Vulnerabilities Announcement – Bypassing Wi-Fi Encryption by Manipulating Transmit Queues

Peplink has identified vulnerabilities in some of its products related to the manipulation of transmit queues in the 802.11 standards, regarding the Framing Frames research paper. Specifically:

Section 3 – Leaking Frames from the Wi-Fi Queue: Some Peplink models that have Wi-Fi AP function may be vulnerable to leaking frames from the Wi-Fi queue, while others may not. Stay tuned to this post as we will provide a list of affected models.

Section 4 – Abusing the Queue for Network Disruptions: Peplink models are vulnerable to abusing the queue for network disruptions.

Session 5 – Overriding the Victim’s Security Context: For the attack to be successful, the attacker must possess valid network credentials, impeccable timing, and even if the attacker receives frames, they are of minimal value in modern secured networks.

Impact and Severity

The attacker takes advantage of the fact that they can intercept certain data packets intended for the victim, steal their contents and obtain sensitive information by using the same MAC address as the victim. This can be done by disconnecting the victim from the WLAN through a deauthentication attack or logging in at another AP in the network using the victim’s MAC address. In a securely configured network, this attack is considered opportunistic and the information that the attacker can obtain is of minimal value.


To better prevent this attack, we recommend separating trusted and untrusted WLAN clients by using different SSIDs and VLAN networks; enabling the “Management Frame Protection”; and using higher-layer encryption, such as TLS and HTTPS, which can prevent sensitive information from being exposed to attackers.