
Comment by miles

4 years ago

From the industry response[1]:

> "It’s important to note that there is presently no evidence of the vulnerabilities being used against Wi-Fi users maliciously and these issues are mitigated through routine device updates once updated firmware becomes available.

> "Like many previous vulnerabilities, FragAttacks has been academically well-researched and responsibly reported in a manner allowing the industry to proactively prepare and begin to roll out updates that fully eliminate the vulnerabilities. This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it. This significantly reduces the likelihood of actual exploitation or attack."

[1] https://www.commscope.com/blog/2021/wi-fi-alliance-discloses...

I agree with the industry response here. KRACK was the same thing. The author finds a vulnerability that is absolutely valid (no denying here), easy to exploit in a lab but very hard to exploit in practice. Back in the day, we did test our equipment for KRACK. We concluded that someone had to circumvent all our physical security barriers (challenging, but theoretically possible) to get close enough to an AP that would see sensitive stuff, had to know WHEN to do that, or at least plant a device that could easily be noticed, and they would still fail because we didn't have 802.11r enabled on those APs.

Is it a concern? It depends on what you're doing. It is absolutely a concern if your corporation is handling ultra-sensitive information. However, you should also question your physical barriers in that case and whether you should use Wi-Fi at all for some aspects of your operation. Is it a concern for the vast majority of office workers or someone at home? Probably not; there would be easier ways to find a valid credit card number that don't involve the time and effort for a hacker to travel to your place where they could be discovered. There's no need to replace all your APs with new hardware, although the Wi-Fi Alliance would love for you to do that.

Does this exploit warrant its own fancy name and domain name? As was the case for KRACK, I don't believe so. That should be reserved for vulnerabilities that have a severe impact AND are extremely trivial to exploit with no proximity requirements. If not, the fancy-name-vulns risk being deprived of their ability to get the attention that is required.

  • > I agree with the industry response here.

    I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".

    It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.

    • I disagree: for defenders trying to establish veracity of flaws and prioritizing defense this is useful information. "Active exploits seen in wild" is a strong signal.

      Picking two potentially high impact announcements from the last month or so:

      1. There is a severe flaw in the RSA cryptosystem.

      2. There is a remote code exec vulnerability in Microsoft Exchange.

      One of these was a sketch of an incremental improvement to an attack that remains mostly of theoretical interest. The other was being actively exploited, was tragically simple for 3rd parties to replicate post-announcement and resulted in widespread pain.

      There is some (non-linear) scale here (theoretical flaw/poc/weaponized poc/public poc/public weaponized poc/exploited, but limited actors or targets/widely exploited/HAVOC). MS for example uses just "less likely to be exploited", "more likely to be exploited", "being exploited". It's coarse and somewhat subjective but there is value even so.

      "This flaw is being actively exploited in the wild" is the best line I can take upstairs. I don't want that to go away just because some parties might misuse it.


  • > [KRACK] easy to exploit in a lab but very hard to exploit in practice

    How so? Even I have done it (on my own AP). Unless you own a big property that the WiFi signal cannot reach outside it's as easy as pressing GO in one of the hundreds of script kiddie tools.

  • Several of the implementation flaws allow an attacker to essentially inject plaintext frames in a Wi-Fi network. All that's needed is being within range of the network (with an extender you can still be far away). I agree that the design flaws aren't that serious! But that's also explicitly mentioned on the website so...

    Edit: injection can be used to punch a hole in the router's NAT so someone can directly try to attack your devices. As always, the world isn't burning down. But I think it's interesting research :)

    • I agree, it absolutely is interesting research, and I appreciate the detailed explanation that was published.

      Although the proximity requirement severely limits the possible impact, it does make us think again about the security of our Wi-Fi networks, and as a result we may identify areas to improve, which is a benefit.

  • WiFi exploits will always be subject to proximity though? For it to be remotely exploitable, you would be talking about a router or something else in the hardware stack.

    In your mind, what kind of WiFi exploit is actually concerning?

    After reading your reply, it seems you have ruled out all home networks and any exploit on a company not dealing with ultra-sensitive data. What's left?

    • > WiFi exploits will always be subject to proximity though?

      Something as simple as a Pringles can will dramatically increase "proximity". If you are in (or perceived as) a juicy enough target area, why wouldn't someone use something like this? Great way to monitor people, find out which houses are ripe to break in, etc.

  • If you do not trust the network, as you should not, the risk of these attacks is reduced to that of denial of service attacks.

    Yes, it’s annoying if an attacker can manipulate your DNS responses. But it’s unavoidable on the internet and your local network should not be your only defense against it.

How would a victim know if someone in a coffeeshop used this attack?

> these issues are mitigated through routine device updates once updated firmware becomes available.

Unless you are one of the millions upon millions of people who have an Android device that launched >3 years ago.

> This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network

I have trouble imagining an attack on the wifi protocol where this doesn't apply :).

  • Back in the day you could disconnect some modems by sending certain strings over any higher level protocol, e.g. ICMP or IRC.

    • Linksys WRT54G, Netgear 614/624 routers: sending `DCC SEND foo 0 0 0` would boot people off IRC

      Norton Personal Firewall: `startkeylogger` would boot you off of IRC

      These would typically be combined into `DCC SEND startkeylogger 0 0 0` to grief a whole channel of people


    • Back in the day, you could:

      - Hijack TCP sessions very easily with IP hijacking, especially telnet

      - DoS someone with a smurf attack

      - Ping of death windoze

      - Inject content into unencrypted pages (goatse everyone's web page backgrounds)

      - Get hacked by running inetd services

      - chargen ... nuf said

      - Apply a zillion patches to a Solaris box but break 10 other things

> requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it.

So everyone that lives or works in a city? That can't be many people can it?