Null Data Frame: A Double-Edged Sword in IEEE 802.11 WLANs

Null data frames are a special but important type of frames in IEEE 802.11 WLANs. They are widely used in 802.11 WLANs for control purposes such as power management, channel scanning, and association keeping alive. The wide applications of null data frames come from their salient features such as lightweight frame format and implementation flexibility. However, such features can be taken advantage of by malicious attackers to launch a variety of attacks on 802.11 WLANs. In this paper, we identify potential security vulnerabilities in current null data frame applications in 802.11 WLANs. We then study two types of attacks taking advantage of these vulnerabilities in detail that are functionality-based Denial-of-Service attack and implementation-based fingerprinting attack. We also evaluate their effectiveness based on extensive experiments. Furthermore, we design and implement novel defense mechanisms against the attacks, and evaluate their effectiveness based on extensive experiments. Although our proposed defenses help alleviate the vulnerabilities, completely eliminating the vulnerabilities brought by null data frames remains an open issue. Finally, we point out that our work has broader impact in that similar vulnerabilities exist in many other networks due to the adoption of simple and lightweight messages for control purpose.