This paper reveals a fundamental Wi-Fi side-channel attack that exploits observable frame sizes. Attackers can hijack TCP connections by observing the sizes of encrypted frames. A TCP receiver's response packets, such as ACKs and RSTs, vary in size, and once encrypted they still produce consistently distinguishable frame sizes that an attacker can monitor. By analyzing these sizes, an attacker can detect and subsequently hijack a victim's TCP connection. The attack terminated SSH sessions in 19 seconds and injected malicious web traffic within 28 seconds. None of the 30 popular wireless routers from 9 vendors that were tested offered protection against this attack, and it succeeded in 93.75% of the 80 real-world Wi-Fi networks tested. The vulnerability has been responsibly disclosed to the Wi-Fi Alliance, and mitigation strategies have been proposed. This research was presented at the NDSS Symposium 2025.
