> In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals... When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm... tracking can be done surreptitiously because Wi-Fi signals can penetrate walls, don't require light, and don't offer any visible indicator of their presence.
I...don't await eagerly the time when tinfoil ceases to be the joke it has been for decades, instead being promoted to a solution anybody even remotely interested in their privacy utilizes.
> Honestly I don't see any purely technical solution to this.
For home, chicken wire in the walls and wired networks. A Faraday cage is the simple solution, but unfortunately for this case is unlikely to be in most interior walls in modern buildings.
> Honestly I don't see any purely technical solution to this.
The technical solution is pretty simple: do not use Wi-Fi. I use wired connections for all of the devices in my household. The only non-technical aspect of the solution was an interior design-based one about unobtrusive cable wiring around the house.
Build better walls. Don't try to outlaw people "looking at you", no matter what frequency they use.
I find it equally ridiculous to try to outlaw software radio that might listen to "unapproved" radio bands, or listening to clear-text WiFi, baby monitors and cell phones.
It's almost as stupid as people who would want brain implant computers to implement DRM so people can't record and share their own memory of a movie.
Another analogy would be a country of blind people trying to legislate sighted people wearing blindfolds, because all of their privacy fences have huge holes in them.
A lot of this work has been research of Dina Katabi at MIT, via a function called the Sparse Fourier ("4-E-A") Transform.
I am not excusing the privacy implications, which will be abused to the extreme. However, it will be used also for health reasons, like monitoring respiration, and activity.
> We identify a number of critical issues that need to be addressed in this space... First, individuals should be provided the opportunity to opt out of SENS services – in other words, to avoid being monitored and tracked by the Wi-Fi devices around them.
Bad news, the paper proposes remote human identification by every Wi-Fi device.
> This would require the widespread introduction of reliable SENS algorithm for human or animal identification.
Would opt-in be legally easier than requiring human body scan registration for opt-out of Wi-Fi remote sensing?
Yeah, this tech standard is totally insane, why would I want anyone or anything to be able to scan people and objects inside my house without my knowledge? I’m aware of microphone attacks for keyboard password entry and other methods of surreptitious surveillance, but this is way past a microphone or webcam. I will pay a massive premium to purchase WiFi equipment without this feature.
Unfortunately these will be everywhere, far beyond any existing camera surveillance network.
Can make a lot of interesting products. Lights that turn on or change color when different people enter a room. home security systems that can detect motion. the ability to summon help for people who fall.
I've been looking into this for a while, should be mature enough in a year or so. there are already dozens of companies in this space
Is that some sort of hatch in the pavement? You order something on Prime, and moments later, a slab embossed with Amazons' logo opens, a deliveryperson jumps out and deposits the package into your outstretched arm.
I've rented two houses that used chicken wire to bind the plaster to the lath. You could get a bit of cell service near the windows, but you needed a WAP in each room. Finding studs was a nightmare.
Yes, this kind of shielding in construction is well understood, people concerned about information leakage have been doing it for decades and made the specs public. (Also people suffering from perceived "eletromagnetic hypersensitivity")
Of course, any house totally shielded with a Faraday cage would look extra suspicious and thus receive closer scrutiny. You'd need most of the house to be non-shielded to act as a honeypot while maintaining a small shielded section of the house for "emergencies".
I recently cut a couple holes in my house exterior through stucco. Like a sibling comment, that stucco was secured over some wire mesh. I can't remember how dense the mesh needs to be to block whichever frequencies would be used, but something like that would be commonplace and provide reasonable doubt.
Those are illegal (at least in the US, and likely just about everywhere). Which is bitterly ironic in this case ... spying on people inside their homes using WiFi is "fine", but trying to jam that bullshit is ... illegal.
Anyone aware of a polished application that utilizes this for personal home monitoring? It'd be fantastic to integrate this with Home Assistant[1] in lieu of Zigbee motion sensors.
No, that would require a precision that's probably still decades away. It could be used to grossly place people and large objects, and notice their movement. Sensing voice would require to monitor vibrations in either the person speaking or anything that vibrates with the emitted sound.
Funnily, there are much easier ways to do that, although they require direct line of vision [1]. Another option would be to measure the vibrations on walls (think glass on the wall, but hitech).
Instead of going to such extreme lengths though, it's more sensible to lobby for political change. There is absolutely no legitimate reason this should be introduced as a general standard for all wifi divices. This sort of spying needs to be illegal unless specifically approved in limited cases.
> "It’s important to note that there is presently no evidence of the vulnerabilities being used against Wi-Fi users maliciously and these issues are mitigated through routine device updates once updated firmware becomes available.
> "Like many previous vulnerabilities, FragAttacks has been academically well-researched and responsibly reported in a manner allowing the industry to proactively prepare and begin to roll out updates that fully eliminate the vulnerabilities. This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it. This significantly reduces the likelihood of actual exploitation or attack."
I agree with the industry response here. KRACK was the same thing. The author finds a vulnerability that is absolutely valid (no denying here), easy to exploit in a lab but very hard to exploit in practice. Back in the day, we did test our equipment for KRACK. We concluded that someone had to circumvent all our physical security barriers (challenging, but theoretically possible) to get close enough to an AP that would see sensitive stuff, had to know WHEN to do that, or at least plant a device that could easily be noticed, and they would still fail because we didn't have 802.11r enabled on those AP's.
Is it a concern? It depends on what you're doing. It is absolutely a concern if your corporation is handling ultra-sensitive information. However, you should also question your physical barriers in that case and whether you should use Wi-Fi at all for some aspects of your operation. Is it a concern for the vast majority of office workers or someone at home? Probably not; there would be easier ways to find a valid credit card number that don't involve the time and effort for a hacker to travel to your place where they could be discovered. There's no need to replace all your AP's with new hardware, although the Wi-Fi Alliance would love for you to do that.
Does this exploit warrant its own fancy name and domain name? As was the case for KRACK, I don't believe so. That should be reserved for vulnerabilities that have a severe impact AND are extremely trivial to exploit with no proximity requirements. If not, the fancy-name-vulns risk being deprived of their ability to get the attention that is required.
I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".
It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.
>[KRACK] easy to exploit in a lab but very hard to exploit in practice
How so? Even I have done it (on my own AP). Unless you own a big property that the WiFi signal cannot reach outside it's as easy as pressing GO in one of the hundreds of script kiddie tools.
Several of the implementation flaws allow an attacker to essentially inject plaintext frames in a Wi-Fi network. All that's needed is being within range of the network (with an extender you can still be far away). I agree that the design flaws aren't that serious! But that's also explicitly mentioned on the website so...
Edit: injection can be used to punch a hole in the router's NAT so someone can directly try to attack your devices. As always there world isn't burning down. But I think it's interesting research :)
WiFi exploits will always be subject to proximity though? For it to be remotely exploitable, you would be talking about a router or something else in the hardware stack.
In your mind, what kind of WiFi exploit is actually concerning?
After reading your reply, it seems you have ruled out all home networks and any exploit on a company not dealing with ultra-sensitive data. What's left?
If you do not trust the network, as you should not, the risk of these attacks is reduced to that of denial of service attacks.
Yes, it’s annoying if an attacker can manipulate your DNS responses. But it’s unavoidable on the internet and your local network should not be your only defense against it.
In which fantasy world are WiFi devices known for receiving regular firmware updates? Especially if they're older than a year or two? Enterprisey brands, sure, but consumer grade stuff? Hah!
> By default devices don't send fragmented frames. This means that the mixed key attack and the fragment cache attack, on their own, will be hard to exploit in practice, unless Wi-Fi 6 is used. When using Wi-Fi 6, which is based on the 802.11ax standard, a device may dynamically fragment frames to fill up available airtime.
Why does this feel like Spectre? We're trying to speed things up in a way that eventually blows back into our face.
Does it have anything to do with the speed of development->deployment? If something that is going to be standardized is rushed, then these kind of easily-ish found flaws will continually haunt us. If things slowed down and allowed a serious amount of pentesting before standarization, then maybe we can avoid these herpes like flaws where they sit dormant and then flare up, but can never be eliminated once discovered.
If you want up-to-the-second research results on Wi-Fi vulnerabilities, you are welcome to start your own research group, generate your own results, and share them however you'd like. You are not entitled to access to other people's results on your own terms.
I'm not a believer in coordinated disclosure and long embargoes (I think P0 does it just about right, though I'd make it 45 days instead of 90). But if I was offered information about a protocol vulnerability under a long embargo, accepted it, and then broke the embargo terms, I wouldn't whine about it next time when I wasn't included. Honestly: I wouldn't whine about it under any circumstances, even if I studiously complied with the embargo. Because we're not entitled to other people's work.
By now it's probably easier in mind to treat any Wi-Fi as Open Network and always use something like WireGuard/Tailscale for secure communication between devices.
Often many companies and organizations from many countries are getting informed about such security problems under the embargo. I assume that the intelligence agencies form many countries are also getting these information. Either they are officially informed, because they also protect the government networks or they have just good working relationships with their local companies.
I assume Microsoft would inform the NSA about such things, Huawei would inform the Chinese intelligence agencies and Siemens would inform the German BND.
I can't read from your comment if you think this is A Good Thing. In my opinion it is s Very Bad Thing. None of those entities are more important than everyone else. If anyone should be alerted it should only be those that fix the vulnerability in WiFi devices. Anyone else and not only does the risk of leaks rise exponentially but some of them will rub their fingers with glee and exploit it ASAP.
I appreciate the distaste for a security-vulnerability being sat on for so long. However, the appropriateness of a long-embargo would seem like a bigger topic.
That said, about being sitting ducks.. dunno how much the situation really changes like that. For example, was this really unknown before this particular discovery? And what other vulnerabilities aren't currently being reported, whether under embargo or not?
Seems like users ought to have reasonable expectations about how secure popularly practiced technology is. If someone believed that a vulnerability like this wasn't a possibility, then they may need to update their expectations.
The embargo for binary patches was May 3rd. Of course, if random me knew about these issues, every interested party also did. Think about vendors like Qualcomm, Intel or Mediatek; they were all informed and all of them then had to inform their chip buyers because they don't make any of the actual customer products.
"""
How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network.
"""
This actually made me angry. How fucking long are we doing this already? This is so. basic. Why is this possible? This should incur liability, we know the IT environment is adversarial.
I understand one can make technical mistakes, or shoot oneself in the foot in low level languages that are difficult to handle correctly. But this is a conceptual mistake, involving crypto! How can you possibly have written this code for an issue like this to occur? What is the control flow that leads to this? I almost cannot imagine how someone could code this up by accident, this must be a backdoor. Just imagine:
if decrypt(encrypted) == false
{
memcpy(plaintext, encrypted); // lets try to use the encrypted data anyway, you never know!
}
handle_packet(plaintext);
WiFi has always been developed on being retro-compatible. The good side is you can use something from 2003 with AP from today (let's ditch the 5MHz and 10MHz bandwidth), the downside is you have a big stack of technical debt in most of the chipset out there, which might be why this kind of things happens.
Not having any access to the firmware source (thanks FCC) does not help at all.
Why is it the FCC's fault specifically? The FCC doesn't regulate Intellectual Property. They regulate radios. Are you implying its within the FCC's power to say radio firmware must be open source?
Might shock you but the for-profit Wifi Alliance repeatedly ignores best practice advice and has the garbage they push out owned all the time. At this point I'm half convinced they are compromised, see no reason why they should be writing the standards anymore. People tell them what they are doing wrong constantly and they just ignore it and push ahead until someone breaks it exactly as predicted, rinse, repeat. This has been going on for years.
Even with encryption turned on, there will be plaintext packets you must process (e.g. to start the session). So it requires a whitelist to properly enforce, but all your conformance tests will pass without it. Easy to miss.
I think this will make for an excellent litmus test for companies that make wifi products. Is this a critical fix? No. Is it important, if not critical? Yes.
Some vendors aren't going to care about this in the least and won't offer any updates.
Some will only fix this in new and future devices.
And perhaps some will update all their devices going back several years.
Currently I buy used 802.11ac Airport Extremes for wireless for people because they're simple, they stay out of the way, and the last time there was a major update, Apple updated every Airport model all the way back to the Airport Express from 2008.
But I want to be able to buy new wifi devices, and how vendors handle this will inform me about which ones I'll buy going forward.
Maybe because it's the same year they announced they were dropping support for it?
Time to get a newer piece of gear. This is the problem with software - it doesn't age like a fine wine; it has to be maintained - and that usually means someone is going to have to be paid to do the not so fun work of maintaining and fixing old stuff that is no longer "OoOh tEh sHiNeY!"
> certain devices accept plaintext aggregated frames that look like handshake messages. An adversary can exploit this by sending an aggregated frame whose starts resembles a handshake message and whose second subframe contains the packet that the adversary wants to inject.
That reminds me of a thread [0] that came up a month ago mentioning discussion of packets in packets [1]. That paper was from 2011!
From my experience with TP-LINK software, you don't need to worry about this attack. The attack demonstrated is complex, requires physical proximity and a lot of knowledge about the target.
Meanwhile, your router will probably give any attacker root if they ask it nicely. TP-Link doesn't seem to care about device security at all if you're already paid for the device, so don't expect any updates and expect a whole range of vulnerabilities to be exploitable against your router.
Now, it must be said, TP-Link is no D-Link, a company that almost seems to add security problems to their software intentionally with their awful software quality, but if you're conscious about security, any consumer device will probably have a whole bunch of exploits that would work easier and more reliably.
EDIT: replaced the word "access" with "proximity" to avoid confusion.
What? You just need a high enough gain antenna and you can carry it out much further away than it appears your wifi reaches. Isn't physical access, being able to touch the computer?
Fragmentation is usually disabled in home APs. I've played with it on hostapd, but didn't find a performance improvement, and investigating withe WireShark found even 64k packets were not being fragmented. Is the same true for enterprise AP?
I wonder if hardcoding your DNS servers will help. I guess sometimes this is not possible because in corporate environments DNS servers are sent via DHCP.
“ More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”
So yes, but as you say lots of things can override your explicit DNS settings. Even browsers can do it these days.
Run WireGuard. Effectively treat WiFi as untrusted and VPN over it. Have WireGuard send over your DNS on the other side, and have that DNS use D-o-T or D-o-H depending on your threat model.
Use Ethernet on stationary devices, and WiFi on mobile devices.
Authenticating the remote end of the connection (which all decent software does because using it on other people's WiFi would be very unsafe otherwise) makes it irrelevant.
I, too, would like to know the definitive answer to this, as I feel like a malicious DNS packet was used against a computer of mine before connected to the VPN.
I've always felt an always listening radio, especially the ones in televisions that try to connect to anything it can, in any device is a big gaping security hole. We've already seen how Bluetooth makes things vulnerable. If you're truly worried about security, go with the cable.
Future Wi-Fi devices will be able to see through your home and business walls, for activity monitoring and biometric identification, https://www.theregister.com/2021/03/31/wifi_devices_monitori...
> In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals... When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm... tracking can be done surreptitiously because Wi-Fi signals can penetrate walls, don't require light, and don't offer any visible indicator of their presence.
IEEE 802.11bf paper: https://arxiv.org/abs/2103.14918
Papers on device-free wireless sensing (DFWS): https://dhalperi.github.io/linux-80211n-csitool/
Remote sensing with low-cost ESP32 and 802.11n: https://academic.oup.com/jcde/article/7/5/644/5837600
What the actual fuck??
Honestly I don't see any purely technical solution to this. At some point we have to demand that laws be written to outlaw this.
If you live in Europe, you might want to sign the European citizen initiative banning biometrics
Reclaimyourface.eu
10 replies →
I...don't await eagerly the time when tinfoil ceases to be the joke it has been for decades, instead being promoted to a solution anybody even remotely interested in their privacy utilizes.
5 replies →
https://ans.unibs.it/projects/csi-murder/ enabled by https://github.com/open-sdr/openwifi
Both partially funded by EU's Horizon2020 program.
Openwifi talk at FOSDEM 2020 https://www.youtube.com/watch?v=8q5nHUWP43U
1 reply →
> Honestly I don't see any purely technical solution to this.
For home, chicken wire in the walls and wired networks. A Faraday cage is the simple solution, but unfortunately for this case is unlikely to be in most interior walls in modern buildings.
3 replies →
Check this out https://youtu.be/FDZ39h-kCS8
5 replies →
>Honestly I don't see any purely technical solution to this.
https://en.wikipedia.org/wiki/Faraday_cage
Use a router certified with "Respects Your Freedom": https://fsf.org/ryf
> Honestly I don't see any purely technical solution to this.
The technical solution is pretty simple: do not use Wi-Fi. I use wired connections for all of the devices in my household. The only non-technical aspect of the solution was an interior design-based one about unobtrusive cable wiring around the house.
1 reply →
Build better walls. Don't try to outlaw people "looking at you", no matter what frequency they use.
I find it equally ridiculous to try to outlaw software radio that might listen to "unapproved" radio bands, or listening to clear-text WiFi, baby monitors and cell phones.
It's almost as stupid as people who would want brain implant computers to implement DRM so people can't record and share their own memory of a movie.
Another analogy would be a country of blind people trying to legislate sighted people wearing blindfolds, because all of their privacy fences have huge holes in them.
Technology improves people's abilities. Adapt.
6 replies →
Or just don’t install these devices in your house/live in a place where privacy is functionally impossible like an apartment building.
3 replies →
A lot of this work has been research of Dina Katabi at MIT, via a function called the Sparse Fourier ("4-E-A") Transform.
I am not excusing the privacy implications, which will be abused to the extreme. However, it will be used also for health reasons, like monitoring respiration, and activity.
From https://en.wikipedia.org/wiki/Dina_Katabi
> her work on X-ray vision was chosen as one of the "50 ways that MIT has transformed computer science."
And the housing market.
5 replies →
This is one of those things that shouldn't even have a standard made for it.
What does everyone think is going to happen with capabilities like that?
Good news, the paper mentions privacy.
> We identify a number of critical issues that need to be addressed in this space... First, individuals should be provided the opportunity to opt out of SENS services – in other words, to avoid being monitored and tracked by the Wi-Fi devices around them.
Bad news, the paper proposes remote human identification by every Wi-Fi device.
> This would require the widespread introduction of reliable SENS algorithm for human or animal identification.
Would opt-in be legally easier than requiring human body scan registration for opt-out of Wi-Fi remote sensing?
3 replies →
Yeah, this tech standard is totally insane, why would I want anyone or anything to be able to scan people and objects inside my house without my knowledge? I’m aware of microphone attacks for keyboard password entry and other methods of surreptitious surveillance, but this is way past a microphone or webcam. I will pay a massive premium to purchase WiFi equipment without this feature.
Unfortunately these will be everywhere, far beyond any existing camera surveillance network.
4 replies →
Can make a lot of interesting products. Lights that turn on or change color when different people enter a room. home security systems that can detect motion. the ability to summon help for people who fall.
I've been looking into this for a while, should be mature enough in a year or so. there are already dozens of companies in this space
Do you think making it a standard is required to use it? The technology exists now. Writing it down isn't breathing it into existence.
3 replies →
And let’s not forget also Amazon Sidewalk
Scary times.
Is that some sort of hatch in the pavement? You order something on Prime, and moments later, a slab embossed with Amazons' logo opens, a deliveryperson jumps out and deposits the package into your outstretched arm.
6 replies →
Only if you tolerate devices with non-free software.
22 replies →
Yup.
Even radiuz was probably better.
https://wifinetnews.com/archives/2004/06/radiuz_combines_wpa...
wasn't this a scene in Batman, Dark Night?
yes, yes it was https://www.youtube.com/watch?v=IRELLH86Edo
Is it practical to put a Faraday mesh into the exterior walls of a house?
I've rented two houses that used chicken wire to bind the plaster to the lath. You could get a bit of cell service near the windows, but you needed a WAP in each room. Finding studs was a nightmare.
Yes, this kind of shielding in construction is well understood, people concerned about information leakage have been doing it for decades and made the specs public. (Also people suffering from perceived "eletromagnetic hypersensitivity")
Of course, any house totally shielded with a Faraday cage would look extra suspicious and thus receive closer scrutiny. You'd need most of the house to be non-shielded to act as a honeypot while maintaining a small shielded section of the house for "emergencies".
2 replies →
With 2 conditions; a) you would have to do it before closing up the walls and b) give up on radio.
4 replies →
I recently cut a couple holes in my house exterior through stucco. Like a sibling comment, that stucco was secured over some wire mesh. I can't remember how dense the mesh needs to be to block whichever frequencies would be used, but something like that would be commonplace and provide reasonable doubt.
1 reply →
https://en.wikipedia.org/wiki/Tempest_(codename) might have useful info
Attic insulation ("radiant barrier") has a layer of aluminum, it can reduce EMF if joints overlap and are sealed with aluminum tape.
3 replies →
Trying to stop radio waves is sort of like trying to stop water. Any little crack or hole and it'll come through.
In addition to that, you might want/need to use only wired connections to your router and rip out any components that enable wireless.
I see a market for personal WiFi jamming devices.
Those are illegal (at least in the US, and likely just about everywhere). Which is bitterly ironic in this case ... spying on people inside their homes using WiFi is "fine", but trying to jam that bullshit is ... illegal.
1 reply →
Jamming would run afoul of the FCC. Now having one or more WAPs randomly modulate their signal strength should do the trick
Anyone aware of a polished application that utilizes this for personal home monitoring? It'd be fantastic to integrate this with Home Assistant[1] in lieu of Zigbee motion sensors.
[1] https://www.home-assistant.io/
Do I understand it correct that it's possible to 'sense' what people speak with this technique?
No, that would require a precision that's probably still decades away. It could be used to grossly place people and large objects, and notice their movement. Sensing voice would require to monitor vibrations in either the person speaking or anything that vibrates with the emitted sound.
Funnily, there are much easier ways to do that, although they require direct line of vision [1]. Another option would be to measure the vibrations on walls (think glass on the wall, but hitech).
[1] https://www.schneier.com/blog/archives/2020/06/eavesdropping...
I need to invent faraday cage paint :p
https://www.businessinsider.com/a-san-francisco-apartment-th...
Instead of going to such extreme lengths though, it's more sensible to lobby for political change. There is absolutely no legitimate reason this should be introduced as a general standard for all wifi divices. This sort of spying needs to be illegal unless specifically approved in limited cases.
Now imagine what will be accomplished with 5G.. puts on tinfoil hat.
Is there no limit to this surveillance capitalism thing? At what point does it get dystopian enough for them to stop?
when capitalism ends.
Would it be possible to use this to look at a monitor?
From the industry response[1]:
> "It’s important to note that there is presently no evidence of the vulnerabilities being used against Wi-Fi users maliciously and these issues are mitigated through routine device updates once updated firmware becomes available.
> "Like many previous vulnerabilities, FragAttacks has been academically well-researched and responsibly reported in a manner allowing the industry to proactively prepare and begin to roll out updates that fully eliminate the vulnerabilities. This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it. This significantly reduces the likelihood of actual exploitation or attack."
[1] https://www.commscope.com/blog/2021/wi-fi-alliance-discloses...
I agree with the industry response here. KRACK was the same thing. The author finds a vulnerability that is absolutely valid (no denying here), easy to exploit in a lab but very hard to exploit in practice. Back in the day, we did test our equipment for KRACK. We concluded that someone had to circumvent all our physical security barriers (challenging, but theoretically possible) to get close enough to an AP that would see sensitive stuff, had to know WHEN to do that, or at least plant a device that could easily be noticed, and they would still fail because we didn't have 802.11r enabled on those AP's.
Is it a concern? It depends on what you're doing. It is absolutely a concern if your corporation is handling ultra-sensitive information. However, you should also question your physical barriers in that case and whether you should use Wi-Fi at all for some aspects of your operation. Is it a concern for the vast majority of office workers or someone at home? Probably not; there would be easier ways to find a valid credit card number that don't involve the time and effort for a hacker to travel to your place where they could be discovered. There's no need to replace all your AP's with new hardware, although the Wi-Fi Alliance would love for you to do that.
Does this exploit warrant its own fancy name and domain name? As was the case for KRACK, I don't believe so. That should be reserved for vulnerabilities that have a severe impact AND are extremely trivial to exploit with no proximity requirements. If not, the fancy-name-vulns risk being deprived of their ability to get the attention that is required.
> I agree with the industry response here.
I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".
It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.
2 replies →
>[KRACK] easy to exploit in a lab but very hard to exploit in practice
How so? Even I have done it (on my own AP). Unless you own a big property that the WiFi signal cannot reach outside it's as easy as pressing GO in one of the hundreds of script kiddie tools.
Several of the implementation flaws allow an attacker to essentially inject plaintext frames in a Wi-Fi network. All that's needed is being within range of the network (with an extender you can still be far away). I agree that the design flaws aren't that serious! But that's also explicitly mentioned on the website so...
Edit: injection can be used to punch a hole in the router's NAT so someone can directly try to attack your devices. As always there world isn't burning down. But I think it's interesting research :)
1 reply →
WiFi exploits will always be subject to proximity though? For it to be remotely exploitable, you would be talking about a router or something else in the hardware stack.
In your mind, what kind of WiFi exploit is actually concerning?
After reading your reply, it seems you have ruled out all home networks and any exploit on a company not dealing with ultra-sensitive data. What's left?
1 reply →
If you do not trust the network, as you should not, the risk of these attacks is reduced to that of denial of service attacks.
Yes, it’s annoying if an attacker can manipulate your DNS responses. But it’s unavoidable on the internet and your local network should not be your only defense against it.
Tell that to the Iranians and their nuclear facilities...
How would a victim know if someone in a coffeeshop used this attack?
> these issues are mitigated through routine device updates once updated firmware becomes available.
Unless you are one of the millions upon millions of people who have an Android device that launched >3 years ago.
Concept correct, # of years off by a lot.
> This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network
I have troubles imagining an attack on wifi protocol where this doesn't apply :).
Back in the day you could disconnect some modems by sending certain strings over any higher level protocol, e.g. ICMP or IRC.
4 replies →
> requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it.
So everyone that lives or works in a city? That can't be many people can it?
In which fantasy world are WiFi devices known for receiving regular firmware updates? Especially if they're older than a year or two? Enterprisey brands, sure, but consumer grade stuff? Hah!
Well, just look at https://git.kernel.org/pub/scm/linux/kernel/git/firmware/lin... ?
> By default devices don't send fragmented frames. This means that the mixed key attack and the fragment cache attack, on their own, will be hard to exploit in practice, unless Wi-Fi 6 is used. When using Wi-Fi 6, which is based on the 802.11ax standard, a device may dynamically fragment frames to fill up available airtime.
Why does this feel like Spectre? We're trying to speed things up in a way that eventually blows back into our face.
Does it have anything to do with the speed of development->deployment? If something that is going to be standardized is rushed, then these kind of easily-ish found flaws will continually haunt us. If things slowed down and allowed a serious amount of pentesting before standarization, then maybe we can avoid these herpes like flaws where they sit dormant and then flare up, but can never be eliminated once discovered.
Doubtful.
> several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!
And spectre is also based on a decades old documented flaw.
It's just not very practical to predict every feasible attack until a lot of people have real systems to explore.
why do you need complex systems at all? just use a flat memory system with no kernel. no stack cookies. in fact, no internet is probably better.
seriously, have we learned nothing from Battlestar Galactica?
Mathy strikes again ! This has been fixed in Linux and certain firmware / driver already: https://lore.kernel.org/linux-wireless/20210511180259.159598...
Only because they agreed to sit on the patches for an inordinate amount of time.
Theo de Raadt did the right thing for KRACK. Shame it would be his only chance to do so before getting kicked out of Mathy Vanhoef's secret club.
If you want up-to-the-second research results on Wi-Fi vulnerabilities, you are welcome to start your own research group, generate your own results, and share them however you'd like. You are not entitled to access to other people's results on your own terms.
I'm not a believer in coordinated disclosure and long embargoes (I think P0 does it just about right, though I'd make it 45 days instead of 90). But if I was offered information about a protocol vulnerability under a long embargo, accepted it, and then broke the embargo terms, I wouldn't whine about it next time when I wasn't included. Honestly: I wouldn't whine about it under any circumstances, even if I studiously complied with the embargo. Because we're not entitled to other people's work.
4 replies →
I'm out of the loop. Expand?
14 replies →
So these patches are for “ Linux IEEE 802.11 implementation (mac80211)” and ath10k/ath11k.
By now it's probably easier in mind to treat any Wi-Fi as Open Network and always use something like WireGuard/Tailscale for secure communication between devices.
Can you help me understand why this is necessary if all your services use https?
Yeap. I'm trying to remember if 802.11x would help or it's just AAA. Point-to-point tunnels up one layer are the way to go.
And set your own DNS, and maybe block DNS on the standard port...
If only we knew 6 months earlier after a reasonable disclosure.
It’s always been my working assumption that WiFi security should be presumed to be broken until it is proven to be broken.
A 9 month embargo is disgusting. Linux users have been sitting ducks while others may or may not received silent updates.
Often many companies and organizations from many countries are getting informed about such security problems under the embargo. I assume that the intelligence agencies form many countries are also getting these information. Either they are officially informed, because they also protect the government networks or they have just good working relationships with their local companies.
I assume Microsoft would inform the NSA about such things, Huawei would inform the Chinese intelligence agencies and Siemens would inform the German BND.
And those nations got a chance to freely exploit it* for way longer than a typical reasonable disclosure of 90 days.
*Assuming they didn't already know about it which is why fast disclosure is so important.
I can't read from your comment if you think this is A Good Thing. In my opinion it is s Very Bad Thing. None of those entities are more important than everyone else. If anyone should be alerted it should only be those that fix the vulnerability in WiFi devices. Anyone else and not only does the risk of leaks rise exponentially but some of them will rub their fingers with glee and exploit it ASAP.
2 replies →
I appreciate the distaste for a security-vulnerability being sat on for so long. However, the appropriateness of a long-embargo would seem like a bigger topic.
That said, about being sitting ducks.. dunno how much the situation really changes like that. For example, was this really unknown before this particular discovery? And what other vulnerabilities aren't currently being reported, whether under embargo or not?
Seems like users ought to have reasonable expectations about how secure popularly practiced technology is. If someone believed that a vulnerability like this wasn't a possibility, then they may need to update their expectations.
The embargo for binary patches was May 3rd. Of course, if random me knew about these issues, every interested party also did. Think about vendors like Qualcomm, Intel or Mediatek; they were all informed and all of them then had to inform their chip buyers because they don't make any of the actual customer products.
From the researcher that brought you KRACK:
https://www.krackattacks.com/
It's as though supporting fragmentation in any protocol makes preventing replays and offset overwrites a next order Hard problem.
Everytime I see a headline like this always think "this is probably Mathy at it again". The guy is a titan in breaking wifi.
""" How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. """
This actually made me angry. How fucking long are we doing this already? This is so. basic. Why is this possible? This should incur liability, we know the IT environment is adversarial.
I understand one can make technical mistakes, or shoot oneself in the foot in low level languages that are difficult to handle correctly. But this is a conceptual mistake, involving crypto! How can you possibly have written this code for an issue like this to occur? What is the control flow that leads to this? I almost cannot imagine how someone could code this up by accident, this must be a backdoor. Just imagine:
WiFi has always been developed on being retro-compatible. The good side is you can use something from 2003 with AP from today (let's ditch the 5MHz and 10MHz bandwidth), the downside is you have a big stack of technical debt in most of the chipset out there, which might be why this kind of things happens.
Not having any access to the firmware source (thanks FCC) does not help at all.
Why is it the FCC's fault specifically? The FCC doesn't regulate Intellectual Property. They regulate radios. Are you implying its within the FCC's power to say radio firmware must be open source?
1 reply →
> This should incur liability
Might shock you but the for-profit Wifi Alliance repeatedly ignores best practice advice and has the garbage they push out owned all the time. At this point I'm half convinced they are compromised, see no reason why they should be writing the standards anymore. People tell them what they are doing wrong constantly and they just ignore it and push ahead until someone breaks it exactly as predicted, rinse, repeat. This has been going on for years.
> I'm half convinced they are compromised...
Half? Sadly, it's hard to imagine these things not involving some well known 3-letter US agencies.
Even with encryption turned on, there will be plaintext packets you must process (e.g. to start the session). So it requires a whitelist to properly enforce, but all your conformance tests will pass without it. Easy to miss.
I think this will make for an excellent litmus test for companies that make wifi products. Is this a critical fix? No. Is it important, if not critical? Yes.
Some vendors aren't going to care about this in the least and won't offer any updates.
Some will only fix this in new and future devices.
And perhaps some will update all their devices going back several years.
Currently I buy used 802.11ac Airport Extremes for wireless for people because they're simple, they stay out of the way, and the last time there was a major update, Apple updated every Airport model all the way back to the Airport Express from 2008.
But I want to be able to buy new wifi devices, and how vendors handle this will inform me about which ones I'll buy going forward.
As far as I can tell Apple has not released an update for my Airport Express since 2018 :/
Maybe because it's the same year they announced they were dropping support for it?
Time to get a newer piece of gear. This is the problem with software - it doesn't age like a fine wine; it has to be maintained - and that usually means someone is going to have to be paid to do the not so fun work of maintaining and fixing old stuff that is no longer "OoOh tEh sHiNeY!"
1 reply →
> certain devices accept plaintext aggregated frames that look like handshake messages. An adversary can exploit this by sending an aggregated frame whose starts resembles a handshake message and whose second subframe contains the packet that the adversary wants to inject.
That reminds me of a thread [0] that came up a month ago mentioning discussion of packets in packets [1]. That paper was from 2011!
[0]: https://static.usenix.org/events/woot11/tech/final_files/Goo...
I just checked for an update for my TP Link Rouer, nothing yet.
How likely are large manufacturers likely to react to this?
Well you may find you can run (but May understandably not want to) OpenWRT on your TP Link Router. And OpenWRT released an update following KRACK
Not my model yet (unfortunately)
>How likely are large manufacturers likely to react to this?
Ruckus has updates out already: https://support.ruckuswireless.com/fragattacks-ruckus-techni...
From my own experience with TP Link routers I don't expect them to update at all.
From my experience with TP-LINK software, you don't need to worry about this attack. The attack demonstrated is complex, requires physical proximity and a lot of knowledge about the target.
Meanwhile, your router will probably give any attacker root if they ask it nicely. TP-Link doesn't seem to care about device security at all if you're already paid for the device, so don't expect any updates and expect a whole range of vulnerabilities to be exploitable against your router.
Now, it must be said, TP-Link is no D-Link, a company that almost seems to add security problems to their software intentionally with their awful software quality, but if you're conscious about security, any consumer device will probably have a whole bunch of exploits that would work easier and more reliably.
EDIT: replaced the word "access" with "proximity" to avoid confusion.
> requires physical access
What? You just need a high enough gain antenna and you can carry it out much further away than it appears your wifi reaches. Isn't physical access, being able to touch the computer?
2 replies →
If the device didn't first appear on the market in the last six months? About as likely as Apple opening their hardware.
Fragmentation is usually disabled in home APs. I've played with it on hostapd, but didn't find a performance improvement, and investigating withe WireShark found even 64k packets were not being fragmented. Is the same true for enterprise AP?
It's enabled with WiFi6 so a forward compatible vulnerability!
I wonder if hardcoding your DNS servers will help. I guess sometimes this is not possible because in corporate environments DNS servers are sent via DHCP.
“ More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”
So yes, but as you say lots of things can override your explicit DNS settings. Even browsers can do it these days.
Run WireGuard. Effectively treat WiFi as untrusted and VPN over it. Have WireGuard send over your DNS on the other side, and have that DNS use D-o-T or D-o-H depending on your threat model.
Use Ethernet on stationary devices, and WiFi on mobile devices.
Exactly how terrified should I be right now?
The chained CVE's made for interesting reading. Book-marked for future reference when I have my SDR to hand.
Suprised there is nothing in the "Q&A" that refers to wired devices. As if there is no choice.
Would using a VPN prevent the malicious DNS packet?
Authenticating the remote end of the connection (which all decent software does because using it on other people's WiFi would be very unsafe otherwise) makes it irrelevant.
Could you elaborate on this?
I, too, would like to know the definitive answer to this, as I feel like a malicious DNS packet was used against a computer of mine before connected to the VPN.
Very serious attack...
I would really like to know, if someone could, the definitive answer to if using a VPN would prevent the malicious packet?
Do we even know at this point?
“Frag” as a portmanteau of FRagmentation and AGgregation is hardly a non-ambiguous choice of terminology.
So, will I need to go beyond the tinfoil hat? Maybe line the walls with tinfoil?
I've always felt an always listening radio, especially the ones in televisions that try to connect to anything it can, in any device is a big gaping security hole. We've already seen how Bluetooth makes things vulnerable. If you're truly worried about security, go with the cable.
What are some vulnerabilities in bluetooth?
BleedingTooth