Preamble Forgery and Injection in Wi-Fi Networks: Attacks and Defenses

Zhengguang Zhang, Marwan Krunz

Research output: Contribution to journal › Article › peer-review

Abstract

In Wi-Fi networks, the preamble plays a crucial role in frame detection, synchronization, and channel estimation. It also ensures compatibility and interoperability across devices that operate different versions of Wi-Fi (e.g., IEEE 802.11a/g/n/ac/ax/be). Despite its significance, the preamble lacks authenticity and confidentiality guarantees, relying solely on weak integrity protection. In this paper, we introduce novel Preamble Injection and Spoofing (PrInS) attacks that exploit these vulnerabilities. Specifically, we show how an adversary can inject forged preambles without payloads to disrupt legitimate receptions or force legitimate users to defer transmissions. We demonstrate the impact of PrInS attacks both via experiments using software-defined radios (SDRs) and via system-level simulations. Our results show that the adversary can almost silence the channel, degrading the throughput of a legitimate user down to 2% of its normal throughput. Even at 30 dB less power than the legitimate signal, the adversary still causes 87% reduction in throughput. Even when the attacker targets only a fraction of legitimate frames, the average packet latency and packet loss rate significantly increase. As a countermeasure, we propose preamble customization and randomization using group keys and timestamps, along with preamble authentication in the receive state machine. Our countermeasure detects forged preambles with nearly 100% accuracy while maintaining low false alarm rates in most scenarios. Most importantly, it remains backward-compatible with existing 802.11 standards and does not impact the synchronization and frame error rates of the Wi-Fi system.

Original language: English (US)
Pages (from-to): 10752-10769
Number of pages: 18
Journal: IEEE Transactions on Mobile Computing
Volume: 23
Issue number: 12
State: Published - 2024
Externally published: Yes

Keywords

  • Denial-of-service
  • Wi-Fi networks
  • forgery attacks
  • physical-layer security
  • spoofing attacks

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Electrical and Electronic Engineering
