
Comment by asclepi

4 years ago

I agree with the industry response here. KRACK was the same thing. The author finds a vulnerability that is absolutely valid (no denying here), easy to exploit in a lab but very hard to exploit in practice. Back in the day, we did test our equipment for KRACK. We concluded that someone had to circumvent all our physical security barriers (challenging, but theoretically possible) to get close enough to an AP that would see sensitive stuff, had to know WHEN to do that, or at least plant a device that could easily be noticed, and they would still fail because we didn't have 802.11r enabled on those APs.

Is it a concern? It depends on what you're doing. It is absolutely a concern if your corporation is handling ultra-sensitive information. However, you should also question your physical barriers in that case and whether you should use Wi-Fi at all for some aspects of your operation. Is it a concern for the vast majority of office workers or someone at home? Probably not; there would be easier ways to find a valid credit card number that don't involve the time and effort for a hacker to travel to your place, where they could be discovered. There's no need to replace all your APs with new hardware, although the Wi-Fi Alliance would love for you to do that.

Does this exploit warrant its own fancy name and domain name? As was the case for KRACK, I don't believe so. That should be reserved for vulnerabilities that have a severe impact AND are extremely trivial to exploit with no proximity requirements. If not, the fancy-name-vulns risk being deprived of their ability to get the attention that is required.

> I agree with the industry response here.

I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".

It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.

  • I disagree: for defenders trying to establish veracity of flaws and prioritizing defense this is useful information. "Active exploits seen in wild" is a strong signal.

    Picking two potentially high impact announcements from the last month or so:

    1. There is a severe flaw in the RSA cryptosystem.
    2. There is a remote code exec vulnerability in Microsoft Exchange.

    One of these was a sketch of an incremental improvement to an attack that remains mostly of theoretical interest. The other was being actively exploited, was tragically simple for 3rd parties to replicate post-announcement and resulted in widespread pain.

    There is some (non-linear) scale here (theoretical flaw/poc/weaponized poc/public poc/public weaponized poc/exploited, but limited actors or targets/widely exploited/HAVOC). MS, for example, uses just "less likely to be exploited", "more likely to be exploited" and "being exploited". It's coarse and somewhat subjective, but there is value even so.

    "This flaw is being actively exploited in the wild" is the best line I can take upstairs. I don't want that to go away just because some parties might misuse it.

    • That assumes this statement is made out of some sort of particular knowledge. When a Google Zero researcher finds an exploit, then goes through Google crash logging to determine if it's been abused in the wild, there is a reasonable basis for speculation on their part to say if this is an active exploit in the wild or not.

      When a sales busybody like the WiFi alliance makes that statement, it comes from ignorance and CYA.

> [KRACK] easy to exploit in a lab but very hard to exploit in practice

How so? Even I have done it (on my own AP). Unless you own a big property that the WiFi signal cannot reach outside it's as easy as pressing GO in one of the hundreds of script kiddie tools.

Several of the implementation flaws allow an attacker to essentially inject plaintext frames in a Wi-Fi network. All that's needed is being within range of the network (with an extender you can still be far away). I agree that the design flaws aren't that serious! But that's also explicitly mentioned on the website so...

Edit: injection can be used to punch a hole in the router's NAT so someone can directly try to attack your devices. As always, the world isn't burning down. But I think it's interesting research :)

  • I agree, it absolutely is interesting research, and I appreciate the detailed explanation that was published.

    Although the proximity requirement severely limits the possible impact, it does make us think again about the security of our Wi-Fi networks, and as a result we may identify areas to improve, which is a benefit.

WiFi exploits will always be subject to proximity though? For it to be remotely exploitable, you would be talking about a router or something else in the hardware stack.

In your mind, what kind of WiFi exploit is actually concerning?

After reading your reply, it seems you have ruled out all home networks and any exploit on a company not dealing with ultra-sensitive data. What's left?

  • > WiFi exploits will always be subject to proximity though?

    Something as simple as a Pringles can will dramatically increase "proximity". If you are in (or are perceived as) a juicy enough target area, why wouldn't someone use something like this? Great way to monitor people, find out which houses are ripe to break in, etc.

If you do not trust the network, as you should not, the risk of these attacks is reduced to that of denial of service attacks.

Yes, it’s annoying if an attacker can manipulate your DNS responses. But it’s unavoidable on the internet and your local network should not be your only defense against it.