In this paper, we unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. Despite the various security mechanisms (e.g., WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals that an off-path attacker can still extract sufficient information from the frame size side channel to hijack the victim's TCP connection. Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes. By observing the size of the victim's encrypted frames, the attacker can detect and hijack the victim's TCP connections. We validate the effectiveness of this side channel attack through two case studies, i.e., SSH DoS and web traffic manipulation. Specifically, our attack can terminate the victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds. Furthermore, we conduct extensive measurements to evaluate the impact of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers from 9 well-known vendors, and none of these routers can protect victims from our attack. In addition, we implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) of the evaluated Wi-Fi networks. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address this issue.
Translation: This paper reveals a fundamental side channel in Wi-Fi networks, the observable frame size, which an attacker can exploit to carry out TCP hijacking attacks. Although Wi-Fi networks deploy a variety of security mechanisms (such as WEP and WPA2/WPA3), our study shows that an off-path attacker can still extract enough information from the frame size side channel to hijack the victim's TCP connection. The side channel attack rests on two important findings: (i) the response packets generated by the TCP receiver (such as ACK and RST) differ in size; (ii) the encrypted frames carrying these response packets have stable and distinguishable sizes. By observing the size of the victim's encrypted frames, the attacker can detect and hijack the victim's TCP connections. We validate the effectiveness of this side channel attack through two case studies (an SSH denial-of-service attack and web traffic tampering). Specifically, our attack can terminate the victim's SSH session within 19 seconds and inject malicious data into the victim's web traffic within 28 seconds. In addition, we evaluate the impact of the attack on real-world Wi-Fi networks through large-scale measurements. The tests cover 30 mainstream wireless routers from 9 well-known vendors, and none of these devices can defend against the attack. We carried out the attack in 80 real-world Wi-Fi networks, and the TCP connections in 75 of them (93.75%) were successfully hijacked. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address the issue.