Comment by SCHiM

4 years ago

""" How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. """

This actually made me angry. How fucking long have we been doing this already? This is so. basic. Why is this possible? This should incur liability; we know the IT environment is adversarial.

I understand one can make technical mistakes, or shoot oneself in the foot in low level languages that are difficult to handle correctly. But this is a conceptual mistake, involving crypto! How can you possibly have written this code for an issue like this to occur? What is the control flow that leads to this? I almost cannot imagine how someone could code this up by accident, this must be a backdoor. Just imagine:

  if (decrypt(encrypted, plaintext) == false)
  {
    memcpy(plaintext, encrypted, len); // let's try to use the encrypted data anyway, you never know!
  }
  handle_packet(plaintext);

WiFi has always been developed around being retro-compatible. The good side is you can use something from 2003 with an AP from today (let's ditch the 5MHz and 10MHz bandwidth); the downside is you have a big stack of technical debt in most of the chipsets out there, which might be why this kind of thing happens.

Not having any access to the firmware source (thanks FCC) does not help at all.

  • Why is it the FCC's fault specifically? The FCC doesn't regulate intellectual property. They regulate radios. Are you implying it's within the FCC's power to say radio firmware must be open source?

    • They require that users can't use restricted frequency ranges or raise the power level. The easiest and cheapest way for manufacturers to comply is to lock down firmware. And since they didn't also require open firmware, that's the effective outcome in many cases.

> This should incur liability

Might shock you, but the for-profit Wifi Alliance repeatedly ignores best-practice advice and has the garbage they push out owned all the time. At this point I'm half convinced they are compromised, and see no reason why they should be writing the standards anymore. People tell them what they are doing wrong constantly and they just ignore it and push ahead until someone breaks it exactly as predicted, rinse, repeat. This has been going on for years.

  • > I'm half convinced they are compromised...

    Half? Sadly, it's hard to imagine these things not involving some well known 3-letter US agencies.

Even with encryption turned on, there will be plaintext packets you must process (e.g. to start the session). So it requires a whitelist to properly enforce, but all your conformance tests will pass without it. Easy to miss.
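The two receive paths discussed in this thread side by side, as an added example that is not code from the original comments or from any real Wi-Fi driver: a toy station receive path in which the "take the unprotected frame at face value" flow imagined above is contrasted with the explicit allowlist the last comment describes. Frames, the session, the key and the "cipher" (an XOR keystream plus an HMAC tag standing in for CCMP/GCMP) are all constructed here and are assumptions, not anything from a real 802.11 stack; the only plaintext data frame the hardened path ever accepts is an EAPOL handshake frame, and only while no pairwise key is installed yet.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

EAPOL = 0x888E   # EtherType carried by 4-way handshake frames
IPV4 = 0x0800
TAG_LEN = 16


@dataclass
class Frame:
    protected: bool   # models the Protected Frame bit in the 802.11 header
    ethertype: int
    payload: bytes    # plaintext if unprotected, tag || ciphertext if protected


@dataclass
class Session:
    key: Optional[bytes] = None          # pairwise key; None until the handshake completes
    delivered: list = field(default_factory=list)


def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (hash of the key, repeated); a stand-in for the real cipher, not a real one.
    block = hashlib.sha256(key).digest()
    return (block * (n // len(block) + 1))[:n]


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ct


def decrypt(frame: Frame, session: Session) -> Optional[bytes]:
    """Return the plaintext, or None when there is no key or the integrity tag fails."""
    if session.key is None or len(frame.payload) < TAG_LEN:
        return None
    tag, ct = frame.payload[:TAG_LEN], frame.payload[TAG_LEN:]
    expected = hmac.new(session.key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(session.key, len(ct))))


def vulnerable_receive(session: Session, frame: Frame) -> bool:
    """The flow the thread complains about: any unprotected frame is taken at face value."""
    if not frame.protected:
        plaintext = frame.payload          # "use the data anyway", with no check at all
    else:
        plaintext = decrypt(frame, session)
        if plaintext is None:
            return False
    session.delivered.append((frame.ethertype, plaintext))
    return True


def hardened_receive(session: Session, frame: Frame) -> bool:
    """Explicit allowlist: plaintext is accepted only for the handshake, and only before a key exists."""
    if not frame.protected:
        if frame.ethertype == EAPOL and session.key is None:
            session.delivered.append((frame.ethertype, frame.payload))
            return True
        return False                       # unprotected data on a protected link: drop it
    plaintext = decrypt(frame, session)
    if plaintext is None:
        return False
    session.delivered.append((frame.ethertype, plaintext))
    return True


def run_scenario(receive: Callable[[Session, Frame], bool]) -> list:
    """Replay a constructed frame sequence and return what reached the upper layers."""
    session = Session()
    key = b"constructed-pairwise-key"
    # 1. handshake frame: legitimately plaintext, so both paths must accept it
    receive(session, Frame(False, EAPOL, b"EAPOL msg 3/4"))
    session.key = key                      # handshake done, key installed
    # 2. ordinary protected data frame
    receive(session, Frame(True, IPV4, encrypt(b"GET / HTTP/1.1", key)))
    # 3. unprotected data frame arriving after the key is installed
    receive(session, Frame(False, IPV4, b"unprotected data after key install"))
    # 4. protected frame whose tag does not verify (wrong key or tampered)
    receive(session, Frame(True, IPV4, encrypt(b"tampered", b"other-key")))
    return session.delivered


if __name__ == "__main__":
    print("vulnerable delivered:", run_scenario(vulnerable_receive))
    print("hardened delivered:  ", run_scenario(hardened_receive))
```

Both paths pass the "conformance" part of the scenario (the handshake frame gets through, the properly protected frame gets through, the frame with a bad tag is dropped); they differ only on frame 3, which is exactly the case a test suite without a negative test never exercises. The check that matters is the allowlist keyed on session state, not the decrypt call.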