Security: domienschepers/wifi-ftm

SECURITY.md

Wi-Fi FTM Security and Privacy

Our research uncovered a variety of vulnerabilities and weaknesses that compromise the security and privacy of Wi-Fi FTM.

Because Wi-Fi FTM frames are sent unprotected and before any authentication takes place, all vulnerabilities can be exploited remotely and pre-authentication.

Please note that all findings were disclosed to their respective vendors and are published only after a disclosure period of at least 90 days.

Initiating Stations

We identified the following characteristics and weaknesses in initiating stations.

| Wi-Fi Card | Firmware | Range [1] | Terminate [2] | PHY-Verif. [3] | Delta Verif. [4] | Retrans. [5] |
|---|---|---|---|---|---|---|
| Broadcom BCM4375B1 | Unknown | [0,+300] | Yes | No | Yes | Unknown |
| Qualcomm WCN3990 | Unknown | [-22.5,+∞] | Yes | No | No | Yes |
| Qualcomm QCA6390 | Unknown | [-22.5,+∞] | Yes | No | No | Yes |
| Intel AC-8260 | Version 31 | [-∞,+∞] | Yes | No | No | Yes |
| Intel AC-8260 | Version 36 | [-10,+100] | Yes | No | No | Unknown |
| Intel AC-8265 | Version 34, 36 | [-10,+100] | Yes | No | No | Unknown |
| Intel AX-200 | Version 53 | [0,+∞] | Yes | No | No | Yes |
| Intel AX-200 | Version 55 | [-∞,+∞] | Yes | No | No | Yes |
| Intel AX-200 | Version 57, 58, 59 | [0,+100] | Yes | No | Yes | Unknown |
| Intel AX-210 | Version 62, 63, 66-68, 71, 73 | [-∞,+∞] | Yes | No | Yes | Yes |

[1] Receiver accepts distance measurements within these bounds (in metres); otherwise it reports a failed measurement session.

[2] Receiver accepts frames terminating the measurement session.

[3] Receiver rejects frames transmitted under unexpected physical-layer parameters.

[4] Receiver accepts frames only within the expected Min Delta FTM window; otherwise it does not transmit an acknowledgement.

[5] Receiver accepts retransmissions and improperly manages timestamps.

Responding Stations

We identified the following vulnerabilities in responding stations.

| Wi-Fi Card | Firmware | Wi-Fi FTM Resource Exhaust [1] | Denial-of-Service [2] |
|---|---|---|---|
| Qualcomm IPQ4018 | Unknown | After 16 Open Sessions | Force AP Reboot |
| Qualcomm IPQ4019 | Unknown | After 16 Open Sessions | Crash 5 GHz Band |
| Qualcomm QCS404 | Unknown | After 16 Open Sessions | Crash 5 GHz Band |
| Intel AC-8260 | Version 31, 36 | After 32 Open Sessions | No |
| Intel AC-8265 | Version 34, 36 | After 32 Open Sessions | No |
| Intel AX-200 | Version 53, 55 | After 32 Open Sessions | No |
| Intel AX-200 | Version 57, 58, 59 | After 10 Open Sessions | No |
| Intel AX-210 | Version 62, 63, 66-68, 71, 73 | After 10 Open Sessions | No |

[1] Number of concurrently open sessions after which the responder's Wi-Fi FTM resources are exhausted, resulting in a Denial-of-Service for further FTM sessions.

[2] Denial-of-Service that crashes the entire AP or the targeted frequency band.

Notes

  • For Qualcomm systems, the resource exhaust lasts indefinitely and requires a manual reboot.
  • For Intel systems, the resource exhaust lasts half a minute, and a full minute for firmware Version 57 onwards.
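The open-session limits in the responder table are also useful on the defensive side: an AP that sees its open FTM session count approach the documented limit is either under unusually heavy ranging load or being deliberately exhausted. The following monitor is an added example (not code from the wifi-ftm repository) that tracks open sessions per responder from a log of FTM events and escalates as the count nears the limit. The log line format (`<timestamp> <responder> <event> <initiator_mac>`), the AP inventory, and the `ap-lobby`/`ap-lab` names are assumptions for the example; the limits themselves are the values from the table above.

```python
"""Detect Wi-Fi FTM resource-exhaustion attempts against responding stations.

Added example, not code from the wifi-ftm repository. It counts the open FTM
sessions per responder (distinct initiator MACs whose session has not been
completed or terminated) and escalates when the count approaches or reaches
the open-session limit documented in the responder table above.
"""
from collections import defaultdict

# Open-session limits from the responder table above, keyed by chip and firmware.
SESSION_LIMITS = {
    "qualcomm-ipq4018": 16,
    "qualcomm-ipq4019": 16,
    "qualcomm-qcs404": 16,
    "intel-ax200-fw55": 32,
    "intel-ax200-fw59": 10,
    "intel-ax210-fw73": 10,
}

# Assumed inventory: which chip/firmware each monitored AP runs (hypothetical AP names).
INVENTORY = {"ap-lobby": "qualcomm-ipq4019", "ap-lab": "intel-ax200-fw59"}

LEVELS = ("ok", "warning", "exhausted")


def parse_line(line):
    """Parse one log line in the assumed format '<ts> <responder> <event> <initiator_mac>'."""
    ts, responder, event, initiator = line.split()
    return int(ts), responder, event, initiator.lower()


def session_level(count, limit, warn_fraction):
    """0 = ok, 1 = warning (count at or above warn_fraction of the limit), 2 = exhausted."""
    if count >= limit:
        return 2
    if count >= warn_fraction * limit:
        return 1
    return 0


def scan(lines, inventory=INVENTORY, limits=SESSION_LIMITS, warn_fraction=0.75):
    """Return (ts, responder, level, open_count) tuples, one per upward level transition."""
    open_sessions = defaultdict(set)  # responder -> initiator MACs with an open session
    last_level = defaultdict(int)     # responder -> level after the previous line
    alerts = []
    for line in lines:
        ts, responder, event, initiator = parse_line(line)
        sessions = open_sessions[responder]
        if event == "FTM_REQUEST":
            sessions.add(initiator)
        elif event in ("FTM_COMPLETE", "FTM_TERMINATE"):
            sessions.discard(initiator)
        else:
            continue  # other frame types do not change session state
        limit = limits.get(inventory.get(responder))
        if limit is None:
            continue  # responder not in inventory: no known limit to compare against
        level = session_level(len(sessions), limit, warn_fraction)
        if level > last_level[responder]:
            alerts.append((ts, responder, LEVELS[level], len(sessions)))
        last_level[responder] = level
    return alerts


# Constructed sample: 16 requests from distinct initiator MACs reach the IPQ4019
# limit on ap-lobby, while one ordinary session on ap-lab opens and completes.
SAMPLE_LINES = [f"{1000 + i} ap-lobby FTM_REQUEST 02:00:00:00:00:{i:02x}" for i in range(16)]
SAMPLE_LINES += [
    "2000 ap-lab FTM_REQUEST aa:bb:cc:dd:ee:01",
    "2005 ap-lab FTM_COMPLETE aa:bb:cc:dd:ee:01",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Counting distinct initiator MACs rather than requests matters because each open session occupies a responder slot whether or not the requesting address belongs to a real device. Per the notes above, Intel responders free their slots after 30 to 60 seconds, so a production monitor would additionally expire sessions by age instead of waiting for an explicit completion or termination event.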

Miscellaneous

We identified an issue in the Linux kernel, which incorrectly buffered Wi-Fi FTM frames when a station was in power-save mode.

This issue has been fixed since Linux kernel 6.4-rc1 in the following commit:

For more details, refer to our research paper in Section 4.2 (pdf, repository).

Common Vulnerabilities and Exposures (CVE) Identifiers

Our research uncovered a variety of vulnerabilities, which were assigned the following CVE Identifiers.

| CVE Identifier | Description |
|---|---|
| CVE-2020-11270 | Possible denial of service due to RTT responder consistently rejects all FTMR by transmitting FTM1 with failure status in the FTM parameter IE. |
| CVE-2020-11280 | Denial of service while processing fine timing measurement request (FTMR) frame with reserved bits set in the FTM parameter IE due to improper error handling. |
| CVE-2020-11281 | Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. |
| CVE-2020-11287 | Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. |
| CVE-2021-0053 | Improper initialization in firmware for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi in Windows 10 may allow an authenticated user to potentially enable information disclosure via adjacent access. |