Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack

Ziqiang Wang

Network and Distributed System Security (NDSS) Symposium 2025 · Day 1 · WiFi and Bluetooth Security

This talk, presented by Ziqiang Wang (representing a collaborative effort from Tsinghua University, George Mason University, and Southeast University), unveils a critical vulnerability in modern Wi-Fi networks: an **off-path TCP hijacking attack** leveraging a novel **packet-size side channel**. The research demonstrates how an attacker, merely by being connected to the same Wi-Fi network as a victim, can infer sensitive TCP connection parameters even when Wi-Fi frames are encrypted with WPA2 or WPA3. This allows the attacker to either terminate active TCP connections (a denial-of-service attack) or inject malicious data into unencrypted TCP streams.
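To make the size leak concrete, the following is an added model (not code from the talk or its authors) of how TCP option state changes the length of an encrypted Wi-Fi frame, and how padding frames to a fixed bucket removes the difference. The header sizes, CCMP overhead, and the assumption that a bare RST carries no TCP options while a challenge ACK carries a timestamp option are mine, not taken from the paper; only lengths are modelled, no packets are built.

```python
# Constructed model of the packet-size side channel and of one countermeasure
# (padding every frame up to a fixed size bucket). Assumptions, not from the talk:
# IPv4 and TCP headers without IP options, a 24-byte 802.11 data header, an 8-byte
# LLC/SNAP header, CCMP encryption (8-byte header + 8-byte MIC) and a 4-byte FCS.

IP_HDR = 20
TCP_HDR = 20
LLC_SNAP = 8
DOT11_HDR = 24
CCMP_OVERHEAD = 16          # 8-byte CCMP header + 8-byte MIC
FCS = 4

TCP_OPTION_LEN = {"nop": 1, "timestamp": 10, "sack_permitted": 2, "mss": 4}


def tcp_options_len(options):
    """Length of the TCP options field, rounded up to a 32-bit boundary."""
    raw = sum(TCP_OPTION_LEN[o] for o in options)
    return (raw + 3) // 4 * 4


def on_air_len(options, payload=0):
    """Length of the encrypted 802.11 frame carrying a TCP segment with these options.

    CCMP adds a constant overhead, so a difference in plaintext length (here the
    TCP options) survives encryption and is visible to anyone sniffing the channel.
    """
    plaintext = LLC_SNAP + IP_HDR + TCP_HDR + tcp_options_len(options) + payload
    return DOT11_HDR + CCMP_OVERHEAD + plaintext + FCS


def pad_to_bucket(length, bucket=128):
    """Countermeasure: round the frame length up so it reveals only a size bucket."""
    return -(-length // bucket) * bucket


# Constructed option sets for the two response types the side channel distinguishes
# (assumption: a bare RST carries no options, a challenge ACK carries timestamps).
RST = []
CHALLENGE_ACK = ["nop", "nop", "timestamp"]


def distinguishable(a_opts, b_opts, pad=None):
    """True if the two responses can be told apart by on-air frame length alone."""
    la, lb = on_air_len(a_opts), on_air_len(b_opts)
    if pad:
        la, lb = pad_to_bucket(la, pad), pad_to_bucket(lb, pad)
    return la != lb


if __name__ == "__main__":
    print("unpadded:", on_air_len(RST), on_air_len(CHALLENGE_ACK))
    print("leaks:", distinguishable(RST, CHALLENGE_ACK),
          "after padding:", distinguishable(RST, CHALLENGE_ACK, pad=128))
```

Padding to a bucket costs airtime and is only one option; the point of the model is that any fixed per-frame encryption overhead leaves plaintext length differences intact, so the fix has to act on the plaintext length itself.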

AI review

Solid, original network security research that identifies a genuinely novel side channel — encrypted Wi-Fi frame sizes leaking TCP option state — and chains it into a practical off-path hijacking primitive. The 74% real-world success rate across 80 networks is not a lab artifact, and the attack's reliance on a subtle but fundamental protocol interaction (Challenge-ACK + TCP options → frame size oracle) gives this legitimate staying power.
