
Cracking Wifi With Sleep Mode

--

The concept of queueing in networking devices is well-defined: a busy device may have to store data in a buffer before it can be transmitted.

A more significant need to queue data arises when a device goes to sleep and is expected to return to the state it was in before it slept. For example, a device could put itself to sleep for a short time in order to conserve its battery. If so, the wifi access point is likely to buffer the data that it was going to send to the device for a defined time. Once the device wakes up, the access point can send the data to the device as if it had never gone to sleep. Unfortunately, the data in the buffer will often be unencrypted, and so, if an adversary can remove the encryption keys for a client while it is sleeping, the buffered data could be sent in plaintext. If unencrypted data is sent over the wifi connection, anyone who is associated with the access point can then easily read it in plaintext.

A significant weakness of many wifi systems is that the frame which signals that a device is going into sleep mode is unprotected and can be easily spoofed. This means that an access point can be tricked into believing a device is in sleep mode when the sleep request was actually generated from a spoofed frame sent by an adversary.
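To make the queue behaviour concrete, here is a toy model (an added example, not code from the original post or from any real access point) in which the AP buffers frames for a client it believes is asleep, applies encryption only at transmit time, and has the client's key removed while the frames sit in the queue; the `flush_on_key_removal` switch and the XOR cipher are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Frame:
    payload: bytes
    encrypted: bool  # True when protected with the client's pairwise key

@dataclass
class Client:
    key: Optional[bytes]          # pairwise key; None once the key has been removed
    asleep: bool = False          # the AP's view of the client's power-save state
    queue: List[bytes] = field(default_factory=list)  # buffered plaintext payloads

def encrypt(key: bytes, data: bytes) -> bytes:
    # Stand-in for the per-frame cipher: repeating-key XOR (toy only, not secure).
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class AccessPoint:
    def __init__(self, flush_on_key_removal: bool):
        self.flush_on_key_removal = flush_on_key_removal  # assumed mitigation switch
        self.sent: List[Frame] = []                       # frames that went over the air

    def send(self, client: Client, data: bytes) -> None:
        if client.asleep:
            client.queue.append(data)  # buffered as-is; encryption happens at transmit time
        else:
            self._transmit(client, data)

    def _transmit(self, client: Client, data: bytes) -> None:
        if client.key is None:
            self.sent.append(Frame(data, encrypted=False))  # no key: frame leaves in the clear
        else:
            self.sent.append(Frame(encrypt(client.key, data), encrypted=True))

    def remove_key(self, client: Client) -> None:
        client.key = None
        if self.flush_on_key_removal:
            client.queue.clear()  # hardened: drop frames queued under a key that no longer exists

    def wake(self, client: Client) -> None:
        client.asleep = False
        while client.queue:
            self._transmit(client, client.queue.pop(0))

def scenario(flush_on_key_removal: bool) -> List[Frame]:
    ap, c = AccessPoint(flush_on_key_removal), Client(key=b"k3y")
    c.asleep = True          # the AP believes the client has entered power-save
    ap.send(c, b"secret")    # frame is buffered, not yet encrypted
    ap.remove_key(c)         # the client's key is removed while it sleeps
    ap.wake(c)               # the queue is drained onto the air
    return ap.sent
```

Without the flush, the buffered frame leaves the AP in plaintext after the key is gone; with it, nothing queued under the old key is ever transmitted.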

Framing frames

--


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
