.
| Publication year | 2025 |
|---|---|
| Citations | 5 |
| Publication country | |
| Site | IEEE |